
Research Of Information Security Risk Assessment Module Based On Modularization

Posted on: 2008-05-04
Degree: Master
Type: Thesis
Country: China
Candidate: Y Q Zhang
GTID: 2178360215991213
Subject: Pattern Recognition and Intelligent Systems
Abstract/Summary:
Information security has become an important component of national security. To ensure information security, the most important task of security construction is to build an information security guarantee system. The guarantee system involves many aspects, among which information security management is one of the key links. As an important part of information security management, risk assessment plays an important role in each stage of building the information security administration. As the study of risk assessment has deepened, various assessment methods have appeared. Because of the complexity of an information system's composition and logical relations, the existing methods all have different limitations. Risk assessment is a comprehensive assessment process, and establishing a simple and effective assessment model is the foundation for completing a risk assessment smoothly. Based on a deep study of national and international assessment standards, models and methods, this thesis proposes a Modularization based Risk Assessment Model. Through a risk assessment example for a typical network system, it introduces the algorithm realization process and the ease of operation of the Modularization based Risk Assessment Model.

Firstly, the thesis discusses the interrelation of information security guarantee, information security management and risk assessment, and the significance of risk assessment in information security guarantee. It introduces the international and national situation and the development trend of security management and risk assessment, emphasizes the disparity between our country and the developed countries in the risk assessment domain, and sets out the practical significance of researching this topic. It then studies the classical standards and models, such as BS 7799, ISO 13335, GB 17859, P2DR and PDAMEE. With reference to the international standards and classical models, the Modularization based Risk Assessment Model links risk assessment with the modularization method, which has now been applied successfully in many professions. A feasibility analysis then establishes that applying the modularization method to risk assessment is feasible and reasonable.

Secondly, the information system is broken up into seven modules: the manage module, core module, distribution layer module, server module, margin distribution module, Internet module and outer circumstance module. Their content and interrelation are introduced in detail. Then, with reference to the ISO 17799 standard, a modularization-based risk assessment process is derived. According to the system's security requirements, the process carries out a qualitative analysis of the confidentiality, integrity and availability of assets, divides the system into modules by a clustering method, and determines the standard modules according to the attributes of each module's central entities. It then analyzes the threats and vulnerabilities of each module and, with reference to the available safeguards and the algorithm, obtains the risk grade of the modules and of the system. These results provide a basis for risk management.

Finally, in applying the Modularization based Risk Assessment Model, common databases were built, such as the module database, the assets database, the threat database and the vulnerability database, providing an effective method for the simulation design of security mechanisms and for the periodic risk assessment of complex information systems.
Keywords/Search Tags:Information Security, Risk Assessment, Modularization, Model