TW200947325A - Risk management system of information security and method thereof - Google Patents


Info

Publication number
TW200947325A
Authority
TW
Taiwan
Prior art keywords
risk
information
information security
asset
risk management
Application number
TW97117641A
Other languages
Chinese (zh)
Inventor
you-zhi Wei
Hao-Yang Zheng
Hui-Ru Liao
You-Ling Xie
Can-Xiong Liu
Original Assignee
Chunghwa Telecom Co Ltd
Priority date
2008-05-14
Filing date
2008-05-14
Publication date
2009-11-16

Landscapes

  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

A risk management system for information security and method thereof are disclosed. The system includes an asset evaluation sub-system, a risk evaluation sub-system for information security, a risk processing sub-system for information security, and a risk assessment knowledge base. This invention utilizes computers to perform risk analysis, assessment, processing and planning for information security according to collected information assets and the risk information thereof to speed up the procedure of risk management for information security and effectively evaluate the risk of information security.

Description

IX. Description of the Invention

[Technical Field]

The present invention relates to an information security risk management system and method, and in particular to a system and method that effectively reduces the execution time of information security risk analysis, assessment and treatment planning while providing effective control.

[Prior Art]

Information security risk assessment is used to assess an organization's information security risk when introducing an Information Security Management System (ISMS). When certifying against ISO/IEC 27001, information security risk assessment is a mandatory audit item, so risk assessment occupies an important place in the ISMS. ISO/IEC 27001, ISO/IEC 17799, CNS 17799, CNS 27001 and ISO/IEC 13335 all describe information security risk assessment, and BS 7799-3 further proposes guidelines for information security risk management; their main purpose is to provide a process that can be followed when implementing information security risk assessment.

Before this application, the existing practice for information security risk analysis and assessment collected data mostly in spreadsheet form, with no unified collection format. Relying on manual work without the support of an effective tool makes data collection lengthy and execution inefficient. Because the collection and assessment process is cumbersome, and reference information and supporting suggestions are lacking, the risk assessment process is easily impaired, which distorts the prioritization of information security controls and risk-improvement actions, so that limited resources are not concentrated on the genuinely high-risk areas.

Moreover, because risk assessment must be repeated to achieve effective management, it is re-executed at fixed intervals; without systematic tool support it is difficult to show the differences and effectiveness between successive risk assessment runs, and the manpower and time costs are also hard to reduce effectively.

It can thus be seen that the conventional approaches still have many shortcomings, are not a sound design, and urgently need improvement: an effective tool is needed for performing information security risk assessment and maintaining its ongoing management, so as to satisfy the various needs of information security risk assessment.

In view of the shortcomings of the conventional approaches, the inventors sought to improve and innovate, and after years of painstaking research successfully developed the present information security risk management system and method.

[Summary of the Invention]

The object of the present invention is to provide an information security risk management system and method that effectively addresses the difficulties encountered in information security risk assessment, so that information assets are collected systematically and a simple operating platform is provided for asset evaluation.

A second object of the present invention is to provide an information security risk management system and method offering a complete solution for identifying the vulnerabilities in information assets or business processes, the severity of their occurrence, the threats they may face, and the probability of those threats occurring.

Another object of the present invention is to provide an information security risk management system and method that integrates vulnerability and threat options, provides a choice of controls, and converts them into report documents, reducing the difficulty and time of writing a risk treatment plan.

A further object of the present invention is to provide an information security risk management system and method that meets the information security risk assessment requirements of ISO/IEC 27001.

The information security risk management system and method that achieve the above objects use a computer to perform information security risk analysis, assessment and treatment planning based on the collected information assets and their risk data, thereby accelerating the information security risk management procedure and effectively assessing information security risk. The system comprises the following modules:

- An asset evaluation subsystem, whose main function is to provide a user interface for collecting information assets. It guides the user to group the appropriate assets by type into the information asset groups the user needs, and provides an asset evaluation function that helps the user decide the evaluation rules for information assets. It then performs the evaluation, assesses the value of the collected information assets, and processes the resulting asset values through an appropriate normalization procedure.

- An information security risk assessment subsystem, whose main function is to define information security risk levels, the impact levels of a vulnerability's occurrence, the likelihood levels of a threat's occurrence and the risk assessment items, and to provide a risk assessment formula assistant that helps the user determine the information security risk calculation formula. The user can adjust the formula and its weights to individual needs, which assists the risk assessment of information assets. The subsystem can also print the completed risk assessment result report, for use in auditing the execution of the information security risk assessment.

- An information security risk treatment subsystem, whose main function is to assist in risk treatment planning. The user can select or customize the controls for a vulnerability, and based on the selected controls and the category of the information asset the subsystem provides risk treatment suggestions, with a concise consolidation and editing function that helps the user edit the risk treatment proposal. The user can further export the risk treatment plan as a document according to work needs, to serve as supporting evidence for information security management review and approval by the management committee.

- A risk assessment knowledge base, a database that stores information asset classification aids, vulnerability and potential threat information, risk assessment calculation formulas and auxiliary options. The controls, risk treatment suggestions and risk treatment proposals of the information security risk treatment subsystem are also included in this knowledge base.

[Detailed Description]

Refer to Figure 1, the system architecture diagram of the information security risk management system and method of the present invention. Its main components are: the asset evaluation subsystem 1, the information security risk assessment subsystem 2, the information security risk treatment subsystem 3 and the risk assessment knowledge base 4. The subsystems operate as follows. First, the asset evaluation subsystem 1 is responsible for collecting and evaluating asset information, including: (1) providing a user interface for collecting information assets, guiding the user to group the appropriate assets by type into the information asset groups the user needs; (2) providing the asset evaluation function and the evaluation rules for assets, and performing the evaluation of information assets to determine the value of the collected information assets; (3) processing the evaluated information assets through an appropriate normalization procedure; (4) importing the processed data into the risk assessment knowledge base 4 for storage.

After the asset evaluation is complete, the information security risk assessment subsystem 2 performs the risk assessment of the evaluated assets, including: (1) providing the definitions of the information security risk levels, the impact levels of a vulnerability's occurrence, the likelihood levels of a threat's occurrence and the risk assessment items; (2) providing a risk assessment formula assistant for performing the risk assessment of information assets; (3) providing a printed risk assessment result report as an output document, for use in auditing the execution of the information security risk assessment.

After the information security risk assessment is complete, the risk assessment results are finally handed to the information security risk treatment subsystem 3 for processing, with the processing results of each subsystem and the auxiliary information they need stored in or supplied by the risk assessment knowledge base 4. The functions of the components include: (1) letting the user select or customize the vulnerability controls determined by the information security risk assessment subsystem 2; (2) providing risk treatment suggestions and feasible risk treatment recommendations based on the selected controls and the category of the information asset; (3) providing a concise consolidation and editing function that helps the user edit the risk treatment proposal; (4) letting the user export the risk treatment plan results as a document according to work needs, to serve as supporting evidence for information security management review and approval by the management committee; (5) storing information such as the vulnerability controls of the risk treatment plan in the risk assessment knowledge base 4.

Refer to Figure 2, the operational flowchart of the information security risk management system and method of the present invention. As the figure shows, the steps comprise:

(A) Collect asset information 101: the information assets are collected through the interface provided by the asset evaluation subsystem 1 and then imported into the risk assessment knowledge base 4.

(B) Evaluate information assets 102: the information assets collected in 101 are evaluated; the value of an information asset may be defined qualitatively or quantitatively, after which it is imported into the risk assessment knowledge base 4.

(C) Normalize assets 103: after the information asset evaluation has been performed, the evaluation data is processed by a normalization procedure that divides asset values into the desired qualitative asset levels, which are then entered into the risk assessment knowledge base 4.

(D) Identify vulnerabilities and threats 201: after the asset evaluation subsystem 1 has run, this procedure finds the possible vulnerabilities and possible threats of the information assets; the interface assists in selecting vulnerability information and possible threats.

(E) Assess impact and likelihood 202: once the possible vulnerabilities and threats are found, determine the degree of business impact of a risk arising from the vulnerability and the likelihood that the threat will cause the risk to occur.

(F) Set the acceptable risk level 203: by setting an acceptable risk level, decide which risks need treatment and the priority of their treatment.

(G) Check against the acceptable risk level 301: this procedure judges whether the risk is acceptable; if the risk level is below the acceptable risk level no treatment is needed, and if it is unacceptable, risk treatment is required and the subsequent risk treatment procedure is entered.

(H) Select controls 302: when the asset's risk is above the acceptable risk level, it must be reduced, and appropriate security controls are selected for the vulnerabilities and threats of that asset's risk.

(I) Decide the risk treatment method 303: after the control selection 302 has been performed, possible risk treatment methods and their procedures are chosen according to the controls; the treatment may be to reduce the risk, transfer the risk or avoid the risk.

(J) Produce the risk treatment plan 304: after the control selection 302 and the decision on the risk treatment method 303, the risk assessment knowledge base 4 is queried and the risk treatment plan is produced.

(K) Assess residual risk 305: based on the results of implementing the risk treatment plan, the degree of impact caused by the vulnerabilities of each information asset and the likelihood of the threats are assessed again, related risks such as legal and regulatory requirements and contractual obligations are taken into account, and it is measured whether the risk has actually been reduced after the controls were implemented, to determine whether it meets the acceptable risk level.

Compared with other conventional techniques, the information security risk management system and method provided by the present invention have the following advantages:

1. The present invention collects information assets systematically and provides a simple operating platform for asset evaluation.

2. The information asset values of the present invention can be normalized, converting quantitative asset values into qualitative asset values.

3. The present invention provides a complete solution for identifying the vulnerabilities in information assets or business processes, the severity of their occurrence, the threats they may face, and the probability of those threats occurring.

4. The present invention integrates vulnerability and threat options, provides a choice of controls, and converts them into report documents, reducing the difficulty and time of writing a risk treatment plan.

5. The present invention meets the information security risk assessment requirements of ISO/IEC 27001.

The detailed description above is a specific description of one feasible embodiment of the present invention; that embodiment is not intended to limit the patent scope of the present invention, and any equivalent implementation or modification that does not depart from the technical spirit of the present invention shall be included in the patent scope of this application.

In summary, this application is genuinely innovative in its technical concept and improves upon conventional articles in the several respects described above; it should fully satisfy the statutory requirements of novelty and inventive step for an invention patent, and the application is therefore filed in accordance with the law, with the respectful request that the Office approve this invention patent application to encourage invention.

[Brief Description of the Drawings]

Figure 1 is the system architecture diagram of the information security risk management system and method of the present invention; and Figure 2 is the operational flowchart of the information security risk management system and method.

[Description of Reference Numerals]

1 asset evaluation subsystem
2 information security risk assessment subsystem
3 information security risk treatment subsystem
4 risk assessment knowledge base
101 collect asset information
102 evaluate information assets
103 normalize assets
201 identify vulnerabilities and threats
202 assess impact and likelihood
203 set the acceptable risk level
301 check against the acceptable risk level
302 select controls
303 decide the risk treatment method
304 produce the risk treatment plan
305 assess residual risk

Claims (1)

X. Claims

1. An information security risk management system which, based on collected information assets and their risk data, uses a computer to perform information security risk analysis, assessment and treatment planning so as to accelerate the information security risk management procedure and effectively assess information security risk, comprising:
- an asset evaluation subsystem, for assisting in the collection of information assets and assisting in the evaluation of information assets;
- an information security risk assessment subsystem, for defining an asset's information security risk level, the degree of impact of a vulnerability's occurrence and the likelihood of a threat's occurrence;
- an information security risk treatment subsystem, for providing a choice of controls, deciding the vulnerability control measures, and providing risk treatment suggestions based on the selected controls and the asset category;
- a risk assessment knowledge base, for providing information asset classification aids, vulnerability and threat information, risk assessment calculation formulas and auxiliary selections.

2. The information security risk management system of claim 1, wherein the asset definition of the asset evaluation subsystem includes a single asset or a group composed of multiple assets.

3. The information security risk management system of claim 1, wherein the asset value in the asset evaluation subsystem is defined in a qualitative or quantitative manner.

4. The information security risk management system of claim 1, wherein the asset evaluation subsystem further determines an asset's classification category according to user needs and the type of the asset.

5. The information security risk management system of claim 1, wherein the asset value definition of the asset evaluation subsystem further determines asset value according to the asset classification or a user definition.

6. The information security risk management system of claim 1, wherein the information security risk assessment subsystem further determines the vulnerabilities of the risk according to the asset category and asset attributes.

7. The information security risk management system of claim 1, wherein the information security risk assessment subsystem selects vulnerabilities from a vulnerability list according to the asset category.

8. The information security risk management system of claim 1, wherein the information security risk assessment subsystem determines the asset's threats from a threat list according to the asset category.

9. The information security risk management system of claim 1, wherein the information security risk assessment subsystem determines the vulnerability impact score according to the asset value, [illegible in source] and asset characteristics.

10. The information security risk management system of claim 1, wherein the information security risk assessment subsystem determines the threat likelihood score according to the probability of the threat occurring and [illegible in source] statistics.

11. The information security risk management system of claim 1, wherein the information security risk assessment subsystem further determines the risk assessment calculation formula according to business characteristics.

12. The information security risk management system of claim 1, wherein the information security risk assessment subsystem further defines risk assessment items according to individual needs [partly illegible in source].

13. The information security risk management system of claim 1, wherein the information security risk treatment subsystem further determines the risk treatment controls according to the asset's vulnerabilities and the ISO standard.

14. The information security risk management system of claim 1, wherein the information security risk treatment subsystem further determines the content of the risk treatment plan report according to the vulnerabilities, the threats and the selected risk treatment controls.

15. The information security risk management system of claim 1, wherein the risk treatment plan report formats of the information security risk treatment subsystem include RTF, DOC, PDF and HTML.

16. The information security risk management system of claim 1, wherein the information security risk treatment subsystem further determines the residual risk of the asset according to the selected controls and their execution results.

17. An information security risk management method, comprising the steps of:
(A) collecting asset information: performing the collection of information assets to find all assets of value to the organization;
(B) evaluating information assets: performing information asset evaluation on the collected information assets;
(C) normalizing assets: processing the asset evaluation information through a normalization procedure to express asset value qualitatively;
(D) identifying vulnerabilities and threats: finding the vulnerabilities and possible threats of the information assets;
(E) assessing impact and likelihood: determining the degree of business impact of a risk arising from a vulnerability and the likelihood that the threat will cause the risk to occur;
(F) setting the acceptable risk level: by setting an acceptable risk level, deciding which risks need treatment and the priority of their treatment;
(G) checking against the acceptable risk level: judging whether the risk of the collected information assets is acceptable;
(H) selecting controls: when the asset's risk is above the acceptable risk level, selecting the controls that can be applied to reduce that asset's risk;
(I) deciding the risk treatment method: choosing the possible risk treatment methods and their procedures according to the controls;
(J) producing the risk treatment plan: producing the risk treatment plan according to the decided risk treatment method;
(K) assessing residual risk: based on the results of implementing the risk treatment plan, measuring whether the risk after the controls were implemented has been reduced to the acceptable risk level.
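The workflow of steps (B) through (K), as claimed above and as described in the detailed description, can be made concrete with a small script. The following is an added example and is not code from the patent or from Chunghwa Telecom: the 1..4 qualitative scales, the weighted-product risk formula, the acceptable risk level of 12, the vulnerability-to-control knowledge base and the sample assets are all assumptions constructed for the example (the patent leaves the formula, its weights and the acceptable level to the user). It normalizes asset values (C), scores each asset/vulnerability/threat triple (E), compares the score against the acceptable level (F, G), picks the control that gives the lowest residual risk (H, K), and records reduce / accept / transfer-or-avoid as the treatment (I), producing a plan ordered by priority (J).

```python
"""Worked example of the risk assessment and treatment workflow, steps (B)
through (K).  Added illustration, NOT code from the patent or from Chunghwa
Telecom: the scales, the risk formula, the acceptable level, the control
knowledge base and the sample assets are all assumptions constructed here."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Step (C), assumed banding: quantitative asset value -> qualitative level 1..4.
VALUE_BANDS: List[Tuple[int, int]] = [(0, 1), (10_000, 2), (100_000, 3), (1_000_000, 4)]


def normalize_asset_value(quantitative_value: float) -> int:
    """Map a quantitative (e.g. monetary) asset value to a 1..4 level."""
    level = 1
    for threshold, band in VALUE_BANDS:
        if quantitative_value >= threshold:
            level = band
    return level


@dataclass(frozen=True)
class RiskItem:
    """One asset / vulnerability / threat triple (steps D and E)."""
    asset: str
    vulnerability: str
    threat: str
    asset_level: int   # 1..4, output of step (C)
    impact: int        # 1..4, business impact if the vulnerability is exploited
    likelihood: int    # 1..4, likelihood of the threat occurring


@dataclass
class RiskFormula:
    """Assumed weighted product; the patent lets the user adjust the formula
    and its weights, so the weights are parameters here."""
    w_asset: float = 1.0
    w_impact: float = 1.0
    w_likelihood: float = 1.0

    def score(self, item: RiskItem) -> float:
        return (item.asset_level * self.w_asset
                * item.impact * self.w_impact
                * item.likelihood * self.w_likelihood)


# Step (H), constructed mini knowledge base: vulnerability -> candidate controls
# with the assumed reduction each applies to the impact and likelihood levels.
CONTROL_KB: Dict[str, List[Tuple[str, int, int]]] = {
    "unpatched software": [("patch management process", 0, 2),
                           ("network segmentation", 1, 1)],
    "no backups": [("offsite backups", 2, 0)],
    "weak passwords": [("multi-factor authentication", 0, 2)],
    "unsupported OS": [("host-based firewall", 0, 1)],
}


def plan_item(item: RiskItem, formula: RiskFormula, acceptable: float) -> dict:
    """Steps (G) to (K) for one item: accept, reduce with the best control,
    or flag for transfer/avoid when no listed control reaches the level."""
    score = formula.score(item)
    record = {"asset": item.asset, "score": score, "control": None}
    if score <= acceptable:                                   # step (G)
        return {**record, "treatment": "accept", "residual": score}
    best: Optional[Tuple[str, float]] = None
    for name, d_impact, d_like in CONTROL_KB.get(item.vulnerability, []):
        reduced = RiskItem(item.asset, item.vulnerability, item.threat, item.asset_level,
                           max(1, item.impact - d_impact), max(1, item.likelihood - d_like))
        residual = formula.score(reduced)                     # step (K)
        if best is None or residual < best[1]:
            best = (name, residual)
    if best is not None and best[1] <= acceptable:            # step (I): reduce
        return {**record, "treatment": "reduce", "control": best[0], "residual": best[1]}
    # Nothing in the knowledge base brings the risk down to the acceptable level;
    # the remaining treatment options named by the patent are transfer or avoid.
    return {**record, "treatment": "transfer/avoid",
            "control": best[0] if best else None,
            "residual": best[1] if best else score}


def build_treatment_plan(items: List[RiskItem], formula: RiskFormula,
                         acceptable: float) -> List[dict]:
    """Step (J): plan every item, ordered by risk score so the highest risk is
    treated first (the prioritisation of step (F))."""
    return sorted((plan_item(i, formula, acceptable) for i in items),
                  key=lambda r: r["score"], reverse=True)


# Constructed sample assets (values and levels are invented for the example).
SAMPLE_ITEMS = [
    RiskItem("customer database", "unpatched software", "malware",
             normalize_asset_value(250_000), impact=4, likelihood=3),
    RiskItem("intranet wiki", "weak passwords", "credential guessing",
             normalize_asset_value(5_000), impact=2, likelihood=3),
    RiskItem("file server", "no backups", "hardware failure",
             normalize_asset_value(50_000), impact=4, likelihood=2),
    RiskItem("legacy payment gateway", "unsupported OS", "remote exploit",
             normalize_asset_value(2_000_000), impact=4, likelihood=4),
]
ACCEPTABLE_LEVEL = 12.0  # assumed, step (F)

if __name__ == "__main__":
    for row in build_treatment_plan(SAMPLE_ITEMS, RiskFormula(), ACCEPTABLE_LEVEL):
        print(f"{row['asset']:24} score={row['score']:5.1f} {row['treatment']:14} "
              f"control={row['control']} residual={row['residual']}")
```

With the constructed inputs the customer database (score 36) is reduced to the acceptable level by the patch management control (residual 12), the file server (16) by offsite backups (residual 8), the intranet wiki (6) is accepted as-is, and the legacy payment gateway (64) is flagged for transfer or avoidance because the only listed control leaves a residual of 48. Changing the weights in RiskFormula or the entries in CONTROL_KB models the patent's user-adjustable formula and knowledge base.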
TW97117641A 2008-05-14 2008-05-14 Risk management system of information security and method thereof TW200947325A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW97117641A TW200947325A (en) 2008-05-14 2008-05-14 Risk management system of information security and method thereof

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW97117641A TW200947325A (en) 2008-05-14 2008-05-14 Risk management system of information security and method thereof

Publications (1)

Publication Number Publication Date
TW200947325A true TW200947325A (en) 2009-11-16

Family

ID=44870308

Family Applications (1)

Application Number Title Priority Date Filing Date
TW97117641A TW200947325A (en) 2008-05-14 2008-05-14 Risk management system of information security and method thereof

Country Status (1)

Country Link
TW (1) TW200947325A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI482047B (en) * 2012-11-06 2015-04-21 Inst Information Industry Information security audit method, system and computer readable storage medium for storing thereof
TWI560577B (en) * 2014-09-29 2016-12-01 Chunghwa Telecom Co Ltd


Similar Documents

Publication Publication Date Title
JP5586373B2 (en) Computer-readable storage medium storing a program for causing a computer system to realize the function of a component that processes a payment request, and a method of operating a computer system that causes a computer system to process a payment request
JP5551187B2 (en) Literature analysis system
Al-Shaer et al. Creating sustainability reports that matter: an investigation of factors behind the narratives
CN109285076A (en) Intelligent core protects processing method, server and storage medium
WO2013123182A1 (en) Computer-implemented systems and methods of performing contract review
WO2004061714A1 (en) Technique evaluating device, technique evaluating program, and technique evaluating method
CN109102394A (en) Methods of risk assessment, device and computer readable storage medium
TW202004636A (en) Insurance service optimization method and system and computer program product thereof
US9304991B2 (en) Method and apparatus for using monitoring intent to match business processes or monitoring templates
US11645449B1 (en) Computing system for data annotation
CN111179051A (en) Financial target customer determination method and device and electronic equipment
EP3997657A1 (en) Quantifiying privacy impact
Kanaparthi AI-based personalization and trust in digital finance
CN109522301A (en) A kind of data processing method, electronic equipment and storage medium
Albrecht et al. Forensic accounting
Damaraju Data Privacy Regulations and Their Impact on Global Businesses
Liu et al. Tracking disclosure change trajectories for financial fraud detection
Li et al. What threatens stock market returns under the COVID-19 crisis in China: the pandemic itself or the media hype around it?
Azeema et al. Impact of Artificial Intelligence on Financial Markets: Possibilities & Challenges
TW200947325A (en) Risk management system of information security and method thereof
JP2020102069A (en) Examination support system, examination support method, and examination support program
Othman et al. Text readability and fraud detection
Teitler Regev et al. Analyzing the varied impact of COVID-19 on stock markets: A comparative study of low-and high-infection-rate countries
US20210049140A1 (en) System and method for analyzing and structuring data records
Sun Deep learning applications in audit decision making