
GB/T 20984-2007 (GB/T 20984-2022 Newer Version) PDF English


GB/T 20984-2007 (GB/T20984-2007, GBT 20984-2007, GBT20984-2007)
Standard ID | Version | Name of Chinese Standard | Status
GB/T 20984-2022 | English | Information security technology -- Risk assessment method for information security | Valid
GB/T 20984-2007 | English | Information security technology -- Risk assessment specification for information security | Obsolete
Newer version: GB/T 20984-2022     Standards related to (historical): GB/T 20984-2022

GB/T 20984-2007: PDF in English (GBT 20984-2007)

GB/T 20984-2007
GB
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80

Information security technology - Risk assessment specification for information security

ISSUED ON: JUNE 14, 2007
IMPLEMENTED ON: NOVEMBER 01, 2007
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of PRC.

Table of Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Framework and process for risk assessment
4.1 Relationship of risk elements
4.2 Principles of risk analysis
4.3 Implementation process
5 Implementation of risk assessment
5.1 Preparation of risk assessment
5.2 Identification of asset
5.3 Identification of threats
5.4 Identification of vulnerability
5.5 Confirmation of existing security measures
5.6 Risk analysis
5.7 Documentation of risk assessment
6 Risk assessment at each phase of the life cycle of information system
6.1 Overview of life cycle of information system
6.2 Risk assessment in the planning phase
6.3 Risk assessment in the design phase
6.4 Risk assessment in the implementation phase
6.5 Risk assessment in the operation-maintenance phase
6.6 Risk assessment in the obsolete phase
7 Working form of risk assessment
7.1 Overview
7.2 Self-assessment
7.3 Inspection-assessment
Appendix A (Informative) Calculation method of risk
A.1 Risk calculation by matrix method
A.2 Calculation of risk by multiplication method
Appendix B (Informative) Risk assessment tool
B.1 Risk assessment and management tools
B.2 System fundamental platform’s risk assessment tool
B.3 Risk assessment aids
References

Information security technology - Risk assessment specification for information security

1 Scope

This standard proposes the basic concepts, element relationships, analysis principles, implementation processes, assessment methods of risk assessment, as well as the implementation key-points and working forms of risk assessment at different stages of the life cycle of information system.

This standard applies to normalizing the risk assessment work carried out by the organization.

2 Normative references

The provisions in following documents become the provisions of this standard through reference in this standard. For the dated references, the subsequent amendments (excluding corrections) or revisions do not apply to this standard; however, parties who reach an agreement based on this standard are encouraged to study if the latest versions of these documents are applicable. For undated references, the latest edition of the referenced document applies.

GB/T 9361 Security requirements for computer field
GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 18336-2001 Information technology - Security techniques - Assessment criteria for IT security (idt ISO/IEC 15408:1999)
GB/T 19716-2005 Information technology - Code of practice for information security management (ISO/IEC 17799:2000, MOD)

3 Terms and definitions

The following terms and definitions apply to this standard.

3.1 Asset

c) Risk is caused by threats. The more threats an asset faces, the greater the risk, which may evolve into a security incident;
d) The vulnerability of an asset may expose the value of the asset.
The more vulnerable the asset is, the greater the risk;
e) Vulnerability is an unsatisfied security requirement; threats exploit vulnerabilities to harm assets;
f) The existence of risks and the awareness of risks give rise to security requirements;
g) Security requirements can be met through security measures; the implementation costs need to be considered in conjunction with asset values;
h) Security measures can protect against threats and reduce risks;
i) Some residual risks are due to improper or ineffective security measures, and such risks can be controlled by enhancing the security measures; other residual risks are those left uncontrolled after comprehensively considering the security costs and benefits;
j) Residual risks shall be closely monitored, as they may induce new security incidents in the future.

4.2 Principles of risk analysis

The principle of risk analysis is as shown in Figure 2.

Risk analysis involves three basic elements: assets, threats, vulnerabilities. Each element has its own attribute. The attribute of the asset is the asset value; the attribute of the threat can be the subject of threat, the object of impact, the frequency of occurrence, the motivation, etc.; the attribute of vulnerability is the severity of the weakness of the asset. The main contents of the risk analysis are:
a) Identify the assets, assign values to the assets;
b) Identify the threat, describe the attributes of the threat, assign a value to the frequency of the threat;
c) Identify the vulnerabilities, assign values to the severity of the vulnerability of specific assets;
d) Judge the likelihood of the occurrence of a security incident based on the

a) Determine the objectives of the risk assessment;
b) Determine the scope of the risk assessment;
c) Form an appropriate team for the management and implementation of assessment;
d) Conduct the systematic research;
e) Determine the basis and method of assessment;
f) Develop a risk assessment plan;
g) Get top management’s support for risk assessment work.

5.1.2 Determination of target

Based on the security requirements of the organization's continuous business development as well as the legal and regulatory requirements, identify the deficiencies of the existing information systems and management, as well as the possible risks caused.

5.1.3 Determination of scope

The scope of risk assessment may be the organization's entire information and various assets and management related to information processing, or it may be an independent information system, key business processes, systems or departments related to customer’s intellectual property.

5.1.4 Formation of team

For the implementation team of risk assessment, the management grade, the relevant business backbones, the information technology personnel, etc. form the risk assessment team. If necessary, it may establish a risk assessment leading team which consists of the leaders of the assessing party, the leaders of the assessed party, the person in charge of the relevant department. It shall hire the relevant technical experts and technical backbones to form an expert team.

The implementation team of assessment shall do well in all preparation works including forms, documents, testing tools, etc.
Before the assessment, conduct technical training and confidential education on risk assessment, formulate relevant provisions for the management of risk assessment process. According to the requirements of the assessed party, both parties may sign a confidentiality contract and, if necessary, sign a personal confidentiality agreement.

5.1.5 System research

effect, personnel quality and other elements of the assessment, to select the specific method of risk calculation; based on the requirements of the implementation of business for the security operation of the system, determine the relevant basis for judgement, to make it be appropriate to the organizational environment and security requirements.

5.1.7 Establishment of plan

The purpose of the risk assessment plan is to provide a master plan for the subsequent activities of implementing risk assessment, to guide the implementers to carry out the follow-up work. The content of the risk assessment plan generally includes (but is not limited to):

a) Team organization: including assessment of team members, organizational structure, roles, responsibilities, etc.;
b) Work plan: work plan of each stage of risk assessment, including work content, work form, work result, etc.;
c) Time schedule: time schedule for the implementation of project.

5.1.8 Getting support

After determining all the above contents, it shall form a relatively complete risk assessment implementation plan, which shall be supported and approved by the top management of the organization. It shall be communicated to the management and technical personnel, carry out training on the relevant contents of risk assessment within the organization’s scope, so as to define the task of personnel in risk assessment.

5.2 Identification of asset

5.2.1 Classification of asset

Confidentiality, integrity and availability are three security attributes for assessing assets.
The value of an asset in a risk assessment is not measured by the economic value of the asset, but by the extent to which the asset achieves these three security attributes, or by the extent of the impact caused when its security attributes are not achieved. Different degrees of achievement of the security attributes give assets different values, whilst the threats faced by the assets, the vulnerabilities that exist, and the security measures adopted all have an impact on the degree of achievement of the asset’s security attributes. Therefore, it shall identify the assets in the organization.

In an organization, assets have multiple manifestations. The same two assets are also of different importance because they belong to different information

Security measures can be divided into two types: preventive security measures and protective security measures. Preventive security measures can reduce the likelihood of the occurrence of security incident due to the threat exploiting the vulnerability, such as an intrusion detection system. Protective security measures can reduce the impact on an organization or system after a security incident occurs.

The confirmation of the existing security measures has a certain relationship with the identification of vulnerability. In general, the use of security measures will reduce the system’s vulnerabilities in technology or management, but the confirmation of security measures does not need to be as specific to the vulnerability of each asset and component as the vulnerability identification process is; rather, it deals with a set of specific measures. It provides basis and reference for the establishment of the risk management plan.

5.6 Risk analysis

5.6.1 Principle of risk calculation

After finishing asset identification, threat identification, vulnerability identification, as well as the confirmation of the existing security measures, it will use appropriate methods and tools to determine the likelihood of occurrence of security incident due to the threat’s exploiting of vulnerability. Combine the value of asset on which the security incident acts and the severity of vulnerability, to judge the impact of the loss caused by the security incident on the organization, that is, the security risk. This standard gives the principle of risk calculation, which is explained by the following paradigm:

Risk value = R (A, T, V) = R (L (T, V), F (Ia, Va)).

Where R is the calculation function of security risk; A is the asset; T is the threat; V is the vulnerability; Ia is the value of the asset that the security incident is acting on; Va is the severity of the vulnerability; L is the likelihood of occurrence of security incident as caused by the threat’s exploiting of vulnerability; F is the loss caused by a security incident. There are three key calculations as below.

a) Calculate the likelihood of a security incident

Based on the frequency of threats and the status of vulnerability, calculate the likelihood of occurrence of security incident which is caused by a threat’s exploiting of vulnerability, namely:

The likelihood of a security incident = L (the frequency of threats, vulnerability) = L (T, V).

In the specific assessment, it shall combine the technical capabilities of the attacker (professional skill grade, attacking equipment, etc.), the difficulty of exploiting the vulnerability (accessibility time, disclosure degree of design and operational knowledge, etc.), asset attractiveness and other elements, to judge the likelihood of occurrence of a security incident.

b) Calculate the loss caused by the occurrence of a security incident

Based on the asset value and the severity of vulnerability, calculate the loss caused by the occurrence of a security incident, i.e.:

Loss caused by security incidents = F (asset value, vulnerability severity) = F (Ia, Va).

The loss caused by the occurrence of some security incidents is not only for the asset itself, but also for the continuity of the business; the impact of different security incidents on the organization is also different. When calculating the loss of a security incident, the impact on the organization shall also be taken into account.

The judgment of the loss caused by some security incidents shall also refer to the likelihood results of the occurrence of security incidents. For the security incidents of very-low likelihood (such as earthquake threats in non-seismic zones, power failure threats under the condition of complete power supply measures, etc.), it may not calculate its loss.

c) Calculate the risk value

Based on the calculated likelihood of a security incident and the loss caused by the security incident, calculate the risk value, that is:

Risk value = R (likelihood of security incident, loss due to security incident) = R (L (T, V), F (Ia, Va)).

The assessor may, based on its own conditions, select the corresponding risk calculation method, to calculate the risk value, such as matrix method or multiplication method. The matrix method constructs a two-dimensional matrix, to form a two-dimensional relationship between the likelihood of a security incident and the loss caused by a security incident; the multiplication method constructs an empirical function, to compute the likelihood of a security incident and the loss caused by a security incident, thereby obtaining the risk value.

Appendix A gives an example of risk calculations by matrix method and multiplication method.
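
Added example (not part of the standard or of this page's excerpt): a Python implementation of the 5.6.1 paradigm R (L (T, V), F (Ia, Va)) in both calculation styles, including the option of not calculating loss for very-low-likelihood incidents. The 1-5 grading scale, the geometric-mean forms of L and F, the risk matrix and the sample register are assumptions constructed for illustration, because Appendix A is not reproduced on this page.

```python
import math
from dataclasses import dataclass

# Assumption: every element is graded 1 (very low) to 5 (very high).
GRADES = range(1, 6)

# Constructed matrix for the matrix method: row = likelihood grade,
# column = loss grade, cell = risk level 1..5. Not the Appendix A matrix.
RISK_MATRIX = (
    (1, 1, 2, 2, 3),
    (1, 2, 2, 3, 4),
    (2, 2, 3, 4, 4),
    (2, 3, 4, 4, 5),
    (3, 4, 4, 5, 5),
)


@dataclass(frozen=True)
class Scenario:
    """One asset/threat/vulnerability combination from the identification steps."""
    name: str
    asset_value: int        # Ia
    threat_frequency: int   # T
    vuln_severity: int      # Va, also used as V in L(T, V) (assumption)

    def __post_init__(self):
        for label in ("asset_value", "threat_frequency", "vuln_severity"):
            if getattr(self, label) not in GRADES:
                raise ValueError(f"{self.name}: {label} must be an integer 1..5")


def likelihood(s):
    """L(T, V): likelihood that the threat exploits the vulnerability."""
    return math.sqrt(s.threat_frequency * s.vuln_severity)


def loss(s):
    """F(Ia, Va): loss to the organization if the incident happens."""
    return math.sqrt(s.asset_value * s.vuln_severity)


def to_grade(value):
    """Map a continuous 1..5 value onto the nearest integer grade."""
    return min(5, max(1, math.floor(value + 0.5)))


def risk_by_multiplication(s):
    """Multiplication method: R = L x F, a continuous value from 1 to 25."""
    return likelihood(s) * loss(s)


def risk_by_matrix(s, skip_very_low=True):
    """Matrix method: look up the risk level; None means loss was not calculated."""
    l_grade = to_grade(likelihood(s))
    if skip_very_low and l_grade == 1:
        return None  # 5.6.1 b): loss may be left uncalculated for such incidents
    return RISK_MATRIX[l_grade - 1][to_grade(loss(s)) - 1]


def rank(scenarios):
    """Order scenarios from highest to lowest multiplication-method risk."""
    return sorted(scenarios, key=risk_by_multiplication, reverse=True)


# Constructed sample register (Ia, T, Va), not taken from the standard.
REGISTER = [
    Scenario("file server / unauthorised access / weak ACLs", 4, 1, 3),
    Scenario("customer database / injection / unvalidated input", 5, 4, 4),
    Scenario("data centre / earthquake / non-seismic zone", 5, 1, 1),
]

if __name__ == "__main__":
    for s in rank(REGISTER):
        print(f"{s.name}: R={risk_by_multiplication(s):.2f}, "
              f"matrix level={risk_by_matrix(s)}")
```

The two methods produce values on different scales (1-25 versus 1-5), so results are comparable only within one method, and the acceptance threshold has to be set for the method chosen.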

5.6.2 Judgement of risk results

choice of security measures shall be considered in terms of management and technology. The selection and implementation of security measures shall be carried out in accordance with relevant standards for information security.

5.6.4 Assessment of residual risk

For the unacceptable risks, after selecting appropriate security measures, to ensure the effectiveness of the security measures, it may perform a reassessment, to judge whether the residual risk after the implementation of the security measures has been reduced to an acceptable grade. The assessment of residual risk can be carried out according to the risk assessment process as proposed in this standard, it can also be appropriately reduced. In general, the implementation of security measures is to reduce the vulnerability or to reduce the likelihood of a security incident. Therefore, the assessment of residual risk can start from the assessment of vulnerability. After comparing the vulnerability status before and after the implementation of the security measures, calculate the size of the risk value again.

For certain risks, the residual risks may, after taking appropriate security measures, still be in an unacceptable risk range, so it shall consider whether to accept this risk or further take corresponding security measures.

5.7 Documentation of risk assessment

5.7.1 Requirements for documentation of risk assessment

The relevant documentation for the risk assessment process shall meet the following requirements (but not limited to this):

a) Ensure that the document is approved before it is released;
b) Ensure that the changes to the documentation and the current revision status are identifiable;
c) Ensure that the distribution of the documentation is properly controlled, it can obtain the applicable documentation of relevant version;
d) Prevent unintended use of obsolete documents.
If the obsolete documents need to be kept for any purposes, these documents shall be properly identified.

For the relevant documents formed during the risk assessment process, it shall also specify its identification, storage, protection, retrieval, shelf life and control required for disposal.

Whether the relevant documents are required as well as the grade of detail are

security measures, clarify responsibilities, schedules, resources; assess the residual risks to determine the effectiveness of selected security measures;
j) Risk assessment record. According to the risk assessment procedure, it requires that various on-site records in the risk assessment process can reproduce the assessment process and serve as a basis for solving the problem after ambiguity is generated.

6 Risk assessment at each phase of the life cycle of information system

6.1 Overview of life cycle of information system

Risk assessment shall be carried out throughout the life cycle of the information system. The principles and methods of risk assessment involved in each phase of the life cycle of information system are consistent. However, due to the different content, objects, and security requirements of each phase, the objects, objectives, and requirements of the risk assessment are also different. Specifically, in the planning and design phase, the risk assessment is used to determine the security objectives of the system; in the construction acceptance phase, the risk assessment is used to determine whether the security objectives of the system are achieved or not; in the operation-maintenance phase, the risk assessment is continuously implemented to identify the ever-changing risks and vulnerabilities of the system, to determine the effectiveness of security measures and to ensure that security objectives are achieved. Therefore, the specific implementation of the risk assessment at each phase shall be carried out in a focused manner based on the characteristics of the phase.
When conditions permit, it shall use the risk assessment tools to conduct risk assessment activities. See Appendix B for a description of the risk assessment tools.

6.2 Risk assessment in the planning phase

The purpose of the risk assessment in the planning phase is to identify the business strategy of the system, to support system’s security requirements and security strategies. The assessment in the planning phase shall be able to describe the role of the information system after the completion on the existing business model, including technology, management, etc., determine the security objectives that the system shall achieve according to its role.

b) Whether the design plan analyze the threats faced by the system after construction, focusing on analyzing threats from the physical environment and nature, as well as threats caused by internal and external intrusions;
c) Whether the security requirements in the design plan meet the security objectives of the planning phase, develop an overall security policy for the information system based on the analysis of the threat;
d) Whether the design has taken certain measures to deal with possible system failures;
e) Whether the design plan assesses such aspects as the technical implementation of the design prototype and the vulnerability of personnel, organizational management, etc., including the management vulnerabilities in the design process and the inherent vulnerabilities of the technology platform;
f) Whether the design plan considers the risks that may arise as other systems are accessed;
g) Whether the system performance meets the user’s needs, considers the impact of the peak value, whether technically considers the methods to meet technical requirements of the system performance;
h) Whether the application system (including the database) is designed securely according to business requirements;
i) Whether the design plan selects the development method according to the scale, time and system characteristics of
the development, performs the analysis and type selection of the system-related software, hardware and network, according to the design development plan and the user’s needs;
j) The impact of security control measures and security technical safeguards used in design activities on risks. After the change of security requirements and the change of design, it shall also repeat this assessment.

The assessment in the design phase can be carried out in the form of a security construction plan review, to determine the compliance of the security functions provided by the plan with the technical standards on the information technology security. The results of the assessment shall be reflected in the analysis report of information system needs or the construction implementation plan.

6.4 Risk assessment in the implementation phase

The purpose of implementing the risk assessment in the implementation phase

consistent with the overall security strategy;
d) Judge the compliance of the risk control effect achieved by the system to the expected design. If there is a large nonconformance, it shall design and adjust the security strategy of the information system again.

For the risk assessment at this phase, it may use the method of reference to the implementation plan and the standard requirements, to test and analyze the actual construction results.

6.5 Risk assessment in the operation-maintenance phase

The purpose of the risk assessment in the operation-maintenance phase is to understand and control the security risks in the operation process, which is a relatively-comprehensive risk assessment. The assessment includes such aspects as the actually-operated information system, asset, threat, vulnerability.

a) Assessment of asset. A more detailed assessment in a real environment. It includes the software-hardware assets purchased in the implementation phase, the information assets generated in the operation process of the system, the related personnel and services.
The identification of asset at this phase is the supplement and addition to the identification of asset of the earlier phase;
b) Assessment of threat. It shall thoroughly analyze the likelihood and impact of threats. For the assessment of security incidents caused by unintentional threats, it may refer to the frequency of occurrence of security incidents; for the assessment of security incidents caused by intentional threats, it shall mainly make professional judgments on the various influencing elements of threats;
c) Assessment of vulnerability. A comprehensive vulnerability assessment. It includes the vulnerabilities of physical, network, system, application, security equipment, management in the operating environment. The assessment of technology vulnerability can be implemented by means of verification, scanning, case verification, penetration testing; the vulnerability assessment of security equipment shall consider the implementation of security functions and the vulnerability of the security equipment itself; the assessment of management vulnerability can be verified by means of documentation, record verification, etc.
d) Calculation of risk. According to the relevant methods of this standard, perform qualitative or quantitative analysis of the risks of important assets, to describe the risk grade of different assets.

Risk assessment during the operation-maintenance phase shall be performed

Maintenance technicians and managers of information systems shall be involved in the assessment of this phase.

7 Working form of risk assessment

7.1 Overview

The risk assessment of information security is divided into two types: self-assessment and inspection-assessment. The risk assessment of information security shall focus on self-assessment; self-assessment and inspection-assessment shall be combined and complement each other.

7.2 Self-assessment

Self-assessment refers to the risk assessment conducted by the organization owning, operating or using the information system against the information system of the organization itself. Self-assessment shall be carried out in conjunction with system-specific security requirements under the guidance of this standard. Regular self-assessments can be appropriately streamlined in the assessment process, focusing on new threats introduced since the last assessment of the system, as well as the complete identification of system vulnerabilities, to facilitate comparison of the results of the two assessments. However, in the event that a major change listed in 6.5 occurs, it shall perform a complete assessment in accordance with this standard.

The self-assessment may be implemented by the sponsor or commissioned to the technical support party of the risk assessment service. The assessments carried out by the sponsors can reduce the cost of implementation and improve the security awareness of the relevant personnel of the information system, but the results may not be thorough and accurate due to the lack of professional skills in risk assessment; at the same time, due to the impacts of various elements within the organization, the objectivity of the assessment results is susceptible. For the assessment as implemented by the technical support party of the risk assessment service, the process is more standardized, the assessment results are more objective, the degree of credibility is higher; but due to the limitations of industry knowledge and skills and business understanding, the understanding of the assessed system, especially for the special requirements for business, has certain limitations. However, since the introduction of a third party is itself a risk element, it shall control such aspects as its background and qualifications, the confidentiality requirements of the assessment process and results.
In addition, in order to ensure the implementation of the risk assessment, the

Appendix A (Informative) Calculation method of risk

To calculate the risk, it is necessary to determine the risk elements, the combination of the elements, the specific calculation method. Use the specific calculation method to calculate the risk elements according to the combination method, to obtain the risk value.

At present, the risk elements involved in the risk value calculation in the general risk assessment are generally assets, threats, vulnerabilities (the relationship is as shown in Figure 1). The combination method of these elements is indicated in the principle of risk calculation of 5.6.1. From the threats and vulnerabilit...... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.