CN102063668A - Auditing method and system for information system - Google Patents

Auditing method and system for information system

Publication number
CN102063668A
Authority
CN
China
Prior art keywords
audit
infosystem
assessment
control
risk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN2011100025221A
Other languages
Chinese (zh)
Inventor
徐亚非
常乐
董文英
曲明
刘江林
陈浙一
杨文勃
俞晶晶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CAPTECH INFORMATION AUDITING SYSTEM TECHNOLOGY (BEIJING) Co Ltd
Original Assignee
CAPTECH INFORMATION AUDITING SYSTEM TECHNOLOGY (BEIJING) Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CAPTECH INFORMATION AUDITING SYSTEM TECHNOLOGY (BEIJING) Co Ltd
Priority to CN2011100025221A
Publication of CN102063668A
Legal status: Pending

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses an auditing method and system for an information system. The system comprises an investigating and analyzing module, a risk estimating module, a control and auditing framework customizing module, an auditing engine deployment module, an auditing policy formulating module and an estimating and measuring module. Based on the invention, the information system is controlled and a base line of an auditing framework is created by comprehensively utilizing information system background investigation, information system analysis, information system lifecycle risk estimation and control estimation to deploy an auditing engine for continuous auditing so as to obtain the actual operation state information and accurately and comprehensively estimate whether the information system meets the business target or not.

Description

Auditing method and system for an information system
Technical field
The present invention relates to the auditing of information systems, and in particular to an auditing method and system for an information system.
Background technology
At present, information system audit technology mainly has the following defects:
First, the object of an information system audit is the computer information system, yet current technology focuses only on auditing data during the operation and maintenance phase. It is concerned only with whether the information system processes data correctly, and cannot carry out a comprehensive risk assessment and control audit of the system's business objectives or of its whole life cycle.
Second, information system audit projects currently rely mainly on the auditor's experience and judgment. There is no integrated, scientific set of assessment and measurement tools for carrying out information system audit and evaluation tasks. Moreover, to fully realize control and audit assessment of an information system, a comprehensive analysis and evaluation is needed along three dimensions: the composition of the information system, its life cycle, and its management. Existing information system audit techniques and products each address only part of these three dimensions; they cannot control and audit the information system comprehensively, nor can they scientifically evaluate the degree to which the system's business objectives are realized.
Third, an information system audit requires a practicable set of IT control and audit standards established according to the characteristics and environment of the information system. On that basis, and combined with the practice of information system control and audit work, an information system audit framework is built and refined in practice; this is a process of continuous learning, reference and continual improvement. The process needs a powerful and comprehensive knowledge base as its foundation, but existing techniques and products do not integrate the Control Objectives for Information and Related Technology (COBIT) framework with a risk assessment management knowledge base to provide a practicable basis for the control and audit of information systems.
Fourth, most information system audits focus only on security problems in the information system or the information technology environment. They cannot provide methodological guidance or measurement tools to help an organization judge whether it uses information resources effectively, whether it effectively manages information-related risk, or how to evaluate information technology performance effectively.
Summary of the invention
The object of the present invention is to provide an auditing method and system for an information system. Based on the present invention, control and audit assessment of an information system can be fully realized.
The invention provides an information system auditing method comprising the following steps: an investigation and analysis step, which determines the scope of the audit target to be assessed and its business operation status; a risk assessment step, which performs a risk assessment of the information system according to that scope and business operation status and obtains a first assessment result; a control and audit framework customization step, which customizes a control and audit framework according to the first assessment result, and at the same time generates a set of control measures and, according to that set, evaluates whether the information system avoids the risks, obtaining a second assessment result; an audit engine deployment step, which determines the deployment scheme of the audit engine according to the customized control and audit framework; an audit strategy formulation step, which formulates an audit strategy for continuous monitoring of the information system according to the audit engine deployment scheme, the first assessment result and the second assessment result; and an assessment and measurement step, which audits the information system according to the audit strategy, obtains and analyzes data, verifies whether the risks of the information system are effectively controlled and whether the control measures satisfy the control objectives, and gives a comprehensive assessment conclusion on information system control and audit according to the evaluation indices.
Preferably, the above information system auditing method is based on a knowledge base comprising an information system analysis and assessment knowledge base, an information system risk assessment knowledge base, and a control and audit framework knowledge base, wherein the investigation and analysis step is based on the information system analysis and assessment knowledge base; the risk assessment step is based on the information system risk assessment knowledge base; and the control and audit framework customization step, the audit engine deployment step, the audit strategy formulation step and the assessment and measurement step are based on the control and audit framework knowledge base.
Preferably, in the control and audit framework customization step of the above method, formulating the control and audit framework comprises: a step of determining the enterprise strategic objectives to be achieved by the information system; a step of determining the business objectives that the information system must support; a step of determining, from the strategic objectives and business objectives, the control objectives the information system must achieve; a step of identifying the control measures of the information system under existing conditions and reaching a conclusion on their effectiveness; a step of formulating, from the conclusions of the risk assessment and the control measure assessment, an audit strategy for continuous monitoring and auditing of the information system, and of obtaining and analyzing data to verify whether the information system's risks are effectively controlled and whether the control measures satisfy the control objectives; and a step of measuring and analyzing the effect achieved against the strategic objectives and business objectives the information system must satisfy, and giving a comprehensive assessment conclusion on information system control and audit.
Preferably, in the audit engine deployment step of the above method, the audit engine is deployed by combining bypass mode with audit agents.
Preferably, the audit strategy formulation step of the above method further comprises: converting the risk assessment result and the control measure assessment result into monitoring and audit strategies; issuing the converted strategies to the deployed audit engine; the audit engine monitoring continuously according to the audit monitoring strategies; when an event that violates a strategy is found, the audit engine raising an alarm and identifying the degree of impact of the event; and, after a predetermined period, giving a comprehensive analysis conclusion according to the requirements of the control and audit framework, which provides input data for assessing the effect of the controls.
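The audit strategy formulation step above can be sketched as follows. This is an added example, not code from the patent: the rule format, the role-based violation test, the one-level escalation for ineffective controls, and all sample risks and events are assumptions constructed for illustration.

```python
from collections import Counter

LEVELS = ["low", "medium", "high", "critical"]

# Constructed first assessment result (risks); not taken from the patent.
RISKS = [
    {"id": "R1", "asset": "billing-db", "action": "bulk_export",
     "level": "high", "allowed_roles": {"dba"}},
    {"id": "R2", "asset": "hr-app", "action": "admin_login",
     "level": "medium", "allowed_roles": {"hr-admin"}},
    {"id": "R3", "asset": "wiki", "action": "page_edit",
     "level": "low", "allowed_roles": {"staff", "hr-admin", "dba"}},
]
# Constructed second assessment result: was the existing control judged effective?
CONTROL_EFFECTIVE = {"R1": False, "R2": True, "R3": True}

# Constructed audit events, as a bypass sensor or audit agent might report them.
EVENTS = """\
2011-01-05T02:14:00 user=mallory role=staff asset=billing-db action=bulk_export
2011-01-05T09:00:12 user=alice role=dba asset=billing-db action=bulk_export
2011-01-05T09:30:45 user=bob role=staff asset=hr-app action=admin_login
2011-01-05T10:02:03 user=carol role=hr-admin asset=hr-app action=admin_login
2011-01-05T11:15:00 user=bob role=staff asset=wiki action=page_edit
malformed line without fields
"""


def derive_policy(risks, control_effective):
    """Convert both assessment results into rules keyed by (asset, action).

    Assumption of this example: a risk whose control measure was judged
    ineffective (or was never assessed) is monitored one impact level higher.
    """
    policy = {}
    for risk in risks:
        idx = LEVELS.index(risk["level"])
        if not control_effective.get(risk["id"], False):
            idx = min(idx + 1, len(LEVELS) - 1)
        policy[(risk["asset"], risk["action"])] = {
            "risk_id": risk["id"],
            "impact": LEVELS[idx],
            "allowed_roles": frozenset(risk["allowed_roles"]),
        }
    return policy


def parse_event(line):
    """Parse 'timestamp key=value ...'; return None if required fields are missing."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"user", "role", "asset", "action"} <= fields.keys():
        return None
    fields["time"] = parts[0]
    return fields


def run_engine(policy, lines):
    """Continuous-monitoring pass: raise an alert for every policy violation."""
    alerts, checked, rejected = [], 0, 0
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        if event is None:
            rejected += 1          # unparseable input is counted, not dropped silently
            continue
        checked += 1
        rule = policy.get((event["asset"], event["action"]))
        if rule and event["role"] not in rule["allowed_roles"]:
            alerts.append({"time": event["time"], "user": event["user"],
                           "risk_id": rule["risk_id"], "impact": rule["impact"]})
    return alerts, checked, rejected


def period_summary(alerts, checked, rejected):
    """End-of-period analysis used as input to the control effect assessment."""
    return {
        "events_checked": checked,
        "events_rejected": rejected,
        "alerts_by_impact": dict(Counter(a["impact"] for a in alerts)),
        "alerts_by_risk": dict(Counter(a["risk_id"] for a in alerts)),
    }


if __name__ == "__main__":
    policy = derive_policy(RISKS, CONTROL_EFFECTIVE)
    alerts, checked, rejected = run_engine(policy, EVENTS.splitlines())
    for alert in alerts:
        print(alert)
    print(period_summary(alerts, checked, rejected))
```
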
Preferably, in the assessment and measurement step of the above method, the evaluation indices are divided into a three-level structure of strategic objectives, business objectives and control objectives. A strategic objective consists of one or more business objectives, a business objective consists of one or more control objectives, and a control objective consists of a seven-tuple comprising effectiveness, efficiency, confidentiality, integrity, availability, consistency and reliability. The comprehensive assessment conclusion is determined by calculating step by step and aggregating from the bottom up through the three-level structure of strategic objectives, business objectives and control objectives. The measurement conclusion for the assessed information system comprises three results: a strategic objective conformity score, a business objective conformity score and a control objective conformity score.
The present invention also provides an information system auditing system, comprising: an investigation and analysis module for determining the scope of the audit target to be assessed and its business operation status; a risk assessment module for performing a risk assessment of the information system according to that scope and business operation status and obtaining a first assessment result; a control and audit framework customization module for customizing a control and audit framework according to the first assessment result, and at the same time generating a set of control measures and, according to that set, evaluating whether the information system avoids the risks, obtaining a second assessment result; an audit engine deployment module for determining the deployment scheme of the audit engine according to the customized control and audit framework; an audit strategy formulation module for formulating an audit strategy for continuous monitoring of the information system according to the audit engine deployment scheme, the first assessment result and the second assessment result; and an assessment and measurement module for auditing the information system according to the audit strategy, obtaining and analyzing data, verifying whether the risks of the information system are effectively controlled and whether the control measures satisfy the control objectives, and giving a comprehensive assessment conclusion on information system control and audit according to the evaluation indices.
Preferably, the above information system auditing system is based on a knowledge base comprising an information system analysis and assessment knowledge base, an information system risk assessment knowledge base, and a control and audit framework knowledge base, wherein the investigation and analysis module is based on the information system analysis and assessment knowledge base; the risk assessment module is based on the information system risk assessment knowledge base; and the control and audit framework customization module, the audit engine deployment module, the audit strategy formulation module and the assessment and measurement module are based on the control and audit framework knowledge base.
Preferably, in the above information system auditing system, the control and audit framework customization module comprises: a unit for determining the enterprise strategic objectives to be achieved by the information system; a unit for determining the business objectives that the information system must support; a unit for determining, from the strategic objectives and business objectives, the control objectives the information system must achieve; a unit for identifying the control measures of the information system under existing conditions and reaching a conclusion on their effectiveness; a unit for formulating, from the conclusions of the risk assessment and the control measure assessment, an audit strategy for continuous monitoring and auditing of the information system, and for obtaining and analyzing data to verify whether the information system's risks are effectively controlled and whether the control measures satisfy the control objectives; and a unit for measuring and analyzing the effect achieved against the strategic objectives and business objectives the information system must satisfy, and giving a comprehensive assessment conclusion on information system control and audit.
Preferably, in the audit engine deployment module of the above system, the audit engine is deployed by combining bypass mode with audit agents.
Preferably, in the above information system auditing system, the audit strategy formulation module is further used for: converting the risk assessment result and the control measure assessment result into monitoring and audit strategies; issuing the converted strategies to the deployed audit engine; the audit engine monitoring continuously according to the audit monitoring strategies; when an event that violates a strategy is found, the audit engine raising an alarm and identifying the degree of impact of the event; and, after a predetermined period, giving a comprehensive analysis conclusion according to the requirements of the control and audit framework, which provides input data for assessing the effect of the controls.
Preferably, in the above information system auditing system, the audit strategy formulation module is further used for the following: in the assessment and measurement module, the evaluation indices are divided into a three-level structure of strategic objectives, business objectives and control objectives. A strategic objective consists of one or more business objectives, a business objective consists of one or more control objectives, and a control objective consists of a seven-tuple comprising effectiveness, efficiency, confidentiality, integrity, availability, consistency and reliability. The comprehensive assessment conclusion is determined by calculating step by step and aggregating from the bottom up through the three-level structure of strategic objectives, business objectives and control objectives. The measurement conclusion for the assessed information system comprises three results: a strategic objective conformity score, a business objective conformity score and a control objective conformity score.
Compared with the prior art, the present invention has the following advantages:
First, the present system makes full use of the advanced theory of the Control Objectives for Information and Related Technology (COBIT) framework to carry out information system audits. This gives strong support and a solid foundation to the audit method and to the customization of the information system control and audit framework, and also gives ample guidance for the practice of information system auditing.
Second, the present system takes the information system as the audit target. Based on the characteristics of the information system, with its composition and operating environment as background, and taking full account of the risks present at the system's current life-cycle stage, it provides a multidimensional, comprehensive control and audit solution for information system audits. The automatically customized control and audit framework provides a standard audit baseline for the information system audit and a scientific basis for measuring the information system's effect.
Third, the present system takes the information system as the audit target and provides a method for automatically assessing and verifying the degree to which the information system's risks are controlled and the degree of conformity with the audit control objectives. It converts the conclusions into a continuous audit strategy and deploys the audit engine, providing a method for obtaining and analyzing real data from the operation of the information system.
Fourth, the system makes combined use of information system background investigation, information system analysis, full life-cycle risk assessment and control assessment to establish the baseline of the information system control and audit framework, deploys the audit engine for continuous auditing, and obtains actual operating status information. It measures effect fully against the business objectives and control objectives of the information system, providing a method for accurately and comprehensively evaluating whether the information system satisfies its business objectives, and a scientific and effective method of measuring and analyzing the system's operating status and the degree to which it achieves its objectives.
Description of drawings
Fig. 1 is a flow chart of the steps of an embodiment of the information system auditing method of the present invention;
Fig. 2 is a structural block diagram of an embodiment of the information system auditing system of the present invention;
Fig. 3 is a schematic diagram of the system framework for information system auditing;
Fig. 4 is a schematic diagram of the system framework for information system auditing;
Fig. 5A is a flow chart of auditing by the information system auditing system;
Fig. 5B is a functional schematic diagram of the information system auditing system;
Fig. 5C is a functional schematic diagram of the information system auditing system;
Fig. 6 is a schematic diagram of the three management centers;
Fig. 7 is a schematic flow chart of the information system background investigation;
Fig. 8 is a schematic flow chart of information system analysis;
Fig. 9 is a flow chart of the information system operating environment;
Fig. 10 is a flow chart of information system risk assessment and audit;
Fig. 11 is a flow chart of customizing the information system control and audit framework;
Fig. 12 is a flow chart of information system audit strategy formulation and continuous monitoring;
Fig. 13 is a structural block diagram of the knowledge base management center.
Embodiment
To make the above objects, features and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
In the present invention, the design idea and principle of the information system auditing system is to examine the components of the information system and its full life cycle, including planning, development, implementation, operation and maintenance, and to provide a scientific and effective method of measurement and analysis for accurately and comprehensively evaluating the system's operating status and the degree to which it achieves its objectives.
The present invention provides a series of feasible risk control and audit strategies and methods covering the security, reliability, effectiveness and efficiency of each stage of the information system's full life cycle. From the perspective of business operations, it can evaluate and audit whether the information system uses the organization's resources efficiently and whether it helps the organization realize its business objectives; it can also measure and assess the ability to control risk at each stage of information system construction and development and the likelihood of achieving the objectives. The system can provide methodological guidance and measurement tools to help an organization use information resources effectively, manage information-related risk effectively, and evaluate information technology performance effectively.
Referring to Fig. 1, Fig. 1 is a flow chart of the steps of an embodiment of the information system auditing method of the present invention. The method comprises the following steps: investigation and analysis step S110, which determines the scope of the audit target to be assessed and its business operation status; risk assessment step S120, which performs a risk assessment of the information system according to that scope and business operation status and obtains a first assessment result; control and audit framework customization step S130, which customizes a control and audit framework according to the first assessment result, and at the same time generates a set of control measures and, according to that set, evaluates whether the information system avoids the risks, obtaining a second assessment result; audit engine deployment step S140, which determines the deployment scheme of the audit engine according to the customized control and audit framework; audit strategy formulation step S150, which formulates an audit strategy for continuous monitoring of the information system according to the audit engine deployment scheme, the first assessment result and the second assessment result; and assessment and measurement step S160, which audits the information system according to the audit strategy, obtains and analyzes data, verifies whether the risks of the information system are effectively controlled and whether the control measures satisfy the control objectives, and gives a comprehensive assessment conclusion on information system control and audit.
In another aspect, the invention also provides an embodiment of an information system auditing system. Referring to Fig. 2, the auditing system comprises: an investigation and analysis module 21, a risk assessment module 22, a control and audit framework customization module 23, an audit engine deployment module 24, an audit strategy formulation module 25, and an assessment and measurement module 26.
Wherein: the investigation and analysis module 21 is used to determine the scope of the audit target to be assessed and its business operation status; the risk assessment module 22 is used to perform a risk assessment of the information system according to that scope and business operation status and obtain a first assessment result; the control and audit framework customization module 23 customizes a control and audit framework according to the first assessment result, and at the same time generates a set of control measures and, according to that set, evaluates whether the information system avoids the risks, obtaining a second assessment result; the audit engine deployment module 24 is used to determine the deployment scheme of the audit engine according to the customized control and audit framework; the audit strategy formulation module 25 is used to formulate an audit strategy for continuous monitoring of the information system according to the audit engine deployment scheme, the first assessment result and the second assessment result; and the assessment and measurement module 26 is used to audit the information system according to the audit strategy, obtain and analyze data, verify whether the risks of the information system are effectively controlled and whether the control measures satisfy the control objectives, and give a comprehensive assessment conclusion on information system control and audit.
The above information system auditing system is described in detail below.
The object of an information system audit is the computer information system, and the audit covers the system's whole life cycle. To fully realize control and audit assessment of the information system, the present system carries out a comprehensive analysis and evaluation along three dimensions: the composition of the information system, its life cycle, and its management.
Referring to Fig. 3, Fig. 3 is a schematic diagram of the information system control and audit assessment model. An information system takes the information infrastructure as its basic operating environment and consists of people, information technology equipment and operating rules. Through the acquisition, transmission, processing and storage of information, and with the aim of giving the enterprise a strategic competitive advantage and raising efficiency, it is an integrated man-machine system that supports decision-making by senior management, control by middle management and operations at the base level. The system architecture of the present system carries out audit assessment mainly in terms of system stage, work system, data system, network system, management system and constituent elements.
An information system goes through a process of creation, development, maturity, and retirement or replacement. While in use, it must be continually maintained and modified as its environment changes; when it is no longer suitable it is retired and replaced by a new system. This cycle is called the life cycle of the information system. In the present system, according to the life-cycle stage the information system is in, control objectives suited to the audited information system are designed and customized, providing methods and tools for strictly managing and controlling the information system and ensuring that it runs effectively.
In terms of its constituent elements, an information system consists of a hardware platform, a software platform, business systems, data files, people and operating rules. The hardware and software platforms provide the basic operating environment. Once the hardware and software platforms are installed and configured, application systems that meet business management needs must be selected or developed. After the platforms and application systems are installed, the basic data needed to support daily operation must be organized and stored in the computer; in addition, daily operation collects and produces much new data and information, which must also be organized into data files and stored in the computer. In a computer information system, data is organized and managed in the form of data files, file systems, databases and data warehouses. People are not only components of the information system but also stand outside it as managers and as users who make decisions with the information it provides. The operating rules stipulate how the information system itself is to be operated, and all users of the information system should follow them.
In terms of its life cycle, an information system's life cycle is divided into six stages: system planning, system analysis, system design, system implementation, system operation and system maintenance.
From the management perspective, the management and control activities of an information system accompany the whole system life cycle and involve both management of the system's constituent elements and management at each life-cycle stage. Information system management covers four areas: system planning and organizational management, system development management, system implementation management, and daily operation management. It is achieved mainly by establishing a series of sound rules, regulations and management procedures and carrying them out effectively.
Therefore, in the present system the background information of each assessed information system is investigated and analyzed along three dimensions: business background, system architecture and operating environment. The basic elements of business background comprise four aspects: business objectives, business characteristics, management characteristics and technical characteristics. The basic elements of system architecture comprise six aspects: system stage, work system, data system, network system, management system and constituent elements. The basic elements of operating environment comprise two aspects: external environment and internal requirements. By investigating and analyzing each basic element in these three dimensions, the background characteristics of the information system are comprehensively assessed, providing a basis for customizing the information system control and audit framework.
Referring to Fig. 4, Fig. 4 is a schematic diagram of the system framework for information system auditing, which comprises the following three parts:
First, the information system control and audit framework knowledge base
The present system establishes for the information system a set of practicable IT control and audit standards and assessment metrics, based on the system's characteristics, environment and business objectives. On this basis, and combined with the practice of information system control and audit work, it builds an information system audit framework that is refined in practice, realizing a process of continuous learning, reference and continual improvement in information system risk control and audit.
The information system control and audit framework knowledge base mainly comprises:
The information system analysis and assessment knowledge base, which contains the questionnaires and reference material used to support the information system background investigation, system framework analysis and operating environment assessment.
The information system risk assessment knowledge base, which contains the risk assessment use-case set and tool set.
The information system control and audit framework knowledge base, which contains standard general-purpose processes and general controls suitable for auditing all kinds of information systems; industry-specific business processes and application controls that can be identified in an information system; industry-specific control objectives; commonly used control objective weight configuration cases for specific businesses; and industry-specific audit framework templates.
Within it, the information system control and audit framework knowledge base integrates a powerful and comprehensive control and audit framework model, COBIT (Control Objectives for Information and Related Technology). COBIT is an IT governance framework standard in general use internationally. It provides a set of authoritative, generally accepted and globally applicable criteria intended to standardize and improve the level of IT governance, guard against and control risk effectively, and increase the value of information technology. COBIT is an IT governance framework and also provides a supporting tool set that helps managers bridge the gaps between control requirements, technical issues and business risks, and communicate the level of control to stakeholders. COBIT is also a collection of IT best practices and an umbrella framework for IT management; it helps in understanding and managing the risks and benefits associated with IT. COBIT defines more than 100 control and management objectives. Drawing on research results from across the industry, it groups IT activities into 34 processes within 4 process domains, providing not only information system control objectives and IT standards but also audit guidelines for information systems.
In addition, the knowledge base of the present system is extensible: it can be optimized, supplemented and refined as expert experience and implementations continue to improve.
Second, full life-cycle audit management of the information system
Information system audit should take place at every stage of the information system life cycle. The controls involved at each stage follow the same audit principles and methods, but because the content, objects and control requirements differ from stage to stage, the object, purpose and requirements of the audit differ as well. Specifically, in the planning and design stage, the audit determines the operational strategic objectives of the system. In the implementation stage, the audit determines whether the system's specific objectives have been achieved, whether user requirements are met and whether the control measures are effective, and assesses residual risk. In the operation and maintenance stage, monitoring and auditing are carried out continuously to identify the constantly changing risks the system faces and thereby determine the effectiveness of each control measure, so that the information system runs efficiently in a controlled environment. The audit at each stage therefore needs to be carried out with an emphasis that matches the characteristics of that stage. The present system can customize audit and assessment procedures according to the characteristics of the information system and the stage it is in, and perform stage-specific audit assessment. The present system can also be used for self-assessment of an information system, and can carry out either stage-based assessment or continuous monitoring and auditing of the information system's risks and the effectiveness of its control measures.
Third, management of the assessment of information system control and audit effectiveness
After the stage the information system is in has been determined, the present system performs control and audit assessment of the information system according to its characteristics, from a three-level structure, six aspects and seven angles. The three-level structure consists of strategic objectives, business objectives and control objectives. The six aspects are the information system's hardware platform, software platform, business system, data files, personnel and operating standards. The seven angles are effectiveness, efficiency, confidentiality, integrity, availability, consistency and reliability. Calculation proceeds level by level through the three-level structure of strategic objectives, business objectives and control objectives, with aggregate analysis from the bottom up, giving a comprehensive, multi-angle assessment and measurement of the information system.
The design and implementation of the information system audit system are described below with reference to Fig. 5A, Fig. 5B and Fig. 5C.
The idea and principle behind the design of the information system audit system are to examine the components of the information system and its planning, development, implementation, operation and maintenance processes, and to provide a set of feasible risk control and audit strategies and methods for the security, reliability, effectiveness and efficiency of each stage of the full life cycle. From the viewpoint of business operations, the system evaluates and audits whether the information system uses organizational resources efficiently and whether it helps the organization achieve its business objectives. It can also measure and assess the ability to control risk at each stage of information system construction and development and the likelihood of achieving the objectives. It provides methodological guidance and measurement tools that help the organization use information resources effectively, manage information-related risk effectively and evaluate information technology performance effectively.
The implementation flow of the information system audit system is as follows:
(1) Determine the scope of the assessed audit object and its business operation status
(2) Assess and audit information system risk
(3) Automatically customize the information system control and audit framework
(4) Deploy the audit engine and obtain audit information
(5) Formulate the information system audit policy and monitor continuously
(6) Assess and measure the effectiveness of information system control and audit
The present system targets the scope of the information system object and its business operation characteristics. It aggregates and analyzes scattered, heterogeneous business flow information; performs comprehensive risk assessment and audit of the information system at the organizational-management, technical and implementation levels; formulates audit policies and continuous monitoring with reference to the information system's internal and external constraints and to best practices; assesses the effect of information system risk control over a given period; and provides measurement results and improvement recommendations in light of the COBIT framework requirements and the information system's business needs.
The present system requires that the enterprise's business be combined with best practices, that static assessment and dynamic monitoring be combined, and that stage-based assessment be combined with integrated full life-cycle management. In this way the audited information system can be assessed and audited along multiple dimensions: scattered, high-volume individual events are aggregated, filtered, collected and correlated to produce an assessment and measurement of the risk control effect from an overall perspective, and unified improvement recommendations are formed for response and handling.
The information system audit system is designed and implemented with a three-tier architecture (user layer, service layer, acquisition and processing layer). The user layer and service layer use the B/S (browser/server) model and consist of "three centers and seven functional modules". The three management centers are the knowledge base management center, the full life-cycle audit management center and the control effectiveness assessment management center; Fig. 6 is a schematic diagram of the three management centers. The seven functional modules are the background information collection module, the risk assessment module, the control and audit framework customization module, the continuous monitoring and audit module, the assessment index management module, the assessment result calculation module and the interaction interface module.
The information system full life-cycle audit management center determines the audit scope, business background, system architecture and operating status of the assessed information system; performs comprehensive risk assessment of the information system's asset composition; automatically customizes the information system control and audit framework; deploys the audit engine according to that framework; converts control objectives into audit policies and issues them to the audit engine; and provides continuous monitoring and auditing, supplying the measurement basis for control effectiveness assessment.
The information system control effectiveness assessment management center assesses and measures the effectiveness indicators of the series of control objectives in the information system control and audit framework and judges whether the objectives have been achieved. It provides methodological guidance and measurement tools that help the organization use information resources effectively, manage information-related risk effectively and evaluate information technology performance effectively.
The information system audit knowledge base management center has three parts. The information system analysis and assessment knowledge base contains the questionnaires and reference material that support the information system background investigation, the system framework analysis and the operating environment assessment. The information system risk assessment knowledge base contains a set of risk assessment use cases and a tool set. The information system control and audit framework knowledge base contains the generic standard processes and general controls suitable for auditing any information system; industry-specific business processes and the application controls that can be identified in the information system; industry-specific control objectives; cases of commonly used control-objective weight configurations for specific businesses; and industry-specific audit framework templates.
The three centers are introduced below.
(1) Full life-cycle audit management center
A) Determine the scope of the assessed audit object and its business operation status
The main function is to investigate and analyze the background information of each assessed information system along three dimensions: business background, system architecture and operating environment. The basic elements of the business background are information on four aspects: business objectives, business characteristics, management characteristics and technical characteristics. The basic elements of the system architecture are information on six aspects: the system stage, business system, data system, network system, management system and key elements. The basic elements of the operating environment are information on two aspects: the external environment and internal requirements. Together, the basic elements of these three dimensions make up the background characteristics of the information system.
The main method is to collect information by questionnaire. Questionnaires are selected by automatically obtaining, from the knowledge base management center, the question set suited to the industry of the assessed organization and to the business characteristics of its system. In addition, the DSS decision-tree model built into the present system automatically selects new questions according to the respondent's feedback, which ensures the continuity of the information obtained.
i) Determining the audit object and audit scope is the first step of an information system audit. The object is established in order to make the audit scope explicit. The business objectives and operating environment of the audit object, the strategic objectives and management system of the organization it belongs to, and the relevant national, regional and industry policies, laws, regulations and standards are all information that must be understood in order to establish the object.
The information system background investigation flow, shown in Fig. 7, consists mainly of the following parts:
● Understand the business objectives of the information system. Understand the strategic objectives and business background of the organization to which the audited object belongs, and make clear which of the organization's business objectives the audited information system supports.
● Understand the business characteristics of the information system. Understand the business of the organization to which the audited object belongs, including business content and business processes, and from this make clear the business characteristics of the information system that supports the organization's business operations.
● Understand the management characteristics of the information system. Understand the organizational structure and management system of the organization to which the audited object belongs, including organizational design, division of responsibilities, and rules and regulations, and make clear the management characteristics of the information system that supports the organization's business operations.
● Understand the technical characteristics of the information system. Understand the technology platform of the organization to which the audited object belongs, including the physical platform, system platform, communications platform, network platform and application platform, and from this make clear the technical characteristics of the information system that supports the organization's business operations.
● Summarize the investigation results. Based on the content entered in the questionnaires, comprehensively assess the business objectives, business environment, management environment and technical environment of the information system, as input to the assessment in subsequent modules.
ii) With reference to Fig. 8, the information system analysis flow consists mainly of the following parts:
● Analyze the stage the information system is in. Understand the stage the information system is in and customize the questionnaire according to that stage.
● Analyze the structure of the information system. Analyze the business system, data system, network system, operating architecture and management system of the information system, and make clear the composition of the information system and the importance of each component.
● Analyze the key elements of the information system. Determine which parts of the information system play a key and important role in the organization's strategic objectives and business objectives, and output a list of key elements.
● Summarize the analysis results. Enter them in the questionnaire and comprehensively assess the system framework, key elements and internal and external constraints of the information system, as the assessment basis for customizing the information system control and audit framework.
iii) With reference to Fig. 9, the information system operating environment flow consists mainly of the following parts:
● Analyze the external operating environment of the information system. This mainly covers the relevant national, regional or industry policies, laws and standards and the contractual requirements of partners. Analyze the assurance environment of the information system and make clear the influence of external operating factors on the information system and the requirements they impose.
● Analyze the internal requirements of the information system. Combining the system structure and key elements from the information system analysis, sort out the internal requirements of the information system, and analyze and assess the importance of aspects such as security, confidentiality and availability.
● Summarize the above analysis results and comprehensively assess the operating environment of the information system, as the assessment basis for customizing the information system control and audit framework.
B) Information system risk assessment and audit
The information system risk assessment and audit module works from the asset components of the target information system and completes the risk assessment through asset assessment, vulnerability assessment, threat assessment, risk analysis, and risk management and control. The module is organized around the basic elements of assets, threats, vulnerabilities and control measures. During assessment it takes full account of the business objectives, the operating environment, the characteristics of the information system and the attributes of its key elements, and provides a comprehensive risk assessment for establishing the information system control and audit framework. It integrates a set of automated risk assessment tools which, using the information provided by the information system analysis module, automatically design a risk assessment scheme for the characteristics of the information system and provide risk identification and analysis. The information system analysis and the identified risk points are combined to customize a control and audit plan which, as input to subsequent modules, provides the basic data acquisition and analysis functions for establishing the control and audit framework specific to the information system. With reference to Fig. 10, the main flow is as follows:
i) Assign values to the assets identified by the information system analysis module.
ii) Based on the results of the information system background analysis, information system analysis and operating environment analysis, and using the risk assessment knowledge base of the knowledge base management center, automatically customize a risk assessment scheme and carry out risk identification and analysis.
iii) Obtain the risk points and control measures related to the information system.
iv) Consolidate the risk assessment results and formulate the control and audit plan.
C) Automated customization of the information system control and audit framework
The main inputs of the two stage flows above are: the information collection method for the assessed system, obtained from the knowledge base management center; and the standard processes that match the industry and business characteristics, together with the information system control and audit objectives, also obtained from the knowledge base management center.
The outputs of the two stage flows above are: the analysis conclusions on the assessed system's background information, which serve as input for the knowledge base management center to output standard processes and audit objectives; the analysis conclusions on the assessed system's background information, which serve as input for the control effectiveness assessment management center to determine control objectives, business objectives and strategic objectives; and the continuous audit monitoring records of the assessed system, which serve as input for the control effectiveness assessment management center to calculate the control conformity results.
Combining the main outputs of the two stages above, the system automatically completes the customization of the control and audit framework. During customization, every element of the system must be comprehensively analyzed and assessed as required, so that a control and audit framework tailored to the specific information system is produced automatically. This framework serves as the baseline for the information system audit and provides the basis for the subsequent deployment of the audit engine to obtain audit information. Customization of the information system control and audit framework is the core module of the present system; the detailed process is shown in Fig. 11.
The customized information system control and audit framework consists of the following parts, shown in Table 1:
Table 1 (provided as an image in the original publication)
D) Deploy the audit engine and obtain audit information
The deployment scheme of the audit engine is decided by jointly considering the physical platform, system platform, communications platform, network platform and application platform on which the information system runs and the information that the information system control and audit framework requires to be obtained. Different deployment modes are used according to the characteristics of the audit object. The main deployment modes are as follows:
i) Bypass deployment
Bypass deployment does not intervene in the audited information system or its network environment. Data is obtained through switch port mirroring or a bypass network TAP, so that the audited information system is monitored continuously and in real time (or near real time), and the operations and system status information related to the audited system are recorded completely and collected. This class of tool has no effect on the monitored system, so the collection of audit data is completely transparent to users. This ensures that the collected data reflects the use of the audited information system truthfully, effectively and completely, and guarantees that the information system audit can make full use of the collected data, analyze it reasonably and draw correct conclusions.
ii) Audit agent deployment
Audit agent deployment requires a small agent application to be installed on the audited object. The agent obtains the data operations and running status of the information system that do not pass over the network and sends them to the server in a simple manner, so that the operating indicators and operating data of the information system can be obtained.
Only by combining these two deployment modes and deploying the audit engine appropriately according to the requirements of the information system control framework can the goal of continuous monitoring be achieved. This lays the data-analysis foundation for the next stage of risk assessment and audit and for formulating audit policies.
E) Formulate the information system audit policy and monitor continuously
The main function is to formulate a continuous monitoring and audit scheme based on the customized information system control and audit framework: the control objectives in the framework are converted into audit policies, the converted policies are issued to the audit engine module, and information system activity information is identified and obtained and used to judge the conformity of the information system's activities with the control objectives.
The audit engine monitors continuously according to the audit monitoring policies. If an event that violates a policy occurs, the audit engine raises an alert and identifies the degree of impact of the event. After a given period, a comprehensive analysis conclusion is produced according to the requirements of the control and audit framework, providing input data for the assessment of control effectiveness.
With reference to Fig. 12, the flow is as follows: the control objectives of the information system control and audit framework are converted into monitoring and audit policies; the converted policies are issued to the audit engine; the audit engine monitors continuously according to the audit monitoring policies; if an event that violates a policy is found, the audit engine raises an alert and identifies the degree of impact of the event; after a given period, a comprehensive analysis conclusion is produced according to the requirements of the control and audit framework, providing input data for the assessment of control effectiveness.
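The flow just described can be sketched in Python as follows. This is an added illustration, not code from the patent: the policy representation (an event type plus the roles allowed to perform it), the three-step impact scale, and all identifiers and sample events are assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed three-step scale for "degree of impact"; the patent defines none.
IMPACT_LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class ControlObjective:
    """A control objective from the customized framework (hypothetical fields)."""
    objective_id: str
    event_type: str           # information system activity the objective governs
    allowed_roles: frozenset  # roles permitted to perform that activity
    impact: str               # impact on the objective when it is violated


@dataclass(frozen=True)
class AuditPolicy:
    """Machine-checkable rule derived from exactly one control objective."""
    policy_id: str
    objective_id: str
    event_type: str
    allowed_roles: frozenset
    impact_level: int


def to_policies(objectives):
    """Convert control objectives into audit policies, rejecting bad input."""
    policies = []
    for obj in objectives:
        if obj.impact not in IMPACT_LEVELS:
            raise ValueError(f"{obj.objective_id}: unknown impact {obj.impact!r}")
        policies.append(AuditPolicy("POL-" + obj.objective_id, obj.objective_id,
                                    obj.event_type, obj.allowed_roles,
                                    IMPACT_LEVELS[obj.impact]))
    return policies


class AuditEngine:
    def __init__(self):
        self.policies, self.alerts, self.checked = [], [], Counter()

    def deploy(self, policies):
        """Receive the policies issued by the management center."""
        self.policies = list(policies)

    def observe(self, event):
        """Check one collected event; return the alerts it raised."""
        raised = []
        for policy in self.policies:
            if event.get("type") != policy.event_type:
                continue
            self.checked[policy.objective_id] += 1
            # Fail closed: an event with no role recorded counts as a violation.
            if event.get("role") not in policy.allowed_roles:
                raised.append({"policy_id": policy.policy_id,
                               "objective_id": policy.objective_id,
                               "impact_level": policy.impact_level,
                               "event": event})
        self.alerts.extend(raised)
        return raised

    def period_summary(self):
        """Per-objective event frequency and impact for the assessment stage."""
        summary = {}
        for policy in self.policies:
            hits = [a for a in self.alerts
                    if a["objective_id"] == policy.objective_id]
            summary[policy.objective_id] = {
                "events_checked": self.checked[policy.objective_id],
                "violations": len(hits),
                "max_impact": max((a["impact_level"] for a in hits), default=0),
            }
        return summary


# Constructed sample data: two objectives and six collected events.
OBJECTIVES = [
    ControlObjective("CO-01", "customer_record_export",
                     frozenset({"dba", "auditor"}), "high"),
    ControlObjective("CO-02", "config_change",
                     frozenset({"change_manager"}), "medium"),
]
EVENTS = [
    {"source": "bypass", "type": "customer_record_export", "role": "dba"},
    {"source": "agent", "type": "config_change", "role": "developer"},
    {"source": "bypass", "type": "customer_record_export", "role": "clerk"},
    {"source": "agent", "type": "config_change", "role": "change_manager"},
    {"source": "agent", "type": "login", "role": "clerk"},
    {"source": "bypass", "type": "customer_record_export"},  # role missing
]


def run_period(objectives, events):
    """One monitoring cycle: convert, issue, monitor, then summarize."""
    engine = AuditEngine()
    engine.deploy(to_policies(objectives))
    for event in events:
        engine.observe(event)
    return engine.alerts, engine.period_summary()


if __name__ == "__main__":
    alerts, summary = run_period(OBJECTIVES, EVENTS)
    for alert in alerts:
        print("ALERT", alert["policy_id"], alert["event"])
    print(summary)
```

The `source` field only marks whether a constructed event came from bypass or agent collection; the engine treats both the same way.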
For the interaction interface module with the knowledge base management center, the main input functions are: obtaining the information collection method for the assessed system from the knowledge base management center; and obtaining the standard processes that match the industry and business characteristics, together with the information system control and audit objectives, from the knowledge base management center. The main output functions of this module are: the analysis conclusions on the assessed system's background information, as input for the knowledge base management center to output standard processes and audit objectives; the analysis conclusions on the assessed system's background information, as input for the control effectiveness assessment management center to determine control objectives, business objectives and strategic objectives; and the continuous audit monitoring records of the assessed system, as input for the control effectiveness assessment management center to calculate the control conformity results.
(2) Control effectiveness assessment management center
Effect measurement analysis is performed on the strategic objectives and business objectives that the information system is required to satisfy, and a comprehensive assessment conclusion on information system control and audit is given. See Table 2.
Table 2 (provided as images in the original publication)
The center mainly comprises two modules:
The assessment index management module. Assessment indices are divided into a three-level structure of strategic objectives, business objectives and control objectives. The control objective seven-tuple comprises effectiveness, efficiency, confidentiality, integrity, availability, consistency and reliability. Based on the output of the system background investigation module of the full life-cycle audit management center, the module determines the business objectives suited to the characteristics of the assessed system, matches an appropriate set of control objectives to each business, and sets the weight of each control objective; the specific control objectives assigned to each business objective are one or more drawn from the control objective seven-tuple. A strategic objective consists of one or more business objectives; based on the output of the system background investigation module of the full life-cycle audit management center, specific business objectives are assigned to each strategic objective, together with the weight of each business objective within that strategic objective.
The assessment result calculation module. It calculates level by level through the three-level structure of strategic objectives, business objectives and control objectives, with aggregate analysis from the bottom up. The control objective assessment result is calculated from the monitoring results of the continuous audit module of the full life-cycle audit management center, yielding a conformity score for each control objective of the assessed system. The business objective assessment result is calculated from the weight that each element of the control objective seven-tuple carries in achieving the business objective, yielding the assessed system's conformity score for each business objective. The strategic objective assessment result is calculated from the weight of each business objective required to realize the strategic objective, using the business objective conformity scores to compute the strategic objective conformity score. The calculated assessment results are reported periodically in report form according to the configured cycle. Each result includes three calculated values: the strategic objective conformity score, the business objective conformity score and the control objective conformity score.
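The bottom-up calculation can be worked through as below. This is an added illustration, not code from the patent, which gives no formulas: the 0 to 100 scale, the control score defined as the share of checked events that did not violate the policy, the weighted sum with weights that must total 1, and all objective names and figures are assumptions constructed for the example.

```python
import math

# The control objective seven-tuple named in the description.
CRITERIA = ("effectiveness", "efficiency", "confidentiality", "integrity",
            "availability", "consistency", "reliability")


def control_score(events_checked, violations):
    """Conformity score (0-100) of one control objective for one period."""
    if events_checked <= 0:
        # No evidence is not the same as full conformity: refuse to score.
        raise ValueError("no monitoring evidence for this control objective")
    if not 0 <= violations <= events_checked:
        raise ValueError("violations must be between 0 and events_checked")
    return 100.0 * (events_checked - violations) / events_checked


def weighted_score(scores, weights):
    """Weighted sum of lower-level scores; weights must be positive, total 1."""
    if any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be positive")
    if not math.isclose(sum(weights.values()), 1.0, abs_tol=1e-9):
        raise ValueError("weights must sum to 1")
    return sum(scores[name] * w for name, w in weights.items())


def assess(monitoring, business_weights, strategic_weights):
    """Roll monitoring results up through control, business, strategic levels."""
    control, business, strategic = {}, {}, {}
    for objective, weights in business_weights.items():
        unknown = set(weights) - set(CRITERIA)
        if unknown:
            raise ValueError(f"{objective}: not in the seven-tuple: {unknown}")
        evidence = monitoring.get(objective, {})
        control[objective] = {c: control_score(*evidence.get(c, (0, 0)))
                              for c in weights}
        business[objective] = weighted_score(control[objective], weights)
    for objective, weights in strategic_weights.items():
        missing = set(weights) - set(business)
        if missing:
            raise ValueError(f"{objective}: unknown business objectives {missing}")
        strategic[objective] = weighted_score(business, weights)
    return {"control": control, "business": business, "strategic": strategic}


# Constructed sample data: (events_checked, violations) per control objective.
MONITORING = {
    "online_payments": {"confidentiality": (200, 10),
                        "integrity": (100, 0),
                        "availability": (50, 5)},
    "customer_reporting": {"reliability": (40, 8),
                           "efficiency": (20, 1)},
}
# Constructed weights of each control objective within its business objective.
BUSINESS_WEIGHTS = {
    "online_payments": {"confidentiality": 0.5, "integrity": 0.3,
                        "availability": 0.2},
    "customer_reporting": {"reliability": 0.6, "efficiency": 0.4},
}
# Constructed weights of each business objective within the strategic objective.
STRATEGIC_WEIGHTS = {
    "trusted_digital_channel": {"online_payments": 0.7,
                                "customer_reporting": 0.3},
}

if __name__ == "__main__":
    report = assess(MONITORING, BUSINESS_WEIGHTS, STRATEGIC_WEIGHTS)
    for level in ("control", "business", "strategic"):
        print(level, report[level])
```

A control objective with no monitoring evidence raises an error instead of scoring 100, so a gap in audit engine coverage cannot inflate the business or strategic score.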
Over a given period of continuous monitoring, the events that occur are analyzed comprehensively in terms of event frequency and the degree of impact of events on the control objectives, and comprehensive analysis conclusions and improvement recommendations are provided for information system control and audit. These mainly cover the following aspects: the availability of information to support business needs; the risk of loss of integrity and confidentiality; the cost efficiency of processes and operations; and confirmation of reliability, effectiveness and conformity.
The effectiveness indicators of the control objectives are assessed to judge whether the objectives have been achieved, and thereby to weigh whether the functional, process and operational objectives of the information system have been reached. From the viewpoint of business operations, the information system is evaluated and audited as to whether it uses organizational resources efficiently and whether it helps the organization achieve its business objectives; the ability to control risk at each stage of information system construction and development and the likelihood of achieving the objectives can also be measured and assessed. This provides methodological guidance and measurement tools that help the organization use information resources effectively, manage information-related risk effectively and evaluate information technology performance effectively.
For the interaction interface module with the knowledge base management center, the main input functions are: the full life-cycle audit management center supplies the input for assessment result calculation; and the knowledge base management center supplies the assessment indices and index weights as input. The main output function is: this module outputs the assessment result of control effectiveness.
(3) Knowledge base management center
The information system knowledge base management center has three parts, shown in Fig. 13. The first part is the information system analysis and assessment knowledge base, which contains the questionnaires and reference material that support the information system background investigation, the system framework analysis and the operating environment assessment. The second part is the information system risk assessment knowledge base, which contains a set of risk assessment use cases and a tool set. The third part is the information system control and audit framework knowledge base, which contains the generic standard processes and general controls suitable for auditing any information system; industry-specific business processes and the application controls that can be identified in the information system; industry-specific control objectives; cases of commonly used control-objective weight configurations for specific businesses; and industry-specific audit framework templates.
The functions of the interaction interface module with the full life-cycle audit management center and the control effectiveness assessment management center are: taking the full life-cycle audit management center as input, after information exchange it outputs the investigation questions suited to the characteristics of the assessed system and provides the basis for customizing the audit framework; taking the full life-cycle audit management center as input, after information exchange it refines the commonly used control-objective weight configuration cases according to the specific characteristics of the assessed system; and, as output, this module provides the necessary basic audit information support for the other two centers.
The audit method and system for an information system provided by the present invention have been described in detail above. Specific embodiments have been used herein to set out the principle and implementation of the invention, and the description of the above embodiments is intended only to help in understanding the method of the invention and its core idea. At the same time, for a person of ordinary skill in the art, the specific implementation and the scope of application may both vary in accordance with the idea of the invention. In summary, this description should not be construed as limiting the invention.

Claims (12)

1. An audit method for an information system, characterized in that the method comprises the following steps:
An investigation and analysis step: determining the scope of the assessed audit object and its business operation status;
A risk assessment step: performing a risk assessment of the information system according to the scope and business operation status of the assessed audit object, to obtain a first assessment result;
A control and audit framework customization step: customizing a control and audit framework according to the first assessment result; at the same time generating a set of control measures and, according to the set of control measures, assessing whether the information system avoids the risks, to obtain a second assessment result;
An audit engine deployment step: determining the deployment scheme of the audit engine according to the customized control and audit framework;
An audit policy formulation step: formulating an audit policy for continuous monitoring of the information system according to the deployment scheme of the audit engine, the first assessment result and the second assessment result;
An assessment and measurement step: auditing the information system according to the audit policy; obtaining and analyzing data to verify whether the risks of the information system are effectively controlled and whether the control measures satisfy the control objectives; and giving a comprehensive assessment conclusion on information system control and audit according to the assessment indices.
2. The audit method according to claim 1, characterized in that
the method is based on a knowledge base, the knowledge base comprising an information system analysis and assessment knowledge base, an information system risk assessment knowledge base, and a control and audit framework knowledge base;
wherein the investigation and analysis step is based on the information system analysis and assessment knowledge base; the risk assessment step is based on the information system risk assessment knowledge base; and the control and audit framework customization step, the audit engine deployment step, the audit policy formulation step and the assessment and measurement step are based on the control and audit framework knowledge base.
3. The auditing method according to claim 2, characterized in that, in the control and audit framework customization step, formulating the control and audit framework comprises:
A step of determining the corporate strategic objectives to be achieved through the information system;
A step of determining the business objectives that the information system must support;
A step of determining, according to the strategic objectives and business objectives, the control objectives that the information system is required to achieve;
A step of determining, according to the existing conditions of the information system, the conclusions of identifying the control measures and of assessing the effectiveness of the control measures;
A step of formulating, according to the conclusions of the risk assessment and the control measure assessment, an audit strategy for continuous monitoring and auditing of the information system, and acquiring and analyzing data to verify whether the risks of the information system are effectively controlled and whether the control measures satisfy the control objectives;
A step of performing effect measurement analysis on the strategic objectives and business objectives that the information system is required to satisfy, and giving the comprehensive assessment conclusion of information system control and audit.
4. The auditing method according to claim 3, characterized in that:
In the audit engine deployment step, the audit engine is deployed in a manner that combines bypass mode with audit agent mode.
5. The auditing method according to claim 4, characterized in that the audit strategy formulation step further comprises:
Converting the risk assessment result and the control measure assessment result into monitoring and audit strategies;
Issuing the converted strategies to the deployed audit engine;
The audit engine monitoring continuously according to the audit monitoring strategies; when an event that violates a strategy is found, the audit engine generates an alarm and identifies the degree of impact of the event;
After a predetermined period, giving a comprehensive analysis conclusion according to the requirements of the control and audit framework, to provide input data for the assessment of control effectiveness.
6. The auditing method according to claim 5, characterized in that:
In the assessment and measurement step, the evaluation indicators are divided into a three-level structure of strategic objectives, business objectives and control objectives; a strategic objective is composed of one or more business objectives, a business objective is composed of one or more control objectives, and a control objective is composed of a seven-tuple comprising effectiveness, efficiency, confidentiality, integrity, availability, consistency and reliability;
The comprehensive assessment conclusion is determined as follows: scores are calculated level by level according to the three-level structure of strategic objectives, business objectives and control objectives, and aggregated and analyzed from the bottom up; the measurement conclusion for the assessed information system comprises three results: a strategic objective conformity score, a business objective conformity score and a control objective conformity score.
7. An auditing system for an information system, characterized by comprising:
An investigation and analysis module, used to determine the scope and service operation status of the assessment and audit target;
A risk assessment module, used to perform a risk assessment of the information system according to the scope and service operation status of the assessment and audit target, to obtain a first assessment result;
A control and audit framework customization module, used to customize a control and audit framework according to the first assessment result; at the same time generating a set of control measures and, according to that set, evaluating whether the information system avoids the risks, to obtain a second assessment result;
An audit engine deployment module, used to determine the deployment scheme of the audit engine according to the customized control and audit framework;
An audit strategy formulation module, used to formulate an audit strategy for continuous monitoring of the information system according to the deployment scheme of the audit engine, the first assessment result and the second assessment result;
An assessment and measurement module, used to audit the information system according to the audit strategy; to acquire and analyze data to verify whether the risks of the information system are effectively controlled and whether the control measures satisfy the control objectives; and to give, according to the evaluation indicators, a comprehensive assessment conclusion of information system control and audit.
8. The auditing system according to claim 7, characterized in that:
The system is based on a knowledge base, and the knowledge base comprises an information system analysis and assessment knowledge base, an information system risk assessment knowledge base, and a control and audit framework knowledge base;
Wherein the investigation and analysis module is based on the information system analysis and assessment knowledge base; the risk assessment module is based on the information system risk assessment knowledge base; and the control and audit framework customization module, the audit engine deployment module, the audit strategy formulation module and the assessment and measurement module are based on the control and audit framework knowledge base.
9. The auditing system according to claim 8, characterized in that the control and audit framework customization module comprises:
A unit for determining the corporate strategic objectives to be achieved through the information system;
A unit for determining the business objectives that the information system must support;
A unit for determining, according to the strategic objectives and business objectives, the control objectives that the information system is required to achieve;
A unit for determining, according to the existing conditions of the information system, the conclusions of identifying the control measures and of assessing the effectiveness of the control measures;
A unit for formulating, according to the conclusions of the risk assessment and the control measure assessment, an audit strategy for continuous monitoring and auditing of the information system, and for acquiring and analyzing data to verify whether the risks of the information system are effectively controlled and whether the control measures satisfy the control objectives;
A unit for performing effect measurement analysis on the strategic objectives and business objectives that the information system is required to satisfy, and for giving the comprehensive assessment conclusion of information system control and audit.
10. The auditing system according to claim 9, characterized in that:
In the audit engine deployment module, the audit engine is deployed in a manner that combines bypass mode with audit agent mode.
11. The auditing system according to claim 10, characterized in that the audit strategy formulation module is further used for:
Converting the risk assessment result and the control measure assessment result into monitoring and audit strategies; issuing the converted strategies to the deployed audit engine; the audit engine monitoring continuously according to the audit monitoring strategies; when an event that violates a strategy is found, the audit engine generates an alarm and identifies the degree of impact of the event; after a predetermined period, giving a comprehensive analysis conclusion according to the requirements of the control and audit framework, to provide input data for the assessment of control effectiveness.
12. The auditing system according to claim 11, characterized in that the audit strategy formulation module is further used for:
In the assessment and measurement module, the evaluation indicators are divided into a three-level structure of strategic objectives, business objectives and control objectives; a strategic objective is composed of one or more business objectives, a business objective is composed of one or more control objectives, and a control objective is composed of a seven-tuple comprising effectiveness, efficiency, confidentiality, integrity, availability, consistency and reliability;
The comprehensive assessment conclusion is determined as follows: scores are calculated level by level according to the three-level structure of strategic objectives, business objectives and control objectives, and aggregated and analyzed from the bottom up; the measurement conclusion for the assessed information system comprises three results: a strategic objective conformity score, a business objective conformity score and a control objective conformity score.
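The bottom-up scoring described in claims 6 and 12, as an added example that is not part of the patent text. The claims do not state the aggregation function, so the weighted mean, the 0 to 1 score range, the weights, and all objective names below are assumptions made for illustration.

```python
# Assumed model: scores in [0, 1], weighted-mean aggregation at each level.
ATTRIBUTES = ("effectiveness", "efficiency", "confidentiality", "integrity",
              "availability", "consistency", "reliability")

def control_score(attrs):
    """Score one control objective from its seven-attribute tuple."""
    if set(attrs) != set(ATTRIBUTES):
        raise ValueError("expected exactly the seven attributes")
    if any(not 0.0 <= v <= 1.0 for v in attrs.values()):
        raise ValueError("attribute scores must lie in [0, 1]")
    return sum(attrs.values()) / len(ATTRIBUTES)

def weighted_mean(pairs):
    """pairs: list of (score, weight) for the children of one node."""
    total = sum(w for _, w in pairs)
    if total <= 0:
        raise ValueError("a node needs at least one positively weighted child")
    return sum(s * w for s, w in pairs) / total

def roll_up(tree):
    """tree: {strategic: {business: (weight, {control: (weight, attrs)})}}."""
    result = {"control": {}, "business": {}, "strategic": {}}
    for s_name, businesses in tree.items():
        b_pairs = []
        for b_name, (b_weight, controls) in businesses.items():
            c_pairs = []
            for c_name, (c_weight, attrs) in controls.items():
                score = control_score(attrs)
                result["control"][c_name] = score
                c_pairs.append((score, c_weight))
            result["business"][b_name] = weighted_mean(c_pairs)
            b_pairs.append((result["business"][b_name], b_weight))
        result["strategic"][s_name] = weighted_mean(b_pairs)
    return result  # the three conformity results, one dict per level

def uniform(value, **overrides):
    """Build a seven-attribute tuple with one value, then apply overrides."""
    return {**dict.fromkeys(ATTRIBUTES, value), **overrides}

# Constructed sample data: hypothetical objectives, weights and scores.
SAMPLE = {
    "S1": {
        "B1": (1, {
            "C1": (3, uniform(1.0, availability=0.3)),
            "C2": (1, uniform(0.5)),
        }),
        "B2": (1, {"C3": (1, uniform(0.4))}),
    },
}

print({lvl: {k: round(v, 3) for k, v in s.items()}
       for lvl, s in roll_up(SAMPLE).items()})
```

A weak attribute on one control (availability on C1) lowers that control's score and propagates upward in proportion to the weights, so the strategic-level figure can be traced back to the control that caused it.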
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011100025221A CN102063668A (en) 2011-01-07 2011-01-07 Auditing method and system for information system


Publications (1)

Publication Number Publication Date
CN102063668A true CN102063668A (en) 2011-05-18

Family

ID=43998938



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20110518