CN105956460A - Authority system for information security management - Google Patents
Authority system for information security management
- Publication number: CN105956460A (application CN201610313523.0A)
- Authority: CN (China)
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention provides an authority system for information security management, belonging to the technical field of information, which comprises the following components: (1) a terminal, (2) a management system, (3) a module, (4) a service, (5) data, (6) service authority and (7) data authority. Authority is subdivided into service authority and data authority. The idea of separating the three powers is applied in depth to the authority design of the management system, so that the scope of authority of each role in the authority system is defined more finely and the roles mutually restrict one another.
Description
Technical field
The present invention relates to the field of information technology, and in particular to a permission system for information security management.
Background technology
With the development of information technology, and in particular of new techniques such as cloud computing and big data, the requirements on information security grow ever higher, and the terminals that an information security management system has to manage grow in both number and variety. This places higher demands on the safety of the system itself and on the reasonableness of its management: while guaranteeing its own security, the management system must remain convenient and sensible to use, turning complex security events into simple views.
Summary of the invention
To solve this problem, the present invention proposes a permission system for information security management in which authority is refined into service authority and data authority. The idea of separating the three powers is applied in depth to the authority design of the management system, so that the scope of authority of each role in the permission system is defined more finely and the roles mutually restrict one another. In addition, on the basis of the idea of authority-and-domain-based management, the data authority of the system is divided.
The technical scheme is as follows:
A permission module for an information security management system comprises:
(1) terminal, (2) management system, (3) module, (4) business, (5) data, (6) service authority, (7) data authority.
(1) Terminal: the smallest unit managed by the information management system; it can be a personal PC, a server, a virtual host, and so on.
(2) Management system: the management system established to achieve a certain information security management objective; management is carried out by managing information. The system classifies the information it manages and is divided into corresponding modules, each module corresponding to one category of information.
(3) Module: a module of the management system is a functional set composed of several closely related functions. For an information security management system, the modules can broadly be divided into the following: (3.1) platform configuration: configuring the basic information of the management system; (3.2) asset management: managing the assets the management system contains, such as personal terminals and servers; (3.3) security centre: the real-time presentation of the current security situation; (3.4) journaling: the management of the logs and reports of the whole system.
(4) Business: to achieve a certain objective, the management system organizes the information contained in several modules and processes it; this process is called a business.
(5) Data: the information managed by the system includes information about the system itself and information about the managed terminals, for example the system's own user information and configuration information, and the configuration information of managed terminals. All of this information is data.
(6) Service authority: a certain business requires management rights over one or several modules of the management system. By subdividing the modules of the information system and analysing the business requirements, a set of rights over management-system modules can be formed for the needs of a given business; this delineation of rights is called service authority.
(7) Data authority: the information about the smallest units managed by the management system and the configuration information of the information system itself are resources of the system and also data in the system. According to the purpose for which they are used, these data can be divided into different groups, each group corresponding to a scope of management rights; this scope of management rights is called data authority.
The management system defines service authority by dividing the management rights over modules and by organizing and dividing service authorities; it defines data authority by dividing the data of the system itself and the data of the managed terminals. Finally, roles are established by analysing service authority and data authority; each role has the corresponding service authority and data authority needed to fulfil its function.
Within service authority, the service authority of an information security management system is subdivided into three major types: one, system platform configuration; two, security events and related matters; three, audit. These three types distinguish and define three roles: the system manager, the security officer and the audit administrator. This design embodies the idea of the separation of the three powers, so that system users in different roles each perform their own function. Drawing on the idea of authority-and-domain-based management, authority is further segmented: in addition to the service authority described above, data authority is proposed, and the division of data authority makes it convenient to manage a large number of terminals.
The permission system proposed by the present invention, based on the separation of the three powers and on authority-and-domain-based management, addresses the special requirements that information security management places on the information itself. This permission module strengthens the security of the management system itself and, for large numbers of terminals, simplifies management through the division of data authority.
Accompanying drawing explanation
Fig. 1 is a schematic diagram of the authority of the present invention.
Detailed description of the invention
The content of the present disclosure is elaborated in more detail below.
The present invention includes: (1) terminal, (2) management system, (3) module, (4) business, (5) data, (6) service authority, (7) data authority;
(1) Terminal: the smallest unit managed by the information management system;
(2) Management system: the management system established to achieve an information security management objective; management is carried out by managing information. The system classifies the information it manages and is divided into corresponding modules, each module corresponding to one category of information;
(3) Module: a module of the management system is a functional set composed of closely related functions. For an information security management system, the modules can broadly be divided into the following: (3.1) platform configuration: configuring the basic information of the management system; (3.2) asset management: managing the assets the management system contains, such as personal terminals and servers; (3.3) security centre: the real-time presentation of the current security situation; (3.4) journaling: the management of the logs and reports of the whole system;
(4) Business: to achieve an objective, the management system organizes the information contained in several modules and processes it; this process is called a business;
(5) Data: the information managed by the system includes information about the system itself and information about the managed terminals;
(6) Service authority: a certain business requires management rights over one or several modules of the management system. By subdividing the modules of the information system and analysing the business requirements, a set of rights over management-system modules can be formed for the needs of a business; this delineation of rights is called service authority;
(7) Data authority: the information about the smallest units managed by the management system and the configuration information of the information system itself are resources of the system and also data in the system. According to the purpose for which they are used, these data can be divided into different groups, each group corresponding to a scope of management rights; this scope of management rights is called data authority;
The management system defines service authority by dividing the management rights over modules and by organizing and dividing service authorities; it defines data authority by dividing the data of the system itself and the data of the managed terminals. Finally, roles are established by analysing service authority and data authority; each role has the corresponding service authority and data authority needed to fulfil its function.
The present invention analyses the roles of the information security management system and, while ensuring the operation of the system, defines three roles: system manager, security officer and audit administrator. The principle of this division is that each role has a management objective: the management objective of the system manager is to manage the management system; the management objective of the security officer is to manage security events and related matters; the management objective of the audit administrator is to audit the operational behaviour of the other roles. Such a division achieves the separation of the three powers.
In addition, in the present invention, the system manager can manage users and assets, and the scope of assets that a user can manage; the operations of the security officer can therefore be restricted by the system manager. The audit administrator supervises the operational behaviour of the system manager and the security officer by auditing their operation logs. Moreover, since an administrator's own operations also need to be audited by someone, the management rights over the audit administrator's operation log are given to the system manager. In this way the three roles supervise each other, ensuring the security of the platform itself.
Finally, the system manager divides data authority among the security officers (a terminal can only be managed by the security officer that the system manager has authorized for it), which is convenient for management when the number of terminals is very large.
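As an added illustration, not code from the patent or its applicant, the following Python model encodes the scheme described in the summary and in the detailed description above: service authority as rights over groups of modules, data authority as the set of terminals a role may act on, the three roles, and the mutual supervision through operation logs (the audit administrator reads the other two roles' logs, and the system manager holds the audit administrator's log). All module, role and terminal names are constructed for the example.

```python
"""Toy model of the three-role permission scheme (added example; names constructed)."""
from dataclasses import dataclass, field

# The four module kinds named in the description, grouped into the three
# service-authority types: platform configuration, security events, audit.
SERVICE_TYPES = {
    "platform_config": {"platform_configuration", "asset_management"},
    "security_events": {"security_center"},
    "audit": {"journaling"},
}


@dataclass
class Role:
    name: str
    service_types: set                              # service authority: module groups it operates
    terminals: set = field(default_factory=set)     # data authority: terminals it may act on
    audits: set = field(default_factory=set)        # roles whose operation logs it may read


@dataclass
class LogEntry:
    actor: str
    action: str
    target: str
    allowed: bool


class ManagementSystem:
    """Holds the three roles, the managed terminals and the operation log."""

    def __init__(self, terminals):
        self.terminals = set(terminals)
        self.log = []
        self.roles = {
            # system manager: platform configuration over every terminal; may read the auditor's log
            "system_manager": Role("system_manager", {"platform_config"},
                                   set(terminals), audits={"audit_administrator"}),
            # security officer: security events, but only over terminals the system manager assigns
            "security_officer": Role("security_officer", {"security_events"}),
            # audit administrator: audit module; reads the other two roles' logs
            "audit_administrator": Role("audit_administrator", {"audit"},
                                        audits={"system_manager", "security_officer"}),
        }

    def _record(self, actor, action, target, allowed):
        """Every attempt, allowed or denied, lands in the operation log."""
        self.log.append(LogEntry(actor, action, target, allowed))
        return allowed

    def has_service_authority(self, role_name, module):
        role = self.roles[role_name]
        return any(module in SERVICE_TYPES[t] for t in role.service_types)

    def has_data_authority(self, role_name, terminal):
        return terminal in self.roles[role_name].terminals

    def operate(self, role_name, module, terminal=None):
        """A module operation needs service authority; if it touches a terminal,
        it also needs data authority over that terminal."""
        ok = self.has_service_authority(role_name, module)
        if ok and terminal is not None:
            ok = self.has_data_authority(role_name, terminal)
        return self._record(role_name, f"operate:{module}", terminal or "-", ok)

    def assign_terminals(self, actor, officer, terminals):
        """Only the system manager divides data authority among security officers,
        and only over terminals the system actually manages."""
        wanted = set(terminals)
        ok = (actor == "system_manager" and officer == "security_officer"
              and wanted <= self.terminals)
        if ok:
            self.roles[officer].terminals |= wanted
        return self._record(actor, "assign_terminals", officer, ok)

    def read_log(self, actor, subject):
        """Return the subject's log entries if the actor supervises that role, else None.
        The read itself is logged, so the supervisor is supervised in turn."""
        ok = subject in self.roles[actor].audits
        self._record(actor, "read_log", subject, ok)
        if not ok:
            return None
        return [e for e in self.log if e.actor == subject]


if __name__ == "__main__":
    s = ManagementSystem(["pc-01", "pc-02", "srv-01"])
    print(s.operate("security_officer", "security_center", "pc-01"))      # False: no data authority yet
    print(s.assign_terminals("system_manager", "security_officer", ["pc-01"]))
    print(s.operate("security_officer", "security_center", "pc-01"))      # True
    print(s.read_log("audit_administrator", "system_manager"))
```

The point of the model is that a request is granted only where service authority and data authority intersect, so a security officer with full rights over the security centre still cannot touch a terminal outside the group the system manager assigned, and no role can read its own log.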
Claims (3)
1. A permission system for information security management, characterized in that it includes:
(1) terminal, (2) management system, (3) module, (4) business, (5) data, (6) service authority, (7) data authority;
wherein
(1) Terminal: the smallest unit managed by the information management system;
(2) Management system: the management system established to achieve an information security management objective; management is carried out by managing information. The system classifies the information it manages and is divided into corresponding modules, each module corresponding to one category of information;
(3) Module: a module of the management system is a functional set composed of closely related functions;
for an information security management system, the modules can broadly be divided into the following: (3.1) platform configuration: configuring the basic information of the management system; (3.2) asset management: managing the assets the management system contains, such as personal terminals and servers; (3.3) security centre: the real-time presentation of the current security situation; (3.4) journaling: the management of the logs and reports of the whole system;
(4) Business: to achieve an objective, the management system organizes the information contained in several modules and processes it; this process is called a business;
(5) Data: the information managed by the system includes information about the system itself and information about the managed terminals;
(6) Service authority: a certain business requires management rights over one or several modules of the management system. By subdividing the modules of the information system and analysing the business requirements, a set of rights over management-system modules can be formed for the needs of a business; this delineation of rights is called service authority;
(7) Data authority: the information about the smallest units managed by the management system and the configuration information of the information system itself are resources of the system and also data in the system. According to the purpose for which they are used, these data can be divided into different groups, each group corresponding to a scope of management rights; this scope of management rights is called data authority;
the management system defines service authority by dividing the management rights over modules and by organizing and dividing service authorities; it defines data authority by dividing the data of the system itself and the data of the managed terminals. Finally, roles are established by analysing service authority and data authority; each role has the corresponding service authority and data authority needed to fulfil its function.
2. The system according to claim 1, characterized in that a terminal can be a personal PC, a server or a virtual host.
3. The system according to claim 1, characterized in that the user information and configuration information of the system itself and the configuration information of the managed terminals are all data.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610313523.0A CN105956460A (en) | 2016-05-12 | 2016-05-12 | Authority system for information security management |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105956460A true CN105956460A (en) | 2016-09-21 |
Family
ID=56912766
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610313523.0A Pending CN105956460A (en) | 2016-05-12 | 2016-05-12 | Authority system for information security management |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105956460A (en) |
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1960252A (en) * | 2006-06-30 | 2007-05-09 | 南京联创科技股份有限公司 | Multidimension object access control method based on roles |
CN101951384A (en) * | 2010-09-29 | 2011-01-19 | 南京信息工程大学 | Distributed security domain logic boundary protection method |
US9047462B2 (en) * | 2012-03-20 | 2015-06-02 | Guangdong Electronics Industry Institute Ltd. | Computer account management system and realizing method thereof |
CN103166794A (en) * | 2013-02-22 | 2013-06-19 | 中国人民解放军91655部队 | Information security management method with integration security control function |
CN104376253A (en) * | 2013-08-13 | 2015-02-25 | 苏州广海信息科技有限公司 | Authority management system |
Non-Patent Citations (1)
Title |
---|
乐光学 et al. | "Research on the application of an information security management system based on the 'separation of three powers'", Journal of Huaihua University (怀化学院学报) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108334757A (en) * | 2017-01-19 | 2018-07-27 | 安徽优数科技有限公司 | A kind of account management system |
CN109711147A (en) * | 2019-01-02 | 2019-05-03 | 浪潮商用机器有限公司 | Separation of the three powers management method, device, system and the storage medium of operating system |
CN109711147B (en) * | 2019-01-02 | 2020-06-02 | 浪潮商用机器有限公司 | Method, device and system for managing three rights separately of operating system and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20160921 |