电力信息安全风险评估研究-工业工程专业论文.docx

摘要 随着电力自动化应用的迅速发展，电力企业越来越依赖于信息技术和服务。信息 的保密性、完整性和可用性成为企业信息安全保障的核心。企业的信息安全管理是一 个动态的复杂过程，它涉及到许多方面，贯穿于信息系统的整个生命周期。信息安全 管理的本质是风险管理，这是因为没有绝对的安全也没有彻底的风险，安全和风险密 不可分。所谓的安全信息系统，就是通过最优的风险管理策略，把信息系统上客观存 在的风险，逐步降低到一个可以接受的程度。而风险评估是风险管理的第一步工作， 是保障信息安全的重要手段，其作用被越来越多的人所认可。 信息安全风险评估实际上就是根据有关的信息安全测评标准，对信息资产存在的 脆弱性、面临的威胁以及脆弱性被威胁利用会产生的负面影响和危害事件发生的可能 性，进行科学评价的过程。对信息安全风险而言，脆弱性和威胁是原因，负面影响和 可能性是结果。 本文以有关信息安全的国际标准为理论基础，提出了以风险管理为核心理念的信 息安全风险评估模型，详细论述了以该模型为主导的风险评估方法，通过电力信息系 统评估后的风险值等级，对整个电力信息网进行了分区，对重点防护区提供了重点防 护设备投入，达到了少花钱获得高可靠性的效果。经 2006 年运行可见，这种防范投资 及措施达到了预期目标。目前企业通过实施信息安全的集成和加固项目，逐步建立起 了规范的信息安全管理体系。 关键词：信息，安全，风险，评估，模型 ABSTRACT With the rapid development of power automation applications, power enterprises are increasingly dependent on information technology and services. Information confidentiality, integrity and availability are of the most importance for enterprise information security. Enterprise information security management is a dynamic process, and it involves many aspects throughout the entire life cycle of the information systems. The essence of the information security management is the management of risk because security and risk can never be separated. There is neither absolute security nor absolute risk. The so-called security information system is to reduce the risk to a certain degree gradually through adopting the best policy of management of risk. Risk assessment is the first step in approaching risk management, and it is an important means for ensuring information secure too. Its function has been recognized widely. What information security risk assessment does is, according to relational evaluating standards, the procedure of evaluating the vulnerability and the threat of information asset, along with the negative impact and the likelihood of harmful things. For the risk of information security, the vulnerability and the threat would be the reason, while the impact and the possibility would be the result. Based on international standards about information security, a m