I
摘 要
随着计算机和网络信息技术的飞速发展以及移动互联应用的不断深入，作为现代经
济社会主要组成部分的企业，其商务运作中信息系统的大量重要信息交互越来越依赖于
开放、互联的网络环境进行。近期发生的“棱镜事件”使得整个国际社会对 IT 服务企
业的信息安全管理深感担忧，信息技术服务商作为产品、技术和服务的提供者，其产品
和技术的安全性是否可靠、服务外包过程中的信息安全管理是否合规，信息安全保障措
施是否切实有效，已成为企业选择 IT 服务外包首要关注的问题
本文以 IT 服务外包商 M 公司作为研究对象，基于企业信息安全管理的视角，通过
对企业信息安全管理现状的剖析，发现 M 公司存在的信息安全管理问题，并分析原因，
提出改进措施，帮助 M 公司完善信息安全管理，强化企业信息安全监管责任
本文共分为四个部分：第一章绪论部分介绍了研究背景、目的与意义以及相关的研
究理论；第二章围绕 M 公司的安全框架 ESF 详细阐述了企业的信息安全管理现状；第
三章运用安全评估工具 MSAT 和调查问卷的方式对 M 公司存在的信息安全管理问题进
行诊断，并剖析原因；第四章有针对性从 M 公司自身提出对策和建议
现状描述部分，以 M 公司的信息安全框架 ESF 为着手点，分别从安全战略、风险
管理及合规，运维与服务安全管理以及基础安全服务架构三个层级系统地介绍了 M 公
司的信息安全管理状况
问题及原因分析部分，首先，借助 MSAT 信息安全评估工具，从基础架构、应用、
运作及人员安全四个主要领域入手，结合调查问卷的方式对企业信息安全管理的防护措
施和业务环境风险进行测评和分析，主要问题是：基础安全管控漏洞、人为因素安全威
胁、内部安全审计流于形式、外包服务管理不到位；其次，问题形成的主要原因是：信
息安全管理策略认知不同，人员安全职责管理脱节，内部安全审计管理不规范，外包服
务安全监管责任弱化
最后，改进措施部分，对于 IT 服务外包商 M 公司完善信息安全管理，更好地履行
企业责任，从四个方面提出对策：加强基础安全管控策略和防护措施、将人员安全职责
与职能管理有机挂钩、健全内部安全审计制度以及提升服务外包管理责任。从而强化企
业外包服务监管的自律性，将企业盈利和信息安全管理责任并重，树立良好的企业公民
形象，为企业的可持续发展创造有利环境
关键词：信息安全管理 服务外包 服务管理 服务安全 企业社会责任
ABSTRACT
With the rapid development of computer and network information, as well as deepening
of mobile Internet applications, enterprises as main components of modern economic society,
a lot of important information in its information systems of business operations increasingly
rely on open, interconnected a network environment. The recent outbreak of PRISM makes
the whole international community for the information technology enterprise information
security management is concerned. Information technology services business as a provider of
products, technologies and services, reliability of the security of its products and technology,
outsourcing processes management of information security in compliance, information
security is effective, has become the primary issues of concern to business select IT services
outsourcing provider.
The research object of this papers is M company that is an IT Service Outsourcing
Provider, based on the perspective of information security management responsibility,
exploring the details of information security management framework ESF, find out the defects
existed in information security management, analyze root causes, and made corresponding
suggestions and measures of improvement plan to help M company enhance information
security management, reinforced enterprise information security management responsibilities.
This article included 4 parts. Chapter one introduced the background and significance of
analysis as well as the theories and method. Chapter two introduced the detailed situation of
information security management of M company. Chapter three, used MAST tool and
investigation survey to diagnosis problem, and analyzed root causes. Chapter four, based on
the issues to given the solutions and measures from M company internal.
In the description section of the status, information security management framework as a
starting point with M IT Service Provider, respectively introduced the company's information
security management from three levels. First, security governance, risk management and
compliance. The second is the operation security and service security management. The third
is IT infrastructure security framework. To ensure have a comprehensive understanding for
information security management of M company.
In inquiry problem of part, using information security management assessment tool
MSAT to analysis enterprise information security management framework of specific
protection policy and business environment risk indicators from four aspects, which are IT
infrastructure security, application security, operation security and the personnel security. the
main problems are: IT infrastructure security measures vulnerability, and the human factors