
Study On Information System Internal Control Assessment Of Retail Chain Enterprises

Posted on: 2011-02-27
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Du
GTID: 2189330332472155
Subject: Accounting
Abstract/Summary:
Once an enterprise's information systems and infrastructure are established, the focus of its information technology work shifts to improving how they are applied. Effective internal control over enterprise information is very important, and improving the internal control of an information system is a cycle of implementation, daily application and assessment. This paper focuses on an assessment method for the internal control of information systems that is suited to retail chain enterprises. The method supports improvements to internal controls for information systems, and software is developed to carry out the assessment.

This paper takes the information security risk assessment standard GB/T 20984-2007 as a reference and adapts it to the assessment of internal control in retail chain enterprises. The adaptation mainly concerns the selection of control points, the expansion of control points, the introduction of a weight calculation method, and the content of some threat subclasses and vulnerabilities. Specifically, the selected control points are those that have a significant impact on retail chain enterprises and also draw on world-class advanced frameworks; the threat subclasses take into account the characteristics of information systems and common threats; and the vulnerability content takes into account the characteristics of information systems in retail chain enterprises.

This paper determines the control points according to the enterprise's situation and sets up a standard library to manage them. It then calculates the value of the control points using AHP, the expert scoring method and the weighted average method, and evaluates threats and vulnerabilities using the threat subclasses and vulnerability content. Finally, it calculates the level of risk by multiplication and presents an assessment report. The assessment report includes information on the control points, the threats that have occurred, the identification and classification of threats, the vulnerabilities of the information systems, and the risk level. The report can serve as a source of information for improving the internal control of the information system.

In addition, this paper proposes a new risk calculation model for the internal control of information systems. After the control points are calculated and the threats and vulnerabilities are valued, the enterprise calculates the loss caused by each threat, then calculates the risk value by multiplication from the likelihood of the uncontrollable time and the loss from security events.

Finally, using software development together with the assessment model and the risk calculation model for the internal control of information systems, this paper designs and develops an internal control assessment system for information systems.
Keywords/Search Tags:Analytic Hierarchy Process, Assessment model of internal control, Calculation model of risk evaluation, Assessment Report
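The pipeline the abstract outlines (AHP weights, expert scoring, weighted average, then multiplication with threat and vulnerability values) can be sketched as follows. This is an added example, not code from the thesis. The criteria matrix, control point names, 1 to 5 scales, the row geometric mean approximation for AHP and the simple product used for risk are all assumptions, since the abstract gives no formulas.

```python
from math import prod

# Saaty's random consistency index by matrix order (standard AHP table, n <= 5 here).
RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}

def ahp_weights(m):
    """Weights and consistency ratio (CR) of a pairwise comparison matrix."""
    n = len(m)
    if any(abs(m[i][j] * m[j][i] - 1) > 1e-9 for i in range(n) for j in range(n)):
        raise ValueError("comparison matrix is not reciprocal")
    gm = [prod(row) ** (1 / n) for row in m]  # row geometric means
    w = [g / sum(gm) for g in gm]
    aw = [sum(a * x for a, x in zip(row, w)) for row in m]
    lam = sum(v / x for v, x in zip(aw, w)) / n  # estimate of lambda_max
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    return w, (ci / RI[n] if RI[n] else 0.0)

def control_value(weights, expert_scores):
    """Mean expert score per criterion, then the AHP-weighted average."""
    means = [sum(col) / len(col) for col in zip(*expert_scores)]
    return sum(w * s for w, s in zip(weights, means))

def assess(matrix, points, max_cr=0.10):
    """Rank control points by risk; reject inconsistent expert judgements."""
    w, cr = ahp_weights(matrix)
    if cr > max_cr:
        raise ValueError(f"inconsistent pairwise judgements, CR={cr:.2f}")
    rows = []
    for name, p in points.items():
        value = control_value(w, p["scores"])
        # Assumed product form; the abstract gives no formula.
        risk = value * p["threat"] * p["vulnerability"]
        rows.append((name, round(value, 2), round(risk, 2)))
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample: three criteria judged 4:2:1, two experts per control point.
CRITERIA = [[1, 2, 4], [1 / 2, 1, 2], [1 / 4, 1 / 2, 1]]
POINTS = {
    "POS access control": {"scores": [[5, 4, 3], [4, 4, 3]], "threat": 4, "vulnerability": 3},
    "Store-to-HQ data backup": {"scores": [[3, 3, 2], [3, 2, 2]], "threat": 2, "vulnerability": 4},
}

if __name__ == "__main__":
    for row in assess(CRITERIA, POINTS):
        print(row)
```

The consistency ratio check matters in practice: if expert pairwise judgements contradict each other (CR above 0.10, Saaty's usual threshold), the weights and every risk value derived from them should not be trusted.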