
Design And Implementation Of Information Security System Model

Posted on: 2014-02-06 | Degree: Master | Type: Thesis
Country: China | Candidate: N Xia
GTID: 2248330398970915 | Subject: Information security
Abstract/Summary:
With the arrival of the information society, information resources have become increasingly important. They are essential to people's daily lives, the operation of organizations and the management of countries, and they support the development of modern societies. At the same time, the security of information resources has become increasingly critical. Many organizations have published information security management system standards and models, which many businesses use effectively, and many businesses now give information security management a crucial position. However, if a company only produces information security management documents according to these standards, information security management cannot be carried out efficiently without the support of an information security management platform. Such a platform is crucial to carrying out information security management efficiently.

First, the paper analyzes the characteristics of security management systems in China and finds four general problems:

(1) Assets are not related to business systems. All security management systems can reflect the security level of assets, but only a few can reflect the security level of a business system as a whole.
(2) Many security management systems in China operate passively: they detect threats only when incidents happen and cannot manage them actively.
(3) Many security management systems lack topology management and do not support creating, deleting, modifying and viewing topologies.
(4) Many security management systems lack dynamic risk management and cannot support creating, deleting and modifying risks throughout the system life cycle.

Second, to address these four problems, the paper designs a new security management system model. Third, based on this model, the paper implements a new information security management system and verifies how it solves the problems existing in security management systems in China. However, the new system is based on traditional risk evaluation methods; when it is applied to complex information systems, such as industrial control systems and electrical systems, it is not effective or appropriate. Fourth, the paper analyzes why traditional risk evaluation methods are not appropriate for complex information systems, and then introduces a new method of risk evaluation and vulnerable system identification for industrial control systems, given the lack of risk evaluation methods and of simulation platforms for industrial control system environments. The new risk evaluation method identifies system vulnerabilities from documents such as system requirements specifications and system safety requirements, which addresses the problem that industrial systems cannot be scanned with vulnerability scanning tools. The new vulnerable system identification method uses Bayesian networks to identify the most vulnerable systems efficiently, which addresses the problem that the most vulnerable systems cannot be identified efficiently from the huge volume of vulnerability scanning tool results. Finally, the paper gives an example to verify the effectiveness of the new methods of risk evaluation and vulnerable system identification.
Keywords/Search Tags: Information Security Management, Information Security Management System, Industrial Control System, Risk Evaluation, Fault Tree Analysis, Failure Mode Effects and Analysis, Bayesian Networks