Node document

Risk Assessment of an Information Security Management System Based on ISO 17799

Risk Assessment of Information Security Management Based on ISO 17799

【Author】 谢崇斌

【Supervisor】 田玉敏

【Author information】 Xidian University (西安电子科技大学), Computer Architecture, 2004, Master's degree

【Abstract (translated from Chinese)】 The information system is the core of an organization's operations. Security management of an information system is a dynamic, cyclically evolving process. Risk assessment, as one important link in that cycle, supplies the goals and requirements for the continual improvement of the dynamic model of information system security management. Past information system security management work suffered from loose coupling with security technology, which led many organizations to emphasize security technology while neglecting security management. Building on existing theoretical results, this thesis proposes a management-in-depth system for information security that is adapted to information security technology, strengthening the link between the two and raising the standing of risk management work. Guided by the above theoretical argument, drawing on the 安氏 PADIMEE model, and taking ISO/IEC 17799 as its foundation, the thesis establishes an improved risk assessment model and completes the database design and program design of a risk assessment tool for information security management systems. This improves the efficiency of risk assessment work, increases the credibility and comparability of its results, and promotes the development of domestic information security management work.

【Abstract】 The information system is the kernel of an organization. The security management of an information system is a dynamic, cyclically evolving process. As one important part of it, risk assessment provides the goals and requirements for the continual improvement of the dynamic information system security management model. Because of the loose integration between security management and security technology, many organizations attach importance to security technology and pay less attention to security management. Based on current theoretical results, this paper builds a Management-in-Depth System of Information Security that is adapted to information security technology. This work strengthens the connection between security management and security technology, and raises the status of risk management. Under the guidance of this theory, the paper builds an improved risk assessment model based on the PADIMEE model and ISO/IEC 17799, and completes the database design and software design of an information security management system risk assessment kit. The result increases the efficiency of risk assessment work, enhances the reliability and comparability of risk assessment results, and advances information security management in our country.

  • 【Classification number】 TP309
  • 【Times cited】 13
  • 【Downloads】 496