TW200842736A - Object-oriented information management system and the method - Google Patents


Info

Publication number
TW200842736A
Authority
TW
Taiwan
Prior art keywords
objects
information management
information
item
oriented
Application number
TW96113395A
Other languages
Chinese (zh)
Other versions
TWI340924B (en)
Inventor
zhi-jun You
Original Assignee
zhi-jun You
Application filed by zhi-jun You
Priority to TW096113395A
Publication of TW200842736A
Application granted
Publication of TWI340924B

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

An object-oriented information management system and method are provided. The invention applies object-oriented technology to develop a software module for an organization's operations. The information management method treats every kind of information, including the tangible and intangible assets received, produced or operated in the organization's operations, as an independent object. Relationships are then established among the objects, thereby presenting the interactions in the organization's operations. The object of the invention is to provide instantaneous analysis and management of the operations and to dynamically generate every kind of report accordingly. The information management also provides prediction and analysis by simulating changes in operating conditions. In practical application, the invention can simultaneously establish various standard management systems, such as ISO (ISO27001, ISO20000, ISO14000), CNS, COBIT, ITIL and the like.

Description

200842736 九、發明說明· 【發明所屬之技術領域】 本發明提供一種物件導向之資訊管理系統及其方法, 、特別是導入物件導向觀念的資訊管理系統與方法,將資訊 : 資產視為不同屬性的獨立物件,透過物件間的關聯進行分 、 析與評估並將結果產生動態内容的文件與報表。 • 4 【先前技術】 • 資訊(Information)可說是企業成功的羞礎與命脈, 如何確保客戶與公司内部資訊的安全性、完整性及可用性 i當今最熱門的課題m安全管理系統(Inf〇rmat腿 Security Management System )正是因應維護資邙安全而發 展出來的管理制度。國際標準級織% 、Organization for Standardization)係於 2〇〇5 年 月 15 日 宣布IS027001資訊安全管理國際標準,提供企業建置資 全官理導入的國際標準規範。其他亦有BS7799 (發展 #· 自英國)所規範的標準,更有不少公家機關、企業及學校 單位已經取得BS7799認證,此IS027〇〇1則是由bS7799 沿伸整合而成之國際標準。為了得到上述有關資訊安全的 認證,各機關團體通常都須透過輔導單位進行資訊安全管 ;. 理制度的導入。 · 、σ 王吕 : .然而,許多組織在推行資訊安全管理制度時仍覺得困 難重重,不知該從何下手,即使請來顧.問進行輔導,卻常 有霧裡看花的感覺,導致在進行輔導後仍看不出成效,或 是通過了驗證卻仍無法有效持續維護所建置的資訊安全管 200842736 理制度,造成日後的困擾◦在習知技術中,建置資訊安全 管理制度時常使用各種辦公室軟體,如微軟的w〇rd °、Excd 寻;進行營運衝擊分析以及威脅弱_估”料處理與文 書報表的產出,如下列—般風險評估的通常公式: 風險=資產價值X威脅X機率 二此類公式除了所引人的參數有限不能產生實質 例如如何決定資產價值?如何決定潛在威 值所種威脅?如何決定風險機率?計算出的風险 因:義?等題目都是在風險評估上造成不確定的 實;所記載之資料與實際訊息無法連貫,在 安,例如風險評话的結果無法與資訊 結果脫節。應,造成㈣安全4目關文件與風險評估 此外,由於辦公室軟體並非專為資 :入與持續運作所設計,工具本身的限; 真正深入問題核心並且對症下藥的資立 用EXcel進行風險評估時,僅能考慮王=度。例如利 仃簡單的運算,益法 二(勺威背項目並進 營運層面可能造成考1各種潛在風險對組織各個 、傳統的標準制度導入與建置至/ 要的辅助工具’即使有號稱具有風μ估7^Excel 工具也僅是套用上述之簡單公式或將的軟體 呈現即稱之為風險評鑑,更無法將文卷方式 果直接連結姻的產出個人讀評估結 許多组織除導人資訊安全㈣制"^件,表’此外, fJ/又丨不卞外,亦同時導入其 200842736 它的管理標準,例如IS020000等,但這些同時導入一項 以上官理標準制度的組織均面臨沒有一套可整合多種管理 制度的工具可供使用的困境,其極需一個能整合各方面特 性與信息間關聯的管理系統。 : 【發明内容】 - 本發明係針對習知技術使用簡單的運算工具進行資气 管理,或是建立資訊管理制度產生許多不確定因素的問 • 題,透過具物件導向(object-onented)資訊處理特性的軟 ,體方法,並配合實際導入管理制度的實際經驗,提供一種 物件導向之資訊管理系統及其方法,徹底解決建置管理制 度時所可能遇到的問題。 .. 
本發_件導向之資讀理线及其綠提供了管理 制度生命週期各階段(計晝、行動、檢驗、改善)所需的 完整功能,不但能使各機關圑體能快速簡便地完成各項桿 準的導人,如IS027GG1資訊安全標準、IS〇2_資訊服 矛务標準’更可確保建置完成的管理制度是一套可以持續渾 響 作的有效系統。 、〜 上述物件導向之資訊管理系統係透過一物件導向式的 .軟體手段漆置的系統,其中的資料都視為獨立的物件,此 - 系統包括#—^估手段,係透過軟體手段導人複數個物 : 各物件間建立-或複數個關聯性,藉由評估介面的夂 一· 攔位連結I物件關係,得出受評估對象的評估值;二勹口 有-稽核管f手段,係透過軟體手段導人複數個二1 評估之後,措由稽核管理介面與各物件之關聯性, 八 200842736 汗估對象中的一或複數個人 再包括一控制措施管理、誕出一或禝數個稽核清單; 物件,於評估與稽核之、采係14過軚體手段導入複數個 、之關聯性顯示受評估對^中处過控制項管理介面與各物件 以及一文件報表產生手段,的一或複數個控制項目; 後,透過使用者介面與二估、稽核與產生控制項目 出一或複數個該控制項^,、關聯性,由物件的選取得 文件報表。 、,u產生一或複數個動態内容的 而其資訊管理方、'参夕奋 體手段實施,其中所處王¥二=係透過—物件導向式的軟 步驟包括先建立受評估對=各為獨立的物件,該方法 評估對象之複數個物件與其中接著建立有關受 的關聯性,之後進行 %、即再建立I數個物件間 入複數個物件,並f獅料㈣哺體手段導 即透過物件導向式的。=,’接著產生-稽核清單, 後,針對受評估對複數個物件,於評估之 物件的選取得出—或複數最後,經由 文件報表。 、 、產生動態内容的 本發明之另—實施例係先建立 斟 料,包括威脅、機率、流程、評估條f2象的基本資 產、控制項等所需的資料,再由受評估二广序、貝 資源與軟硬鐘建立弱點與可能威脅項目,=有的人力 •件與威㈣件之間的關聯;建立資產物件、彳點物 ==項物件間樣、建立__與=: 曰、邊知’建立流程物件與機率物件間的關聯;建立資產 200842736 物件、弱點物件與威脅物件之間的關聯;建立該程序物件 • 與該資產物件間的關聯;建立流程物件與程序物件之關 聯;建立流程物件與資產物件之關聯,之後再進行風險評 估,產生一風險評估值,並產生動態内容的個人化稽核清 - 單以及動態内容的個人化報表文件。 【實施方式】 因應習知技術僅使用簡單的運算工具進行標準制度資 訊管理的評估與分析可能產生資訊無法連貫,評估不準確 或是需要耗費大量人力的問題,本發明物件導向之資訊管 理系統及其方法係透過物件導向(obj ect-oriented )特性的 軟體方法,配合實際導入管理制度的實際經驗,建立能隨 時產生動態内容的評估報表與控制措施的資訊管理系統, 藉此,能在隨時變動的組織營運環境中仍提供管理制度生 命週期各階段(計晝、行動、檢驗、改善)所需的完整功 .能,除了能快速簡便地完成各項標準的建置,且能持續有 效地運作。 ⑩ 第一圖顯示為本發明物件導向之資訊管理系統之架構 , 示意圖,特別的是,此系統採用層級式(Multi-Tier )架構, 使其能具備多樣性的資訊組織能力,並為跨平台的系統, 不限作業系統。圖式顯示其系統架構,至少包括有資料層 - (data tier ) 11、企業邏輯層(business tier) 13 與應用服 , 矛务層(presentation tier) 15。 * 其中資料層11為此資訊管理系統所使用的各種資料 庫(111 ),藉以儲存系統與使用者資料,資料庫應用廣泛, 10 200842736 j 、微軟SQL、微軟Access、MySQL,或其他的 貢料來源(113) ^ :接著疋提供後端資料處理與組織資料平台的企業邏輯 f 13,其中至少包括有執行各種軟體工具的應用系統伺服 益(application server) 133與網頁伺服器131,系統透過 此企業邏輯層13的服務擷取資料庫資料。 接著應用服務層15是操作環境的前端使用者介面,使 用者可透過網頁介面151或是系統提供的應用軟體介面200842736 IX. 
INSTRUCTIONS DESCRIPTION OF THE INVENTION [Technical Field] The present invention provides an object-oriented information management system and method thereof, and particularly an information management system and method for importing an object-oriented concept, which regards information: assets as different attributes A separate object, a file and report that separates, analyzes, and evaluates the results through the association between objects and produces dynamic content. • 4 [Previous Technology] • Information can be said to be the foundation and lifeline of a company's success. How to ensure the security, integrity and availability of customers and internal information. i is the hottest topic of today's security management system (Inf〇 The rmat leg Security Management System is a management system developed in response to the maintenance of asset security. The International Standardization Organization (Organization for Standardization) announced the IS027001 international standard for information security management on the 15th of May, 2005, and provided the international standard specification for the establishment of the enterprise. Others also have BS7799 (Development #·From the UK) standards, and many public institutions, enterprises and school units have obtained BS7799 certification. This IS027〇〇1 is an international standard formed by bS7799. In order to obtain the above-mentioned information security certification, various agencies and organizations usually have to introduce the information security management system through the counseling unit. · σ王吕: . However, many organizations still find it difficult to implement the information security management system. 
I don’t know where to start, even if I ask for counseling, I often feel the fog, which leads to After the coaching, there is still no effect, or it has passed the verification but it is still unable to effectively maintain the information security management system 200842736 system, which will cause future problems. In the conventional technology, the information security management system is often used. Various office software, such as Microsoft's w〇rd °, Excd search; conduct operational shock analysis and threats to weak estimate the output of the material processing and paper statements, such as the following general formula for risk assessment: risk = asset value X threat X probability 2 This formula can not produce substance in addition to the limited parameters introduced, such as how to determine the value of the asset? How to determine the threat of potential value? How to determine the probability of risk? Calculated risk factor: meaning? The risk assessment results in uncertainty; the recorded information is inconsistent with the actual information, and the results of the risk assessment cannot be combined with the information. Disconnection. Should, cause (4) security 4 documents and risk assessment In addition, because the office software is not designed for the purpose of: entry and continuous operation, the tool itself is limited; truly deep into the core of the problem and the right to use the drug to use EXcel for risk assessment At the time, only Wang = degree can be considered. 
For example, the simple calculation of the profit, the benefit method 2 (the scooping of the back-to-back project and the operational level may result in various potential risks for the organization, the introduction and construction of the traditional standard system to/or The auxiliary tool 'even if there is a windy estimate 7^Excel tool is only to apply the above simple formula or the software presentation is called risk assessment, and it is impossible to directly read the output of the document. Evaluation of many organizations in addition to the guide information security (four) system " ^ pieces, the table 'in addition, fJ / is not awkward, but also introduced its 200842736 its management standards, such as IS020000, etc., but these imports more than one at the same time The organization of the official standards system faces the dilemma of not having a set of tools that can integrate multiple management systems. It is extremely necessary to integrate all aspects of the characteristics. Management system for inter-information correlation: [Description of the Invention] - The present invention is directed to the use of simple computing tools for the management of resources, or the establishment of an information management system to generate many uncertain factors, through object-oriented (object-onented) The soft and physical methods of information processing features, combined with the actual experience of the actual introduction of management systems, provide an object-oriented information management system and its methods to completely solve the problems that may be encountered in the establishment of the management system. .. 
The development of the _-oriented reading line and its green provides the complete functions required for each stage of the management system life cycle (calculation, action, inspection, improvement), which not only enables the various bodies to complete quickly and easily The guiding staff of various standards, such as IS027GG1 information security standard, IS〇2_ information service spears standard, can ensure that the completed management system is an effective system that can continue to sound. ~ The above-mentioned object-oriented information management system is a system that is painted by a piece of object-oriented software. The data is regarded as an independent object. This system includes #-^ estimation means, which is guided by software means. A plurality of objects: establishes - or a plurality of associations between the objects, and obtains an evaluation value of the object to be evaluated by evaluating the relationship between the objects of the interface and the I object; After the software has introduced a number of two-one assessments, the audit management interface is related to each object. One or more individuals in the 200842736 Khan assessment object include a control measure management, a birth or a number of audits. List; object, in the evaluation and auditing, mining system 14 through the introduction of a plurality of means, the relevance of the evaluation of the control of the management of the control interface and the object and a document report generation means, one or plural After the control project; through the user interface and the second evaluation, audit and production control items out one or more of the control items ^, relevance, from the selection of the object to obtain a file report. 
, u generates one or more dynamic content and its information management party, 'the eve of the eve of the implementation of the method, where the king ¥ two = through the - object-oriented soft steps include first establish the evaluation of the pair = each A separate object, the method evaluates the plurality of objects of the object and then establishes the correlation with the subject, and then performs %, that is, re-establishes a number of objects between the I objects, and the fowl material (4) Object oriented. =, 'There is then a - audit list, after which, for the evaluation of a plurality of objects, the selection of the object to be evaluated is obtained - or the plural is finally, via the document report. And another embodiment of the present invention for generating dynamic content is to first establish a data, including threats, probability, process, basic assets of the evaluation strip f2, control items, and the like, and then Shell resources and soft and hard clocks establish weaknesses and possible threats to the project, = the relationship between the manpower and the parts and the (four) pieces; establish asset objects, 彳 points == items, create __ and =: 曰, Knowing the relationship between the process object and the probability object; establishing the association between the object 200842736 object, the weak object and the threat object; establishing the program object • the association with the asset object; establishing the association between the process object and the program object; Establish a relationship between the process object and the asset object, and then conduct a risk assessment to generate a risk assessment value, and generate a personalized audit statement for the dynamic content and a personalized report file for the dynamic content. 
[Embodiment] The object-oriented information management system of the present invention and the problem that the evaluation and analysis of the standard system information management using only simple computing tools may result in incoherent information, inaccurate evaluation or a large amount of manpower is required. The method is to establish an information management system that can generate dynamic content evaluation reports and control measures at any time through the software method of obj ect-oriented characteristics and the actual experience of the actual introduction management system. The organizational operating environment still provides the complete functions required for each phase of the management system life cycle (plan, action, inspection, improvement), in addition to the rapid and easy completion of the implementation of standards, and can continue to operate effectively . 10 The first figure shows the architecture, schematic diagram of the object-oriented information management system of the present invention. In particular, the system adopts a multi-Tier architecture, which enables it to have diverse information organization capabilities and is cross-platform. System, unlimited operating system. The schema shows its system architecture, including at least the data layer - (data tier) 11, the business logic layer (business tier) 13 and application services, and the presentation tier 15. * Data layer 11 is a variety of databases (111) used by this information management system to store system and user data. The database is widely used, 10 200842736 j , Microsoft SQL, Microsoft Access, MySQL, or other tribute Source (113) ^: Next, provide enterprise logic f13 of the back-end data processing and organization data platform, which at least includes an application server 133 and a web server 131 executing various software tools, through which the system The service of the enterprise logic layer 13 retrieves the database data. 
Then, the application service layer 15 is a front-end user interface of the operating environment, and the user can use the web interface 151 or the application software interface provided by the system.

153進行操作,如使用Flash技術開發的使用者介面,讓使 用者能依需求將此資訊管理系統建置成如同傳統應用程式 的刼作環境,或是網路應用程式,或是可應用可攜式裝置 的應用程式。 此貪訊管理系統即提供使用者透過上述應用服務層 15所提供的使用者介面,進入企業邏輯層π中的伺服器, 再存取資料層11中的資料,由前端的使用者介面導入各種 物件進行操作。 根據上述架構,本發明之較佳實施例之—敘述如下: 為達到跨平台的作業環境,此資訊管理系統係使用跨 、平台的腦㈣開發環境,透過資料連結層(data c〇nnectlvlty layer)内部的元件(如獅腿,χ·,153 operation, such as the user interface developed using Flash technology, allows users to build this information management system into a production environment like a traditional application, or a web application, or an application portability Application of the device. The credible management system provides a user interface that is accessed by the user through the application service layer 15, enters the server in the enterprise logic layer π, and accesses the data in the data layer 11 to be imported into the user interface of the front end. The object is operated. According to the above architecture, the preferred embodiment of the present invention is described as follows: In order to achieve a cross-platform operating environment, the information management system uses a cross-platform (4) development environment through a data link layer (data c〇nnectlvlty layer). Internal components (such as lion legs, χ·,

Hash R_tmg Wes ),使用標準的資料連結方式(jdbc, ODBC等)連結到資料庫以取γ — . 取钟不同型態的資料。本發明 之貢訊管理系統亦可使用同枵Α冰 +J %、為跨平台的Flash作為使用 者介面開發,透過其中資料管理m , ' 士 μ 7冒 C data management layer ) 來管理前端所使用的資料,將士μ • _由唆端所傳來的標準資料結 200842736Hash R_tmg Wes), using standard data link methods (jdbc, ODBC, etc.) to link to the database to take γ — . The tribute management system of the present invention can also use the same ice ++J% for cross-platform Flash as a user interface development, through which the data management m, 'C μ data management layer' is used to manage the front end. The information, the soldiers μ • _ standard data from the end of the end of the 200842736

構以各種不同的資料型態、文字、影音、 現0 本發明所提供的物件導向之貢_ & 、Constructed with various data types, texts, audio and video, and now the object-oriented tribute provided by the present invention _ &

聯式管理進行所有資料的管理,其中所有的資料^物件關 視為獨立的物件(object ),各種物件皆有其可由卩可以被 訂的屬性(attribute ),使用者可以自訂物件與物用者自 關聯,透過這樣的關聯,系統可以在使用者介面件之間的 依需求呈現各種功能。因為各種獨立的物件之 (Ul)上 建立關聯,故此系統可適用於各種型態的標準可依需求 以下實施例即針對資訊安全管理方面說明,如二度管理, 本發明透過模組化、物件導向式開發的資訊管理了圖所示 盹方塊示意圖,其實施例係針對資訊安全管理中’丁、竦的功 擊分析(21)、資安物件管理(22)、資安政策管2言建種ϊ 咸脅弱點管理(24 )、全面風險分析(25 )、稽核與^平一 (23 )、 文件報表管理(27)等議題提出本方案,列專列特=)·、 1 ·付合各種資訊(安全)管理認證的標準,包括 IS027001、BS7799、IS020000 等。. 舌 2♦全方位多維式的即時風險評估。 3·可依營運流程設定獨立的風險機率。 4. 可依單位狀況調整的營運衝擊分析。 5. 可F返日守依需求產生各類動態内容的個人化文件,文 件内容直接與風險評估結果連結。 6. 可線上編輯並管理各類文件。 7.可依風險控制現況自動產生適用性聲明書 (Statement of Applicability,S0A)。 200842736 8·可線上稽核並答覆的動態内容的個人化稽核清單。 9·可依使用者指派個人化安全控管措施。 1〇.可傲風險評估結杲建議優先資安政策。' 11·可依資安政策成本建議最佳資安政策。 12. 可由线執行的自動倾贿擬演練。 13. 可設㈣尋條件產生多種動態内容的日常報表。 14·可擴充的安全控制措施資料庫。 15. 可擴充的威脅與弱點資料庫。 16. 具備多語言網頁操作介面。 Π.具備電子郵件事件通告功能。 - 18. 可自訂多階層使用者帳號權限。 19. 跨平台系統。 上迷言運銜拏分析(business impactanaiysis) (21) 係ia過本發明之資汛管理系統之營運評估條件之物件,深 入探討霄資訊安全危害事件發生時對營運評估條件在機密 性(confidentiality )、完整性(如哪-办)、可用性 (availability)等各方面對整體營運可能造成的影響; 資訊資產物件管理(information asset management) (22)係將接受檢測的組織營運活動中的資訊資產物件(此 為本發明具體的控管標的)細分複數個類別,並根據運作 流程建立各資訊資產物件間的關聯性,透過此關聯性,能 輕易找出運作流程中最具關鍵性的資訊資產,以及該資訊 資產的潛在風險; 13 200842736 標準條文與控制項管Γ . 
x V security policy & control item management) (23)^¾ lL 一 V、為此貢訊管理系統中針對各種 標準條文以及*標準條文所延㈣,針對狀資訊資產各 ,弱點與2在射相對應的控制措施,且所有的控制措施 可Γ縱檢討的,此系統能在資訊資產物 件被建立的同時,自動判齡姑一 , _ °玄貝亂資產物件可能面臨的風 fe,進而建議適當的控制措施; 威脅弱點管王里(vulnerablllty & threatnl難ge職t) (24 )於此資訊管理系鲚+_ 成脅,此外,更能提供; 王里弱點與威脅資料庫的功能,ft ;^不=擴兄與、交更官 運環境,即時反映組織=二ΓΓ嶋嶋^ 僅炉土卜' a ” 的風,不同於習知技術中 〜月匕1慮/放煎^且恶擴充能力的窘境; 全,險^t(nskassessmeni) (25)可即時針對包 =达|销m、峡營運舰、f崎產、控制措 :貫行肢、各賴冑與伽可能發线料項 丄 ^狀__性,進行分析與評估,讓使用者隨時都i 閱單地找到資訊安全管理最脆弱的一環; 稽核與評估(audlt & evaluatlon) (26)功能根據被 $險評估的結果、稽核人員的工作内容與個人所接觸到的 資讯資產没计出線上存取的,動態内容的個人化稽核清單; 文件報表管理(document & report) (27)係能由夸 ^自動產生各式標準制度所要求的標準文件功能,可依組 織内各人員的工作性質動態產生動態内容的個人化的標準 夂件,因為是根據系統中各物件的現況而動態調整個人應 14 200842736 執行的控制項目,所以文件報表能即時產生並即時反映當 下資安環境的狀態; ' 系統功能設定(system configufation )( 28 )係提供 簡單的操作介面讓使用者設定整個系統中的功能與參數。 請參閱第三圖顯示利用本發明提供的系統與方法所產 生的物件關聯式資訊管理系統架構示意圖,其中顯示多個 獨立的物件,包括: 此例中資訊管理的受評估對象(如公司、機關圑體、 學校等)内資訊安全上的弱點物件(301),此係顯示受評 估對象的各種資訊安全上的弱點,例如資訊硬體上的缺 失、人員可能造成的危害、受評估對象内建置的網路環境 缺失等;另有威脅物件( 302 ),此物件係建立各種資訊安 全上的弱點所可能產生的威脅項目,例如資料竊取、網路 入侵、病毒等可能的威脅。 接著,使用者可利用本物件導向之資訊管理系統建立 上述弱點物件(301)與威脅物件( 302)間的關聯性(311), 因為各物件為獨立管理的物件,故能提供操作此資訊管理 系統的使用者依需求隨時擴充與變更的弱點與威脅資料 庫,並隨時變更弱點與威脅之間的關聯;因為兩者關聯可 隨時調整,故能隨著不斷變動的内外在環境即時改變内 容,進而即時反應受評估對象可能面臨的風險。徹底改變 傳統資訊安全管理制度於進行風險評估時所遭遇因人力限 制而僅能考慮少數威脅的窘境d本發明並不限制於風險評 估的目的,舉凡透過此評估方式的皆為本發明之目的。 15 200842736 另外’此物件導向之資訊管理系統亦同時建立相料认 口種威脅應的控制措施物件⑽),此即針對^㈣ 點與潛在威脅而提出符合標準要求安^弱 、措施’接著,於建立上述弱點物件⑽)與^制 間的關聯性(311)後,此資訊管理孕统 j ( 02) :;(;。3)與上_性(扣)__(,= 點=〇1)、威脅物件(灣與㈣ 二口故能使所有的安全控制措 依據不同的弱點、威脅而被追W。因為此:= 系統由—物件導向式的軟體手 §理 :咖特徵自動判斷該受評估對象可能面= 動建議適當的安全控制措施。-虹的風險,而自 此貧訊管理系統架構示意圖 ίΓ立其他物件(3°4),再接著與上述關= =關聯性(315),讓新增的物件(3〇4)能 土 (3〇2) ( 303^1^ 如為本發明可應用的特定領域的特徵物件, 應用於不同的標準制度中二系、:中,此等特徵物件 不同的關聯性,如或複數個物件,並有 為客戶滿意度調杳&為服務業,則可能設定 16 200842736 另一方面,此資訊管理系統能根據不同的公司、機關 團體、學校等受評估對象規劃出所屬的營運流程,產生此 架構圖中的流程物件( 3050,各流程中更可衍生出不同的 程序,即程序物件( 306),比如各運作流程應有對應之作 業程序,透過此資訊管理系統,可完整將組織營運活動以 流程、流程中的程序、程序中所使用的各種資產等物件以 及各物件之間的關聯予以呈現。 接著,流程物件( 305 )與程序物件( 306)間建立了 關聯性(317),此例中再與前述的物件( 304)建立另一關 聯性(319),之後,根據上述關聯性(315)與此關聯性(319) 間的分析,產生一風險評估物件( 307)。此時,係由此資 
訊管理系統收集衝擊評估條件、弱點、威脅、流程、程序、 資產等資訊進行評估,其間各獨立物件間隨著受評估對象 的營運情況有著不同複雜度的關聯,透過分析,能在複雜 的資訊系統中輕易地找到受評估對象資訊安全管理中最脆 弱的一環。 最後,透過風險評估物件( 307),利用軟體手段能整 合各項資訊,自動產生標準的資訊安全文件,即產生示意 圖中的文件報表物件( 308 ),並可依據各種不同物件的變 動、各人員的變動,產生動態内容的個人化報表與文件。 上述各物件係能根據不同的受評估對象而修正,藉著 抽換其中不同受評估對象的模組’能滿足不同的需求’提 供適合特定對象的標準制度管理的服務。 - 在建立上述風險評估物件( 307)時,本發明所提供 之資訊管理系統提供第四圖所示之風險評估流程示意 17 200842736 圖,並以某公司產品研發設計為例,產品研發之初即可開 始建立風險評估的資料庫。 產品研發設計之初,先有創意,即訂定產品研發設計 流程(41),之後,透過設計建立電子檔,此時即考慮此研 發中的產品對公司資產的變動(43 ); — 接著,因為公司内部員工將對此產品研發產生的電子 檔進行存取,則需考慮其中弱點(45),包括該電子檔有無 安全防護,如檔案加密;包括有無存取控管,即針對此電 子檔,是否有設定存取權限,藉以規範存取人員對該檔的 存取行為;弱點再包括有無備份程序,此關係著檔案損毁 後是否有其他備份可回復; 之後,從各可能弱點中判斷是否有潛在的威脅(47), 如圖式中針對安全防護的項目設定了員工洩密、員工竊 取、廠商洩露資訊、外人竊取、網路入侵與通訊遭攔截等 可能威脅項目; 在各種可能的威脅項目中,以其中再由「通訊遭攔截」 為例,該項目中考慮各種可能產生的風險(49),包括(1) 考慮通訊遭攔截發生的機率;(2)考慮機密性、完整性與可 用性等安全要素的影響層面;(3)營運層面則將會考慮可由 使用者自訂的營運衝擊評估條件,例如到客戶滿意度、作 業停滯時間與財務損失;(4)目前已實施的安全控制措施現 況,例如該公司可能已透過資料交換協定(使用安全的通 訊協定)、電子商務安全(使用全程加密的程序>與網路路 由控制(可藉改變封包路徑降低被攔截的機率)等控制措 施以試圖降低產品研發資料電子檔對公司營運可能帶來的 18 200842736 風險。 ,上述各項目因為彼此有關聯,本發明 段則能有效的評估各種資訊安全上各弱點可能店Ί = 帶來的風險,並即時建議改良措施。 々威月 在系統所提供的使用介面來看,本發 訊管理系統及其方法主要是透過軟體手 ^向之—貝 合,建立各物件之關雜,並透過 =&各物件統 的操作環境,讓使用者對各種評估 {面達成更方便 人員狀況都能-目瞭然,如第五—表、稽核、組織内 之實施例示意圖: 不之本系統評估介面 本發明之評雜馳主要實麵 “ 主,其係為評估—受評估對象中夂广、5險評估」為 對特定:點與咸脅的情況下對所; 執行程度,藉由該使用者介面中的二的有致 係,利用軟體手段計算得出受評D 物件關 評估值)。 泵的矸估值(或風險 圖中使用者介面中顯示各種攔位 目;母個項目前有個 丄亡二中所包括的項 所屬的標號,此利用各物件間—或:^女=目於該攔位中 各欄位包括: <數個關聯性所建立白勺 組織列表「 / 司為名稱;選定’如估對象為-間公司,則以、 運流程列表(‘織列表後,以下攔,顯示組織内夂ΐ 示為人事㈣2),細树單位的業務流程二 莱務、政風室業務與研發室業務等;ϋ中頌 19 200842736 當選定—流程後,程序棚位( 上述選定流程之程序,如選定人事切換嘁示相對於 相關的程序列表(,,此例為人事^淮程序欄則顯示 人力企劃、考核訓練等程序; 〜π準作業程序,有 进疋其中人力企劃後,資產列表# 一 關於所選定人力企㈣序巾所使用 )騰著顯示相 示於此攔位中的員工簡介、。貝產項目,如圖中顯 型電腦A; h人事至貝工A與其使用的桌上 選定此桌上型電腦A後,接著 備未維護、不正確的系統安全設定1[表中减不的设 定、不正確的安全控f設定、缺乏;^確的作業系統設 統更新與無安裝防毒軟體等弱點,^ 作業系 統預設提供,或是由❹者自行設定了 j出的U為系 經選定上述桌上型電腦A後, ( 507)中顯示桌上型n ,將於風險列表 中顯干右人电知叮此面对的相關風險,圖式 中,,、、頁不有人為破壞、惡意破壞資訊及設備、 淹水、惡劣的溫度或濕度與電力中斷等風 二二、 樣可為系統預設提供,或是由使用者自行二 :5定=桌上Α後’同時系統自動^建議控制棚 六、/ 針對電腦Α在面對前述各種弱點與威 背情況下所建議相對的應對控制措施;系統並同時於’已 施之,施攔位(5〇9)顯示對桌上型電腦A已實施的 控繼施及控制措施的實施狀態,關中冑桌上刑 
已貫施的控制措施為「資訊的取得、使用及保管。包 20 200842736 則可能顯示客戶滿咅古對象(組織)為服務業, 特徵列表則可能顯;製造為製造業’此 中的使用者於選二述任一攔位 細節(511); 〜、下所貝目的詳細 一或;每個爛位中包括有 表(502)中的項目與有;關=’如營運流程列 性;程序列表⑼4)中6==1)中㈣目有一關聯 :關;^⑽表㈤)與威脅簡 = = ^ = 再與系統建議控制措施齡^ tThe joint management manages all the data, in which all the data objects are regarded as independent objects, and all the objects have their attributes that can be customized, and the user can customize the objects and objects. Through self-association, through such association, the system can present various functions as required between user interface components. Because of the association between the various independent items (Ul), the system can be applied to various types of standards. According to the following embodiments, the information security management is described. For example, the second management, the present invention is modularized, and the object is The information of the guided development manages the schematic diagram of the block diagram shown in the figure. The embodiment is aimed at the analysis of the power of the Ding, the analysis of the power (21), the management of the security object (22), and the management of the security policy. Kinds of 咸 胁 胁 weakness management (24), comprehensive risk analysis (25), audit and ^ Pingyi (23), document report management (27) and other issues proposed this program, listed special =) ·, 1 · Fuhe information (Security) Management certification standards, including IS027001, BS7799, IS020000, etc. Tong 2♦ Omni-directional multi-dimensional, real-time risk assessment. 3. Independent risk probabilities can be set according to the operational process. 4. Operational impact analysis that can be adjusted according to the unit status. 5. Personalized documents of various dynamic contents can be generated according to the demand, and the contents of the documents are directly linked with the risk assessment results. 6. Various types of files can be edited and managed online. 7. 
The Statement of Applicability (S0A) can be automatically generated according to the current situation of risk control. 200842736 8. Personalized audit list of dynamic content that can be audited and answered online. 9. Personalized security control measures can be assigned by user. 1〇. Proud risk assessment and recommendations for priority capital security policy. '11. The best security policy can be recommended based on the cost of the security policy. 12. An automatic bribery exercise that can be performed by the line. 13. It is possible to set (4) a daily report that generates conditions for generating a variety of dynamic contents. 14. Scalable database of security controls. 15. Expandable threat and vulnerability database. 16. Multi-language web operation interface. Π. E-mail event notification function. - 18. Customizable multi-level user account permissions. 19. Cross-platform system. Business impactanaiysis (21) is an object that evaluates the operational assessment conditions of the asset management system of the invention, and discusses in depth the confidentiality of the operational assessment conditions when the information security hazard event occurs. Integrity (such as where to do), availability, etc., may affect the overall operation; Information asset management (22) is the information asset object in the organization's operational activities that will be tested. (This is a specific control target of the present invention) subdividing a plurality of categories, and establishing an association between information assets according to an operational process, through which the most critical information assets in the operational process can be easily identified. And the potential risks of the information asset; 13 200842736 Standard Provisions and Controls. 
x V security policy & control project management) (23)^3⁄4 lL-V, for the various standard provisions in the tribute management system and * The standard provisions are extended (4), for each of the information assets, the weaknesses and the control measures corresponding to the 2 shots, and all The control measures can be reviewed in a timely manner. This system can automatically judge the age of the information assets when the information assets are created. _ ° Xuanbei chaotic assets may face the wind, and then recommend appropriate control measures; threat weak points Wang Li (vulnerablllty & threatnl difficult to work t) (24) this information management system 鲚+_ Cheng threat, in addition, more available; Wang Li weakness and threat database function, ft; ^ not = expansion brother and And pay more to the official transport environment, and immediately reflect the organization = ΓΓ嶋嶋 ^ ^ only the soil b' a ” wind, different from the traditional technology in the month ~ month 匕 1 concern / put the fried ^ and the ability to expand the dilemma; ^t(nskassessmeni) (25) can immediately target the package = up | pin m, gorge operation ship, faki production, control measures: through the limbs, each of the 胄 胄 and gamma may send the line item 丄 _ _ _, Analyze and evaluate, let users find the most vulnerable part of information security management at any time; Audit and evaluation (audlt & evaluatlon) (26) function according to the results of the risk assessment, the work of the auditors and The information assets that individuals are exposed to do not count online access, dynamic content Personalized audit checklist; document & report (27) is an individual who can automatically generate dynamic content required by various standard systems according to the nature of the work of each person in the organization. 
The standard condition is because the control items executed by the individual should be dynamically adjusted according to the current situation of each item in the system, so the file report can be generated immediately and instantly reflect the status of the current security environment; 'system function setting (system configufation) ) ( 28 ) provides a simple interface for the user to set functions and parameters throughout the system. Please refer to the third figure for a schematic diagram of an object-related information management system architecture generated by the system and method provided by the present invention, which displays a plurality of independent objects, including: In this example, the object of evaluation of information management (such as a company or an organization) Weaknesses in information security (301), which show the various information security weaknesses of the object being evaluated, such as the lack of information hardware, the hazards of personnel, and the built-in of the assessed object. There is a lack of network environment, etc.; there is also a threat object (302), which is a threat that may be generated by various information security vulnerabilities, such as data theft, network intrusion, viruses and other possible threats. Then, the user can use the object-oriented information management system to establish the correlation (311) between the weak object (301) and the threat object (302). Since each object is an independently managed object, the information management can be provided. Users of the system can expand and change the vulnerability and threat database at any time according to their needs, and change the relationship between the vulnerability and the threat at any time; because the relationship between the two can be adjusted at any time, the content can be changed instantly with the changing internal and external environment. In turn, the immediate response to the risk that the subject is likely to face. 
Thoroughly change the traditional information security management system in the risk assessment to encounter only a few threats due to human limitations. The present invention is not limited to the purpose of risk assessment, and all of the evaluation methods are for the purpose of the present invention. 15 200842736 In addition, this object-oriented information management system also establishes control measures (10) for the threat of the threat of the object, which is to meet the standard requirements for the ^(4) point and potential threats. After establishing the relationship between the above-mentioned weak point object (10) and the system (311), this information manages the pregnancy system j ( 02) :; (; 3) and the upper _ sex (deduction) __ (, = point = 〇 1 ), threatening objects (Bay and (4) two, so that all security control measures are chased according to different weaknesses and threats. Because of this: = system by - object-oriented software hand §: coffee features automatically determine the The object to be evaluated may propose appropriate safety control measures. - The risk of the rainbow, and since then the structure of the poor management system Γ 其他 other objects (3 ° 4), and then with the above == correlation (315) Let the new object (3〇4) be able to soil (3〇2) ( 303^1^ as a specific object of the specific field applicable to the invention, applied to the second system of different standard systems, Different characteristics of the object, such as or a plurality of objects, and have customer satisfaction杳 杳 & for the service industry, it may be set 16 200842736 On the other hand, this information management system can plan the operation process according to different companies, organizations, schools and other evaluated objects, and generate the process objects in this architecture diagram. (3050, different processes can be derived from each process, that is, program objects (306). 
For example, every operation process should have corresponding operation procedures. Through this information management system, the organization's operating activities can be fully integrated into the processes, the procedures, the various assets used in the procedures, and so on, and the associations among these objects can be presented. Next, an association (317) is established between the process objects (305) and the program objects (306); in this example another association (319) is established with the aforementioned objects (304), and a risk assessment object (307) is then generated from the analysis of the association (315) and the association (319). The system collects information on impact assessment conditions, weaknesses, threats, processes, procedures, assets and so on, and evaluates the correlations of differing complexity among the individual objects. Through this analysis it is easy to find the most vulnerable part of the information security management of the evaluated object within a complex information system. Finally, through the risk assessment object (307), software can integrate the information of the various items and automatically generate standard information security documents, that is, the document report objects (308) of the schematic diagram, producing personalized reports and documents with dynamic content according to changes in the various objects and changes in individual personnel. These can be modified for different evaluated objects, and the standard management service suited to a specific object can be provided by replacing the modules for different evaluated objects, to meet different needs.

For establishing the risk assessment object (307) described above, the information management system of the present invention provides the risk assessment process shown in the fourth figure, which takes the product development design of a company as an example.
A risk assessment database can be established. At the beginning of product development and design, the product development process (41) is set up. Electronic files are then created through the design work, and at this point the changes (43) in the company's assets caused by the research and development are considered. Because the company's internal staff will access the electronic files produced by this product development, the weaknesses (45) must be considered, including whether the electronic files have security protection such as file encryption; whether there is access control, that is, whether access rights have been set on the electronic files to regulate the access behaviour of the personnel who use them; and whether there is a backup program, which determines whether other copies exist and the files can be recovered after they are destroyed. There are then the potential threats (47); in the figure, the security protection items set up potential threats such as employee leaks, employee theft, vendor disclosure of information, theft by outsiders, network intrusion and communication interception. Taking "communication intercepted" as the example, the item considers the various possible risks (49), including: (1) the probability of the communication being intercepted; (2) the impact on security factors such as confidentiality, integrity and availability; (3) at the operational level, the operational impact assessment conditions acceptable to the user, such as customer satisfaction, job stagnation time and financial loss; and (4) the current status of the security control measures already implemented, for example the company may already have control measures such as data exchange agreements (using secure communication protocols), e-commerce security (using fully encrypted procedures) and network routing control (which can reduce the probability of interception by changing the packet path), in an attempt to reduce the risk that
the electronic files of the product development data may bring to the company's operations. The above items are related to one another, so the risks of the various information security weaknesses, and the improvement measures that can be taken immediately, can be assessed effectively.

The fifth figure is a schematic diagram of an embodiment of the evaluation interface of the present invention. Through the interface provided by the system it can be seen that the management system and its method consist mainly of software means that combine the objects and, through the associations among them, provide an environment in which the user can make various evaluations and easily understand the situation of the personnel and assets in the organization. The evaluation interface evaluates a target, namely the specific weaknesses and potential threats faced by the evaluated object and the degree to which the controls are carried out; through the user's selections in the interface, software means calculate the evaluation value of the target object. The evaluation (or risk) values are shown in the various blocks of the user interface; each block carries a label for the items it contains, and the blocks are linked by one or more associations between the objects. The fields in the blocks include an organization list (501), which lists the organizations established from several associations; if the selected object is a company, its operation process list (502) is selected next.
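As an added illustration (not code from the patent), the object model of the third figure and the risk calculation of the fourth figure can be written as a small Python risk model: weakness objects (301), threat objects (302) and control item objects (303) are independent records linked by associations (311 and 313), the evaluation conditions weight an asset's impact, applied controls reduce a threat's probability, and the risk value in points is recomputed whenever a link or a control's status changes. The asset, weaknesses, threats, controls, probabilities, weights, impact scores and reduction factors are all assumed sample values.

```python
from dataclasses import dataclass

# Added example, not the patent's code. Weakness (301), threat (302) and
# control item (303) objects are independent records; associations 311
# (weakness -> threats) and 313 (weakness/threat -> controls) are kept in
# the model, so changing a link or a control's status changes the result.
# Every name and number below is an assumed sample value.

@dataclass(frozen=True)
class Weakness:
    name: str

@dataclass(frozen=True)
class Threat:
    name: str
    probability: float      # base probability of occurrence, before controls

@dataclass
class Control:
    name: str
    reduction: float        # fraction of the threat probability removed (assumed)
    applied: bool = False   # current implementation status of the control

@dataclass
class Asset:
    name: str
    weaknesses: list
    impact: dict            # evaluation condition -> impact score 0..5 if the threat occurs

class RiskModel:
    def __init__(self, condition_weights):
        self.condition_weights = condition_weights   # evaluation conditions and their weights
        self.threats_of = {}     # association 311: Weakness -> [Threat]
        self.controls_of = {}    # association 313: (Weakness, Threat) -> [Control]

    def link(self, weakness, threat, *controls):
        threats = self.threats_of.setdefault(weakness, [])
        if threat not in threats:
            threats.append(threat)
        self.controls_of.setdefault((weakness, threat), []).extend(controls)

    def unlink(self, weakness, threat):
        threats = self.threats_of.get(weakness, [])
        if threat in threats:
            threats.remove(threat)
        self.controls_of.pop((weakness, threat), None)

    def weighted_impact(self, asset):
        # impact on confidentiality, integrity, availability and the operational
        # conditions, each weighted as the evaluation conditions prescribe
        return sum(self.condition_weights.get(c, 0) * s for c, s in asset.impact.items())

    def effective_probability(self, weakness, threat):
        p = threat.probability
        for ctl in self.controls_of.get((weakness, threat), []):
            if ctl.applied:
                p *= 1.0 - ctl.reduction
        return p

    def evaluate(self, asset):
        """Risk points per (weakness, threat) pair and the asset total."""
        impact = self.weighted_impact(asset)
        rows = {}
        for w in asset.weaknesses:
            for t in self.threats_of.get(w, []):
                rows[(w.name, t.name)] = round(self.effective_probability(w, t) * impact, 2)
        return rows, round(sum(rows.values()), 2)

    def recommended_controls(self, asset):
        """Linked control items not yet applied to the asset's weakness/threat pairs."""
        names = []
        for w in asset.weaknesses:
            for t in self.threats_of.get(w, []):
                for c in self.controls_of.get((w, t), []):
                    if not c.applied and c.name not in names:
                        names.append(c.name)
        return names

def build_example():
    """The fourth figure's product design file, with assumed values."""
    no_encryption = Weakness("no file encryption")
    no_access_control = Weakness("no access control")
    no_backup = Weakness("no backup program")
    intercepted = Threat("communication intercepted", 0.4)
    employee_leak = Threat("employee leak", 0.2)
    secure_protocol = Control("data exchange agreement (secure protocol)", 0.5, applied=True)
    routing = Control("network routing control", 0.2)
    access_rights = Control("access rights on the file", 0.6)
    model = RiskModel({"confidentiality": 3, "integrity": 2, "availability": 1, "financial loss": 2})
    model.link(no_encryption, intercepted, secure_protocol, routing)
    model.link(no_encryption, employee_leak)
    model.link(no_access_control, employee_leak, access_rights)
    design_file = Asset("product design electronic file",
                        [no_encryption, no_access_control, no_backup],
                        {"confidentiality": 5, "integrity": 2, "financial loss": 4})
    return model, design_file, routing

if __name__ == "__main__":
    model, asset, routing = build_example()
    print(model.evaluate(asset), model.recommended_controls(asset))
    routing.applied = True                       # apply one recommended control
    print(model.evaluate(asset))
```

Applying a recommended control or removing an association changes only the affected rows and the total; the weakness with no linked threat (the missing backup) contributes nothing until a threat is linked to it, which is the behaviour the text describes for objects that are managed independently.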
The next block is the process list (502), which shows the organization's operation processes, such as the business of the personnel office and the business of the research and development office, among others. When a process is selected, the program block (503) displays the program list (504) of the procedures belonging to that process; in this example, when the personnel office is selected, the related program list shows procedures such as manpower planning and assessment training. After that, the asset list (505) displays the assets used in the selected personnel procedure; in this example the asset item shown in this block is desktop computer A, used by the personnel in the employee profile. After desktop computer A is selected, the weakness list (506) displays weaknesses such as an unmaintained operating system, incorrect system security settings, incorrect security control settings, missing or incorrect operating system updates and no anti-virus software installed; these weaknesses are preset by the system or selected by the user. After desktop computer A is selected, the risk list (507) also displays the risks involved in this situation, which in the figure include destruction by people, malicious destruction of information and equipment, flooding, bad temperature or humidity and power interruption.
These are likewise provided as system presets or selected by the user. At the same time, the system automatically fills the recommended control measures field (508) with the control measures recommended for desktop computer A in the face of the weaknesses and risks described above, and the applied control measures block (509) shows the implementation status of the control measures already implemented on desktop computer A; in the figure the applied control measure is "acquisition, use and storage of information". The feature list shown depends on the evaluated object (organization): for the service industry it may show customer satisfaction items, for the manufacturing industry it shows manufacturing items. Here the user can select any item to view its details in the region (511). Each block contains the items of its table and is associated with the others: the operation process list (502) is associated with the program list (504); the program list (504) with the asset list (505); the asset list (505) with the weakness list (506) and the risk list (507); and the weakness list (506) and risk list (507) with the recommended control measures field (508) and the applied control measures field (509). The items presented are thus those of the evaluated object and its environment, and the interface offers a convenient view that can be taken in at a glance.

After the above items have been selected, the interface also has a risk assessment region (510), which displays the threats and risks faced by the specific asset of the evaluated object. In this example the asset being evaluated is "desktop computer A", and the threats it may face include unstable power supply, power interruption, earthquake, flooding, fire, bad temperature or humidity and vandalism.
For each asset, in the face of each possible threat item, the information management system evaluates the probability that the threat will occur, the effect it may have on each of the organizational impact assessment conditions when it does occur, and the level of that effect (the risk assessment value is expressed in points); the results can be recorded so that improvement can be observed later, and region 511 displays the history of the risk assessment or the details of each item the user clicks on. The scope of the evaluated object ranges from a single computer to the whole organization. Because the objects in the various fields are associated with one another, changing any one item, or changing the object being evaluated, immediately changes every field and the final evaluation value, producing a different evaluation result.

After the evaluation, the control measures taken to reduce the risk are handled through the audit management interface of this system shown in the sixth figure. This audit management interface uses one or more associations between the objects to establish a plurality of fields with a dynamic link between them. In this example the user should reply in detail to each control requirement in the personalized audit list. With this personalized audit list of dynamic content the audit can be carried out accurately, the audit results can be processed directly online, and the implementation status reported by the audited person for each required control item is fed straight back into the system and reflected in the risk assessment.

In the embodiment of the figure, after employee A of the personnel office (there may be several) has been evaluated, the audit content of the sixth figure is displayed. The top of the user interface shows the basic data of the evaluated object (including the category of the evaluated object,
its superior unit, and so on); in this example the name is employee A of the personnel office. After the risk assessment, the required items (61) are generated automatically: the weakness (601) shows "employee with insufficient skills" for the personnel office staff, the possible threat (602) it produces is "negligence", and the requirement (603) lists the items employee A should be audited on, which in this example include "protection of information", "use of information" and "acquisition, use and custody of information". These audit items can be selected by employee A's supervisor or from the audit items provided by the system, and are not limited to those in the figure. The next field is the status field (604), which shows the employee's state of improvement for each item, where C represents a completed audit and P represents pending, that is, the audit has not yet been passed; finally there is the date (605) on which the C or P status was set. Below is the reference data (63) region, which holds the explanatory content of each required item; clicking one of the items displays, for example, "This requirement item was approved by the department head on March 25", which serves as employee A's reference for the control measure of that requirement.

The seventh figure is a schematic diagram of an embodiment of the control measure management interface of the present invention. Through this interface (the control item management interface) the user presets the control measures recommended for the evaluated object in the face of the various possible weaknesses and threats (one or more items). The information asset type (701) is selected first; in this example the types include "general user", "supervisor" and "technical personnel", and changing the personnel type automatically changes the other fields because of the associations already established among them. Taking information security as the subject, after the personnel type is selected the weaknesses (703) that such personnel may face are displayed, for example "lack of security awareness", "lack of user education and training", "lack of a work negotiation mechanism", "lack of requirements for the use of genuine software", "lack of user awareness promotion" and others; each of these items can be selected from the weakness items provided by the information management system or set by the user. One of them can then be selected, and the related threat items (705) are displayed; in this example they include threat items such as "malicious destruction of information and equipment" and "virus infection". The recommended control measure is then chosen according to the content of the threat and set as the requirement (707).
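As an added illustration (not code from the patent), the control item management interface of the seventh figure and the personalized audit list of the sixth figure can be modelled together in Python: a catalogue links asset type (701) to weaknesses (703), weaknesses to threats (705), threats to recommended control items (707) and control items to their details (709); walking it for a person's type produces the required items (61) with weakness (601), threat (602), requirement (603), status (604), date (605) and reference data (63), and the recorded audit results feed back into the person's risk value. The catalogue contents, the proportional scoring and the sample person are assumed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Added example, not the patent's code. The catalogue below is an assumed sample
# of the associations the text describes; the scoring is one simple choice.

# (701) asset type -> (703) weaknesses for that type
WEAKNESSES_BY_TYPE = {
    "general user": ["lack of security awareness", "employee with insufficient skills"],
    "technical personnel": ["lack of requirements for the use of genuine software"],
}
# (703) weakness -> (705) threats
THREATS_BY_WEAKNESS = {
    "lack of security awareness": ["malicious destruction of information and equipment",
                                   "virus infection"],
    "employee with insufficient skills": ["negligence"],
    "lack of requirements for the use of genuine software": ["virus infection"],
}
# (705) threat -> (707) recommended control items
CONTROLS_BY_THREAT = {
    "malicious destruction of information and equipment":
        ["acquisition, use and custody of information"],
    "virus infection": ["use of information"],
    "negligence": ["protection of information", "use of information",
                   "acquisition, use and custody of information"],
}
# (709) control item -> detailed content
CONTROL_DETAILS = {
    "acquisition, use and custody of information":
        "information is acquired, used and kept according to the organization's policies and procedures",
    "use of information": "information is used only for the purpose the organization assigned",
    "protection of information": "information is protected against unauthorized access and loss",
}

def recommend(asset_type):
    """Seventh figure: walk type -> weaknesses -> threats -> controls (lookup by asset type)."""
    out = []
    for w in WEAKNESSES_BY_TYPE[asset_type]:
        for t in THREATS_BY_WEAKNESS[w]:
            for c in CONTROLS_BY_THREAT[t]:
                out.append((w, t, c))
    return out

@dataclass
class AuditItem:
    weakness: str                        # (601)
    threat: str                          # (602)
    control: str                         # (603)
    status: str = "P"                    # (604) P = pending, C = completed
    status_date: Optional[date] = None   # (605)
    reference: str = ""                  # (63)

def generate_audit_list(person, asset_type):
    """Sixth figure: one required item per control; a control required by several
    weakness/threat pairs is listed once, under the first pair that needs it."""
    items, seen = [], set()
    for w, t, c in recommend(asset_type):
        if c not in seen:
            seen.add(c)
            items.append(AuditItem(w, t, c, reference=CONTROL_DETAILS[c]))
    return {"person": person, "type": asset_type, "items": items}

def record_audit(audit, control, passed, iso_date, reference=None):
    """The audited person's reply: sets status (604), date (605) and reference (63)."""
    for item in audit["items"]:
        if item.control == control:
            item.status = "C" if passed else "P"
            item.status_date = date.fromisoformat(iso_date)
            if reference:
                item.reference = reference
            return item
    raise KeyError(control)

def pending(audit):
    return [i.control for i in audit["items"] if i.status == "P"]

def residual_risk(audit, base_points):
    """Audit result fed back into the risk value: each completed item removes an equal share."""
    n = len(audit["items"])
    done = sum(1 for i in audit["items"] if i.status == "C")
    return round(base_points * (n - done) / n, 2)

if __name__ == "__main__":
    audit = generate_audit_list("employee A", "general user")
    record_audit(audit, "use of information", True, "2007-04-10", "approved by the department head")
    print(pending(audit), residual_risk(audit, 18))
```

Because the audit list is derived from the catalogue rather than stored, changing a weakness-to-threat or threat-to-control association changes the next generated list for every person of that type, which is the dynamic behaviour the text attributes to the associations.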
Within the present invention the asset types can also be worked through in reverse: once the system has established the associations among the object types of information asset, weakness, threat and control item, then whenever the user selects any information asset the system can compare the weaknesses and threats that apply to it and propose recommended control measures. The figure shows that for a user of the "general user" type, who may have the weakness "insufficient security awareness" and may face the resulting threat, the control measure "acquisition, use and custody of information" is recommended; the detailed content (709) of the control measure is displayed in the field, in this example covering the acquisition, use and custody of information: information within any organization must be handled in accordance with the organization's policies and procedures, and the present invention can provide concrete recommendations.

In particular, the weakness items concerning information security in the information security management system described above, and the threat items displayed for those weaknesses, can also be applied to the feature items of other standards; used in different standard systems they will display different items (one or more). If the evaluated object (organization) is in the service industry, items of a customer satisfaction survey may be displayed; if the evaluated object is in manufacturing, the items may display the defect rate of a particular manufacturer.
After the risk assessment, audit management and control item management described above, another important feature of the information management system of the present invention is that document reports of various dynamic contents can be produced at any time according to need. The document generation flow of the invention, shown in the eighth figure, copes with the complexity of the evaluation process and of the evaluated object itself, and must also take legal requirements into account. The documents have the object-oriented characteristic that every part of any standard, such as its foreword and its scope of application, is stored and presented as an object, with associations among the objects. The user selects items through the user interface; with the search function, the relevant control items (objects) can be found through a keyword or a known control measure number (step S801). Next, through the user interface provided, the control items for which a report document is to be produced are chosen from the control items (objects) (step S803), and settings are then made on each control item (step S805). The main feature is that a selected control item can be set as a general control item for everyone who reads the document, or set as a personalized item, in which case the item is suitable only for the personnel related to that control item; the system accordingly produces a general report document applicable to the whole organization or a personalized report document for specific personnel.

The object-oriented information management system of the present invention uses an object-relational management method to manage data; all information in the system can be regarded as independent objects, each kind of object having particular attributes that describe it. The user can then set the associations between objects, and through these associations the system presents the various functions (items) and screens on the user interface described above according to need.
The ninth figure shows the associations among the main objects of the information management system of the present invention (this schematic takes the use of the object-oriented information management system to establish an information security management system as the example, and the objects shown are those suited to this example; the associations between objects are not limited to those shown). Software tools establish the objects for the evaluated object, which include threats (901), probability (902), processes (903), evaluation conditions (904), weaknesses (905), procedures (906), assets (907), control items (908), the audit list (909), risk simulation (911) and cost (912), together with the risk assessment (91) of the evaluated object; after the objects are associated, the document report (90) is produced.

The associations among the objects are as follows. At the start of the risk assessment the evaluation conditions (904) are decided, that is, the applicable conditions are chosen from the various impact assessment conditions, and associations are established between the evaluation conditions and the various processes (903). At the same time the threats (901) that a process (903) may face and their probability of occurrence (902) are evaluated, that is, the probability of each process being affected under the various threats. The operation processes (903) are then established individually; from each operation process (903) the detailed procedures (906) within it can be found, and the procedures include the various assets (907) they affect, such as the company's software and hardware and human resources; an association is established between procedures and assets (907) (the association between processes and assets (907) is established automatically through the procedures). Assets are then linked to weaknesses (905) through the association between assets and weaknesses, and misconduct of personnel, natural disasters or hardware damage also pose threats to the system. In addition, the system establishes control items (908) corresponding to the various threats (901) and the associated weaknesses (905); the main function of the control items (908) is
to propose control measures that meet the standard's requirements in response to the various weaknesses and potential threats. When the objects of an evaluated object change, the evaluation is updated dynamically and a new risk assessment value is produced from the associated objects; a risk assessment carried out independently on one object also affects the other objects associated with it. The control items (908) for the various threats produce the cost (912) the evaluated object must bear. The information management system of the present invention further provides a risk simulation (911) function: the system takes the cost (912) of the controls produced after the risk assessment as a cost parameter, and the user can set other parameters, so that various weaknesses and threats can be simulated to produce the risk simulation (911). This is used to decide the implementation and ordering of the various control measures for cost control; for example, the user can set a change in the probability of a threat and see its effect on the organization's operations, or see the effect of an increase or decrease in budget on the priority of the selected control measures.

In addition, the risk assessment can be used to establish an audit list (909) for each person in the evaluated object. The audit list (909) is a dynamic list produced from the risk assessment, so when particular objects change the list changes with them because of their close associations. A personalized audit list (909) can be established for a person in the evaluated object, or for a business unit or a specific group.

Finally, document reports (90) with dynamic content can be produced at once. Because the present invention uses software tools to establish the various objects according to need and to produce the associations among them, document reports (90) with dynamic content are easy to produce for specific needs, whether for an individual, a business unit or the whole evaluated object.
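As an added illustration (not code from the patent) of the risk simulation (911) and cost (912) objects: each candidate control item (908) carries a cost and the fraction of a threat's probability it removes, the simulation orders the controls by risk reduction per unit of cost within a budget, and the user can change a threat's probability or the budget to see how the order and the residual risk change. The threats, impact points, controls, costs, reduction fractions and budget are assumed values, and the greedy ordering is one simple choice, not a method the patent specifies.

```python
from dataclasses import dataclass

# Added example, not the patent's code. Risk simulation (911): rank control
# items (908) by risk removed per unit cost (912) until the budget is spent.
# All threats, impacts, controls and figures are assumed sample values.

@dataclass
class ThreatRisk:
    name: str
    probability: float      # probability of occurrence (902)
    impact: float           # weighted impact points from the evaluation conditions (904)

@dataclass
class ControlOption:
    name: str
    threat: str             # the threat (901) the control item addresses
    reduction: float        # fraction of that threat's probability removed
    cost: float             # cost (912) of implementing the control

def risk_points(threats):
    """Risk value of the evaluated object: sum of probability x impact."""
    return round(sum(t.probability * t.impact for t in threats.values()), 2)

def simulate(threats, options, budget, probability_changes=None):
    """Greedy plan: repeatedly pick the affordable control with the best
    (risk removed / cost); returns (ordered control names, residual risk, spent).
    Works on copies so the evaluation itself is left unchanged."""
    state = {n: ThreatRisk(t.name, t.probability, t.impact) for n, t in threats.items()}
    for name, p in (probability_changes or {}).items():   # user-set parameter
        state[name].probability = p
    remaining = list(options)
    plan, spent = [], 0.0
    while True:
        best, best_ratio = None, 0.0
        for opt in remaining:
            if spent + opt.cost > budget:
                continue
            t = state[opt.threat]
            removed = t.probability * opt.reduction * t.impact
            ratio = removed / opt.cost
            if ratio > best_ratio:
                best, best_ratio = opt, ratio
        if best is None:
            break
        state[best.threat].probability *= 1.0 - best.reduction
        spent += best.cost
        plan.append(best.name)
        remaining.remove(best)
    return plan, risk_points(state), spent

def sample_evaluation():
    """Assumed result of a risk assessment (91) for one evaluated object."""
    threats = {
        "communication intercepted": ThreatRisk("communication intercepted", 0.4, 27),
        "power interruption": ThreatRisk("power interruption", 0.1, 15),
        "virus infection": ThreatRisk("virus infection", 0.5, 10),
    }
    options = [
        ControlOption("network routing control", "communication intercepted", 0.2, 2),
        ControlOption("full encryption of e-commerce procedures", "communication intercepted", 0.6, 5),
        ControlOption("uninterruptible power supply", "power interruption", 0.8, 4),
        ControlOption("anti-virus software", "virus infection", 0.7, 3),
    ]
    return threats, options

if __name__ == "__main__":
    threats, options = sample_evaluation()
    print(risk_points(threats))
    print(simulate(threats, options, budget=8))
    print(simulate(threats, options, budget=8,
                   probability_changes={"communication intercepted": 0.05}))
    print(simulate(threats, options, budget=4))
```

Lowering the assumed probability of interception (for example after the link is moved onto an internal network) changes which controls the plan selects first, and cutting the budget drops the most expensive control even though it removes the most risk, which is the kind of what-if comparison the text describes for the risk simulation.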
Based on the structure of the objects described above, the main flow of the object-oriented information management method of the present invention is shown in the tenth figure. At the start of the evaluation, the basic data of the evaluated object are established, including human resources, software and hardware and the environment: human resources affect the company's operating efficiency and the risk that software and hardware are used incorrectly, hardware may be damaged or destroyed and cause losses or security weaknesses, and the environment may give rise to threats such as natural and man-made disasters (step S101). Next, the control objects relating to the evaluated object and their details are established, including the security weaknesses and threats each object may produce, such as the objects shown in the ninth figure (step S102), and the associations between the objects are then established (step S103). In particular, the plurality of objects established here are established according to the characteristics of the evaluated object; for example, at least the probability objects, process objects, evaluation condition objects, weakness objects, procedure objects, asset objects and control item objects disclosed in the above embodiment are established. The evaluation (or risk) value is then calculated by software, for example a risk assessment, in which software imports the plurality of objects and performs the calculation (step S104); a personalized audit list with the requirements for one or more persons in the evaluated object is produced (step S105); and a report document is produced (step S106), in which software means import the plurality of objects and, through the associations among them, derive one or more items to be controlled from the selection of objects, producing a document report with dynamic content as shown in the eighth figure.

Unlike the usual technique, in which various reports are produced by manpower, the associations among items are not considered thoroughly, and manpower and material resources are consumed,
the present invention uses a complete database (the basic data) and the associations among the objects, with software tools replacing a large amount of manual calculation: the associations between objects are used for risk assessment through selections in the user interface, and the various audit lists and document reports can be produced at once.

Following the main flow above, the eleventh figure discloses one embodiment. At the start, the basic data are established, namely the data required for the various objects of the information management system disclosed in the ninth figure, including threats, probability, processes, evaluation conditions, weaknesses, procedures, assets and control items (step S111). Next, weakness and threat items are established from the human resources and the software and hardware possessed by the evaluated object, and the association between weaknesses and threats is established (step S113); the associations among the asset categories, weaknesses, threats and control items of the evaluated object are then established (step S115); then the associations between processes and evaluation conditions (step S117), between processes and risk probability (step S119), between assets and weaknesses and threats (step S121), between procedures and assets (step S123), between processes and procedures (step S125) and between the audit and assets (step S127) are established. Finally the best plan is derived from the control measures and their cost (step S129), the software tools provided by the present invention weighing the control measures against their cost. For the risks evaluated as described above, the present invention provides improved control measures, including reducing the security weaknesses and lowering the risk of the evaluated object, and analysing the weaknesses to establish safer operating procedures.

The twelfth and thirteenth figures show flows for implementing control measures on the information security side.
When any object changes, its risk assessment (such as the risk assessment value) also changes. The twelfth figure shows the flow of a risk release: a system for information security control issues a vulnerability notification (step S211), and the information management system disclosed in the present invention receives the vulnerability notification (step S213), issues a patch notice to the relevant personnel of the evaluated object (step S215), and issues the videos, explanations or courses of the awareness education (step S217). After the awareness education is completed and checked through this system, the related weakness and threat evaluations can be corrected, so on completion of the education the points of the personnel in the evaluated object change accordingly (step S219) and the risk assessment value is recalculated (step S221).

In the thirteenth figure, the immediate awareness education flow starts (step S311) by calculating the composite points of each person in the evaluated object (step S313). When a person in the evaluated object applies for a particular item, such as a company e-mail account (step S315), the information management system of the present invention examines whether the person uses e-mail, including past usage, whether the job requires it and education (computer skills), to decide whether to grant the right to use e-mail. The system judges from the person's points whether the required points have been reached, mainly according to the person's job needs (step S317); if the person has the required points, the item is issued (step S319); if not, the system goes on to judge whether education and training should be provided (step S321). This step judges whether the person's job requires the item, taking past usage into account; if it judges that training need not be provided, meaning the person neither has the corresponding points nor can receive training, the person's rights are suspended (step S323) and the system decides not to issue the item; if the system judges that the person can receive training, training is then provided.
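As an added illustration (not code from the patent) of the thirteenth figure's points-based flow (steps S313 to S327) together with the point recalculation the twelfth figure performs after awareness education (steps S219 and S221): the composite points are an assumed weighted sum of the factors the text lists, the required points per item, the sample personnel and the way training raises a factor are assumed, and the risk value is scaled by the points as one simple choice.

```python
from dataclasses import dataclass

# Added example, not the patent's code. Weights, thresholds and personnel are
# assumed sample values; the text names the factors but not their weighting.

WEIGHTS = {"past_usage": 2, "job_need": 3, "computer_literacy": 2, "training_completed": 3}
REQUIRED_POINTS = {"company e-mail": 30}      # item -> points needed to issue it

@dataclass
class Person:
    name: str
    factors: dict                # factor name -> score 0..5
    suspended: bool = False

def composite_points(person):
    """Step S313: composite points of one person."""
    return sum(WEIGHTS[f] * person.factors.get(f, 0) for f in WEIGHTS)

def decide(person, item, training_available):
    """Steps S315 to S323: 'grant' issues the item (S319), 'train' sends the
    person to education first (S325), 'suspend' withholds the item (S323)."""
    if person.suspended:
        return "suspend"
    if composite_points(person) >= REQUIRED_POINTS[item]:
        return "grant"
    # S321: training only if the job needs the item and training can be given
    if person.factors.get("job_need", 0) == 0 or not training_available:
        person.suspended = True
        return "suspend"
    return "train"

def complete_training(person, module_points):
    """Steps S325 to S327 (and S219): training raises one factor; points are recalculated."""
    current = person.factors.get("training_completed", 0)
    person.factors["training_completed"] = min(5, current + module_points)
    return composite_points(person)

def recompute_risk(person, base_risk):
    """Step S221: the person's risk value falls as the composite points rise."""
    max_points = 5 * sum(WEIGHTS.values())
    return round(base_risk * (1 - composite_points(person) / max_points), 2)

if __name__ == "__main__":
    a = Person("employee A", {"past_usage": 3, "job_need": 4, "computer_literacy": 2})
    print(composite_points(a), decide(a, "company e-mail", True))
    print(complete_training(a, 3), decide(a, "company e-mail", True), recompute_risk(a, 40))
```

The same decision function handles the three outcomes of the figure, and the recalculation after training is what lets the next request for the same item pass without a new evaluation of the rest of the objects.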
The network issues educational training content videos, documents or educational training through educators (step S325), and recalculates the points of the person upon completion (step S327). In conjunction with the above-mentioned methods of risk release and education training, it is more able to provide a complete information management environment for the evaluated objects. In summary, the present invention is an object-oriented information management system and method thereof, which are software modules developed by object-oriented technology, respectively performing characteristics existing in an object to be evaluated, by which the correlation between the objects is Generate dynamic audit reports and control measures. However, the above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Therefore, equivalent structural changes in the description and the contents of the present invention are included in the present invention. Within the scope of the agreement, Chen Ming. 〃 [Simple description of the diagram] The first figure shows the architecture of the information management system oriented by the object of the present invention; the second figure shows the functional block of the modularized, object-oriented information management system of the present invention. 
The figure shows a schematic diagram of the structure of the related information management system of the object of the present invention; the fourth figure shows the schematic diagram of the risk assessment process of the present invention; the fifth figure shows the schematic diagram of the embodiment of the evaluation interface of the present invention: 32 200842736 A schematic diagram of an embodiment of an audit management interface of the present invention is shown; Le 7 is a schematic diagram of an embodiment of a control item management interface of the present invention; '=Nine diagram shows the schematic diagram of the relationship between the main objects of the present invention; the tenth figure is the flow chart of the steps of the information management method of the present invention; the material-picture is the flow chart of the implementation method of the invention method; The flow chart of the steps for issuing the risk of the invention of the invention is: - thirteenth = the invention of the present invention, the method of instant propaganda of the education method, step by step chart, the description of the main components, the data layer 11 Enterprise Logic Layer 13 Application Service Layer 15 Database in Bunker Source 113 Web Server 131 Threat Object 302 Object 304 Program Object 306 Document Report Object 308 Operational Impact Analysis 21 Security Policy Management 23 Comprehensive Risk Analysis 25 Application System Server 133 Interface 151 Application software interface 153 Weak point object 301 Control item 3〇3 Process object 305 Risk assessment object 3〇7 Relevance 311, 313, 315, 317, 319 Gongan object management 22: Threat vulnerability management 24 Audit and evaluation 26 33 200842736 Document report management 27 System Function Settings 28 Process 41 Change 43 Vulnerability 45 ' Risk 49 Threat 47 Organization List 501 Process List 502 Program Shop 5 0 3 Sequence Listing 504 Asset List 505 Weakness List 506 Risk List 507 Measure 
Field 508, 509 Risk Assessment Area 510 Area 511 Requirement Item 61 Reference 63 Weakness 601 Threat 602 Requirement 603 Date 605 Status Intercept 604 Category 701 Weakness 703 Threat 705 Details 709 Requirements 707 Threat 901 Probability 902 Process 903 Evaluation Condition 904 Weakness 905 Procedure 906 Asset 907 Control 908 Audit List 909 Risk Simulation 911 Cost 912 Risk Assessment 91 Document Statement 90 34

Claims (1)

Claims:

1. An object-oriented information management system, built by means of object-oriented software, in which each item of data in the information management system is an independent object, comprising:
an evaluation means, which imports a plurality of objects through the software means, each object having one or more associations with the others, and links the objects through the fields of an evaluation interface to obtain an evaluation value for an evaluated object;
an audit means, which imports a plurality of objects through the software means and, through an audit management interface and the associations among the objects, proposes one or more audit lists for one or more persons in the evaluated object;
a control item management means, which imports a plurality of objects through the software means and, through the associations among the objects, displays the one or more control items missing from the evaluated object; and
a document report means, which imports a plurality of objects through the software means and, after auditing and the generation of control items, obtains one or more control items from the selection of objects through a user interface according to the associations among the objects, so as to produce a document report with dynamic content.

2. The object-oriented information management system of claim 1, wherein the objects include at least a plurality of feature objects.

3. The object-oriented information management system of claim 2, wherein the feature objects, as applied to an information security management system, include a threat object, a weakness object, a probability object, a process object, an evaluation condition object, a procedure object, an asset object and a control item object.

4. The object-oriented information management system of claim 1, wherein the evaluation interface uses the one or more associations among the objects to establish a plurality of fields, with a dynamic link between the fields.

5. The object-oriented information management system of claim 4, wherein the plurality of fields includes at least:
a process field, which displays the evaluated object and its related processes; when one process is selected, the remaining fields change dynamically according to the associations among the objects;
a procedure field, which displays the procedures belonging to that process;
an asset list, which displays the asset items related to that procedure;
a plurality of feature lists, which display the features of the standards introduced by the evaluated object; and
a further list, which displays the […] that the information management system has established for the risk; the lists comprise a plurality of objects, with associations among them.

6. The object-oriented information management system of claim 5, wherein the feature lists, as applied to an information security management system, are a weakness list displaying the weaknesses of the asset item and a risk list displaying the risks related to the asset item.

7. The object-oriented information management system of claim 1, wherein the audit management interface uses the one or more associations among the objects to establish a plurality of fields, with a dynamic link between the fields.

8. The object-oriented information management system of claim 7, wherein the fields include:
a basic data field, which displays the basic data; when the evaluated object is selected, the remaining fields change dynamically according to the associations among the objects;
an audit item field, which displays the items to be audited, proposed according to the weaknesses of the evaluated object and the threats it may face;
a status field, which displays the improvement status corresponding to each audit item; and
a description field, which displays the description of the required item.

9. The object-oriented information management system of claim 1, wherein the control item management interface uses the one or more associations among the objects to establish a plurality of fields, with a dynamic link between the fields.

10. The object-oriented information management system of claim 9, wherein the fields include:
a category field; when one category is selected, the remaining fields change dynamically according to the associations among the objects;
a plurality of feature items, which display the various features of the standards introduced by the evaluated object; and
a control measure field, which displays the various control measures associated with that item.

11. The object-oriented information management system of claim 10, wherein the feature items, as applied to an information security management system, include a weakness item displaying a weakness in information security and a threat item displaying the threat related to that weakness.

12. An object-oriented information management method, implemented through object-oriented software, in which each item of data processed is an independent object, the method comprising the steps of:
establishing the basic data of an evaluated object;
establishing a plurality of objects of the evaluated object and the associations among those objects;
performing an evaluation, by importing the plurality of objects through the object-oriented software and computing an evaluation value;
generating an audit list, by importing a plurality of objects through the object-oriented software and proposing one or more audit lists for one or more persons in the evaluated object; and
generating a document report, by importing a plurality of objects through the object-oriented software, obtaining one or more control items from the selection of objects and, through the associations among the objects, selecting one or more of those control items so as to generate the document report dynamically.

13. The object-oriented information management method of claim 12, wherein the step of establishing a plurality of objects establishes at least a plurality of feature objects for the evaluated object.

14. The object-oriented information management method of claim 13, wherein the feature objects, as applied to an information security management method, include a threat object, a weakness object, a probability object, a process object, an evaluation condition object, a procedure object, an asset object and a control item object.

15. The object-oriented information management method of claim 12, wherein computing the evaluation value is computing an information security risk assessment value.

16. The object-oriented information management method of claim 12, wherein the step of generating the dynamic-content report file comprises:
deriving the related objects from a database;
selecting the objects appropriate for generating the report file;
setting a chapter number on each object; and
generating the dynamic-content report file.

17. An object-oriented information management method, implemented by an information management system through object-oriented software, in which each item of data processed is an independent object, the method comprising the steps of:
establishing the basic data of an evaluated object, including the data required for a threat object, a probability object, a process object, an evaluation condition object, a weakness object, a procedure object, an asset object and a control item object;
establishing the weaknesses and possible threat items from the human resources and the hardware and software owned by the evaluated object;
establishing the association between the weakness object and the threat object;
establishing the associations among the asset object, the weakness object, the threat object and the control item object of the evaluated object;
establishing the association between the process object and the evaluation conditions;
establishing the association between the process object and the probability object;
establishing the associations among the asset object, the weakness object and the threat object;
establishing the association between the procedure object and the asset object;
establishing the association between the process object and the procedure object;
establishing the association between the process object and the asset object;
performing a risk assessment to produce a risk assessment value;
dynamically generating an audit list; and
generating a report file.

18. The object-oriented information management method of claim 17, wherein the step of generating the dynamic-content report file comprises:
deriving the related objects from the database;
selecting the objects appropriate for generating the report file;
setting a chapter number on each object; and
generating the dynamic-content report file.

19. The object-oriented information management method of claim 17, wherein the risk assessment value also changes when an object changes, the steps further comprising:
an information security system issuing a vulnerability notification;
the information management system receiving the vulnerability notification;
issuing the patching notice to each relevant person in the evaluated object;
issuing the videos, descriptions or […] of the education;
after the education has been completed, checking through the information management system;
correcting the parameters related to the risk assessment; and
recalculating the risk assessment value.

20. The object-oriented information management method of claim 17, wherein the information management method further comprises education training steps including:
computing a comprehensive score for each person in the evaluated object;
when a person in the evaluated object requests an item, determining whether that person's score reaches the required score;
if the person's score reaches the required score, dispatching the requested item; if not, determining whether the person needs education training;
if the person does not need education training, not dispatching the item; if it is judged that the person can receive education training, carrying out the education training; and
recalculating the person's comprehensive score upon completion.
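As an added illustration of the object model in the claims above (example code written for this page, not the patentee's software), the following Python builds the asset, weakness, threat, control item and process objects of claims 3 and 17, derives a risk assessment value from their associations, lists the missing control items of claim 1 and the audit items of claim 8, re-computes the value when a vulnerability notification arrives as in claim 19, and emits a chapter-numbered report as in claim 16. The class names, the multiplicative risk formula, the control "effectiveness" factor and every sample asset, weakness, threat and probability below are assumptions; the patent specifies none of them.

```python
"""Added example: object-oriented ISMS risk model. Not the patent's code;
class names, risk formula, effectiveness factor and sample data are assumed."""
from dataclasses import dataclass, field


@dataclass
class Threat:            # threat object, with its probability object folded in
    name: str
    probability: float   # assumed likelihood in [0, 1]


@dataclass
class Vulnerability:     # weakness object, associated with the threats that exploit it
    name: str
    severity: int        # assumed scale 1..5
    threats: list = field(default_factory=list)


@dataclass
class ControlItem:       # control item object, associated with the weaknesses it covers
    name: str
    mitigates: set
    effectiveness: float  # assumed fraction of risk removed once implemented
    implemented: bool = False


@dataclass
class Asset:             # asset object, associated with its weaknesses
    name: str
    value: int           # assumed business impact 1..5
    vulnerabilities: list = field(default_factory=list)


@dataclass
class Process:           # process object, associated with the assets it relies on
    name: str
    assets: list


class RiskModel:
    def __init__(self, processes, controls):
        self.processes = processes
        self.controls = controls

    def assets(self):
        """Assets reached through the process associations, each counted once."""
        seen = {}
        for p in self.processes:
            for a in p.assets:
                seen[a.name] = a
        return list(seen.values())

    def _reduction(self, vuln):
        # strongest implemented control covering this weakness (assumption: no stacking)
        return max((c.effectiveness for c in self.controls
                    if c.implemented and vuln.name in c.mitigates), default=0.0)

    def risk_value(self):
        """Claim 17: risk assessment value = sum of impact * severity * probability,
        reduced where an implemented control item covers the weakness."""
        total = 0.0
        for a in self.assets():
            for v in a.vulnerabilities:
                for t in v.threats:
                    total += a.value * v.severity * t.probability * (1 - self._reduction(v))
        return total

    def missing_controls(self):
        """Claim 1: control items that cover a present weakness but are not implemented."""
        present = {v.name for a in self.assets() for v in a.vulnerabilities}
        return sorted(c.name for c in self.controls
                      if not c.implemented and c.mitigates & present)

    def audit_list(self):
        """Claim 8: one audit item per (asset, weakness, threat) with an improvement status."""
        return [(a.name, v.name, t.name, "controlled" if self._reduction(v) > 0 else "open")
                for a in self.assets() for v in a.vulnerabilities for t in v.threats]

    def receive_vulnerability_notification(self, asset_name, vuln):
        """Claim 19: a notified weakness is attached to its asset and the value is recomputed."""
        for a in self.assets():
            if a.name == asset_name:
                a.vulnerabilities.append(vuln)
                return self.risk_value()
        raise KeyError(asset_name)

    def report(self, process):
        """Claim 16: select the objects related to a process, number them, emit lines."""
        lines = []
        for chapter, a in enumerate(process.assets, 1):
            lines.append(f"{chapter}. Asset {a.name} (value {a.value})")
            for i, v in enumerate(a.vulnerabilities, 1):
                lines.append(f"{chapter}.{i} Weakness {v.name}: threats "
                             f"{[t.name for t in v.threats]}")
        return lines


def build_sample_model():
    """Constructed sample data for the example (not taken from the patent)."""
    exploit = Threat("remote-exploit", 0.5)
    stuffing = Threat("credential-stuffing", 0.25)
    webmail = Vulnerability("unpatched-webmail", 3, [exploit])
    weak_pw = Vulnerability("weak-passwords", 2, [stuffing])   # shared by two assets
    mail = Asset("mail-server", 4, [webmail, weak_pw])
    hr_db = Asset("hr-database", 5, [weak_pw])
    payroll = Process("payroll", [hr_db, mail])
    controls = [
        ControlItem("patch-management", {"unpatched-webmail"}, 0.5),
        ControlItem("password-policy", {"weak-passwords"}, 0.5, implemented=True),
    ]
    return RiskModel([payroll], controls), payroll
```

With the sample data the initial value is 8.25 and `missing_controls()` names only `patch-management`; implementing it halves the webmail term (5.25), a notified weakness on the mail server raises the value again, and lowering its severity after the patch notice brings it back down, which is the "value changes with the objects" behaviour of claim 19.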
TW096113395A 2007-04-16 2007-04-16 Object-oriented information management system and the method TWI340924B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW096113395A TWI340924B (en) 2007-04-16 2007-04-16 Object-oriented information management system and the method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW096113395A TWI340924B (en) 2007-04-16 2007-04-16 Object-oriented information management system and the method

Publications (2)

Publication Number Publication Date
TW200842736A true TW200842736A (en) 2008-11-01
TWI340924B TWI340924B (en) 2011-04-21

Family

ID=44822100

Family Applications (1)

Application Number Title Priority Date Filing Date
TW096113395A TWI340924B (en) 2007-04-16 2007-04-16 Object-oriented information management system and the method

Country Status (1)

Country Link
TW (1) TWI340924B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI482047B (en) * 2012-11-06 2015-04-21 Inst Information Industry Information security audit method, system and computer readable storage medium for storing thereof
TWI682281B (en) * 2015-09-15 2020-01-11 日商日本電氣股份有限公司 Information processing device, information processing method and computer readable recording medium
TWI834961B (en) * 2021-03-24 2024-03-11 國立臺北護理健康大學 System, method, and user equipment assisting administrative audit on nursing care quality

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI482047B (en) * 2012-11-06 2015-04-21 Inst Information Industry Information security audit method, system and computer readable storage medium for storing thereof
TWI682281B (en) * 2015-09-15 2020-01-11 日商日本電氣股份有限公司 Information processing device, information processing method and computer readable recording medium
US10922417B2 (en) 2015-09-15 2021-02-16 Nec Corporation Information processing apparatus, information processing method, and program
TWI834961B (en) * 2021-03-24 2024-03-11 國立臺北護理健康大學 System, method, and user equipment assisting administrative audit on nursing care quality

Also Published As

Publication number Publication date
TWI340924B (en) 2011-04-21

Similar Documents

Publication Publication Date Title
Salimon et al. Malaysian SMEs m-commerce adoption: TAM 3, UTAUT 2 and TOE approach
Mbogo The impact of mobile payments on the success and growth of micro-business: The case of M-Pesa in Kenya
Hoang et al. Towards an economic recovery after the COVID-19 pandemic: empirical study on electronic commerce adoption of small and medium enterprises in Vietnam
Owusu et al. Determinants of business intelligence systems adoption in developing countries: An empirical analysis from Ghanaian Banks
Rezaei et al. Examining online channel selection behaviour among social media shoppers: a PLS analysis
US20080183520A1 (en) Methods and apparatus for evaluating an organization
Cereola et al. Breach of data at TJX: An instructional case used to study COSO and COBIT, with a focus on computer controls, data security, and privacy legislation
Hardy et al. Chain reaction: A strategic approach to addressing employment noncompliance in complex supply chains
Pasaoglu Analysis of ERP usage with technology acceptance model
Castillo et al. Finding differences among construction companies management practices and their relation to project performance
Kholid et al. Determinants of Mobile Accounting App Adoption by Micro, Small, and Medium Enterprise in Indonesia
Tewamba et al. Effects of information security management systems on firm performance
Smith et al. Understanding and prioritizing technology management challenges
Chanani et al. Challenges to increasing visibility and support for children in Bangladesh's informal ready‐made garment factories
Mohamed A process based approach software certification model for agile and secure environment
TW200842736A (en) Object-oriented information management system and the method
BR112019022350A2 (en) computerized method for determining impact measurement scores based on consumer transactions; and network-based system to determine impact measurement scores based on consumer transactions
Bovim et al. ITIL adoption in South African: A capability maturity view
Deschene Embracing security in all phases of the software development life cycle: A Delphi study
Lee et al. The effects of industry classification on a successful ERP implementation model
Luo et al. Empirical research on consumers' initial trust and gender differences in B2C e-business
Porter et al. Whistleblowing as a new regulatory instrument in global governance: the case of tax evasion
Hira Threads of despair: An argument for the public option in garment governance
Presley Effective Cybersecurity Risk Management in Projects
Ahmed et al. The Effect of 30 Global Risk on SME Performance in Pakistan: The Role of Entrepreneurial Orientation

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees