Abstract
For an organization that provides information security risk assessment services to clients, obtaining qualification certification for that service is an important way to demonstrate its technical and management capability. While carrying out risk assessment service qualification certification, the China Cybersecurity Review Technology and Certification Center found that most organizations' risk assessment projects lack a documented basis, objectivity and persuasiveness, and that their assessment deliverables tend to pile up charts and calculation models without the accompanying textual explanation. This paper describes the problems found and, drawing on risk assessment practice, proposes approaches for resolving them, so as to promote the continued refinement of information security risk assessment technical practice and standards and to improve information security risk assessment service capability.
Authors
Wang Xiao (王笑), Cheng Linfang (成林芳), Zhai Yahong (翟亚红)
China Cybersecurity Review Technology and Certification Center, Beijing 100020; Hunan Electronic Information Industry Institute, Changsha 410001
Source
Journal of Information Security Research (信息安全研究), 2018, No. 10, pp. 946-953 (8 pages)
Keywords
risk assessment
service qualification certification
information security risk assessment service capability
calculation models
risk assessment technology practice