CN110839000B - Method and device for determining security level of network information system - Google Patents

Method and device for determining security level of network information system

Info

Publication number
CN110839000B
Authority
CN
China
Prior art keywords
vulnerability
risk
vulnerabilities
information system
determining
Legal status
Active
Application number
CN201810926854.0A
Other languages
Chinese (zh)
Other versions
CN110839000A (en)
Inventor
张治兵
倪平
周开波
Current Assignee
China Academy of Information and Communications Technology CAICT
Original Assignee
China Academy of Information and Communications Technology CAICT

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14Network analysis or design
    • H04L41/145Network analysis or design involving simulating, designing, planning or modelling of a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method and a device for determining the security level of a network information system. The method comprises the following steps: acquiring the risk grade of each risk point of a network information system; determining the vulnerability grades of M vulnerabilities of the network information system according to the risk grade of each risk point; determining, according to the M vulnerabilities and their vulnerability grades, the R vulnerabilities present in any particular network information system of this type and the vulnerability grade corresponding to each of the R vulnerabilities, where R is an integer not greater than M; and determining the security level of the network information system according to the R vulnerabilities so determined and their corresponding vulnerability grades. The method can evaluate the security level of the whole network information system based on risk and vulnerability.

Description

Method and device for determining security level of network information system
Technical Field
The invention relates to the technical field of network security and internet services, in particular to a method and a device for determining the security level of a network information system.
Background
Internet services cover a wide range and include the various services provided to users over the internet, such as internet access services (broadband, 4G/5G, etc.), cloud computing services (IaaS, PaaS, SaaS, etc.), social network services (microblogs, WeChat, etc.), e-commerce services (Taobao, JD.com, etc.), internet financial services, and the like.
A cloud computing service is a typical internet service. Cloud computing is a mode of accessing an extensible, flexible physical or virtual shared resource pool through a network, and obtaining and managing resources by self as needed. A cloud computing service is the ability to provide one or more resources via cloud computing using a defined interface.
Cloud computing services can be classified into public clouds, private clouds, and hybrid clouds according to the object of resource sharing. Public clouds generally refer to available clouds provided by third party providers for users, and are generally available via the Internet. Different users, referred to as tenants, share cloud computing resources. Private clouds are built for individual use by a user who owns the cloud computing infrastructure and can control the manner in which applications are deployed on that infrastructure. The private cloud can be deployed in a firewall of an enterprise data center, or can be deployed in a safe host hosting place, and the core attribute of the private cloud is a proprietary resource. The hybrid cloud integrates a public cloud and a private cloud, and a user generally stores data in the private cloud and uses computing resources of the public cloud.
The security evaluation of general network information systems currently practised in China comprises information system classified protection evaluation and information security risk assessment. The classified protection evaluation process comprises system grading, system filing, review, protection evaluation and similar steps. The main standards followed are:
(1) the classified criteria for security protection of computer information systems (GB 17859-);
(2) the implementation guide for classified protection of information system security (GB/T 25058-2010) (basic standard);
(3) the classification guide for classified protection of information system security (GB/T 22240-);
(4) the baseline requirements for classified protection of information system security (GB/T 22239-);
(5) the common security technical requirements for information systems (GB/T 20271-2006) (application class construction standard);
(6) the technical requirements for security design of information system classified protection (GB/T 25070-);
(7) the evaluation requirements for classified protection of information system security (GB/T 28448) (application class evaluation standard);
(8) the evaluation process guide for classified protection of information system security (GB/T 28449-2012) (application class evaluation standard);
(9) the information system security management requirements (GB/T 20269-2006) (application class management standard);
(10) the information system security engineering management requirements (GB/T 20282-2006) (application class management standard).
Information security risk assessment is the fundamental work and an important link of information security assurance, and runs through the whole process of network and information system construction and operation. The service provider provides a risk assessment service for the information system: it systematically analyzes the threats faced by the network and information system and the vulnerabilities those threats can exploit, assesses the degree of damage that would result once a security event occurs, proposes targeted protective countermeasures and security remediation measures for resisting the threats, prevents and eliminates information security risk or controls it to an acceptable level, and so provides a scientific basis for network and information security assurance. The main standard is GB/T 20984-2007, Information security technology - Risk assessment specification for information security.
The existing standard analyzes and evaluates the risk of the information system, and does not determine and quantify the security level of the information system.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for determining a security level of a network information system, which can evaluate the security level of the entire network information system based on risk and vulnerability.
In order to solve the technical problem, the technical scheme of the application is realized as follows:
a method for determining a security level of a network information system, the method comprising:
acquiring the risk level of each risk point of a network information system;
determining the vulnerability grades of M vulnerabilities of the network information system according to the risk grade of each risk point;
determining, according to the M vulnerabilities and their vulnerability grades, the R vulnerabilities present in any particular network information system of this type and the vulnerability grade corresponding to each of the R vulnerabilities, where R is an integer not greater than M;
and determining the security level of the network information system according to the determined R vulnerabilities and the corresponding vulnerability levels.
A security level determination apparatus of a network information system, the apparatus comprising: the device comprises an acquisition unit, a first determination unit, a second determination unit and a third determination unit;
the acquiring unit is used for acquiring the risk level of each risk point of the network information system;
the first determining unit is configured to determine, according to the risk level of each risk point, vulnerability levels of M vulnerabilities of the network information system of the type obtained by the obtaining unit;
the second determining unit is configured to determine, according to the M vulnerabilities and the vulnerability levels determined by the first determining unit, R vulnerabilities existing in any one of the network information systems of the type and vulnerability levels corresponding to the R vulnerabilities, where R is an integer not greater than M;
and the third determining unit is used for determining the security level of the network information system according to the R vulnerabilities determined by the second determining unit and the corresponding vulnerability levels.
According to the technical scheme, the existing process for determining the risk level is cited to reversely determine the vulnerability level of the vulnerability, and then the determined vulnerability level is used for further determining the security level of the network information system. The scheme can evaluate the security level of the whole network information system based on risk and vulnerability.
Drawings
Fig. 1 is a schematic flowchart of the security level determination for an information system in an embodiment of the present application;
Fig. 2 is a schematic structural diagram of an apparatus applying the above technology in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more clearly apparent, the technical solutions of the present invention are described in detail below with reference to the accompanying drawings and examples.
The embodiment of the application provides a security level determination method of a network information system, which reversely determines the vulnerability level of the vulnerability by citing the existing process of determining the risk level and further determines the security level of the network information system by using the determined vulnerability level. The scheme can evaluate the security level of the whole network information system based on risk and vulnerability.
The following describes in detail a security level determination process implemented in a network information system in an embodiment of the present application with reference to the accompanying drawings.
For convenience of description, the apparatus that determines the security level of the network information system is referred to as the device. The device may perform all the steps of Fig. 1 described below, or each step may be performed by a separate device; in this embodiment of the present application, a single device performing all the steps of Fig. 1 is taken as the example.
Referring to Fig. 1, Fig. 1 is a schematic flowchart of the security level determination for an information system in an embodiment of the present application. The method comprises the following specific steps:
step 101, the equipment obtains the risk level of each risk point of a network information system.
This step may be implemented by obtaining the risk grade of each risk point of this type of network information system as determined by any method in the prior art, or by reading the risk grade directly from a database in which it was stored after being determined in some manner. A brief account of how the risk grade of each risk point of one type of network information system is determined follows:
the information security risk assessment is to systematically analyze threats faced by an information system and the existing vulnerabilities of the threats from the perspective of risk management by applying scientific methods and means and assess the degree of possible damage once a security event occurs.
Risk assessment is developed around basic elements such as assets, threats, vulnerabilities and safety measures, and various attributes related to the basic elements such as business strategy, asset value, safety requirements, safety events, participation risks and the like need to be fully considered in the assessment process of the basic elements.
Three basic elements of assets, threats and vulnerabilities are involved in risk analysis. Each element has a respective attribute, and the attribute of the asset is an asset value; the attribute of the threat may be the threat subject, the influencing object, the frequency of occurrence, the motivation, etc.; the attribute of vulnerability is the severity of asset vulnerability.
The main contents of the risk analysis are:
a) identifying assets and assigning values to the value of the assets;
b) identifying the threat, describing the attribute of the threat, and assigning a value to the frequency of the threat;
c) identifying the vulnerability and assigning a value to the severity of the vulnerability of the specific asset;
d) judging the likelihood of a security event occurring according to the threat and the difficulty of the threat exploiting the vulnerability;
e) calculating the loss caused by a security event according to the severity of the vulnerability and the value of the asset the security event acts on;
f) calculating the impact of a security event on the organization once it occurs, namely the risk value, according to the likelihood of the security event occurring and the loss after it occurs.
Risk analysis is carried out on a network information system, and a model mapping risk to elements such as vulnerability and assets is established. One type of network information system may have several risk points, and the model established for each risk point may be written as R = E(A, V, T), where A represents asset value, V represents vulnerability severity, T represents threat level, E represents the risk analysis model, and R represents the risk grade of the risk point.
As for the risk grade fractions, etc., they can be determined according to the specific implementation adopted, and are not limited in the embodiments of the present application. Generally, a ranked class of network information system risk values may be formed based on current international and domestic standards, expert experience, and the like.
In a specific implementation, the relationship between the value of the risk grade and the risk itself may be either of the following:
the larger the value of the risk grade, the higher the system risk;
or, alternatively,
the larger the value of the risk grade, the lower the system risk.
The present application does not limit this. For instance, if an existing approach expresses the risk grade as high, medium or low, these may be quantified as 1, 2, 3 or as 3, 2, 1, according to the specific implementation of the present application.
Step 102, the device determines the vulnerability grades of the M vulnerabilities of the network information system according to the risk grade of each risk point.
In this step, the vulnerability grades of M vulnerabilities of the network information system are determined according to the determined risk grade of each risk point, and specifically include:
when any vulnerability corresponds to a risk point, determining the vulnerability grade of the vulnerability as the risk grade of the risk point;
when any vulnerability corresponds to a plurality of risk points, determining the vulnerability grade of the vulnerability as the risk grade of the risk point with the highest risk grade value in the plurality of risk points.
M is an integer greater than 0.
In the following, M is 3, and the total number of security levels configured by the system is 4.
The network information system is determined to have 3 corresponding vulnerabilities, namely V1, V2 and V3, and the system security levels are the first, second, third and fourth levels, with values 1, 2, 3 and 4 respectively. The greater the value of a vulnerability's grade, the greater the harm it does to the information system.
If V1 corresponds to one risk point, the vulnerability grade of V1 is the risk grade of that risk point; if that risk grade is the second level, the value of the vulnerability grade of V1 is 2.
If V2 corresponds to several risk points, the vulnerability grade of V2 is the risk grade of the risk point with the highest risk grade value among them; if that risk grade is the third level, the value of the vulnerability grade of V2 is 3.
If V3 corresponds to one risk point, the vulnerability grade of V3 is the risk grade of that risk point; if that risk grade is the third level, the value of the vulnerability grade of V3 is 3.
The embodiment of the application is applied to a scene that a network information system provides the same type of service, and in the scene, the threats faced by the service provider are consistent no matter who the service provider is, so that the threat degrees are consistent; since the vulnerability is the property of the asset itself, there is a functional relationship between the vulnerability and the asset, which can be transformed, i.e. the vulnerability can be used to represent the asset, so that it is a completely feasible solution to consider only the vulnerability when making the security level determination.
Thus the established risk model R = E(A, V, T) can be simplified to R = E(V(A), C(T)),
where T is a constant and may be written as C(T), and the vulnerability V, being a property of the asset itself, is a quantity related to A and is written as V(A).
Thus simplified, the level of each risk point is related only to the variable vulnerability, and it is therefore reasonable to use the risk level to determine the vulnerability level of the vulnerability.
Step 103, the device determines, according to the M vulnerabilities and their vulnerability grades, the R vulnerabilities present in any particular network information system of this type and the vulnerability grade corresponding to each of them, where R is an integer not greater than M.
In this step, determining the R vulnerabilities present in a particular network information system and their corresponding vulnerability grades according to the M vulnerabilities and their grades includes:
starting from the M vulnerabilities, filtering out those for which the information system already has a corresponding security measure in place, taking the R vulnerabilities that remain after filtering as the vulnerabilities of that information system, and taking the vulnerability grade of each of the R vulnerabilities from the grade determined for it among the M vulnerabilities.
That is, vulnerabilities for which a security measure exists in a given information system are filtered out, leaving only the vulnerabilities that apply to this type of information system and are not covered by a security measure.
For example, if M is 100, 80 of the 100 vulnerabilities are present in the network information system, and security measures exist for 30 of those, then 50 vulnerabilities remain in the network information system after filtering.
Step 104, the device determines the security level of the network information system according to the R vulnerabilities so determined and their corresponding vulnerability grades.
In this step, determining the security level of the network information system according to the determined R vulnerabilities and the corresponding vulnerability levels includes:
When the value N-i appears among the vulnerability grade values of the R vulnerabilities and no value larger than N-i appears, the value of the security level of the information system is determined to be i + 1, where N is the total number of security levels configured by the system and i is an integer from 0 to N-1. When R is 0, the security level of the system is the highest level: R equal to 0 shows that the network information system has no vulnerability, so its security is the highest.
Continuing the example of step 102, with M equal to 3 and R equal to 3, the vulnerability grade values of the three vulnerabilities are 2, 3 and 3.
In this step, with N equal to 4, the maximum value is 3 = N - i, which corresponds to i = 1, so the security level of the information system is determined to be i + 1, that is, 1 + 1 = 2.
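As an added illustration of steps 102 to 104 (example code, not part of the patent), the following Python runs the page's own figures through the procedure: the three-vulnerability grading of step 102, the 100/80/30 filtering count of step 103 and the N = 4 level computation of step 104. The function names and the risk-point data are constructed here, and the code assumes the page's first convention (a larger grade means more harm, a larger security level means a more secure system).

```python
"""Added worked example of steps 102-104 (illustrative code, not the patent's).

Function names and the sample risk-point data are constructed for this example.
Grade values follow the page's first convention: a larger vulnerability grade
means more harm, and a larger system security level means a more secure system.
"""
from typing import Dict, Iterable, Mapping


def vulnerability_levels(risk_points: Mapping[str, int],
                         vuln_to_risk_points: Mapping[str, Iterable[str]]) -> Dict[str, int]:
    """Step 102: grade each of the M catalogue vulnerabilities from the risk points.

    A vulnerability tied to one risk point takes that point's risk grade; one tied
    to several risk points takes the highest grade among them.
    """
    levels: Dict[str, int] = {}
    for vuln, points in vuln_to_risk_points.items():
        points = list(points)
        if not points:
            raise ValueError(f"{vuln} is not mapped to any risk point")
        levels[vuln] = max(risk_points[p] for p in points)
    return levels


def filter_mitigated(catalogue_levels: Mapping[str, int],
                     present: Iterable[str],
                     mitigated: Iterable[str]) -> Dict[str, int]:
    """Step 103: keep the R vulnerabilities that exist in this system and have no
    security measure in place; each keeps the grade assigned to it at step 102."""
    mitigated_set = set(mitigated)
    return {v: catalogue_levels[v] for v in present
            if v in catalogue_levels and v not in mitigated_set}


def security_level(remaining_levels: Mapping[str, int], n_levels: int) -> int:
    """Step 104: with N configured levels, if the highest remaining vulnerability
    grade is N - i (and nothing higher exists), the system level is i + 1.
    R == 0 (no remaining vulnerabilities) yields the highest level N."""
    if not remaining_levels:
        return n_levels
    worst = max(remaining_levels.values())
    if not 1 <= worst <= n_levels:
        raise ValueError(f"grade {worst} outside 1..{n_levels}")
    i = n_levels - worst
    return i + 1


def page_example() -> Dict[str, object]:
    """Run the page's own figures: V1 -> 2, V2 -> 3, V3 -> 3 with N = 4 gives level 2,
    and a 100-entry catalogue with 80 present and 30 mitigated leaves 50."""
    # Constructed risk points; the page only states the resulting grades.
    risk_points = {"P1": 2, "P2": 1, "P3": 3, "P4": 3}
    mapping = {"V1": ["P1"], "V2": ["P2", "P3"], "V3": ["P4"]}
    graded = vulnerability_levels(risk_points, mapping)
    # All three are present and none is mitigated, so R == M == 3.
    remaining = filter_mitigated(graded, mapping.keys(), [])
    level = security_level(remaining, n_levels=4)

    # Step 103 counting example: M = 100, 80 present, 30 of those mitigated.
    catalogue = {f"V{k:03d}": 1 + k % 4 for k in range(1, 101)}
    present = [f"V{k:03d}" for k in range(1, 81)]
    mitigated = [f"V{k:03d}" for k in range(1, 31)]
    remaining_count = len(filter_mitigated(catalogue, present, mitigated))

    return {"grades": graded, "level": level, "remaining_count": remaining_count,
            "level_when_clean": security_level({}, 4)}


if __name__ == "__main__":
    print(page_example())
```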
In the embodiment of the application, when a larger risk grade value means a higher system risk, a larger system vulnerability value means a higher system vulnerability, and a larger system security level value means higher system security;
when the risk level value is larger and the system risk is lower, the system vulnerability value is larger and the system vulnerability is lower; the larger the value of the system security level, the lower the system security.
Based on the same inventive concept, the embodiment of the application also provides a security level determination device of the network information system. Referring to fig. 2, fig. 2 is a schematic structural diagram of an apparatus applied to the above technology in the embodiment of the present application. The device includes: an acquisition unit 201, a first determination unit 202, a second determination unit 203, and a third determination unit 204;
an obtaining unit 201, configured to obtain a risk level of each risk point of a type of network information system;
a first determining unit 202, configured to determine, according to the risk level of each risk point, vulnerability levels of M vulnerabilities of the network information system of the type obtained by the obtaining unit 201;
a second determining unit 203, configured to determine, according to the M vulnerabilities and the vulnerability levels determined by the first determining unit 202, R vulnerabilities existing in any network information system in the class of network information systems, and vulnerability levels corresponding to the R vulnerabilities, respectively, where R is an integer not greater than M;
a third determining unit 204, configured to determine the security level of the network information system according to the R vulnerabilities determined by the second determining unit 203 and the corresponding vulnerability levels.
Preferably,
the first determining unit 202 is specifically configured to, when determining vulnerability levels of M vulnerabilities of the network information system according to the risk level of each risk point: when any vulnerability corresponds to a risk point, determining the vulnerability grade of the vulnerability as the risk grade of the risk point; when any vulnerability corresponds to a plurality of risk points, determining the vulnerability grade of the vulnerability as the risk grade of the risk point with the highest risk grade value in the plurality of risk points.
Preferably,
the third determining unit 204 is specifically configured to, when determining the security level of the network information system according to the determined R vulnerabilities and the corresponding vulnerability levels: when N-i exists in the values of the vulnerability levels of the R vulnerabilities and a value larger than the N-i does not exist, determining that the value of the security level of the information system is i + 1; when R is 0, the security level of the system is the highest level; wherein, N is the total number of the security levels of the network information system configured by the system; i is an integer from 0 to N-1.
Preferably,
when the risk level value is larger and the system risk is higher, the system vulnerability value is larger and the system vulnerability is higher; the larger the value of the system security level is, the higher the system security is;
when the risk level value is larger and the system risk is lower, the system vulnerability value is larger and the system vulnerability is lower; the greater the value of the system security level, the lower the security.
Preferably,
the second determining unit 203 is specifically configured, when determining according to the M vulnerabilities and their vulnerability grades the R vulnerabilities present in any particular network information system of this type and their corresponding vulnerability grades, to: start from the M vulnerabilities, filter out those for which the information system already has a corresponding security measure in place, take the R vulnerabilities that remain after filtering as the vulnerabilities of that information system, and take the vulnerability grade of each of the R vulnerabilities from the grade determined for it among the M vulnerabilities.
The units of the above embodiments may be integrated into one body, or may be separately deployed; may be combined into one unit or further divided into a plurality of sub-units.
In summary, the present application reversely determines the vulnerability level of the vulnerability by referring to the existing process of determining the risk level, and then further determines the security level of the network information system using the determined vulnerability level. The scheme can evaluate the security level of the whole network information system based on risk and vulnerability.
The security of the whole internet service is evaluated from the perspective of risk rather than being restricted to specific technical requirements. The advantages are, first, that the method covers every aspect of the internet service and so takes the security of the whole system fully into account; and second, that it adapts to technological development: when new technology appears on the internet, its security requirements necessarily change, whereas the risk-based internet service security evaluation model adopted here is not affected by the new technology.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (8)

1. A method for determining a security level of a network information system, the method comprising:
acquiring the risk level of each risk point of a network information system;
determining the vulnerability grades of M vulnerabilities of the network information system according to the risk grade of each risk point;
determining, according to the M vulnerabilities and their vulnerability grades, the R vulnerabilities present in any particular network information system of this type and the vulnerability grade corresponding to each of the R vulnerabilities, where R is an integer not greater than M;
determining the security level of the network information system according to the determined R vulnerabilities and the corresponding vulnerability levels;
wherein, the determining the vulnerability grades of M vulnerabilities of the network information system according to the risk grade of each risk point comprises:
when any vulnerability corresponds to a risk point, determining the vulnerability grade of the vulnerability as the risk grade of the risk point;
when any vulnerability corresponds to a plurality of risk points, determining the vulnerability grade of the vulnerability as the risk grade of the risk point with the highest risk grade value in the plurality of risk points.
2. The method of claim 1, wherein determining the security level of the network information system based on the determined R vulnerabilities and corresponding vulnerability levels comprises:
when N-i exists in the values of the vulnerability levels of the R vulnerabilities and a value larger than the N-i does not exist, determining that the value of the security level of the information system is i + 1; wherein, N is the total number of the security levels of the network information system configured by the system; i is an integer from 0 to N-1;
when R is 0, the security level of the system is the highest level.
3. The method of claim 1,
when the risk level value is larger and the system risk is higher, the system vulnerability value is larger and the system vulnerability is higher; the larger the value of the system security level is, the higher the system security is;
when the risk level value is larger and the system risk is lower, the system vulnerability value is larger and the system vulnerability is lower; the larger the value of the system security level, the lower the system security.
4. The method according to any one of claims 1 to 3, wherein determining, according to the M vulnerabilities and their vulnerability grades, the R vulnerabilities present in any particular network information system of this type and the vulnerability grade corresponding to each of the R vulnerabilities comprises:
starting from the M vulnerabilities, filtering out those for which the information system already has a corresponding security measure in place, taking the R vulnerabilities that remain after filtering as the vulnerabilities of that information system, and taking the vulnerability grade of each of the R vulnerabilities from the grade determined for it among the M vulnerabilities.
5. An apparatus for determining a security level of a network information system, the apparatus comprising an acquisition unit, a first determining unit, a second determining unit and a third determining unit;
the acquisition unit is used for acquiring the risk level of each risk point of the network information system;
the first determining unit is configured to determine, according to the risk level of each risk point acquired by the acquisition unit, vulnerability levels of M vulnerabilities of the network information system of the type;
the second determining unit is configured to determine, according to the M vulnerabilities and the vulnerability levels determined by the first determining unit, R vulnerabilities existing in any one of the network information systems of the type and vulnerability levels corresponding to the R vulnerabilities, where R is an integer not greater than M;
the third determining unit is used for determining the security level of the network information system according to the R vulnerabilities determined by the second determining unit and the corresponding vulnerability levels;
wherein,
the first determining unit is specifically configured to, when determining vulnerability levels of M vulnerabilities of the network information system of the type according to the risk level of each risk point: when any vulnerability corresponds to a risk point, determining the vulnerability grade of the vulnerability as the risk grade of the risk point; when any vulnerability corresponds to a plurality of risk points, determining the vulnerability grade of the vulnerability as the risk grade of the risk point with the highest risk grade value in the plurality of risk points.
6. The apparatus of claim 5,
the third determining unit is specifically configured to, when determining the security level of the network information system according to the determined R vulnerabilities and the corresponding vulnerability levels: when the maximum value among the vulnerability levels of the R vulnerabilities is N-i (that is, the value N-i exists and no larger value exists), determine that the value of the security level of the information system is i + 1; when R is 0, determine the security level of the system as the highest level; where N is the total number of security levels configured for the network information system and i is an integer from 0 to N-1.
7. The apparatus of claim 5,
when a larger risk level value means higher system risk, a larger vulnerability level value means higher system vulnerability and a larger security level value means higher system security;
when a larger risk level value means lower system risk, a larger vulnerability level value means lower system vulnerability and a larger security level value means lower system security.
8. The apparatus according to any one of claims 5 to 7,
the second determining unit is specifically configured to, when determining R vulnerabilities existing in any one of the network information systems of the type and the vulnerability levels corresponding to the R vulnerabilities according to the M vulnerabilities and the vulnerability levels: start from the M vulnerabilities, filter out those for which the information system has a corresponding countermeasure, take the R vulnerabilities remaining after filtering as the vulnerabilities of the information system, and determine the vulnerability levels of the R vulnerabilities from the vulnerability levels already determined for the M vulnerabilities.
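The grading procedure of claims 1, 2 and 4 (and the equivalent apparatus claims 5, 6 and 8) is short enough to write out end to end. The following is an added worked example, not code from the patent or its assignee: it assumes the first polarity convention of claim 3 (a larger value means more risk, more vulnerability and more security respectively), so the highest security level is N, and the risk points, vulnerabilities and countermeasures in the sample data are constructed for illustration.

```python
"""Security-level grading as described in the claims (added illustration,
not the patent's own code). Assumes larger values mean higher risk /
vulnerability / security, the first convention of claim 3."""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class Vulnerability:
    """A vulnerability of the system class and the risk points it corresponds to."""
    name: str
    risk_points: Tuple[str, ...]


def vulnerability_levels(risk_levels: Dict[str, int],
                         vulnerabilities: Iterable[Vulnerability]) -> Dict[str, int]:
    """Claim 1: a vulnerability tied to one risk point takes that risk level;
    one tied to several risk points takes the highest of their risk levels."""
    levels: Dict[str, int] = {}
    for v in vulnerabilities:
        if not v.risk_points:
            raise ValueError(f"{v.name!r} corresponds to no risk point")
        levels[v.name] = max(risk_levels[rp] for rp in v.risk_points)
    return levels


def present_vulnerabilities(class_levels: Dict[str, int],
                            countered: Set[str]) -> Dict[str, int]:
    """Claim 4: drop the vulnerabilities for which this concrete system has a
    corresponding countermeasure; the R that remain keep their class-level grades."""
    return {name: lvl for name, lvl in class_levels.items() if name not in countered}


def security_level(present: Dict[str, int], n_levels: int) -> int:
    """Claim 2: with maximum vulnerability level N-i the security level is i+1;
    with R == 0 (nothing left after filtering) the system gets the highest level N."""
    if not present:
        return n_levels
    worst = max(present.values())
    if not 1 <= worst <= n_levels:
        raise ValueError(f"vulnerability level {worst} outside 1..{n_levels}")
    i = n_levels - worst
    return i + 1


# Constructed sample data: a class of systems graded on N = 4 levels.
N_LEVELS = 4
RISK_LEVELS = {"unauthorized_access": 4, "data_leak": 3, "service_outage": 2}
CLASS_VULNERABILITIES = (
    Vulnerability("default_admin_credentials", ("unauthorized_access",)),
    Vulnerability("unencrypted_backups", ("data_leak",)),
    Vulnerability("single_power_feed", ("service_outage",)),
    # maps to two risk points, so it takes the higher level (4)
    Vulnerability("unpatched_remote_service", ("unauthorized_access", "service_outage")),
)


def assess(countered: Set[str]) -> int:
    """Grade one concrete system of the class given the vulnerabilities it has countered."""
    levels = vulnerability_levels(RISK_LEVELS, CLASS_VULNERABILITIES)
    present = present_vulnerabilities(levels, countered)
    return security_level(present, N_LEVELS)


if __name__ == "__main__":
    print("class vulnerability levels:",
          vulnerability_levels(RISK_LEVELS, CLASS_VULNERABILITIES))
    print("nothing countered        ->", assess(set()))
    print("access issues countered  ->",
          assess({"default_admin_credentials", "unpatched_remote_service"}))
    print("everything countered     ->",
          assess({v.name for v in CLASS_VULNERABILITIES}))
```

Note that the security level is driven only by the worst remaining vulnerability, not by how many remain: countering the two level-4 vulnerabilities lifts the sample system from level 1 to level 2, and a system with a single level-4 vulnerability grades the same as one with all four present.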
CN201810926854.0A 2018-08-15 2018-08-15 Method and device for determining security level of network information system Active CN110839000B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810926854.0A CN110839000B (en) 2018-08-15 2018-08-15 Method and device for determining security level of network information system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810926854.0A CN110839000B (en) 2018-08-15 2018-08-15 Method and device for determining security level of network information system

Publications (2)

Publication Number Publication Date
CN110839000A CN110839000A (en) 2020-02-25
CN110839000B true CN110839000B (en) 2022-02-08

Family

ID=69572930

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810926854.0A Active CN110839000B (en) 2018-08-15 2018-08-15 Method and device for determining security level of network information system

Country Status (1)

Country Link
CN (1) CN110839000B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113656122B (en) * 2021-07-28 2023-05-16 上海纽盾科技股份有限公司 Information screening method, device and system for equal-protection assessment
CN114866434B (en) * 2022-03-09 2023-05-02 上海纽盾科技股份有限公司 Network asset security assessment method and application

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101150432A (en) * 2007-08-24 2008-03-26 北京启明星辰信息技术有限公司 An information system risk evaluation method and system
CN101620653A (en) * 2008-07-04 2010-01-06 北京启明星辰信息技术股份有限公司 System and method for evaluating security risk based on asset weak point analysis
CN103023889A (en) * 2012-11-29 2013-04-03 武汉华中电力电网技术有限公司 Safety margin risk quantification method
CN103716177A (en) * 2013-11-18 2014-04-09 国家电网公司 Security risk assessment method and apparatus
CN103927631A (en) * 2014-04-30 2014-07-16 南方电网科学研究院有限责任公司 Safety integrated management platform based on electric system quality system, risk assessment and safety testing and evaluation
CN103996006A (en) * 2013-02-17 2014-08-20 中国移动通信集团山西有限公司 Information system security risk assessment method and device
EP3116190A1 (en) * 2015-07-07 2017-01-11 Accenture Global Services Limited Threat assessment level determination and remediation for a cloud-based multi-layer security architecture

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070067845A1 (en) * 2005-09-22 2007-03-22 Alcatel Application of cut-sets to network interdependency security risk assessment
US8353045B2 (en) * 2009-06-29 2013-01-08 Bugra Karabey Method and tool for information security assessment that integrates enterprise objectives with vulnerabilities

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Modeling Risk in Distributed Healthcare Information Systems; Ilias Maglogiannis; Proceedings of the 28th IEEE EMBS Annual International Conference; 20161215; full text *
Analysis of the structural characteristics of information security risk; Cheng Jianhua; Information Science; 20080315 (No. 03); full text *
Research on enterprise information security risk management systems; Shi Lei; North China Electric Power; 20130925 (No. 09); full text *

Also Published As

Publication number Publication date
CN110839000A (en) 2020-02-25

Similar Documents

Publication Publication Date Title
US9356961B1 (en) Privacy scoring for cloud services
US10262149B2 (en) Role access to information assets based on risk model
US10108803B2 (en) Automatic generation of data-centric attack graphs
CN107563203B (en) Integrated security policy and event management
EP2529321B1 (en) Url filtering based on user browser history
US9467466B2 (en) Certification of correct behavior of cloud services using shadow rank
CN112396521B (en) Method and system for reducing risk of intelligent contracts in blockchain
US9288219B2 (en) Data protection in a networked computing environment
US10223329B2 (en) Policy based data collection, processing, and negotiation for analytics
US10069842B1 (en) Secure resource access based on psychometrics
US10362052B2 (en) Generating a virtual database to test data security of a real database
CN105989275B (en) Method and system for certification
US11727142B2 (en) Identifying sensitive data risks in cloud-based enterprise deployments based on graph analytics
US10282461B2 (en) Structure-based entity analysis
DE112019001433T5 (en) DATA ANONYMIZATION
DE112020002552T5 (en) SYSTEM AND PROCEDURES FOR A SIEM RULE ORDER AND CONDITIONAL EXECUTION
CN110839000B (en) Method and device for determining security level of network information system
CN104320271B (en) A kind of network equipment safety evaluation method and device
Lahmar et al. Security-aware multi-cloud service composition by exploiting rough sets and fuzzy FCA
Zhou et al. Measuring web service security in the era of Internet of Things
US8931048B2 (en) Data system forensics system and method
US11228619B2 (en) Security threat management framework
CN111209403A (en) Data processing method, device, medium and electronic equipment
Habbal et al. Design and assessment of an experimental SDN-enabled private cloud using Openstack
Rajasingham et al. Efficient agent based trust threshold model for healthcare cloud applications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant