Generation method of embodiment for information safety evaluation

Abstract

The invention provides a generation method of an embodiment for information safety evaluation, which includes storing safety evaluation contents each evaluative criteria corresponds to; respectively forming evaluation use case templates of different industry types and business types; selecting a corresponding evaluation use case template according to the business type and the industry type of a project to be evaluated to construct an evaluation use case embodiment of the project to be evaluated; and selecting a test method according to the evaluation use case embodiment and a test object in the project to be evaluated to generate a test use case embodiment. Each evaluation use case template comprises safety evaluation contents corresponding to the evaluative criteria included by the industry types and the business types and the test methods the safety evaluation contents correspond to. The generation method is capable of simply, conveniently, flexibly, standardly, systematically generating the embodiment in the information safety evaluation field.

Description

technical field [0001] The invention relates to the field of information security, in particular to a method for generating implementation use cases for information security assessment. Background technique [0002] At present, the system security assessment in the field of information security is generally carried out in a manual manner based on the relevant national information security assessment standards in the actual operation process. Therefore, each evaluation project will have strong individual characteristics due to the differences of the implementers. As a result, under the same standard, the implementation use cases for the final evaluation will also be different, and the quality of the evaluation is difficult to guarantee. [0003] Existing computer-based evaluation systems usually provide a database that saves a large number of test cases, and call the corresponding test cases during actual evaluation; while in the evaluation of information security, the situat...

AI Technical Summary

Problems solved by technology

Therefore, each evaluation project will have strong individual characteristics due to the differences of the implementers. As a result, under the same standard, the implementation use cases for the final evaluation will also be different, and the quality of the evaluation is difficult to guarantee

[0003] Existing computer-based evaluation systems usually provide a database that saves a large number of test cases, and call the corresponding test cases during actual evaluation; while in the evaluation of information security, the situation is more complicated and changeable, evaluation standards, industry types, etc. , application scenarios, and various types of system objects, and the actual evaluation items composed of them are even more diverse; if you copy the organization idea of ​​the conventional test case database, design a set of system security evaluation items for different types of characteristics implementation use cases, then the number of implementation use cases in the final database will be very large, and it is still possible that it cannot cover all types of evaluation items; in addition, whenever new standards or new industry applications appear, relevant test cases need to be rewritten, The work is very complicated, error-prone, and the flexibility and scalability of the application are poor

Therefore, the existing computer-based evaluation system cannot be well applied in the field of information security.

Images