Information system risk assessment method and apparatus

Abstract

The invention discloses an information system risk assessment method and apparatus. The method comprises the following steps: determining values of basic risk elements of each assessment object in aninformation system, wherein the basic risk elements at least comprise three basic elements, namely assets, threats and vulnerability; for any basic risk element of any security domain in the information system, using the values of the basic risk elements of the assessment objects in the security domain as model factors, performing calculation by using a preset probability calculation model to obtain the values of the basic risk elements of the assessment objects in the security domain, wherein the weight value corresponding to the maximum value of the basic risk elements of the assessment objects in the security domain is the maximum; and performing calculation according to the above method to obtain the value of each basic risk element in the security domain, and figuring out the risk value of the security domain by using a risk assessment algorithm according to the value of each basic risk element in the security domain. A method for performing accurate risk assessment method on asset units and an entire security operation and maintenance center is provided.

Description

technical field [0001] The invention relates to the field of network security, in particular to an information system risk assessment method and device. Background technique [0002] Information system risk assessment is to use scientific methods and means from the perspective of risk management to systematically analyze the threats faced by information systems and their existing vulnerabilities, and to assess the degree of harm that may be caused by security incidents. Targeted protection countermeasures and rectification measures against threats provide a scientific basis for preventing and resolving information security risks, controlling risks at an acceptable level, and maximizing information security. [0003] The current national standard GB / T 20984-2007 information system risk assessment specification introduces the three basic elements involved in risk analysis: assets, threats, and vulnerabilities. Each element has its own attribute. The attribute of asset is asse...

AI Technical Summary

Problems solved by technology

[0006] Since the specification only introduces the basic process and principle of single asset risk analysis, that is, how to identify and assign values ​​to the three major elements (assets, vulnerabilities, threats), and use multiplication or matrix methods to calculate the risk value, there is no Given the calculation methods for the vulnerability value, threat value, and risk value of the asset group composed of a single asset and the entire security operation and maintenance center, the existing technology lacks a risk assessment method for the asset group and the entire security operation and maintenance center

Images