The issue of information security and data privacy is assuming tremendous importance among global organizations, particularly in an environment marked by computer virus and terrorist attacks, hackings and destruction of vital data owing to natural disasters. When it comes to information security, most companies fall somewhere between two extreme boundaries: complete access and complete security. A completely secure computer is one that is not connected to any network and physically unreachable by anyone. A computer like this is unusable and does not serve much of a practical purpose. On the other hand, a computer with complete access is very easy to use, requiring no passwords or authorization to provide any information. Unfortunately, having a computer with complete access is also not practical because it would expose every bit of information publicly, from customer records to financial documents. Obviously, there is a middle ground—this is the art of information security.
信息安全和数据保密的问题在全球的组织中非常重要,尤其在一个计算机病海、恐怖分子、黑客攻击以自然灾害造成重要数据破坏的环境。涉及到信息安全,很多公司会处于两种极端的边界:完全访问和完全安全。一个完全安全的计算机是这样的,不连接任何网络,并且也不让任何人接触。像这样的计算机是不能用的并且也没有多少实际用途。另一方面,完全访问的计算机容易使用,提供任何信息不需要密码和权限。不幸的是拥有完全访问的计算机也是不实际的,因为它会公开暴露每一点信息,从客户记录到财政文件。显然可以有一个中间区域或——这就是信息安全的技术。
The concept of information security is centered on the following components:
Integrity: gathering and maintaining accurate information and avoiding malicious modification
Availability: providing access to the information when and where desired
Confidentiality: avoiding disclosure to unauthorized or unwanted persons
机密性:避免向未授权或不必要的人泄漏信息。
For an information system to be secure, it must have a number of properties:
安全的信息系统需要具有如下的特性:
service integrity. This is a property of an information system whereby its availability, reliability, completeness and promptness are assured;
服务完整性。这是信息系统的一个特性,以保证信息系统具有有效性、可靠性、完整性和敏捷性。
data integrity. This is a property whereby records are authentic, reliable, complete, unaltered and useable, and the processes that operate on them are reliable, compliant with regulatory requirements, comprehensive, systematic, and prevent unauthorized access, destruction, alteration or removal of records. These requirements apply to machine-readable databases, files and archives, and to manual records;
数据完整性。这是信息系统的一个特性,以保证纪录是可信的、可靠的、完全的、无改变的并且是可用的。对记录进行的操作是可靠的、适成调整要求的、全面的、系统的并且能阻止未授权者访问、破坏、改变或刪除纪录。这些要求适用于机器可读的以及人工的数据库、文件和档案。
data secrecy . This is a property of an information system whereby information is available only to those people authorized to receive it. Many sources discuss secrecy as though it was only an issue during the transmission of data; but it is just as vital in the context of data storage and data use;
数据保密。这是信息系统的一个特性,使得信息只对有授权的人可用。很多资料把安全仅作为数据传输中的问题讨论,但是在数据存储和使用环境中安全问题同样杆重要。
authentication. Authentication is a property of an information system whereby assertions are checked. Forms of assertion that are subjected to authentication include:
鉴定。这是信息系统的一个特性,使行为可以被检查。可以鉴定的行为方式包括:
"data authentication", whereby captured data's authenticity, accuracy, timeliness, completeness and other quality aspects are checked;
数据鉴定,得到的数据的真实性、精确性、时效性、完全性以及其他方面的性能可以被检查。
"identity authentication", whereby an entity's claim as to its identity is checked.
This applies to all of the following:
身份鉴定,对实体宣称的身份的鉴定。可成用于下面:the identity of a person;the identity of an organizational entity;the identity of a software agent;the identity of a device.
人员身份、组织实体的身份、软件代理的身份和设备的身份。
"attribute authentication", whereby an entity's claim to have a particular attribute is checked, typically by inspecting a "credential". Of especial relevance in advanced electronic communications is claim of being an authorized agent, i.e. an assertion by a person, a software agent or a device to represent an organization or a person.
属性鉴定,实体要求的以证书检查作为代表的特殊属性的鉴定。特别适用于先进的电子通信的是声明授权代理。也就是个人、软件代理商或设备代表某个组织或个人所做的声明。
Non-repudiation. This is a property of an information system whereby an entity is unable to convincingly deny an action it has taken.
不可否认性这是信息系统的一个特性,使实体不能否认所执行过的行为。
There is a strong tendency in the information systems security literature to focus on the security of data communications. But security is important throughout the information life-cycle, i.e. during the collection, storage, processing, use and disclosure phases, as well as transmission. Each of the properties of a secure system identified above needs to be applied to all of the information life-cycle phases.
在信息系统安全的文献中有个很强的倾向就是关注数据通信中的安全。但是安全在整个信息处理周期中都是很重要的,也就是说,安全在信息的收集、存储、处理、使用和公布阶段,与传输阶段同样重要。上述安全系统的特性需要应用于信息处理周期的各阶段。
评论
打印
