Abstract
The information security risk assessment specification and its related guides direct risk assessment work, but systematic theoretical support is still lacking for managing the assessment process and improving assessment capability. This paper reviews the current state of information security risk assessment and analyzes the problems found in it; based on the information system life cycle and models from system security engineering, it proposes a three-dimensional risk assessment capability maturity model (IRA-CMM); and it applies this model to risk assessment process management and assessment capability improvement.
The information security risk assessment specification and other related operational guides greatly help practitioners carry out risk assessment, but there is a lack of systematic theoretical support from the perspective of assessment process management and capability improvement. The paper summarizes current developments in information system security risk assessment and analyzes some practical problems that remain to be solved. Then, based on the information system life cycle and the system security engineering model, a new three-dimensional information risk assessment capability maturity model (IRA-CMM) is proposed. Finally, the IRA-CMM model is applied to managing the information security assessment process and improving assessment capability.
Source
Information Technology & Standardization (《信息技术与标准化》)
2009, Issue 5, pp. 33-35 and 42 (4 pages in total)