
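Information Security Risk Assessment Based on Business Process Modeling
Cite this article: Fan Shixi (范士喜). Information Security Risk Assessment Based on Business Process Modeling [J]. Journal of Beijing Institute of Graphic Communication (北京印刷学院学报), 2015(4): 39-44.
Author: Fan Shixi (范士喜)
Affiliation: School of Information Engineering, Beijing Institute of Graphic Communication, Beijing, 102600
Abstract: In information security risk assessment, assets are usually listed by category according to the form they take, and each asset is valued in isolation, without considering how assets support the business or how assets relate to one another. Taking the business process modeling method IDEF0 (Integration DEFinition Method 0) as a basis, a hierarchical functional model of the business process is built, and the three kinds of supporting assets involved in realizing each process function (input, mechanism and control) are identified, which yields a hierarchical, business-process-centric asset correlation graph. The business processes in the graph form a typical hierarchical structure with internal dependence. The analytic network process can be used to rank the importance of the business processes with respect to the overall objective of the system, and the importance of the supporting assets is assessed according to the importance and number of the business processes they support. The method achieves hierarchical association, identification and assessment of assets, and an application example of an online shopping website confirms its feasibility.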

Keywords: information security  risk assessment  asset identification  IDEF0  analytic network process

Information Asset Identification and Assessment based on Business Process Modeling
Abstract: In information security risk assessment, it is common to give a list of assets classified by the form they take and to evaluate every asset in isolation. This study presents a hierarchical functional model of the business process based on IDEF0 and identifies three kinds of supporting assets (input, mechanism and control), from which a business-process-centric hierarchical correlation graph of assets is obtained. In the graph, the business processes constitute a typical hierarchy with internal dependences; thus, ANP can be used to assess the priorities of the business processes with respect to the objective of the system, and the supporting assets are evaluated according to the importance and number of the business processes that they support. The method achieves hierarchical association, identification and assessment of assets, and its application to an online shopping website shows that it is feasible.
Keywords: information security  risk assessment  asset identification  IDEF0  analytic network process (ANP)
This article is indexed in CNKI, Wanfang Data (万方数据) and other databases.