Abstract
In 2016, the EastWest Institute (EWI) in the United States published Purchasing Secure ICT Products and Services: A Buyers Guide, compiled by its Breakthrough Group on Increasing the Global Availability and Use of Secure ICT Products and Services. As early as 2015, the group made clear that governments and enterprises play multiple roles in the ICT market. Governments are policymakers and sometimes regulators of the ICT industry, while enterprises develop and provide ICT products and services; both governments and enterprises are also buyers of ICT products and services. Cyberspace stakeholders therefore bear differing degrees of responsibility for improving the security of ICT products and services. The survey-based Guide compiled by EWI is intended to help buyers, suppliers and users in the ICT industry better understand and address the inherent cybersecurity and privacy risks of ICT products and services; its target audience includes senior executives and board members, chief information security officers, risk management professionals, acquisition officers, insurers, auditors, other third-party risk assessors, and design, manufacturing and supply chain professionals. Version 1.0 of the Guide offers ICT buyers and suppliers three recommendations: first, strengthen the dialogue on risk management; second, structure that dialogue around the questions in the Guide; third, rely on international standards to increase confidence in the results.
In 2016, the EastWest Institute (EWI) published Purchasing Secure ICT Products and Services: A Buyers Guide, compiled by its Breakthrough Group on Increasing the Global Availability and Use of Secure ICT Products and Services. This group came to the conclusion in 2015 that government and industry act in multiple roles as stakeholders in the ICT marketplace. The government acts as a policymaker and sometimes as a regulator of ICT, industry develops and provides ICT products and services, and both the government and industry are buyers of ICT products and services. Accordingly, cyberspace stakeholders have varying responsibilities and capabilities to increase the security of ICT products and services. Created based on surveys, the Guide is intended to help buyers, suppliers, and users of information and communications technologies better understand and address the cybersecurity and privacy risks inherent in ICT products and services. These individuals include senior executives and members of their governing boards and parent organizations, chief information and information security officers, risk management professionals, acquisition officers, insurers, auditors, and other third-party risk evaluators, and design, manufacturing and supply chain professionals. Version 1.0 of the Guide provides three recommendations for ICT buyers and suppliers: 1. Engage in a dialogue about risk management; 2. Use the questions in the Guide to frame the dialogue; 3. Rely on international standards to increase confidence in the results.
Source
Information Security and Communications Privacy (《信息安全与通信保密》), 2016, No. 12, pp. 76-83 (8 pages)
Keywords
purchasing secure ICT products and services
management of cybersecurity risks
international standards and best practices
dialogue