Thesis record

Author: 俞柏丞 (Po-Chen Yu)
Title (Chinese): 流程導向之資產價值校正方法之實作
Title (English): On Design and Implementation of a Process-Oriented Approach to Validate Asset Value for Risk Evaluation
Advisor: 查士朝 (Shi-Cho Cha)
Committee members: 楊傳凱 (Chuan-Kai Yang), 周子銓 (Tzu-Chuan Chou)
Degree: Master
Department: College of Management, Department of Information Management
Year of publication: 2010
Academic year of graduation: 98 (ROC calendar)
Language: English
Pages: 47
Keywords (Chinese): 風險管理 (risk management), 風險評估 (risk assessment), 資產價值 (asset value), 流程圖 (process diagram)
Keywords (English): Risk Management, Risk Assessment, Information Asset Value, Process Diagram

Abstract (translated from the Chinese)

As organizational processes have come to depend increasingly on information systems in recent years, an information security incident often causes serious loss and can even threaten the organization's survival. Organizations therefore try to understand the threats their working environment as a whole may face and adopt appropriate safeguards to prevent them; the concept of risk management provides a way to identify risks and to select countermeasures with cost-effectiveness in mind.
Most of the standards, guidelines and methods proposed so far take assets as the primary basis of evaluation: all assets in the working environment are identified first, then each asset's value, the vulnerabilities it may have and the threats it may face are assessed, and from these a risk value is computed. A correct asset value is therefore one of the most important factors in whether a risk assessment succeeds. Current asset valuation methods, however, often lack a comprehensive view of the asset, which greatly reduces the validity of the risk assessment; if asset values can be further corrected, the accuracy of the resulting risk values improves.
This thesis continues the process-oriented asset value correction method proposed earlier by our laboratory and implements that theory. Users draw business processes through a graphical interface, indicate the assets each process uses, and mark each asset with its requirements for confidentiality, integrity and availability; the system then corrects the value of every asset automatically and systematically. This lowers the cost of drawing process diagrams and raises the validity of the risk assessment.


Abstract (English)

As organizations have become more dependent on information systems in recent years, security incidents affecting those systems can have a serious impact. An organization therefore takes action to understand the threats within its operational environment, and the concept of risk management provides a cost-effective way to identify those threats and protect against them.
Current standards, guidelines and methodologies for risk management mainly adopt an asset-driven approach: the organization identifies its assets and their values, then finds the threats and vulnerabilities affecting those assets in order to obtain a risk value. Because the risk value is derived from the asset values, the accuracy of asset valuation is crucial. However, current asset valuation methods often do not consider an asset comprehensively, which reduces the effectiveness of the risk assessment. Validating the assets' values is therefore a useful way to improve the accuracy of the risk values.
This study builds on our previous work and implements the theoretical model of a process-oriented approach to validating asset value. Users illustrate business processes and the related assets through a graphical interface; given marks based on each asset's requirements for confidentiality, integrity and availability, the value of each asset is then validated automatically and systematically. The tool presented in this work reduces the cost of illustrating business processes and improves the effectiveness of a risk assessment.
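The abstract names the inputs of the validation (a process diagram, the assets each process uses, and per-asset confidentiality, integrity and availability marks) but not the rule that turns them into corrected values; that rule lives in the laboratory's earlier process-oriented paper and in the thesis body. The Python below is an added illustration, not the thesis's tool, of one plausible form such a check can take. Everything in it is an assumption: marks are integers 1 to 3, assets explicitly marked as "key" carry authoritative marks, a process requires, per dimension, the highest mark among its key assets, and every asset the process depends on must be valued at least that high, since an attacker who reaches the lower-valued asset reaches the process output. The asset and process names are constructed sample data.

```python
"""Process-oriented asset value check (added illustration; assumed model, not
the thesis's own implementation).

Assumed model:
  * CIA marks are integers 1 (low) .. 3 (high).
  * "Key" assets carry marks the user set deliberately; they are authoritative.
  * A process requires, per dimension, the highest mark among its key assets.
  * Every asset a process uses (inputs, outputs, systems it runs on) should be
    valued at least as high as that process requires, because compromising the
    lower-valued asset compromises the process.
"""
from dataclasses import dataclass

DIMENSIONS = ("C", "I", "A")


@dataclass
class Asset:
    name: str
    value: dict        # assessed marks, e.g. {"C": 1, "I": 2, "A": 1}
    key: bool = False  # True when the marks came from explicit key-asset marking


@dataclass
class Process:
    name: str
    uses: tuple        # names of the assets the process depends on


def process_requirements(processes, assets):
    """Per process: per-dimension max over the marks of its key assets."""
    req = {}
    for p in processes:
        r = {d: 0 for d in DIMENSIONS}
        for name in p.uses:
            a = assets[name]
            if a.key:
                for d in DIMENSIONS:
                    r[d] = max(r[d], a.value[d])
        req[p.name] = r
    return req


def derived_values(processes, assets):
    """Per asset: per-dimension max over the requirements of every process that
    uses it (key assets start from their own marks, all others from 0)."""
    req = process_requirements(processes, assets)
    derived = {n: ({d: a.value[d] for d in DIMENSIONS} if a.key
                   else {d: 0 for d in DIMENSIONS})
               for n, a in assets.items()}
    for p in processes:
        for name in p.uses:
            for d in DIMENSIONS:
                derived[name][d] = max(derived[name][d], req[p.name][d])
    return derived


def validate_asset_values(processes, assets):
    """Return {asset: {dim: (assessed, required)}} for every asset whose assessed
    mark is below what some process using it requires. Empty dict: nothing to fix."""
    derived = derived_values(processes, assets)
    findings = {}
    for name, a in assets.items():
        for d in DIMENSIONS:
            if derived[name][d] > a.value[d]:
                findings.setdefault(name, {})[d] = (a.value[d], derived[name][d])
    return findings


def corrected_values(processes, assets):
    """Raise each under-valued mark to the required level; never lower a user's mark."""
    derived = derived_values(processes, assets)
    return {name: {d: max(a.value[d], derived[name][d]) for d in DIMENSIONS}
            for name, a in assets.items()}


# Constructed sample diagram: an order-approval process and an invoicing process.
SAMPLE_ASSETS = {
    "customer_db":  Asset("customer_db",  {"C": 3, "I": 2, "A": 2}, key=True),
    "invoice_data": Asset("invoice_data", {"C": 2, "I": 3, "A": 1}, key=True),
    "order_form":   Asset("order_form",   {"C": 2, "I": 2, "A": 1}),
    "app_server":   Asset("app_server",   {"C": 1, "I": 1, "A": 1}),
    "printer":      Asset("printer",      {"C": 1, "I": 1, "A": 2}),
}
SAMPLE_PROCESSES = (
    Process("approve_order",    ("customer_db", "order_form", "app_server")),
    Process("generate_invoice", ("invoice_data", "app_server", "printer")),
)

if __name__ == "__main__":
    for asset, gaps in validate_asset_values(SAMPLE_PROCESSES, SAMPLE_ASSETS).items():
        print(asset, gaps)
    print(corrected_values(SAMPLE_PROCESSES, SAMPLE_ASSETS))
```

In the sample, the shared application server was assessed at the lowest level on every dimension, yet it carries both the confidential customer database and the integrity-critical invoice data, so the check raises it to C=3, I=3, A=2. A caveat that follows directly from the max rule: any asset shared by many processes (servers, networks, directories) inherits the highest requirement of all of them, so a diagram with a few top-marked key assets can push most of the infrastructure to the top level; that is the intended conservative direction for a correction step, but it is worth reviewing the result rather than accepting it blindly.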

Table of Contents (thesis page numbers in parentheses)

Table of Contents (p. i)
List of Figures (p. iii)
List of Tables (p. v)
1 Introduction (p. 1)
  1.1 Research Background and Motivation (p. 1)
  1.2 Research Purpose and Contribution (p. 2)
  1.3 Organization of this paper (p. 3)
2 Literature Review (p. 4)
  2.1 The Risk Management Concept and Process (p. 4)
  2.2 Existing Risk Assessment Approaches (p. 6)
  2.3 Asset-Oriented Risk Evaluation Method (p. 13)
  2.4 Asset Valuation Methods (p. 14)
  2.5 Process-Oriented Approach to Validate Asset Value (p. 18)
3 Problem Definition (p. 22)
  3.1 Example Scenario (p. 22)
  3.2 Functional Requirements (p. 23)
4 System Model and Design (p. 25)
  4.1 System Overview (p. 25)
  4.2 The System Models (p. 26)
    4.2.1 Class Diagram (p. 26)
    4.2.2 Interaction Diagram (p. 27)
5 Functional Demonstration and Application (p. 32)
  5.1 Functional Demonstration (p. 32)
    5.1.1 Drawing the Process Diagram (p. 32)
    5.1.2 Key Asset Marking (p. 34)
    5.1.3 Asset List and Value Validation (p. 34)
  5.2 Application (p. 36)
6 Conclusion and Future Work (p. 39)
Bibliography (p. 41)
Appendices (p. 45)

