Abstract
PROBLEM TO BE SOLVED: To provide an information technology risk management system and method for maximizing consulting efficiency. SOLUTION: An information technology risk management method includes: a control database construction process S100 for defining and storing, for each control element, one control item, a control action, and a control-categorized performer and observer; a current situation analysis process S200 for analyzing the current state of the organization's control maturity; an asset evaluation process S300 for identifying the information assets to be managed and evaluating their significance; a risk evaluation process S400 for extracting the vulnerabilities of the control elements and evaluating risk on the basis of the correlation between the control elements and the information assets and threats; a risk processing process S500 for determining the control assurance standard for a risk, selecting the control elements for risk mitigation, establishing a risk processing plan, and revising policy; and a control execution process S600 for carrying out a management review of the risk processing plan by a manager, generating a report on the applicability of the internal control structure and of international/domestic standards, and carrying out user education for control execution.