
A Designing And Implementation Of Risk Evaluation System Based On Transfer Of Information

Posted on: 2006-05-23
Degree: Master
Type: Thesis
Country: China
Candidate: J R Li
GTID: 2168360155465842
Subject: Communication and Information System

Abstract/Summary:
With advances in computer and communication network technology, information has rapidly become one of the decisive forces shaping human social development. However, as the sharing and exchange of information becomes more extensive and convenient, information also faces more dangers: theft, destruction, pollution, distortion and so on. At present, information security in every field, especially on the Internet, is a problem badly in need of a solution.

Information security has already become an important component of national security, so setting up an Information Security Guarantee System has become the primary task of information security construction at present. Information security involves many aspects, and Information Security Management is one of the key links. As an important part of Information Security Management, Risk Evaluation plays an important role at each stage of the construction of an Information Security Management System. Risk evaluation is carried out with a risk assessment tool. On the basis of a further investigation of international and domestic evaluation standards, models and evaluation methods, this dissertation specifically studies the implementation of Risk Evaluation based on transfer of information.

In this dissertation, we first examine the importance of, and the relationship between, the Information Security Guarantee System, Information Security Management and Risk Evaluation; then discuss the current situation and development trends of domestic security management; and then study some classical and commonly used criteria and models, for instance BS 7799, ISO 13335, GB 17859, P2DR and PDAMEE. We then elaborate on several questions in the design and implementation of a Risk Evaluation System based on transfer of information.

The assessment model and method that this dissertation draws on stem from the risk model and method based on transfer of information advanced in recent years by the Sichuan University Information Security Institute. It studies the valuation method and distribution rules of security risk in an information system from the source to the destination of communication, combines these with the protection grade to find the security needs, compares them for conformity with the protective measures in use, or to be used later, in the system, and obtains the risk value. It divides the resources into 9 risk domains from information source to information destination. According to each resource's value, it analyses the risks from such aspects as confidentiality, integrity and availability, formally describes the resources and risks with mathematical methods, and then applies the Analytic Hierarchy Process and fuzzy mathematics to value every risk. On this basis, we obtain the security needs and security measure needs of the system being assessed and compare them for conformity with the security measures used by the information system, to determine the overall security state of the information system and to offer a basis on which the information system can be designed or its security improved.

According to these research results, this dissertation implements a prototype system for risk assessment. Given the relevant parameters of an information system, this system can create and export several reports, such as a resource distribution report, a vulnerability distribution report, a risk distribution report and a risk evaluation report.
Keywords/Search Tags:Information security, transfer of information, resource distribution, risk evaluation, model, Fuzzy Comprehensive Evaluation (FCE).