
Research Of Risk Analysis And Risk Management In BCP

Posted on: 2006-09-30
Degree: Master
Type: Thesis
Country: China
Candidate: Y H Shi
GTID: 2168360155965843
Subject: Signal and Information Processing

Abstract/Summary:
With the development of information technology (IT), represented by computer and network technologies, governmental departments, financial institutions, enterprises, and business organizations increasingly depend upon information technology. IT has penetrated almost every organization. Such high dependence requires the information system to function securely.

However, both internal and external threats to the information system are rising together with the importance of the system. How can the possible threats be minimized beforehand and the damage limited afterwards? This issue is receiving more and more attention and has given rise to business continuity planning (BCP).

Based upon the analysis and quantification of risk and business impact, BCP works out emergency and recovery plans, measures, and procedures so as to reduce the damage that disasters cause to enterprises. It includes not only the recovery of the basic IT architecture, but also the recovery and continuation of key business operations, personnel, and vital resources. Briefly, BCP is a prevention and response mechanism for disastrous accidents: a series of plans and procedures that enable key elements to play their roles effectively and in time when accidents occur, and finally guarantee a stable and continuous service.

BCP is important in maintaining the continuous operation of an enterprise's business. However, establishing a highly effective BCP requires a complicated process, in which the analyses of risk and business impact are the key procedures. Only accurate analyses can lead to an accurate and effective BCP. This is the cornerstone of the dissertation.

This dissertation researches risk analysis and management in BCP, and provides a method of risk analysis and evaluation based on the information flow model.

Firstly, some cases are listed to show the significance and necessity of BCP. In these cases, enterprises without BCP suffered great losses.

Secondly, relevant knowledge and the main procedures of BCP are introduced. A flow chart of BCP is drawn, with a detailed description based on the preceding discussion.

The dissertation then turns to its focus, risk analysis and management. In analyzing, managing, and studying the information system's risks, four main aspects are covered: asset identification, vulnerability identification, threat identification and risk identification. The information flow model is applied in asset identification. For risk identification, the qualitative analysis adopts a risk-level matrix and provides a general grade description of the information system's risks; the quantitative analysis adopts multilevel fuzzy comprehensive risk evaluation and attains an accurate quantitative description.

The identified risks are then brought under control: risk control measures are chosen according to the enterprise's regulations, and a corresponding cost-effectiveness analysis is carried out.

Finally, risk evaluation software based on the information flow model is designed. Through risk identification and evaluation of the information system, a detailed and accurate understanding of the risk distribution is attained, so that appropriate protective measures can be applied to businesses when the BCP is made.
Keywords/Search Tags: BCP, risk analysis, risk management, information flow model, multilevel fuzzy comprehensive risk evaluation