Research On The Risk Control Framework Of Information System Based On IT Governance

Posted on: 2013-04-20
Degree: Master
Type: Thesis
Country: China
Candidate: X H Yu
Full Text: PDF
GTID: 2248330371972844
Subject: Computer application technology
Abstract/Summary:
In recent years, with the development of technology, information systems have been widely applied in various organizations. In the process of enterprise informatization, the application of information systems has brought enterprises more benefits, but the number of security incidents has increased at the same time. How to control information risk effectively has become a serious problem in the process of enterprise informatization.

One of the aims of IT governance is to increase the value of information systems in order to achieve business objectives by balancing the risk between information technology and information processes. This makes IT governance a very important task in the informatization process. As a very important part of the IT governance process, research on the risk control of information systems has also been taken seriously by a growing number of business leaders. Risk control of information systems based on IT governance can not only reduce damage to enterprise information assets so that enterprise informatization is implemented successfully, but also make effective use of IT resources to achieve corporate strategic objectives.

Firstly, this paper analyzed the risks of information systems and consulted the popular risk management frameworks and IT governance standards. On the basis of a comparative analysis of the characteristics of COSO's ERM and COBIT, which are internationally popular IT governance standards, the paper combined the control theory of ERMF with the process areas of COBIT and introduced system audit into the risk control process. The result was ITG-HRCM, a risk control framework for information systems that is directed by the strategic objectives of the corporation and references the ERMF and COBIT frameworks.

Subsequently, based on ITG-HRCM and combined with the general risk management process (PDCA), the risk control process (HRCM-PDCA) was divided into three levels: strategic objectives, risk assessment and audit control, in connection with the risk features of domestic enterprises. For risk analysis and risk quantification in the HRCM-PDCA process, this paper discussed the statistical method used in risk assessment. Finally, the research was verified on a specific information system, and a good result was obtained when the risk control framework for information systems, with its risk analysis and risk quantification method, was applied to risk control.
Keywords/Search Tags: IT governance, risk control of information system, Statistical Learning