Abstract
PROBLEM TO BE SOLVED: To provide an information technology risk management system and method for maximizing the efficiency of consultation.

SOLUTION: An information technology risk management method includes: a control database construction process for decomposing a control policy into minimum units, and for defining and storing, from each control element, one control item, a control action, and a control-categorized performer and observer; a current situation analysis process for analyzing the current state of the organization's control maturity; an asset evaluation process for identifying the information assets to be managed by the organization, and for evaluating their significance; a risk evaluation process for extracting vulnerabilities by defining control elements in the reverse direction, and for evaluating risk on the basis of the correlation between the control elements, the information assets and the threats; a risk processing process for determining the control guarantee standard of the risk by using the risk as a standard, for selecting control elements for mitigating the risk, for establishing a risk processing plan, and for revising a policy; and a control execution process for executing a management review by a manager of the risk processing plan, for generating a report on the applicability of an internal control structure and an international/domestic standard, and for executing user education for control execution.