Abstract
The safe and stable operation of critical information infrastructure (CII) is crucial to national security, economic prosperity and people's well-being. In order to measure the protection level of China's CII effectively, and to provide objective measurement standards and working guidelines for the departments responsible for CII protection and for CII operators, it is necessary to design an evaluation indicator system for the level of critical information infrastructure protection (CIIP) suited to China. Based on the relevant policies, laws and regulations of China, this paper summarizes 12 categories of key requirements for CII protection and, starting from the effectiveness of security protection measures and the ability to control risk, proposes a four-level evaluation indicator system for CIIP. Pilot results in key industry sectors show that the indicator system and evaluation method are operable and applicable, can reflect the current state of CIIP in China, and provide a reference for CIIP work.