
The Research And Application Of The Risk Assessment Technology

Posted on: 2005-04-01
Degree: Master
Type: Thesis
Country: China
Candidate: H Liu
Full Text: PDF
GTID: 2168360155972008
Subject: Computer Science and Technology
Abstract/Summary:
The highly dynamic nature of the IT environment creates a nearly infinite set of risks. How does management establish and track information system security when risks are real, risks are nearly infinite, the information environment is highly dynamic, and resources are finite? After all, none of us has unlimited resources. The scenario of unlimited and changing threats and limited resources makes it impossible to avoid all risks. Rather, each organization must take an approach that lets it prioritize risks and enables it to make well-reasoned decisions for the application of information security resources. Security risk assessment technology is adopted to analyze the system threats, identify the risks, and put forward security countermeasures to improve the assessed information system.

As risk assessment is an important component of information system risk management, it has been studied in these areas:

1. The current results of research in risk assessment. Areas such as risk assessment criteria, methods and tools, both domestic and international, have been studied.
2. The author has been engaged in research on the OCTAVE approach, and applies quantitative risk analysis to it to obtain more detailed and helpful assessment results. Applications of the improved risk assessment method show the satisfaction of the assessment analysts and validate the significance of the improvement.
3. This paper introduces the design and implementation of the OCTAVE Risk Assessment System (ORAS), based on the method proposed in Chapter 3. The assistance system can help an organization's managers evaluate the information system and gives reasonable and efficient improvement advice on risk management.
4. Furthermore, this paper gives a comprehensive introduction to the Common Criteria for IT security evaluation (ISO/IEC 15408) and its assistant evaluation tool, CC Toolbox. The workflow and operating details of CC Toolbox are presented. Finally, some improvements to the CC Toolbox are provided.
Keywords/Search Tags: Information Security, Risk Assessment, OCTAVE Approach, Multiple Objective Decision Making, CC Toolbox