Powered by Google www.ChineseStandard.net Database: 189759 (16 Jun 2024)

GB/T 31509-2015 PDF in English


GB/T 31509-2015 (GB/T31509-2015, GBT 31509-2015, GBT31509-2015)
Standard IDContents [version]USDSTEP2[PDF] delivered inName of Chinese StandardStatus
GB/T 31509-2015English460 Add to Cart 0-9 seconds. Auto-delivery. Information security technology -- Guide of implementation for information security risk assessment Valid

PDF Preview

Standards related to: GB/T 31509-2015

GB/T 31509-2015: PDF in English (GBT 31509-2015)

GB/T 31509-2015
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Guide of
implementation for information security risk assessment
ISSUED ON: MAY 15, 2015
IMPLEMENTED ON: JANUARY 01, 2016
Issued by: General Administration of Quality Supervision, Inspection and
Quarantine of PRC;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3 
Introduction ... 4 
1 Scope ... 5 
2 Normative references ... 5 
3 Terms, definitions, abbreviations ... 5 
3.1 Terms and definitions ... 5 
3.2 Abbreviations ... 7 
4 Overview of implementation of risk assessment ... 8 
4.1 Basic principles of implementation ... 8 
4.2 Basic process of implementation ... 9 
4.3 Working form of risk assessment ... 9 
4.4 Risk assessment in the information system lifecycle... 10 
5 Staged work of implementation of risk assessment ... 11 
5.1 Preparation stage ... 11 
5.2 Identification stage ... 21 
5.3 Risk analysis stage ... 42 
5.4 Recommendations on risk treatment ... 46 
Appendix A (Informative) Questionnaire ... 52 
Appendix B (Informative) Checklist of security technology vulnerabilities ... 55 
Appendix C (Informative) Checklist of security management vulnerability ... 65 
Appendix D (Informative) Case of risk analysis ... 73 
Information security technology - Guide of
implementation for information security risk assessment
1 Scope
This standard specifies the process and method for the implementation of
information security risk assessment.
This standard applies to the management of information security risk
assessment items of non-confidential information systems by various security
assessment agencies or assessed organizations, guides the organization,
implementation, acceptance of risk assessment items.
2 Normative references
The following documents are essential to the application of this document. For
the dated documents, only the versions with the dates indicated are applicable
to this document; for the undated documents, only the latest version (including
all the amendments) are applicable to this standard.
GB/T 20984-2007 Information security technology - Risk assessment
specification for information security
GB/Z 24364-2009 Information security technology - Guidelines for
information security risk management
3 Terms, definitions, abbreviations
The terms and definitions as defined in GB/T 20984-2007 and GB/Z 24364-
2009 as well as the following terms and definitions apply to this document.
3.1 Terms and definitions
3.1.1
Implementation
The process of putting a series of activities into practice.
3.1.2
In the project implementation activities, the implementation activities that can
play a decisive role of influencing the overall progress of the project.
3.1.10
Analysis model
A kind of simulation analysis method as formed according to a certain
analysis principle, for the analysis of assessment elements.
3.1.11
Evaluation model
The formation of several assessment indicators according to a certain
assessment system, to perform a relatively perfect assessment of the
corresponding activities.
3.1.12
Risk treatment
A series of activities that deal with risks, such as accepting risks, avoiding
risks, transferring risks, reducing risks.
3.1.13
Acceptance
A method used in risk assessment activities to end project implementation
which is mainly organized by the assessed parties to conduct an item-by-
item inspection of the assessment activities, to determine whether the
assessment objectives are met.
3.2 Abbreviations
The following abbreviations apply to this document.
AC: Access Complexity
AV: Access Vector
BOF: Buffer Overflow
CDP: Collateral Damage Potential
CVE: Common Vulnerabilities & Exposures
agreement, to ensure the security of the project information. It shall strictly
manage the work process data and the result data, which shall not be
disclosed to any unit or individual without authorization.
c) Process controllability:
It shall follow the project management requirements to establish a project
implementation team and adopt the project leader responsibility system,
to achieve the controllability of project process.
d) Tool controllability:
The assessment tools used by the security assessor shall be informed to
the user in advance and obtain the user's permission before the project is
implemented, including the product itself, test strategy, etc.
4.1.4 Minimum impact principle
For the risk assessment of the online business system, it shall take the
minimum impact principle, that is, giving priority to guaranteeing the stable
operation of the business system. However, for the work content which requires
to be tested for aggressiveness, it is necessary to communicate with the user
and perform emergency backup, meanwhile carry out in other time than the
peak hour of business.
4.2 Basic process of implementation
GB/T 20984-2007 specifies the implementation process of risk assessment.
According to the various work contents in the process, the implementation of
risk assessment is generally divided into 4 stages: assessment preparation, risk
element identification, risk analysis, risk treatment. Among them, the
assessment preparation stage is the guarantee for the effectiveness of the
assessment, which is the beginning of the assessment; the risk element
identification stage is mainly to identify and assign various key element assets,
threats, vulnerabilities, security measures of the assessment activities; the risk
analysis stage is mainly to carry out correlated analysis of various types of
information as obtained in the identification stage, calculate the risk value; the
risk treatment recommendation work is, focusing on the assessed risks, to
propose the corresponding treatment recommendations, treat the residual risk
after performing security reinforcement according to the treatment
recommendations.
4.3 Working form of risk assessment
GB/T 20984-2007 clarifies that the basic working form of risk assessment is
information system adapts to changes in itself and the environment.
5 Staged work of implementation of risk assessment
5.1 Preparation stage
5.1.1 Work contents of preparation stage
5.1.1.1 Overview
Risk assessment preparation is a guarantee for the effectiveness of the entire
risk assessment process. Since the risk assessment is affected by such aspects
as organization's business strategy, business processes, security needs,
system scale and structure, before the implementation of risk assessment, it
shall make preparation for the assessment. The information security risk
assessment involves important information within the organization. The
assessed organization shall carefully select the qualifications of the
assessment organization and the assessor, meanwhile follow the relevant
national or industry management requirements.
5.1.1.2 Determine assessment target
The risk assessment shall be carried out in all stages of the information system
lifecycle. Since the content, object, security needs of the implementation of risk
assessment are different in each stage of the information system lifecycle, the
assessed organization shall first determine the stage in the information system
lifecycle according to the actual conditions of the current information system,
thereby defining the risk assessment target. In general, the assessment target
for each stage identified by the organization shall meet the following principles:
a) The target of the risk assessment in the planning stage is to identify the
business strategy of the system, to support system security requirements
and security strategies. The assessment in the planning stage shall be
able to describe the role of the information system after the completion on
the existing business model, including technology, management, etc.,
meanwhile determine the security objectives that the system shall achieve
according to its role.
b) The target of the risk assessment in the design stage is to propose security
function needs based on the system operating environment and asset
importance as defined in the planning stage. The risk assessment results
in the design stage shall judge the compliance of the security functions as
provided in the design scheme, as the basis for the risk control of the
procurement process.
c) The target of the risk assessment in the implementation stage is to identify
the risks in the development and implementation process of system
according to the system’s security needs and operating environment,
verify the security functions after the system is built. According to the
analyzed threats in the design stage and the established security
measures, carry out quality control in the course of implementation and
acceptance.
d) The target of risk assessment in the operation-maintenance stage is to
understand and control the security risks during operation. The
assessment includes the information system assets, the threats faced, the
vulnerabilities, the existing security measures, etc.
The target of risk assessment in the obsolescence stage is to ensure that the
obsoleted assets and residual information are properly disposed of, the impact
of obsoleted assets on the organization is analyzed, to determine whether it will
increase or introduce new risk.
5.1.1.3 Determine the assessment scope
After determining the stage of the risk assessment and the corresponding
targets, it shall further define the scope of the risk assessment. It may be either
all the information and various assets and management organizations related
to information processing, or an independent information system, key business
processes, etc. In determining the scope of assessment, it shall, combining with
the established assessment targets and the actual information system building
conditions of the organization, rationally define the assessment object and the
boundary of assessment scope. It may refer to the following basis as the
principle for dividing the boundary of scope:
a) The business logic boundary of the business system;
b) The network and equipment carrier boundaries;
c) The physical environmental boundaries;
d) The organizational management authority boundaries;
e) Others.
5.1.1.4 Establish an assessment team
5.1.1.4.1 Overview
For the risk assessment implementation team, the assessed organization and
the assessment agency shall jointly form a risk assessment team. The leader
of the assessed organization, the relevant department head, the relevant
personnel of the assessment agency shall establish a risk assessment leading
a) Help the assessed organization and implementer to plan the overall work
concept and direction of the risk assessment project;
b) Making decisions on key and difficult issues that arise;
c) Determine the risk assessment conclusions.
5.1.1.5 Kick-off meeting of assessment work
In order to ensure the smooth development of risk assessment work, establish
work targets, unify ideas, coordinate resources of all parties, it shall hold a kick-
off meeting for risk assessment work. The kick-off meeting is generally
organized by the head of the risk assessment’s leading team. The participants
shall include all the members of the assessment team, the main responsible
person of the relevant business department, relevant members of the expert
team, if necessary.
The main contents of the kick-off meeting mainly include: the leader of the
assessed organization declares the significance, purpose, target of the
assessment work and the division of responsibilities in the assessment work.
The project team leader of the assessed organization explains the plan of the
assessment work and the tasks at each stage, as well as the specific matters
that need to be coordinated. The project team leader of the assessment agency
introduces the general methods and work contents of the assessment work.
Through the kick-off meeting, it may carry out training on the assessment
methods and techniques for the personnel of the assessed organizations who
participate the assessment as well as other relevant personnel, to make all
personnel understand the importance of the assessment work, as well as the
work content which requires cooperation at each work stage.
5.1.1.6 System investigation
System investigation is the process of understanding and familiarizing with the
object being evaluated. The risk assessment team shall conduct sufficient
system investigation, to determine the basis and method of risk assessment.
The investigation content shall include:
a) System security protection level;
b) Major business functions and requirements;
c) Network structure and network environment, including internal
connections and external connections;
d) System boundaries, including business logic boundaries, network and
device carrier boundaries, physical environment boundaries,
organizational management authority boundaries, etc.;
a) The system vulnerability assessment tool shall have a comprehensive
capability for system vulnerability verification and detection;
b) The inspection rule base of the assessment tool shall have an update
function that can be updated in a timely manner;
c) The detection strategy and detection method used by the assessment tool
shall not cause an abnormal impact on the information system;
d) The same test object can be detected by various assessment tools. If the
detection results are inconsistent, it shall further carry out the necessary
manual detection and correlation analysis, give the result judgment that is
most consistent with the actual situation.
The selection and use of assessment tools must comply with relevant national
regulations.
5.1.1.9 Develop an assessment scheme
The risk assessment scheme is a general plan for evaluating work
implementation activities, which is used to manage the implementation of
assessment work, to make the work of each stage of the assessment
controllable, meanwhile use it as one of the main basis for the acceptance of
assessment project. The risk assessment scheme shall be confirmed and
approved by the assessed organization. The content of the risk assessment
program shall include:
a) Risk assessment work framework: including assessment targets, scope of
assessment, basis for assessment, etc.;
b) Assessment team organization: including assessment team members,
organizational structure, roles, responsibilities; if necessary, it shall
include the introduction of the establishment of risk assessment leading
team and expert team;
c) Assessment work plan: including the work content, work form, work results,
etc. of each stage;
d) Risk avoidance: including confidentiality agreements, environment
requirements for assessment work, assessment methods, tool selection,
emergency plans, etc.;
e) Time schedule: The time schedule for the implementation of the
assessment work;
f) Project acceptance method: including acceptance method, acceptance
basis, definition of acceptance conclusion, etc.
The assessment agency shall verify the test tools. The content includes:
whether the test tool has the necessary system patches installed, whether there
are residual information unrelated to this assessment work, the upgrade and
operation of the virus Trojan, the vulnerability library or the detection rule base.
The verification personnel shall fill in the test tool verification record. The
assessor shall fully communicate the test method with the relevant personnel
of the assessed organization in advance. During the test, the assessor shall
perform the test operation under the cooperation by the relevant personnel of
the assessed organization.
5.2 Identification stage
5.2.1 Overview
The identification stage is an important work stage of risk assessment. It
identifies such elements as the assets, threats, vulnerabilities in the
organization and information system. It is the prerequisite for the security risk
analysis of information system.
5.2.2 Asset identification
5.2.2.1 Overview
An asset is information or resources that are valuable to the organization and
is the object of security policy protection. In the risk assessment work, the
important factors of risk are asset-centric; threats, vulnerabilities and risks are
objectively existing against assets. Threats exploit the vulnerability of assets to
make security incidents possible, thus creating security risks. Once these
security incidents occur, they will have certain impact on specific assets and
even the entire information system, thus affecting the interests of the
organization. Therefore, assets are an important part of risk assessment.
Assets of different values have different degrees of impact on the organization
when they are destroyed to the same extent. The value of an asset is a measure
of the importance or sensitivity of the asset. Identifying assets and assessing
asset value is an important part of risk assessment.
5.2.2.2 Asset classification
In an organization, assets exist in a variety of forms, different types of assets
may have different asset values, threats faced, vulnerabilities, and security
measures taken. Classifying assets can help improve the efficiency of asset
identification and facilitate overall risk assessment.
In the implementation of risk assessment, it may use the asset classification
method in GB/T 20984-2007, to divide the assets into 6 categories: hardware,
scheme, implementation scheme, installation manual, user manual, test report,
operation report, security policy document, security management system
document, operation process document, system implementation records, asset
lists, network topology maps, etc., to identify assets of organizations and
information systems.
If there is a contradiction between the documented information, or there is an
unclear place, or if the documented information is different from the actual
situation, the asset identification shall be verified with the relevant personnel of
the assessed organization on key assets and key issues, select to interview the
personnel who undertake different roles in the organization and information
system management, including leaders in charge, business personnel,
developers, implementers, operation-maintenance personnel, supervisors.
Under normal circumstances, after reading the documents and on-site
interviews, it may basically identify the organization and information system
assets. For key assets, it shall carry out a fact-finding trip at site.
5.2.2.4 Asset assignment
On the basis of asset investigations, it is necessary to analyze the level of
security attributes of assets such as confidentiality, integrity, availability. The
security attribute levels include 5 levels: very high, high, medium, low, very low.
The higher the level of a certain security attribute, the more important the
security attribute of the asset. The meaning of the 5 assignments of
confidentiality, integrity, availability can be found in GB/T 20984-2007.
The quantification process of security attributes of assets such as confidentiality,
integrity, availability are subjective, it may make reference to the following
factors, use the methods such as weighting to comprehensively derive the
assignment level of security attributes of assets such as confidentiality, integrity,
availability:
a) The importance of the information systems carried by the assets;
b) The security level of the information system carried by the asset;
c) The importance of the assets to the safe and normal operation of the
information carried;
d) The importance of the security attributes of asset such as confidentiality,
integrity, availability, etc. to the information system, as well as to the
related business.
The value of the asset shall be determined by a comprehensive assessment
based on the level of assignment of the confidentiality, integrity, availability of
the asset. The asset values include 5 levels: very high, high, medium, low, very
low. The meanings of each level may be found in GB/T 20984-2007.
into 11 types: hardware and software failures, physical environment impact,
inaction or operational errors, insufficient management, malicious code, un-
authorization or abusing, network attacks, physical attacks, leaks, tampering,
repudiation.
a) Depending on the cause, performance, consequences of the threat, the
threat can also be divided into unwanted program. An unwanted program
is a piece of program that is inserted into an information system that
compromises the confidentiality, integrity, availability of data, applications,
operating systems in the system, or affects the proper functioning of the
information system. Unwanted programs include computer viruses,
worms, Trojan horses, botnets, hybrid attackers, malicious code
embedded in web pages, other unwanted programs;
b) Cyber-attack. A cyber-attack is an attack on an information system by
means of a network or other means, using configuration flaws, protocol
defects, program flaws, or violent attacks to attack the information system,
causing an abnormality in the information system or potential harm to the
current operation of the information system. Network attacks include
denial of service attacks, backdoor attacks, exploits, network scanning
eavesdropping, phishing, interference, other network attacks;
c) Information destruction. Information destruction refers to the tampering,
counterfeiting, disclosure, theft of information in the information system
through the network or other technical means. Information destruction
includes information tampering, information spoofing, information
disclosure, information theft, information loss, other information
destruction;
d) Information content attacks. Information content attack refers to the use
of information networks to publish and disseminate attacks that endanger
national security, social stability, public interest, corporate and personal
interests;
e) Equipment facility failure. Equipment facility failure refers to the
information system abnormality or potential harm to the current operation
of the information system due to the failure of the information system itself
or the failure of the peripheral support facilities. Equipment facility failures
include hardware and software failures, peripheral support facilities
failures, vandalism, other equipment failures;
f) Disastrous damage. Disastrous damage refers to physical damage to the
information system caused by force majeure. Disastrous damage includes
floods, typhoons, earthquakes, lightning strikes, collapses, fires, terrorist
attacks, wars, etc.;
funds, manpower, technical resources for the attack.
a) The knowledge and skills of malicious employees are generally very
limited, so the attack ability is weak. However, malicious employees may
have a large amount of information about the system, have certain
permissions, have more attack opportunities than external attackers, so
the successful rate is high. It belongs to a serious security threat;
b) Independent hackers are individual attackers with limited resources,
mainly using external attacks, usually launching scattered, purposeless
attacks. The attack ability is limited;
c) Domestic and foreign competitors, criminal gangs, terrorist organizations
are organized attackers with certain resource guarantees, strong
cooperation and computing skills, strong attack objectives. They can make
long-term and intensive attack preparation, use the attack method which
combines external attacks, internal attacks, proximity attacks, even simple
distribution attacks. They have strong attack ability.
Attacks from state actions are the most powerful attacks. National attacks are
not only well-organized, have sufficient financial, human, technical resources,
but also may perform high-hidden and highly destructive distribution attacks
when necessary, stealing organizational core secrets or making the network
and information systems completely flawed. Table 3 analyzes the types,
motivations, characteristics of typical attacker.
Table 3 -- Typical types, motivations, capabilities of attackers
Type Description Main motivations Capabilities
Malicious employee
Mainly refers to internal
employees who are
dissatisfied with the
organization or have
some malicious purpose
Deliberately destroy the system
due to dissatisfaction with the
organization, or steal
information or destroy the
system for some purpose
Master the internal situation,
understand the system structure and
configuration; have a system legal
account, or master the available
account information; can attack the
weakest link of the system from inside
Independent hacker
Mainly refers to individual
hacker
Try to find and exploit the
vulnerability of information
systems to achieve curiosity,
testing technical capabilities,
and malicious destruction;
motivation is complex, purpose
is not strong
Occupy a small amount of resources,
generally reconnaissance and attack
networks and systems from outside
the system; the level of attackers
varies greatly
Organized
attacker
Domestic
and foreign
competitors
Mainly refers to domestic
and foreign industrial and
commercial institutions
with competitive relations
Obtain business intelligence;
undermine competitors’
business and reputation, with
strong purpose
Have certain financial, human,
technical resources. Mainly through a
variety of channels to collect
intelligence, including the use of
internal employees from competitors,
modifying data; inserting data; denial of service attacks, etc.
b) Passive attacks do not result in tampering with system information,
meanwhile the system operations and status do not change. Passive
attacks are generally not easy to find. Common passive attacks include
reconnaissance, sniffing, monitoring, traffic analysis, password
interception, etc.
c) Proximity attacks are attacks where the attacker is geographically as close
as possible to the attacked network, system, device, in order to modify,
collect, or compromise the system. This approaching can be open or
secret, or both. Common proximity attacks include: stealing the disk and
returning it; peeking at the screen information; collecting the invalid printed
paper; eavesdropping on the room; destroying the communication line.
d) Distributed attack is that an attacker who maliciously modifies the design,
configuration, etc. during the development, production, transportation,
installation stages of software and hardware. Common distributed attacks
include: using the manufacturer to set hidden functions on the device, to
modify the software and hardware configurations during product
distribution and installation; modifying software and hardware
configurations during device and system maintenance and upgrade, etc.
Remote upgrade and maintenance directly through the Internet have a
greater security risk.
e) Mis-operation refers to the attack on the system caused by the
unintentional behavior of the legitimate user. The mis-operation does not
intentionally destroy the information and the system, but some special
behaviors occur due to mis-operation, lack of experience, insufficient
training, thus causing unintentional damage to the system. Common mis-
operations include: inadvertent destruction of equipment or data, deletion
of files or data, destruction of lines, configuration and operational errors,
inadvertent use of system-corruption commands, etc.
The threat source causes damage to the threat object, sometimes not directly,
but through the transmission of several media in the middle, forming a threat
path. In the risk assessment work, investigating the threat path is useful for
analyzing the possibility and damage caused by threats in various links. The
threat path investigation shall identify the starting point of the threat, the
intermediate point of the threat, the end point of the threat, meanwhile clarify
the characteristics of the threat at different links.
5.2.3.3.4 Likelihood of threat and its impact
Threats exist objectively, but for different organizations and information systems,
the possibility of threats varies. The impact of threats is closely related to
other similar organizations or the similar information systems ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.