CN109670315A - Information technology risk intelligent management, device and computer equipment - Google Patents

Information technology risk intelligent management, device and computer equipment

Publication number: CN109670315A
Application number: CN201811341806.1A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 葛吉虎
Current Assignee: Ping An Technology Shenzhen Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Ping An Technology Shenzhen Co Ltd
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Prior art keywords: risk, information technology, information, value, class value
Application filed by Ping An Technology Shenzhen Co Ltd
Priority to CN201811341806.1A
Publication of CN109670315A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577: Assessing vulnerabilities and evaluating computer system security
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00: Administration; Management
    • G06Q10/06: Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063: Operations research, analysis or management
    • G06Q10/0635: Risk analysis of enterprise or organisation activities
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03: Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034: Test or assess a computer or a system


Abstract

This application discloses an intelligent information technology risk management method, device, computer equipment and storage medium. The method includes: obtaining information technology risk information; obtaining the risk level value of the information technology risk information from that information using a preset risk measurement rule; taking the corresponding information technology risk treatment measures for the information technology risk according to the risk level value; monitoring the information technology risk for which the corresponding treatment measures have been taken; judging whether the information technology key risk indicator is greater than a preset information technology key risk indicator threshold; and, if it is greater than the preset threshold, sending information technology risk rectification information. Information technology risk is thereby managed in a unified and standardized way, and the risk management process is optimized.

Description

Intelligent information technology risk management method, device and computer equipment
Technical field
This application relates to the computer field, and in particular to an intelligent information technology risk management method, device, computer equipment and storage medium.
Background
The prior art lacks an integrated information technology risk management system, and when information technology risks are managed in a decentralized way the standards used are inconsistent, which hinders risk management and control. At present, information technology risks are usually scattered across different systems, each of which manages a different kind of technology risk: for example, the procurement system manages outsourcing risk, the information security system manages security risk, and the operations system manages operations and maintenance events. Their standards are all inconsistent, and there is no integrated information technology risk management system. The prior art therefore lacks a unified, standardized and effective intelligent information technology risk management method.
Summary of the invention
The main purpose of the application is to provide an intelligent information technology risk management method, device, computer equipment and storage medium, so that information technology risk is managed in a unified and standardized way.
To achieve the above purpose, the application proposes an intelligent information technology risk management method, comprising:
obtaining information technology risk information, the information technology risk information including a risk occurrence possibility value and a risk impact degree value corresponding to the information technology risk;
obtaining the risk level value of the information technology risk information according to the information technology risk information, using a preset risk measurement rule;
taking the corresponding information technology risk treatment measures for the information technology risk according to the risk level value;
performing information technology risk monitoring on the information technology risk for which the corresponding treatment measures have been taken, wherein the information technology risk monitoring includes monitoring an information technology key risk indicator;
judging whether the information technology key risk indicator is greater than a preset information technology key risk indicator threshold;
if it is greater than the preset information technology key risk indicator threshold, sending information technology risk rectification information.
Further, the step of obtaining the risk level value of the information technology risk information according to the information technology risk information, using a preset risk measurement rule, comprises:
obtaining the risk occurrence possibility value and the risk impact degree value from the information technology risk information;
calculating the risk level value using the formula: risk level value = risk occurrence possibility value × risk impact degree value.
Further, the step of taking the corresponding information technology risk treatment measures for the information technology risk according to the risk level value comprises:
grading the information technology risk by a preset grading rule according to the risk level value, the grades including high risk, medium risk and low risk;
taking the corresponding information technology risk treatment measures for the information technology risk according to the grading result.
Further, the step of grading the information technology risk by a preset grading rule according to the risk level value, the grades including high risk, medium risk and low risk, comprises:
comparing the risk level value with a first risk level value threshold and a second risk level value threshold, wherein the first risk level value threshold is less than the second risk level value threshold;
if the risk level value is lower than the first risk level value threshold, grading the information technology risk as low risk;
if the risk level value is greater than or equal to the first risk level value threshold and lower than the second risk level value threshold, grading the information technology risk as medium risk;
if the risk level value is greater than or equal to the second risk level value threshold, grading the information technology risk as high risk.
Further, the step of taking the corresponding information technology risk treatment measures for the information technology risk according to the grading result comprises:
if the grading result is high risk, taking the treatment measure of risk reduction;
if the grading result is medium risk, taking the treatment measure of risk avoidance or risk transfer;
if the grading result is low risk, taking the treatment measure of risk acceptance.
Further, after the step of sending information technology risk rectification information if the indicator is greater than the preset information technology key risk indicator threshold, the method comprises:
judging whether the information technology key risk indicator after rectification is greater than the preset information technology key risk indicator threshold;
if the information technology key risk indicator after rectification is not greater than the preset information technology key risk indicator threshold, determining that the rectification is effective.
Further, after the step of judging whether the information technology key risk indicator is greater than the preset information technology key risk indicator threshold, the method comprises:
generating an information technology risk display table, the table including the information technology risk information, the risk level value, the corresponding information technology risk treatment measures, the information technology key risk indicator and the information technology key risk indicator threshold.
The application provides an intelligent information technology risk management device, comprising:
an information technology risk information acquiring unit, for obtaining information technology risk information, the information technology risk information including a risk occurrence possibility value and a risk impact degree value corresponding to the information technology risk;
a risk level value acquiring unit, for obtaining the risk level value of the information technology risk information according to the information technology risk information, using a preset risk measurement rule;
a treatment measure unit, for taking the corresponding information technology risk treatment measures for the information technology risk according to the risk level value;
a monitoring unit, for performing information technology risk monitoring on the information technology risk for which the corresponding treatment measures have been taken, wherein the information technology risk monitoring includes monitoring an information technology key risk indicator;
an information technology key risk indicator threshold judging unit, for judging whether the information technology key risk indicator is greater than a preset information technology key risk indicator threshold;
a rectification information sending unit, for sending information technology risk rectification information if the indicator is greater than the preset information technology key risk indicator threshold.
The application also provides computer equipment including a memory and a processor, the memory storing a computer program, wherein the processor implements the steps of any of the above methods when executing the computer program.
The application also provides a computer-readable storage medium on which a computer program is stored, wherein the steps of any of the above methods are implemented when the computer program is executed by a processor.
The intelligent information technology risk management method, device, computer equipment and storage medium of the application obtain a risk level value, take the corresponding information technology risk treatment measures for the information technology risk, judge whether the information technology key risk indicator is greater than the preset information technology key risk indicator threshold, and send information technology risk rectification information if it is greater than that threshold, thereby solving the technical problem of managing information technology risk in a unified and standardized way.
Brief description of the drawings
Fig. 1 is a flow diagram of the intelligent information technology risk management method of one embodiment of the application;
Fig. 2 is a schematic structural block diagram of the intelligent information technology risk management device of one embodiment of the application;
Fig. 3 is a schematic structural block diagram of the computer equipment of one embodiment of the application.
The realization of the purpose, the functional characteristics and the advantages of the application are further described in conjunction with the embodiments and with reference to the accompanying drawings.
Detailed description
To make the objects, technical solutions and advantages of the application clearer, the application is further elaborated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein only explain the application and do not limit it.
Referring to Fig. 1, an embodiment of the application provides an intelligent information technology risk management method, comprising the steps of:
S1, obtaining information technology risk information, the information technology risk information including a risk occurrence possibility value and a risk impact degree value corresponding to the information technology risk;
S2, obtaining the risk level value of the information technology risk information according to the information technology risk information, using a preset risk measurement rule;
S3, taking the corresponding information technology risk treatment measures for the information technology risk according to the risk level value;
S4, performing information technology risk monitoring on the information technology risk for which the corresponding treatment measures have been taken, wherein the information technology risk monitoring includes monitoring an information technology key risk indicator;
S5, judging whether the information technology key risk indicator is greater than a preset information technology key risk indicator threshold;
S6, if it is greater than the preset information technology key risk indicator threshold, sending information technology risk rectification information.
As described in step S1 above, information technology risk information is obtained, the information technology risk information including a risk occurrence possibility value and a risk impact degree value corresponding to the information technology risk. Information technology risk refers to the operational, legal, reputational and other risks that arise from natural factors, human factors, technical vulnerabilities and management defects in the course of a company's use of information technology. Information technology risk identification is the basis of information technology risk assessment: through risk identification, company management and information technology risk managers come to understand the information technology risks that are distributed across the information technology management processes and technical fields and that may affect the company's business operation and daily management. The assignment range of the "risk occurrence possibility value" can be any feasible range, preferably an integer in [1-5]. The "risk impact degree value" is assigned according to the size of the impact on the company's business operation after the risk occurs: the higher the value, the greater the risk impact degree, and the lower the value, the smaller the risk impact degree. The assignment range of the "risk impact degree value" can be any feasible range, preferably an integer in [1-5].
For example, if the information technology risk is the risk of being attacked by hackers and leaking information, the information technology risk information is the relevant information about the hacker attack, the corresponding risk occurrence possibility value is the numerical degree of the possibility of being attacked by hackers and leaking information, and the risk impact degree value is the numerical degree of the impact on the company of being attacked by hackers and leaking information.
Obtaining information technology risk information includes: obtaining it by querying an information technology risk library, or receiving information technology risk information that staff have obtained through information technology risk identification.
Receiving the information technology risk information obtained through information technology risk identification includes:
1, receiving the information technology risks identified after collecting the regulatory requirements and risk warnings issued by regulatory agencies;
2, receiving the information technology risks identified after summarizing company risk events;
3, receiving the information technology risks identified from internal and external audit and inspection findings, for example by collating the inspection and audit findings raised by regulatory agencies, third-party institutions, the audit bureau and external audit institutions, and by strengthening communication with regulatory agencies, third-party institutions, the audit bureau and external audit institutions;
4, receiving the information technology risks obtained by risk identification based on the practical work experience of company staff.
Examples of information technology risks: there are management loopholes in information technology management; there is a risk of information leakage in information security management; and so on. Further, the method may also include classifying the obtained information technology risk information by information technology business and/or by information technology risk category. Information technology business refers to the stages of the whole information technology life cycle, including requirements, development, testing, go-live, operations and maintenance, and so on. Information technology risk category refers to the risk categories defined in the commercial bank information technology risk management guidelines issued by the Banking Supervision Commission, including information technology governance; information technology risk management; information security; information system development, testing and maintenance; information technology operation; business continuity management; outsourcing; internal audit; external audit; and so on.
As described in step S2 above, the risk level value of the information technology risk information is obtained according to the information technology risk information, using a preset risk measurement rule. Information technology risk measurement is the process of rating the identified information technology risks so that the levels of different information technology risks can be compared. It lays the foundation for setting the priority of subsequent risk treatment and highlights the information technology risks that need attention and timely treatment.
Once the information technology risks have been identified, risk measurement is performed on the different information technology risks to obtain their risk level values, so that the degree of risk each one poses is quantified. The measurement formula is: risk level value = risk occurrence possibility value × risk impact degree value. The "risk occurrence possibility value" is assigned according to the possibility that an identified risk occurs: the higher the value, the higher the possibility that the risk occurs, and the lower the value, the lower that possibility. Counting how often a risk has occurred in the past can help judge how likely it is to occur in the future: the more often a risk has occurred in the past, the higher the possibility that it occurs in the future. The assignment range of the "risk occurrence possibility value" can be any feasible range, preferably an integer in [1-5]. The "risk impact degree value" is assigned according to the size of the impact on the company's business operation after the risk occurs: the higher the value, the greater the risk impact degree, and the lower the value, the smaller the risk impact degree. The assignment range of the "risk impact degree value" can be any feasible range, preferably an integer in [1-5].
Further, besides the measurement formula risk level value = risk occurrence possibility value × risk impact degree value, any other feasible risk measurement method may also be used.
As described in step S3 above, the corresponding information technology risk treatment measures are taken for the information technology risk according to the risk level value. Information technology risk treatment is the process of weighing the consequences and impact of the information technology risk against the cost of treating it, determining the corresponding risk treatment strategy for each risk, and taking targeted control measures and implementing them effectively.
From the foregoing, the specific risk level value of each information technology risk is known, so higher and lower risks can be distinguished. Information technology risk treatment preferably starts with the high-risk information technology risks. Information technology risk treatment strategies include risk avoidance, risk reduction, risk transfer and risk acceptance. The specific strategy can be determined by combining factors such as the identified risk occurrence possibility, impact degree and cost-benefit. A high-risk information technology risk is generally managed by risk reduction; risk avoidance or risk transfer may also be used, and in special circumstances risk acceptance may be used. For a low-risk information technology risk, risk acceptance may be used after weighing the risk occurrence possibility, impact degree, cost-benefit and other factors. For example, an information technology risk whose occurrence possibility and impact degree are both 1 is an extremely low risk and the cost of reducing it is too high, so the risk acceptance strategy is generally chosen. For a medium-risk information technology risk, risk reduction is generally used as the treatment measure, and risk avoidance, risk transfer or risk acceptance may also be used.
As described in step S4 above, information technology risk monitoring is performed on the information technology risk for which the corresponding treatment measures have been taken, wherein the information technology risk monitoring includes monitoring an information technology key risk indicator. Information technology risk monitoring is the activity of regularly and continuously monitoring the configured information technology key risk indicators, so that changes in the monitored indicators and their effect on the degree of information technology risk are discovered and understood in time. Once an information technology risk is found to have risen above the acceptable level, risk treatment is carried out promptly to keep it within the acceptable range. An information technology key risk indicator is a statistical indicator that represents changes in the company's information technology risk level and can be monitored regularly. Indicators are set according to what is being monitored, such as the number of times a system is attacked, or hard disk usage exceeding a certain proportion. The indicators can cover every field of information technology risk.
Further, risk monitoring is automated: the system automatically collects the monitored indicator data to obtain the specific information technology key risk indicator.
As described in step S5 above, it is judged whether the information technology key risk indicator is greater than the preset information technology key risk indicator threshold. The information technology key risk indicator threshold is the threshold used to judge whether the risk is acceptable. For example, when the number of times a system is attacked is used as the information technology key risk indicator, the corresponding information technology key risk indicator threshold can be set to 5 times/month.
As described in step S6 above, if the indicator is greater than the preset information technology key risk indicator threshold, information technology risk rectification information is sent. If risk monitoring finds that the information technology key risk indicator is greater than or equal to the information technology key risk indicator threshold, the current risk treatment strategy is inappropriate and is letting the risk grow too large, so the risk treatment strategy needs to be adjusted. For example, if the information technology key risk indicator is the number of times the system is attacked and the information technology key risk indicator threshold is 5 times/month, then when the system is found to be attacked 10 times/month the risk can be deemed too large and rectification is required, so information technology risk rectification information is sent to the corresponding staff.
In one embodiment, step S2 of obtaining the risk level value of the information technology risk information according to the information technology risk information, using a preset risk measurement rule, comprises:
S201, obtaining the risk occurrence possibility value and the risk impact degree value from the information technology risk information;
S202, calculating the risk level value using the formula: risk level value = risk occurrence possibility value × risk impact degree value.
As described above, the risk level value is obtained. This embodiment uses the measurement formula: risk level value = risk occurrence possibility value × risk impact degree value. The "risk occurrence possibility value" is assigned according to the possibility that an identified risk occurs: the higher the value, the higher the possibility that the risk occurs, and the lower the value, the lower that possibility. Counting how often a risk has occurred in the past can help judge how likely it is to occur in the future: the more often a risk has occurred in the past, the higher the possibility that it occurs in the future. The assignment range of the "risk occurrence possibility value" can be any feasible range, preferably an integer in [1-5]. The "risk impact degree value" is assigned according to the size of the impact on the company's business operation after the risk occurs: the higher the value, the greater the risk impact degree, and the lower the value, the smaller the risk impact degree. The assignment range of the "risk impact degree value" can be any feasible range, preferably an integer in [1-5].
In one embodiment, step S3 of taking the corresponding information technology risk treatment measures for the information technology risk according to the risk level value comprises:
S301, grading the information technology risk by a preset grading rule according to the risk level value, the grades including high risk, medium risk and low risk;
S302, taking the corresponding information technology risk treatment measures for the information technology risk according to the grading result.
As described above, the corresponding information technology risk treatment measures are taken for the information technology risk. The grading rule includes comparing the risk level value with predetermined thresholds in order to grade the information technology risk as high risk, medium risk or low risk. Alternatively, grading can be done by looking up a risk level lookup table:
Risk level lookup table
The risk level is obtained accordingly, and measures are taken according to whether the risk level is high risk, medium risk or low risk.
In one embodiment, step S301 of grading the information technology risk by a preset grading rule according to the risk level value, the grades including high risk, medium risk and low risk, comprises:
S3011, comparing the risk level value with a first risk level value threshold and a second risk level value threshold, wherein the first risk level value threshold is less than the second risk level value threshold;
S3012, if the risk level value is lower than the first risk level value threshold, grading the information technology risk as low risk;
S3013, if the risk level value is greater than or equal to the first risk level value threshold and lower than the second risk level value threshold, grading the information technology risk as medium risk;
S3014, if the risk level value is greater than or equal to the second risk level value threshold, grading the information technology risk as high risk.
As described above, risk grading is achieved. Specifically, the risk level value is measured with the formula risk level = risk occurrence possibility × risk impact degree, and a first risk level value threshold and a second risk level value threshold are then set. A risk is graded low risk when its risk level value is lower than the first risk level value threshold, high risk when its risk level value is greater than or equal to the second risk level value threshold, and medium risk when its risk level value is greater than or equal to the first risk level value threshold and lower than the second risk level value threshold. The first and second risk level value thresholds can be set according to actual needs; for example, they can be set to 4 and 12 respectively.
In this embodiment, the risk level value is compared with the first risk level value threshold and the second risk level value threshold at the same time to find which interval the risk level value falls in, so the corresponding risk grade is known in a single step. Compared with comparing against the first risk level value threshold and the second risk level value threshold in turn, a step is omitted, which gives the technical effect of being efficient and fast.
In one embodiment, step S302 of taking corresponding information technology risk disposal measures for the information technology risk according to the grading result comprises:
S3021: if the grading result is high risk, taking the disposal measure of risk reduction;
S3022: if the grading result is medium risk, taking the disposal measure of risk avoidance or risk transfer;
S3023: if the grading result is low risk, taking the disposal measure of risk acceptance.
As described above, corresponding information technology risk disposal measures are taken for the information technology risk. Information technology risk disposal preferably starts with the high-risk information technology risks. Information technology risk disposal strategies include risk avoidance, risk reduction, risk transfer and risk acceptance. The specific disposal strategy can be determined by combining factors such as the identified risk occurrence likelihood, the impact degree and cost versus benefit. For high-risk information technology risks, risk reduction is generally used; risk avoidance or risk transfer can also be used to manage the risk, and risk acceptance can be used in special circumstances. For low-risk information technology risks, risk acceptance can be used after weighing the risk occurrence likelihood, the impact degree and cost versus benefit; for example, an information technology risk whose occurrence likelihood and impact degree are both 1 is an extremely low risk, and the cost of reducing it is too high, so the disposal strategy of risk acceptance is generally chosen. For medium-risk information technology risks, the disposal measure of risk reduction is generally used, and risk avoidance, risk transfer and risk acceptance can also be used.
For example, when the information technology risk is that hard disk usage exceeds a certain proportion so that stored information is at risk of loss: if the risk is graded high risk, adding hard disks or replacing the disk with a larger-capacity one can be used as the risk reduction disposal measure; if it is graded medium risk, transferring important information to other storage devices or deleting unimportant information to free capacity can be used as the risk avoidance or risk transfer disposal measure; if it is graded low risk, for example because there is no important information on the hard disk, the risk is considered acceptable and no action is taken.
In one embodiment, after step S6 of sending information technology risk rectification information if the indicator is greater than the preset information technology key risk indicator threshold, the method comprises:
S7: judging whether the information technology key risk indicator after rectification is greater than the preset information technology key risk indicator threshold;
S8: if the information technology key risk indicator after rectification is not greater than the preset information technology key risk indicator threshold, determining that the rectification is effective.
As described above, whether the rectification is effective is determined. In this embodiment, the information technology key risk indicator is monitored after rectification to see whether it is still greater than or equal to the information technology key risk indicator threshold. If it is not, the rectification is effective and the risk disposal strategy is appropriate; if it is, the rectification is ineffective, the risk disposal strategy is inappropriate, and the risk disposal strategy should be readjusted.
In one embodiment, after step S5 of judging whether the information technology key risk indicator is greater than the preset information technology key risk indicator threshold, the method comprises:
S9: generating an information technology risk display table, the information technology risk display table including the information technology risk information, the risk level value, the corresponding information technology risk disposal measures, the information technology key risk indicator and the information technology key risk indicator threshold.
As described above, an information technology risk display table is generated, so that the information technology risks are shown intuitively and staff can read them and manage them accordingly. The information technology risk information, the risk level value, the corresponding information technology risk disposal measures, the information technology key risk indicator and the information technology key risk indicator threshold included in the display table can be stored in a database, and the data is retrieved from the database in order to generate the information technology risk display table.
The information technology risk intelligent management method of the present application obtains the risk level value, takes corresponding information technology risk disposal measures for the information technology risk, judges whether the information technology key risk indicator is greater than the preset information technology key risk indicator threshold, and, if it is greater than the preset threshold, sends information technology risk rectification information. This solves the technical problem of managing information technology risk in a unified and standardized way.
Referring to Fig. 2, an embodiment of the present application provides an information technology risk intelligent management apparatus, comprising:
an information technology risk information acquiring unit 10, for obtaining information technology risk information, the information technology risk information including a risk occurrence likelihood value and a risk impact degree value corresponding to the information technology risk;
a risk level value acquiring unit 20, for obtaining the risk level value of the information technology risk information from the information technology risk information using a preset risk measurement rule;
a disposal measure taking unit 30, for taking corresponding information technology risk disposal measures for the information technology risk according to the risk level value;
a monitoring unit 40, for carrying out information technology risk monitoring on the information technology risk for which corresponding disposal measures have been taken, wherein the information technology risk monitoring includes monitoring an information technology key risk indicator;
an information technology key risk indicator threshold judging unit 50, for judging whether the information technology key risk indicator is greater than a preset information technology key risk indicator threshold;
a rectification information sending unit 60, for sending information technology risk rectification information if the indicator is greater than the preset information technology key risk indicator threshold.
As described for unit 10 above, information technology risk information is obtained, the information technology risk information including a risk occurrence likelihood value and a risk impact degree value corresponding to the information technology risk. Information technology risk refers to the operational, legal, reputational and other risks that arise from natural factors, human factors, technical vulnerabilities and management defects in the course of the company's use of information technology. Information technology risk identification is the basis of information technology risk assessment: risk identification helps company management and information technology risk managers understand the information technology risks that are distributed across the information technology management processes and technical fields and that may affect the company's business operation and daily management. The value range of the "risk occurrence likelihood value" can be any feasible range, preferably integers in [1-5]. The "risk impact degree value" is assigned according to the size of the impact on the company's business operation after the risk occurs: a higher value indicates a greater risk impact degree and a lower value a smaller one. The value range of the "risk impact degree value" can be any feasible range, preferably integers in [1-5].
For example, if the information technology risk is the risk of information being leaked as a result of a hacker attack, the information technology risk information is the information related to the hacker attack, the corresponding risk occurrence likelihood value is a number expressing how likely it is that information is leaked through a hacker attack, and the risk impact degree value is a number expressing how much the company is affected when information is leaked through a hacker attack.
Obtaining information technology risk information includes: obtaining it by querying an information technology risk library, or receiving information technology risk information obtained by staff through information technology risk identification.
Receiving the information technology risk information obtained through information technology risk identification includes:
1. receiving information technology risks identified after collecting the regulatory requirements and risk alerts issued by regulatory agencies;
2. receiving information technology risks identified by summarizing the company's risk events;
3. receiving information technology risks identified from internal and external audit and inspection findings, for example: collating the inspection and audit findings raised by regulatory agencies, third-party organizations, the audit bureau and external audit organizations, and strengthening communication with regulatory agencies, third-party organizations, the audit bureau and external audit organizations;
4. receiving information technology risks identified by company staff on the basis of their practical work experience.
Examples of information technology risks: there are management loopholes in information technology management; there is a risk of information leakage in information security management; and so on. Further, the obtained information technology risk information can also be classified by information technology business and/or information technology risk category. Information technology business refers to the stages of the whole information technology life cycle, including requirements, development, testing, go-live, and operation and maintenance. Information technology risk categories are the risk categories defined in the commercial bank information technology risk management guidelines issued by the China Banking Regulatory Commission, including information technology governance; information technology risk management; information security; information system development, testing and maintenance; information technology operation; business continuity management; outsourcing; internal audit; external audit; and so on.
As described for unit 20 above, the risk level value of the information technology risk information is obtained from the information technology risk information using a preset risk measurement rule. Information technology risk measurement is the process of rating the identified information technology risks so that the levels of different information technology risks can be compared. It lays the foundation for setting the priority of subsequent risk disposal and highlights the information technology risks that need attention and timely disposal.
Once the information technology risks have been identified, risk measurement is carried out on the different information technology risks to obtain their risk level values, so that the degree of risk that each information technology risk presents is expressed as a number. The specific measurement formula is: risk level value = risk occurrence likelihood value × risk impact degree value. The "risk occurrence likelihood value" is assigned according to how likely the identified risk is to occur: a higher value indicates a higher likelihood of occurrence and a lower value a lower one. Counting how often a risk occurred in the past can help to judge how likely it is to occur in the future; the more often a risk occurred in the past, the higher its likelihood of occurring in the future. The value range of the "risk occurrence likelihood value" can be any feasible range, preferably integers in [1-5]. The "risk impact degree value" is assigned according to the size of the impact on the company's business operation after the risk occurs: a higher value indicates a greater risk impact degree and a lower value a smaller one. The value range of the "risk impact degree value" can be any feasible range, preferably integers in [1-5].
Further, besides the measurement formula risk level value = risk occurrence likelihood value × risk impact degree value, any other feasible risk measurement method can also be used.
As described for unit 30 above, corresponding information technology risk disposal measures are taken for the information technology risk according to the risk level value. Information technology risk disposal is the process of weighing the consequences and impact of an information technology risk against the cost of disposing of it, determining a corresponding risk disposal strategy for each risk, and taking targeted control measures and implementing them effectively.
From the foregoing, the specific risk level value of each information technology risk is known, so that higher and lower risks can be distinguished. Information technology risk disposal preferably starts with the high-risk information technology risks. Information technology risk disposal strategies include risk avoidance, risk reduction, risk transfer and risk acceptance. The specific disposal strategy can be determined by combining factors such as the identified risk occurrence likelihood, the impact degree and cost versus benefit. For high-risk information technology risks, risk reduction is generally used; risk avoidance or risk transfer can also be used to manage the risk, and risk acceptance can be used in special circumstances. For low-risk information technology risks, risk acceptance can be used after weighing the risk occurrence likelihood, the impact degree and cost versus benefit; for example, an information technology risk whose occurrence likelihood and impact degree are both 1 is an extremely low risk, and the cost of reducing it is too high, so the disposal strategy of risk acceptance is generally chosen. For medium-risk information technology risks, the disposal measure of risk reduction is generally used, and risk avoidance, risk transfer and risk acceptance can also be used.
As described for unit 40 above, information technology risk monitoring is carried out on the information technology risk for which corresponding disposal measures have been taken, wherein the information technology risk monitoring includes monitoring an information technology key risk indicator. Information technology risk monitoring means periodically and continuously monitoring the configured information technology key risk indicators so that changes in the monitored indicators, and their effect on the degree of information technology risk, are discovered and understood in time. Once a change in information technology risk is found to exceed the acceptable level, risk disposal is carried out in time so that the risk stays within the acceptable range. An information technology key risk indicator is a statistical indicator that represents changes in the company's information technology risk level and can be monitored periodically. Indicators are set according to what is being monitored, for example the number of attacks on a system, or hard disk usage exceeding a certain proportion. The indicators can cover the whole field of information technology risk.
Further, risk monitoring is automated: the system automatically collects the monitored indicator data to obtain the specific information technology key risk indicators.
As described for unit 50 above, it is judged whether the information technology key risk indicator is greater than the preset information technology key risk indicator threshold. The information technology key risk indicator threshold is the threshold used to judge whether the risk is acceptable. For example, when the number of attacks on a system is used as the information technology key risk indicator, the corresponding threshold can be set to 5 times/month.
As described for unit 60 above, if the indicator is greater than the preset information technology key risk indicator threshold, information technology risk rectification information is sent. If risk monitoring finds that the information technology key risk indicator is greater than or equal to the information technology key risk indicator threshold, the current risk disposal strategy is inappropriate and the risk is too large, so the risk disposal strategy needs to be adjusted. For example, if the information technology key risk indicator is the number of attacks on a system and the threshold is 5 times/month, then when the number of attacks on the system is found to be 10 times/month the risk can be judged too large and rectification is required, so information technology risk rectification information is sent to the corresponding staff.
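The scoring, grading and monitoring flow described for units 10 to 60 can be sketched as follows. This is an added example, not code from the patent: every function, class and sample name is hypothetical, while the 1 to 5 scales, the thresholds 4 and 12, the 5 attacks/month threshold and the strict "greater than" test of steps S5 to S8 are taken from the text.

```python
from bisect import bisect_right
from dataclasses import dataclass
from enum import Enum


class Grade(Enum):
    LOW = "low risk"
    MEDIUM = "medium risk"
    HIGH = "high risk"


# Disposal measures per grade, as listed in steps S3021 to S3023.
DISPOSAL = {
    Grade.HIGH: ["risk reduction"],
    Grade.MEDIUM: ["risk avoidance", "risk transfer"],
    Grade.LOW: ["risk acceptance"],
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int       # risk occurrence likelihood value, 1..5
    impact: int           # risk impact degree value, 1..5
    kri_name: str         # key risk indicator monitored for this risk
    kri_threshold: float  # preset key risk indicator threshold


def risk_level(likelihood, impact):
    """Risk level value = likelihood value x impact degree value."""
    for v in (likelihood, impact):
        if isinstance(v, bool) or not isinstance(v, int) or not 1 <= v <= 5:
            raise ValueError("score must be an integer in 1..5")
    return likelihood * impact


def grade(level, first=4, second=12):
    """One lookup against both thresholds: < first, [first, second), >= second."""
    if not first < second:
        raise ValueError("first threshold must be below the second")
    return (Grade.LOW, Grade.MEDIUM, Grade.HIGH)[bisect_right([first, second], level)]


def monitor(readings, threshold):
    """Walk periodic KRI readings and report what the method does each period.

    A reading strictly greater than the threshold triggers a rectification
    notice (S5/S6); the next reading decides whether it worked (S7/S8).
    """
    events, pending = [], False
    for period, value in readings:
        exceeded = value > threshold
        if pending:
            events.append((period, "rectification ineffective" if exceeded
                           else "rectification effective"))
            pending = exceeded  # an ineffective strategy is adjusted and re-checked
        elif exceeded:
            events.append((period, "send rectification notice"))
            pending = True
        else:
            events.append((period, "within threshold"))
    return events


def display_table(risks, latest_kri):
    """Rows of the display table (S9), highest risk level first."""
    rows = []
    for r in risks:
        level = risk_level(r.likelihood, r.impact)
        g = grade(level)
        rows.append({
            "risk": r.name, "level": level, "grade": g.value,
            "disposal": DISPOSAL[g], "kri": r.kri_name,
            "kri_value": latest_kri.get(r.name),
            "kri_threshold": r.kri_threshold,
        })
    return sorted(rows, key=lambda row: row["level"], reverse=True)


# Constructed sample data (scores, the 0.8 ratio and the months are made up).
RISKS = [
    Risk("hard disk capacity exceeded", 2, 3, "hard disk usage ratio", 0.8),
    Risk("information leaked through hacker attack", 4, 5,
         "attacks on system per month", 5),
    Risk("risk with likelihood 1 and impact 1", 1, 1, "events per month", 2),
]
ATTACK_COUNTS = [("2024-01", 3), ("2024-02", 10), ("2024-03", 4)]

if __name__ == "__main__":
    latest = {"information leaked through hacker attack": ATTACK_COUNTS[-1][1]}
    for row in display_table(RISKS, latest):
        print(row)
    for event in monitor(ATTACK_COUNTS, threshold=5):
        print(event)
```

A reading exactly equal to the threshold counts as acceptable here; the description of unit 60 also mentions "greater than or equal to", so the comparison in `monitor` is the place to change if that reading is preferred.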
In one embodiment, the risk level value acquiring unit 20 comprises:
a risk occurrence likelihood value and risk impact degree value obtaining subunit, for obtaining the risk occurrence likelihood value and the risk impact degree value from the information technology risk information;
a risk level value calculating subunit, for calculating the risk level value using the formula: risk level value = risk occurrence likelihood value × risk impact degree value.
As described above, the risk level value is obtained. This embodiment uses the measurement formula: risk level value = risk occurrence likelihood value × risk impact degree value. The "risk occurrence likelihood value" is assigned according to how likely the identified risk is to occur: a higher value indicates a higher likelihood of occurrence and a lower value a lower one. Counting how often a risk occurred in the past can help to judge how likely it is to occur in the future; the more often a risk occurred in the past, the higher its likelihood of occurring in the future. The value range of the "risk occurrence likelihood value" can be any feasible range, preferably integers in [1-5]. The "risk impact degree value" is assigned according to the size of the impact on the company's business operation after the risk occurs: a higher value indicates a greater risk impact degree and a lower value a smaller one. The value range of the "risk impact degree value" can be any feasible range, preferably integers in [1-5].
In one embodiment, the disposal measure taking unit 30 comprises:
a grading subunit, for grading the information technology risk by a preset grading rule according to the risk level value, the grades comprising high risk, medium risk and low risk;
a disposal measure taking subunit, for taking corresponding information technology risk disposal measures for the information technology risk according to the grading result.
As described above, corresponding information technology risk disposal measures are taken for the information technology risk. The grading rule includes comparing the risk level value with predetermined thresholds so as to grade the information technology risk as high risk, medium risk or low risk. Alternatively, the grading can be performed by looking up a risk level lookup table:
Risk level lookup table
The risk level is obtained accordingly, and measures are taken according to whether the risk level is high risk, medium risk or low risk.
In one embodiment, the grading subunit comprises:
a comparison module, for comparing the risk level value with a first risk level value threshold and a second risk level value threshold, wherein the first risk level value threshold is less than the second risk level value threshold;
a low-risk grading module, for grading the information technology risk as low risk if the risk level value is lower than the first risk level value threshold;
a medium-risk grading module, for grading the information technology risk as medium risk if the risk level value is greater than or equal to the first risk level value threshold and lower than the second risk level value threshold;
a high-risk grading module, for grading the information technology risk as high risk if the risk level value is greater than or equal to the second risk level value threshold.
As described above, risk grading is realized. Specifically, the risk level value is measured with the formula: risk level = risk occurrence likelihood × risk impact degree, and a first risk level value threshold and a second risk level value threshold are then set. A risk is graded low risk when its risk level value is lower than the first risk level value threshold; it is graded high risk when its risk level value is greater than or equal to the second risk level value threshold; and it is graded medium risk when its risk level value is greater than or equal to the first risk level value threshold and lower than the second risk level value threshold. The first and second risk level value thresholds can be set according to actual needs; for example, they can be set to 4 and 12 respectively.
In this embodiment, the risk level value is compared with the first risk level value threshold and the second risk level value threshold at the same time to determine which interval the risk level value falls in, so that the corresponding grading is known in a single step. Compared with comparing against the first risk level value threshold and the second risk level value threshold in sequence, a step is omitted, which gives an efficient and fast technical effect.
In one embodiment, the disposal measure taking subunit comprises:
a high-risk disposal module, for taking the disposal measure of risk reduction if the grading result is high risk;
a medium-risk disposal module, for taking the disposal measure of risk avoidance or risk transfer if the grading result is medium risk;
a low-risk disposal module, for taking the disposal measure of risk acceptance if the grading result is low risk.
As described above, corresponding information technology risk disposal measures are taken for the information technology risk. Information technology risk disposal preferably starts with the high-risk information technology risks. Information technology risk disposal strategies include risk avoidance, risk reduction, risk transfer and risk acceptance. The specific disposal strategy can be determined by combining factors such as the identified risk occurrence likelihood, the impact degree and cost versus benefit. For high-risk information technology risks, risk reduction is generally used; risk avoidance or risk transfer can also be used to manage the risk, and risk acceptance can be used in special circumstances. For low-risk information technology risks, risk acceptance can be used after weighing the risk occurrence likelihood, the impact degree and cost versus benefit; for example, an information technology risk whose occurrence likelihood and impact degree are both 1 is an extremely low risk, and the cost of reducing it is too high, so the disposal strategy of risk acceptance is generally chosen. For medium-risk information technology risks, the disposal measure of risk reduction is generally used, and risk avoidance, risk transfer and risk acceptance can also be used.
For example, when the information technology risk is that hard disk usage exceeds a certain proportion so that stored information is at risk of loss: if the risk is graded high risk, adding hard disks or replacing the disk with a larger-capacity one can be used as the risk reduction disposal measure; if it is graded medium risk, transferring important information to other storage devices or deleting unimportant information to free capacity can be used as the risk avoidance or risk transfer disposal measure; if it is graded low risk, for example because there is no important information on the hard disk, the risk is considered acceptable and no action is taken.
In one embodiment, the information technology risk intelligent management apparatus comprises:
an information technology key risk indicator threshold judging unit, for judging whether the information technology key risk indicator after rectification is greater than the preset information technology key risk indicator threshold;
a rectification-effective determining unit, for determining that the rectification is effective if the information technology key risk indicator after rectification is not greater than the preset information technology key risk indicator threshold.
As described above, whether the rectification is effective is determined. In this embodiment, the information technology key risk indicator is monitored after rectification to see whether it is still greater than or equal to the information technology key risk indicator threshold. If it is not, the rectification is effective and the risk disposal strategy is appropriate; if it is, the rectification is ineffective, the risk disposal strategy is inappropriate, and the risk disposal strategy should be readjusted.
In one embodiment, the information technology risk intelligent management apparatus comprises:
an information technology risk display table generating unit, for generating an information technology risk display table, the information technology risk display table including the information technology risk information, the risk level value, the corresponding information technology risk disposal measures, the information technology key risk indicator and the information technology key risk indicator threshold.
As described above, an information technology risk display table is generated, so that the information technology risks are shown intuitively and staff can read them and manage them accordingly. The information technology risk information, the risk level value, the corresponding information technology risk disposal measures, the information technology key risk indicator and the information technology key risk indicator threshold included in the display table can be stored in a database, and the data is retrieved from the database in order to generate the information technology risk display table.
The information technology risk intelligent management apparatus of the present application obtains the risk level value, takes corresponding information technology risk disposal measures for the information technology risk, judges whether the information technology key risk indicator is greater than the preset information technology key risk indicator threshold, and, if it is greater than the preset threshold, sends information technology risk rectification information. This solves the technical problem of managing information technology risk in a unified and standardized way.
Referring to Fig. 3, a kind of computer equipment is also provided in the embodiment of the present invention, which can be server, Its internal structure can be as shown in the figure.The computer equipment includes that the processor, memory, network connected by system bus connects Mouth and database.Wherein, the processor of the Computer Design is for providing calculating and control ability.The storage of the computer equipment Device includes non-volatile memory medium, built-in storage.The non-volatile memory medium be stored with operating system, computer program and Database.The internal memory provides environment for the operation of operating system and computer program in non-volatile memory medium.The meter The database of machine equipment is calculated for storing data used in Information technology risk intelligent management.The network of the computer equipment connects Mouth with external terminal by network connection for being communicated.To realize a kind of Information Center when the computer program is executed by processor Skill risk intelligent management.
The processor executes the above information technology risk intelligent management method, which comprises: obtaining information technology risk information, the information technology risk information including a risk occurrence likelihood value and a risk impact degree value corresponding to the information technology risk; obtaining the risk class value of the information technology risk information from the information technology risk information using a preset risk technique rule; taking corresponding information technology risk disposal measures for the information technology risk according to the risk class value; performing information technology risk monitoring on the information technology risk for which the corresponding information technology risk disposal measures have been taken, wherein the information technology risk monitoring includes monitoring an information technology key risk indicator; judging whether the information technology key risk indicator is greater than a preset information technology key risk indicator threshold; and, if it is greater than the preset information technology key risk indicator threshold, sending information technology risk rectification information.
In one embodiment, the step of obtaining the risk class value of the information technology risk information from the information technology risk information using a preset risk technique rule comprises: obtaining the risk occurrence likelihood value and the risk impact degree value from the information technology risk information; and calculating the risk class value using the formula: risk class value = risk occurrence likelihood value × risk impact degree value.
In one embodiment, the step of taking corresponding information technology risk disposal measures for the information technology risk according to the risk class value comprises: classifying the information technology risk according to the risk class value by a preset classification rule, the classes including low risk, medium risk and high risk; and taking corresponding information technology risk disposal measures for the information technology risk according to the classification result.
In one embodiment, the step of classifying the information technology risk according to the risk class value by a preset classification rule, the classes including low risk, medium risk and high risk, comprises: comparing the risk class value with a first risk class value threshold and a second risk class value threshold, wherein the first risk class value threshold is less than the second risk class value threshold; if the risk class value is lower than the first risk class value threshold, classifying the information technology risk as low risk; if the risk class value is greater than or equal to the first risk class value threshold and lower than the second risk class value threshold, classifying the information technology risk as medium risk; and if the risk class value is greater than or equal to the second risk class value threshold, classifying the information technology risk as high risk.
In one embodiment, the step of taking corresponding information technology risk disposal measures for the information technology risk according to the classification result comprises: if the classification result is high risk, taking the disposal measure of risk reduction; if the classification result is medium risk, taking the disposal measure of risk avoidance or risk transfer; and if the classification result is low risk, taking the disposal measure of risk acceptance.
In one embodiment, after the step of sending information technology risk rectification information if the indicator is greater than the preset information technology key risk indicator threshold, the method comprises: judging whether the information technology key risk indicator after rectification is greater than the preset information technology key risk indicator threshold; and, if the information technology key risk indicator after rectification is not greater than the preset information technology key risk indicator threshold, determining that the rectification is effective.
In one embodiment, after the step of judging whether the information technology key risk indicator is greater than the preset information technology key risk indicator threshold, the method comprises: generating an information technology risk display table, the information technology risk display table including the information technology risk information, the risk class value, the corresponding information technology risk disposal measures, the information technology key risk indicator and the information technology key risk indicator threshold.
Those skilled in the art will understand that the structure shown in the figure is only a block diagram of the part of the structure relevant to the solution of the present application, and does not limit the computer device to which the solution of the present application is applied.
The computer device of the present application obtains a risk class value, takes corresponding information technology risk disposal measures for the information technology risk, judges whether the information technology key risk indicator is greater than a preset information technology key risk indicator threshold and, if it is, sends information technology risk rectification information, thereby solving the technical problem of managing information technology risk in a unified and standardized manner.
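The embodiments above, carried end to end over a small risk register, as an added example that is not code from the patent. The 1 to 5 scoring scale, the threshold values 6 and 15, the status strings and the register entries are all assumptions constructed for illustration; the pairing of class to disposal measure and the strict "greater than" indicator test follow the text.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed numbers: the text requires first threshold < second threshold but
# gives no values here; the 1-5 scoring scale is likewise an assumption.
FIRST_THRESHOLD, SECOND_THRESHOLD = 6, 15
SCALE = range(1, 6)

# Disposal measure per class, paired exactly as the embodiments pair them.
DISPOSAL = {
    "high": "risk reduction",
    "medium": "risk avoidance or risk transfer",
    "low": "risk acceptance",
}


@dataclass
class Risk:
    name: str
    likelihood: int                    # risk occurrence likelihood value
    impact: int                        # risk impact degree value
    kri: float                         # monitored key risk indicator
    kri_threshold: float               # preset key risk indicator threshold
    kri_after: Optional[float] = None  # indicator re-measured after rectification


def risk_class_value(risk):
    """Risk class value = likelihood value x impact value, with input checks."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.name}: scores must be integers from 1 to 5")
    return risk.likelihood * risk.impact


def classify(value, first=FIRST_THRESHOLD, second=SECOND_THRESHOLD):
    """Two-threshold rule: below first is low, below second is medium, else high."""
    if not first < second:
        raise ValueError("first threshold must be less than second threshold")
    if value < first:
        return "low"
    if value < second:
        return "medium"
    return "high"


def monitor(risk):
    """Compare the indicator with its threshold, then verify any rectification."""
    if not risk.kri > risk.kri_threshold:      # equal to threshold is not a breach
        return "within threshold"
    if risk.kri_after is None:                 # notice sent, no re-measurement yet
        return "rectification sent"
    if risk.kri_after > risk.kri_threshold:    # still above threshold
        return "rectification ineffective"
    return "rectification effective"


def display_table(risks):
    """One row per risk with the fields the display table is said to contain."""
    rows = []
    for r in risks:
        value = risk_class_value(r)
        grade = classify(value)
        rows.append({
            "risk": r.name, "class_value": value, "class": grade,
            "disposal": DISPOSAL[grade], "kri": r.kri,
            "kri_threshold": r.kri_threshold, "status": monitor(r),
        })
    return rows


# Constructed sample register (not data from the patent).
REGISTER = [
    Risk("core system outage", 4, 5, kri=130, kri_threshold=60, kri_after=45),
    Risk("unpatched servers", 3, 2, kri=12.0, kri_threshold=5.0, kri_after=8.0),
    Risk("test data exposure", 1, 3, kri=2, kri_threshold=2),
    Risk("backup failures", 3, 5, kri=9, kri_threshold=5),
]

if __name__ == "__main__":
    for row in display_table(REGISTER):
        print(row)
```

The second and fourth entries sit exactly on the first and second thresholds, which shows that both boundaries fall into the higher class, while the third entry shows that an indicator equal to its threshold does not trigger rectification.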
An embodiment of the present application also provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, it implements an information technology risk intelligent management method, which comprises: obtaining information technology risk information, the information technology risk information including a risk occurrence likelihood value and a risk impact degree value corresponding to the information technology risk; obtaining the risk class value of the information technology risk information from the information technology risk information using a preset risk technique rule; taking corresponding information technology risk disposal measures for the information technology risk according to the risk class value; performing information technology risk monitoring on the information technology risk for which the corresponding information technology risk disposal measures have been taken, wherein the information technology risk monitoring includes monitoring an information technology key risk indicator; judging whether the information technology key risk indicator is greater than a preset information technology key risk indicator threshold; and, if it is greater than the preset information technology key risk indicator threshold, sending information technology risk rectification information.
In one embodiment, the step of obtaining the risk class value of the information technology risk information from the information technology risk information using a preset risk technique rule comprises: obtaining the risk occurrence likelihood value and the risk impact degree value from the information technology risk information; and calculating the risk class value using the formula: risk class value = risk occurrence likelihood value × risk impact degree value.
In one embodiment, the step of taking corresponding information technology risk disposal measures for the information technology risk according to the risk class value comprises: classifying the information technology risk according to the risk class value by a preset classification rule, the classes including low risk, medium risk and high risk; and taking corresponding information technology risk disposal measures for the information technology risk according to the classification result.
In one embodiment, the step of classifying the information technology risk according to the risk class value by a preset classification rule, the classes including low risk, medium risk and high risk, comprises: comparing the risk class value with a first risk class value threshold and a second risk class value threshold, wherein the first risk class value threshold is less than the second risk class value threshold; if the risk class value is lower than the first risk class value threshold, classifying the information technology risk as low risk; if the risk class value is greater than or equal to the first risk class value threshold and lower than the second risk class value threshold, classifying the information technology risk as medium risk; and if the risk class value is greater than or equal to the second risk class value threshold, classifying the information technology risk as high risk.
In one embodiment, the step of taking corresponding information technology risk disposal measures for the information technology risk according to the classification result comprises: if the classification result is high risk, taking the disposal measure of risk reduction; if the classification result is medium risk, taking the disposal measure of risk avoidance or risk transfer; and if the classification result is low risk, taking the disposal measure of risk acceptance.
In one embodiment, after the step of sending information technology risk rectification information if the indicator is greater than the preset information technology key risk indicator threshold, the method comprises: judging whether the information technology key risk indicator after rectification is greater than the preset information technology key risk indicator threshold; and, if the information technology key risk indicator after rectification is not greater than the preset information technology key risk indicator threshold, determining that the rectification is effective.
In one embodiment, after the step of judging whether the information technology key risk indicator is greater than the preset information technology key risk indicator threshold, the method comprises: generating an information technology risk display table, the information technology risk display table including the information technology risk information, the risk class value, the corresponding information technology risk disposal measures, the information technology key risk indicator and the information technology key risk indicator threshold.
The computer-readable storage medium of the present application obtains a risk class value, takes corresponding information technology risk disposal measures for the information technology risk, judges whether the information technology key risk indicator is greater than a preset information technology key risk indicator threshold and, if it is, sends information technology risk rectification information, thereby solving the technical problem of managing information technology risk in a unified and standardized manner.
Those of ordinary skill in the art will understand that all or part of the processes in the methods of the above embodiments can be completed by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. Any reference to memory, storage, a database or other media used in the embodiments provided in the present application may include non-volatile and/or volatile memory. Non-volatile memory may include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory may include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
It should be noted that, in this document, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, apparatus, article or method that includes a series of elements includes not only those elements but also other elements that are not explicitly listed, or elements inherent to that process, apparatus, article or method. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, apparatus, article or method that includes the element.
The above are only preferred embodiments of the present application and do not limit its patent scope. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present application, whether applied directly or indirectly in other related technical fields, is likewise included in the scope of patent protection of the present application.

Claims (10)

1. An information technology risk intelligent management method, characterized by comprising:
obtaining information technology risk information, the information technology risk information including a risk occurrence likelihood value and a risk impact degree value corresponding to the information technology risk;
obtaining the risk class value of the information technology risk information from the information technology risk information using a preset risk technique rule;
taking corresponding information technology risk disposal measures for the information technology risk according to the risk class value;
performing information technology risk monitoring on the information technology risk for which the corresponding information technology risk disposal measures have been taken, wherein the information technology risk monitoring includes monitoring an information technology key risk indicator;
judging whether the information technology key risk indicator is greater than a preset information technology key risk indicator threshold;
if it is greater than the preset information technology key risk indicator threshold, sending information technology risk rectification information.
2. The information technology risk intelligent management method according to claim 1, characterized in that the step of obtaining the risk class value of the information technology risk information from the information technology risk information using a preset risk technique rule comprises:
obtaining the risk occurrence likelihood value and the risk impact degree value from the information technology risk information;
calculating the risk class value using the formula: risk class value = risk occurrence likelihood value × risk impact degree value.
3. The information technology risk intelligent management method according to claim 1, characterized in that the step of taking corresponding information technology risk disposal measures for the information technology risk according to the risk class value comprises:
classifying the information technology risk according to the risk class value by a preset classification rule, the classes including low risk, medium risk and high risk;
taking corresponding information technology risk disposal measures for the information technology risk according to the classification result.
4. The information technology risk intelligent management method according to claim 3, characterized in that the step of classifying the information technology risk according to the risk class value by a preset classification rule, the classes including low risk, medium risk and high risk, comprises:
comparing the risk class value with a first risk class value threshold and a second risk class value threshold, wherein the first risk class value threshold is less than the second risk class value threshold;
if the risk class value is lower than the first risk class value threshold, classifying the information technology risk as low risk;
if the risk class value is greater than or equal to the first risk class value threshold and lower than the second risk class value threshold, classifying the information technology risk as medium risk;
if the risk class value is greater than or equal to the second risk class value threshold, classifying the information technology risk as high risk.
5. The information technology risk intelligent management method according to claim 3, characterized in that the step of taking corresponding information technology risk disposal measures for the information technology risk according to the classification result comprises:
if the classification result is high risk, taking the disposal measure of risk reduction;
if the classification result is medium risk, taking the disposal measure of risk avoidance or risk transfer;
if the classification result is low risk, taking the disposal measure of risk acceptance.
6. The information technology risk intelligent management method according to claim 1, characterized in that, after the step of sending information technology risk rectification information if the indicator is greater than the preset information technology key risk indicator threshold, the method comprises:
judging whether the information technology key risk indicator after rectification is greater than the preset information technology key risk indicator threshold;
if the information technology key risk indicator after rectification is not greater than the preset information technology key risk indicator threshold, determining that the rectification is effective.
7. The information technology risk intelligent management method according to claim 1, characterized in that, after the step of judging whether the information technology key risk indicator is greater than the preset information technology key risk indicator threshold, the method comprises:
generating an information technology risk display table, the information technology risk display table including the information technology risk information, the risk class value, the corresponding information technology risk disposal measures, the information technology key risk indicator and the information technology key risk indicator threshold.
8. An information technology risk intelligent management apparatus, characterized by comprising:
an information technology risk information acquiring unit, for obtaining information technology risk information, the information technology risk information including a risk occurrence likelihood value and a risk impact degree value corresponding to the information technology risk;
a risk class value acquiring unit, for obtaining the risk class value of the information technology risk information from the information technology risk information using a preset risk technique rule;
a disposal measure taking unit, for taking corresponding information technology risk disposal measures for the information technology risk according to the risk class value;
a monitoring unit, for performing information technology risk monitoring on the information technology risk for which the corresponding information technology risk disposal measures have been taken, wherein the information technology risk monitoring includes monitoring an information technology key risk indicator;
an information technology key risk indicator threshold judging unit, for judging whether the information technology key risk indicator is greater than a preset information technology key risk indicator threshold;
a rectification information sending unit, for sending information technology risk rectification information if the indicator is greater than the preset information technology key risk indicator threshold.
9. A computer device, including a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method according to any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 7.
CN201811341806.1A 2018-11-12 2018-11-12 Information technology risk intelligent management, device and computer equipment Pending CN109670315A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811341806.1A CN109670315A (en) 2018-11-12 2018-11-12 Information technology risk intelligent management, device and computer equipment

Publications (1)

Publication Number Publication Date
CN109670315A true CN109670315A (en) 2019-04-23

Family

ID=66142477

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811341806.1A Pending CN109670315A (en) 2018-11-12 2018-11-12 Information technology risk intelligent management, device and computer equipment

Country Status (1)

Country Link
CN (1) CN109670315A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110827032A (en) * 2019-09-26 2020-02-21 支付宝(杭州)信息技术有限公司 Intelligent wind control decision method and system and service processing method and system
CN112560028A (en) * 2020-12-24 2021-03-26 深圳昂楷科技有限公司 Method and device for protecting key file and server
CN118211824A (en) * 2024-03-12 2024-06-18 北京市科学技术研究院城市安全与环境科学研究所 Scientific and technological achievement risk early warning equipment based on distributed acquisition

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060058186A (en) * 2004-11-24 2006-05-29 이형원 Information technology risk management system and method the same
US20120053982A1 (en) * 2010-09-01 2012-03-01 Bank Of America Corporation Standardized Technology and Operations Risk Management (STORM)
CN107330579A (en) * 2017-05-26 2017-11-07 陈曦 A kind of HSE risk stratifications managing and control system

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
唱红涛;: "分行IT风险监控与评估平台", 中国金融电脑, no. 06, pages 32 - 35 *
张红蕾 等: "浅议质量风险管理", 《才智》, pages 301 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110827032A (en) * 2019-09-26 2020-02-21 支付宝(杭州)信息技术有限公司 Intelligent wind control decision method and system and service processing method and system
CN110827032B (en) * 2019-09-26 2021-08-03 支付宝(杭州)信息技术有限公司 Intelligent wind control decision method and system and service processing method and system
CN112560028A (en) * 2020-12-24 2021-03-26 深圳昂楷科技有限公司 Method and device for protecting key file and server
CN118211824A (en) * 2024-03-12 2024-06-18 北京市科学技术研究院城市安全与环境科学研究所 Scientific and technological achievement risk early warning equipment based on distributed acquisition

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination