HOME   Cart(0)   Quotation   About-Us Tax PDFs Standard-List Powered by Google www.ChineseStandard.net Database: 189759 (8 Dec 2024)

GB/T 20984-2022 PDF in English


GB/T 20984-2022 (GB/T20984-2022, GBT 20984-2022, GBT20984-2022)
Standard IDContents [version]USDSTEP2[PDF] delivered inName of Chinese StandardStatus
GB/T 20984-2022English470 Add to Cart 0-9 seconds. Auto-delivery. Information security technology -- Risk assessment method for information security Valid
GB/T 20984-2007English225 Add to Cart 0-9 seconds. Auto-delivery. Information security technology -- Risk assessment specification for information security Obsolete
Standards related to (historical): GB/T 20984-2022
PDF Preview

GB/T 20984-2022: PDF in English (GBT 20984-2022)

GB/T 20984-2022 NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA ICS 35.030 CCS L 80 Replacing GB/T 20984-2007 Information security technology - Risk assessment method for information security ISSUED ON: APRIL 15, 2022 IMPLEMENTED ON: NOVEMBER 01, 2022 Issued by: State Administration for Market Regulation; Standardization Administration of the PRC. Table of Contents Foreword ... 3  1 Scope ... 5  2 Normative references ... 5  3 Terms and definitions, abbreviations ... 5  3.1 Terms and definitions ... 5  3.2 Abbreviations ... 7  4 Risk assessment framework and process ... 8  4.1 Relationship between risk factors ... 8  4.2 Principles of risk analysis ... 9  4.3 Risk assessment process ... 9  5 Implementation of risk assessment ... 11  5.1 Preparation of risk assessment ... 11  5.2 Risk identification ... 12  5.3 Risk analysis ... 22  5.4 Risk evaluation ... 22  5.5 Communication and negotiation ... 24  5.6 Risk assessment documentation ... 24  Appendix A (Informative) Risk assessment at each stage of assessment object lifecycle ... 27  Appendix B (Informative) Work forms of risk assessment ... 33  Appendix C (Informative) Tools for risk assessment ... 35  Appendix D (Informative) Asset identification ... 40  Appendix E (Informative) Threat identification ... 43  Appendix F (Informative) Examples of risk calculation ... 47  Bibliography ... 49  Information security technology - Risk assessment method for information security 1 Scope This document describes the basic concepts of information security risk assessment, relationship between risk factors, principles of risk analysis, implementation process and assessment method of risk assessment, as well as the implementation points and work forms of risk assessment at different stages of information system lifecycle. This document applies to all types of organizations conducting information security risk assessments. 2 Normative references The contents of the following documents, through normative references in this text, constitute indispensable provisions of this document. Among them, for dated references, only the edition corresponding to that date applies to this document. For undated references, the latest edition (including all amendments) applies to this document. GB/T 25069 Information security techniques - Terminology GB/T 33132-2016 Information security technology - Guide of implementation for information security risk treatment 3 Terms and definitions, abbreviations 3.1 Terms and definitions The terms and definitions defined in GB/T 25069 and the following ones apply to this document. 3.1.1 Information security risk The potential for a particular threat to exploit the vulnerability of a single or group of assets and the damage that this may cause to an organization. Note: It is measured by a combination of the likelihood of a state of affairs and its consequences. [Source: GB/T 31722-2015, 3.2] 3.1.2 Risk assessment The entire process of risk identification, risk analysis, and risk evaluation. [Source: GB/T 29246-2017, 2.71] Note: This document refers specifically to information security risk assessment. 3.1.3 Organization An individual or group that has its own responsibilities, authority, and relationships to achieve its goals. Note: The concept of organization includes, but is not limited to, a sole proprietor, company, legal person, firm, enterprise, agency, partnership, charity or institution, or parts or combinations thereof, whether incorporated or not, public or private. [Source: GB/T 29246-2017, 2.57, modified] 3.1.4 Business Operational activities carried out by the organization to achieve a development plan. Note: The activity has clear goals and runs over a period of time. 3.1.5 Security requirement Requirements for security control to ensure the proper functioning of an organization's business plan. 3.1.6 Security control Various practices, procedures, and mechanisms which are implemented to protect assets, defend against threats, reduce vulnerability, reduce the impact of security incidents, and combat information crime. 3.1.7 4.2 Principles of risk analysis The principles of risk analysis are as follows: a) According to the source, type, motivation, etc. of threats, combined with historical data statistics such as threat-related security incidents and logs, determine the capability and frequency of threats; b) According to the vulnerability access path and trigger requirements, etc., as well as the implemented security control and its effectiveness, determine the degree of difficulty of the vulnerability being exploited; c) Determine the degree of impact on assets after a security incident occurs when a vulnerability is exploited by a threat; d) According to the capability and frequency of threat, combined with the degree of difficulty of the vulnerability being exploited, determine the likelihood of a security incident; e) According to the position of the asset in the development plan and the property of the asset, determine the asset value; f) According to the impact degree and asset value, determine the loss caused to the assessment object after the security incident occurs; g) According to the possibility of a security incident and the loss caused by the security incident, determine the risk value of the assessment object; h) According to the risk evaluation criteria, the risk level is determined and used for risk decision. 4.3 Risk assessment process The implementation process of risk assessment is shown in Figure 2. The risk assessment process shall include the following. a) Assessment preparation. This stage shall include: 1) Determine the objective of risk assessment; 2) Determine the object, scope and boundaries of risk assessment; 3) Form an assessment team; 4) Carry out preliminary research; 5) Determine the basis for assessment; security objectives of the assessment object change, risk assessment shall be carried out again. The results of risk assessment can provide decision support for risk treatment. Risk treatment refers to a series of activities to deal with risks, such as accepting risks, avoiding risks, transferring risks, and reducing risks, etc. Risk treatment is carried out in accordance with GB/T 33132-2016. 5 Implementation of risk assessment 5.1 Preparation of risk assessment Organization’s implementation of risk assessment is a strategic consideration. Its results will be affected by organizational planning, business, business process, security requirement, system scale and structure, etc. Therefore, before the implementation of risk assessment, the following work shall be prepared. a) On the basis of considering the work form of risk assessment, the stage in the lifecycle, and the security assessment requirement of the assessed organization, determine the risk assessment objective. Appendix A gives the risk assessment content of each stage of assessment object lifecycle. Appendix B gives the description of the work form of risk assessment. b) Determine the object, scope and boundaries of risk assessment. c) Form an assessment team and define assessment tools. Appendix C gives tools for risk assessment. d) Conduct preliminary research. e) Determine the basis for assessment. f) Establish risk evaluation criteria: Based on the consideration of national laws and regulations, industry background and characteristics, the organization shall establish risk evaluation criteria, to achieve risk control and management. The risk evaluation criteria shall meet the following requirements: 1) Comply with the organization's security policy or security requirement; 2) Meet stakeholder expectations; 3) Align with the organization's business values. The purpose of establishing risk evaluation criteria includes but is not limited to: Before classifying a threat, it shall identify the source of the threat. Threat sources include three categories: Environment, accident, and man-made. Appendix E gives reference methods for threat identification. Table E.1 presents a classification of threat sources. According to the different threat sources, threats can be divided into types of threats such as information damage and unauthorized behavior. Table E.2 provides a reference for the division of threat types. Threat subjects are divided according to man-made and environmental. Man-made is divided into countries, organizations, and individuals. Environmental is divided into general natural disasters, more serious natural disasters, and serious natural disasters. Threat motivation refers to the internal motivation and reasons that guide and stimulate man-made threats to carry out certain activities and have an impact on the business and assets of the organization. Threat motivation can be divided into malicious and non- malicious. Malicious includes attack, destruction, stealing, etc. Non-malicious includes misoperation, curiosity, etc. Table E.3 gives a reference to a threat motivation classification. Threat timing can be divided into ordinary period, special period, and natural law. Threat frequency shall be judged based on experience and relevant statistical data. Considering the following four aspects, form the frequency of various threats in a specific assessment environment: a) Threats that have appeared in past security incident reports and their frequency statistics; b) Threats discovered through detection tools and various logs in the actual environment and their frequency statistics; c) Threats detected by monitoring in the actual environment and their frequency statistics; d) Recently publicly released social or industry-specific threats and their frequency statistics, as well as issued threat warnings. 5.2.2.2 Threat assignment Threat assignment shall be comprehensively calculated based on the threat behavior, according to the behavioral capability and frequency of the threat, and combined with the timing of the threat. And it shall set the corresponding rating method for grading. The higher the level, the greater the possibility of the threat exploiting the vulnerability. Table 7 gives a description of the division of threat assignment levels. Relevant documents documenting the risk assessment process shall meet the following requirements (including but not limited to): a) Ensure that documents are approved before publication; b) Ensure that changes to documents and the current revision status are identifiable (there are edition control measures); c) Ensure that the distribution of the documents is properly controlled AND that applicable documents for the relevant edition are available at the time of use; d) Prevent unintended use of obsolete documents. If obsolete documents need to be retained for any purpose, these documents shall be appropriately identified. For relevant documents formed during the risk assessment process, it shall specify the controls required for their identification, storage, protection, retrieval, shelf life, and disposal. The need for relevant documents and the level of detail are at the discretion of the management of the organization. 5.6.2 Risk assessment documents Risk assessment documents refer to the process documents and result documents generated during the risk assessment process, including (but not limited to): a) Risk assessment plan: Describe the risk assessment objectives, scope, personnel, assessment methods, form of assessment results, and implementation progress, etc.; b) Asset identification list: Identify assets according to the asset classification method determined by the organization; form an asset identification list (including business assets, system assets, system components, and unit assets); clarify the person responsible for the asset and the responsible department; c) List of important assets: According to the results of asset identification and assignment, form a list of important assets; including the name, description, type, importance, responsible person, responsible department, etc. of the important assets; d) Threat list: According to the results of threat identification and assignment, form a threat list; including threat source, type, threat behavior, capability, and frequency, etc.; e) List of existing security control: Identify the security control that has been taken; form a list of existing security control; including the name, type, function description, and implementation effect, etc. of the existing security control; f) Vulnerability list: According to the results of vulnerability identification and Appendix A (Informative) Risk assessment at each stage of assessment object lifecycle A.1 Overview Risk assessment shall run through all stages of the assessment object lifecycle. The risk assessment principles and methods involved in each stage of the assessment object lifecycle are consistent. But due to the different implementation contents, objects, and security requirements in each stage, the risk assessment objects, purposes, requirements and other aspects are also different. In the planning and design stage, use risk assessment to determine the security objectives of the assessment object. In the construction acceptance stage, use risk assessment to determine whether the security objectives of the assessment object have been achieved or not. In the operation and maintenance stage, risk assessment shall be carried out continuously, to identify the ever-changing risks and vulnerabilities faced by the assessment object; so as to determine the effectiveness of security control and ensure the realization of security objectives. Therefore, the specific implementation of risk assessment in each stage shall be carried out with emphasis according to the characteristics of the stage. A.2 Risk assessment at the planning stage The purpose of risk assessment in the planning stage is to identify the business plan of the assessment object, to support the security requirement and security planning of the assessment object. The assessment in the planning stage shall be able to describe the effect of the assessment object on the existing business model after completion, including technology, management and other aspects; and according to its effect, DETERMINE the security objectives that the assessment object construction shall achieve. In this stage of assessment, assets and vulnerabilities do not need to be identified. Threats shall be analyzed based on the aspects such as future application objects, application environments, business conditions, and operational requirements. The assessment focuses on the following areas: a) Whether a security plan consistent with the business plan has been established in accordance with the relevant rules and approved by the top management; b) Whether a security policy that is compatible with the business has been established and approved by the top security manager; c) Whether the organization of assessment object development, business change management, and development priorities are clearly defined in the system planning; d) Whether the threat and environment of the assessment object are considered in the system planning; and whether the overall security policy is formulated; e) Whether the information expected to be used by the assessment object is described in the system planning, including the expected information system, the importance of asset, the potential value, the possible use restriction, the degree of support for the business, etc.; f) Whether all operating environments related to the security of the assessment object are described in the system planning, including the physical and personnel security configuration; and whether the relevant regulations, organizational security policies, expertise and knowledge are clearly defined. The assessment results in the planning stage shall be reflected in the overall planning or project proposal of the assessment object. A.3 Risk assessment at the design stage The risk assessment at the design stage needs to put forward the security function requirements according to the operating environment, business importance, and asset importance specified in the planning stage. The results of the risk assessment in the design stage shall judge the compliance of the security functions provided in the design plan, as the basis for implementing process risk control. In this stage of assessment, the description of the threats faced in the design plan shall be assessed in detail. The assets such as specific equipment and software used by the assessment object and their security functions shall be formed into a requirement list. The assessment of the design plan focuses on the following aspects: a) Whether the design plan conforms to the construction plan of the assessment object and has been approved by the top management; b) Whether the design plan has analyzed the threats faced by the assessment object after construction, focusing on the threats from the physical environment and nature, as well as threats caused by internal and external intrusions, etc.; c) Whether the security requirements in the design plan meet the security objectives in the planning stage; and based on the analysis of threats, formulate the overall security policy of the assessment object; d) Whether the design plan has taken certain measures to deal with possible failures; e) Whether the design plan assesses the vulnerability of the technical implementation a) Laws, policies, applicable standards and guidelines: Specific laws that directly or indirectly affect the security requirement of assessment object; government policies, international or national standards that affect the security requirement and product selection of assessment object; b) Functional needs of assessment object: Whether the security requirement effectively supports the functionality of the system; c) Cost-effectiveness risk: Based on the analysis results of the assets, threats and vulnerabilities of the assessment object, whether to select the most appropriate security control under the premise of complying with relevant laws, policies, standards and functional needs; d) Assessment assurance level: Whether it is clear what tests and inspections shall be carried out after the system is constructed, so as to determine whether it meets the requirements of project construction and implementation specifications. A.5 Risk assessment at the delivery stage The assessment points of the system delivery implementation process include: a) According to the actual system being constructed, analyze the assets, threats and vulnerabilities in detail; b) According to the system construction goals and security requirements, carry out the acceptance test of the security function of the system; evaluate whether the security control can resist security threats; c) Assess whether an organizational management system that is consistent with the overall security policy has been established; d) Judge the compliance of the risk control effect realized by the system with the expected design. If there is a big inconsistency, the design and adjustment of the security policy of assessment object shall be redone. Risk assessment at this stage can be used to test and analyze the actual construction results by comparing the implementation plan and standard requirements. A.6 Risk assessment at the operation stage The purpose of risk assessment in the operation and maintenance stage is to understand and control the security risks in the operation process, which is a relatively comprehensive risk assessment. The assessment includes all aspects of the real operating assets, threats, vulnerabilities, etc. a) Asset assessment: It includes assessment of business, system assets, system components, and unit assets. Business assessment includes business positioning, business relevance, integrity, and business process analysis. System asset assessment includes system classification and business bearing continuity assessment. System components and unit assets are more detailed assessments in the real environment; including hardware and software assets purchased during the implementation stage; information assets generated during system operation, related personnel and services, etc. Asset identification at this stage is a supplement and addition to previous asset identification. b) Threat assessment: The likelihood and severity of threats shall be thoroughly analyzed. The assessment of threats leading to security incidents can refer to threat source motivations, capabilities, and frequency of security incidents. c) Vulnerability assessment: It is a comprehensive vulnerability assessment. It includes the vulnerability of physical, network, system, application, security guarantee equipment, management and other aspects in the operating environment. Technology vulnerability assessment can be implemented by means of verification, scanning, case verification, and penetration testing. The vulnerability assessment of security guarantee equipment shall include the realization of security functions and the vulnerability of the security guarantee equipment itself. The management vulnerability assessment can be verified by means of documentation, record verification, etc. d) Risk calculation: According to the relevant methods of this document, qualitative or quantitative risk analysis is carried out, to describe the risk level of different business and system assets. Risk assessment in the operation and maintenance stage shall be carried out regularly. When the organization's business processes and system conditions undergo major changes, risk assessment shall also be conducted. Major changes include the following (but not limited to): a) Add new applications or there are major changes in applications; b) There are major changes in network structure and connection status; c) Large-scale update of technology platform; d) System capacity expansion or transformation; e) After a major security incident occurs; or based on certain operating records, it is suspected that a major security incident will occur; f) A major change in the organizational structure has an impact on the system. A.7 Risk assessment at the abandonment stage ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.