
Discussion on Some Operational Problems of Information System Security Risk Assessment
Abstract The publication of the information security risk assessment specification and related guides has guided the conduct of assessment work, but in actual assessments some methods are hard to put into operation or are easily confused. This paper first reviews current information security risk assessment methods and analyzes their shortcomings. It then proposes a new set of methods for information systems covering asset classification, threat classification and overall system risk assessment, and outlines the practical effect of the suggested method.
Affiliation Shandong Provincial Computing Center (山东省计算中心)
Source Information Technology and Informatization (《信息技术与信息化》), 2008, No. 6, pp. 83-85 (3 pages)
Keywords Information security; Risk assessment; Asset; Threat; Classification