产品安全治理研究与实践

摘要/Abstract

摘要： 从产品安全治理的角度研究如何保障供应商交付安全可信的产品和服务.首先介绍产品安全的上下文，给出产品安全的定义和目标，提出产品安全是一个安全治理问题.然后建立基于三线模型的产品安全治理组织结构，描述各个组织机构的角色和职责，从组织结构上解决职责分离和利益冲突的问题.接着介绍产品安全策略的概念、框架、体系和实施方法，建立产品安全体系化建设的顶层要求.最后总结主要贡献并指出下一步的研究方向.这些研究结果已在中兴通讯的产品安全实践中得到了应用，取得了良好的治理效果.

关键词: 安全治理, 产品安全, 安全策略, 三线模型, 系统生命周期

Abstract: This paper studies how to ensure that suppliers deliver secure and trustworthy products and services from the perspective of product security governance. First, this paper introduces the context of product security, gives the definition and objectives of product security, and proposes that product security is a security governance problem. Then this paper establishes the organizational structure of product security governance based on the threeline model, describes the roles and responsibilities of each organizational unit, and solves the problems of separation of duties and conflicts of interest from the organizational structure. Next this paper introduces the concept, framework, system and implementation approaches of product security policies, and establishes the toplevel requirements of product security system construction. Finally, the contribution of this paper is summarized and the research direction for the next step is pointed out. These research results have been applied in ZTE’s product security practices and have achieved good governance effects.

Key words: security governance, Product Security, security policy, Three-Line Model, System Lifecycle

中图分类号:

TP309

韦银星, 钟宏, 郑均, . 产品安全治理研究与实践[J]. 信息安全研究, 2023, 9(12): 1218-.

参考文献

［1］Bassett G, Hylender C D, Langlois P, et al. Data breach investigations report［ROL］. New York: Verizon, 2022 ［20230108］. https:www.verizon.combusinessengbresources2022databreachinvestigationsreportdbir.pdf［2］zkan S. CVE details: The ultimate security vulnerability datasource［EBOL］. ［20221113］. https:www.cvedetails.com［3］IT Governance Institute. Information security governance: Guidance for boards of directors and executive management, 2nd edition［R］. Schaumburg, IL: ISACA, 2006［4］IT Governance Institute. Information security governance: Guidance for information security managers［R］. Schaumburg, IL: ISACA, 2008［5］Ahuja S, Chan Y E. IT security governance: A framework based on ISO 38500［EBOL］. 2015 ［20230108］. https:aisel.aisnet.orgconfirm201527［6］Ohki E, Harada Y, Kawaguchi S, et al. Information security governance framework［C］ Proc of the 1st ACM WISG’09. New York: ACM, 2009: 16［7］Volchkov A. Information Security Governance: Framework and Toolset for CISOs and Decision Makers［M］. Boca Raton, FL: CRC Press, 2018［8］严寒冰. 网络安全治理［J］. 信息安全研究, 2022, 8(8): 734735［9］De Bruin R, von Solms S H. Cybersecurity governance: How can we measure it［C］ Proc of ISTAfrica Week Conf. Piscataway, NJ: IEEE, 2016: 19［10］Bodeau D, Boyle S, FabiusGreene J, et al. Cyber security governance: A component of MITRE’s cyber prep methodology［EBOL］. Washington: MITRE Corporation, 2010［20230108］. https:www.mitre.orgsitesdefaultfilespdf10_3710.pdf［11］HamouLhadj A, HamouLhadj A. A governance framework for building secure IT systems［J］. International Journal of Security and its Applications, 2009, 3(2):1519［12］ComplianceForge. ComplianceForge reference model: Hierarchical cybersecurity governance framework (HCGF)［EBOL］. 202202 ［20230108］. https:www.complian ceforge.comreasonshierarchicalcybersecuritygovernanceframework［13］Landoll D J. Information Security Policies, Procedures, and Standards: A Practitioner’s Reference［M］. Boca Raton, FL: CRC Press, 2016［14］Ross R, Mcevilley M, Oren J C. NIST special publication 800160 vol.1 systems security engineering: Considerations for a multidisciplinary approach in the engineering of trustworthy secure systems［EBOL］. 2018 ［20230108］. https:nvlpubs.nist.govnistpubsSpecialPublicationsNIST.SP.800160v1.pdf［15］ISOIEC JTC 1SC 27. ISOIEC 27014:2020 Information Security, Cybersecurity and Privacy Protection—Governance of Information Security［S］. Geneva: ISO, 2020［16］The Institute of Internal Auditors. The IIA’S three lines model: An update of the three lines of defense［EBOL］. 202007［20230108］. https:www.theiia.orgglobalassetssiteaboutusadvocacythreelinesmodelupdated.pdf［17］CROForum. The three lines model［EBOL］.2021［20230108］. https:www.thecroforum.orgwpcontentuploads202105CROWGGovernance.pdf［18］The European Parliament and Council of European Union. Regulation (EU) 2019881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing regulation (EU) No 5262013 (Cybersecurity Act)［EBOL］. (20190607)［20230108］. https:eurlex.europa.euelireg2019881oj［19］Rashid A, Chivers H, Lupu E, et al. CyBOK: The cyber security body of knowledge, Version 1.1.0［EBOL］. (20210731)［20230108］. https:www.cybok.orgmediadownloadsCyBOK_v1.1.0.pdf［20］Stallings W. Effective Cybersecurity: A Guide to Using Best Practices and Standards［M］. Boston: AddisonWesley, 2018［21］Bowen P, Hash J, Wilson M. NIST Special Publication 800100 Information Security Handbook: A Guide for Managers［EBOL］. 2006［20230108］. https:nvlpubs.nist.govnistpubsLegacySPnistspecialpublication800100.pdf［22］Kiely L, Benzel T V. Systemic security management［J］. IEEE Security and Privacy Magazine, 2006, 4(6): 7477［23］Souppaya M, Scarfone K, Dodson D. Secure software development framework (SSDF) Version 1.1［EBOL］. 2022［20230108］. https:nvlpubs.nist.govnistpubsSpecialPublicationsNIST.SP.800218.pdf［24］ISOIEC JTC 1SC 7. ISOIECIEEE 247481: 2018 Systems and Software Engineering—Life Cycle Management—Part 1: Guidelines for Life Cycle Management［S］. Geneva: ISO, 2018［25］Zhong H. ZTE cybersecurity white paper［EBOL］. 2021［20230108］. https:reswww.zte.com.cnmediareszteFilesPDFwhite_book202110301221.pdf?la=en

[1]	张文礼, 彭晓雷, . 银行数据安全解决方案[J]. 信息安全研究, 2023, 9(E2): 37-.
[2]	何晋昊, 陈韵然, 钟强, 程蕾, 金晨, . 全民健康数据安全治理解决方案[J]. 信息安全研究, 2023, 9(E2): 104-.
[3]	张嵩, 李雪岩, 汪诚, 田明, . 数字经济时代数据安全治理的探索和研究[J]. 信息安全研究, 2023, 9(E1): 137-.
[4]	王玉, 安鹏, 栗文科, 王世彪, 喻波, . 政务数据安全治理体系研究与实践[J]. 信息安全研究, 2023, 9(9): 900-.
[5]	董勃, 罗森林, . 小数据集文本语义相似性分析模型的优化与应用[J]. 信息安全研究, 2023, 9(10): 980-.
[6]	纪正坦. 平台数据安全治理优化路径探析——以“滴滴公司网络安全审查案”为切入视角[J]. 信息安全研究, 2023, 9(1): 66-.
[7]	彭长根, . 人工智能安全治理挑战与对策[J]. 信息安全研究, 2022, 8(4): 318-.
[8]	高磊, 赵章界, 宋劲松, 翟志佳, 杨芬, 蒋宋, . 大数据应用中的数据安全治理技术与实践[J]. 信息安全研究, 2022, 8(4): 326-.
[9]	王庆德, 吕欣, 王慧钧, 刘海洋, 秦天雄, . 数据安全治理的行业实践研究[J]. 信息安全研究, 2022, 8(4): 333-.
[10]	李雪莹, 王玮, . 基于业务场景的数据安全治理模型[J]. 信息安全研究, 2022, 8(4): 392-.
[11]	李雪莹, 张锐卿, 杨波, 谢海昌, 马国伟, . 数据安全治理实践[J]. 信息安全研究, 2022, 8(11): 1069-.
[12]	刘建兵王振欣杨华马旭艳. 主动安全网络架构与等保要求[J]. 信息安全研究, 2022, 8(1): 28-.
[13]	王月兵, 覃锦端, 刘隽良, 刘聪, . 医疗行业数据安全治理框架研究[J]. 信息安全研究, 2021, 7(E2): 33-.
[14]	田永健. 新形势下智慧城市数据安全治理研究[J]. 信息安全研究, 2021, 7(E2): 57-.
[15]	刘隽良, 刘羽, 王月兵, 毛菲, . 基于零信任软件定义边界可信设备准入认证技术[J]. 信息安全研究, 2021, 7(E2): 110-.