Research On Risk Management For Security Project Of Secret-Involved Information System

As an important part of Chinese national information security work, information security construction for secret-involved information system is getting more and more attention in recent years. For information security projects, effective risk management in the project implementation period is essential to the success of the projects. Therefor the scientific and systematic risk management work must been taken in order to effective analyze and identify the potential risk factors for the secret-involved information system. And base on it, measures and response should be carried out. It is an urgent issue to be solved in China secret-involved information security field, and it also has important theoretical value and practical significance.This paper analyzes the characteristics of secret-involved information system security projects, and the existing problems of current risk management. To improve information security protection of secret-involved information systems, this paper focuses on the analysis and research of risk identification, risk assessment, risk management measures and workflow for the two main stages in security project which are design phase and construction phase. In the design phase of security project, the risk of physical security, operational safety, information security, and the security management is identified and analyzed. The FMEA method is applied to evaluate all these four kinds risk, and the risk management strategies and detailed risk response plan are developed. In the construction phase of the security project, the risk of the terminals security reconstruction, security product construction, security system reconstruction, and reconstruction of secret-involved computers is analyzed and decomposed. The risk factors in construction phase of security project are comprehensively evaluated with the fuzzy evaluation method. And base on the evaluation results, the risk management measures are developed. Through above studies, the risk identification, risk evaluation, risk management method and workflow are established in the secret-involved information system security field.Finally, the risk management method is applied in the real secret-involved information system security project of an institute to enhance the effectiveness of risk response measures. The traditional rash decisions and subjective decisions in the risk management are avoided. The success rate of the project is improved. The method is verified in the application, and it also provides guidance and suggestions for future security risk management of secret-involved information system in China.