基于ISO27001的信息安全管理体系的研究和实现

上海交通大学硕士学位论文基于ISO27001的信息安全管理体系的研究和实现姓名：朱璇申请学位级别：硕士专业：软件工程指导教师：陈昊鹏;黄荣瑞20090208ISO27001IISO27001InformationSecurityManagementSystemISMSISMSISO/IEC27001ISO27001ISMSISMSISO/IEC27001ICICICBIFISO27001REMSREMSISO27001IIREMSSDLCREMS,ISO27001,REMSISO27001ISO27001ISO27001CIAISO27001IIIRESEARCHANDIMPLEMENTATIONOFISO27001-BASEDINFORMATIONSECURITYMANAGEMENTSYSTEMABSTRACTTherapiddevelopmentofinformationtechnologyhaschangedpeople'sworkandlife.Theimportanceofinformationiswidelyacceptedandmanycompanieshaveparticularlyconcernedaboutitandtreatitasanimportantasset.TheISMS(InformationSecurityManagementSystem)isaneffectivewaytosolvetheinformationsecurityissuessystematically.ISMSispartoforganizationoverallmanagementsystem,inwhichorganizationestablishestheinformationsecuritypolicyandthegoalwithintheentiretyorspecificallyappointedrange,aswellasachievesthesegoals.Asarepresentationalinformationsecuritymanagementsystemstandardintheworld,ISO/IEC27001hasgotmoreandmorecountries’ratification.ThedissertationdoesalotofresearchaboutthetheoryofISO27001andtheriskmanagement.Thedissertationstudiesthecurrentsituationandsecurityrequirementofamodernenterprise,putsforwardfeasiblemethodsofriskassessment,designsariskassessmentprocess.Duringtheprocessofestablishingtheenterprise’sISMS,designaseriesofformsandsomeadaptivemethodsaccordingtotheenterprise’scharacteristic,whichmaderiskassessmentappliedsuccessfullytotheISMSprocess.Andthentheenterprise’sISMSgotISO27001certificate.Thedissertationcombinestheenterpriseinformationassetcharacteristicandtheinformationsecurityneeds,aswellastherealizationfeasibility,anddesignsasetofqualitativeandquantitativeriskanalysismethods.Thevalueofinformationassets’CIA,threadsandvulnerabilitieswereanalyzedbyqualitativemethod,whichmadeitoperabletoidentifyandassessalargeamountofassets.Thevalueofassetandriskwereworkoutbyquantitativemethod,whichprovidedthefollowingriskmanagementtheexactbasis.Thedissertationachievesthecompleteidentificationofinformationassetsandformlistsofenterpriseinformationassets,afteranalyzethebusinessinformationflow.IntheICISO27001IVmanufactureenterprise,customer’sICdesignisthesourceofproductlineandisthecoreofinformationsecuritymanagementsystem.SotoselectICdesignrelativebusinesstoanalyzebusinessinformationflowensuredthecriticalassetswereidentifiedcompletelyandefficiently.IntheriskassessmentusingthevulnerabilityasmainlineandISO27001standardcontrolpoints,designsthemethodofidentifyingassetvulnerabilityandthreat,whichhelpenterprisetoknowwellandcontrolinformationrisk.Thedissertationselectsenterprise’sproductionmanagementsystem---REMSastypicalsampletodoriskassessmentintheISMSimplementationprocess.Accordingtheassessmentresult,REMSbelongstohigh-risksoftwareassetsandneedtoaddriskcontrolandimproveitssecuritymanagement.Intheriskcontrolplandesignsthedevelopmentflow,viz.systemdevelopmentlifecycle.Andtheninthelifecycle,combinesISO27001standardand“touchpoint”developmentmodeltoimplementsecuritymanagementonREMS.The“touchpoint”developmentmodelgivessecuritymanagementarchitecturebasedonsoftwaredevelopmentlifecycle.AndISO27001standardpointsoutthedetailedimplementationguidelinesfromallsidesofsoftwaredevelopment.AftertheestablishmentofISMSandtheadoptionofISO27001certification,improvedtheenterprise’sconfidentiality,integrityandavailabilityofinformationsecurity,formedasustainableimprovementinformationsecuritymanagementenvironment.KeywordsInformationSecurityManagementSystem,ISO27001,CIA,InformationSecurityRiskAssessmentISO2700132009115ISO27001420091152009115ISO2700111.1.1.19875000020055100752025%260%70%[1]1.2.[2]60%[3]ISO2700121.3.[4]1967101981ComputerSecurityCenter1995NationalComputerSecurityCenterNCSCNCSCTrustedComputerSystemEvaluationCriteriaTCSECOrangeBookTDITNIABCD[5]1988CTCPEC198951991TCSECITSEC10ISO270013CommonCriteriaforITSecurityEvaluationCC199611.0199842.0199912CC2.0CC2.1ISO/ICE154081ProtectionProfilePPSecurityTargetST2TargetofEvaluationTOE37EvaluationAssuranceLevelsEAL[6]CCBritishStandardInstituteBSI19951999BS7799BS7799-11999BS7799-21999[7]BS7799-11999InformationSecurityManagementSystemISMSBS7799-219992000BS7799ISOBS7799-1ISO177992000[8]BS7799-2200020052000BS7799-220200510BS7799-2ISO27001[2]1999GB17859-1999ISO270014[9]20013ISO/ICE15408GB/T1836-201[10]1.4.2004IS027001BS7799IS027001IS027001IS02700110IS027001ISO27001ISO27001IS027001ISO2700152.2.1.[8]:[11][12]1)2)3):;4):.ISO2700165):[13](Confidentiality)(Integrity)(Availability)CIA2-12-1.CIAFig2-1.InforSecurityCIA3-Elements2.2.(InformationSecurityManagementSystem,ISMS)ISMSISO27001:2005(ISMS)ISMS:ISMSIS027001P-D-C-A(Plan,Do,CheckAct)ISMSConfidentialityIntegrityAvailabilityISO270017ISMSISMSISMSISMSISMSISMSP-D-C-AP-D-C-AP-D-C-AP-D-C-AP-D-C-AIS027001ISMS()ISMSISMS2.3.ISMS-2.3.1.PDCAPlanISO27001[14][15]ISO2700182.3.2.1(Asset)DataSoftware/Hardware():U::(UPS)Service()PeopleOther2ValueISO270019CIA3)(Threat)4(Vulnerability)5(Risk)6(Control)()ISO27001102.3.3.2-22-2.Fig2-2.RiskElementsRelationship:CIAISO27001113-----ISO27001123.3.1.IS027001IS027001IS027001IS027001ISO27001133.2.ICICICICICICIC