
Design & Implementation of Risk Management Tool for Information System Security

Posted on: 2016-08-11
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Guo
Full Text: PDF
GTID: 2308330503950360
Subject: Information security
Abstract/Summary:
With the rapid development of modern science and technology, information systems that touch every aspect of the national economy and people's livelihood have spread quickly. New concepts and technologies such as cloud computing and big data keep emerging, and information security incidents are becoming more and more serious.

Information security incidents can be handled by two kinds of method, technical and managerial, with management accounting for the greater proportion of the two. Risk management is an important part of an organization's security system, so identifying risks is an activity every organization must undertake.

Specific requirements for the risk management process appear in a number of authoritative domestic and international standards, including ISO/IEC 27001, the national information security level protection requirements, and the information system audit sponsored by ISACA. ISO/IEC 27005 and GB/T 20984 are standards dedicated to risk management and risk assessment, and information system audit allocates audit resources reasonably on the basis of risk assessment results.

Faced with numerous and complex information security control points, evaluating and controlling them by human effort alone or with general-purpose documents is difficult, and software is needed. As a result, system-based management has become a trend.

The first activity in risk management is risk assessment. Several international and domestic standards offer risk assessment methodologies for reference, but there is no unified standard for assigning values to each risk factor, for qualitative analysis, or for calculating the risk value. In particular, for reasons of cost and time, most organizations use qualitative methods, and the values assigned to each risk factor are difficult to make objective and consistent.

In this paper, the SSE-CMM (Systems Security Engineering Capability Maturity Model) is introduced into the process of assigning vulnerability values, and historical probability intervals are introduced into the assignment of threat values. On this basis the paper arrives at a risk assessment method, and a corresponding software tool was designed and developed to implement the risk assessment process and verify its effectiveness.
Keywords/Search Tags: Risk management, risk assessment, software, capability maturity model (CMM)