Title: A Risk Assessment Model for Information Assets in a Common Operating Environment
A Risk Assessment Model for Information Asset of Common Operation Environment
Authors: Hsiu-Wen Wang (王秀文)
Chi-Chun Lo (罗济群)
Information Management Program, College of Management
Keywords: Information Security; Risk Assessment; Assets; Information Assets; Vulnerability; Threat
Date of publication: 2003
Abstract: With the advance of network technology, the scale of information systems and the degree of dependence on the information environment have grown steadily, making the security of the common operating environment increasingly important, and the concept of applying risk management to information systems has gained growing attention. For this purpose, the International Organization for Standardization published ISO/IEC 17799, Information technology, Code of practice for information security management, so that organizations can understand their own information security needs and carry out risk assessment.
For these reasons, how to build a risk assessment model for a common operating environment that conforms to the relevant international standards is a topic worth in-depth study. According to the definition in ISO/IEC Guide 73, risk management comprises risk assessment, risk treatment, risk acceptance and risk communication. This thesis focuses on the risk assessment of information assets; accordingly, risk analysis and risk assessment of information assets form its central theme and research objective.
This thesis applies the RRF two-stage risk analysis methodology, introduces a modified version of the Microsoft risk calculation formula, and combines these with the AHP (Analytic Hierarchy Process) decision model to build a two-stage risk assessment model. Finally, using the automated risk analysis program of ITRI's Computer and Communications Research Laboratories as a blueprint, a two-stage information asset risk assessment model is implemented. Experimental evaluation shows that the model can effectively identify critical information assets and rank them in priority order.
The concept of applying risk management to protect information systems is more important today than ever, because of the development of network technology, the growing degree of dependence on the information environment, and computer virus attacks. The International Organization for Standardization has published ISO/IEC 17799, Information Technology, Code of Practice for Information Security Management, to help organizations determine their information security needs and carry out risk assessment.
In this research, we propose a two-phase risk assessment model, based on RRF two-stage risk analysis combined with the Microsoft risk calculation formula and the AHP decision model, to identify critical information assets and help enterprises build security protection effectively.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT009164514
http://hdl.handle.net/11536/62646
Appears in collections: Thesis