GB/Z 24364-2009: Information security technology -- Guidelines for information security risk management (English translation, excerpt). Status: Obsolete.
GB/Z 24364-2009
Information security technology -- Guidelines for information security risk management
ICS 35.040, L80
National guiding technical document of the People's Republic of China
Issued 2009-09-30, implemented 2009-12-01
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of information security risk management
4.1 Scope and objects of information security risk management
4.2 Content and process of information security risk management
4.3 Relationship between information security risk management, the information system life cycle and information security objectives
4.4 Roles and responsibilities of information security risk management personnel
5 Background establishment
5.1 Overview of background establishment
5.2 Background establishment process
5.3 Background establishment documents
6 Risk assessment
6.1 Overview of risk assessment
6.2 Risk assessment process
6.3 Risk assessment documents
7 Risk treatment
7.1 Overview of risk treatment
7.2 Risk treatment process
7.3 Risk treatment documents
8 Approval and supervision
8.1 Overview of approval and supervision
8.2 Approval and supervision process
8.3 Approval and supervision documents
9 Monitoring and review
9.1 Overview of monitoring and review
9.2 Monitoring and review process
9.3 Monitoring and review documents
10 Communication and consultation
10.1 Overview of communication and consultation
10.2 Communication and consultation process
10.3 Communication and consultation documents
11 Information security risk management in the information system planning phase
11.1 Security objectives and security requirements
11.2 Risk management processes and activities
12 Information security risk management in the information system design phase
12.1 Security objectives and security requirements
12.2 Risk management processes and activities
13 Information security risk management in the information system implementation phase
13.1 Security objectives and security requirements
13.2 Risk management processes and activities
14 Information security risk management in the information system operation and maintenance phase
14.1 Security objectives and security requirements
14.2 Risk management processes and activities
15 Information security risk management in the information system disposal phase
15.1 Security objectives and security requirements
15.2 Risk management processes and activities
Appendix A (informative) Risk management reference model and its requirements and measures
A.1 Risk management reference model
A.2 Risk management requirements and measures
References

Foreword
Appendix A of this guiding technical document is informative.
This guiding technical document was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee.
Drafting organizations: Information Security Research and Service Center of the State Information Center; Beijing Research Institute of China Telecom Co., Ltd.
Main drafters: Wu Yafei, Zhang Jian, Fan Hong, Liu Wei, Zhao Yang.

Introduction
An organization must use its resources to accomplish its mission.
In the information age, information has become a primary strategic resource and plays an ever more important role. The security of information assets therefore bears directly on whether an organization can fulfil its mission. Assets and risk form a pair of opposites: the higher the value of an asset, the greater the risk it faces. Information assets have characteristics that differ from those of traditional assets and face new kinds of risk. The purpose of information security risk management is to ease and balance this contradiction, to control risk to an acceptable level, and to protect information and its related assets so that the organization can ultimately accomplish its mission.

Information security risk management is fundamental work in information security assurance, mainly in the following respects.

The ideas and measures of information security risk management should be embodied in the technology, organization and management of the information security assurance system. Because risks exist in each of these three aspects, risk management thinking should be introduced into the technology, the organization and the management of that system, so that risks are assessed accurately and treated reasonably and the information security objectives are achieved jointly.

The ideas and measures of information security risk management should run through the whole information system life cycle, which consists of five phases: planning, design, implementation, operation and maintenance, and disposal. Each phase carries its own risks, which should be treated and controlled with the ideas and measures of information security risk management.

The ideas and measures of information security risk management strongly support the implementation of the information security level protection system. Following the ideas and principles of level protection, information security risk management distinguishes the primary from the secondary, balances cost against benefit, rationally deploys and uses information security protection mechanisms and key infrastructure such as the trust system, the monitoring system and emergency response, and selects and determines appropriate security controls so that the organization has the information security capability its mission requires.

This guiding technical document was prepared to implement the state's requirements for strengthening information security assurance work and to develop the information security level protection system. It can be used together with GB/T 20984 and can serve as a reference for an organization establishing an information security management system (ISMS). It draws on relevant international standards for information security risk management such as ISO/IEC 27005 and has been verified in industry and regional pilots. It comprehensively describes the processes of information security risk management (background establishment, risk assessment, risk treatment, approval and supervision, monitoring and review, communication and consultation) and systematically sets out how information security risk management is applied in each phase of the information system life cycle.

In this guiding technical document, "risk management" means "information security risk management". The documents listed by title and number in this guiding technical document are exemplary; their format and details are not prescribed.

Information security technology -- Guidelines for information security risk management

1 Scope
This guiding technical document specifies the content and process of information security risk management and provides guidance on information security risk management in the different phases of the information system life cycle.
This guiding technical document is intended to guide organizations in managing information security risk.

2 Normative references
The provisions of the following documents become provisions of this guiding technical document through reference in it. For dated references, subsequent amendments (excluding corrigenda) or revisions do not apply to this guiding technical document; however, parties to agreements based on this guiding technical document are encouraged to investigate whether the latest editions of these documents can be used. For undated references, the latest edition applies to this guiding technical document.
GB 17859-1999 Classified criteria for security protection of computer information systems
GB/T 18336.2-2008 Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements (ISO/IEC 15408-2:2005, IDT)
GB/T 20984-2007 Information security technology - Risk assessment specification for information security
GB/T 22081-2008 Information technology - Security techniques - Code of practice for information security management (ISO/IEC 27002:2005, IDT)

3 Terms and definitions
The following terms and definitions apply to this guiding technical document.
3.1 availability
The property that data or resources can be accessed and used by an authorized entity as required. [GB/T 20984]
3.2 confidentiality
The property that data is not made available or disclosed to unauthorized individuals, processes or other entities. [GB/T 20984]
3.3 information security risk
The possibility that a human or natural threat exploits vulnerabilities in an information system and its management system to cause a security incident, together with the impact so caused. [GB/T 20984]
3.4 integrity
The property that information and information systems are not altered or destroyed by unauthorized means; it includes data integrity and system integrity. [GB/T 20984]
3.5 risk
The combination of the probability of an event and its consequence. [GB/T 22081]
3.6 risk management
The process of identifying, controlling, eliminating or minimizing uncertainties that may affect system resources.
3.7 risk treatment
The process of selecting and implementing measures to modify risk. [GB/T 22081]

4 Overview of information security risk management
4.1 Scope and objects of information security risk management
The concept of information security covers the security of information, of information carriers and of the information environment. Information is the content, such as data and files, collected in and stored by an information system. Information carriers are the media that carry information, that is, the entities used to record, transmit, accumulate and store it. The information environment is the environment in which information and its carriers reside, including the hardware environment and the software environment, such as the physical platform, system platform, network platform and application platform.
Information security risk management is risk-based information security management: information security management is founded on risk throughout. Conceptually, it should cover every object related to information security in the three aspects above (information, information carriers and the information environment). For a specific information system, however, risk management may be concerned mainly with the system's critical and sensitive parts. The focus of information security risk management, that is, the scope and objects selected for risk management, should therefore differ according to the actual information system.
4.2 Content and process of information security risk management
Information security risk management comprises background establishment, risk assessment, risk treatment, approval and supervision, monitoring and review, and communication and consultation. Background establishment, risk assessment, risk treatment, and approval and supervision are the four basic steps of information security risk management; monitoring and review and communication and consultation run through those four steps, as shown in Figure 1.
Figure 1 Content and process of information security risk management
The first step, background establishment, determines the objects and scope of risk management, makes the preparations for implementing risk management, and surveys and analyses the relevant information. The second step, risk assessment, identifies, analyses and evaluates the risks faced by the risk management objects determined in the first step. The third step, risk treatment, selects and implements appropriate security measures on the basis of the risk assessment results. In the fourth step, approval and supervision, the organization's decision-making layer decides whether to approve the risk management activities according to whether the results of risk assessment and risk treatment satisfy the security requirements of the information system. When the business objectives or characteristics of the protected system change, or it faces new risks, the four steps are entered again, forming a new cycle.
Monitoring and review monitors and reviews the four steps: monitoring checks the effectiveness and cost-effectiveness of the four steps, while review tracks changes in the protected system itself and in its environment to ensure that the results of the four steps remain valid and compliant. Communication and consultation serve the personnel involved in the four steps: communication gives the participants the means to stay coordinated and achieve the security objectives together; consultation gives all relevant personnel the means to learn, raising their risk awareness and knowledge so that the security objectives are achieved.
Background establishment, risk assessment, risk treatment, approval and supervision, monitoring and review, and communication and consultation together form an ascending spiral that lets the protected system respond continuously to new security needs and risks arising from changes in itself and in its environment. Chapters 5 to 10 of this guiding technical document describe the concept, process, work content and output documents of each of these six elements in the implementation of information security risk management.

4.3 Relationship between information security risk management, the information system life cycle and information security objectives
4.3.1 Information system life cycle
The information system life cycle is the whole course of an information system from its inception to its disposal. It consists of five basic phases: planning, design, implementation, operation and maintenance, and disposal. The planning phase determines the purpose, scope and requirements of the information system, analyses and demonstrates feasibility, and produces an overall plan. The design phase, following the overall plan, determines the implementation architecture of the information system (function partitioning, interface protocols, performance indicators and so on) and the implementation plan (implementation technology, equipment selection, system integration and so on). The implementation phase, following the implementation plan, procures and tests equipment, develops custom functions, integrates, deploys, configures and tests the system, and trains personnel. The operation and maintenance phase keeps the information system working continuously as it and its environment change, and upgrades it as needed. The disposal phase disposes of the information system as a whole, or of parts of it, once it is outdated or no longer useful. When the business objectives or requirements of the information system change, or its technical or management environment changes, the five phases are entered again, forming a new cycle. Planning, design, implementation, operation and maintenance, and disposal thus form an ascending spiral that lets the information system adapt continuously to changes in itself and in its environment.
4.3.2 Information security objectives
The objective of information security is to realize the basic security attributes of the information system (that is, the basic attributes of information security) and to reach the required protection level. The basic attributes of information security are confidentiality, integrity, availability, authenticity and non-repudiation; each attribute has a corresponding security level that measures its strength, as shown in Figure 2.
Figure 2 Basic attributes of information security and their security levels
Confidentiality is the property that information and information systems are not accessed or used by unauthorized persons; it covers data secrecy and access control. Integrity is the property that information and information systems are genuine, accurate and complete and have not been impersonated, forged or tampered with; it covers identity authenticity, data integrity and system integrity. Availability is the property that information and information systems can be accessed and used by authorized persons when needed. Authenticity is the property that the identity of a subject or resource is the one claimed. Non-repudiation is the property that an entity cannot deny its actions; it supports accountability, deterrence and legal action.
The security level is the degree or strength of confidentiality, integrity, availability, authenticity and non-repudiation actually reached in a concrete implementation and can serve as a measure of how far the system's security can be trusted. The security level of an information system is determined mainly through security evaluation and certification of the system.
4.3.3 The three relationships
The relationship between information security risk management, the information system life cycle and information security objectives can be stated briefly: at each phase of the information system life cycle, the corresponding means of information security risk management are needed as support for meeting that phase's information security objectives. The characteristics of each phase of the life cycle and the assurance level of its information security objectives vary with the industry and with the system. That is, different systems in different industries place different requirements and emphasis on each attribute of information security (confidentiality, integrity, availability, authenticity and non-repudiation) at each phase of the information system life cycle. Industry-specific information security risk management practices can therefore be developed under the guidance of this guiding technical document. The protection level of the information security objectives should follow the national information security level protection system; see GB 17859-1999 for details. Chapters 11 to 15 of this guiding technical document describe the security requirements and objectives of each phase of the information system life cycle and the corresponding main processes and activities of information security risk management.
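The four basic steps of 4.2, with the per-attribute security levels of 4.3.2 serving as the acceptance criteria, as an added worked example in Python. This is not code from the standard: GB/Z 24364 leaves the scoring method to GB/T 20984, so the five-grade scale, the 5x5 likelihood-by-impact matrix, the acceptance criteria, the register entries and the treatment plan below are all assumptions constructed for illustration.

```python
# Added example: one risk-management cycle (background establishment -> assessment
# -> treatment -> approval). Scale, matrix, criteria and data are all assumed.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

Level = IntEnum("Level", "VERY_LOW LOW MEDIUM HIGH VERY_HIGH")   # values 1..5

# Output of background establishment: the highest risk level accepted for each
# basic security attribute (4.3.2). Assumed values for this example.
ACCEPTANCE_CRITERIA = {"confidentiality": Level.LOW, "integrity": Level.LOW,
                       "availability": Level.MEDIUM}

@dataclass
class RiskItem:
    asset: str
    attribute: str                      # basic attribute the threat would violate
    threat: str
    likelihood: Level                   # chance the threat exploits a vulnerability (3.3)
    impact: Level                       # consequence if it does
    controls: list = field(default_factory=list)
    accepted_by: Optional[str] = None   # decision-layer sign-off for residual risk

    @property
    def key(self) -> str:
        return f"{self.asset}/{self.attribute}/{self.threat}"

def risk_level(likelihood: Level, impact: Level) -> Level:
    """Combine probability and consequence (3.5) through an assumed 5x5 matrix."""
    score = int(likelihood) * int(impact)            # 1..25
    for ceiling, level in ((4, Level.VERY_LOW), (8, Level.LOW),
                           (12, Level.MEDIUM), (16, Level.HIGH)):
        if score <= ceiling:
            return level
    return Level.VERY_HIGH

def assess(register: list) -> dict:
    """Risk assessment: the current risk level of every item, by key."""
    return {r.key: risk_level(r.likelihood, r.impact) for r in register}

def unacceptable(register: list) -> list:
    """Evaluation: items whose level exceeds the criterion for their attribute."""
    return [r for r in register
            if risk_level(r.likelihood, r.impact) > ACCEPTANCE_CRITERIA[r.attribute]]

def approval_decision(register: list) -> tuple:
    """Approval and supervision: approve only when every residual risk meets the
    criteria or carries an explicit, recorded acceptance by the decision layer."""
    open_items = [r.key for r in unacceptable(register) if r.accepted_by is None]
    return (len(open_items) == 0, open_items)

def run_cycle(register: list, plan: dict) -> dict:
    """One pass through the four basic steps of 4.2 for a register and a plan."""
    inherent = assess(register)
    for r in unacceptable(register):                 # treat only where evaluation demands it
        step = plan.get(r.key)
        if step is None:
            continue                                 # left open: approval will fail on it
        if step["action"] == "reduce":
            r.controls.append(step["control"])
            r.likelihood = step.get("likelihood", r.likelihood)
            r.impact = step.get("impact", r.impact)
        elif step["action"] == "accept":
            r.accepted_by = step["accepted_by"]
    approved, open_items = approval_decision(register)
    return {"inherent": inherent, "residual": assess(register),
            "approved": approved, "open": open_items}

def build_register() -> list:
    """Constructed sample register, not real assessment data."""
    return [
        RiskItem("customer database", "confidentiality",
                 "SQL injection via web application", Level.HIGH, Level.VERY_HIGH),
        RiskItem("customer database", "availability", "disk failure",
                 Level.MEDIUM, Level.HIGH),
        RiskItem("web portal", "integrity", "defacement through weak admin password",
                 Level.MEDIUM, Level.MEDIUM),
        RiskItem("legacy report server", "availability", "end-of-life hardware",
                 Level.HIGH, Level.HIGH),
    ]

# Constructed treatment plan: reduce where a control exists, accept with sign-off
# where the decision layer chooses to carry the risk until disposal.
TREATMENT_PLAN = {
    "customer database/confidentiality/SQL injection via web application":
        {"action": "reduce", "control": "parameterised queries and input validation",
         "likelihood": Level.VERY_LOW},
    "web portal/integrity/defacement through weak admin password":
        {"action": "reduce", "control": "MFA on the admin console",
         "likelihood": Level.VERY_LOW},
    "legacy report server/availability/end-of-life hardware":
        {"action": "accept", "accepted_by": "CIO (decommissioning scheduled)"},
}

if __name__ == "__main__":
    result = run_cycle(build_register(), TREATMENT_PLAN)
    for key, level in result["inherent"].items():
        print(f"{key}: {level.name} -> {result['residual'][key].name}")
    print("approved:", result["approved"], "open:", result["open"])
```

Running the module prints each item's inherent and residual level and the approval decision. What the code makes explicit that the prose does not: approval is a property of the whole register, since every item above its criterion must either be brought under it by treatment or carry a recorded acceptance, so one untreated item blocks approval; and the acceptance criteria are fixed during background establishment and consulted again at approval, which is why a change to the criteria or the register sends the organization back through the four steps as a new cycle.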
4.4 Roles and responsibilities of information security risk management personnel
Information security risk management is risk-based information system security management. The personnel it involves therefore include both the direct participants in information security risk management and the personnel associated with the information system itself. Table 1 summarizes and classifies their roles and responsibilities.
Table 1 Roles and responsibilities of personnel involved in information security risk management
(For each level, the first entry gives the role in the information system and the second the role in information security risk management; "internal" and "external" indicate whether the role sits inside or outside the organization.)
Decision-making layer
  Information system: decision makers (internal); responsible for major decisions and the overall plan of the information system.
  Risk management: decision makers (internal); responsible for major decisions, the overall plan, and approval and supervision of information security risk management.
Management layer
  Information system: managers (internal); responsible for management, organization and coordination of all aspects of the information system.
  Risk management: managers (internal); responsible for management, organization and coordination throughout the information security risk management process.
Executive layer
  Information system: planning and design personnel (internal or external), responsible for planning and designing the information system; construction personnel (internal or external), responsible for building and implementing it; operations personnel (internal), responsible for its daily operation; maintenance personnel (internal or external), responsible for its daily maintenance, including repairs and upgrades; monitoring personnel (internal), responsible for monitoring and controlling it.
  Risk management: execution personnel (internal or external), responsible for the concrete planning, design and implementation of information security risk management; monitoring personnel (internal), responsible for monitoring and controlling the process, cost and results of information security risk management.
Support layer
  Information system: support personnel (external); provide professional technical support for the information system, including consulting, training, evaluation and tool customization.
  Risk management: support personnel (external); provide professional technical support for information security risk management, including consulting, training, assessment and tool customization.
User layer
  Information system: users (internal or external); use the information system to complete their own tasks.
  Risk management: users (internal or external); use the information system in accordance with the principles and processes of information security risk management and give feedback on its effects.

5 Background establishment
5.1 Overview of background establishment
5.1.1 Concept of background establishment
Background establishment (the counterpart of context establishment in ISO/IEC 27005) is the first step of information security risk management. It determines the objects and scope of risk management, makes the preparations for implementing risk management, and surveys and analyses the relevant information.
5.1.2 Purpose of background establishment
The purpose of background establishment is to clarify the scope and objects of information security risk management and the characteristics and security requirements of those objects, and to plan and prepare the information security risk management project so that the subsequent risk management activities proceed smoothly.
5.1.3 Basis of background establishment
The relevant national, regional or industry policies, laws, regulations and standards, together with the business objectives and characteristics of the information system, are the necessary basis for background establishment.
5.2 Background establishment process
The background establishment process consists of four phases: risk management preparation, information system survey, information system analysis and information security analysis.
Within the information security risk management process, background establishment begins a main cycle of information security risk management and provides the input for risk assessment. Monitoring and review and communication and consultation run through its four phases, as shown in Figure 3.
Figure 3 Background establishment process and its position in information security risk management
5.2.1 Risk management preparation
As shown in Figure 4, the work process and content of the risk management preparation phase are as follows.
a) Identify the risk management objects. Based on the organization's mission and in accordance with the relevant national, regional or industry policies, laws, regulations and standards, determine the objects for which risk management will be implemented.
b) Establish the risk management team. Set up the risk management team and determine its members, organizational structure, roles, responsibilities and so on.
c) Develop the risk management plan. Draw up the implementation plan for risk management, including the purpose, significance, scope, objectives, organizational structure, implementation schedule, budget and timetable of risk management, and record it as the risk management plan.
d) Obtain support. Once the above has been determined, the risk management plan should be supported and approved by the organization's top management; the decision-making layer communicates it to the management and executive layers and organizes training on risk management so that the relevant personnel understand their tasks in risk management.
Figure 4 Process of the risk management preparation phase and its inputs and outputs
5.2.2 Information system survey
As shown in Figure 5, the work process and content of the information system survey phase are as follows.
a) Survey the business objectives of the information system. Understand the organization's mission, including its strategic background and strategic objectives, and identify the business objectives of the information systems that support the organization in fulfilling its mission.
b) Survey the business characteristics of the information system. Understand the organization's business, including its content and processes, and identify the business characteristics of the information systems that support the organization's business operations.
c) Survey the management characteristics of the information system. Understand the organization's organizational structure and management system, including position setting, allocation of responsibilities, rules and regulations, operating procedures and personnel management, and identify the management characteristics of the information systems that support the organization's business operations.
d) Survey the technical characteristics of the information system. Understand the technology platforms of the information system, including the physical platform, system platform, communication platform, network platform and application platform, and identify the technical characteristics of the information systems that support the business operations.
e) Summarize the above findings into a description report of the information system, covering its business objectives, business characteristics, management characteristics and technical characteristics.
Information system survey methods include questionnaires, interviews, on-site visits and auxiliary tools, combined flexibly according to circumstances.
Figure 5 Process of the information system investigati... ......
Source: the above is excerpted from the full-copy PDF, translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.