
Estimation of the value of risk loss in the field of information security

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Recently we have been discussing information security with many IT colleagues. The discussion has covered many topics, such as technology, management and development direction, but one thing is very clear: given the current situation of domestic enterprises, information security has not received enough attention in most of them.

Whether through management, technical or physical means, strengthening information security is very difficult if it relies solely on IT people to push it forward. Even the CISSP guide says that, at the implementation level, information security must be a personal concern of the leadership, who take the lead in promoting it, in order to achieve better results.

So how can leaders be persuaded to invest more in and pay more attention to information security? There are two most effective ways. The first is compliance: if information security is not compliant, it leads to a series of problems. In China, when a security audit by the competent department is failed, the enterprise's management usually bears the leadership responsibility, and in this situation it is easier to push for investment in the security system. The second is having experienced the pain: poor information security management has led to the loss of data assets, directly causing economic losses or losses of intangible assets, and the leadership finally takes a hard line on security. This is mending the fold after the sheep have been lost.

Around the world there are many mature laws and regulations that require enterprises to give the necessary protection to information security and personal privacy in their business activities, such as the well-known HIPAA and PCI DSS. China also has some standards in this area, but at present enforcement is not very strict and there are no mandatory requirements; apart from sectors with administrative requirements, such as the military industry, government and classified units, the information security management of commercial enterprises is generally weak. In these enterprises there is another method that can be used to improve management's awareness of information security: quantify the risk, and use monetary value to measure the loss caused by the damage or loss of data assets. This is also a better approach when leaders find abstract data risks and IT risks hard to grasp.

Quantifying IT risk is not very difficult. Mature value estimation models are available, but in the process of quantification it is hard to estimate the probability of events and the proportion of the loss an event causes; these key figures need to be reasonably evaluated and supplied by veterans with practical working experience.

The following example illustrates the value estimation of a risk loss.

Take a certain CRM system as an example. A company's customer information, price information and product information are all stored in its CRM system, and the value of this information to the company is 1 million yuan.

If the system's data is leaked or damaged, the information loss is 800000 yuan and the reconstruction and recovery cost is 100000 yuan, so the Single Loss Expectancy is

SLE = 800000 + 100000 = 900000 yuan. That is, once an information security incident occurs on the CRM, the foreseeable loss is 900000 yuan out of a total value of 1 million yuan, so the Exposure Factor (EF) of this event is 90%.

However, attacks on the system do not happen all the time. Even though the CRM system is currently weakly protected, experienced IT managers estimate that a strong attack causing the above losses will occur only once every three years. The Annualized Rate of Occurrence (ARO) of this risk is therefore 1/3, which is about 33.33%.

For this risk, the Annual Loss Expectancy (ALE) = SLE * ARO = 900000 * 33.33%, which is about 300000 yuan.

With the basic concepts above, suppose we want to deploy a security protection system such as an application-level firewall. The design life of the equipment is 5 years, the procurement cost is 200000 yuan, and the total cost including 5 years of maintenance is 250000 yuan. The annual cost is therefore 250000 / 5 = 50,000 yuan, while the expected risk reduction is 300000 yuan, so the value contribution of the firewall to the company is 300000 - 50000 = 250000 yuan.
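The calculation above, carried through as an added Python example that is not part of the original article. It uses the article's CRM figures, and also generalises to a control that only lowers the ARO rather than eliminating the risk entirely, which is what the article's firewall example assumes; the residual-risk figure in that second case is constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One quantified risk scenario."""
    asset_value: float            # AV: what the asset is worth
    single_loss: float            # SLE: loss from one incident, recovery included
    occurrences_per_year: float   # ARO: expected incidents per year

    @property
    def exposure_factor(self) -> float:
        """EF = SLE / AV, the fraction of the asset's value lost per incident."""
        return self.single_loss / self.asset_value

    @property
    def ale(self) -> float:
        """ALE = SLE * ARO, the expected loss per year."""
        return self.single_loss * self.occurrences_per_year


def control_value(before: Risk, after: Risk, total_cost: float, years: float) -> float:
    """Annual value of a control: ALE reduction minus annualised cost.

    A positive result means the control pays for itself; 'after' carries the
    residual risk left once the control is in place (zero if it removes the risk).
    """
    annual_cost = total_cost / years
    return before.ale - after.ale - annual_cost


# The article's CRM example: AV 1,000,000; SLE 800,000 + 100,000; one incident per 3 years.
CRM_BEFORE = Risk(asset_value=1_000_000, single_loss=800_000 + 100_000,
                  occurrences_per_year=1 / 3)


def crm_example():
    """Returns (EF, ALE, firewall value) with the article's numbers: 0.9, 300000, 250000."""
    # As in the article, the firewall is assumed to remove the risk entirely.
    after = Risk(asset_value=1_000_000, single_loss=0, occurrences_per_year=0)
    value = control_value(CRM_BEFORE, after, total_cost=250_000, years=5)
    return CRM_BEFORE.exposure_factor, CRM_BEFORE.ale, value


def partial_control_example() -> float:
    """Constructed variant: the same firewall only cuts the ARO to once in 10 years."""
    after = Risk(asset_value=1_000_000, single_loss=900_000, occurrences_per_year=0.1)
    return control_value(CRM_BEFORE, after, total_cost=250_000, years=5)
```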

The above is only a simple calculation example. Although the process of quantifying and evaluating risk is simple, it provides a means of putting a value on an abstract concept. Other risk assessment models also use qualitative analysis methods, such as rating risks by colour levels like red and black, or marking them as high-risk, general and so on, as in the well-known Delphi method.

Reference: "CISSP All-in-One Exam Guide"
