Information system security is a dynamic and complex process that runs through the entire life cycle of an information system. Threats to information system security come from internal sabotage, external attacks, sabotage carried out through collusion between insiders and outsiders, and accidents arising from the information system itself; it is therefore necessary to assess the security of an information system according to the principles of risk management. Since an information system exists to serve an organization's business, the risk assessment should also be business-oriented. In practice, however, it is impossible to cover everything. To reflect the principle of prioritizing important business, important assets and key protection, the important assets related to important business must be selected for focused assessment. How to reasonably partition and process the huge number of assets, vulnerabilities and threats is a key point in the assessment process. This paper proposes a classification-based partitioning method to solve these problems, which effectively improves the capacity for data processing and analysis and makes the risk assessment more practicable. The assessment results for important assets enable an organization to make sound decisions on issues such as the selection of security measures and the construction of its information security assurance system, and thus have an important guiding role.