發(fā)布時間：2018-01-27 05:26

  本文關鍵詞： 風險評估 風險管理 IS027001標準 信息安全管理體系 J2EE技術　出處：《電子科技大學》2014年碩士論文　論文類型：學位論文

【摘要】：隨著計算機技術高速發(fā)展,網(wǎng)絡安全也面臨著重大挑戰(zhàn),特別是金融行業(yè)。金融行業(yè)中的網(wǎng)絡安全問題是隨著銀行策略、組織架構、信息系統(tǒng)和操作流程的改變而改變。為了防止和減少風險,需要新的安全管理體系去預防金融網(wǎng)絡安全的方法。全面風險管理作為金融業(yè)乃至信息安全也是新的管理方法,它采用了定性與定量考評方法的風險管理的模式實現(xiàn)銀行內外環(huán)境變化風險評估。本論文以對金融類公司的調研為基礎,結合金融類公司的實際需求進行了系統(tǒng)的需求分析,并可以根據(jù)用戶的具體要求和未來可能需要添加的功能,該系統(tǒng)在體系結構上采用基于三層的B/S模式,數(shù)據(jù)層采用oracle數(shù)據(jù)庫作為數(shù)據(jù)存儲與管理,利用oracle管理系統(tǒng)大容量數(shù)據(jù)與保持數(shù)據(jù)一致性。Oracle強大的安全性與易用性為系統(tǒng)設計與數(shù)據(jù)存儲提供了基礎條件,在加上與J2EE技術的集合,使網(wǎng)頁數(shù)據(jù)更新與后臺數(shù)據(jù)庫更新同步成為可能,有效擴展了金融業(yè)對外提供實時服務的可能性,在結構上采用基于SOA的多層軟件設計和基于Struts和Hibernate的數(shù)據(jù)庫中間件,并定義了統(tǒng)一的數(shù)據(jù)訪問接口實現(xiàn)上層應用訪問底層數(shù)據(jù)庫,同時進行了基于UDDI注冊服務中心的信息系統(tǒng)服務訪問實現(xiàn)。在功能上,系統(tǒng)提供了良好的業(yè)務模塊管理、數(shù)據(jù)庫管理、數(shù)據(jù)容災管理、風險計算管理、項目風險管理、項目信息管理頁面,通過該頁面可以實現(xiàn)信息增加、刪除、修改,數(shù)據(jù)庫容災備份與恢復,自動生成項目風險報表,實現(xiàn)項目信息編集操作等。在論文最后通過IS027001評估用例與測試架構對金融信息安全風險評估測試。本系統(tǒng)主要研究ISO27001風險評估與風險管理相關理論,并結合銀行風險評估與風險管理實際需求完成銀行風險評估與風險指標量化,并重點將網(wǎng)絡資產(chǎn)細化表、威脅明細表、網(wǎng)絡安全威脅的風險系數(shù)矩陣的參考表用于銀行安全風險、信息資產(chǎn)、系統(tǒng)脆弱性、安全預警、安全響應、網(wǎng)絡安全管理、安全時間管理中,從而實現(xiàn)銀行威脅及其脆弱性進行定性、定量的風險分析,對于研究銀行信息安全具有普遍的意義。
[Abstract]:With the rapid development of computer technology, network security is also facing major challenges, especially in the financial industry. The network security problem in the financial industry is with the banking strategy, organizational structure. Changes in information systems and operating procedures. To prevent and mitigate risks. A new security management system is needed to prevent the financial network security. The overall risk management is also a new management method as the financial industry and even information security. It adopts the risk management model of qualitative and quantitative evaluation methods to realize the risk assessment of the change of internal and external environment of banks. This paper is based on the investigation of financial companies. Combined with the actual needs of financial companies, the system needs analysis, and according to the specific requirements of users and possible future needs to add functions, the system in the architecture of the system based on the three-tier B / S model. Data layer uses oracle database as data storage and management. Make use of oracle management system large capacity data and maintain data consistency. Oracle strong security and ease of use for the system design and data storage provides the basic conditions. With the combination of J2EE technology, it is possible to synchronize the update of web page data with the update of background database, which effectively expands the possibility of the financial industry providing real-time services to the outside world. In the structure, multi-tier software design based on SOA and database middleware based on Struts and Hibernate are adopted. The unified data access interface is defined to realize the upper application access to the underlying database. At the same time, the information system service access implementation based on UDDI registration service center is carried out. The system provides good business module management, database management, data disaster recovery management, risk calculation management, project risk management, project information management page, through which information can be added and deleted. Modify, database disaster recovery and backup, automatically generate project risk report. At the end of this paper, we test the financial information security risk assessment by using IS027001 evaluation case and test architecture. This system mainly studies ISO27001 risk assessment and testing. Theory of risk management. And combined with the actual needs of bank risk assessment and risk management to complete the bank risk assessment and risk index quantification, and focus on the network assets detailed table, threat list. The reference table of the risk coefficient matrix of network security threat is used in bank security risk, information assets, system vulnerability, security early warning, security response, network security management, security time management. Therefore, the qualitative and quantitative risk analysis of bank threat and its vulnerability is of universal significance for the study of bank information security.
【學位授予單位】：電子科技大學
【學位級別】：碩士
【學位授予年份】：2014
【分類號】：TP393.08
，

本文編號：1467691