Affiliations: [1] School of Software and Microelectronics, Peking University, Beijing 102600; [2] Luoyang Electronic Equipment Test Center, Luoyang, Henan 471003
Source: Netinfo Security (信息网络安全), 2015, No. 2, pp. 7-14 (8 pages)
Funding: National Natural Science Foundation of China [61170282]
Abstract: Information security is the issue of greatest concern in the development of global informatization. As organizations move into the era of the information office, almost all of an organization's information assets are stored in its information systems; once those systems face threats and suffer attacks, the resulting damage and losses are hard to imagine. Information security risk assessment theory was first proposed abroad and is now widely applied in the information security field. The article first studies the basic theory and process of risk assessment, introducing the definition of risk assessment, the relationships between risk assessment elements, the security risk model and common risk assessment methods. It then presents the architecture design and functional module design of a risk assessment and control software system covering asset identification, threat analysis, vulnerability analysis, confirmation and evaluation of existing security policies, comprehensive risk assessment and assessment report output. The system is then implemented with the SQL Server database and Tomcat middleware technology and tested on a test platform. A vulnerability detection function was added during the design of the assessment software, providing a further safeguard for the accuracy of the assessment work. The system's module structure is simple and clear, its assessment functions are complete and powerful, and the results are prominent.
Keywords: risk assessment; asset identification; vulnerability analysis; threat analysis; vulnerability detection
Classification: TP309 [Automation and Computer Technology: Computer System Architecture]