
The Grading Method Of Information System Security Based On Risk Analysis

Posted on: 2013-01-12
Degree: Master
Type: Thesis
Country: China
Candidate: X X Cai
Full Text: PDF
GTID: 2248330377955276
Subject: Computer technology

Abstract/Summary:
With the rapid development of the national economy and society, information network resources have become the most active factor in our lives. However, the security of information systems faces a serious threat because of inherent flaws in information network systems, and it has become an important aspect of IT for the whole community. For this reason, graded security protection of information systems has been established in our country, and it has become the basic system of national information security. Grading protection is divided into grading, implementation, grading evaluation and operation. In the process of grading protection, the classification of information systems is particularly important: it is the basis for developing grading protection and the key to the follow-up work. In actual implementation, however, the grading of information system security is subjective and not detailed, and may not accurately reflect the actual situation of the information system. Therefore, to solve these problems, the grading process needs to be carried out in more detail.

Firstly, the paper gives a brief introduction to domestic and international information security standards. Then it elaborates on the division of security classification in the information system, the computational steps and the framework, in accordance with the specific requirements of grading protection. Subsequently, according to the requirements of comprehensive evaluation of information system security and of information system security grading based on risk analysis, a prototype grading system based on risk analysis is designed and implemented.

The functional modules of the prototype system use asset identification, threat identification and vulnerability identification to obtain the risk value. The system then uses the AHP (Analytic Hierarchy Process) method to build a hierarchical model of risk relative to the degree of the infringement on the object. It combines the object and the risk value to obtain the security level of each subsystem's operation and service, then the security level of the subsystem, and finally the security grade of the information system.

Finally, the paper presents a case study that uses the grading prototype system to assign a security rating to an E-government information system. The example demonstrates the functionality and workflow of the grading prototype system.
Keywords/Search Tags: Classification Protection, Risk Analysis, Analytic Hierarchy Process, Hierarchical Model, Grading