数智化转型网 szhzxw.cn, Digital Transformation 1000 Questions

What are the protection targets of information security?

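An information system is an integrated human-machine system whose purpose is to process information flows. It is made up of computer hardware, network and communication equipment, computer software, information support, information users, and rules and regulations. A security weakness in any one of these components affects the security of the whole system. Based on how information systems operate, information system security comprises the following parts.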

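Computer security

Computer hardware: Hardware is subject to problems such as physical damage and firmware bugs, so damaged hardware must be replaced and firmware must receive security upgrades.

Computer software: Operating systems and software face threats such as vulnerabilities, viruses, and malicious code, so computers need vulnerability remediation, intrusion detection, access control, and similar measures to restrict unauthorized access and access beyond granted privileges.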

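Communication and network security

Network architecture: A single point of failure can interrupt the business, so the network architecture needs a degree of redundancy, including device redundancy and link redundancy.

Communication transmission: IP packets themselves have no security properties and face a variety of threats, so transmitted data must be integrity-checked or encrypted to ensure its integrity and security.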
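To make the point about IP packets concrete, the following added example (not part of the original article) shows that the IPv4 header checksum still validates after the payload is altered in transit, while a keyed HMAC-SHA256 tag over the payload detects the change. The key, addresses, payload strings and function names are all constructed for the illustration.

```python
import hashlib, hmac, struct
from typing import Optional

KEY = b"constructed-demo-key"  # constructed; real keys come from key exchange

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum((header[i] << 8) | header[i + 1] for i in range(0, len(header), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(payload: bytes) -> bytes:
    """Constructed IPv4 packet: documentation addresses, experimental protocol 253."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, 253, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def header_checksum_ok(packet: bytes) -> bool:
    # A header summed together with its own valid checksum complements to 0.
    return ipv4_checksum(packet[:20]) == 0

def protect(payload: bytes, key: bytes) -> bytes:
    """Append a 32-byte HMAC-SHA256 tag (integrity only, no confidentiality)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def verify(message: bytes, key: bytes) -> Optional[bytes]:
    """Return the payload if the tag matches, else None."""
    if len(message) < 32:
        return None
    payload, tag = message[:-32], message[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None

def demo() -> dict:
    original = build_packet(protect(b"pay 100 to alice", KEY))
    # Same-length change to the payload in transit; header is left untouched.
    tampered = original[:20] + b"pay 900 to mally" + original[36:]
    return {
        "ip_ok_original": header_checksum_ok(original),
        "ip_ok_tampered": header_checksum_ok(tampered),   # still True
        "hmac_original": verify(original[20:], KEY),
        "hmac_tampered": verify(tampered[20:], KEY),       # None
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The header checksum is unkeyed and covers only the header, so it catches accidental corruption but not deliberate modification. In deployed networks the keyed check and the encryption are provided by protocols such as IPsec or TLS rather than by application code like this.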

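Application and data security

Application security: Common applications such as web, e-mail, and DNS are all easy targets for attack. Taking the web as an example, threats include DDoS attacks and unknown attacks, so intrusion prevention should be deployed for web applications.

Data security: Data faces storage, processing, sharing, and destruction risks, so it requires measures such as backup, disaster recovery, archiving, encryption, desensitization (masking), authorization, soft erasure, and physical destruction.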


This article was reposted by 数字化转型网 (www.szhzxw.cn); source: the internet. Editing/translation: 默然, 数字化转型网.
