TW201102958A - System and method for information risk management - Google Patents

System and method for information risk management

Info

Publication number
TW201102958A
Authority
TW
Taiwan
Prior art keywords
risk
information
information access
access
patent application
Prior art date
Application number
TW98140757A
Other languages
Chinese (zh)
Other versions
TWI444920B (en)
Inventor
Yee-Jang Lin
Original Assignee
Chalet Tech Inc
Priority date
Filing date
Publication date
Priority claimed from US12/497,981 (US8631081B2)
Application filed by Chalet Tech Inc
Publication of TW201102958A
Application granted
Publication of TWI444920B

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a system and method for evaluating risk associated with information access requests. The information access requests are collected and assigned a risk level according to user-defined policies; a total risk is then calculated and presented to the user. The user can select a high-risk event for further analysis. The system will break down the event into basic elements, so the user can ascertain the risk. The system allows a user to customize a report, and the customized report can be saved as a template for future use.

Description

VI. Description of the Invention

[Technical Field of the Invention]

The present invention relates to information security, and in particular to a system and method for managing risk related to information access.

[Prior Art]

Today, information is power, and having the right information means holding a competitive advantage. Every business organization therefore protects its own information with great care. Traditionally, confidential information can be accessed only by a small number of personnel. This approach is simple and easy to implement, but when requirements change […]. If a user is considered high risk, his access to the system is […]; if a user is considered safe, his access to the system is usually not restricted. However, the privileges granted to a user are generally […]. Once they are granted, the risk of the accesses he makes is not evaluated again, and systems usually lack this kind of real-time auditing capability. A highly privileged but malicious user can therefore abuse his privileges and go unnoticed until harm or significant loss has occurred.

There is a need to evaluate and monitor the risks associated with the various accesses, and the present invention is directed to that need.

[Summary of the Invention]

In one embodiment, the present invention provides a method of calculating the total risk of an information access in a system. The method comprises the following steps. First, a multi-dimensional risk model is established, in which each dimension represents one type of risk. Next, an information access is received from an information access monitoring unit. Then, for each dimension, a risk of the information access (the coordinate in that dimension) is determined according to a policy. Finally, the total risk is calculated from the risks in these dimensions.

In another embodiment, the present invention provides a method of managing the risk of an information access in a system. The method comprises the following steps. First, a plurality of risks of the information access are calculated according to policies obtained from a policy storage unit. The information access is then stored in a storage unit. Next, a controller calculates a total risk from these risks. An event is then created that associates the total risk with the information access. Next, a plurality of events are selected using a plurality of filtering criteria. The selected events are presented in a report on a display device, and the filtering criteria are saved as a template.

In yet another embodiment, the present invention provides an apparatus for managing the risk of an information access in a system. The apparatus comprises an information access monitoring unit that receives information accesses, a policy storage unit that stores policies, and a controller that applies the policies to calculate risk and generates reports according to templates. The controller can also create templates from filtering criteria.

In a further embodiment, the present invention provides a method of presenting a predefined report relating to information access risk. The method comprises the following steps. First, a plurality of information accesses are received from an information access monitoring unit. Each information access is then associated with a risk, the risk being calculated according to a plurality of policies obtained from a policy storage unit. Next, a report selection is received from a user interface unit. The filtering criteria associated with the selected report are then adjusted. Information accesses are then retrieved according to the selected report. Finally, the information accesses and the selected report are presented.

An advantage of the system and method provided by the present invention is the ability to identify abnormal information access.

The above and other objects and advantages of the present invention are described in detail below with reference to the accompanying drawings, the detailed description of the embodiments, and the claims. The accompanying drawings are provided only to illustrate the spirit of the present invention and should not be taken as a definition of its scope. For the definition of the scope of the present invention, refer to the appended claims.

[Embodiments]

In this specification, "application" […] raw data, aggregated data, patches, and other code segments. The word "exemplary" indicates that the described embodiment is given as one example and does not express a preference. In addition, the terms "baseline", "baseline information", "baseline database", and "historical behavior" […].

The proposed system discloses a model of risk management. The system proposed by the present invention collects information accesses, assigns them risk levels according to a set of policies, and analyzes the risk related to information access […].

Fig. 1 is a schematic diagram of the model 100 of the information risk management mechanism 102 implemented by the present invention. The information risk management mechanism 102 comprises risk analysis 104, customized reports 106, and a plurality of risk policies 108. Risk analysis 104 refers to the analysis of information accesses in the system. Intelligence about information accesses can be collected according to different risk policies 108, different risk aspects 110, and different times and conditions 112. The application of the risk policies 108 is triggered by events and alerts 118 that occur in the system. After the risk has been analyzed, the result is presented to the system administrator. The form of presentation is determined by the system administrator selecting a previously created template 114, 116. A system implementing the information risk management mechanism 102 can record the risk analysis carried out by the system administrator as a new template that can be reused in the future.

Fig. 2 is a schematic diagram of the model 200 of the risk policies implemented by the present invention. Risk policies 220 are usually defined by the system administrator and are applied to each information access 201. According to the risk policies 220, the system then triggers events and alerts carrying different risks. Risk can be classified into access risk 202, behavior risk 204, content risk 206, and performance risk 208. Each risk is defined by a user-defined risk policy. For example, for certain content, such as a […] card database, the content risk associated with that content has a higher risk level. A risk policy can also include a search for keywords expressed as a regular expression, in order to […] certain confidential data or information in transit.

Access risk 202 is the risk governed by user-defined policies. For example, the system administrator can set a risk level for certain elements related to information access. An information access can be described by five elements: who requests the access (who), how the access is made (how, i.e., the method or manner of access), what data is accessed (what), from where the access is made (where, i.e., the location of the access), and when the access is made (when, i.e., the time of access). These elements are described in detail in the specification of the inventor's Republic of China (Taiwan) invention patent application "System and Method for […] Abnormal Information Access Behavior" (filing date June 10, ROC year 98; application no. […]). When an information access matches a risk policy, it is assigned a risk level together with an action, which is either recording an audited event or triggering an alert.

Behavior risk 204 is the risk governed by profiles of the elements described above, such as the user profile, object profile, method profile, location profile, and time profile. When a user's behavior deviates from his user profile, the level of his behavior risk should be raised. Similarly, when a data object is, at the usual time, accessed by a user who has not regularly accessed that object, or is accessed by a method that is not the usual one, its risk level should also be raised. Behavior risk 204 uses concepts disclosed in the aforementioned invention patent application, such as elements, members, and groups. Behavior risk 204 is associated with a behavior profile, and the behavior profile is in turn associated with each member of each member group. The behavior profile itself is defined by associations between elements. These associations are implemented with bitmaps and counters. Each counter has at least one threshold and a risk level that applies when the threshold is exceeded. When a counter reaches its threshold, an alert is issued, and the system administrator can then take action.

Performance risk 208 relates to response time and is likewise governed by a profile. The response time of each information access comprises the processing time of the server and the network transmission time. Each response time is assigned a threshold. For each transaction, a transaction time and a threshold can also be assigned. Similarly, each connection can be assigned a connection time and a threshold. In terms of performance risk, certain information accesses may take up to X microseconds; when the access time exceeds X microseconds, or exceeds a limit set in the profile associated with that information access, its risk level should be raised.

As shown above, the present invention provides four kinds of risk (access, behavior, content, and performance), and each kind of risk has a risk level. Because there are these different types of risk, the present invention further provides a presentation of the total risk that represents an information access. Fig. 3 is a schematic diagram of a spatial model by which the present invention presents the total risk. In this model, each kind of risk is represented by a coordinate axis. For example, access risk is represented by the coordinate x on the X axis (relative to the origin O), behavior risk by the coordinate y on the Y axis, performance risk by the coordinate w on the W axis, and content risk by the coordinate z on the Z axis. The total risk can be represented by a "distance" D obtained from a calculation that combines the various risks: $D = \mathrm{sqr}(x^2 + y^2 + z^2 + w^2)$, where sqr is the square-root function; $R_T = \mathrm{sqr}\big((a^2x^2 + b^2y^2 + c^2z^2 + d^2w^2)/(a^2 + b^2 + c^2 + d^2)\big)$, where a, b, c, and d are the weights given to the access, behavior, content, and performance risks, respectively.

In summary, the present invention provides a clear overview of a system from the perspective of risk. The present invention further defines various templates so that […] can be carried out repeatedly. Risk is assigned according to predefined policies. Information accesses that carry a certain risk constitute events, and events that are urgent constitute alerts. Events and alerts are collected and pre-processed to facilitate future analysis. Fig. 4 is a schematic diagram of the model by which the present invention analyzes risk. First, in step 402, the event information is presented as a time series, that is, the events are arranged in their order of occurrence. Step 404 then uses filters to select from these events. For example, one filter picks out the top-ranked elements most associated with these events. Suppose the element found in this way is a database (a database belongs to the what element). Step 406 then further filters out the most frequently accessed files (these files are members of the what element) and presents the result in a graphical user interface (GUI). If the system administrator wants to explore these events further, he can examine the events and alerts with other filters in step 408. Finally, in step 410, the system administrator can examine the raw data of the information accesses behind these events and alerts. As described above, the present invention thus gives the system administrator an overview of the risk situation of information access in the system and then allows him to explore the details of high-risk events and alerts.
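The four risk dimensions of Fig. 2 and the total-risk formulas of Fig. 3 described above, worked through as an added example that is not part of the patent text. The 0-5 level scale, the policies, profiles, weights, alert limit and sample accesses are all constructed assumptions.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

@dataclass
class Access:                     # one information access and its five elements
    who: str
    how: str
    what: str
    where: str
    when: int                     # hour of day, 0-23
    payload: str = ""             # data in transit, checked for content risk
    response_ms: float = 0.0      # server plus network time, for performance risk

# Constructed sample policies. The 0-5 level scale is an assumption.
ACCESS_POLICIES = [               # element conditions -> risk level
    ({"what": "hr_db", "how": "DELETE"}, 4),
    ({"where": "vpn"}, 2),
]
CONTENT_POLICIES = [              # regular expression -> risk level
    (re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"), 5),   # 16-digit card-like number
    (re.compile(r"\bsalary\b", re.IGNORECASE), 3),
]
USER_PROFILES = {"alice": {"what": {"crm_db"}, "hours": range(8, 19)}}
DEVIATION_LEVEL = 3               # access falls outside the user's profile
COUNTER_LIMIT, COUNTER_LEVEL = 3, 4   # threshold on each (who, what) counter
RESPONSE_LIMIT_MS, RESPONSE_LEVEL = 500.0, 3
WEIGHTS = (2.0, 1.0, 2.0, 0.5)    # a, b, c, d: access, behavior, content, performance
ALERT_LIMIT = 3.0                 # upper limit on R_T above which an alert is raised


class RiskEngine:
    def __init__(self):
        self.counters = Counter() # behavior counters keyed by (who, what)

    def access_risk(self, acc):
        hits = [lvl for cond, lvl in ACCESS_POLICIES
                if all(getattr(acc, k) == v for k, v in cond.items())]
        return max(hits, default=0)

    def behavior_risk(self, acc):
        profile = USER_PROFILES.get(acc.who)
        # A user with no profile is scored as a deviation (fail closed).
        deviates = (profile is None or acc.what not in profile["what"]
                    or acc.when not in profile["hours"])
        level = DEVIATION_LEVEL if deviates else 0
        key = (acc.who, acc.what)
        self.counters[key] += 1
        if self.counters[key] > COUNTER_LIMIT:   # counter passed its threshold
            level = max(level, COUNTER_LEVEL)
        return level

    def content_risk(self, acc):
        hits = [lvl for rx, lvl in CONTENT_POLICIES if rx.search(acc.payload)]
        return max(hits, default=0)

    def performance_risk(self, acc):
        return RESPONSE_LEVEL if acc.response_ms > RESPONSE_LIMIT_MS else 0

    def score(self, acc):
        """Return the event for one access: coordinates, D, R_T, alert flag."""
        x, y = self.access_risk(acc), self.behavior_risk(acc)
        z, w = self.content_risk(acc), self.performance_risk(acc)
        a, b, c, d = WEIGHTS
        dist = math.sqrt(x * x + y * y + z * z + w * w)
        r_t = math.sqrt((a*a*x*x + b*b*y*y + c*c*z*z + d*d*w*w)
                        / (a*a + b*b + c*c + d*d))
        return {"who": acc.who, "what": acc.what, "coords": (x, y, z, w),
                "D": dist, "RT": r_t, "alert": r_t > ALERT_LIMIT}


def top_events(events, n):
    """Top-N filter: the n events with the highest total risk R_T."""
    return sorted(events, key=lambda e: e["RT"], reverse=True)[:n]


# Constructed sample accesses, in time order.
SAMPLE = [Access("alice", "SELECT", "crm_db", "office", 10, "order list", 120.0)] * 4 + [
    Access("alice", "DELETE", "hr_db", "vpn", 2,
           "salary export 4111 1111 1111 1111", 900.0),
]


def run_sample():
    engine = RiskEngine()
    return [engine.score(acc) for acc in SAMPLE]


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

Because R_T is a weighted root mean square of the four coordinates, it stays on the same scale as the per-dimension levels, while D grows with the number of dimensions that score; that makes R_T the easier value to compare against a single alert limit.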

Fig. 5 is a schematic diagram of a system architecture 500 according to an embodiment of the present invention. As described above, all information accesses are recorded and assigned a risk. These information accesses can be filtered according to specific time and filtering criteria 502. The time and filtering criteria 502 can also be used to process risk-related information 504 and alerts. The risk-related information 504 is the result of applying the policies and, after filtering, can yield element-related information 506 (each item of risk-related information 504 can be broken down into element information). The associations among the members contained in the element-related information 506 can be […] analyzed and processed in the intelligence center 508. When needed, the intelligence center 508 can present the alerts and event information 510 recorded by the system, or the raw data 512 of the information accesses.

The time and filtering criteria can further be used to select and process […], the real-time alerts 514, the information provided by the event radar 516, the risk-related information 504, the element-related information 506, and the top-N events 518. The time and filtering criteria 502 can also be used by the intelligence center 508 to process the archived events and alerts 510 and the raw data 512. A real-time alert 514 is an urgent event that is handed directly to the intelligence center 508 for immediate handling. It is triggered because […] is classified as high risk, or because of a condition […] by the user. A real-time alert 514 usually involves immediate notification, such as immediate delivery by e-mail, short message, or voice message. Real-time alerts 514 can also be divided into high, medium, and low levels. The event radar 516 is a subsystem that presents all events to the system administrator. Because the number of events can be very large, events can be classified and grouped before they are presented. In addition, the top-N events 518 can be presented after suitable filtering. The resources 520 are the […] elements and their members; more specifically, resources include users, databases, and individual commands. The resources 520 can be used by the intelligence center 508 to process and interpret events and alerts.

The present invention […] performs online monitoring of information access. […] intelligence on information accesses to the individual databases, and then presents […]. The monitored objects need not be limited to accesses and can extend to […]. The number of accesses, the number of records accessed, and the frequency of these accesses can all be collected and analyzed.

[…] operation flow 600. As shown, first in step 602 […], and then in step 604 the accesses are evaluated and archived. […] According to the user-defined […], an information access can be assigned several risks […]. If the access is classified as high risk in step 606, […] a suitable template is selected from a plurality of templates. An analysis report is then produced […] and presented to the system administrator. […] he can also select an existing template and modify it […] analysis. For example, if the event or alert shows […] risk for the personnel data […], the analysis in step 614 can find which users […] caused the increased risk. As another example, […] the event or alert […] the nature […]. Or, if the event or alert shows that accesses to a particular […] have an excessive number of failures, the analysis in step 614 can […] the nature of the failed accesses. The system then, in step 616, takes the events […] risk accesses, and in step 618 retrieves […] information. Next, in step 620, the result is presented […]. After completing this customized analysis and presentation, the system administrator can record the […] criteria and store them in a new template. This template can be selected in the future, in step 624, to repeat the same analysis on other events or alerts.

[…] an important feature. A template records the […] criteria used by the user, so the same filtering can be carried out again in the future. When viewing a report produced from a template, the user can modify the filtering criteria, and the modified result can be used to create a new template.

The method proposed by the present invention can be executed by a program stored in a computer-readable medium. The program causes a […] or a similar computing device with a computer platform to execute the steps of the method. The computer-readable medium can be the memory of the […] or the memory of a […] database. Alternatively, the computer-readable medium can be secondary storage media […] a connected computer, such as a magnetic disk, magnetic tape, optical disc, hard disk, flash memory, or other known storage media.

Fig. 7 is a schematic diagram of a system supporting the method proposed by the present invention. The system 700 comprises an information access monitoring unit 702, a policy storage unit 704, a user interface unit 708, a storage unit 706, a controller 710, and a […]. Information accesses […] by one or more monitoring […] located in one or more systems are sent to the information access monitoring unit 702. These information accesses are stored in the storage unit 706 and are processed by the controller 710 according to the policies stored in the policy storage unit 704. The storage unit 706 also stores the templates used to generate […]. According to these […], the controller 710 obtains the various risks, and a total risk can be calculated by combining them. Those of ordinary skill will appreciate that the policy storage unit 704 and the storage unit 706 can be integrated together or […] stored in different […]. The processed information is then presented to the system administrator through the user interface unit 708. The user can select the report to be viewed through the user interface unit 708, and the report is generated according to the template on which it is based. The user can also modify the […] criteria through the user interface unit 708. The controller […] the functions of the intelligence center 508. The system administrator can, through […] (display unit) […].

What is shown in Figs. 4, 5, and 6 does not require or imply any particular order of actions. The actions can be carried out sequentially or in parallel. The method can be implemented in the computing device of a network appliance (such as a […] or a network server) to execute a series of machine-readable instructions. These instructions can reside in various signal-bearing or data-storing primary, secondary, or […] media, such as media built into a component of the […] device, for example random access memory. They can also reside on the following machine-readable digital or analog […] storage media: DASD (direct access storage device, such as a hard disk or disk array), magnetic tape, electronic read-only memory (for example ROM […]), […] cards, optical storage devices (for example […] ROM, WORM, DVD, digital optical tape), and computer paper cards. When these instructions are executed by a computer, the computer carries out the steps shown in Figs. 4, 5, and 6.

The detailed description of the […] embodiments above is intended to describe the present invention more clearly, not to limit […]. On the contrary, the intent is to cover various changes and […] arrangements within the scope of the claims of the present invention.

[Brief Description of the Drawings]

Fig. 1 is a schematic diagram of the model of the information risk management mechanism implemented by the present invention.
Fig. 2 is a schematic diagram of the model of the risk policies implemented by the present invention.
Fig. 3 is a schematic diagram of the model by which the present invention expresses the total risk.
Fig. 4 is a schematic diagram of the model by which the present invention analyzes risk.
Fig. 5 is a schematic diagram of a system architecture according to an embodiment of the present invention.
Fig. 6 is an operation flowchart according to an embodiment of the present invention.
Fig. 7 is a schematic diagram of a system supporting the method proposed by the present invention.

[Description of Main Reference Numerals]

100 Risk management model
102 Information risk management mechanism
104 Risk analysis
106 Customized report
108 Risk policies
110 Risk aspects
112 Time and conditions
114 Template
116 Template
118 Events and alerts
200 Risk policy model
201 Information access
202 Access risk
204 Behavior risk
206 Content risk
208 Performance risk
300 Total risk model
400 Risk analysis model
402~410 Steps
500 System architecture
502 Time and filtering criteria
504 Risk-related information
506 Element-related information
508 Intelligence center
510 Archived events and alerts
512 Raw data
514 Real-time alert
516 Event radar
518 Top-N events
520 Resources
600 Operation flow
600-626 Steps
700 System
702 Information access monitoring unit
704 Policy storage unit
706 Storage unit
708 User interface unit
710 Controller
D Distance
O Origin
RT Total risk
X, Y, Z, W Coordinate axes
x, y, z, w Coordinate values


Claims (1)

VII. Claims:

1. A method for calculating the total risk of an information access, comprising at least the following steps:
establishing a risk space model comprising a plurality of coordinate axes, wherein each coordinate axis represents one type of risk;
receiving, from an information access monitoring unit, an information access to a database;
for each coordinate axis, determining a risk of the information access according to a user-defined policy, wherein the risks determine the coordinate values of a point in the risk space model; and
calculating a total risk of the information access from the coordinate values of the point.

2. The method for calculating the total risk of an information access of claim 1, wherein the coordinate axes respectively represent the following types of risk: access risk, content risk, behavior risk, and performance risk.

3. The method for calculating the total risk of an information access of claim 1, further comprising the following step:
for the risk of a coordinate axis, representing the risk as a point on that coordinate axis.

4. A method for managing the risk related to information access, comprising at least the following steps:
for each information access, calculating a plurality of risks related to the information access according to policies obtained from a policy storage unit;
storing the information access in a storage unit;
for each information access, calculating, in a controller, a total risk of the information access according to the risks of the information access;
linking the information access with the total risk to create a plurality of events;
selecting a plurality of events using a plurality of filter conditions;
presenting the selected events in a report through a display device; and
creating a template that records the filter conditions.

5. The method for managing the risk related to information access of claim 4, further comprising the following step:
receiving a plurality of information accesses from an information access monitoring unit.

6. The method for managing the risk related to information access of claim 4, further comprising the following step:
if the total risk of an information access exceeds an upper limit, generating an alert.

7. The method for managing the risk related to information access of claim 6, further comprising the following step:
transmitting the alert to a system administrator.

8. The method for managing the risk related to information access of claim 7, wherein the alert is transmitted by e-mail.

9. The method for managing the risk related to information access of claim 7, wherein the alert is transmitted by short message.

10. The method for managing the risk related to information access of claim 4, wherein the events are presented in chronological order.

11. The method for managing the risk related to information access of claim 4, wherein the plurality of risks comprises the following types of risk: access risk, content risk, behavior risk, and performance risk.

12. The method for managing the risk related to information access of claim 4, further comprising the following step:
receiving the filter conditions from a user interface.

13. An apparatus for managing the risk related to information access, comprising:
[text illegible in the source] unit to receive a plurality of [text illegible in the source];
a controller that applies the policies to calculate at least one risk of an information access and generates a report according to a template, wherein the controller may further create at least one template according to at least one filter condition.

14. The apparatus for managing the risk related to information access of claim 13, further comprising:
a storage unit to store the information accesses and the templates.

15. The apparatus for managing the risk related to information access of claim 13, further comprising:
a user interface unit to present the risks to a system administrator and to receive the filter conditions.

16. The apparatus for managing the risk related to information access of claim 13, wherein the controller may further calculate a total risk for each information access.

17. A method for presenting a predefined report on information access risk, comprising at least the following steps:
receiving a plurality of information accesses from an information access monitoring unit;
for each information access, calculating a risk related to the information access according to policies obtained from a policy storage unit;
receiving a report selection from a user interface unit;
adjusting the filter conditions of the selected report;
retrieving information accesses according to the selected report; and
presenting the selected report and the retrieved information accesses.

18. The method for presenting a predefined report on information access risk of claim 17, further comprising the following steps:
creating a new template according to the adjusted filter conditions; and
storing the new template in a storage unit.

19. The method for presenting a predefined report on information access risk of claim 17, further comprising the following step:
if the risk exceeds an upper limit, issuing an alert.
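The scoring pipeline recited in claims 1, 4 and 6, as an added Python example that is not taken from the patent: per-axis policies place each access at a point in the risk space, a total risk is derived from that point, events over an upper limit are flagged for an alert, and a saved template of filter conditions selects events for a chronological report. The policy rules, the upper limit, the sample accesses and the use of Euclidean distance for the total risk are assumptions; the claims do not fix a formula.

```python
import math

# Risk types named in claims 2 and 11, one coordinate axis each.
AXES = ("access", "content", "behavior", "performance")

# Constructed policies (assumption): each scores one axis from 0 to 10.
POLICIES = {
    "access": lambda e: 8 if e["hour"] < 6 or e["hour"] >= 22 else 2,
    "content": lambda e: 9 if e["table"] in {"payroll", "customers"} else 1,
    "behavior": lambda e: min(10, e["rows"] // 1000),
    "performance": lambda e: min(10, e["ms"] // 500),
}
UPPER_LIMIT = 12.0  # constructed alert threshold (assumption)

def risk_point(access):
    """Coordinates of one access in the risk space, one value per axis."""
    return tuple(POLICIES[axis](access) for axis in AXES)

def total_risk(point):
    """Assumption: total risk is the point's Euclidean distance from the origin."""
    return math.sqrt(sum(c * c for c in point))

def build_events(accesses):
    """Link each access with its point and total risk; flag those over the limit."""
    events = []
    for access in accesses:
        point = risk_point(access)
        total = total_risk(point)
        events.append({**access, "point": point, "total": total,
                       "alert": total > UPPER_LIMIT})
    return events

def apply_template(events, template):
    """A template is a saved set of filter conditions; the report is chronological."""
    users = template.get("users")
    hits = [e for e in events
            if e["total"] >= template.get("min_total", 0)
            and (not users or e["user"] in users)]
    return sorted(hits, key=lambda e: e["time"])

# Constructed sample accesses, as a monitoring unit might report them.
ACCESSES = [
    {"time": "2009-07-06T23:10", "hour": 23, "user": "bob",
     "table": "payroll", "rows": 52000, "ms": 4100},
    {"time": "2009-07-06T10:02", "hour": 10, "user": "alice",
     "table": "inventory", "rows": 40, "ms": 30},
    {"time": "2009-07-06T14:30", "hour": 14, "user": "bob",
     "table": "customers", "rows": 3000, "ms": 900},
]
HIGH_RISK_BOB = {"min_total": 9, "users": ["bob"]}  # saved template
```

Because the per-axis coordinates are kept on each event, a reviewer can see which axis drove a high total (here the late-night bulk read of `payroll` is high on all four) instead of only a single opaque score.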
TW98140757A 2009-07-06 2009-11-30 System and method for information risk management TWI444920B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/497,981 US8631081B2 (en) 2008-11-12 2009-07-06 System and method for information risk management

Publications (2)

Publication Number Publication Date
TW201102958A true TW201102958A (en) 2011-01-16
TWI444920B TWI444920B (en) 2014-07-11

Family

ID=44838281

Family Applications (1)

Application Number Title Priority Date Filing Date
TW98140757A TWI444920B (en) 2009-07-06 2009-11-30 System and method for information risk management

Country Status (1)

Country Link
TW (1) TWI444920B (en)

Also Published As

Publication number Publication date
TWI444920B (en) 2014-07-11

Similar Documents

Publication Publication Date Title
US10558684B2 (en) Auditing database access in a distributed medical computing environment
US11909881B2 (en) Digital asset management
US11550921B2 (en) Threat response systems and methods
US9348879B2 (en) Data lineage transformation analysis
US12014333B2 (en) Misconduct metrics reporting generation and rendering engine apparatuses, methods, systems and media
US11809565B2 (en) Security for private data inputs to artificial intelligence models
US10353531B2 (en) System and method for building customized web applications within a domain
CN117273429A (en) Event monitoring method, system, electronic equipment and storage medium
CN112685443A (en) Data query method and device, electronic equipment and computer readable storage medium
US9230004B2 (en) Data processing method, system, and computer program product
US20220028008A1 (en) Signals-based data syndication and collaboration
EP3816782B1 (en) Data reconstruction method, apparatus and storage medium
CN114708941B (en) Health data-based management method and equipment
TW201102958A (en) System and method for information risk management
US20230251959A1 (en) System and Method for Generating Synthetic Test Data
EP3480821B1 (en) Clinical trial support network data security
CN108683581A (en) Mail triggering method and device, electronic equipment and computer readable storage medium
US20230195806A1 (en) Real-time crawling
CN118260110A (en) Fault exercise method, device, computer equipment, storage medium and program product
CN108874621B (en) File monitoring method and device, electronic equipment and computer readable storage medium
CN117333134A (en) Flow notifying method, apparatus, computer device, storage medium and program product
CN117370294A (en) File updating method, device, computer equipment and storage medium
CN117557951A (en) Power grid abnormal event monitoring method, device, computer equipment and storage medium
CN116938681A (en) Twin data auditing method and device of network element equipment and computer equipment
CN114943597A (en) Intelligent tax supervision method and equipment based on block chain and storage medium