关键词: 信息安全, 风险评估, 服务, 过程域, 基本实施, 公共特征, 通用实施, 能力成熟度模型

Abstract: Information security risk assessment service is one of the important links of information security assurance in China. The technology of information security risk assessment has been praised highly by the industry. At present, due to the influence of various factors, the level of information security risk assessment service capacity varies among regions and industries. Based on the SSE-CMM theory and the optimal practices of information security risk assessment services, this paper proposes the concept of risk assessment service capability maturity model, namely RAS-CMM. RAS-CMM proposes a theoretical evaluation framework for risk assessment service capability level based on resource allocation, technical process and project management.

Key words: information security, risk assessment, service, process areas, base practices, common function, generic practices, capability maturity