Similar literature
1.
ABSTRACT

As business systems are getting interconnected, the importance of security is growing at an unprecedented pace. To protect information, strong security measures need to be implemented and continuously updated and monitored to ensure their promise against present and future security breaches. However, the growth of networked systems and the increasing availability of sophisticated hacking tools make the task of securing business systems challenging. To enhance the security strength and to justify any investment in security-related products, it becomes mandatory to assess the security measures in place and estimate the level of security provided by them. The existing standards to certify the strength of a security system are qualitative, lack consideration of the countermeasures and do not consider the impact of security breaches. Consequently, there is a need for an alternative approach to estimate the security strength of a system in a quantitative manner. This paper aims to provide an extensible framework called iMeasure Security (iMS) that quantifies the security strength of an enterprise system by considering the countermeasures deployed in its network, analyzes the business impact of the security breaches, and provides insights as to how the level of security can be improved from current levels.

2.
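于新辉, 张建, 李伟涛. 《微机发展》 (Microcomputer Development), 2012, (3): 237-239, 244
Information security management is becoming a hot topic worldwide, and establishing a sound information security management system is of great significance to an enterprise's security management work and to its development. While information technology accelerates enterprise development, it also brings enterprises all kinds of threats. Based on tracking the actual state of current information security management, this paper analyzes the impact of each threat on information systems and discusses the main content and role of the four stages involved in building an information security management system based on the life cycle, ensuring the integrity, availability and confidentiality of information and thereby maintaining the continuity of business operations and the organization's competitive advantage.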

3.
Much has been made of the capabilities to commit a crime that has a digital component, whether it is hacking, fraud, embezzlement, identity theft, organized crime, child pornography, or other criminal act. While the capabilities of the perpetrators and IT professionals' response are often discussed, what is often overlooked is the ability of law enforcement to investigate and prosecute digital crime. An information security plan that is not developed with prosecution as a possible outcome is short sighted. This article is a research report on Michigan's law enforcement capabilities, including training, staffing levels, and trends, and it provides information that will help IT professionals understand the challenges they may encounter when soliciting help from law enforcement agencies.

4.
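Cases in which hackers break into corporate mailboxes to defraud money occur frequently, directly causing enterprises reputational and material losses; enterprises therefore urgently need a secure email communication solution. The 盈世 Coremail mail system adopts three hardening defenses, anti-account-theft, anti-tracking and anti-forgery, which can ensure that email correspondence is kept strictly confidential and secure.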

5.
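International operations are an effective way for enterprises to further expand their room for development and improve their capacity for sustainable development; at the same time, the growth of international business and its informatization poses new challenges to enterprise information security. Targeting the characteristics of power grid enterprises' international business and its information security, this paper proposes an information security protection model for international business. Based on an analysis of the security risks of power grid enterprises' international business, it studies technical protection measures at three layers of the protection model, the master station layer, the network layer and the terminal layer, and proposes security management approaches and measures.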

6.
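The security of networks and information systems has become a serious problem that China's information industry must face for its healthy development. Information systems face comprehensive threats and are constantly attacked by hackers; the means of spreading harmful information over the Internet are constantly being renewed, doing great harm to young people. We must therefore strengthen information security assurance work in accordance with the requirements of national information security laws and regulations, and establish and improve a network information security defense system.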

7.
A Management Perspective on Risk of Security Threats to Information Systems   Total citations: 1, self-citations: 0, citations by others: 1
Electronic commerce and the Internet have enabled businesses to reduce costs, attain greater market reach, and develop closer partner and customer relationships. However, using the Internet has led to new risks and concerns. This paper provides a management perspective on the issues confronting CIOs and IT managers: it outlines the current state of the art for security in e-commerce, the important issues confronting managers, security enforcement measure/techniques, and potential threats and attacks. It develops a scheme for probabilistic evaluation of the impact of security threats with some illustrative examples. This methodology may be used to assess the probability of success of attacks on information assets in organizations, and to evaluate the expected damages of these attacks. The paper also outlines some possible remedies, suggested controls and countermeasures. Finally, it proposes the development of cost models which quantify damages of these attacks and the effort of confronting these attacks. The construction of one such cost model for security risk assessment is also outlined. It helps decision makers to select the appropriate choice of countermeasure(s) to minimize damages/losses due to security incidents. Finally, some recommendations for future work are provided to improve the management of security in organizations on the whole.

8.
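With the rapid development of network technology, network security issues have become increasingly important, and some sudden network information security incidents have had a huge impact on the state and society. Security has therefore always been one of the important issues of concern to governments and enterprises. Raising people's information security awareness and strengthening people's information security education has become a key issue in carrying out information security work and building an information security assurance system. This paper discusses internal security issues from the perspective of security awareness and proposes an approach for responding to them.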

9.
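With the rapid development of information technology, the tobacco industry's dependence on information systems is deepening, and the information security risks it faces are growing by the day. To effectively reduce information security risks, this article introduces the concept of classified protection (等级保护); by analyzing the characteristics of the concept and its implementation path, it studies how classified protection and the information security system integrate with the business, and builds an information security system suited to the characteristics of the tobacco industry.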

10.
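程涛. 《软件》 (Software), 2021, 42(1): 92-94
As hospital business systems grow more dependent on informatization, information security affects whether they can operate normally; once a hospital's information system fails, the hospital faces huge losses. Hospital data also contains a large amount of private patient information, and a leak would have a negative impact on both the hospital and its patients. With hospital information security incidents occurring frequently of late, classified protection of hospital information security has become a focus of hospital information system construction.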

11.
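The hospital network and information system is the basic condition for the stable operation of all hospital business. A secure network and information system improves the hospital's operating efficiency, so building a sound hospital network and information system is essential. Judging by how hospital network systems currently operate, some security vulnerabilities remain; they constantly affect the hospital's stable development and hinder its business. This article studies the problems in hospital networks and information systems and proposes targeted strategies, holding that measures such as continuously strengthening system software protection and setting system permissions scientifically are of great significance for improving hospital network and information system security.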

12.
Abstract

Because end users are often the weakest link in a security chain, students need to practice security controls properly to improve information security on campus. This study surveyed undergraduate students in a business college to investigate their understanding and attitudes toward information security. Survey findings show that college students understand most information security topics suggested by National Institute of Standards and Technology (NIST) Special Report 800-50. Universities should provide easily accessible security training programs for students. Practical suggestions are provided to encourage students to participate in security training to enhance their security awareness level.

13.
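Advances in modern information technology have greatly helped our social life, and online media are one product of that technology. That online media could quickly become a market favorite is due not only to their own unique advantages and characteristics but also to suitable external conditions: traditional media can no longer keep up with the development of modern industry in some respects, and people have been seeking a fast, high-capacity means of communication, so the emergence of online media met popular expectations. However, because online media have existed in China for only a short time, problems of one kind or another are inevitable, and as online media are accepted by more and more people, these problems have become more serious: in particular, the spread of harmful information that damages young people's mental health, attacks on networks by hackers and viruses, the spread of false information online, the theft of database records, and so on. Information security problems are prominent, and they are drawing increasing attention around the world and have become a matter of global concern.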

14.
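As enterprises' interactive, mobile and intelligent services are gradually rolled out, cryptographic technology, as the core of business information security protection, is becoming ever more important. However, because business systems use different cryptographic algorithms and application modes, an enterprise usually has many different key management systems, so key resources cannot be used effectively and quickly, and unified key monitoring and protection measures are lacking. The unified key support system introduced in this paper takes the key management PDCA as its model and builds a layered architecture from the key management system and standards, a key monitoring and analysis system, and a key security testing platform. It standardizes the ways and processes by which business systems use cryptographic technology, improves security controls over the full key life cycle, establishes a standardized, general and unified key testing and evaluation system for business systems, eliminates security risks in cryptographic applications, ensures that keys are used securely, reliably and efficiently, and raises the enterprise's level of key management.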

15.
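The management information system of the Information and Communication Center (信通中心) is an internal integrated business system inspired by the State Grid SG186 project (in SG186, "1" is an integrated enterprise-level unified information platform, "8" is the 8 major business application systems used for the company's system management needs, and "6" is 6 informatization support systems) and developed according to the actual needs of the Information and Communication Center of the Weinan Power Supply Bureau. The system uses ASP.NET as its development platform, C# as the language and SQL Server as the database; it redevelops and integrates the 7 major business systems that the center has developed step by step since 2000, and implements single sign-on. After logging in to the unified platform, users can access multiple subsystems at the same time, which enables data sharing between systems and solves the problem of cumbersome logins.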

16.
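Research on the Composition Framework of Information System Classified Security Protection Capabilities   Total citations: 1, self-citations: 2, citations by others: 1
This paper starts from the relationship between threats and security protection capabilities, explaining that threats and security protection capabilities interact with and influence each other through the business information and system services of an information system. It also proposes grading security protection capabilities: information systems of different security levels should have protection capabilities commensurate with their level. Then, from the two aspects of security technology and security management, it proposes a composition framework for information system classified protection capabilities, dividing protection capabilities into the categories of protection, detection, recovery and response, policy, organization and personnel, security engineering, and security operation. Finally, guided by this framework, it analyzes how protection capabilities at different levels are manifested, providing guidance for selecting measures to protect information systems appropriately and achieve relative security, and a theoretical basis for the baseline requirements for classified protection of information system security.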

17.
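Public Key Infrastructure (PKI) is the foundation and core of current network security construction and the basic guarantee for implementing e-commerce security, and it is fully used in various e-commerce security solutions. Research and development of PKI technology has therefore become a hot topic in the information security field.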

18.
There has been much concern expressed during recent times to ensure that information technology (IT) considerations are firmly aligned with business imperatives. For example, two of the top ranked information systems management issues during the 1980s were concerned with the problems incurred in aligning the Information Systems function with that of the organisation as a whole, and in linking information systems and business strategies. Conversely, recent research and practice has provided us with a vision of IT-induced business process redesign, the opportunity for inter-organisational systems and even the redefinition and refocusing of business products and services. The reality for many organisations remains that IT investment is seen as a necessary evil at best, with many questioning whether it represents value for money. There have also been somewhat negative reactions to the topic of business process redesign itself: is it old wine in a new bottle? And is it all too risky a business to suggest that radical change rather than incremental change is what is required? This paper reviews these issues and argues for a refocussing of our attention on (i) information and business systems, and (ii) implementation issues and organisational change, as opposed to the more common practice of concentrating on information technology per se. It takes an organisational, soft operational research perspective on the subject of business reengineering, and provides some outline guidelines for the process of managing the change that is often both necessary and potentially desirable with the introduction and utilisation of new IT. It raises the question whether the lessons from the application of the softer operational research approaches over the past 20 years or so could be used to provide a more informed intervention, given the complexity of the task... and answers that question in the affirmative!

19.
The objective of this paper is to present a comprehensive survey of security challenges in aeronautical data communication networks. The civil aviation industry is currently going through an evolution of the air traffic management system. The aviation communication technologies are progressively shifting towards the use of digital data instead of analog voice for traffic control, airline business, and passenger onboard entertainment systems. This paper illustrates the cause-to-effect chain link starting from the modernization of the aeronautical communication systems and leading to the network security concern in the civil aviation. The general threats to air–ground communication are depicted and then categorized. The paper gives an overview of the civil aviation industry efforts for securing the future aeronautical data communications. The security mechanisms and protocols proposed for this purpose are discussed. Open research issues and challenges that have to be addressed in the security of current and future aeronautical data communication networks are presented in detail. The paper concludes with some improvement directions which can help to address those security issues. This survey can be used as a reference guide to first understand the factors that urge both the research community and the aviation industry to be concerned about network security in future aeronautical data communications. Also, it can be used as a first reading to have a global overview of network security issues, challenges and potential solutions in air–ground communication networks.

20.
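With the continuous development of information network technology and the continuous expansion of hospital business, the hospital information network has gradually evolved from a closed network serving only the hospital's business needs into a public-facing information system. While it brings convenience to hospital work and improves operating efficiency, the hospital information network faces severe security problems. Based on an analysis of common security problems in hospital information networks, this paper puts forward reasonable suggestions for solving them.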
