Similar literature
20 similar articles found (search time: 37 ms)
1.
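The .NET-based railway safety information network management system is designed on a three-level management model of railway bureau, section and station. The system is divided into five layers: business facade layer, business workflow layer, business rules layer, data access layer and business entity layer. A firewall is deployed on the Web Service server side. The functional design takes the analysis, handling and feedback of safety problems as its baseline, with information reported by level, rectification carried out and implemented level by level, and closed-loop management; it comprises 11 functional sub-modules and 9 key service modules. The business facade layer uses Web Services technology to encapsulate the system's functional modules and integrate system applications, and to call the business workflow layer and the business rules layer. The system takes the railway bureau as the safety information query centre; information in the different modules of units inside and outside the railway bureau is registered and authenticated through UDDI so that the units can query each other's information, and a Web Services model of the information query centre is given.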

2.
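Building a hospital information network is a way of making medical services systematic. Network construction carries certain security risks, which calls for a complete security technology framework to keep information secure. This paper analyses the information network construction of one hospital and summarises ways of ensuring information security, for readers' reference.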

3.
Recently, computer security and incidents of computer crime have received considerable attention. Without a doubt, in computer security the risks are high, and the problems and their solutions are complex; nonetheless, the emphasis of this attention has been misplaced. The emphasis should be primarily on the security of information itself and secondarily on the devices that handle information and on any of the other factors that go into information production. The factors of information production should certainly be considered, but only after planning and analysis based on information has been completed. For example, when considering the possibility that a competitor may steal your firm's proprietary information, it is best to consider first what information should be safeguarded and what expenditure is warranted for such protection; then one can consider the environments in which this information appears (paper-based, computerized, verbal, etc.) and controls that are appropriate for these environments. This paper explores the application to the information security area of Information Resource Management (IRM), a new and promising approach that concentrates on information, not on computers. This paper explains the concepts underlying IRM, how they are applied, and what general information systems benefits can be obtained. In a more specifically security-oriented sense, it indicates how IRM can help address a few of the pressing problems now encountered by information security practitioners: controls suboptimization, the Maginot Line syndrome, top management understanding and support, disaster recovery planning, security policy-making, consideration of noncomputerized information, and expeditious resolution of security problems.

4.
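This paper gives an overview of laboratory information management systems (LIMS) and their current state. A new type of LIMS is proposed, its main functions are briefly described, and its hardware circuit and related software flow are given.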

5.
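With the development of information technology, computer information systems have gradually become the lifeline of the operation of state institutions as a whole and a pillar of social activity. Any damage to or failure of a computer information system has a huge impact on users and even on society as a whole. Research on the security of computer information systems is of great and direct practical significance. This thesis focuses on security policies for computer information system applications, and on the security principles, security levels, security services and security architecture model for information system development.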

6.
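Ma Lan, Wang Jingjie, Chen Huan. 《计算机应用》 (Journal of Computer Applications), 2019, 39(2): 488-493
To address data security problems in service sharing in System Wide Information Management (SWIM), the security risks in SWIM business processes are analysed and a malicious data filtering method based on the Latent Dirichlet Allocation (LDA) topic model and content mining is proposed. First, big data analysis is performed on the four kinds of SWIM business data; then features are extracted from the business data with the LDA model to complete content mining; finally, the KMP matching algorithm is used to search for the pattern string in the main string, thereby detecting SWIM business data that contains malicious keywords. The detection method was tested in the Linux kernel. Experimental results show that the method can effectively perform content mining on SWIM business data, and that it also has better detection performance than methods based on Latent Semantic Analysis (LSA) and probabilistic Latent Semantic Analysis (pLSA).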

7.
An analysis will be made on 95 cases of computer fraud and over 60 cases of computer crime reported in the U.K. from various private and public sources to establish the pattern of abuse and the modus operandi in various crime perpetration — who are the victims, who are the computer criminals, size of loss, penalties and detection and lessons learnt from the reported cases. The paper moves on to discuss the various options of risk control and crime prevention, risk analysis and business impact review, and how to set a budget for control of abuse. The paper closes with a discussion of the future implications from the proliferation of personal computers, office systems and distributed processing. What advantages would the future criminal gain from these activities? What would the auditor or security manager have to do to combat the potential new crime wave?

8.
Current reliable strategies for information security are all chosen using incomplete information. With standards, problems resulting from incomplete information can be reduced, since with standards, we can decrease the choices and simplify the process for reliable supply and demand decision making. This paper is to study the certification of information security management systems based on specifications promulgated by the Bureau of Standards, Metrology and Inspection (BSMI), Ministry of Economic Affairs in accordance with international standards and their related organizations. And we suggest a certification requirement concept for five different levels of “Information and Communication Security Protection System” in our country, the Republic of China, Taiwan.

9.
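As informatisation increases, survey and design enterprises apply network and information technology ever more deeply, and more and more data, processes and knowledge results are stored as electronic documents in various information systems. Drawing on network security theory and technology and on the actual situation of one survey and design enterprise, with management as the foundation and technology as the means, this paper discusses building a practical information system security framework for survey and design enterprises.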

10.
Four kinds of marginal returns to security investment to protect an information set are decrease, first increase and then decrease (logistic function), increase, and constancy. Gordon, L. A. and Loeb, M. (ACM Trans. Inf. Syst. Secur., 5:438–457, 2002) find for decreasing marginal returns that a firm invests maximum 37% (1 / e) of the expected loss from a security breach, and that protecting moderately rather than extremely vulnerable information sets may be optimal. This article presents classes of all four kinds where the optimal investment is no longer capped at 1 / e. First, investment in information security activities for the logistic function is zero for low vulnerabilities, jumps in a limited “bang-bang” manner to a positive level for intermediate vulnerabilities, and thereafter increases concavely in absolute terms. Second, we present an alternative class with decreasing marginal returns where the investment increases convexly in the vulnerability until a bound is reached, investing most heavily to protect the extremely vulnerable information sets. For the third and fourth kinds the optimal investment is of an all-out “bang-bang” nature, that is, zero for low vulnerabilities, and jumping to maximum investment for intermediate vulnerabilities.

Kjell Hausken has since 1999 been Professor of economics and societal safety at the Faculty of Social Sciences, University of Stavanger. He holds a PhD (Thesis: “Dynamic Multilevel Game Theory”) from the University of Chicago (1990-1994), was a postdoc at the Max Planck Institute for the Studies of Societies (Cologne) 1995-1998, and a visiting scholar at Yale School of Management 1989-1990. He holds a Doctorate Program Degree (HAE) (“Philosophical, Behavioral, and Gametheoretic Negotiation Theory”) in Administration from the Norwegian School of Economics and Business Administration (NHH), a MSc degree (Thesis: “Nonlinear Bayes Estimation”) in Electrical Engineering (Cybernetics) from the Norwegian Institute of Technology (NTNU), focusing on mathematics and statistics, and a minor in Public Law from the University of Oslo. He has worked as a Field Engineer for Schlumberger Overseas S.A. in Oman and Egypt, completed military service at the Norwegian Defence Research Establishment (NDRE), and has published around 50 articles in international journals.

11.
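This paper describes the importance of water-affairs network security management amid the rapid development of water-affairs informatisation and the current state of that management, analyses the security risks currently facing water-affairs networks, introduces an intrusion detection system and, on the basis of an analysis of the security challenges it faces, studies the deployment principles, application architecture and security management measures for an intrusion detection system in a water-affairs network.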

12.
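The development of informatisation and information security assurance are closely related, complementary and inseparable; informatisation without security assurance cannot last. Establishing the information security management system of the Haihe River Water Conservancy Commission (海委) requires following the basic requirements of classified protection, referring to relevant domestic and international standards, and taking into account the existing network and information security construction of the commission's government extranet. The result is a security management framework of "one centre, three layers of protection" that is based on the protected objects and centred on the security management centre, with the specific technical countermeasures made clear and the security management measures progressively improved.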

13.
This article presents a model of the success of computer-based information systems. We hypothesize that the following variables influence the success of the system: involvement of managers in computerization projects; higher-level managerial support; the technical quality of the system; personal factors; the attitude of managers towards EDP personnel and the attitude of managers towards the computerized system. The research finds that the manager's attitudes to computerization are related to all but the last two. Certain classes of variables are difficult to relate to the success of the system (for example, personal factors). If the evidence for the model is considered strong enough to warrant action, the organization should concentrate on several key variables: high quality of the system; good management support, and good training and management involvement. The results of our research should provide better understanding of the variables associated with the success of a computer-based system.

14.
IS security threats have increased significantly in recent years. We identified the gaps between manager perceptions of IS security threats and the security countermeasures adopted by firms by collecting empirical data from 109 Taiwanese enterprises. Industry type and organizational use of IT were seen as the two factors that affected the motivation of firms to adopt security countermeasures, but their implementation did not necessarily affect the threat perceptions of the managers. Analyses of responses suggested that the scope of the countermeasures adopted was not commensurate with the severity of the perceived threats. Among the threats, networks were rated as contributing the most severe threat and yet had the lowest level of protection; this was followed by threats due to personnel and administrative issues. We therefore addressed threat mitigation strategies, specifically in terms of the differences between industries.

15.
The concept of roles has been prevalent in the area of Information Security for more than 15 years already. It promises simplified and flexible user management, reduced administrative costs, improved security, as well as the integration of employees’ business functions into the IT administration. A comprehensive scientific literature collection revealed more than 1300 publications dealing with the application of sociological role theory in the context of Information Security up to now. Although there is an ANSI/NIST standard and an ISO standard proposal, a variety of competing models and interpretations of the role concept have developed. The major contribution of this survey is a categorization of the complete underlying set of publications into different classes. The main part of the work is investigating 32 identified research directions, evaluating their importance and analyzing research tendencies. An electronic bibliography including all surveyed publications together with the classification information is provided additionally. As a final contribution potential future developments in the area of role-research are considered.

16.
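This paper describes a GIS-based urban and rural power grid management system. The goal of the system is to provide equipment management for distribution automation and a customer information system. The system core and user interface are written in Visual Basic; the spatial database and the attribute database are created and managed by MapInfo and Access respectively; the attribute database is connected via ADO; and the MapX control is embedded in VB to operate on and control the graphics.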

17.
A principal concern of organizations is the failure of employees to comply with information security policies (ISPs). Deterrence theory is one of the most frequently used theories for examining ISP violations, yet studies using this theory have produced mixed results. Past research has indicated that cultural differences may be one reason for these inconsistent findings and have hence called for cross-cultural research on deterrence in information security. To address this gap, we formulated a model including deterrence, moral beliefs, shame, and neutralization techniques and tested it with the employees from 48 countries working for a large multinational company.

18.
Risk assessment is the core process of information security risk management. Organizations use risk assessment to determine the risks within an information system and provide sufficient means to reduce these risks. In this paper, a hybrid procedure for evaluating risk levels of information security under various security controls is proposed. First, this procedure applies the Decision Making Trial and Evaluation Laboratory (DEMATEL) approach to construct interrelations among security control areas. Secondly, likelihood ratings are obtained through the Analytic Network Process (ANP) method; as a result, the proposed procedure can detect the interdependences and feedback between security control families and function in real world situations. Lastly, the Fuzzy Linguistic Quantifiers-guided Maximum Entropy Order-Weighted averaging (FLQ-MEOWA) operator is used to aggregate impact values assessed by experts, applied to diminish the influence of extreme evaluations such as personal views and drastic perspectives. A real world application in a branch office of the health insurance institute in Taiwan was examined to verify the proposed procedure. By analyzing the acquired data, we confirm the proposed procedure certainly detects the influential factors among security control areas. This procedure also evaluates risk levels more accurately by coping with the interdependencies among security control families and determines the information systems safeguards required for better security, therefore enabling organizations to accomplish their missions.

19.
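Discussion of key technologies for power supply enterprise production information management systems   Total citations: 2, self-citations: 1, citations by others: 2
The production information management system of a power supply enterprise is one of the core systems for the enterprise's information management, and its development is an important part of the enterprise's informatisation. Over the long course of informatisation in power supply enterprises, problems such as low-level duplicated construction, data consistency and information silos have hindered the sustainable development of enterprise informatisation. This paper describes analysing and quantifying power supply enterprise production information from a semantic perspective and a method of building a unified data model using object-oriented concepts, and discusses the use of software technologies such as workflow, OLE, multi-tier C/S architecture and ASP in software development. The model and technologies have been applied in actual development work with good results.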

20.
Olivier   《Decision Support Systems》2008,44(4):842-853
In this case study we compare three process modelling techniques in order to find common concepts and to identify significant differences. We base this comparison around three general questions:
• What are the objectives of the organisation
• Who is doing what with which resources
• How does the organisation work
The answers to the third of these questions (“How does the organisation work”) are quite similar for all three of the modelling techniques we examine here. The main differences, at the modelling level, appear when considering the answers to the first two.
