CN110956347A - Method and device for calculating risk coefficient of data, storage medium and processor - Google Patents

Publication number: CN110956347A
Authority: CN (China)
Application number: CN201811131508.XA
Other languages: Chinese (zh)
Inventor: 唐立军
Current Assignee: Beijing Gridsum Technology Co Ltd
Original Assignee: Beijing Gridsum Technology Co Ltd
Application filed by: Beijing Gridsum Technology Co Ltd
Legal status: Pending
Prior art keywords: data, risk, level, historical, grade

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0635 Risk analysis of enterprise or organisation activities

Abstract

The invention provides a method for calculating a risk coefficient of data, which comprises the following steps: identifying data needing risk coefficient calculation; constructing a risk attribute level of the data based on the importance degree of the data and the risks the data faces; and calculating the risk coefficient of the data according to the risk attribute level of the data. By identifying the data that needs risk coefficient calculation, constructing the risk attribute level starting from the data itself, and calculating the risk coefficient from that level, the method considers risk from the perspective of the data, and the risk of the data can be known from the resulting risk coefficient. The invention also provides a device for calculating the risk coefficient of the data, a storage medium and a processor corresponding to the method.

Description

Method and device for calculating risk coefficient of data, storage medium and processor
Technical Field
The present invention relates to the field of information security, and in particular, to a method and an apparatus for calculating a risk coefficient of data, a storage medium, and a processor.
Background
At present, many enterprises establish their own information security centers for data security. The information security center is a centralized management facility that manages user identity authentication, firewalls and the like, thereby monitoring the running state of network equipment, protecting the security of data processing, and collecting audit information from network security equipment. The information security center is therefore mainly used to perform attack prevention and potential-threat prevention for network devices, servers, operating systems and application systems, ensuring that they are in a safe state; that is, the risk to data is considered from these aspects.
Even so, enterprise data is still leaked and still faces great risk, which indicates that considering the security of data only from these aspects is not comprehensive.
Disclosure of Invention
In view of the above, the present invention provides a method and an apparatus for calculating a risk coefficient of data, a storage medium, and a processor, so as to consider the risk of data from the perspective of the data itself.
One aspect of the present invention provides a method for calculating a risk coefficient of data, including:
identifying data needing risk coefficient calculation;
constructing a risk attribute level of the data based on the importance degree of the data and the risks the data faces;
and calculating the risk coefficient of the data according to the risk attribute level of the data.
Optionally, in the above method, the constructing a risk attribute level of the data based on the importance degree of the data and the risks the data faces includes:
constructing an asset value rating of the data based on the importance of the data;
constructing a vulnerability level and a threat level of the data based on the risks the data is exposed to.
Optionally, in the above method, the constructing the asset value rating of the data based on the importance degree of the data includes:
classifying the data to obtain a data classification catalogue;
setting a security level for each category in the data classification catalog to obtain a data classification grading catalog;
and constructing, according to the security level of each category of data in the data classification grading catalog, the asset value level of the data belonging to that category, wherein the asset value level of each category of data is positively correlated with the security level of that category.
Optionally, in the above method, the constructing the vulnerability level and the threat level of the data based on the risk faced by the data includes:
obtaining historical risk data associated with the data;
based on the historical risk data, constructing a vulnerability level of the data and constructing a threat level of the data.
Optionally, in the above method, the historical risk data includes a historical vulnerability rating of each server, and constructing the vulnerability rating of the data based on the historical risk data includes:
determining a server to which the data belongs;
searching the historical vulnerability grade of the server to which the data belongs from the historical vulnerability grade of each server;
and mapping the historical vulnerability grade of the server to which the data belongs to the vulnerability grade of the data stored on the server.
Optionally, in the above method, the historical risk data includes the data information in historical data leakage events, the corresponding event sensitivity levels, and the servers to which that data information belongs; in this case, constructing a threat level of the data based on the historical risk data includes:
matching, within the data, the data information in the historical data leakage events;
mapping the sensitivity level of the event associated with the leaked data to the threat level of the matched data;
and mapping the threat level of the server to which the data information in a historical data leakage event belongs to the threat level of those items of the data that are stored on that server.
Optionally, in the above method, the calculating a risk coefficient of the data according to the risk attribute level of the data includes:
respectively assigning the asset value grade, the vulnerability grade and the threat grade of the data;
and calculating the risk coefficient of the data by adopting a preset algorithm according to the asset value grade assignment, the vulnerability grade assignment and the threat grade assignment.
Another aspect of the present invention provides an apparatus for calculating a risk coefficient of data, including:
an identification unit, configured to identify data needing risk coefficient calculation;
a construction unit, configured to construct the risk attribute level of the data based on the importance degree of the data and the risks the data faces;
and the calculating unit is used for calculating the risk coefficient of the data according to the risk attribute grade of the data.
Optionally, in the above apparatus, the building unit includes:
a first construction subunit, configured to construct an asset value level of the data based on the importance degree of the data;
a second construction subunit for constructing a vulnerability class of the data based on the risk faced by the data;
a third construction subunit for constructing a threat level of the data based on the risk faced by the data.
Optionally, in the above apparatus, the first building subunit includes:
the catalog generation unit is used for classifying the data to obtain a classified catalog;
the setting unit is used for setting a security level for each category of data in the data classification catalogue to obtain a data classification catalogue;
and the asset value level building unit is used for building an asset value level for each class of data in the data classification catalogue, and the asset value level of each class of data is positively correlated with the corresponding security level.
Optionally, in the above apparatus, the second constructing subunit performs constructing the vulnerability class of the data, including:
obtaining historical risk data associated with the data;
constructing a vulnerability rating for the data based on the historical risk data.
Optionally, in the above apparatus, the historical risk data includes a historical vulnerability level of each server, and the constructing of the vulnerability level of the data by the second constructing subunit using the historical risk data includes:
determining the server to which the data belong, finding out the historical vulnerability grade of the server to which the data belong from the historical vulnerability grades of the servers, mapping the historical vulnerability grade of the server to which the data belong to the vulnerability grade of the data stored on the server, and constructing the vulnerability grade of the data.
Optionally, in the above apparatus, the third constructing subunit performs constructing a threat level of the data, including:
obtaining historical risk data associated with the data;
and constructing a threat level of the data based on the historical risk data.
Optionally, in the above apparatus, the historical risk data includes the data information in historical data leakage events, the corresponding event sensitivity levels and the servers to which that data information belongs, and the third constructing subunit constructs the vulnerability level of the data based on the historical risk data, including:
constructing the threat level of the data by matching, within the data, the data information in the historical data leakage events and mapping the sensitivity level of the event associated with the leaked data to the threat level of the matched data; and by mapping the threat level of the server to which the data information in a historical data leakage event belongs to the threat level of those items of the data that are stored on that server.
Optionally, in the above apparatus, the calculating unit includes:
the assignment unit is used for assigning the asset value grade, the vulnerability grade and the threat grade of the data respectively;
and the calculating subunit is used for calculating the risk coefficient of the data by adopting a preset algorithm according to the asset value grade assignment, the vulnerability grade assignment and the threat grade assignment.
A storage medium storing a program which, when executed, implements the method of calculating a risk coefficient of data according to any one of the above.
A processor for executing a program, wherein the program, when executed, performs the method of calculating a risk coefficient of data according to any one of the above.
According to the method for calculating the risk coefficient of data provided by the invention, the data needing risk coefficient calculation is identified and, starting from the data itself, the risk attribute level of the data is constructed and the risk coefficient is calculated from it. The risk of the data is thus considered from the perspective of the data, and can be known from the resulting risk coefficient.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a flowchart of a method for calculating a risk coefficient of data according to an embodiment of the present invention;
FIG. 2 is a flowchart of a method for calculating a risk coefficient of data according to another embodiment of the present invention;
FIG. 3 is a flowchart of constructing an asset value level according to another embodiment of the present invention;
FIG. 4 is a schematic diagram of a device for calculating a risk coefficient of data according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An embodiment of the invention discloses a method for calculating a risk coefficient of data which, as shown in FIG. 1, comprises the following steps:
S101: Identify the data that needs risk coefficient calculation.
It should be noted that not all data needs risk coefficient calculation. Generally, the risk coefficient only needs to be calculated for data that must be kept secret.
For data that is already public, of low importance, or large in quantity, leakage does not cause much adverse effect. Such data does not need to be kept secret, and calculating its risk coefficient has little value, so no risk coefficient calculation is needed for it. Examples include published information about products that have been sold, completed exhibition plans, and programmes for holiday events.
Therefore, in this step, in response to the confidentiality requirements of the user, the data that needs risk coefficient calculation, that is, the data that needs to be kept secret, is identified from all the data, and the risk coefficient is calculated for it. Examples include financial statements and customer information.
S102: Construct the risk attribute level of the data based on the importance degree of the data and the risks it faces.
Optionally, in another specific embodiment disclosed in the present invention, one implementation of this step includes: constructing an asset value level of the data based on the importance degree of the data, and constructing a vulnerability level and a threat level of the data based on the risks faced by the data.
Referring to FIG. 2, after step S201 is executed, the asset value level, the vulnerability level, and the threat level of the data are constructed in the execution order of step S202, step S203, and step S204. Of course, besides the sequence shown in FIG. 2 (asset value level first, vulnerability level second, threat level last), the three risk levels of the data may be constructed simultaneously or in other sequences.
It should also be noted that other risk attribute levels usable for analysing the risk of data can also be constructed. For example, a timeliness level can be constructed from the date on which the data was stored or generated: data that was stored or generated longer ago is relatively less risky, so the level constructed for it is correspondingly lower.
Optionally, in the method provided by another embodiment of the present invention, the asset value rating of the data is constructed based on the importance degree of the data, referring to fig. 3, which may specifically include:
S301: Classify the data to obtain the data classification catalogue.
The data is classified according to the category it belongs to, giving a data classification catalogue. The data mentioned in this embodiment always refers to data names and does not include data contents. The resulting data classification catalogue therefore includes each directory obtained by classifying the data names, and the data names included under that directory. For example, the directories may include scientific information, sales information, etc.
It should be noted that after the data is classified by category, the data in each directory may be classified further to obtain the sub-directories of each directory. For example, classifying the scientific and technological information directory gives subdirectories such as product research and development data, equipment management passwords and the like. In this case, the data classification catalogue includes each directory and its subdirectories, as well as the data names included under each subdirectory.
S302: Set a security level for each category in the data classification catalog to obtain the data classification grading catalog.
It should be noted that, in order to reflect the asset value level of the data more accurately, a security level may be set for each category in the classification catalogue. Specifically, where the data classification catalogue includes only the directories to which data belongs, this step sets a security level for each directory. Where the data classification catalogue includes the directories and the subdirectories under them, this step sets a security level for each subdirectory.
The security level of each category is set with regard to the degree of harm to enterprises and countries after the data is leaked. The importance, or the degree of secrecy required, of the data under each category is determined, and a corresponding security level is set for each category accordingly, for example high, medium or low.
S303: Construct the asset value level of the data belonging to each category according to the security level of that category in the data classification grading catalogue.
The asset value level of the data is positively correlated with the security level of its category in the data classification grading catalogue. That is, the two move in the same direction: where the security level of the data's category is high, the asset value level of the data is correspondingly high. For example, if the security level of the category of the first data is level four and the security level of the category of the second data is level five, the asset value level of the first data can be constructed as level three and that of the second data as level four. Of course, the two levels may also be identical, that is, the asset value level of the first data is level four and the asset value level of the second data is level five.
Optionally, in a method provided by another embodiment of the present invention, constructing the vulnerability level and the threat level of the data based on the risks faced by the data may be:
obtaining historical risk data related to the data and, based on the historical risk data, constructing the vulnerability level and the threat level of the data.
Optionally, in another specific embodiment of the present invention, the historical risk data includes a historical vulnerability level of each server. In this case, constructing the vulnerability level of the data based on the historical risk data may be: determining the server to which the data belongs, looking up the historical vulnerability level of that server among the historical vulnerability levels of the servers, and mapping the historical vulnerability level of the server to the vulnerability level of the data stored on it.
The historical vulnerability level of the server to which the data belongs can be obtained from the information security center, which holds a historical vulnerability level for each server. Because the historical vulnerability level of a server indirectly represents the vulnerability of the data stored on it, the level the information security center holds for the server can be mapped to the vulnerability level of the data stored on that server.
Optionally, in another specific embodiment of the present invention, the historical risk data includes the data information in historical data leakage events, the event sensitivity levels corresponding to that data information, and the servers to which it belongs. In this case, constructing the threat level of the data based on the historical risk data may include:
Matching, within the data, the data information in the historical data leakage events.
The data information of the leakage events detected by the information security center is acquired, and the data is searched for that information to obtain the data matching the data of the leakage events.
Mapping the sensitivity level of the event associated with the data of the leakage event to the threat level of the matched data.
The sensitivity level of the event associated with the data of the leakage event is taken as the threat level of the matched data. Specifically, the event associated with the data of the leakage event is essentially the leakage event itself, and the sensitivity level of that leakage event is set as the threat level of the matched data.
Mapping the threat level of the server to which the data information in a historical data leakage event belongs to the threat level of those items of the data that are stored on that server. Similarly, the threat level that the information security center holds for the server is obtained from the information security center and set as the threat level of the data stored on that server.
S103: Calculate the risk coefficient of the data according to the risk attribute level of the data.
In the embodiment provided by the invention, the data needing risk coefficient calculation is identified, and three risk attribute levels are constructed for it: the asset value level, the vulnerability level and the threat level. The risk of the data is thus considered comprehensively, the risk coefficient is calculated from the constructed levels, and the resulting coefficient reflects the risk of the data from the perspective of the data itself.
Optionally, in another embodiment of the present invention, an implementation manner of step S103, as shown in fig. 2, includes:
S205: Assign values to the asset value level, the vulnerability level and the threat level of the data respectively.
To calculate the risk coefficient of the data, values must be assigned to its asset value level, vulnerability level and threat level respectively, each according to the level itself. For example, for each of the three levels: a high level is assigned the largest number; a medium level is assigned a slightly smaller number; a low level is assigned the smallest number.
S206: Calculate the risk coefficient of the data with a preset algorithm from the asset value level assignment, the vulnerability level assignment and the threat level assignment.
After assignment is completed, the risk coefficient of the data can be calculated from the assigned values by methods such as risk matrix measurement or threat classification calculation.
Optionally, the risk coefficient of the data is obtained by applying risk matrix measurement to the asset value level assignment, the vulnerability level assignment and the threat level assignment, which specifically includes:
Obtaining the likelihood assignment of the data risk from the vulnerability level assignment and the threat level assignment.
Obtaining the loss assignment of the data risk from the asset value level assignment and the vulnerability level assignment.
Obtaining the risk coefficient assignment of the data risk, that is, the risk coefficient of the data, from the likelihood assignment and the loss assignment of the data risk.
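The procedure above (S101 to S103, with the risk-matrix form of S206), worked end to end as an added example that is not part of the patent text. The inventory, the level-to-number assignment, the three matrices and the defaults for unmatched data are constructed assumptions; the patent names the risk matrix method but gives no tables.

```python
"""Added example: data-centric risk coefficient (steps S101-S103, S205-S206).
All names, levels and matrices below are constructed assumptions."""
from dataclasses import dataclass

# S205: assumed assignment of numbers to levels (high gets the largest number).
LEVEL_VALUE = {"low": 1, "medium": 2, "high": 3}

# S301-S302: classification grading catalogue, category -> security level.
# None marks a category with no confidentiality requirement (constructed data).
CATALOGUE = {
    "finance/statements": "high",
    "sales/customer_info": "medium",
    "tech/rnd_docs": "high",
    "marketing/published_specs": None,
}

# Historical risk data as an information security center might hold it (constructed).
SERVER_VULNERABILITY = {"srv-db01": "high", "srv-file02": "low"}
SERVER_THREAT = {"srv-db01": "medium"}
LEAK_EVENTS = [
    {"data_name": "customer_list_2017", "sensitivity": "high", "server": "srv-db01"},
]

# Assumed risk matrices, indexed by the assigned numbers minus one.
LIKELIHOOD = [[1, 2, 3], [2, 3, 4], [3, 4, 5]]   # [threat][vulnerability]
LOSS = [[1, 1, 2], [2, 3, 3], [3, 4, 5]]         # [asset value][vulnerability]
RISK = [[lk * ls for ls in range(1, 6)] for lk in range(1, 6)]  # [likelihood][loss]


@dataclass(frozen=True)
class DataItem:
    name: str       # data name only, never data contents
    category: str   # entry in CATALOGUE
    server: str     # server the data is stored on


INVENTORY = [
    DataItem("customer_list_2017", "sales/customer_info", "srv-db01"),
    DataItem("q3_financial_statement", "finance/statements", "srv-db01"),
    DataItem("engine_design_v2", "tech/rnd_docs", "srv-file02"),
    DataItem("product_brochure", "marketing/published_specs", "srv-file02"),
]


def identify(inventory):
    """S101: keep only data whose category carries a security level."""
    return [d for d in inventory if CATALOGUE.get(d.category) is not None]


def asset_value_level(item):
    """S303: asset value level follows the category's security level
    (identity mapping, one positively correlated choice)."""
    return CATALOGUE[item.category]


def vulnerability_level(item):
    """Map the server's historical vulnerability level onto its data.
    Assumption: a server with no recorded level is treated as 'high'."""
    return SERVER_VULNERABILITY.get(item.server, "high")


def threat_level(item):
    """Threat level from historical leakage events.
    Assumptions: no related event gives 'low'; several candidates give the highest."""
    candidates = ["low"]
    for event in LEAK_EVENTS:
        if event["data_name"] == item.name:      # data matched in a leakage event
            candidates.append(event["sensitivity"])
        if event["server"] == item.server:       # stored on the server of a leakage event
            candidates.append(SERVER_THREAT.get(item.server, "low"))
    return max(candidates, key=LEVEL_VALUE.__getitem__)


def risk_coefficient(item):
    """S205-S206: assign numbers to the three levels, then apply the matrices."""
    a = LEVEL_VALUE[asset_value_level(item)]
    v = LEVEL_VALUE[vulnerability_level(item)]
    t = LEVEL_VALUE[threat_level(item)]
    likelihood = LIKELIHOOD[t - 1][v - 1]   # from threat and vulnerability
    loss = LOSS[a - 1][v - 1]               # from asset value and vulnerability
    return RISK[likelihood - 1][loss - 1]   # from likelihood and loss


def assess(inventory):
    """Return {data name: risk coefficient}, highest risk first."""
    scores = {d.name: risk_coefficient(d) for d in identify(inventory)}
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for name, score in assess(INVENTORY).items():
        print(f"{name:26} {score}")
```

The financial statement outranks the customer list even though only the latter appears in a leakage event, because its asset value is higher and it sits on the same server.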
Another embodiment of the present invention further provides a device for calculating a risk coefficient of data, as shown in fig. 4, including:
An identifying unit 401, configured to identify data that needs risk coefficient calculation.
A building unit 402, configured to build a risk attribute level of the data based on the importance of the data and the risks it faces.
Optionally, in another specific embodiment of the present invention, the building unit 402, as also shown in FIG. 4, includes:
A first building subunit 4021, configured to build an asset value level of the data based on the importance degree of the data.
Optionally, in another specific embodiment of the present invention, the first building subunit includes:
A catalogue generation unit, configured to classify the data to obtain a classification catalogue.
A setting unit, configured to set a security level for the data of each category in the data classification catalogue to obtain the data classification catalogue.
An asset value level building unit, configured to build an asset value level for each category of data in the data classification catalogue.
A second building subunit 4022, configured to build a vulnerability level of the data based on the risks faced by the data.
A third building subunit 4023, configured to build a threat level of the data based on the risks faced by the data.
Optionally, in another specific embodiment of the present invention, when the second constructing subunit 4022 executes constructing the vulnerability class of the data, it is configured to: historical risk data related to the data is obtained, and based on the historical risk data, vulnerability levels of the data are constructed.
In addition, when the historical risk data includes the historical vulnerability class of each server, the second constructing subunit 4022 constructs the vulnerability class of the data by determining the server to which the data belongs, finding the historical vulnerability class of the server to which the data belongs from the historical vulnerability classes of each server, and mapping the historical vulnerability class of the server to which the data belongs to the vulnerability class of the data stored in the server.
Similarly, when the third constructing subunit 4023 constructs the threat level of the data, it is configured to acquire historical risk data related to the data, and construct the threat level of the data based on the historical risk data.
When the historical risk data includes the data information in historical data leakage events, the event sensitivity levels corresponding to that data information and the servers to which it belongs, the third constructing subunit 4023 constructs the threat level of the data by matching, within the data, the data information in the historical data leakage events and mapping the sensitivity level of the event associated with the leaked data to the threat level of the matched data, and by mapping the threat level of the server to which the data information in a historical data leakage event belongs to the threat level of those items of the data that are stored on that server.
A calculating unit 403, configured to calculate the risk coefficient of the data according to the risk attribute level of the data.
Optionally, in another specific embodiment of the present invention, referring to FIG. 4, the calculating unit 403 includes:
A value assigning unit 4031, configured to assign values to the asset value level, the vulnerability level, and the threat level of the data respectively.
A calculating subunit 4032, configured to calculate the risk coefficient of the data from the asset value level assignment, the vulnerability level assignment and the threat level assignment using a predetermined algorithm.
In the above embodiments of the present application, the specific execution process of each unit may refer to the content of the corresponding method embodiment, and is not described herein again.
The device for calculating the risk coefficient of the data comprises a processor and a memory, wherein the identification unit, the construction unit, the calculation unit and the like are stored in the memory as program units, and the processor executes the program units stored in the memory to realize corresponding functions.
The processor comprises a kernel, and the kernel calls the corresponding program unit from the memory. There may be one or more kernels, and the corresponding functions are realized by adjusting kernel parameters.
The memory may include forms of computer-readable media such as volatile memory, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM), and the memory includes at least one memory chip.
An embodiment of the present invention provides a storage medium on which a program is stored, the program implementing a method of calculating a risk coefficient of the data when executed by a processor.
The embodiment of the invention provides a processor, which is used for running a program, wherein the method for calculating the risk coefficient of the data is executed when the program runs.
An embodiment of the invention provides a device, which may be a server, a PC, a PAD, a mobile phone, or the like. The device comprises a processor, a memory, and a program stored on the memory and executable on the processor, and the processor implements the following steps when executing the program:
Identifying data for which a risk coefficient needs to be calculated.
Constructing a risk attribute level of the data based on the importance of the data and the risks it faces.
Calculating the risk coefficient of the data according to the risk attribute level of the data.
Optionally, in the above method, constructing the risk attribute level of the data based on the importance of the data and the risks it faces includes:
Constructing an asset value level of the data based on the importance of the data.
Constructing a vulnerability level and a threat level of the data based on the risks the data is exposed to.
Optionally, in the above method, constructing the asset value level of the data based on the importance of the data includes:
Classifying the data to obtain a data classification catalogue.
Setting a security level for each category in the data classification catalogue to obtain a graded data classification catalogue.
Constructing, according to the security level of each category in the graded data classification catalogue, the asset value level of the data belonging to that category, wherein the asset value level of each category of data is positively correlated with the security level of that category.
Optionally, in the above method, constructing the vulnerability level and the threat level of the data based on the risks the data faces includes:
Obtaining historical risk data associated with the data.
Constructing, based on the historical risk data, a vulnerability level of the data and a threat level of the data.
Optionally, in the above method, the historical risk data includes a historical vulnerability level of each server, and constructing the vulnerability level of the data based on the historical risk data includes:
Determining the server to which the data belongs.
Looking up the historical vulnerability level of the server to which the data belongs among the historical vulnerability levels of the servers.
Mapping the historical vulnerability level of the server to which the data belongs to the vulnerability level of the data stored on that server.
Optionally, in the above method, the historical risk data includes the data information in historical data leakage events, the corresponding event sensitivity levels, and the servers to which that data information belongs; in this case, constructing the threat level of the data based on the historical risk data includes:
Matching the data against the data information in the historical data leakage events.
Mapping the sensitivity level of the event associated with the leaked data to the threat level of the matched data.
Mapping the threat level of the server to which the data information in the historical data leakage event belongs to the threat level of those items of the data that are stored on that server.
Optionally, in the above method, calculating the risk coefficient of the data according to the risk attribute level of the data includes:
Assigning values to the asset value level, the vulnerability level and the threat level of the data, respectively.
Calculating the risk coefficient of the data by applying a preset algorithm to the asset value level assignment, the vulnerability level assignment and the threat level assignment.
The invention also provides a computer program product which, when executed on a device for calculating the risk coefficient of data, is adapted to execute a program initialized with the following method steps:
Identifying data for which a risk coefficient needs to be calculated.
Constructing a risk attribute level of the data based on the importance of the data and the risks it faces.
Calculating the risk coefficient of the data according to the risk attribute level of the data.
Optionally, in the above method, constructing the risk attribute level of the data based on the importance of the data and the risks it faces includes:
Constructing an asset value level of the data based on the importance of the data.
Constructing a vulnerability level and a threat level of the data based on the risks the data is exposed to.
Optionally, in the above method, constructing the asset value level of the data based on the importance of the data includes:
Classifying the data to obtain a data classification catalogue.
Setting a security level for each category in the data classification catalogue to obtain a graded data classification catalogue.
Constructing, according to the security level of each category in the graded data classification catalogue, the asset value level of the data belonging to that category, wherein the asset value level of each category of data is positively correlated with the security level of that category.
Optionally, in the above method, constructing the vulnerability level and the threat level of the data based on the risks the data faces includes:
Obtaining historical risk data associated with the data.
Constructing, based on the historical risk data, a vulnerability level of the data and a threat level of the data.
Optionally, in the above method, the historical risk data includes a historical vulnerability level of each server, and constructing the vulnerability level of the data based on the historical risk data includes:
Determining the server to which the data belongs.
Looking up the historical vulnerability level of the server to which the data belongs among the historical vulnerability levels of the servers.
Mapping the historical vulnerability level of the server to which the data belongs to the vulnerability level of the data stored on that server.
Optionally, in the above method, the historical risk data includes the data information in historical data leakage events, the corresponding event sensitivity levels, and the servers to which that data information belongs; in this case, constructing the threat level of the data based on the historical risk data includes:
Matching the data against the data information in the historical data leakage events.
Mapping the sensitivity level of the event associated with the leaked data to the threat level of the matched data.
Mapping the threat level of the server to which the data information in the historical data leakage event belongs to the threat level of those items of the data that are stored on that server.
Optionally, in the above method, calculating the risk coefficient of the data according to the risk attribute level of the data includes:
Assigning values to the asset value level, the vulnerability level and the threat level of the data, respectively.
Calculating the risk coefficient of the data by applying a preset algorithm to the asset value level assignment, the vulnerability level assignment and the threat level assignment.
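The steps listed above for the device and for the computer program product, worked end to end as an added Python example that is not code from the patent. The 1-to-5 scale, the sample catalogue, servers and leak events, matching data information by category, the fail-closed defaults, deriving a server's threat level from the highest sensitivity of the leaks recorded on it, and the product formula standing in for the "preset algorithm" are all assumptions.

```python
from dataclasses import dataclass

MAX_LEVEL = 5  # assumption: every level uses a 1..5 scale

@dataclass(frozen=True)
class DataItem:
    name: str
    category: str  # category in the data classification catalogue
    server: str    # server on which the data is stored

@dataclass(frozen=True)
class LeakEvent:
    data_info: str    # data information exposed in the event (a category here)
    sensitivity: int  # event sensitivity level
    server: str       # server the leaked data information belonged to

# Constructed sample inputs, not taken from the patent.
GRADED_CATALOGUE = {"customer_pii": 5, "contracts": 3, "press_releases": 1}
SERVER_VULN_HISTORY = {"db-01": 4, "file-02": 2}
LEAK_HISTORY = [
    LeakEvent("customer_pii", 4, "db-01"),
    LeakEvent("contracts", 2, "db-01"),
]

def asset_value_level(item, catalogue=GRADED_CATALOGUE):
    """Asset value level rises with the category's security level.
    Unclassified data fails closed to MAX_LEVEL (assumption)."""
    return catalogue.get(item.category, MAX_LEVEL)

def vulnerability_level(item, history=SERVER_VULN_HISTORY):
    """Data inherits the historical vulnerability level of its server.
    A server with no recorded history fails closed to MAX_LEVEL (assumption)."""
    return history.get(item.server, MAX_LEVEL)

def threat_level(item, events=LEAK_HISTORY):
    """Combine both mappings: sensitivity of matching leak events, and the
    threat level of the server, taken here as the highest sensitivity of any
    leak recorded on it (assumption). No history gives the lowest level."""
    matched = [e.sensitivity for e in events if e.data_info == item.category]
    on_server = [e.sensitivity for e in events if e.server == item.server]
    return max(matched + on_server, default=1)

def assign(level):
    """Assignment step: turn a level into a number, rejecting bad levels."""
    if not isinstance(level, int) or not 1 <= level <= MAX_LEVEL:
        raise ValueError(f"level out of range: {level!r}")
    return level

def risk_coefficient(item, events=LEAK_HISTORY):
    """Assumed 'preset algorithm': product of the three assignments,
    normalised to the range (0, 1]."""
    a = assign(asset_value_level(item))
    v = assign(vulnerability_level(item))
    t = assign(threat_level(item, events))
    return {"asset": a, "vulnerability": v, "threat": t,
            "risk": a * v * t / MAX_LEVEL ** 3}

if __name__ == "__main__":
    for item in (DataItem("crm_export", "customer_pii", "db-01"),
                 DataItem("supplier_nda", "contracts", "file-02"),
                 DataItem("news_archive", "press_releases", "db-01"),
                 DataItem("orphan_dump", "uncatalogued", "unknown-host")):
        print(item.name, risk_coefficient(item))
```

Note how `news_archive` has the lowest asset value yet inherits a threat level of 4 from leaks recorded on its server, which is the effect of the server-to-data mapping step.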
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, computer-readable media does not include transitory computer-readable media (transitory media) such as modulated data signals and carrier waves.
It is also noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above are merely examples of the present application and are not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A method for calculating a risk coefficient of data, comprising:
identifying data needing risk coefficient calculation;
constructing a risk attribute level of the data based on the importance of the data and the risks it faces;
and calculating the risk coefficient of the data according to the risk attribute grade of the data.
2. The method of claim 1, wherein constructing a risk attribute rating for the data based on the importance of the data and the risk faced comprises:
constructing an asset value rating of the data based on the importance of the data;
constructing a vulnerability level and a threat level of the data based on the risks the data is exposed to.
3. The method of claim 2, wherein said building an asset value rating for said data based on a degree of importance of said data comprises:
classifying the data to obtain a data classification catalogue;
setting a security level for each category in the data classification catalog to obtain a data classification grading catalog;
and constructing, according to the security level of each category in the graded data classification catalogue, the asset value level of the data belonging to that category, wherein the asset value level of each category of data is positively correlated with the security level of that category.
4. The method of claim 2, wherein said constructing a level of vulnerability and a level of threat of said data based on the risk to which said data is exposed comprises:
obtaining historical risk data associated with the data;
based on the historical risk data, a vulnerability level of the data and a threat level of the data are constructed.
5. The method of claim 4, wherein the historical risk data comprises historical vulnerability ratings for each server, and wherein constructing the vulnerability ratings for the data based on the historical risk data comprises:
determining a server to which the data belongs;
searching the historical vulnerability grade of the server to which the data belongs from the historical vulnerability grade of each server;
and mapping the historical vulnerability grade of the server to which the data belongs to the vulnerability grade of the data stored on the server.
6. The method of claim 4, wherein the historical risk data includes the data information in historical data leakage events, the corresponding event sensitivity levels, and the servers to which that data information belongs, and wherein constructing the threat level of the data based on the historical risk data comprises:
matching the data against the data information in the historical data leakage events;
mapping the sensitivity level of the event associated with the leaked data to the threat level of the matched data;
and mapping the threat level of the server to which the data information in the historical data leakage event belongs to the threat level of those items of the data that are stored on that server.
7. The method according to any one of claims 2-6, wherein calculating the risk coefficient of the data according to the risk attribute level of the data comprises:
respectively assigning the asset value grade, the vulnerability grade and the threat grade of the data;
and calculating the risk coefficient of the data by adopting a preset algorithm according to the asset value grade assignment, the vulnerability grade assignment and the threat grade assignment.
8. An apparatus for calculating a risk coefficient of data, comprising:
an identification unit, configured to identify data for which a risk coefficient needs to be calculated;
a construction unit, configured to construct a risk attribute level of the data based on the importance of the data and the risks it faces;
and a calculating unit, configured to calculate the risk coefficient of the data according to the risk attribute level of the data.
9. A storage medium storing a program which, when executed, implements the method of calculating a risk coefficient of data according to any one of claims 1 to 7.
10. A processor configured to execute a program, wherein the program, when executed, performs the method of calculating a risk coefficient of data according to any one of claims 1 to 7.
CN201811131508.XA 2018-09-27 2018-09-27 Method and device for calculating risk coefficient of data, storage medium and processor Pending CN110956347A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811131508.XA CN110956347A (en) 2018-09-27 2018-09-27 Method and device for calculating risk coefficient of data, storage medium and processor

Publications (1)

Publication Number Publication Date
CN110956347A true CN110956347A (en) 2020-04-03

Family

ID=69967936

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811131508.XA Pending CN110956347A (en) 2018-09-27 2018-09-27 Method and device for calculating risk coefficient of data, storage medium and processor

Country Status (1)

Country Link
CN (1) CN110956347A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112560046A (en) * 2020-12-14 2021-03-26 北京明朝万达科技股份有限公司 Method and device for evaluating service data security index
CN115766138A (en) * 2022-11-03 2023-03-07 国家工业信息安全发展研究中心 Industrial internet enterprise network security grading evaluation method and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6842737B1 (en) * 2000-07-19 2005-01-11 Ijet Travel Intelligence, Inc. Travel information method and associated system
US20140337086A1 (en) * 2013-05-09 2014-11-13 Rockwell Authomation Technologies, Inc. Risk assessment for industrial systems using big data
CN106656996A (en) * 2016-11-09 2017-05-10 航天科工智慧产业发展有限公司 Information safety risk assessment method
CN106790198A (en) * 2016-12-30 2017-05-31 北京神州绿盟信息安全科技股份有限公司 A kind of method for evaluating information system risk and system
CN107819771A (en) * 2017-11-16 2018-03-20 国网湖南省电力有限公司 A kind of Information Security Risk Assessment Methods and system based on assets dependence
CN108092981A (en) * 2017-12-22 2018-05-29 北京明朝万达科技股份有限公司 A kind of data security protection method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200403