Research Of The Methodology Of Layered Information Security Risk Assessment Based On Business Flows

Posted on: 2006-05-22
Degree: Master
Type: Thesis
Country: China
Candidate: J Yang
Full Text: PDF
GTID: 2168360155972250
Subject: Control theory and engineering
Abstract/Summary:
Information security management in an information system (IS) is a dynamic, cyclical and changing process, and information security risk assessment (ISRA) is the most important starting point of that process. ISRA in an information system includes both a management part and a technical part; however, past approaches to ISRA have always had the defect that the two parts were not properly integrated. To resolve this problem, this paper creates an independent and integrated methodology of ISRA, the Methodology of Layered Information Security Risk Assessment Based on Business Flows. By layer decomposition, a layered system characteristic descriptive model (LSCDM) is constructed, in which the various kinds of components of the IS (organization and management, application systems, infrastructure, etc.) are described. Risk analysis based on both the actual business flows and the LSCDM is combined with an assessment of information value to realize the whole work of ISRA. The LSCDM is the most critical point in properly combining the management part and the technical part: it brings the management of the IS into the risk assessment process, and it analyzes the risk to information in the IS technically. Thus a proper combination and quantification of management and technology is eventually realized, which greatly advances the development of ISRA in our country. An ISRA tool based on the above methodology provides a reference database of control policies constructed from ISO/IEC 17799. The reference database is very easy to extend and may include many more information security standards. The tool constructed in this paper improves both the efficiency of the various kinds of assessment work and the credibility and comparability of their results.
Keywords/Search Tags: Information Security, Information System, Information Security Risk Assessment, Analysis of Information Security Risk