
Computer Engineering (计算机工程)

• Security Technology •

Risk Assessment Framework and Process of Complex Information System

BI Dongxu, LIN Jiajun

  1. (School of Information Science and Engineering, East China University of Science and Technology, Shanghai 200237, China)
  • Received: 2014-04-23 Online: 2015-04-15 Published: 2015-04-15
  • About the authors: BI Dongxu (born 1990), male, master's student; main research interest: information system risk assessment. LIN Jiajun (corresponding author), professor.

Abstract (translated from the Chinese): Complex Information Systems (CIS) are hard to handle in system risk management and risk assessment because of their structural complexity. To address this, a CIS risk assessment framework is proposed on the basis of the Zachman framework, and a CIS risk assessment process is established on the basis of GB/T 20984-2007, Information security technology: Risk assessment specification for information security. The CIS architecture is decomposed according to the risk management hierarchy and the principle of security domain division, and assessment methods within and between security domains are studied. A risk factor for the interconnection relations of a CIS is added to the traditional risk factors. Mutual information is introduced to characterize the degree of association of the interconnection relations, and the Analytic Hierarchy Process (AHP) is used to evaluate the risk weights. The CIS risk assessment process is validated on an example; the results show that the process gives an objective and accurate assessment of CIS risk.

Keywords (translated from the Chinese): Complex Information System, Enterprise Architecture, Zachman framework, risk assessment, risk factor, assessment process

Abstract: Risk management and risk assessment of Complex Information Systems (CIS) are difficult because of the complexity of their structure. Based on the Enterprise Architecture (EA) Zachman framework and the GB/T 20984-2007 information security risk assessment standard, this paper presents a CIS risk assessment framework and establishes a CIS risk assessment process. Following the risk management hierarchy and the principle of security domain division, it decomposes the CIS architecture and studies assessment within and between domains. In addition to the traditional risk factors, the paper adds an interconnection risk factor specific to CIS, introduces correlation to characterize interconnection, and applies the AHP method to the risk weights. The CIS risk assessment process is validated with examples; the results show that the process can make an objective and accurate assessment of CIS risk.
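As an added illustration (not code from the paper), the two quantitative pieces the abstract names: mutual information as the association degree between two interconnected security domains, and AHP pairwise comparison for the weights of the risk factors, including the added interconnection factor. The factor list, the comparison matrix and the per-period domain states are constructed values.

```python
import math
from collections import Counter

# Constructed risk factors: the three traditional ones plus the
# interconnection factor the paper adds for CIS.
RISK_FACTORS = ["asset", "threat", "vulnerability", "interconnection"]

# Constructed AHP pairwise comparison matrix on Saaty's 1-9 scale;
# entry [i][j] says how much more important factor i is than factor j.
PAIRWISE = [
    [1,   2,   2,   3],
    [1/2, 1,   1,   2],
    [1/2, 1,   1,   2],
    [1/3, 1/2, 1/2, 1],
]

# Saaty's random index by matrix order, used for the consistency ratio.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}

def ahp_weights(matrix, iterations=200):
    # Principal eigenvector by power iteration, normalised to sum to 1:
    # these are the AHP weights of the risk factors.
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(aw)
        w = [x / total for x in aw]
    return w

def consistency_ratio(matrix, weights):
    # CR = CI / RI; pairwise judgements are normally accepted when CR < 0.1.
    n = len(matrix)
    aw = [sum(matrix[i][j] * weights[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / weights[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0

def mutual_information(xs, ys):
    # I(X;Y) in bits for two equally long sequences of discrete states,
    # e.g. per-period alert levels seen in two interconnected domains.
    # 0 means the domains behave independently; larger means stronger association.
    n = len(xs)
    px, py, pxy = Counter(xs), Counter(ys), Counter(zip(xs, ys))
    return sum((c / n) * math.log2((c / n) / ((px[x] / n) * (py[y] / n)))
               for (x, y), c in pxy.items())

# Constructed per-period alert levels (0 normal, 1 elevated) for two domains.
DOMAIN_A = [0, 0, 1, 1, 0, 1, 0, 1]
DOMAIN_B = [0, 0, 1, 1, 0, 1, 1, 1]
```

`mutual_information(DOMAIN_A, DOMAIN_B)` is about 0.55 bits here, against 1 bit for identical sequences and 0 for independent ones, so dividing by the smaller of the two entropies gives an association degree in [0, 1] that can be scored as the interconnection factor.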

Key words: Complex Information System (CIS), Enterprise Architecture (EA), Zachman framework, risk assessment, risk factor, assessment process
