Risk assessment is the foundation on which an Information Security Management System (ISMS) is built: it is the basis on which an organization balances security risk against security investment, and it is also the most important means by which an ISMS measures its performance and identifies opportunities for improvement. BS 7799 does not prescribe a specific risk assessment method; an organization may develop a method suited to its own circumstances. Even so, it is not appropriate to have a temporary team identify the organization's information security risks by brainstorming, because the standard requires the organization to choose a systematic risk assessment method, one that identifies risks from four aspects: threats, vulnerabilities, impact, and likelihood
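As an added illustration (not code from the paper, and not a method that BS 7799 itself prescribes), the following Python sketch shows what separates a systematic, repeatable assessment from ad hoc brainstorming: every risk is recorded as a threat exploiting a vulnerability against a named asset, scored from its likelihood and impact on ordinal 1 to 5 scales, ranked, and compared against an explicit risk-acceptance threshold so that the decision to treat or accept each risk is documented. The scales, the multiplicative scoring rule, the level thresholds and the sample scenarios are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List

# Ordinal scales assumed for this example: 1 = rare/negligible ... 5 = almost certain/severe.
SCALE = range(1, 6)


@dataclass(frozen=True)
class RiskScenario:
    """One identified risk: a threat exploiting a vulnerability against an asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # probability that the threat exploits the vulnerability (1..5)
    impact: int      # consequence for the organization if it does (1..5)


@dataclass
class RiskEntry:
    """A scored scenario together with the treatment decision it triggers."""
    scenario: RiskScenario
    score: int
    level: str
    treatment: str


def risk_score(likelihood: int, impact: int) -> int:
    """Combine likelihood and impact; rejects values outside the agreed scale
    so that an unscored or mis-typed entry cannot silently slip into the register."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError(f"likelihood/impact must be in {list(SCALE)}: got {likelihood}, {impact}")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Assumed banding of the 1..25 score into qualitative levels."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(scenarios: List[RiskScenario], acceptance_threshold: int = 8) -> List[RiskEntry]:
    """Score every scenario the same way, rank them, and record whether each risk
    falls above the acceptance threshold (must be treated) or below it (accepted, but logged)."""
    entries = []
    for s in scenarios:
        score = risk_score(s.likelihood, s.impact)
        treatment = ("treat: mitigate, transfer or avoid" if score >= acceptance_threshold
                     else "accept: record rationale and review periodically")
        entries.append(RiskEntry(s, score, risk_level(score), treatment))
    # Highest score first; ties broken by asset name so the ordering is reproducible.
    entries.sort(key=lambda e: (-e.score, e.scenario.asset))
    return entries


# Constructed sample register (illustrative values, not from any real assessment).
SAMPLE_SCENARIOS = [
    RiskScenario("customer database", "external attacker injects SQL", "unvalidated web form input", 4, 5),
    RiskScenario("staff laptop", "device stolen off-site", "disk not encrypted", 3, 4),
    RiskScenario("backup tapes", "fire in server room", "off-site copy exists", 1, 5),
]


if __name__ == "__main__":
    for e in assess(SAMPLE_SCENARIOS):
        s = e.scenario
        print(f"{e.score:2d} {e.level:6s} {s.asset}: {s.threat} via {s.vulnerability} -> {e.treatment}")
```

Running the block prints the register ranked from the highest-scoring scenario down, with the treatment decision beside each entry; the value of the structure is less the arithmetic than the fact that every scenario passes through the same four fields and the same threshold, which is what makes the assessment auditable and repeatable from one ISMS cycle to the next.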