摘要: |
互联网的飞速发展带来信息内容的爆炸式增长,对互联网信息安全特别是信息内容安全治理提出了更高挑战。互联网新技术、新应用的发展深刻改变了互联网信息的传播方式,在极大推动数字信息增长和全球化一体化发展的同时,也为各种错误的、歪曲的、低俗的、与社会主流价值观相违背的有害信息提供孕育、发酵、传播和驻留的温床。目前,国内外信息技术/产品、信息系统的安全要求和评估方法,已形成了较为成熟的体系。但是,已有信息安全风险评估模型和评估指标体系很少涉及信息内容安全,专门针对互联网信息内容安全的通用要求和评估体系的研究在全球范围内尚为空白。本文在总结分析国内外已有成熟的信息安全评估标准基础上,从信息论角度对信息空间进行了分层,提出信息技术/产品安全、信息系统安全、信息服务安全三个层次的网络空间安全体系,主要借鉴信息技术安全评估通用准则(ISO/IEC 15408)、信息系统安全保障评估框架(GB/T 20274)等标准设计思路,结合我国互联网信息服务特点、安全现状及发展趋势,深入分析了信息内容安全风险要素之间的关系,提出一套以互联网信息服务为评估对象的安全评估通用要求模型及评估框架。上述模型框架具有良好的可扩展性,可面向不同形式的信息服务编制保护轮廓和安全目标并实施安全评估,为互联网新兴技术应用的安全发展需要和监督管理需求提供了良好的技术基础支撑。相关成果编制为国家推荐性标准,具有一定的先进性和可操作性。 |
关键词: 信息安全 信息内容安全 信息服务 安全要求 安全评估 |
DOI:10.19363/J.cnki.cn10-1380/tn.2022.01.02 |
投稿时间:2020-05-03修订日期:2020-07-03 |
基金项目:本课题得到2018年度互联网新技术新应用安全评估与标准体系研究项目(No.Y8V0971105)、信息安全技术互联网信息安全服务通用要求(No.Y9V1301、No.90SNHTBH-2019111326)资助。 |
|
Security Requirements and Evaluation Framework for Internet Information Service Content |
WANG Yuhang,GUO Tao,ZHANG Xiaodan,MENG Dan,HANG Jizhong,ZHOU Xi |
Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China |
Abstract: |
The rapid development of the Internet has brought about the explosive growth of information content, which poses higher challenges to Internet information security, especially information content security governance. The development of new Internet technologies and new applications has profoundly changed the way Internet information is disseminated. While greatly promoting the growth of digital information and the development of globalization, it has also provided a ground of breeding, fermentation, dissemination and residence for various wrong, distorted, vulgar, and mainstream social values. At present, the security requirements and evaluation methods of information technology/products and information systems at home and abroad have formed a relatively mature system. However, the existing information security risk assessment models and assessment index systems rarely involve information content security, and the research on general requirements and assessment systems specifically for Internet information content security is still blank on a global scale. Based on the summary and analysis of mature information security assessment standards at home and abroad, this paper has carried out a layered analysis of information space from the perspective of information theory, and proposed a cyberspace security system with three levels of information technology/product security, information system security, and information service security. Learning from the standard design ideas of common criteria for information technology security assessment (ISO/IEC 15408) and framework of information system security assurance assessment (GB/T 20274), and combining with the characteristics of China’s Internet information services, security status and development trends, we deeply analyzed the relationship between risk elements of information content security, and proposed a set of general requirements model and evaluation framework for Internet information services. The above model framework has good scalability, can prepare protection profiles and security goals and implement security assessments for different forms of information services, providing a good technical foundation for the needs of security development and supervision and management for emerging Internet technology applications. The relevant results have been compiled as advanced and operable national recommended standards. erable national recommended standards. |
Key words: information security information content security information service security requirements security evaluation |