The process-wide methodology for investigating the information security of a business process


Bibliographic Details
Main Authors: Hung, Miao-Ju, 洪妙如
Other Authors: Tsaih, Ray
Format: Others
Language: en_US
Online Access: http://ndltd.ncl.edu.tw/handle/94158009317709083458
Description
Summary: Master's === National Chengchi University === Graduate Institute of Information Management === 93 === We are interested in evaluating the information security of a critical business process and its relevant issues. We try to provide a new security investigation method which is concerned with ensuring the continuity of essential business processes and even of the whole organization. This study provides a methodology for analyzing the risk of each component of a process, to replace the original information security method, which was too broad or too narrow. Based on such an investigation, we can understand the security measures implemented in the process and discover which components need to be changed in order to reduce risk or enhance the security of that process to an acceptable level within the limited budget. In our methodology, the following steps are proposed for each decisive business process: (1) to develop the business process table, (2) to figure out all practices of CP/IC/IR corresponding to each function and the related risks, (3) to classify the risk likelihood, risk impact, and security level for each CP/IC/IR of the critical process, (4) to propose the corresponding controls for each CP/IC/IR, and (5) to check the installed controls: the last column, installed check, records whether the proposed controls are installed or not. A case study of the loan process in a financial institution will be conducted here to illustrate the proposed methodology. We find that there are a number of benefits offered by the PWIO security investigation approach. It is designed from a higher-level viewpoint. It involves more members. It is easier for managers to support. It provides systematic analysis and checking of the security controls in the business process. It costs less than the conventional risk analysis which is adopted for the whole enterprise. The PWIO security investigation methodology can be applied to one of the processes and modified to fit the particular enterprise, and then it can be carried out for the other processes. It can save time and money via try-and-modify steps.