
Study On Standardization Management Of Digital Library Information Security

Posted on: 2017-03-11
Degree: Doctor
Type: Dissertation
Country: China
Candidate: N Ren
Full Text: PDF
GTID: 1318330518480681
Subject: Information resource management
Abstract/Summary:
Since the concept of the 'Digital Library' was put forward in 1991, related research and practice have developed rapidly worldwide. Because the development of the Digital Library depends heavily on computer technology, network technology, data communications and other specialised high technology, the information security risk of a Digital Library is much higher than that of a traditional library, and information security problems have become an important topic of research and practice in the Digital Library. In the United States, after three stages of development (technical, managerial and systemic), attempts have been made to establish an information security management system for the Digital Library that deals with all kinds of information security problems through risk assessment, prevention mechanisms, active intervention and so on, whereas the information security of most libraries in our country is still at the stage of technical support. According to the survey, every digital library in our country suffers at least one information security incident a year; the main reasons are weak awareness and a lack of information security management and management strategy. It is therefore imperative to apply the golden rule of "three points technology, seven points management" and to establish a management system for the information security of the Digital Library.

This paper has four purposes. The first is to provide a complete, operable solution that meets international and national standards for establishing the ISMS of a Digital Library. The second is to solve key issues concerning the standards and specifications of information security management in the Digital Library. The third is to promote the standardization of information security in the Digital Library. The last is to introduce the basic principles and ideas of ISO 27000 fully into Digital Library information security, so as to promote information security management in the Digital Library with advanced international standards. The paper studied the implementation framework, the methods and models and the standard draft, solved the key issues in establishing standardized information security management of the Digital Library, formed recommendations, and laid the foundation for Digital Library information security management standards with clear goals, a complete system, practical functions and good operability. The specific research contents and achievements of this paper fall into the following five aspects.

(1) Implementation framework of standardized information security management of the Digital Library
In this part the author first analysed the status quo of information security management and standards in the Digital Library, then analysed the PDCA process approach, management processes, core elements and so on of ISO/IEC 27001, and transformed the process and model of ISO/IEC 27001 into the Digital Library field in combination with the requirements and characteristics of the Digital Library. Firstly, the paper confirmed the process approach and connotation of information security management in the Digital Library. Secondly, the author combed through the management process in the Digital Library field, from developing schemes to risk assessment and risk control, and the implementation flow of each process. Thirdly, the core elements of risk assessment and risk control were analysed and determined. The core elements of risk assessment include direct elements (assets, threats, vulnerabilities, control measures) and indirect elements (confidentiality, integrity and availability; the importance of confidentiality, integrity and availability for the asset; the likelihood of threats; and the loss of the asset's confidentiality, integrity and availability when a threat occurs). The core elements of risk control are cost and effectiveness.

(2) Method and model of information security risk assessment in the Digital Library
The paper summarized the methods and models of information security risk assessment, analysed the balance between quantitative and qualitative approaches, operability, acceptability of results and other problems in the existing methods and models, and explained why these methods are not applicable to the Digital Library. On this basis the author confirmed the basis for selecting the method and model for the Digital Library, and identified the factors influencing assets, threats and vulnerabilities in the risk assessment of digital libraries. Calculation models were then constructed: for the value of assets and threats, based on a multi-factor fuzzy comprehensive evaluation matrix; for the value of vulnerabilities, based on a multi-channel weighted average model; and for information security risk assessment in the Digital Library, based on GB/T 20984. Finally, an empirical study and comparative analysis were carried out.

(3) Method and model of information security risk control in the Digital Library
The paper summarized the methods and models of information security risk control, analysed the disconnect between risk assessment and risk control, the complexity of operation and other problems in the existing methods and models, and explained why these methods are not applicable to the Digital Library. It then confirmed that a semi-quantitative method (the comprehensive analysis method), linked to risk assessment based on ISO 27000, is suitable for information security risk control in the Digital Library. On this basis the author investigated and analysed the risk control measures in ISO/IEC 27002:2005 and ISO/IEC 27002:2013, and determined a collection of core and reference control elements for the Digital Library based on ISO/IEC 27002. Finally, the author built a risk control decision model based on linear programming and fuzzy mathematics, according to the Digital Library's requirement of the lowest cost and the best effect, and then expounded the strategies of data collection and analysis that ensure the operability and validity of this model.

(4) Standard draft of information security management in the Digital Library
Based on the study of the process and model of information security management and the methods of risk assessment and control in the Digital Library, the paper discussed the problems in the formation, implementation and promotion of information security standards in the Digital Library, including the purpose, significance, scope, structure, process, core content, implementation obstacles and implementation strategies of the standard, drawing on the conversion and application of ISO/IEC 27001 and ISO/IEC 27002 in the fields of telecommunications, health and financial services. Finally, the author produced the standard draft of information security management in the Digital Library.

(5) Empirical research on the processes and standards of information security management in the Digital Library
The paper chose a well-known domestic university and city library as the object of empirical research and applied the processes, methods, requirements and so on of this study to it. The work includes the first-phase preparations (objectives, scope, methods, team, plan and so on of the library's information security management), risk assessment (identification and calculation of the value of assets, threats and vulnerabilities) and risk control (recognition of influencing elements, effectiveness calculation and recommendation of control measures). At the end of this part the author reviewed the ISMS of the library against the results and the investigation, and verified the rationality and validity of the process, methods and standard.

This study aims to establish a common, standardized, feasible and effective implementation framework for Digital Library information security management, in order to solve the key problems in standardized management. The paper has four innovations. (1) It builds a management framework for information security management in the digital library that is highly operable and time-boxed; the framework not only satisfies the requirements of ISO 27000 but also shortens the implementation cycle to within a month, saving time and cost for digital library information security management. (2) It builds application models of risk assessment and risk control for digital library information security that are operable and valid; these models simplify the quantitative calculation process and conform to the requirements and status quo of information security management in the digital library. (3) It selects core and reference control elements for the digital library based on ISO 27002:2013; this collection of elements provides a foundation and basis for decision-making and implementation in the digital library. (4) It develops a standard draft that both complies with ISO 27000 and considers the characteristics of the Digital Library industry; the draft lays the foundation for establishing information security standards in the digital library and can be used to guide the practice of standardized information security management in the digital library. In addition, the methods, models, lists and templates in this paper can serve as a reference for other industries studying and using the ISO 27000 series of standards.
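The abstract describes risk assessment as a function of asset value, threat likelihood and vulnerability severity (the GB/T 20984 two-step approach: likelihood from threat and vulnerability, impact from asset value and vulnerability, risk from both) and risk control as choosing measures for the lowest cost and best effect. The following Python is an added illustration of that flow and is not the dissertation's model: the 1-5 rating scales, the asset-value weights, the score-to-level thresholds, the three assets, the exposures and the control catalogue are all constructed for the example, and an exhaustive search over control subsets stands in for the author's linear-programming and fuzzy-mathematics decision model.

```python
"""Simplified GB/T 20984-style risk rating and minimum-cost control selection.

Added example. All scales, weights, thresholds and sample data below are
constructed for illustration; they are not the dissertation's models or data.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int  # importance of C/I/A for the asset, 1 (low) .. 5 (high)
    integrity: int
    availability: int

    @property
    def value(self) -> int:
        # Asset value as a weighted average of C/I/A importance (constructed weights),
        # rounded back onto the 1..5 scale.
        return round(0.4 * self.confidentiality + 0.3 * self.integrity + 0.3 * self.availability)


@dataclass(frozen=True)
class Exposure:
    asset: Asset
    threat: str
    threat_likelihood: int  # 1..5, how often the threat is expected to occur
    vuln_severity: int      # 1..5, how easily the vulnerability is exploited


def likelihood(threat_likelihood: int, vuln_severity: int) -> int:
    """L(T, V): security-event likelihood, here the rounded-up mean (constructed)."""
    return (threat_likelihood + vuln_severity + 1) // 2


def impact(asset_value: int, vuln_severity: int) -> int:
    """F(Ia, Va): loss if the event occurs, here the rounded-up mean (constructed)."""
    return (asset_value + vuln_severity + 1) // 2


def risk_level(exp: Exposure) -> int:
    """R(L, F): map the 1..25 product onto a 1..5 risk level (constructed thresholds)."""
    score = likelihood(exp.threat_likelihood, exp.vuln_severity) * impact(exp.asset.value, exp.vuln_severity)
    for level, floor in ((5, 20), (4, 13), (3, 7), (2, 4)):
        if score >= floor:
            return level
    return 1


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                  # constructed cost units
    reduction: Dict[str, int]  # risk-level reduction per threat the control addresses


def residual_risks(exposures: Sequence[Exposure], controls: Sequence[Control]) -> Dict[Tuple[str, str], int]:
    """Residual risk level per (asset, threat) after applying the given controls."""
    out = {}
    for e in exposures:
        remaining = risk_level(e) - sum(c.reduction.get(e.threat, 0) for c in controls)
        out[(e.asset.name, e.threat)] = max(1, remaining)
    return out


def choose_controls(exposures: Sequence[Exposure], catalogue: Sequence[Control],
                    acceptable: int = 2) -> Optional[Tuple[List[str], int]]:
    """Cheapest subset of the catalogue that brings every exposure to the acceptable
    level, or None if no subset does. Exhaustive search over subsets (a stand-in for
    an LP/ILP solver; adequate for a small control catalogue)."""
    best = None
    for k in range(len(catalogue) + 1):
        for subset in combinations(catalogue, k):
            if all(r <= acceptable for r in residual_risks(exposures, subset).values()):
                cost = sum(c.cost for c in subset)
                if best is None or cost < best[1]:
                    best = ([c.name for c in subset], cost)
    return best


# Constructed sample data for a hypothetical library.
CATALOGUE_DB = Asset("catalogue database", confidentiality=3, integrity=5, availability=5)
READER_RECORDS = Asset("reader records", confidentiality=5, integrity=4, availability=3)
DIGITISED_COLLECTION = Asset("digitised collection", confidentiality=2, integrity=5, availability=3)

EXPOSURES = [
    Exposure(CATALOGUE_DB, "ransomware", threat_likelihood=4, vuln_severity=4),
    Exposure(READER_RECORDS, "unauthorised access", threat_likelihood=3, vuln_severity=5),
    Exposure(DIGITISED_COLLECTION, "hardware failure", threat_likelihood=2, vuln_severity=3),
]

CATALOGUE = [
    Control("offline backups", 3, {"ransomware": 2, "hardware failure": 2}),
    Control("access control and MFA", 4, {"unauthorised access": 3}),
    Control("endpoint protection", 5, {"ransomware": 2, "unauthorised access": 1}),
    Control("redundant storage", 6, {"hardware failure": 2}),
]

if __name__ == "__main__":
    for e in EXPOSURES:
        print(f"{e.asset.name} / {e.threat}: asset value {e.asset.value}, risk level {risk_level(e)}")
    print("cheapest acceptable control set:", choose_controls(EXPOSURES, CATALOGUE))
```

The separation mirrors the abstract's core elements: assets, threats and vulnerabilities feed the assessment, and cost and effectiveness drive the control decision. Replacing the subset search with a real solver (the dissertation's linear-programming model) changes only `choose_controls`; the assessment step and the residual-risk check stay the same.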
Keywords/Search Tags: Digital Library, Information Security Management, Standardization Management, Risk Assessment, Risk Control, Standard and Specification