I. Definition
Information security risk assessment refers to the process of analyzing the asset value, potential threats, weak links and protective measures of information systems with reference to risk assessment standards and management norms, judging the probability of security incidents and possible losses, and proposing risk management measures. The application of risk assessment to IT field is the risk assessment of information security.
Risk assessment has gradually changed from simple technical operations such as vulnerability scanning, manual auditing and penetration testing to methods such as BS7799, ISO 17799, and the national standard "Information System Security Level Assessment Criteria", which fully embodies the comprehensive method and operation mode of information security risk assessment with assets as the starting point, threats as the triggering factor and loopholes in technology/management/operation as the inducement.
Second, the importance of risk assessment to enterprises
Enterprises are increasingly dependent on information systems, and security threats and risks are everywhere. From the needs of the organization's own business and the requirements of laws and regulations, it is even more necessary to strengthen the management of information risk. Risk assessment is the basis of risk management, which depends on the results of risk assessment to determine the follow-up risk control and audit approval activities, so that organizations can accurately "locate" the strategies, practices and tools of risk management. Therefore, the focus of safety activities will be on important issues, and reasonable and applicable safety countermeasures will be selected.
Risk assessment can make clear the security situation of information system and determine the main security risks of information system, which is the basis for the construction of information system security technology system and management system.
Three steps of risk assessment:
Step 1: Describe the system characteristics.
Step 2: Identify threats (threat assessment)
Step 3: Identify vulnerabilities (vulnerability assessment)
Step 4: Analyze the security control
Step 5: Determine the possibility.
Step 6: Analyze the impact
Step 7: Determine the risk
Step 8: Put forward suggestions on safety control.
Step 9: Record the evaluation results.
Fourth, the role of risk assessment.
The security of any system can be measured by risk. The process of scientifically analyzing the security risks of the system and comprehensively weighing risks and costs is risk assessment. Risk assessment is not unique to a certain system (including information system). In daily life and work, risk assessment can also be seen everywhere. In order to analyze and determine the system risk and risk size, and then decide what measures to take to reduce and avoid risks and control the remaining risks within a tolerable range. People often ask the question: When and where may something go wrong? What are the chances of something going wrong? What are the consequences of these problems? What measures should be taken to avoid and make up? And always try to find the most reasonable answer. This process is actually a risk assessment.
Wanfang Security has been engaged in information security for more than ten years, and there are many successful cases of security services in various industries. Is a information security service manufacturer providing one-stop professional security services, and has profound experience in the information security industry.