Abstract
Complex information systems (CIS) are difficult to manage and assess for risk because of their structural complexity. This paper proposes a CIS risk assessment framework based on the Zachman enterprise architecture (EA) framework and builds a CIS risk assessment process on the GB/T 20984-2007 standard (Information security technology: Risk assessment specification for information security). The CIS architecture is decomposed according to the risk management hierarchy and the principle of security domain partitioning, and assessment methods within and between security domains are studied. In addition to the traditional risk factors, an interconnection risk factor specific to CIS is introduced: mutual information is used to characterize the degree of association of an interconnection relationship, and the analytic hierarchy process (AHP) is used to assess the risk weights. The process is validated on an example CIS, and the results show that it can produce an objective and accurate assessment of CIS risk.
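The two quantitative steps named above, mutual information as the measure of how strongly two interconnected security domains are associated and AHP for turning pairwise judgements into risk-factor weights, are illustrated by the following added example. It is not code from the paper; the domain names, the joint incident distributions, the comparison matrices and the factor scores are all constructed for the illustration, and the consistency-ratio table is Saaty's standard random index.

```python
"""Added illustration (not the paper's code) of mutual information for the
interconnection risk factor and AHP for risk-factor weights, on constructed data."""

import math

# Saaty's random consistency index by matrix order (standard AHP table).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24,
                7: 1.32, 8: 1.41, 9: 1.45}


def mutual_information(joint):
    """I(X;Y) in bits from a joint distribution {(x, y): p}.

    X and Y are indicator variables for two interconnected domains (e.g. 1 =
    the domain had a security incident in the period). Higher I(X;Y) means
    incidents in one domain say more about the other, i.e. a tighter link.
    """
    if abs(sum(joint.values()) - 1.0) > 1e-9:
        raise ValueError("joint probabilities must sum to 1")
    px, py = {}, {}
    for (x, y), p in joint.items():
        px[x] = px.get(x, 0.0) + p
        py[y] = py.get(y, 0.0) + p
    return sum(p * math.log2(p / (px[x] * py[y]))
               for (x, y), p in joint.items() if p > 0)


def ahp_weights(matrix, iterations=200):
    """Priority weights and consistency ratio (CR) of a pairwise comparison matrix.

    matrix[i][j] says how much more important factor i is than factor j on
    Saaty's 1..9 scale, with matrix[j][i] = 1 / matrix[i][j]. The principal
    eigenvector is found by power iteration. CR > 0.1 means the judgements
    are too inconsistent and should be revised before use.
    """
    n = len(matrix)
    for i in range(n):
        for j in range(n):
            if abs(matrix[i][j] * matrix[j][i] - 1.0) > 1e-9:
                raise ValueError("matrix is not reciprocal at (%d, %d)" % (i, j))
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [v / total for v in aw]
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0
    return w, cr


def domain_risk(scores, weights):
    """Weighted risk score of one domain: sum over factors of score * weight."""
    if len(scores) != len(weights):
        raise ValueError("one score per factor is required")
    return sum(s * w for s, w in zip(scores, weights))


if __name__ == "__main__":
    # Constructed joint distributions of incident indicators for two domains,
    # A (office LAN) and B (production segment), linked through a gateway.
    coupled = {(1, 1): 0.2, (1, 0): 0.1, (0, 1): 0.1, (0, 0): 0.6}
    independent = {(1, 1): 0.09, (1, 0): 0.21, (0, 1): 0.21, (0, 0): 0.49}
    print("I(A;B) coupled     = %.4f bits" % mutual_information(coupled))
    print("I(A;B) independent = %.4f bits" % mutual_information(independent))

    # Constructed judgements for four factors: asset value, threat,
    # vulnerability, interconnection (the CIS-specific factor).
    judgements = [
        [1,     2,     3,   2],
        [1 / 2, 1,     2,   1],
        [1 / 3, 1 / 2, 1,   1 / 2],
        [1 / 2, 1,     2,   1],
    ]
    weights, cr = ahp_weights(judgements)
    print("weights = %s, CR = %.3f (%s)" % (
        ["%.3f" % x for x in weights], cr, "ok" if cr <= 0.1 else "revise"))
    # Constructed factor scores for domain A on a 1..5 scale.
    print("risk(A) = %.3f" % domain_risk([4, 3, 2, 5], weights))
```

Running the module prints the association of the coupled versus independent pair of domains, the AHP weights with their consistency check, and one domain's weighted risk score; `mutual_information` and `ahp_weights` reject distributions that do not sum to one and matrices that are not reciprocal, the two input errors most likely when judgements are collected by hand.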
Source
Computer Engineering (《计算机工程》), indexed in CAS, CSCD and the Peking University Core Journals list (北大核心)
2015, No. 4, pp. 156-160, 165 (6 pages)
Keywords
Complex Information System (CIS)
Enterprise Architecture (EA)
Zachman framework
risk assessment
risk factor
assessment process