
GB/T 31509-2015 PDF English



PDF Preview: GB/T 31509-2015



GB/T 31509-2015

NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA

ICS 35.040
L 80

Information security technology - Guide of implementation for information security risk assessment

ISSUED ON: MAY 15, 2015
IMPLEMENTED ON: JANUARY 01, 2016

Issued by: General Administration of Quality Supervision, Inspection and Quarantine of PRC; Standardization Administration of PRC.

Table of Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions, abbreviations
3.1 Terms and definitions
3.2 Abbreviations
4 Overview of implementation of risk assessment
4.1 Basic principles of implementation
4.2 Basic process of implementation
4.3 Working form of risk assessment
4.4 Risk assessment in the information system lifecycle
5 Staged work of implementation of risk assessment
5.1 Preparation stage
5.2 Identification stage
5.3 Risk analysis stage
5.4 Recommendations on risk treatment
Appendix A (Informative) Questionnaire
Appendix B (Informative) Checklist of security technology vulnerabilities
Appendix C (Informative) Checklist of security management vulnerability
Appendix D (Informative) Case of risk analysis

Information security technology - Guide of implementation for information security risk assessment

1 Scope

This standard specifies the process and method for the implementation of information security risk assessment.

This standard applies to the management of information security risk assessment projects for non-confidential information systems by security assessment agencies or assessed organizations, and guides the organization, implementation and acceptance of risk assessment projects.

2 Normative references

The following documents are essential to the application of this document.
For dated references, only the edition cited applies to this document; for undated references, the latest edition (including all amendments) applies.

GB/T 20984-2007 Information security technology - Risk assessment specification for information security
GB/Z 24364-2009 Information security technology - Guidelines for information security risk management

3 Terms, definitions, abbreviations

The terms and definitions defined in GB/T 20984-2007 and GB/Z 24364-2009, as well as the following terms and definitions, apply to this document.

3.1 Terms and definitions

3.1.1 Implementation
The process of putting a series of activities into practice.

3.1.2
In the project implementation activities, the implementation activities that can play a decisive role in influencing the overall progress of the project.

3.1.10 Analysis model
A simulation analysis method, formed according to a certain analysis principle, for the analysis of assessment elements.

3.1.11 Evaluation model
The formation of several assessment indicators according to a certain assessment system, to perform a relatively complete assessment of the corresponding activities.

3.1.12 Risk treatment
A series of activities that deal with risks, such as accepting, avoiding, transferring or reducing risks.

3.1.13 Acceptance
A method used in risk assessment activities to conclude project implementation. It is mainly organized by the assessed party, which conducts an item-by-item inspection of the assessment activities to determine whether the assessment objectives have been met.

3.2 Abbreviations

The following abbreviations apply to this document.

AC: Access Complexity
AV: Access Vector
BOF: Buffer Overflow
CDP: Collateral Damage Potential
CVE: Common Vulnerabilities & Exposures

......

...... agreement, to ensure the security of the project information.
The work process data and the result data shall be strictly managed and shall not be disclosed to any unit or individual without authorization.

c) Process controllability: A project implementation team shall be established in accordance with the project management requirements and a project leader responsibility system adopted, so that the project process is controllable.

d) Tool controllability: The user shall be informed in advance of the assessment tools the security assessor will use, including the product itself, the test strategy, etc., and the user's permission shall be obtained before the project is implemented.

4.1.4 Minimum impact principle

Risk assessment of an online business system shall follow the minimum impact principle, that is, give priority to guaranteeing the stable operation of the business system. Where the work content requires testing of an aggressive (intrusive) nature, it is necessary to communicate with the user and perform an emergency backup beforehand, and to carry out the testing outside the peak hours of business.

4.2 Basic process of implementation

GB/T 20984-2007 specifies the implementation process of risk assessment. According to the work contents in the process, the implementation of risk assessment is generally divided into 4 stages: assessment preparation, risk element identification, risk analysis, risk treatment.
Among them, the assessment preparation stage is the guarantee of the effectiveness of the assessment and the beginning of the assessment; the risk element identification stage mainly identifies and assigns values to the key elements of the assessment activities, namely assets, threats, vulnerabilities and security measures; the risk analysis stage mainly carries out correlated analysis of the information obtained in the identification stage and calculates the risk value; the risk treatment recommendation work proposes treatment recommendations for the assessed risks and treats the residual risk that remains after security reinforcement has been performed according to those recommendations.

4.3 Working form of risk assessment

GB/T 20984-2007 clarifies that the basic working form of risk assessment is ......

...... information system adapts to changes in itself and the environment.

5 Staged work of implementation of risk assessment

5.1 Preparation stage

5.1.1 Work contents of preparation stage

5.1.1.1 Overview

Risk assessment preparation is a guarantee of the effectiveness of the entire risk assessment process. Since the risk assessment is affected by such aspects as the organization's business strategy, business processes, security needs, and system scale and structure, preparation shall be made before the risk assessment is implemented.

The information security risk assessment involves important information within the organization. The assessed organization shall carefully examine the qualifications of the assessment agency and the assessors, and shall follow the relevant national or industry management requirements.

5.1.1.2 Determine assessment target

The risk assessment shall be carried out in all stages of the information system lifecycle.
Since the content, object and security needs of the risk assessment differ in each stage of the information system lifecycle, the assessed organization shall first determine the stage in the information system lifecycle according to the actual conditions of the current information system, and thereby define the risk assessment target. In general, the assessment target identified by the organization for each stage shall meet the following principles:

a) The target of the risk assessment in the planning stage is to identify the business strategy of the system, to support system security requirements and security strategies. The assessment in the planning stage shall be able to describe the role of the completed information system in the existing business model, including technology, management, etc., and determine the security objectives that the system shall achieve according to that role.

b) The target of the risk assessment in the design stage is to propose security function needs based on the system operating environment and asset importance as defined in the planning stage. The risk assessment results in the design stage shall judge the compliance of the security functions provided in the design scheme, as the basis for risk control of the procurement process.

c) The target of the risk assessment in the implementation stage is to identify the risks in the development and implementation process of the system according to the system's security needs and operating environment, and to verify the security functions after the system is built. According to the threats analyzed in the design stage and the established security measures, quality control is carried out in the course of implementation and acceptance.

d) The target of risk assessment in the operation-maintenance stage is to understand and control the security risks during operation.
The assessment includes the information system assets, the threats faced, the vulnerabilities, the existing security measures, etc.

e) The target of risk assessment in the obsolescence stage is to ensure that the obsoleted assets and residual information are properly disposed of, and that the impact of the obsoleted assets on the organization is analyzed, to determine whether it will increase or introduce new risk.

5.1.1.3 Determine the assessment scope

After determining the stage of the risk assessment and the corresponding targets, the scope of the risk assessment shall be further defined. It may be all the information, assets and management organizations related to information processing, or an independent information system, key business processes, etc. In determining the scope of assessment, the assessment object and the boundary of the assessment scope shall be rationally defined, combining the established assessment targets with the actual information system building conditions of the organization. The following may be referred to as the basis for dividing the boundary of the scope:

a) The business logic boundary of the business system;
b) The network and equipment carrier boundaries;
c) The physical environmental boundaries;
d) The organizational management authority boundaries;
e) Others.

5.1.1.4 Establish an assessment team

5.1.1.4.1 Overview

For the risk assessment implementation team, the assessed organization and the assessment agency shall jointly form a risk assessment team. The leader of the assessed organization, the relevant department heads and the relevant personnel of the assessment agency shall establish a risk assessment leading ......

a) Help the assessed organization and implementer to plan the overall work concept and direction of the risk assessment project;
b) Make decisions on key and difficult issues that arise;
c) Determine the risk assessment conclusions.
5.1.1.5 Kick-off meeting of assessment work

In order to ensure the smooth development of the risk assessment work, establish work targets, unify ideas and coordinate the resources of all parties, a kick-off meeting for the risk assessment work shall be held. The kick-off meeting is generally organized by the head of the risk assessment leading team. The participants shall include all members of the assessment team, the main responsible persons of the relevant business departments and, if necessary, relevant members of the expert team.

The main contents of the kick-off meeting include: the leader of the assessed organization declares the significance, purpose and target of the assessment work and the division of responsibilities within it; the project team leader of the assessed organization explains the plan of the assessment work, the tasks at each stage and the specific matters that need to be coordinated; the project team leader of the assessment agency introduces the general methods and work contents of the assessment work.

Through the kick-off meeting, training on the assessment methods and techniques may be provided to the personnel of the assessed organization who participate in the assessment, as well as other relevant personnel, so that all personnel understand the importance of the assessment work and the work content that requires their cooperation at each work stage.

5.1.1.6 System investigation

System investigation is the process of understanding and familiarizing with the object being assessed. The risk assessment team shall conduct sufficient system investigation, to determine the basis and method of the risk assessment.
The investigation content shall include:

a) System security protection level;
b) Major business functions and requirements;
c) Network structure and network environment, including internal connections and external connections;
d) System boundaries, including business logic boundaries, network and device carrier boundaries, physical environment boundaries, organizational management authority boundaries, etc.;

......

a) The system vulnerability assessment tool shall have a comprehensive capability for system vulnerability verification and detection;
b) The inspection rule base of the assessment tool shall have an update function, so that it can be updated in a timely manner;
c) The detection strategy and detection method used by the assessment tool shall not cause an abnormal impact on the information system;
d) The same test object may be detected by several assessment tools. If the detection results are inconsistent, the necessary manual detection and correlation analysis shall be carried out further, to give the result judgment that is most consistent with the actual situation.

The selection and use of assessment tools must comply with the relevant national regulations.

5.1.1.9 Develop an assessment scheme

The risk assessment scheme is the general plan for the assessment implementation activities. It is used to manage the implementation of the assessment work, to make the work of each stage of the assessment controllable, and serves as one of the main bases for the acceptance of the assessment project. The risk assessment scheme shall be confirmed and approved by the assessed organization.
The content of the risk assessment scheme shall include:

a) Risk assessment work framework: including assessment targets, scope of assessment, basis for assessment, etc.;
b) Assessment team organization: including assessment team members, organizational structure, roles, responsibilities; if necessary, it shall include an introduction to the establishment of the risk assessment leading team and expert team;
c) Assessment work plan: including the work content, work form, work results, etc. of each stage;
d) Risk avoidance: including confidentiality agreements, environment requirements for the assessment work, assessment methods, tool selection, emergency plans, etc.;
e) Time schedule: the time schedule for the implementation of the assessment work;
f) Project acceptance method: including acceptance method, acceptance basis, definition of acceptance conclusion, etc.

......

The assessment agency shall verify the test tools. The verification covers: whether the necessary system patches are installed on the test tool, whether there is residual information unrelated to this assessment work, and the update and operating status of the virus and Trojan protection, the vulnerability library and the detection rule base. The verification personnel shall fill in the test tool verification record.

The assessor shall fully communicate the test method with the relevant personnel of the assessed organization in advance. During the test, the assessor shall perform the test operations with the cooperation of the relevant personnel of the assessed organization.

5.2 Identification stage

5.2.1 Overview

The identification stage is an important work stage of risk assessment. It identifies such elements as the assets, threats and vulnerabilities in the organization and information system, and is the prerequisite for the security risk analysis of the information system.

5.2.2 Asset identification

5.2.2.1 Overview

An asset is information or a resource that is valuable to the organization and is the object of security policy protection.
In the risk assessment work, the important factors of risk are asset-centric; threats, vulnerabilities and risks exist objectively in relation to assets. Threats exploit the vulnerabilities of assets to make security incidents possible, thus creating security risks. Once these security incidents occur, they will have a certain impact on specific assets and even the entire information system, thus affecting the interests of the organization. Therefore, assets are an important part of risk assessment. Assets of different values have different degrees of impact on the organization when they are damaged to the same extent. The value of an asset is a measure of its importance or sensitivity. Identifying assets and assessing asset value is an important part of risk assessment.

5.2.2.2 Asset classification

In an organization, assets exist in a variety of forms, and different types of assets may have different asset values, threats faced, vulnerabilities and security measures taken. Classifying assets can help improve the efficiency of asset identification and facilitate the overall risk assessment. In the implementation of risk assessment, the asset classification method in GB/T 20984-2007 may be used, to divide the assets into 6 categories: hardware, ......

...... scheme, implementation scheme, installation manual, user manual, test report, operation report, security policy document, security management system document, operation process document, system implementation records, asset lists, network topology maps, etc., to identify the assets of the organization and information systems.
If there is a contradiction between the documented information, or there is an unclear place, or the documented information differs from the actual situation, the asset identification shall be verified with the relevant personnel of the assessed organization on key assets and key issues. Personnel who undertake different roles in the organization and in information system management shall be selected for interview, including leaders in charge, business personnel, developers, implementers, operation-maintenance personnel and supervisors. Under normal circumstances, after reading the documents and conducting on-site interviews, the organization and information system assets can basically be identified. For key assets, an on-site fact-finding inspection shall be carried out.

5.2.2.4 Asset assignment

On the basis of the asset investigation, the level of the security attributes of the assets, such as confidentiality, integrity and availability, shall be analyzed. The security attribute levels comprise 5 levels: very high, high, medium, low, very low. The higher the level of a certain security attribute, the more important that security attribute of the asset is. The meaning of the 5 assignment levels of confidentiality, integrity and availability can be found in GB/T 20984-2007.

The quantification of the security attributes of assets such as confidentiality, integrity and availability is subjective. The following factors may be referred to, and methods such as weighting used, to comprehensively derive the assignment level of the security attributes of the assets:

a) The importance of the information systems carried by the assets;
b) The security level of the information system carried by the asset;
c) The importance of the assets to the safe and normal operation of the information carried;
d) The importance of the security attributes of the asset, such as confidentiality, integrity, availability, to the information system and to the related business.
The value of the asset shall be determined by a comprehensive assessment based on the assignment levels of the confidentiality, integrity and availability of the asset. The asset values comprise 5 levels: very high, high, medium, low, very low. The meaning of each level may be found in GB/T 20984-2007.

......

...... into 11 types: hardware and software failures, physical environment impact, inaction or operational errors, insufficient management, malicious code, unauthorization or abuse, network attacks, physical attacks, leaks, tampering, repudiation.

Depending on the cause, manifestation and consequences of the threat, threats can also be divided into:

a) Unwanted program. An unwanted program is a program inserted into an information system that compromises the confidentiality, integrity or availability of data, applications or operating systems in the system, or affects the proper functioning of the information system. Unwanted programs include computer viruses, worms, Trojan horses, botnets, hybrid attackers, malicious code embedded in web pages and other unwanted programs;

b) Cyber-attack. A cyber-attack is an attack on an information system by means of a network or other means, exploiting configuration flaws, protocol defects or program flaws, or using brute-force attacks, causing an abnormality in the information system or potential harm to its current operation. Network attacks include denial of service attacks, backdoor attacks, exploits, network scanning and eavesdropping, phishing, interference and other network attacks;

c) Information destruction. Information destruction refers to the tampering, counterfeiting, disclosure or theft of information in the information system through the network or other technical means. Information destruction includes information tampering, information spoofing, information disclosure, information theft, information loss and other information destruction;

d) Information content attacks.
Information content attack refers to the use of information networks to publish and disseminate information that endangers national security, social stability, public interest, or corporate and personal interests;

e) Equipment facility failure. Equipment facility failure refers to an information system abnormality, or potential harm to the current operation of the information system, due to the failure of the information system itself or of the peripheral support facilities. Equipment facility failures include hardware and software failures, peripheral support facility failures, vandalism and other equipment failures;

f) Disastrous damage. Disastrous damage refers to physical damage to the information system caused by force majeure. Disastrous damage includes floods, typhoons, earthquakes, lightning strikes, collapses, fires, terrorist attacks, wars, etc.;

......

...... funds, manpower, technical resources for the attack.

a) The knowledge and skills of malicious employees are generally very limited, so their attack ability is weak. However, malicious employees may have a large amount of information about the system, hold certain permissions and have more attack opportunities than external attackers, so their success rate is high. They constitute a serious security threat;

b) Independent hackers are individual attackers with limited resources, mainly using external attacks and usually launching scattered, purposeless attacks. Their attack ability is limited;

c) Domestic and foreign competitors, criminal gangs and terrorist organizations are organized attackers with certain resource guarantees, strong cooperation and computing skills, and strong attack objectives. They can make long-term and intensive attack preparations and use attack methods that combine external attacks, internal attacks, proximity attacks and even simple distribution attacks. They have strong attack ability.

Attacks from state actors are the most powerful attacks.
National attacks are not only well-organized, with sufficient financial, human and technical resources, but may also, when necessary, perform highly concealed and highly destructive distribution attacks, stealing the organization's core secrets or making its network and information systems completely flawed. Table 3 analyzes the types, motivations and characteristics of typical attackers.

Table 3 -- Typical types, motivations, capabilities of attackers

Type: Malicious employee
Description: Mainly refers to internal employees who are dissatisfied with the organization or have some malicious purpose.
Main motivations: Deliberately destroy the system due to dissatisfaction with the organization, or steal information or destroy the system for some purpose.
Capabilities: Master the internal situation, understand the system structure and configuration; have a legal system account, or master available account information; can attack the weakest link of the system from inside.

Type: Independent hacker
Description: Mainly refers to individual hackers.
Main motivations: Try to find and exploit the vulnerabilities of information systems out of curiosity, to test technical capabilities, or for malicious destruction; motivation is complex, purpose is not strong.
Capabilities: Occupy a small amount of resources, generally reconnoiter and attack networks and systems from outside the system; the level of attackers varies greatly.

Type: Organized attacker - Domestic and foreign competitors
Description: Mainly refers to domestic and foreign industrial and commercial institutions with competitive relations.
Main motivations: Obtain business intelligence; undermine competitors' business and reputation, with strong purpose.
Capabilities: Have certain financial, human and technical resources. Mainly collect intelligence through a variety of channels, including the use of internal employees of competitors ......

...... modifying data; inserting data; denial of service attacks, etc.

b) Passive attacks do not result in tampering with system information, and the system operations and status do not change.
Passive attacks are generally not easy to detect. Common passive attacks include reconnaissance, sniffing, monitoring, traffic analysis, password interception, etc.

c) Proximity attacks are attacks in which the attacker gets geographically as close as possible to the attacked network, system or device, in order to modify, collect or compromise the system. This approach can be open or covert, or both. Common proximity attacks include: stealing a disk and returning it; peeking at screen information; collecting discarded printed paper; eavesdropping on the room; destroying the communication line.

d) A distribution attack is one in which an attacker maliciously modifies the design, configuration, etc. during the development, production, transportation or installation stages of software and hardware. Common distribution attacks include: using the manufacturer to set hidden functions on the device; modifying the software and hardware configurations during product distribution and installation; modifying software and hardware configur...... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.