Abstract
With the development of information technology, databases are used ever more widely in enterprises, and enterprises rely increasingly on IT applications to improve their own competitive advantage and operational efficiency. However, the accompanying information security problems also expose enterprises to major economic losses. In the knowledge economy, information is therefore becoming an important enterprise asset, and its security bears directly on the security of enterprise assets and on the survival of the enterprise. Research on enterprise information security control is thus of significant meaning and value.
Starting from the problems that exist in information security management, this paper applies stakeholder theory and the COSO framework to analyze the information security problems present in enterprises and their causes. The paper holds that the main problems in current enterprise information security control are: weak information security awareness among personnel, an operating mechanism that is not yet complete, a responsibility system that is difficult to put in place, a lack of strategic thinking and decision-making, and conflict between the original management model and the current one. To resolve these problems, the paper takes enterprise information security as its focus and uses stakeholder theory to analyze the rights and powers of the information security stakeholders, finding that the main causes of the problems above are: insufficient incentive for employees to maintain information security; inadequate management by enterprise managers; and shareholders' neglect of information security management. Ultimately, the asymmetry in stakeholder rights and powers arises because the value of information has not yet become apparent to most enterprises, and because of the constraints of enterprise information security technology. In response, the paper analyzes in detail the countermeasures for strengthening information security control, from the construction of the objective framework through to management measures and technical measures, and takes H Company as a case for analyzing information security control, reaching the following conclusions: a clear and explicit organizational framework is the foundation for implementing enterprise information security control; an organizational structure in which the information security management department is independent helps raise its standing and preserve its independence during the execution of enterprise information security management; incorporating information security into enterprise human resource management helps raise information security awareness across all staff, mainly through performance appraisal and employee training; and at the execution level of information security, the integration of policy and process is an important condition for a substantive improvement in the level of enterprise information security control.
Keywords: information security control; COSO framework; management
Research on Enterprises’ Information Security
——Taking H Company's Information Security Construction as an Example
Abstract
With the development of information technology, databases are used ever more widely in enterprises, and companies increasingly rely on the application of IT to enhance their own competitive advantage and operational efficiency. However, the accompanying information security problems expose enterprises to significant economic losses. In the knowledge society, information is therefore becoming an important asset of enterprises. The security of information bears directly on the security of the company's assets and on the company's survival, so research on the control of company information security is meaningful. This paper takes the information security problems existing in enterprises as its object of study and uses stakeholder theory and COSO theory to analyze companies' information security problems and their causes. The main problems are: staff awareness of information security is not strong; the operating mechanism is not perfect; the responsibility system is hard to put in place; strategic thinking and decision-making are lacking; and the original and present management models conflict. As for the solutions to these problems, this paper uses stakeholder theory to analyze them and reaches the following conclusions: the staff's incentive to maintain information security is not enough; the management by enterprise management personnel is not in place; and shareholders ignore information security management. In the final analysis, the asymmetry of stakeholder rights and powers is due to the value of information not yet having emerged for most enterprises and to the constraints of enterprise information security technology.
This paper then takes H Company as an example to illustrate the discussion above and reaches the following conclusions about H Company's information security management: a clear organizational framework for enterprise information security control is the basis for implementing information security controls; an independent information security management department enhances the status and independence of corporate information security; including information security in corporate human resource management can raise staff awareness of information security through performance appraisal and staff training; and during information security management processes, the integration of strategy and process is an important condition for the development of the enterprise's information security level.
Key words: Information Security Control; COSO Theory; Management
Contents