
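Analysis and Study on Risk Management for Federal Information System and Organization
Cite this article: LIANG Lu-lu (梁露露), HE Qiang (贺强), SONG Jing (宋璟), BAI Yun-bo (白云波), FANG Shuo (方硕). Analysis and Study on Risk Management for Federal Information System and Organization[J]. Communications Technology (通信技术), 2014(5):549-556.
Authors: LIANG Lu-lu (梁露露), HE Qiang (贺强), SONG Jing (宋璟), BAI Yun-bo (白云波), FANG Shuo (方硕)
Affiliation: China Information Technology Security Evaluation Center, Beijing 100085
Abstract: To protect the security and privacy of federal information systems, the Information Technology Laboratory of the U.S. National Institute of Standards and Technology has developed management, technical, and physical standards and guidelines. In particular, for its research on risk management it has published the Special Publication 800 series of reports, which form a complete information system risk management framework covering project planning, risk management, security awareness training, and other aspects, and which have become implementation standards and authoritative guidelines widely recognized by the U.S. and international security communities. Risk assessment is the core of the risk management process. Research on risk assessment in China is still at an early stage, and the related standards system remains incomplete. This paper studies the risk management framework for U.S. federal information systems and organizations and explains in some detail the principles and implementation steps of risk management for U.S. federal information systems, which is of great significance for promoting both the establishment of China's risk management standards system and the development of risk assessment work.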

Keywords: information system; risk management; risk assessment; National Institute of Standards and Technology

Analysis and Study on Risk Management for Federal Information System and Organization
LIANG Lu-lu, HE Qiang, SONG Jing, BAI Yun-bo, FANG Shuo. Analysis and Study on Risk Management for Federal Information System and Organization[J]. Communications Technology, 2014(5):549-556.
Authors: LIANG Lu-lu, HE Qiang, SONG Jing, BAI Yun-bo, FANG Shuo
Affiliation: China Information Technology Security Evaluation Center, Beijing 100085, China
Abstract: The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) develops administrative, technical, and physical standards and guidelines for the security and privacy of information in federal information systems. Especially in terms of risk management for federal information systems, NIST issues a series of Special Publication 800-series reports on ITL's research, including the plan of project implementation, risk management, security awareness training and so on. These publications, as the widely accepted standards and guidelines in the security industry, provide a systematic process for risk management. Risk assessment is the key task in the process of risk management. However, in China, the study of risk assessment is still in its initial stage and the standards on risk management are still insufficient. This paper makes a study of the risk management-related publications of NIST and gives a detailed overview of the process of risk management. This is very important and meaningful for promoting the establishment of a risk management standards system.
Keywords: information system; risk management; risk assessment; National Institute of Standards and Technology
This article has been indexed by CNKI, VIP (维普), and other databases.