Study on Security Strategies for Information Systems and Information Management
Rosenblad-Wallin E
Department of Consumer Technology, Chalmers University of Technology, Göteborg, Sweden.
Abstract
This article describes the characteristics and structure of information systems and analyzes their security. Starting from the security characteristics of information systems, it examines security risks and security mechanisms and derives the measures needed to build secure information systems, which is of great practical significance.
Keywords: information systems; information management; security policy
1 Information system
An information system is a very complex system built on modern information resources, computer systems and communication networks. The computer system is its core: it consists of hardware and software and performs the automated processing of information. The communication system consists of workstations, computer networks and communication networks, and carries data over communication lines between computers, and between computers and terminal equipment. Combining computer systems with communication systems gives information transmission dynamic, random and transient characteristics: information is generated and processed across geographic barriers, up to global interconnection. The nine major characteristics of information systems are system openness, resource sharing, high storage density of media, data exchange and access, aggregation of information, the difficulty of keeping information confidential, remanence on storage media, susceptibility to electromagnetic leakage, and the vulnerabilities of communication networks. These characteristics are closely related to the security of information systems and determine their insecurity. They pose a potential danger: if they are exploited, system resources may be lost, and even the organization's important secrets may be compromised. Strengthening the management of information systems therefore has great practical significance.
2 Information system architecture
An information system is a complex technical system. Structurally, its description should include three parts: infrastructure, architecture and basic functions, as shown in Fig. 1.
Fig. 1 Information system architecture
3 The security of information systems
Information Systems Security
Information systems security means the measures taken to prevent accidents during the operation of an information system, deliberate sabotage of it, and illegal use of its information resources. The factors associated with information system security fall mainly into the following seven kinds:
a. Natural and force majeure factors: mainly the hazards of fire, electrical faults, water, static electricity, dust, harmful gases, earthquakes, lightning, strong magnetic fields, electromagnetic pulses, and social unrest or war. Some of these can damage system equipment and destroy data, or even destroy the entire system together with its data. They directly endanger the physical security of information systems.
b. Hardware and physical factors: a secure environment and reliable system hardware, including the security of the computer room and its facilities, the main computer, the storage system, auxiliary equipment, data communication facilities and information storage media.
c. Electromagnetic factors: a computer system and the channels that carry its control information and data emit electromagnetic radiation during operation. Within a certain distance this radiation can be detected and received with a radio receiver, so information may leak through electromagnetic emanation. In addition, electromagnetic interference from the environment may disturb the normal operation of the system.
d. Software factors: illegal deletion, copying and theft of software cause losses to the system and may lead to leaks. Computer viruses are a means of intruding into and damaging systems through software and networks.
e. Data factors: the security of data during storage and transmission. Data is the main target of computer crime and must be the focus of security and confidentiality measures.
f. Human and management factors: the quality and sense of responsibility of the staff involved, together with strict administrative systems, laws and regulations, guard against the threats that human factors pose directly to the active security of the system.
g. Other factors: all factors that, when a security problem does occur, minimize the loss, keep the impact within acceptable limits and ensure rapid and effective recovery of system operation.
The main security hazards
The security risks that frequently occur in information systems are the following:
a. Data entry problems: data enters the system through input devices, and the input data is vulnerable to tampering or adulteration;
b. Data processing problems: the hardware of the data processing part can easily be destroyed or stolen, is susceptible to electromagnetic interference, and may leak information through electromagnetic radiation;
c. Communication line risks: information on communication lines can easily be intercepted, and the lines themselves can easily be destroyed or stolen;
d. Software system problems: the integrity of the operating system, database system, application software and related information, including discipline in software development, software security testing, and the modification and copying of software;
e. Output system problems: output devices can easily cause information leakage or theft;
f. Operational security risks: the legitimacy of the use of system resources and information resources, including power supply, environmental conditions, personnel, computer room access control, management of data and media, and operations and maintenance management.
Security mechanisms
Security is a complete logical structure covering the whole information system. Information system security requires the following mechanisms:
a. Deterrence mechanisms: warnings that remind people not to do things harmful to the security of the information system, on pain of legal punishment.
b. Preventive mechanisms: mechanisms that prevent and deter criminals from misusing computers or endangering computer assets.
c. Detection mechanisms: the system can detect security risks and identify the cause of events that have occurred, including the detection of criminal cases.
d. Recovery mechanisms: after an accident or incident interrupts the system or corrupts its data, the system can be restored in a short time.
e. Correction mechanisms: loopholes are closed promptly and security measures improved.
Problems to be solved
In summary, the security of information systems is mainly reflected in four areas: a high level of security, controllability, ease of auditing, and resistance to attack. Information system security is not only a social and technical issue but also an economic one. Security measures inevitably increase the cost of a system, and the higher the security, the greater the investment; under stringent confidentiality requirements the added cost may even exceed the normal investment in the system. This problem must therefore be handled carefully. It must be understood that higher security and confidentiality are not always better; the standard should be adequacy: generally appropriate security measures, backed by strict and scientific management. In addition, there is a tension between the security of a system and its flexibility and ease of use. Making a system highly secure and reliable raises its cost considerably, restricts its response time, increases the restrictions placed on personnel and makes operating procedures more complex, causing users much inconvenience. Security settings should strike an appropriate balance between system cost and ease of use.
4 Security measures to be taken for information systems
Conventional measures
Measures must be taken to protect computer equipment, facilities (including networking and communication equipment) and other media from floods, fires, toxic gases and other environmental incidents (such as electromagnetic pollution) that would undermine their operation. This is the basic element of the secure operation of the entire information system.
To protect the functioning of the whole system, effective security measures are required to protect information processing, including risk analysis, audit trails, backup and recovery, and emergency response. It is necessary, important and urgent to develop workable regulations that impose these constraints. Forming a body of highly conscious, law-abiding technical personnel is another important part of computer network security. The security management of computer systems must be strengthened, personnel education intensified, and unauthorized computer use strictly and effectively restricted so that unauthorized users cannot intrude. Only strict management can keep all kinds of harm to a minimum.
Data is the foundation of information and a valuable business asset. The task and aim of information management is to organize and strictly control every stage of the flow of data, including collection, entry, storage, processing and transmission, to ensure that the data is accurate, complete, timely, secure, suitable and shareable. Developing good information security regulations is the most effective measure. This applies not only to business data but also to technical data, application data and business application software.
Anti-virus measures
Computer viruses appear one after another, spread widely, cause great damage, are unpredictable and have destructive potential.
Using specialized anti-virus programs from reputable manufacturers reduces the harm done by viruses;
Setting appropriate access permissions and access rights to system resources on network servers can, to some extent, prevent virus attacks;
Using anti-virus hardware, such as anti-virus boards or chips, can effectively prevent viruses from intruding into the system.
Network Security
Because LAN technology is based on Ethernet, which is a broadcast medium, a packet exchanged between any two nodes is not only received by those two nodes but can also be intercepted by the network card of any other node on the same Ethernet segment. Therefore, anyone who gains access to any node on the Ethernet and listens can capture all packets passing over it, unpack and analyze them, and steal critical information. This is an inherent security risk of LANs. (On switched Ethernet, unicast frames are normally delivered only to the destination port, so the risk applies directly to shared-medium or wireless segments, and to attackers who can redirect traffic within the switch.)
a. Transparent proxy
With the traditional client/server security model, the corrective measures taken by the program are as follows. For each database application only one real database account is created, and it has full access to all the data entities that the application operates on. At the same time, an "application system account" is created for every system operator; this is a user account that is created and verified by the program itself. Under this scheme the application is the only user of the database, and all operators of the application system (including the system administrator) are indirect users of the database. In other words, besides executing its application logic, the application system completely isolates users from the database and becomes a solid "firewall" in front of it. Because of this scheme the chance that the real database account is leaked or spread is almost zero, and all users must access the database through the "single point" of the application system. It can therefore be concluded that as long as the application is secure and reliable, the entire system is secure and reliable. The converse also holds: because that single account carries full privileges, any flaw in the application (for example an injection vulnerability) exposes everything the account can reach, so the account should still be granted only the privileges the application actually needs.
b. Enhanced user authorization mechanism
Under this scheme the application becomes the firewall isolating users from the database, so it must itself have considerable security features. The user authorization management mechanism in particular affects the security of the entire information system through its rigor. Different levels of security granularity can be chosen according to the actual needs of the software, such as record-level or file-level, to reach the required level of information security.
c. Intelligent logging
The logging system has comprehensive data logging functions and automatic classification and retrieval capabilities. Logs record the username, login IP address and login time for later audit and verification.
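The three points above (the application as the single database user, record-level authorization enforced by the application, and an audit log of username, IP address and time) are shown together in the following added example. It is hypothetical code written for this page, not code from the paper or any product; an in-memory sqlite3 database stands in for the real database and its single real account, operator accounts live in the application's own table with salted PBKDF2 hashes, and the names SecureApp, add_operator, login, add_record, read_record and audit are all assumed.

```python
"""Added example: the application as the single database user.

Operators authenticate to the application, not to the database; the
application decides record-level access itself; every login and data
access is written to an audit log with username, IP and time."""
import hashlib
import hmac
import os
import sqlite3
from datetime import datetime, timezone

PBKDF2_ROUNDS = 200_000  # assumed work factor for operator password hashing


class SecureApp:
    """All database access goes through this class: the 'single point'."""

    def __init__(self):
        # The only database connection in the process, i.e. the one real account.
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE operators(name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, role TEXT);
            CREATE TABLE records(id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
            CREATE TABLE audit_log(ts TEXT, username TEXT, ip TEXT, action TEXT, ok INTEGER);
        """)
        self.sessions = {}  # session token -> (username, ip)

    # --- intelligent log: who, from where, when, what, and whether it succeeded
    def _log(self, user, ip, action, ok):
        self.db.execute("INSERT INTO audit_log VALUES (?,?,?,?,?)",
                        (datetime.now(timezone.utc).isoformat(), user, ip, action, int(ok)))

    def audit(self, username=None):
        """Classified retrieval: all entries, or only those of one operator."""
        q, args = "SELECT ts, username, ip, action, ok FROM audit_log", ()
        if username is not None:
            q, args = q + " WHERE username=?", (username,)
        return [(ts, u, ip, a, bool(ok)) for ts, u, ip, a, ok in self.db.execute(q, args)]

    # --- application system accounts: created and verified by the program
    def add_operator(self, name, password, role="user"):
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.db.execute("INSERT INTO operators VALUES (?,?,?,?)", (name, salt, pw_hash, role))

    def login(self, name, password, ip):
        row = self.db.execute("SELECT salt, pw_hash FROM operators WHERE name=?", (name,)).fetchone()
        ok = False
        if row is not None:
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), row[0], PBKDF2_ROUNDS)
            ok = hmac.compare_digest(candidate, row[1])  # constant-time comparison
        self._log(name, ip, "login", ok)  # failed logins are logged too
        if not ok:
            return None
        token = os.urandom(16).hex()
        self.sessions[token] = (name, ip)
        return token

    def _session(self, token):
        if token not in self.sessions:
            raise PermissionError("not logged in")
        return self.sessions[token]

    # --- data access with record-level authorization decided by the application
    def add_record(self, token, body):
        user, ip = self._session(token)
        cur = self.db.execute("INSERT INTO records(owner, body) VALUES (?,?)", (user, body))
        self._log(user, ip, f"add_record {cur.lastrowid}", True)
        return cur.lastrowid

    def read_record(self, token, rec_id):
        user, ip = self._session(token)
        role = self.db.execute("SELECT role FROM operators WHERE name=?", (user,)).fetchone()[0]
        row = self.db.execute("SELECT owner, body FROM records WHERE id=?", (rec_id,)).fetchone()
        # Owner or admin only; a missing record is also a denial, and both are logged.
        allowed = row is not None and (row[0] == user or role == "admin")
        self._log(user, ip, f"read_record {rec_id}", allowed)
        if not allowed:
            raise PermissionError("access denied")
        return row[1]


def demo():
    """Constructed scenario: three operators, one record, one denied read."""
    app = SecureApp()
    app.add_operator("alice", "correct horse")
    app.add_operator("bob", "battery staple")
    app.add_operator("root", "staple battery", role="admin")
    bad_login = app.login("alice", "wrong password", "10.0.0.1")
    t_alice = app.login("alice", "correct horse", "10.0.0.1")
    rec = app.add_record(t_alice, "payroll Q1")
    t_bob = app.login("bob", "battery staple", "10.0.0.2")
    try:
        app.read_record(t_bob, rec)
        bob_denied = False
    except PermissionError:
        bob_denied = True
    t_root = app.login("root", "staple battery", "10.0.0.3")
    return {"bad_login_rejected": bad_login is None, "bob_denied": bob_denied,
            "admin_read": app.read_record(t_root, rec), "bob_log": app.audit("bob")}


if __name__ == "__main__":
    for entry in demo()["bob_log"]:
        print(entry)
```

The design point is that the database never sees "alice" or "bob": it sees one connection, and every decision about who may read which record, and every attempt, is made and recorded in the application. That is exactly why the application must be written with care; a query built by string concatenation instead of the parameterized statements used above would hand an attacker the full privileges of the single real account.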
d. Complete backup and recovery mechanism
Logs can record illegal operations, but for the system to really recover from a disaster a complete backup solution and recovery mechanism is also required. To guard against damage to storage devices, the server can use hot-swappable SCSI hard disks in a RAID configuration as a real-time hot backup. When the chain of events leading to data loss or damage needs to be traced, the system log and the backup data are combined to restore the system securely.
Because WANs use public networks for data transmission, the risk of information being intercepted during transmission over a WAN is much greater than on a LAN. Necessary measures must therefore be taken to secure information in transit over WAN lines.
Using encryption technology
The basic idea of encryption is not to depend on the security of the network data path, but to protect the security and reliability of the network by encrypting the data carried over it. Data encryption technology is divided into symmetric-key encryption and asymmetric-key encryption.
Using VPN technology
The core of VPN technology is tunneling: data from the enterprise's private network is encrypted and encapsulated, then transmitted through a virtual tunnel across the public network, which prevents sensitive data from being stolen. An enterprise that builds a VPN over the public network obtains an intranet as if it had built its own private network, with higher security, priority, reliability and manageability, while construction time, investment and maintenance costs are greatly reduced.
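The following added example illustrates both the encryption paragraph above (security that does not depend on the path) and the tunneling idea: an inner packet, private addresses included, is sealed into an envelope that an interceptor on the public line can neither read nor alter without detection. It is hypothetical code written for this page, not the paper's or any VPN product's. Because Python's standard library ships no block cipher, it builds a CTR-style keystream from HMAC-SHA256 used as a pseudorandom function and authenticates with a second HMAC (encrypt-then-MAC); in production one would use AES-GCM or ChaCha20-Poly1305 from a vetted library. The pre-shared key, packet contents and the names seal, unseal and derive_keys are all assumed.

```python
"""Added example: protecting a packet across an untrusted WAN path.

Envelope layout: nonce (16) || ciphertext || HMAC-SHA256 tag (32).
Keystream block i = HMAC(enc_key, nonce || i); tag = HMAC(mac_key, nonce || ciphertext).
Demonstration construction only; use AES-GCM or ChaCha20-Poly1305 in practice."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master):
    """Separate encryption and MAC keys from the one shared secret."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """CTR-mode keystream generated with HMAC-SHA256 as the PRF."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master, inner_packet, nonce=None):
    """Encapsulate an inner packet for the tunnel: nonce || ciphertext || tag.

    The nonce must never repeat under the same key (CTR mode), so it is drawn
    fresh from os.urandom unless the caller supplies one for testing."""
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ks = _keystream(enc_key, nonce, len(inner_packet))
    ciphertext = bytes(p ^ k for p, k in zip(inner_packet, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(master, envelope):
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        raise ValueError("envelope too short")
    enc_key, mac_key = derive_keys(master)
    nonce, ciphertext, tag = envelope[:NONCE_LEN], envelope[NONCE_LEN:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("authentication failed: packet altered or wrong key")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def demo():
    """Constructed inner packet; an observer on the public line sees only the envelope."""
    master = b"shared-secret-between-the-two-gateways"  # assumed pre-shared key
    inner = b"SRC=10.1.0.5 DST=10.2.0.9 PAYLOAD=transfer 5000 to account 42"
    envelope = seal(master, inner)
    header_leaked = inner[:12] in envelope       # private addresses visible in the clear?
    tampered = bytearray(envelope)
    tampered[NONCE_LEN + 40] ^= 0x01             # interceptor flips one ciphertext bit
    try:
        unseal(master, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"roundtrip": unseal(master, envelope) == inner,
            "header_leaked": header_leaked,
            "tamper_detected": tamper_detected,
            "overhead": len(envelope) - len(inner)}


if __name__ == "__main__":
    print(demo())
```

Two details carry the security argument. Encrypt-then-MAC with the tag checked first means a modified or forged envelope is rejected before any decryption happens, so the interceptor learns nothing from error behaviour; and separate keys for encryption and authentication, derived from one shared secret, avoid reusing a key across two purposes.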
5 Information systems security management
Developing security objectives and security policies is important for the construction of a secure computer system. Network security technologies such as firewalls can be used for network security. Choosing different granularities of security control in software development, such as record-level and file-level, and extending security controls to all levels of the system is very beneficial. Setting up security access control at the application software layer is an important step in securing the whole application. In addition, security education and management are important aspects of system security. Information system security management is the integrated management of security activities through administrative measures, combined with technical strategies and measures, so that the information system reaches a generally adequate level of security. From computer room security, equipment security, physical security and network security to the development and maintenance of secure operating procedures, every layer requires security education of personnel to improve security management.
Before the system is put into operation, its security needs should be analyzed and security objectives established that match the actual management requirements for the different working environments and personnel, and security responsibilities and procedures should be drawn up. In fact, security management can solve some problems that application software cannot. Information system security management consists of three levels: the leadership level, the management level and the executive level. Each unit or system must set up a security organization and appoint a head of security according to its actual situation, such as its size and the characteristics of its tasks. This is the basis for improving information system security work, and it requires the attention and support of the leadership to be implemented; the concrete conduct of security work is the responsibility of the management and executive levels. Information system security management strategy covers the following areas:
a. Developing security objectives: organizations differ in the objectives and tasks of their information systems and in their scale, working methods and processing methods, so their security objectives differ as well. A security requirements analysis must therefore be made and the security requirements stated explicitly, in order to form a formal security policy as the basis for security planning.
b. Developing a security management system: security management regulations form the basis of security. They must specify the objectives of security management, responsibilities, the security organization, the authority of security staff, the principles that security departments should follow, and the security responsibilities of all staff.
c. Developing contingency plans: contingency plans are based on risk analysis and consist of an emergency action plan, resources, backups, a backup plan, rapid recovery and testing.
d. Security planning and coordination: security plans are developed on the basis of the actual situation and the security policy, and emerging security issues are resolved during the construction and maintenance of the system.
e. Information protection strategy: the information protection strategy determines what information the system handles, what access control method the system uses and in what security mode it operates. Information protection covers the classification of information, the determination of data areas and the methods of explicit authorization.
f. Risk and threat analysis: a qualitative and quantitative analysis of where the threats to the information system come from, what their nature is and what consequences they would have, from which the risk the system can afford to bear is deduced. Based on the threats and risks the system can withstand, and weighing costs against risks, the means of countering the threats are selected.
g. Daily business: conducting security education for the staff of the information system, providing business knowledge and technical training for security staff at all levels, managing the security department well, regularly checking the security status of technical equipment, and conducting regular security audits.