Research on Information Security Management of M Company

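【Author】 Zhang Xiaoping (张小平)

【Advisor】 Chao Gang (晁罡)

【Author information】 South China University of Technology, Business Administration (professional degree), 2014, Master's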

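【Summary】 With the rapid development of computer and network information technology and the steady deepening of mobile Internet applications, enterprises, as a main component of the modern economy and society, increasingly depend on open, interconnected network environments for the exchange of large volumes of important information in the information systems that support their business operations. The recent "PRISM incident" has made the entire international community deeply worried about the information security management of IT service enterprises. For information technology service providers, as suppliers of products, technology and services, whether the security of their products and technology is reliable, whether information security management during service outsourcing is compliant, and whether information security safeguards are genuinely effective have become the foremost concerns of enterprises choosing IT service outsourcing. This paper takes the IT service outsourcing provider M Company as its research object. From the perspective of enterprise information security management, it analyzes the current state of the company's information security management, identifies M Company's information security management problems, analyzes their causes, and proposes improvement measures to help M Company improve its information security management and strengthen its responsibility for information security oversight. The paper is divided into four parts: Chapter 1, the introduction, presents the research background, purpose and significance, and the relevant research theory; Chapter 2 describes the current state of the enterprise's information security management in detail around M Company's security framework, ESF; Chapter 3 uses the security assessment tool MSAT and a questionnaire to diagnose M Company's information security management problems and analyzes their causes; Chapter 4 proposes targeted countermeasures and recommendations from M Company's own standpoint. The description of the current state takes M Company's information security framework ESF as its starting point and systematically presents the company's information security management at three levels: security strategy, risk management and compliance; operations and service security management; and the basic security service architecture. In the analysis of problems and causes, first, with the help of the MSAT information security assessment tool, and starting from the four main areas of infrastructure, application, operations and personnel security, combined with a questionnaire, the protective measures and business environment risks of the enterprise's information security management are evaluated and analyzed. The main problems are: gaps in basic security controls, security threats from human factors, internal security audits that are a mere formality, and inadequate management of outsourced services. Second, the main causes of these problems are: differing understandings of information security management policy, a disconnect in the management of personnel security responsibilities, non-standardized internal security audit management, and weakened responsibility for security oversight of outsourced services. Finally, the improvement measures section proposes countermeasures in four areas for the IT service outsourcing provider M Company to improve its information security management and better fulfill its corporate responsibilities: strengthening basic security control policies and protective measures, linking personnel security responsibilities closely to functional management, improving the internal security audit system, and raising the level of responsibility for service outsourcing management. This strengthens the self-discipline of the enterprise's oversight of outsourced services, gives equal weight to corporate profit and information security management responsibility, establishes a good corporate citizen image, and creates a favorable environment for the enterprise's sustainable development.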

【Abstract】 With the rapid development of computer and network information technology and the deepening of mobile Internet applications, enterprises, as main components of the modern economic society, increasingly rely on an open, interconnected network environment for the exchange of large amounts of important information in the information systems behind their business operations. The recent "PRISM" incident has made the whole international community concerned about the information security management of information technology enterprises. For an information technology service business, as a provider of products, technologies and services, whether the security of its products and technology is reliable, whether information security management in the outsourcing process is compliant, and whether its information security measures are effective have become the primary concerns of businesses selecting an IT services outsourcing provider.

The research object of this paper is M Company, an IT service outsourcing provider. From the perspective of information security management responsibility, the paper explores the details of the information security management framework ESF, identifies the defects in information security management, analyzes the root causes, and makes corresponding suggestions and improvement measures to help M Company enhance its information security management and reinforce its enterprise information security management responsibilities. The paper has 4 parts. Chapter one introduces the background and significance of the analysis as well as the theories and methods. Chapter two introduces the detailed situation of information security management at M Company. Chapter three uses the MSAT tool and a survey questionnaire to diagnose problems and analyzes the root causes. Chapter four, based on these issues, gives solutions and measures from within M Company.

In the section describing the current status, the information security management framework of the IT service provider M is taken as the starting point, and the company's information security management is introduced at three levels: first, security governance, risk management and compliance; second, operation security and service security management; third, the IT infrastructure security framework. This gives a comprehensive understanding of the information security management of M Company.

In the problem inquiry part, the information security management assessment tool "MSAT" is used to analyze the specific protection policies and business environment risk indicators of the enterprise information security management framework from four aspects: IT infrastructure security, application security, operation security and personnel security. The main problems are: vulnerabilities in IT infrastructure security measures, human-factor threats to information security, internal security audits that have become a mere formality, and IT outsourcing service management that is not in place.

In the cause analysis section, combined with the information security operations management situation of M Company, the main reasons are: differing management cognition of information security, disjointed staff security management, irregular internal control and security audit management, and weak responsibility for IT outsourcing services management.

Finally, in order to better fulfill enterprise responsibilities and strengthen information security management, the IT service outsourcing provider M Company needs to improve its security strategy and measures in four respects: improve internal IT infrastructure security strategies and defense measures; strengthen employees' information security awareness, training and education, and tie personnel security responsibilities to functional management regulations; enhance the enterprise security audit framework; and strengthen the self-discipline of the enterprise's outsourcing service regulation and enhance the corporate social responsibility (CSR) management system. Combining enterprise profit with information security management responsibility and giving them equal weight establishes a good image of corporate citizenship and creates a favorable environment for the sustainable development of the enterprise.

  • 【Classification number】 F270.7; TP309
  • 【Times cited】 11
  • 【Downloads】 837