Abstract
Information security risk assessment services are one of the important links in China's information security assurance work, and the technical methods of information security risk assessment have long been held in high regard by the industry. At present, owing to a number of factors, the level of information security risk assessment service capability varies considerably across regions and industries. Combining SSE-CMM theory with best practices of information security risk assessment services, this paper proposes the concept of a risk assessment service capability maturity model, RAS-CMM. RAS-CMM provides a theoretical evaluation framework for grading risk assessment service capability around capability factors such as resource allocation, technical process and project management.
Authors
孙明亮
位华
王琰
Sun Mingliang, Wei Hua, and Wang Yan (China Information Technology Security Evaluation Center, Beijing 100085; School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876)
Source
《信息安全研究》
2018, No. 10, pp. 889-897 (9 pages)
Journal of Information Security Research
Keywords
information security
risk assessment
service
process areas
base practices
common features
generic practices
capability maturity model