Research on Information System Security Auditing
Published: 2018-05-25 18:24
Topics: information system + security; Reference: Xiamen University, 2007 master's thesis
[Abstract]: With the rapid development of information technology and information systems, more and more enterprises are using information systems to improve their service and management and to strengthen their competitiveness. The rapid growth of the Internet in particular means that information systems now affect every aspect of business management and social life. At the same time, the security risks inherent in information technology, and intrusions against important information systems and information assets, are on the rise, and information system security has drawn wide attention from all parts of society. Using an information system security audit to certify whether the security of the information systems an enterprise (organization) uses meets the security requirements of the enterprise or its users has gradually become a new growth area for audit business. In China, however, information system auditing still has no set of professional technical standards, let alone technical standards or implementation guidelines specific to information system security audits. At present, not only are the objectives and scope of information system security audits unclear, but the audit method in use, which evaluates system security by auditing the relevant activities, system functions and components across the system life cycle, also suffers from long audit cycles and high audit costs. To address these problems, this thesis discusses the objectives and scope of information system security audits and how to apply the risk-based audit method to them, and studies related issues that the audit process must consider, such as risk identification and audit risk assessment, in order to lay a theoretical and practical foundation for future information system security audit work.
This thesis is divided into six parts. Chapter one analyzes the composition and development of information systems, the risks they face, and strategies for implementing information system security defense. Chapter two, by examining what information system security means, explains the meaning, emergence and development of information system security auditing. Chapter three discusses the objectives and scope of information system security audits and the commonly used audit techniques and their characteristics, laying the groundwork for carrying out such audits. Chapter four explains the concept and characteristics of risk-based auditing and proposes how to apply it in information system security audits; it also studies information system risk identification and assessment, the formulation of the security audit plan, and audit risk assessment. Chapter five discusses how to evaluate the security of the audited information system and proposes a method for issuing an audit opinion on it from two aspects: the maturity of information system security governance and the security level of the computer information system. Chapter six analyzes the current state of information system security auditing in China and proposes a development strategy for it.
[Degree-granting institution]: Xiamen University
[Degree level]: Master's
[Year degree awarded]: 2007
[Classification number]: F239.1
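[Citing literature]
Related journal articles (top 1)
1 Xu Minzhi; Research on security assurance strategies for a B/S-mode teaching management system in higher vocational colleges [J]; Computer Knowledge and Technology; 2010, issue 20
Related master's theses (top 1)
1 Zhang Yao; Research on computer auditing based on information systems [D]; Shanxi University of Finance and Economics; 2010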
Article No.: 1934211
Article link: https://www.wllwen.com/jingjilunwen/sjlw/1934211.html