
Research on Construction of Critical Information Infrastructure Protection System and Standardization of Vulnerability Management (cited by: 3)
Abstract: To resolve the confusion that critical information infrastructure operators face in vulnerability management, and to further promote the implementation of the Cyber Security Law of the People's Republic of China and the Regulations on the Security and Protection of Critical Information Infrastructure, a protection system for critical information infrastructure in China should be established. By systematically analyzing the development history of critical information infrastructure protection at home and abroad, the relevant vulnerability management standards, and frontier theories of vulnerability management for critical information infrastructure, the paper demonstrates the necessity of standardizing vulnerability management for operators of critical information infrastructure. The vulnerability elimination and control management of critical information infrastructure is summarized into a management model of 5 elements (vulnerability management, asset management, patch management, personnel management and organizational management) and 5 stages (preparation, planning, execution, monitoring and change). The 5 elements and 5 stages of vulnerability elimination and control management are cross-subdivided into 32 work processes. The paper suggests compiling, according to this model, a vulnerability management guide standard with Chinese characteristics for operators of critical information infrastructure.
Authors: Yang Yiwei (杨一未); Sun Chenghao (孙成昊) (China Information Technology Security Evaluation Center, Beijing 100085)
Source: Journal of Information Security Research (《信息安全研究》), 2022, No. 1, pp. 62-70 (9 pages)
Funding: Information Security National Standard Project (2020BZYJ-WG5-001).
Keywords: vulnerability; critical information infrastructure; elimination and control; vulnerability life cycle; vulnerability management
