
Information Security Risk Assessment Method Based On Business Process Research

Posted on: 2013-02-23
Degree: Master
Type: Thesis
Country: China
Candidate: H Chen
Full Text: PDF
GTID: 2248330377957010
Subject: Business management

Abstract/Summary:
Information security risk assessment is a key link in the life of an organization's information system: it concerns the confidentiality, availability and integrity of the organization's information assets. Accurate identification of information assets is the basis on which the organization's information systems are established and, at the same time, the focus of information security risk assessment. An effective and practical risk assessment method therefore determines whether the organization's information security risk management in the next stage meets a reasonable standard, and it is also an important basis for implementing sound risk control measures. The most popular information security risk assessment methods in academic circles are qualitative methods, quantitative methods, and methods that combine the two. Qualitative methods rely on experts with many years of experience of information systems, who draw a general risk profile from that experience. This costs little in economic and human terms during implementation, but the assessment results are too broad and vague and the implementation is not very accurate, which is likely to cause the risk controls that are implemented to deviate from the range of effective control.

To overcome the limitations of qualitative methods, later researchers applied quantitative methods to information security risk assessment and achieved a great deal, but big problems remain: the quantitative data may be difficult to obtain, or obtaining it consumes enormous human and material resources, which creates a huge obstacle for the next phase of the assessment. Therefore, methods that combine qualitative and quantitative evaluation have attracted widespread attention and are now the most popular; among them, the AHP (analytic hierarchy process) is the best. However, to date, research applying AHP to information security risk assessment has focused mainly on the overall risk of the information system: the risk assessment indicators are set up qualitatively, a quantitative method produces an overall risk value for the system, and the risk level is determined by the range into which that value falls. This approach cannot accurately determine the risk of each class of information asset (information assets include software, hardware, personnel, data and services). Because information assets are the main constituent elements of the system, if the risk of the assets at each level is not identified in detail and only the system's overall risk is used as the basis for control, the specific information security control policies cannot be determined accurately. In fact, the risks that information assets give rise to are varied; if the control measures are chosen on the basis of past overall risk assessment results, the purpose of risk reduction may be achieved, but the control process is usually not clear about which specific asset-borne risks it controls, which is not conducive to protecting information assets according to their own risk characteristics.

Starting from these considerations, this paper proposes an information security risk assessment method based on business processes: it identifies information assets through the business processes, determines the importance of the information assets, uses that importance to set the priority order of the asset risk assessment, then identifies the types of risk present in the information assets and business processes, and ultimately determines the specific size of the risk of each information asset. The main research work and innovations are as follows:

1. This paper defines the relationship between the five asset categories used for classification analysis in GB/T 20984-2007. We conclude that data and services are the core assets that need protection, and that hardware and software support data and services. Today, each of the organization's business processes is carried out with the support of the information system. The information system's assets comprise the five categories, but within business processes these five categories are not independent of one another. In a business process, data is the object being processed, while hardware and software are the carriers of data; most importantly, the processed data is what the organization needs in order to make decisions or engage in business activities, so data is a core information asset that needs protection. In addition, hardware, software and staff are organized to support internal and external office services, and those services in turn support the organization's normal business activities, so services are the organization's core assets.

2. This paper analyzes, in terms of the business processes supported by the organization's information assets, the mobility of the location of information assets, classifying them as fixed-location assets and assets whose position changes, so as to identify information assets effectively.

3. This paper insists on identifying information assets and determining their importance within business processes. Within a business process we rely on the impact indicators of the information assets to decide whether an asset is important, with the aim of creating an importance file for the information assets. The risk assessment of the information assets in the process is then prioritized according to their differing importance. At the same time, a process risk model is introduced: the types of risk to the information assets are identified from the business processes, a hierarchical risk evaluation of the information assets is built, and the AHP method is used to determine the size of each type of asset risk and to create a risk management file for the information assets.
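Added example (not the thesis's own code or data) of the AHP step in point 3: constructed Saaty-scale pairwise judgements over the five GB/T 20984-2007 asset categories, the weight vector obtained by power iteration, and Saaty's consistency ratio, which rejects judgement sets that contradict themselves before their weights are used to rank asset risks.

```python
# Saaty's random consistency index (RI) by matrix order, 1..9
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

# The five asset categories of GB/T 20984-2007
ASSETS = ["data", "service", "hardware", "software", "personnel"]

# Constructed judgements (not the thesis's data): PAIRWISE[i][j] is the importance
# of asset i relative to asset j on the 1-9 scale; the lower triangle holds reciprocals.
PAIRWISE = [
    [1,   2,   5, 4, 3],
    [1/2, 1,   4, 3, 2],
    [1/5, 1/4, 1, 1, 1/2],
    [1/4, 1/3, 1, 1, 1/2],
    [1/3, 1/2, 2, 2, 1],
]


def ahp_weights(matrix, tol=1e-10, max_iter=1000):
    """Principal eigenvector (normalised to sum 1) and lambda_max, by power iteration."""
    n = len(matrix)
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(max_iter):
        v = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(v)              # sum(w) == 1, so sum(A w) estimates lambda_max
        new_w = [x / lam for x in v]
        if max(abs(a - b) for a, b in zip(new_w, w)) < tol:
            return new_w, lam
        w = new_w
    return w, lam


def consistency_ratio(matrix):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR >= 0.1 means unusable judgements."""
    n = len(matrix)
    if n < 3:
        return 0.0                # 1x1 and 2x2 reciprocal matrices are always consistent
    return (ahp_weights(matrix)[1] - n) / (n - 1) / RANDOM_INDEX[n]


def rank_assets(matrix=PAIRWISE, names=ASSETS):
    """Asset categories ordered by AHP weight, highest first; rejects inconsistent input."""
    cr = consistency_ratio(matrix)
    if cr >= 0.1:
        raise ValueError(f"judgements inconsistent (CR={cr:.2f}); revise the matrix")
    weights, _ = ahp_weights(matrix)
    return sorted(zip(names, weights), key=lambda p: p[1], reverse=True)
```

The same functions apply unchanged to the lower-level comparison matrices (risk types per asset) that the hierarchical evaluation in point 3 requires.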
Keywords/Search Tags: business process, information security risk assessment, location of fixed assets, position changes in assets, AHP