
Research on Standardised Management of Digital Library Information Security

Published: 2018-08-28 08:57
【Abstract】: Since the concept of the digital library was proposed in 1991, its research and practice have flourished worldwide. However, digital libraries exist and develop on the basis of computer technology, network technology, data communication technology and other specialised high technologies, so the security risks they face are far greater than those of traditional libraries. Information security has become a major topic of digital library research and practice. After passing through three stages of development (technical safeguards, management safeguards and institutional safeguards), libraries in the United States have begun to establish information security management systems and to respond to all kinds of sudden information security incidents through risk assessment, preventive mechanisms and active intervention. Most libraries in China, by contrast, are still at the technical-safeguard stage. According to a survey, 100% of digital libraries in China experience at least one information security incident per year, with weak information security awareness, insufficient information security management staff and the lack of an information security management strategy as the leading causes. It is therefore imperative for digital libraries to follow the golden rule of "30% technology, 70% management" and establish an information security management system.

In order to provide an operable and complete solution for establishing a digital library information security management system that conforms to international and national standards, to solve the key problems of standardised information security management that the construction of digital library standards and specifications has rarely addressed, to improve the digital library standards system, to promote standardisation and normalisation of digital library information security, and to introduce the basic principles and ideas of ISO 27000 fully into this field so that standardised information security management in digital libraries is aligned with advanced international standards, this dissertation studies the implementation framework, method models and draft standards for standardised information security management in digital libraries. It solves the key problems encountered in this process, forms recommended schemes, and lays a foundation for information security management standards for the digital library sector that have clear objectives, a complete system, practical functions and strong operability. The specific research content and results cover the following five aspects:

(1) Implementation framework for standardised information security management in digital libraries. By sorting out and analysing the PDCA process approach, main factors and management workflow of ISO/IEC 27001, and combining these with the needs and characteristics of digital libraries, the ISO/IEC 27001 process model is transformed for the library field. This includes: defining the PDCA process approach and its meaning for digital library information security management; setting out the management workflow from formulating the plan to risk assessment to risk control, together with the implementation workflow of each process; and analysing and determining the main influencing factors of risk assessment and risk control. The main factors of risk assessment are of two types: direct factors (assets, threats, vulnerabilities, controls) and indirect factors (confidentiality, integrity and availability; the importance of confidentiality, integrity and availability to asset value; the likelihood of a threat occurring; and the loss to the confidentiality, integrity and availability of an asset once a threat occurs). The main factors of risk control are likewise of two types: direct factors (implementation cost and effectiveness) and indirect factors (time, manpower, expense, difficulty, effectiveness against each risk, etc.).

(2) Method model for digital library information security risk assessment. Starting from a summary of existing information security risk assessment methods and models, the problems of existing models in balancing quantitative and qualitative aspects, operability and acceptability of results are analysed, and the reasons why existing methods are not suited to digital library information security risk assessment are explained. The basis for selecting risk assessment methods and models for digital libraries is then determined. Finally, an operable digital library information security risk assessment model based on GB/T 20984 is constructed, together with a model for computing asset value and threat magnitude based on a multi-factor fuzzy comprehensive evaluation matrix and a model for computing vulnerability magnitude based on a multi-channel weighted average. The data collection, analysis and calculation strategies of the assessment model are described in detail, and the feasibility and practical assessment effect of the model are verified through an empirical study.

(3) Method model for digital library information security risk control. Starting from a summary of existing information security risk control methods and models, the problems of existing models, such as their detachment from the risk assessment stage and cumbersome, complex operation, are analysed; the reasons why existing methods are not suited to digital library information security risk control are explained; and it is established that a semi-quantitative or comprehensive analytical method based on ISO 27000 and linked to risk assessment is better suited to information security risk control in digital libraries. On this premise, the controls in ISO/IEC 27002:2005 and ISO/IEC 27002:2013 are surveyed and analysed, and a set of core control elements and reference control elements for digital libraries based on ISO/IEC 27002 is determined. Under the requirement of lowest cost and best effect for risk control in the digital library field, a risk control decision model based on linear programming and fuzzy mathematics is constructed, and its data collection, analysis and calculation strategies are described in detail to ensure its operability and effectiveness.

(4) Draft standard for digital library information security management. On the basis of the research on the process model and the risk assessment and risk control models, and combined with an analysis of how ISO/IEC 27001 and ISO/IEC 27002 have been adapted and applied in the telecommunications, finance and healthcare industries, the issues to be considered in forming, implementing and promoting information security standards in the digital library field are discussed, including the purpose, significance, scope, structure, workflow, core, implementation obstacles and promotion strategy of the standard. Finally, a preliminary draft standard for digital library information security management is written, providing a long-term institutional guarantee for standardised information security management in digital libraries.

(5) Empirical study of standardised information security management in a digital library. A well-known university-town library in China is chosen as the subject, and the empirical study strictly follows the workflow, methods and requirements of the draft standard. This covers preparatory work (the library's information security management objectives, scope, methods, team and plan), risk assessment work (identification, valuation and calculation of assets, threats and vulnerabilities), and risk control work (identification of the factors affecting controls, effectiveness calculation and recommendation of controls). Finally, on the basis of the implementation results and on-site interviews, the library's established information security management system is reviewed, verifying the rationality and effectiveness of the risk management workflow and the draft standard for digital library information security.

This dissertation aims to establish a general, standardised, feasible and effective implementation framework for digital library information security management and to solve the key problems of standardised management in digital libraries. The innovations of the research are as follows: (1) An implementation framework for digital library information security management with strong operability and a controllable cycle is constructed. It not only satisfies the requirements of ISO 27000 and the specific requirements of digital libraries, but also shortens the survey and implementation cycle in a digital library to within one month, saving time and money. (2) Operable and effective application models for digital library information security risk assessment and risk control are constructed. They simplify the quantitative calculation workflow of risk assessment and risk control while conforming to the information security management requirements and current situation of digital libraries. (3) Core control elements and reference control elements suited to the digital library field are selected on the basis of the 2013 edition of ISO 27002. This set of elements provides the basis for deciding on and implementing risk controls in digital libraries. (4) A draft standard is designed that both adheres to the basic principles and ideas of ISO 27000 and takes account of the characteristics of the digital library sector. It lays a foundation for formulating digital library information security management standards and specifications and can guide the practice of standardised information security management in digital libraries. In addition, the methods, models, checklists and templates studied here can provide reference and ideas for other industries that use the ISO 27000 series of standards for standardised information security management.
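The abstract names three building blocks of the assessment model (a multi-factor fuzzy comprehensive evaluation matrix for asset value and threat magnitude, a multi-channel weighted average for vulnerability magnitude, and a GB/T 20984-style combination of the three into a risk level) and a cost-constrained control decision. The following is an added illustration of that pipeline, not code from the dissertation: the CIA weights, membership vectors, thresholds, sample control catalogue and budget are constructed, the risk combination is a geometric mean chosen to keep the 1..5 scale, and the control selection is an exhaustive 0/1 knapsack standing in for the linear-programming model the abstract describes.

```python
"""Illustrative GB/T 20984-style risk assessment pipeline (added example).

Everything numeric below (weights, membership scores, thresholds, the control
catalogue and the budget) is constructed for illustration and is not taken
from the dissertation.
"""
from itertools import combinations

LEVELS = [1, 2, 3, 4, 5]  # 5-level ordinal scale (very low .. very high)


def fuzzy_comprehensive_eval(weights, membership):
    """Multi-factor fuzzy comprehensive evaluation, B = W . R (weighted-sum operator).

    weights:    one weight per factor, e.g. confidentiality/integrity/availability
    membership: one membership vector over LEVELS per factor (each row sums to 1)
    Returns the fused membership vector over LEVELS, normalised to sum to 1.
    """
    assert abs(sum(weights) - 1.0) < 1e-9, "factor weights must sum to 1"
    assert all(len(row) == len(LEVELS) for row in membership), "bad membership row"
    fused = [sum(w * row[j] for w, row in zip(weights, membership)) for j in range(len(LEVELS))]
    total = sum(fused)
    return [x / total for x in fused]


def defuzzify(fused):
    """Collapse a membership vector to a crisp score on the 1..5 scale."""
    return sum(level * m for level, m in zip(LEVELS, fused))


def weighted_average(channel_scores, channel_weights):
    """Multi-channel weighted average, e.g. vulnerability severity as reported by
    a scanner, an interview and a document review, each with its own weight."""
    assert len(channel_scores) == len(channel_weights), "one weight per channel"
    return sum(s * w for s, w in zip(channel_scores, channel_weights)) / sum(channel_weights)


def risk_value(asset, threat, vulnerability):
    """Combine the three GB/T 20984 factors into one score.

    A geometric mean is used here (a constructed choice) so the result stays
    on the same 1..5 scale as its inputs.
    """
    return (asset * threat * vulnerability) ** (1.0 / 3.0)


def risk_level(score):
    """Map a crisp score to the 5-level label used for reporting."""
    for bound, label in ((1.5, "very low"), (2.5, "low"), (3.5, "medium"), (4.5, "high")):
        if score < bound:
            return label
    return "very high"


def choose_controls(catalogue, budget):
    """Lowest-cost / best-effect control selection under a budget.

    catalogue: {name: (cost, risk_reduction)}; exhaustive 0/1 knapsack, which is
    fine for a short shortlist and stands in for the LP model named in the abstract.
    Returns (sorted tuple of chosen names, total reduction, total cost).
    """
    names = sorted(catalogue)
    best = ((), 0.0, 0)
    for k in range(len(names) + 1):
        for subset in combinations(names, k):
            cost = sum(catalogue[n][0] for n in subset)
            if cost > budget:
                continue
            reduction = sum(catalogue[n][1] for n in subset)
            if reduction > best[1]:
                best = (subset, reduction, cost)
    return best


def assess_sample_asset():
    """Run the pipeline on one constructed asset (a library catalogue server)."""
    cia_weights = [0.5, 0.3, 0.2]           # constructed: confidentiality matters most
    cia_membership = [                       # constructed expert ratings over LEVELS
        [0.0, 0.0, 0.2, 0.5, 0.3],           # confidentiality
        [0.0, 0.1, 0.4, 0.4, 0.1],           # integrity
        [0.0, 0.0, 0.5, 0.5, 0.0],           # availability
    ]
    asset = defuzzify(fuzzy_comprehensive_eval(cia_weights, cia_membership))
    threat = 3.0                             # constructed: likelihood rated "medium"
    vulnerability = weighted_average([4, 3, 5], [0.5, 0.3, 0.2])  # scanner/interview/review
    score = risk_value(asset, threat, vulnerability)
    return {"asset": asset, "threat": threat, "vulnerability": vulnerability,
            "risk": score, "level": risk_level(score)}


if __name__ == "__main__":
    print(assess_sample_asset())
    catalogue = {"mfa": (3, 1.2), "backup": (2, 0.8), "training": (1, 0.5), "siem": (4, 1.4)}
    print(choose_controls(catalogue, budget=5))
```

The fuzzy step keeps the experts' uncertainty as a distribution over levels until the last moment, which is what makes the result defensible in an audit; the knapsack step shows why cost and effectiveness must be collected per control, as the abstract's direct factors require.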
【Degree-granting institution】: Nanjing Agricultural University
【Degree level】: Doctorate
【Year of degree】: 2016
【Classification number】: G250.76; TP309


Source: http://www.sikaile.net/shoufeilunwen/xxkjbs/2208917.html

