信息安全风险评估综述

257JOURNALOFCHINAINSTITUTEOFCOMMUNICATIONSJuly200420047Vol.25No.71.1000392.100080*TP309A100-436X(2004)07-0010-09SurveyofinformationsecurityriskassessmentFENGDeng-guo,ZHANGYang,ZHANGYu-qing(1.StateKeyLaboratoryofInformationSecurity(GraduateSchoolofChineseAcademyofSciences),Beijing100039,China;2.InstituteofSoftwareofChineseAcademyofSciences,Beijing100080,China)Abstract:Intheinformationsecurityengineering,RiskAssessmentplaysanimportantpart.Itisthebasisoftheinformationsystemsecuritysystematism.Thearticlediscussesindetailthecontentsofriskassessment,forexample:presentsituation,models,standards,methods,process,thenintroducesinformationsecuritytestandevaluationsystem,finally,thepaperanalyzestheproblemsexistinginRiskAssessmentandthefutureprospect.Keywords:informationsecurity;vulnerability;risk;riskassessment12004-02-10973G19990358600252057112320IT207080[1~5]4PDRP2DRAPPDRRPADIMEE™WPDRRCP2DRPADIMEE™PADIMEE™1“”122004policy(assessment)(design)(implementation)(management)(emergencyresponse)(education)PADIMEE™1PADIMEE51985TCSECTCSEC2090(ITSEC);1993CTCPEC1993FC67NISTNSA2090CCBSIBS779(ISO17799)ISOSSE-CMM(ISO/IEC21827:2002)GB17859[6]GB/T183365.1CCCCITSEcommoncriteriaofinformationtechnicalsecurityevaluationCCISO/IEC15408-146719936CCTCSECTCSECCCITSECFC123CC41CCPDR2CC7133CC4)CCCEMcommonevaluationmethodology5.2BS7799(ISO/IEC17799)BS7799(BSI)BS7799-1:1999BS7799-2:2002BS7799-1:1999200012ISOISO/IEC17799:2000BS7799-1:1999BS7799-2:2002BS7799-1:1999PDCAISMS5.3ISO/IEC21827:2002(SSE-CMM)systemsecurityengineeringcapabilitymaturitymodelSSE-CMMSSE-CMM————“”——5.4GB178591999955.5BS7799BS7799CCTCSECBS7799BS7799BS7799,CCSSE-CMMSSE-CMMSSE-CMM,GB/T18336ISO/IEC1540814200466.16.26.36.4(AHP)TL20701)7152)72AHP3)77.1SAFESuiteSAFESuiteInternetSecuritySystemsISSInternetSAFESuite7.2WebTrendsSecurityAnalyzerWebTrendsSecurityAnalyzerWebNetIQ-WebTrends:WebTrendsReportingCenterAnalysisSuiteWebTrendsLogAnalyzerSecurityAnalyzerWebTrendsFirewallSuiteandWebTrendsLiveLinuxWindowsWebHTML7.3CobraCobraISO17799Cobra3CobraCobra7.4CCtoolsCCtoolsCCCCPP()STCobra16200488.18.28.3//8.438.58.69717CB19911991(BSI)1998CC1997NIAPCC22101820041965-1971-1966-11[1]UnitedStatesGeneralAccountingOffice,AccountingandInformationManagementDivision.InformationSecurityRiskAssessment[Z].Augest1999.[2]NationalInstituteofStandardsandTechnology.SpecialPublications800-30,RiskManagementGuide(DRAFT)[Z].June2001.[3]BUTLERSA,FISCHBECKP.Multi-AttributeRiskAssessment,TechnicalReportCMD-CS-01-169[R].December2001.[4]BUTLERSA.SecurityAttributeEvaluationMethod:ACost-BenefitApproach[Z].ComputerScience.Department,2001.[5]PELTIERTR.InformationSecurityRiskAnalysis[Z].RothsteinAssociatesInc,2001.[6].BS7799[M].:,2002.