Similar literature (20 results)
1.
This article seeks to draw the attention of the executive management of enterprises to the growing importance of vendor risk assessments. Given that modern enterprises outsource non-core processes and operations to business partners and vendors, it is immensely important that a thorough risk assessment of all control aspects is performed at all times: before the outsourcing and as continuing risk assessments afterwards. Regulators hold enterprises responsible for data leakages by business partners and vendors. Therefore, enterprises need to ensure that appropriate metrics for measuring vendor and business partner performance are well laid out in the agreements with those vendors and business partners. An indicative reference framework (the COBIT 5 framework for vendor management), guidance on managing a cloud service provider, and key risk assessment processes are provided to assist executive management. Third-party audits of the businesses and operations of key vendors and business partners need to be conducted.

2.
Risk assessment comprises the valuation of assets, threats and vulnerabilities and the calculation of risk. Taking the OCTAVE assessment model as its basis, this paper studies the identification and valuation of the risk-calculation triple. It proposes the combined use of brainstorming, the Delphi method and group decision-making methods to identify and value assets, threats and vulnerabilities, with the weighting parameters for the asset risk value obtained by expert consultation; a Markov method is used to calculate the probability of threat occurrence in a dynamic information system; and the risk calculation model is studied and extended with one further element, security protection measures, improving the risk-calculation triple into a quadruple.
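As an added illustration of the model summarised above (this is example code written for this page, not code from the paper), the sketch below values an asset as a weighted sum of its confidentiality, integrity and availability scores, derives a threat-occurrence probability from a small discrete-time Markov chain over system states, and computes risk over the four-tuple (asset, threat, vulnerability, control). The CIA weights, the three-state transition matrix, the register entries and the formula `risk = asset × P(threat) × vulnerability × (1 − control effectiveness)` are all hypothetical choices for this example; the paper's own parameters and formulas are not given on this page.

```python
"""Illustrative four-tuple risk calculation: asset, threat, vulnerability, control.

Everything here is constructed for the example; the weights, transition matrix,
register and formula are hypothetical and are not taken from the paper above.
"""

# Hypothetical CIA weights standing in for the expert-consultation weighting
# parameters; they sum to 1 so the asset value stays on the score scale.
CIA_WEIGHTS = {"confidentiality": 0.5, "integrity": 0.3, "availability": 0.2}

# Hypothetical three-state threat chain for a dynamic system. Row i gives the
# probabilities of moving from state i to (normal, probing, attacking).
THREAT_STATES = ("normal", "probing", "attacking")
TRANSITIONS = [
    [0.90, 0.08, 0.02],  # from normal
    [0.50, 0.40, 0.10],  # from probing
    [0.60, 0.10, 0.30],  # from attacking
]


def asset_value(scores):
    """Weighted asset value from per-attribute scores (for example 1..5 each)."""
    missing = set(CIA_WEIGHTS) - set(scores)
    if missing:
        raise ValueError(f"missing attribute scores: {sorted(missing)}")
    return sum(CIA_WEIGHTS[k] * scores[k] for k in CIA_WEIGHTS)


def markov_distribution(transitions, start, steps):
    """State distribution after `steps` transitions, starting in state index `start`."""
    n = len(transitions)
    for row in transitions:
        if len(row) != n or abs(sum(row) - 1.0) > 1e-9:
            raise ValueError("each row must have n entries summing to 1")
    dist = [0.0] * n
    dist[start] = 1.0
    for _ in range(steps):  # dist <- dist * P
        dist = [sum(dist[i] * transitions[i][j] for i in range(n)) for j in range(n)]
    return dist


def threat_probability(transitions, start, target, steps):
    """Probability that the system is in state `target` after `steps` transitions."""
    return markov_distribution(transitions, start, steps)[target]


def stationary_threat_probability(transitions, target, iterations=500):
    """Long-run probability of `target`, by power iteration from state 0."""
    return markov_distribution(transitions, 0, iterations)[target]


def risk(asset, threat_prob, vulnerability, control=0.0):
    """Four-tuple risk. With control=0 this collapses to the classic triple."""
    bounded = (("threat_prob", threat_prob), ("vulnerability", vulnerability), ("control", control))
    for name, v in bounded:
        if not 0.0 <= v <= 1.0:
            raise ValueError(f"{name} must be in [0, 1]")
    return asset * threat_prob * vulnerability * (1.0 - control)


def assess(register, steps=2, use_controls=True):
    """Score each register entry and return (name, risk) sorted highest first.

    use_controls=False reproduces the triple-based ranking for comparison.
    """
    start = THREAT_STATES.index("normal")
    target = THREAT_STATES.index("attacking")
    p = threat_probability(TRANSITIONS, start, target, steps)
    results = []
    for entry in register:
        control = entry["control"] if use_controls else 0.0
        r = risk(asset_value(entry["cia"]), p, entry["vulnerability"], control)
        results.append((entry["name"], r))
    return sorted(results, key=lambda x: x[1], reverse=True)


# Constructed sample register (not real systems): a well-protected database and
# a weakly protected public web server.
SAMPLE_REGISTER = [
    {"name": "customer-db", "cia": {"confidentiality": 5, "integrity": 5, "availability": 4},
     "vulnerability": 0.8, "control": 0.5},
    {"name": "public-web", "cia": {"confidentiality": 2, "integrity": 3, "availability": 5},
     "vulnerability": 0.9, "control": 0.2},
]

if __name__ == "__main__":
    for label, flag in (("triple (no controls)", False), ("quadruple (with controls)", True)):
        print(label)
        for name, r in assess(SAMPLE_REGISTER, use_controls=flag):
            print(f"  {name:12s} risk={r:.5f}")
```

With the constructed register the triple ranks the customer database first; once the effectiveness of its existing controls enters as the fourth element, the weakly protected web server comes out on top, which is the practical point of adding the fourth tuple element.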

3.
Information Security Risk Assessment
Information security is a dynamic and complex process; ensuring information security and establishing an information security management system has become a primary task for every sector of society. Risk assessment must rely on assessment tools to carry out the work of protecting information, and thereby establish an information security management system.

4.
Computer Fraud & Security, 2002(12):11-13
Undertaking a complete risk assessment of the information held within an organization is not trivial, particularly if compliance with a standard such as ISO 17799 is sought. For some companies, particularly in the small-to-medium enterprise (SME) range, there may be no appropriately skilled employees, and the cost of hiring a consultant may be seen as prohibitive. Yet the risks to which these companies are exposed are just as real and potentially destructive as those faced by larger organizations. This dilemma can be solved by applying an off-the-shelf, cost-effective product that enables anyone, irrespective of their security knowledge, to identify and address risks and vulnerabilities.

5.
Probabilistic risk assessment (PRA) is an effective approach to quantitatively evaluating the risk of complex systems. This paper discusses the characteristics, implementation steps and open problems of PRA, introduces the structure and functions of a probabilistic risk assessment system, and looks ahead to further work.

6.
On Methods for Assessing Network Security Risk
By analysing the concept of network system risk and the principles for building an evaluation system, this paper discusses the risk assessment process and offers suggestions on several issues that deserve attention, with the aim of giving network administrators effective technical support for formulating security policies.

7.
Threads as contained in a thread algebra are used for the modeling of sequential program behavior. A thread that may use a counter to control its execution is called a 'one-counter thread'. In this paper the decidability of risk assessment (a certain form of action forecasting) for one-counter threads is proved. This relates to Cohen's impossibility result on virus detection (Comput. Secur. 6(1), 22–35, 1984). Our decidability result follows from a general property of the traces of one-counter threads: if a state is reachable from some initial state, then it is also reachable along a path in which all counter values stay below a fixed bound that depends only on the initial and final counter value. A further consequence is that the reachability of a state is decidable. These properties are based on a result for ω-one counter machines by Rosier and Yen (SIAM J. Comput. 16(5), 779–807, 1987).

8.
Introducing the concepts and methods of investigative research into each stage of risk assessment improves the practicability of the assessment process and the completeness and accuracy of its results, giving the sustained and stable development of risk assessment work a "shot in the arm". Drawing on the author's practical experience in risk assessment, this paper briefly discusses the various methods of investigative research and their application in the risk assessment process.

9.
A Survey of Information Security Risk Assessment Methods
This paper surveys the main information security risk assessment methods, explains why quantitative methods, represented by ALE-based approaches, have not gained wide adoption, introduces the risk assessment methods currently in general use worldwide and their problems, and points out development trends in risk assessment methods.

10.
Application of Risk Assessment in E-Government Systems
The special nature of e-government systems imposes strict security requirements, so the importance of identifying a system's security risks in order to forestall them is self-evident. Security risk assessment is the basis for risk mitigation and a key process of risk management. This paper proposes several elements for the risk assessment of e-government systems and the implementation steps for applying them, and illustrates how the assessment operates with a real e-government system as an example.

11.
A System Security Risk Assessment Database
This paper describes the overall design of a risk assessment database. It briefly introduces the application background, analyses the content of the data sources used for risk assessment in light of how the data are acquired, analyses the database structure, gives the relationships between the database tables, and introduces the design ideas behind the system's database management tool.

12.
Information Security Risk Assessment
Take the risks of informatisation seriously and further study how to solve the problem of information security risk assessment.

13.
Research on Information Security Risk Assessment
Starting from information system security, this paper introduces the significance and role of risk assessment and describes the information risk assessment process.

14.
Software is increasingly being used to control and monitor systems for which safety and reliability are critical. When comparing software designs for such systems, an evaluation of how each design can contribute to the risk of system failure is desirable. Unfortunately, the science of risk assessment of combined hardware and software systems is in its infancy. Risk assessment of combined hardware/software systems is often based on oversimplified assumptions about software behavior.

15.
This paper analyses enterprise information security requirements, describes the information security management standard BS 7799, analyses the relationships among the elements of its risk management, defines a basic risk assessment process, and on that basis constructs a risk analysis method suited to enterprises.

16.
Current mainstream information security risk assessment focuses on asset loss and neglects the impact on business. This paper proposes a business-oriented risk assessment model. Starting from business security requirements, the model introduces security attributes such as confidentiality, integrity and availability into the risk assessment process and quantifies risk by assessing the impact on business processes. The asset element of traditional risk assessment is treated as support for the business, and a hierarchical approach analyses asset risk, business-process risk and business risk in turn. Each risk element is generalised using attribute-oriented induction and clustering, and a Markov model describes the propagation of risk through business processes. Finally, the model is validated on the risk of an online banking transaction system. Theoretical analysis and experimental results show that the model converts traditional asset risk into business risk, measured along the three security attributes of confidentiality, integrity and availability, and thereby reflects business security requirements.

17.
Risk Assessment in Software Development and Its Practice
In the software development process, accurately identifying the risks present in a project, analysing them and taking effective preventive measures is one of the key factors in ensuring project success. Risk assessment is an important component of software development risk management and has become a common management method for software project development and control. This paper describes Boehm's classic theory of risk assessment, the SEI questionnaire-based risk assessment method, cost-estimation-based risk assessment, and other recent advances in the field, and finally offers the authors' views on the future direction of software development risk assessment methods.

18.
Calculating risk is relatively straightforward when there is reliable statistical evidence on which to base a judgment. However, novel technologies are often characterised by a lack of such historical data, which creates a problem for risk assessment. In fact, numerical risk assessments can be positively misleading in such situations. We describe a decision support system, StAR, that gives quantitative assessments where appropriate, but which is also able to provide qualitative risk assessments based on arguments for and against the presence of risk. The user is presented with a summary statement of risk, together with the arguments that underlie this assessment. Furthermore, the user is able to search beyond these top-level arguments in order to discover more about the available evidence. Here we suggest that this approach is well suited to the way in which people naturally make decisions, and we show how the StAR approach has been implemented in the domain of toxicological risk assessment.

19.
With the development of informatisation, dependence on information systems grows daily, and using risk-management ideas to identify security risks and solve information security problems has been widely recognised and applied. This paper first introduces the operating model of risk assessment work, points out the stages of the risk assessment implementation process, and briefly describes the main analysis methods used in information security risk assessment.

20.
The process of risk assessment for human-factor events is discussed from three aspects, the identification of human error, probability calculation and consequence quantification, and solutions are designed for these three key problems. For human error identification, a unified basic classification framework for human error is designed to serve as a template library for the identification process. For probability calculation, a new method is proposed that first calculates the overall probability of human error and then, combined with historical accident statistics, calculates the probability of each specific error mode. For consequence quantification, following the principle of qualitative first and then quantitative, a method for determining quantified consequence values is designed.

Copyright © Beijing Qinyun Technology Development Co., Ltd. 京ICP备09084417号