银行信息科技风险自评估体系的探究
发布时间:2019-04-23 15:23
【摘要】:自评估是被评估信息系统的拥有者发起的评估工作。目前自评估中使用的模型和方法过于理论化,资产、脆弱性、威胁的度量和评价操作起来比较困难,难以在银行内部推广使用。那么,在基于银行内部信息科技风险管理已较为合规的情况下,如何设计简单而有效的自评估模型和方法论,是我行必须考虑的一个重大课题。 本文以监管机构相关规定为依据,首先对传统的风险评估技术进行了研究,设计了银行内部开展信息科技风险评估的自评估模型和方法论。接着以自评估模型为基础,针对目前行内自评估工作量较大、流程繁琐、科技人员缺乏评估背景等问题,,详细设计并开发搭建了自评估风险管理系统,实现对自评估实施进度的全流程动态管理。最后基于该自评估模型开展试点风险评估工作。 本文解决了传统模型中资产、脆弱性、威胁的度量和评价问题,将银行业务紧密地与专业的风险评估结合起来,并重新规划了我行信息科技及其子领域的风险控制范围,具有良好的适应性、动态性。研究成果对银行内部开展信息科技风险自评估有较强的实践意义,为科技人员开展自评估活动扫清了部分理论和技术障碍。
[Abstract]:Self-assessment is an assessment initiated by the owner of the assessed information system. At present, the models and methods used in self-assessment are too theoretical, the measurement and evaluation of assets, vulnerability, threats are difficult to operate, and it is difficult to popularize them in banks. Therefore, how to design a simple and effective self-assessment model and methodology is an important issue that our bank must consider when it is based on the information technology risk management within the bank. Based on the relevant regulations of regulatory agencies, this paper first studies the traditional risk assessment technology, and designs the self-assessment model and methodology of information technology risk assessment in banks. Then based on the self-assessment model, aiming at the problems such as large workload, cumbersome process, lack of evaluation background and so on, a self-assessment risk management system is designed and developed in detail. To realize the dynamic management of the whole process of self-assessment implementation progress. Finally, the pilot risk assessment is carried out based on the self-assessment model. This paper solves the problem of measurement and evaluation of assets, vulnerabilities and threats in traditional models, combines banking business closely with professional risk assessment, and replans the scope of risk control in the information technology and its sub-fields of our bank. Has good adaptability, dynamic. The research results have strong practical significance to carry out the self-assessment of information science and technology risk within the bank, which clears up some theoretical and technical barriers for the scientific and technological personnel to carry out the self-assessment activities.
【学位授予单位】:上海交通大学
【学位级别】:硕士
【学位授予年份】:2012
【分类号】:TP311.52;F832.2
本文编号:2463585
[Abstract]:Self-assessment is an assessment initiated by the owner of the assessed information system. At present, the models and methods used in self-assessment are too theoretical, the measurement and evaluation of assets, vulnerability, threats are difficult to operate, and it is difficult to popularize them in banks. Therefore, how to design a simple and effective self-assessment model and methodology is an important issue that our bank must consider when it is based on the information technology risk management within the bank. Based on the relevant regulations of regulatory agencies, this paper first studies the traditional risk assessment technology, and designs the self-assessment model and methodology of information technology risk assessment in banks. Then based on the self-assessment model, aiming at the problems such as large workload, cumbersome process, lack of evaluation background and so on, a self-assessment risk management system is designed and developed in detail. To realize the dynamic management of the whole process of self-assessment implementation progress. Finally, the pilot risk assessment is carried out based on the self-assessment model. This paper solves the problem of measurement and evaluation of assets, vulnerabilities and threats in traditional models, combines banking business closely with professional risk assessment, and replans the scope of risk control in the information technology and its sub-fields of our bank. Has good adaptability, dynamic. The research results have strong practical significance to carry out the self-assessment of information science and technology risk within the bank, which clears up some theoretical and technical barriers for the scientific and technological personnel to carry out the self-assessment activities.
【学位授予单位】:上海交通大学
【学位级别】:硕士
【学位授予年份】:2012
【分类号】:TP311.52;F832.2
【参考文献】
相关期刊论文 前6条
1 胡啸 ,吴志刚 ,陈星;关于信息安全标准化的思考[J];信息技术与标准化;2005年04期
2 陈亮;;信息系统安全风险评估模型研究[J];中国人民公安大学学报(自然科学版);2007年04期
3 董良喜,王嘉祯,康广;计算机网络威胁发生可能性评价指标研究[J];计算机工程与应用;2004年26期
4 艾明;向宏;康冶平;;风险评估中威胁发生可能性的定量分析方法[J];微计算机信息;2007年27期
5 徐崇岭;;银行信息安全风险自评估的流程和方法[J];中国金融电脑;2007年02期
6 余志伟;唐任仲;贾东浇;叶范波;;一种基于业务过程的信息系统安全需求分析方法[J];中国机械工程;2007年04期
相关博士学位论文 前1条
1 刘芳;信息系统安全评估理论及其关键技术研究[D];国防科学技术大学;2005年
相关硕士学位论文 前2条
1 彭泽伟;信息系统安全风险量化模型研究及风险评估系统的实现[D];重庆大学;2006年
2 崇小蕾;信息安全风险自评估方法的研究及其辅助工具的设计与实现[D];西安电子科技大学;2006年
本文编号:2463585
本文链接:https://www.wllwen.com/guanlilunwen/huobilw/2463585.html
