Information Security Risk Assessment Model ¡V A Case Study of a Semiconductor Assembly Company

Hu, Ruei-shian

30 July 2008

The information security incidents have most often been reported. The loss of enterprise operation is more and more serious because of information security incidents. There are more and more operation risks happening inside the enterprise because of such informational and electronic transformation. Consequently, the requirement to have an effective management framework of information security is more and more urgent. The research adopts the international standard ISO 27001 as the foundation of the information security management framework. And then, risk assessment is the main process of the informational security management framework. This process includes five stages: identification and classification of information assets, value evaluation of information assets, vulnerability assessment of information assets, threats assessment of information assets, and measurement of information security risks. The operational definition, implementation steps and measurement of the information security risks are worked out through review of relevant literature and interview with experts in the semiconductor assembly company. Finally, the experts of the consulting firm of the informational security are entrusted to verify the availability of the model. The result of this informational security risk assessment model will be used as the basis for future improvement. It is hoped that this research can offer a guideline for the information security risk assessment suitable for the semiconductor company and can be used as a reference for internal auditors and management.

Assets Threats

Assets Vulnerability

Assets Evaluation

Risk Assessment

Information Security