A Research On Information Security Risk Evaluation Framework Of Enterprise

Posted on: 2007-11-12
Degree: Master
Type: Thesis
Country: China
Candidate: Q X Liao
GTID: 2178360182474115
Subject: Information management and information systems

Abstract/Summary:
The development of modern information technology has led us into the information age. The accuracy, high efficiency and interconnection of information systems make them indispensable for an enterprise to survive and develop. As a result, the information security risk caused by the application of IT has become a focus that the enterprise has to address.

At present, the enterprise information security situation is still severe. The enterprise has to establish an information security risk management mechanism to evaluate each kind of risk by scientific methods. However, domestic research often concentrates on the quantification of risk rather than on the risk evaluation process. The enterprise needs a complete and easy-to-operate risk evaluation framework to refer to when it carries out an information security risk evaluation project.

Enterprise information security risk management is a dynamic, periodic process that is based on risk evaluation. Because the goal of risk evaluation is to lead to risk management, it is extremely important to assess the information security solutions developed in the evaluation.

Based on a summary of IS risk evaluation theory and the experience of IS risk evaluation practice, we propose an enterprise information security risk evaluation implementation framework (EISREF), which is composed of four phases: risk evaluation planning, risk information collection, risk analysis, and development of information security solutions. In the fourth phase, an RROSI method is presented to quantify the information security solutions, which helps the enterprise optimize the cost/efficiency of its security solutions.

Finally, we carry out a preliminary application of EISREF in the information security risk evaluation project of the domestic W iron and steel company.
Keywords/Search Tags:Information Security, Risk Evaluation, Risk Identification, ROI