Without knowing the weaknesses in a system, it cannot be protected well; yet if the weaknesses are known and that knowledge leaks, the risk becomes greater and unimaginable. Information security risk assessment lingered in this dilemma for years.
Now, with a steady stream of security vulnerabilities and security incidents, risk assessment can no longer be avoided. In March, the State Council Informatization Office held briefing meetings in Beijing and Kunming in succession to promote the comprehensive implementation of risk assessment theory.
On March 7 and March 18, 2006, the State Council Informatization Office held briefing meetings on the "Opinions on Information Security Risk Assessment" in Beijing and Kunming. After the risk assessment pilot work carried out from February to September 2005 in eight units (Beijing, Shanghai, Heilongjiang, Yunnan, taxation, banking, State Grid and the e-government extranet), this is the second major step: the comprehensive promotion of risk assessment theory into practice.
Although Wang Yu, head of the Network and Information Security Group of the State Council Informatization Office, has repeatedly said that risk assessment means analysing the risks of an information system in order to promote appropriate security, that it must not be rushed into, and that the situation must first be investigated and understood so that mistakes are not repeated, the enthusiasm at the meetings exceeded journalists' expectations.
On the one hand, more than 100 information security executives from central Party and State Council departments, the National People's Congress, the Supreme People's Procuratorate, the Supreme People's Court and the armed forces, together with the officials in charge of information security in every province, attended the briefings in Beijing and Kunming. After studying the "Opinions on Information Security Risk Assessment" (the "Opinions") and hearing the pilot units' experience, the executives debated the "Opinions" and the difficulties their own work might encounter, pushing the discussion past 6 pm.
On the other hand, at the Kunming meeting, which was aimed at provincial and municipal officials responsible for information security, almost every domestic security firm of any size was on the scene, including TOPSEC, Venustech, Lenovo NetYu, Neusoft, Shenzhou NetYu, Wei and others. First, Chinese security businesses are very sensitive to government moves on national policy; second, these enterprises are concentrated mainly in the government market, so this was an opportunity for close contact with end users.
Some industry sources say that nationwide promotion of the "Opinions" will play a positive role for the information security industry: as demand for analysis and assessment of network and information system security, potential threats, weaknesses and protective measures grows, the related security products and solutions will also move closer to user needs.
In fact, the Chinese government attaches great importance to information security risk assessment. In 2003 the State Council issued Document No. 27, which made it clear that "attention should be paid to information security risk assessment." In the following two years the State Council Informatization Office set up a risk assessment expert discussion group which, on the basis of extensive research, produced the "Information Security Risk Assessment Guide (Exposure Draft)" as the theoretical basis for the work, and in February 2005 began seven months of pilot work in eight units.
In a "sub-health" state
According to an expert in the discussion group, an in-depth survey of more than 50 units in economically developed regions two years ago found the following: information security risk assessment in China was very uneven; only a few units had carried out assessments, while most, including some concerning people's livelihood, had not, because no accident had occurred and they lacked a risk assessment mechanism; domestically there was a lack of unified norms, standards and tools and of legal construction, and no national policy guidance.
"Information technology itself implies risk, and nobody dares to guarantee that their system is foolproof," the expert said. Yet, worthwhile as risk assessment is, when it was put before the leadership of some units it caused great concern, a fear with several causes.
First, information risks are global, contagious, complex and hidden; the larger and more complex the information system, the more vulnerabilities exist and the greater the losses an accident causes. Without knowing the weaknesses in a system it cannot be protected well, yet if the weaknesses are known and that knowledge leaks, the risk of disaster is even greater.
Second, security incidents are, for the time being, low-probability events. For example, although virus infections on networks are common, they do not necessarily break out regularly in key systems and cause catastrophes. Many leaders are busy with production tasks and have not encountered an information security incident for years. "You keep a group of people and spend money, yet risk assessment always seems to produce nothing on the system, and it does not crash for three to five years; naturally the leadership hesitates."
Ning Jiajun, a researcher at the State Information Center, believes that information security assessment is the only way to overcome information security "sub-health". "Medical experts believe most adults are in a sub-health state; to recognise and identify problems you have a physical examination. Information systems are the same: even in a so-called safe state they are often in a sub-health or even sick state, so they also need a physical, and that is risk assessment."
In Ning Jiajun's view, information security "sub-health" is determined by the borderless, low-cost, open and anonymous nature of information, and its causes are many: natural disasters; misuse and production safety accidents; viruses, worms and network attacks; inadequate trust systems and fraud carried out with information tools; modification, loss and internal leakage of information and data caused by internal factors; leakage, tampering and loss of information and data caused by external factors; and security measures that do not keep up with high-end technology.
"In China, information security risk also has its own unique formation mechanisms, seven of them," Ning Jiajun says. The seven are: first, a lack of clear strategic planning; second, leadership and organisational capability not in place, and poor coordination; third, poor information management and immature management systems; fourth, budgets and funds for building and managing the security subsystem that lack a scientific basis, and a general lack of financial support; fifth, a shortage of information security risk management personnel and of qualified staff with information security management capability; sixth, regulations, standards and policies that lag behind the development of information technology, and legal work that lags behind the demands of informatization; seventh, deficiencies in privacy, data security and technology management.
Therefore, starting from China's actual conditions, risk assessment should be carried out to diagnose the health of the various important information systems. First, we must mobilise all forces and use risk management thinking: through risk assessment, control and reduce risks, enhance the defensive capabilities of information systems to meet information security needs, and gradually build a risk assessment system with Chinese characteristics. Second, on the basis of assessing China's basic information networks and important information systems, master their security situation, handle problems promptly and appropriately, and ensure their normal operation. Third, through risk assessment of key national e-government systems, e-commerce systems and critical information infrastructure, draw on the experience gained, keep exploring, and gradually improve China's risk assessment management mechanism.
A methodology formed by "trial"
Wang Yu, head of the Network and Information Security Group of the State Council Informatization Office, stressed that the "Information Security Risk Assessment Guide (Exposure Draft)" is the crystallisation of collective wisdom: a technology built on established scientific methods that draws on practical experience from many sides, the result of combining theory and practice.
As early as the 1970s and 1980s, developed countries began to explore risk assessment and related systems, developing and publishing assessment guidelines and related documents that clearly set out risk assessment requirements. China's information security risk assessment started late; at first it was an industry activity on which large banks and other business information systems relied heavily. Not until July 2003 was China's first programmatic information security document issued at the national level (Document [2003] No. 27), which proposed establishing graded information security protection and listed "carrying out information security risk assessment" as an important task in building China's information security system.
Some national security experts agree that China's information security risk assessment has gone through three stages: 2003 was the research stage, 2004 the standards preparation stage, and 2005 the pilot stage.
At the end of July 2003, to implement the requirements of Document No. 27, the Network and Information Security Group of the State Council Informatization Office commissioned the State Information Center to organise an "information security risk assessment discussion group", joined by public security, state secrecy, the PLA, the Chinese Academy of Sciences and other departments and research institutions, to carry out research and practical work on information security risk assessment. The group set out to gain a comprehensive and in-depth understanding of the state of information security risk assessment, put forward measures, methods and standards for risk assessment in China, develop a model risk assessment tool, and prepare for the implementation of risk assessment work so as to strengthen information security construction and management.
From August to December 2003, the research group conducted in-depth surveys of more than 50 units in over 10 industries in Beijing, Guangzhou, Shenzhen and Shanghai, and completed about 10 million words across the "Information Security Risk Assessment Survey Report", the "Information Security Risk Assessment Study" and the "Proposal on Strengthening Information Security Risk Assessment".
In March 2004 the "information security risk assessment discussion group" began preparing risk assessment guide standards, and by the end of October that year had completed the exposure drafts of two standards, the "Information Security Risk Assessment Guide" and the "Information Security Risk Management Guide".
In early 2005, building on the previous two years of risk assessment work, the State Council Informatization Office made a bold attempt: it set up an information security risk assessment pilot leading group headed by Wang Yu. The plan was to pilot risk assessment first in a number of key systems, gain experience and improve the relevant policies and standards, and then extend it to all important information systems. Besides the leading group, an expert group led by Ning Jiajun, director at the State Information Center, was established to help the pilot units solve technical problems and to provide training and consulting.
In February 2005, eight pilot units (the People's Bank of China, the State Administration of Taxation, the State Grid Corporation, the national e-government network, Beijing, Shanghai, Heilongjiang and Yunnan) began a seven-month information security risk assessment pilot. On September 8, 2005, the State Council Informatization Office held the pilot project's concluding conference in Shanghai.
On the one hand, the pilot work achieved its expected goals: it explored the basic patterns of information security risk assessment and provided practice for designing the relevant documents; it trained and tempered the workforce and raised the risk awareness of the personnel concerned; and it explored various risk assessment methods and tested the operability of the standard.
On the other hand, drawing on the pilot units' actual work and ideas, the research group further revised and strengthened the "Information Security Risk Assessment Guide", which passed three expert reviews in September, October and December 2005 and has been submitted to the national information security standards committee.
"In 2006 we will actively promote the enactment of the 'Information Security Risk Assessment Guide'," said Wang Yu of the State Council Informatization Office; the work in 2006 will take three steps.
The first step, already completed, was mainly to organise the briefings on the "Opinions on Information Security Risk Assessment" and, before the "Information Security Risk Assessment Guide" is formally promulgated, to publish the Guide as an internal draft for reference in the form of a State Council Informatization Office document.
The second step is to organise and establish an information security risk assessment expert group. Its mandate focuses on information security risk assessment: doing a good job of technical training, technical exchange and the preparation of teaching materials, while also carrying out research and providing guidance and technical advice to departments and localities on information security risk assessment.
The third step is to carry out security risk assessment of basic information networks and important information systems concerning people's livelihood. For this work the State Council Informatization Office will convene a meeting to make special arrangements.
Practical problems ahead
Delegates agreed that establishing a national risk assessment model and gradually extending it will move the building of the national information security system into a new phase: the stage of implementation and practice.
"Before it was rather abstract; now it is very real." As Shen Zhixiong, director of e-government for Guangdong Province, understands it, Document No. 27 sets the overall framework of the security system and the graded protection system is a complete policy, while the "Information Security Risk Assessment Guide" is scientific, technical guidance that specifies the content, methods and forms of risk assessment, which makes it genuinely operational.
For example, the Guide gives a fairly definite account of the relationship between risk factors and the risk calculation model. As Dr. Fan Hong of the State Information Center explained, the risk calculation process basically runs as follows: first, identify the information assets and assign each a value; next, identify the threats and assign each a frequency; then identify the vulnerabilities of the information assets and assign each a severity; then, from the identified threats and vulnerabilities, calculate the likelihood of a security incident; finally, from that likelihood and the incident's impact on the asset, calculate the risk value.
However, some representatives pointed out that the qualification status and technical strength of assessment teams will probably become a major problem in practice. Risk assessment takes two forms, self-assessment and inspection assessment: in the former the system owner assesses its own information systems, by itself or by entrusting a third party; the latter is a mandatory inspection initiated by the system owner's higher authorities or competent business authorities.
"In Guangdong Province, not many can do risk assessment with their own technology; only industries and enterprises as big as the Daya Bay nuclear power plant are strong enough to do it themselves," Shen Zhixiong told reporters. "Most self-assessment has to rely on third-party evaluation institutions."
Currently, third-party evaluation organisations are mainly of two kinds: the national and local information security evaluation centres, and purely commercial information security evaluation teams. "But the three types of third-party evaluation institution each have their own deficiencies."
In terms of credibility, the national and local information security evaluation centres are strong, but their staff are clearly insufficient, and some places lack the financial and technical strength to form an information security evaluation centre at all. Even Beijing, the capital, feels its evaluation capacity is inadequate. Since 2001 Beijing has conducted regular risk assessment of a number of important systems serving the public, but still cannot reach an ideal state. Li Song, deputy director of the Beijing Information Security Services Centre, explained that the original plan was to assess more than 60 systems on a two-year cycle, but with only fifteen or sixteen professional evaluators, even an ideal overload schedule can hardly be completed.
Figure: industry distribution of the systems assessed
Purely commercial information security evaluation teams are numerous, but few can really solve the problem; some are in fact security vendors acting as service providers. "For system owners, particularly owners of public information systems involving national security interests, relying on them makes the risk assessment hard to control and will lead to unimaginable consequences." Shen Zhixiong noted that the Hong Kong SAR recently had a major incident in which data on more than 2,000 complaints against the police was leaked, for reasons not yet identified.
Shen Zhixiong sees two shortcomings in third-party evaluation by vendor service staff. First, their impartiality is open to question. "If they do the assessment and also sell the products, it certainly is not fair. It is like a doctor who also sells drugs: he will press drugs on you that you do not need." Second, Chinese security companies have been unstable, with frequent restructuring and splits. "Experience tells us that even choosing a large company makes you nervous." For example, just after Lenovo NetYu's assessment had finished and the product procurement procedures were complete, there was suddenly a major change, and a worried Shen Zhixiong rushed to Beijing, where Lenovo NetYu assured him that nothing would change. But Shen Zhixiong worries that in China security qualifications are certified, yet evaluation qualifications, and above all the qualifications of evaluation staff, are not.
Li Jingchun of the PLA Information Security Research Center believes the key is strict management of the whole assessment process, so that the assessment itself does not become a problem, and offered three suggestions. First, before the assessment: give the assessment personnel security education, draw up security measures, configure the security equipment, and sign security and confidentiality agreements.
Second, during the assessment: the internal situation of the assessed unit learned through the assessment should be kept strictly confidential; the circulation of information on the assessed unit's information assets, the vulnerabilities found and the security incidents that have occurred should be strictly limited; testing and evaluation equipment and mobile media should be strictly controlled; and the participating personnel should be managed in a closed manner throughout the evaluation.
Third, after the assessment: carefully return all documents, information and data; sign and archive the documents from the assessment process and its results; manage the testing and evaluation data centrally and clear the data from the testing equipment; and do not disclose the assessed unit's secret or sensitive situation in external dealings.
Glossary
Risk Assessment
Risk assessment is the assessment of the threats to information and information processing facilities, their impacts, their vulnerabilities, and the likelihood that all three occur together. It is the process of confirming security risks and their size, namely using appropriate risk assessment tools, including qualitative and quantitative methods, to determine the risk level of information assets and the priority order of risk controls.
Risk assessment is the foundation of an information security management system, the first-hand information for analysing the security of an existing network, and one of the most important elements of network security; it lays out a network's risks and provides a direct basis for implementing risk management and risk control. Enterprises should conduct a risk assessment when selecting network security equipment, analysing network security needs, building or transforming a network, trialling applications, connecting intranet and extranet, transmitting business data online with third-party business partners, and providing e-government services.
Risk assessment process
In risk assessment, the main factors considered include: information assets and their value; the threats to these assets and their probability of occurrence; weak points; and existing security controls.
The basic process of risk assessment is: first, identify the business processes and information assets according to the enterprise's operations, and value the information assets according to valuation principles; second, identify and evaluate the threats in the assets' environment; third, for each threat, identify and evaluate the weak points of the corresponding assets or organisation; fourth, confirm the security controls already in place; fifth, using the risk measurement method and the risk grading principles, determine the size and grade of the risk.
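The five-step process above, and the risk calculation process attributed to Dr. Fan Hong earlier in the article, carried through as a small worked example. This is an added illustration, not code from the Guide or from the article; the 1-to-5 rating scales, the scaled-product rounding rules for likelihood and risk value, the "one confirmed control lowers severity by one level" rule, and the sample asset, threats, vulnerabilities and controls are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Every factor is rated on an assumed 1 (very low) .. 5 (very high) scale.
GRADES = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}


@dataclass
class Asset:
    name: str
    value: int            # step one: the value assigned to the information asset


@dataclass
class Threat:
    name: str
    frequency: int        # step two: how often the threat is expected to act


@dataclass
class Vulnerability:
    name: str
    severity: int         # step three: raw severity before any control is counted
    addressed_by: List[str] = field(default_factory=list)  # controls that reduce it


def clamp(level: float) -> int:
    """Keep a computed level inside the 1..5 scale."""
    return max(1, min(5, int(round(level))))


def effective_severity(vuln: Vulnerability, controls: Set[str]) -> int:
    """Step four: each confirmed control that addresses the weak point lowers
    its severity by one level (an assumed rule, not one stated in the article)."""
    applied = sum(1 for c in vuln.addressed_by if c in controls)
    return clamp(vuln.severity - applied)


def incident_likelihood(frequency: int, severity: int) -> int:
    """Likelihood of a security incident from threat frequency and vulnerability
    severity (assumed rule: scaled product, rounded back onto the 1..5 scale)."""
    return clamp(frequency * severity / 5)


def risk_value(asset_value: int, likelihood: int) -> int:
    """Final step: risk from the incident likelihood and the value of the asset
    the incident acts on (same assumed scaled-product rule)."""
    return clamp(asset_value * likelihood / 5)


def assess(asset, threats, vulns, controls) -> List[Tuple[str, str, int, int, str]]:
    """Run the five steps for one asset. Returns (threat, vulnerability,
    likelihood, risk value, grade) sorted from highest risk to lowest, which is
    the priority order for risk control that the glossary mentions."""
    results = []
    for t in threats:
        for v in vulns:
            like = incident_likelihood(t.frequency, effective_severity(v, controls))
            val = risk_value(asset.value, like)
            results.append((t.name, v.name, like, val, GRADES[val]))
    return sorted(results, key=lambda r: r[3], reverse=True)


# Constructed sample input (not a real assessment).
DB = Asset("tax collection database", value=5)
THREATS = [Threat("worm outbreak", frequency=4), Threat("insider tampering", frequency=2)]
VULNS = [
    Vulnerability("unpatched database server", severity=5, addressed_by=["patch management"]),
    Vulnerability("weak audit logging", severity=3, addressed_by=["central log review"]),
]


def top_risk(controls: Set[str]) -> Tuple[str, str, int, int, str]:
    """Highest-ranked risk for the sample asset under a given set of confirmed controls."""
    return assess(DB, THREATS, VULNS, controls)[0]


if __name__ == "__main__":
    for row in assess(DB, THREATS, VULNS, {"patch management"}):
        print(row)
```

Running it with and without the "patch management" control shows step four at work: the same threat and weak point drop from a "high" to a "medium" risk once the control is confirmed.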
Risk assessment form
According to who performs the assessment, risk assessment can be divided into two categories: self-assessment and inspection assessment. Self-assessment is conducted by the owner of the information system, on its own, of its own information systems. Inspection assessment is usually initiated by the higher authorities or competent business authority of the information system's owner, according to enacted laws, regulations or standards, as a mandatory inspection activity; it is an important measure for strengthening information security by administrative means.
Both self-assessment and inspection assessment can make use of information security risk assessment services, including risk assessment consulting, services and training, and of risk assessment tools. Self-assessment is the most basic form of security assessment, and it is the foundation and precondition for inspection assessment. Whether the aim is to ensure the normal day-to-day operation of an enterprise's information systems or to meet a higher-level inspection assessment, self-assessment plays an important role.