
A Study On Information Security Risk Assessment Based On Configuration Management And User Self-service

Posted on: 2014-02-09
Degree: Master
Type: Thesis
Country: China
Candidate: X L Xu
Full Text: PDF
GTID: 2308330452956244
Subject: Business Administration
Abstract/Summary:
Facing increasingly complex information security risks and environments, this paper studies information security risk assessment methodology and aims to develop an information security risk assessment approach that is feasible and accurate for general corporate information security risk assessment.

This article first introduces previous studies of information security risk assessment and selects the standards most suitable for enterprise information security risk assessment, GB/T 22080 and GB/T 20984. The GB/T 20984 method is applied and, in combination with analysis of real examples, the shortcomings of the traditional methods are shown: for example, it is difficult to make an objective quantitative analysis, the risk value calculation process has weaknesses, and the evaluation results are open to subjective manipulation. The analysis finds that the main cause of these consequences is that the GB/T 20984 method does not effectively establish logical relationships, and that it is difficult to measure the user's risk.

To improve this risk assessment methodology, the study introduces the ITIL configuration management concept, which requires that all assets and the relationships between them be sorted out and entered into a database. Drawing also on the ideas of fault tree analysis, CORAS and other methods, it devises an information asset model based on a configuration management database (CMDB), supported by a risk transfer algorithm. First, all asset and relationship information is entered into the database; then, based on the correlations between assets, the calculated risk of an asset is passed on to the underlying assets, making it possible to analyze all of the risks to the organization. Because this leaves less room for human intervention, the results are more accurate.

For user behavior, which is the hardest element to measure in information security risk assessment, the study borrows the concept of user self-service: a questionnaire survey is used to obtain users' threat and vulnerability values, and regular information security audits are used to further adjust these threat and vulnerability attribute values so that they come closer to the real values. The final result is an information security risk assessment method that is suitable for general enterprises, convenient and practical, and also more accurate; it was successfully worked through once and proved to be feasible.
Keywords/Search Tags:Information Security, Risk Assessment, Configuration Management