Abstract
Risk is the potential for a threat to exploit a vulnerability in an information asset and cause harm to the enterprise. This article proposes a design for an information security management system based on risk control. The system first establishes security objectives, then carries out risk identification and risk assessment of the information assets and prescribes the corresponding risk control measures. In addition, the system interfaces with security devices such as IDS, IPS and firewalls to collect their operational security data, so that potential risks can be monitored and early warnings issued. Throughout the risk management process, management's monitoring and review, together with communication and consultation, run through every stage and are key to the continuous improvement of the system.
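The abstract describes a cycle of identify, assess, control, monitor, with risk modelled as a threat acting on an asset's vulnerability and with IDS/IPS data feeding an early warning. The following Python is an added, hypothetical illustration of that cycle written for this page; it is not code from the paper. The 1..5 scales, the multiplicative score, the level thresholds, the control text and the "key=value" alert format are all assumptions, and the asset register and alert lines are constructed sample data.

```python
"""Illustrative core of a risk-based ISMS: identify -> assess -> control -> monitor.
Hypothetical code added for this page, not from the paper; scales and thresholds are assumed."""
from dataclasses import dataclass
from typing import Dict, List
import re


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # business value of the information asset, 1 (low) .. 5 (critical); assumed scale


@dataclass(frozen=True)
class Risk:
    """One identified risk: a threat that could exploit a vulnerability of an asset."""
    asset: Asset
    threat: str         # source of potential harm
    vulnerability: str  # the weakness the threat would exploit
    likelihood: int     # 1..5, chance the threat exploits the weakness (assumed scale)
    impact: int         # 1..5, harm to the enterprise if it does (assumed scale)

    def score(self) -> int:
        # Assumed multiplicative model: asset value x likelihood x impact, range 1..125
        return self.asset.value * self.likelihood * self.impact


def level(score: int) -> str:
    """Map a numeric score onto three treatment bands (thresholds are assumptions)."""
    if score >= 60:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


# Control measure attached to each band (illustrative wording).
CONTROLS: Dict[str, str] = {
    "high": "treat now: remediate the vulnerability, add a compensating control, escalate to management",
    "medium": "treat on schedule: plan remediation, add an IDS/IPS signature, review monthly",
    "low": "accept: keep in the register, re-assess at the next review cycle",
}

# Risk identification output: a constructed register of assets, threats and vulnerabilities.
ERP_DB = Asset("erp-db", 5)
MAIL_GW = Asset("mail-gw", 4)
WIKI = Asset("office-wiki", 2)
REGISTER: List[Risk] = [
    Risk(ERP_DB, "external attacker", "unvalidated query parameters", likelihood=3, impact=4),
    Risk(MAIL_GW, "phishing campaign", "no attachment sandboxing", likelihood=4, impact=3),
    Risk(WIKI, "password guessing", "no login rate limit", likelihood=4, impact=2),
]


def assess(register: List[Risk]) -> List[dict]:
    """Risk assessment step: score every identified risk and attach its control measure."""
    rows = []
    for r in register:
        s = r.score()
        rows.append({"asset": r.asset.name, "threat": r.threat, "vulnerability": r.vulnerability,
                     "score": s, "level": level(s), "control": CONTROLS[level(s)]})
    return sorted(rows, key=lambda row: row["score"], reverse=True)


# Constructed alert lines in an assumed key=value format, as an IDS/IPS interface might deliver them.
IDS_ALERTS: List[str] = [
    'ts=2013-09-01T10:00:01 src=10.0.0.7 dst=erp-db msg="sql injection attempt"',
    'ts=2013-09-01T10:00:09 src=10.0.0.7 dst=erp-db msg="sql injection attempt"',
    'ts=2013-09-01T10:01:15 src=10.0.0.21 dst=mail-gw msg="malicious attachment"',
    'ts=2013-09-01T10:02:02 src=10.0.0.7 dst=erp-db msg="sql injection attempt"',
    'ts=2013-09-01T10:02:40 src=10.0.0.33 dst=office-wiki msg="login failure burst"',
    'ts=2013-09-01T10:03:11 src=10.0.0.21 dst=mail-gw msg="malicious attachment"',
    'ts=2013-09-01T10:04:58 src=10.0.0.7 dst=erp-db msg="sql injection attempt"',
]

ALERT_RE = re.compile(r"\bdst=(?P<dst>\S+)")


def alerts_per_asset(lines: List[str]) -> Dict[str, int]:
    """Count alerts by destination asset; lines without a dst field are ignored."""
    counts: Dict[str, int] = {}
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            counts[m.group("dst")] = counts.get(m.group("dst"), 0) + 1
    return counts


def early_warning(assessment: List[dict], lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Monitoring step: flag assets whose live alert count reaches the threshold and whose
    assessed risk is above 'low'. Returns asset name -> alert count for every flagged asset."""
    counts = alerts_per_asset(lines)
    warnings: Dict[str, int] = {}
    for row in assessment:
        n = counts.get(row["asset"], 0)
        if n >= threshold and row["level"] != "low":
            warnings[row["asset"]] = n
    return warnings


if __name__ == "__main__":
    rows = assess(REGISTER)
    for row in rows:
        print(f'{row["asset"]:12} {row["score"]:3} {row["level"]:6} {row["control"]}')
    print("early warning:", early_warning(rows, IDS_ALERTS))
```

The assessment output is the register sorted by score, so the high band (erp-db at 60) lands first; the monitoring step then combines the static assessment with live alert volume, so four alerts against the high-risk database produce a warning while the same volume against a low-risk asset would only be recorded. The review and communication loop the abstract mentions would feed back into the likelihood and impact values of the register.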
Source
North China Electric Power (华北电力技术), 2013, No. 9, pp. 65-70 (6 pages)
Indexed in: CAS
Keywords
risk
threat
information assets (given as "information set" in the original English keywords)
vulnerability
risk control
risk identification
risk assessment