Abstract
Based on the requirements of typical information security risk assessment, a comprehensive assessment flow is proposed and the design and implementation of a corresponding system is completed. When the system's information base was designed, a large amount of redundant information was removed; in the assessment identification stage, assets, threats and vulnerabilities were classified in detail; in the assessment valuation stage, the single system-only valuation was extended with a function that lets users and experts participate at the same time. In addition, the preparatory work for the risk matrix calculation incorporates the idea of weighing the system, user and expert valuations together. A development scheme based on leading mainstream technologies such as JavaEE and XML provides good conditions for the system's security and multi-platform adaptability.
Based on the requirements of typical information security risk assessment, a synthetic flow is advanced and its design is implemented via programming in Java. In the system, a great deal of unavailable information is kept out of the XML database, and assets, threats and vulnerabilities are classified in the identification procedure; the values from both users and specialists are added into the evaluation procedure alongside the system values. To balance those three values in the prior period of risk calculation, a new weight formula is created to deal with them. Finally, the new technological project based on JavaEE and XML database improves the further expansible potential of the system.
Source
《计算机工程与设计》
CSCD
Peking University Core Journal
2010, No. 13, pp. 2943-2946, 2965 (5 pages in total)
Computer Engineering and Design
Funding
National Key Technology R&D Program of the 11th Five-Year Plan, major project (2006BAK01A07, 2006BAC18B06)
National Natural Science Foundation of China (60573094)
Keywords
information security
information database
risk assessment
identification
evaluating