Research on Standardized Information Security Management in Digital Libraries
Published: 2018-08-28 08:57
[Abstract]: Since the concept of the digital library was proposed in 1991, its research and practice have flourished worldwide. A digital library, however, exists and develops on top of computer, network and data-communication technology, and it therefore faces far greater security risk than a traditional library; information security has become a major topic of digital library research and practice. Libraries in the United States, having passed through three stages of technical, managerial and institutional safeguards, have begun to build information security management systems (ISMS) that handle security incidents through risk assessment, preventive mechanisms and active intervention, whereas most libraries in China remain at the technical-safeguard stage. According to a survey, 100% of digital libraries in China suffer at least one information security incident per year, with weak security awareness, too few security managers and the absence of a security management strategy as the leading causes. Following the "three parts technology, seven parts management" rule, establishing an ISMS is therefore imperative for digital library security.

To give digital libraries a complete, operable solution for building an ISMS that conforms to both international and national standards, to address the key questions of standardized security management that the digital library standards literature has rarely covered, to complete the digital library standards system, and to advance standardization in digital library information security, this work carries the principles and ideas of the ISO 27000 family into the digital library domain so that its security management aligns with current international standards. It studies the implementation framework, method models and draft standard for standardized information security management in digital libraries, resolves the key problems that arise in the process, and produces a recommended scheme as the foundation for an industry standard with clear goals, a complete structure, practical functions and strong operability. The research covers five areas:

(1) Implementation framework. The PDCA process approach, main factors and management workflow of ISO/IEC 27001 were analyzed and, combined with the needs and characteristics of digital libraries, translated into a process model for the library domain. This defines the PDCA process and its meaning for digital library security management; lays out the management workflow from planning through risk assessment to risk control, with the implementation steps of each stage; and identifies the main factors of risk assessment and risk control. For risk assessment the direct factors are assets, threats, vulnerabilities and controls, and the indirect factors are confidentiality, integrity and availability, how much each contributes to asset value, the likelihood of a threat occurring, and the loss of confidentiality, integrity or availability an asset suffers once it does. For risk control the direct factors are implementation cost and effectiveness, and the indirect factors are time, staffing, expense, difficulty and effectiveness against each individual risk.

(2) Risk assessment method model. Starting from a survey of existing risk assessment methods and models, the work analyzes their weaknesses in balancing quantitative and qualitative judgement, in operability and in the acceptability of results, explains why they do not suit digital library risk assessment, and sets out criteria for choosing a method. On that basis it builds an operable risk assessment model for digital libraries based on GB/T 20984, a model for computing asset value and threat magnitude from a multi-factor fuzzy comprehensive evaluation matrix, and a model for computing vulnerability magnitude as a weighted average over multiple evidence channels. The data collection and calculation strategy of each is described in detail, and the feasibility and practical effect of the method are verified by an empirical study.

(3) Risk control method model. Starting from a survey of existing risk control methods and models, the work finds that they are detached from the risk assessment stage and cumbersome to operate, explains why they do not suit digital library risk control, and concludes that a semi-quantitative or combined-analysis approach based on ISO 27000 and coupled to risk assessment fits digital libraries better. The controls of ISO/IEC 27002:2005 and ISO/IEC 27002:2013 were surveyed to define a set of core and reference control elements for digital libraries based on ISO/IEC 27002. To obtain the lowest-cost, highest-effect control set, a control decision model based on linear programming and fuzzy mathematics was built, with its data collection and calculation strategy described in detail to ensure operability and effectiveness.

(4) Draft standard. Building on the process model and the assessment and control models, and drawing on how ISO/IEC 27001 and ISO/IEC 27002 have been adapted and applied in the telecommunications, finance and healthcare sectors, the work examines the issues to be addressed when a security standard for digital libraries is formed and rolled out: purpose, significance, scope, structure, process, core content, implementation obstacles and adoption strategy. A draft standard for digital library information security management was then drawn up, giving standardized management a lasting institutional basis.

(5) Empirical study. A well-known university-town library in China was chosen as the case, and the procedures, methods and requirements of the draft standard were followed strictly: preparatory work on objectives, scope, method, team and plan; risk assessment work identifying, valuing and computing assets, threats and vulnerabilities; risk control work identifying the factors affecting controls, computing their effectiveness and recommending measures; and finally a review of the library's resulting ISMS against the implementation results and interviews, which confirmed that the method, workflow and draft standard are sound and effective.

The aim is a general, standardized, feasible and effective implementation framework for digital library information security management that solves the key problems of standardized management. The contributions are: (1) an operable implementation framework with a controllable cycle that satisfies both the ISO 27000 philosophy and digital libraries' specific requirements, and shortens the survey-and-implementation cycle in a digital library to within one month, saving time and money; (2) operable and effective application models for risk assessment and risk control whose quantitative calculation is simplified yet conforms to digital libraries' security management requirements and current state; (3) a set of core and reference control elements for digital libraries selected from ISO/IEC 27002:2013, which gives a basis for deciding on and implementing controls; and (4) a draft standard that follows the ISO 27000 principles while accommodating the characteristics of the library sector, laying the groundwork for a digital library security management standard and usable to guide practice. The methods, models, checklists and templates developed here can also serve as a reference for other sectors applying the ISO 27000 family to standardized security management.
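The risk assessment model in item (2) of the abstract names its building blocks (a GB/T 20984 flow, a multi-factor fuzzy comprehensive evaluation matrix for asset value and threat, a multi-channel weighted average for vulnerability) but the page does not give the dissertation's formulas. The following is an added, illustrative implementation of those generic techniques, not the dissertation's own model: the five-grade scale, the factor weights, the rater grades, the channel names and the averaging rule used to combine the three levels are all assumptions.

```python
"""Illustrative GB/T 20984-style risk assessment (added example, not the
dissertation's own model).

Asset value and threat level come from a multi-factor fuzzy comprehensive
evaluation (weight vector composed with a membership matrix built from rater
grades); vulnerability level is a weighted average over several evidence
channels; the three levels are then combined into a risk level. The five-grade
scale, the weights, the rater grades and the combination rule are assumptions.
"""
from typing import Sequence

GRADES = (1, 2, 3, 4, 5)   # very low .. very high, as in GB/T 20984


def to_grade(score: float) -> int:
    """Round a real-valued score half-up onto the 1..5 grade scale."""
    return max(GRADES[0], min(GRADES[-1], int(score + 0.5)))


def membership_from_grades(grades: Sequence[int]) -> list[float]:
    """Membership vector of one factor: the share of raters choosing each grade."""
    if not grades:
        raise ValueError("a factor needs at least one rating")
    bad = [g for g in grades if g not in GRADES]
    if bad:
        raise ValueError(f"grades outside {GRADES}: {bad}")
    return [grades.count(g) / len(grades) for g in GRADES]


def fuzzy_comprehensive_grade(weights: Sequence[float],
                              matrix: Sequence[Sequence[float]]) -> int:
    """B = W o R with the weighted-average operator M(., +), then defuzzify
    B by its grade-weighted mean."""
    if len(weights) != len(matrix):
        raise ValueError("one weight per factor row")
    if abs(sum(weights) - 1.0) > 1e-9 or min(weights) < 0:
        raise ValueError("weights must be non-negative and sum to 1")
    b = [sum(w * row[j] for w, row in zip(weights, matrix)) for j in range(len(GRADES))]
    return to_grade(sum(g * bj for g, bj in zip(GRADES, b)))


def asset_value(cia_weights: Sequence[float],
                cia_grades: Sequence[Sequence[int]]) -> int:
    """Asset value from rater grades of confidentiality, integrity and
    availability importance (one grade list per dimension)."""
    return fuzzy_comprehensive_grade(cia_weights,
                                     [membership_from_grades(g) for g in cia_grades])


def threat_level(factor_weights: Sequence[float],
                 factor_grades: Sequence[Sequence[int]]) -> int:
    """Threat magnitude from grades of its factors, e.g. likelihood and loss."""
    return fuzzy_comprehensive_grade(factor_weights,
                                     [membership_from_grades(g) for g in factor_grades])


def vulnerability_level(channels: dict[str, tuple[float, int]]) -> int:
    """Weighted average of the severity grade reported by each evidence channel
    (scanner, questionnaire, interview, ...): {channel: (weight, grade)}."""
    total = sum(w for w, _ in channels.values())
    if total <= 0:
        raise ValueError("channel weights must be positive")
    return to_grade(sum(w * g for w, g in channels.values()) / total)


def risk_level(asset: int, threat: int, vuln: int) -> int:
    """Two-step combination in the spirit of the GB/T 20984 matrix method:
    incident likelihood from threat and vulnerability, loss from asset and
    vulnerability, risk from likelihood and loss. Averaging is the assumed rule."""
    likelihood = to_grade((threat + vuln) / 2)
    loss = to_grade((asset + vuln) / 2)
    return to_grade((likelihood + loss) / 2)


def demo_assessment() -> dict[str, int]:
    """Constructed ratings for one asset (a library OPAC server) from three raters."""
    a = asset_value((0.5, 0.3, 0.2), ([5, 4, 5], [4, 4, 3], [3, 3, 4]))
    t = threat_level((0.6, 0.4), ([3, 4, 3], [2, 3, 3]))
    v = vulnerability_level({"scanner": (0.5, 4), "questionnaire": (0.3, 4),
                             "interview": (0.2, 3)})
    return {"asset": a, "threat": t, "vulnerability": v,
            "risk": risk_level(a, t, v)}


if __name__ == "__main__":
    print(demo_assessment())
```

With the constructed ratings the asset grades 4, the threat 3 and the vulnerability 4, giving an overall risk of 4. Swapping the averaging rule in `risk_level` for the standard's own lookup tables, and the weights for ones elicited from the library's own staff, is where a real assessment would diverge from this sketch.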
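Item (3) of the abstract describes a control decision model that picks the lowest-cost, highest-effect set of ISO/IEC 27002 controls using linear programming and fuzzy mathematics, again without giving the formulation. The following is an added example of how such a decision can be posed as a 0/1 integer programme, not the dissertation's own model: the residual-risk rule (independent controls, multiplicative reduction), the clause numbers, the cost figures and the effectiveness values are all assumptions constructed for illustration.

```python
"""Illustrative cost-minimising control selection (added example, not the
dissertation's own decision model).

Each candidate control has an implementation cost and a fuzzy effectiveness
(0..1) against each assessed risk. Choosing controls is a 0/1 integer
programme: minimise total cost subject to every residual risk being at or
below its acceptance level. Residual risk is taken as the assessed level scaled
by the product of (1 - effectiveness) over the chosen controls, which assumes
independent controls; that rule, the clause references, the cost figures and
the effectiveness values are all assumptions. Subsets are enumerated
exhaustively, which is exact and fine for a handful of candidates; a real
control catalogue needs an ILP solver.
"""
from dataclasses import dataclass, field
from itertools import combinations
from typing import Iterable


@dataclass
class Control:
    ref: str                 # ISO/IEC 27002:2013 clause it is drawn from (illustrative)
    name: str
    cost: float              # relative cost (time, staff, money combined)
    effect: dict = field(default_factory=dict)   # risk id -> effectiveness in [0, 1]

    def __post_init__(self):
        if self.cost < 0:
            raise ValueError(f"{self.ref}: negative cost")
        for rid, e in self.effect.items():
            if not 0.0 <= e <= 1.0:
                raise ValueError(f"{self.ref}: effectiveness {e} for {rid} outside [0, 1]")


def residual_risk(level: float, selected: Iterable[Control], risk_id: str) -> float:
    """Assessed level scaled by the combined residual fraction of the chosen controls."""
    remaining = 1.0
    for c in selected:
        remaining *= 1.0 - c.effect.get(risk_id, 0.0)
    return level * remaining


def meets_acceptance(risks: dict[str, tuple[float, float]],
                     selected: Iterable[Control]) -> bool:
    """True when every risk is at or below its acceptance level after the controls."""
    selected = list(selected)
    return all(residual_risk(level, selected, rid) <= accept
               for rid, (level, accept) in risks.items())


def select_controls(risks: dict[str, tuple[float, float]],
                    candidates: list[Control]) -> tuple[float, list[Control]]:
    """risks: id -> (assessed level, acceptable level).
    Returns (total cost, controls) for the cheapest feasible subset."""
    best = None
    for k in range(len(candidates) + 1):
        for subset in combinations(candidates, k):
            if not meets_acceptance(risks, subset):
                continue
            cost = sum(c.cost for c in subset)
            if best is None or cost < best[0]:
                best = (cost, list(subset))
    if best is None:
        raise ValueError("no combination of candidates meets the acceptance levels")
    return best


def demo_selection() -> tuple[float, list[str]]:
    """Constructed risks and candidate controls for a small library ISMS."""
    risks = {   # risk id -> (assessed level on a 1..5 scale, acceptable level)
        "R1 unpatched OPAC server": (4, 2),
        "R2 shared administrator password": (4, 2),
        "R3 unencrypted backup tapes": (3, 2),
    }
    candidates = [
        Control("12.6.1", "patch management process", 3, {"R1 unpatched OPAC server": 0.6}),
        Control("12.6.1", "monthly vulnerability scanning", 2, {"R1 unpatched OPAC server": 0.3}),
        Control("9.4.3", "password management system", 2, {"R2 shared administrator password": 0.5}),
        Control("9.4.2", "two-factor log-on for administrators", 4,
                {"R2 shared administrator password": 0.7, "R1 unpatched OPAC server": 0.2}),
        Control("10.1.1", "encrypt backup media", 2, {"R3 unencrypted backup tapes": 0.5}),
        Control("12.3.1", "encrypted off-site backup service", 5,
                {"R3 unencrypted backup tapes": 0.6, "R1 unpatched OPAC server": 0.1}),
    ]
    cost, chosen = select_controls(risks, candidates)
    return cost, sorted(c.name for c in chosen)


if __name__ == "__main__":
    print(demo_selection())
```

On the constructed data the cheapest feasible set costs 7 (patch management, a password management system and encrypted backup media); the dearer two-factor log-on is not chosen because the password management system already brings R2 to its acceptance level. The exhaustive search makes the optimum easy to check by hand, which is the property a practitioner wants before trusting a solver on the full catalogue.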
[Degree-granting institution]: Nanjing Agricultural University
[Degree]: Doctoral
[Year conferred]: 2016
[Classification]: G250.76; TP309
Article no.: 2208917
Link: https://www.wllwen.com/shoufeilunwen/xxkjbs/2208917.html