Abstract
Security protection of critical information infrastructure should take risk control as its starting point and establish a basic, general-purpose security framework built around identification, protection, detection, response and recovery. Operators of critical information infrastructure can then use this unified security framework to formulate standards or industry practice guidelines that fit their own application needs. This paper studies the formulation, implementation and continuous improvement of the NIST "Framework for Improving Critical Infrastructure Cybersecurity", analyzes the Cybersecurity Capability Maturity Model (C2M2) practice associated with that framework and the feasibility of applying the framework in China, and offers recommendations on methods and standardization work for the protection of critical information infrastructure in China.
Source
Information Technology & Standardization (《信息技术与标准化》), 2016, No. 7, pp. 43-46 (4 pages)
Keywords
critical information infrastructure; framework; cyber security; capability maturity model