GB/T 20984-2022_English: PDF (GB/T20984-2022)
Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | Status | PDF |
GB/T 20984-2022 | English | 470 |
Add to Cart
|
0--9 seconds. Auto-delivery
|
Information security technology -- Risk assessment method for information security
| Valid |
GB/T 20984-2022
|
GB/T 20984-2007 | English | 225 |
Add to Cart
|
0--9 seconds. Auto-delivery
|
Information security technology -- Risk assessment specification for information security
| Obsolete |
GB/T 20984-2007
|
Standard ID | GB/T 20984-2022 (GB/T20984-2022) | Description (Translated English) | Information security technology -- Risk assessment method for information security | Sector / Industry | National Standard (Recommended) | Classification of Chinese Standard | L80 | Classification of International Standard | 35.030 | Word Count Estimation | 30,366 | Date of Issue | 2022-04-15 | Date of Implementation | 2022-11-01 | Older Standard (superseded by this standard) | GB/T 20984-2007 | Quoted Standard | GB/T 25069; GB/T 33132-2016 | Drafting Organization | State Information Center, Beijing Anxin Tianxing Technology Co., Ltd., Information Industry Information Security Evaluation Center, Beijing Information Security Evaluation Center, China Information Security Evaluation Center, China Network Security Review Technology and Certification Center, China Electronics Standardization Institute, Ministry of Public Security Information Security Level Protection Evaluation Center, The First Research Institute of the Ministry of Public Security, Shanghai Guan'an Information Technology Co., Ltd., Chengdu Civil Aviation Electronic Technology Co., Ltd., Henan Jindun Xin'an Testing and Evaluation Center Co., Ltd., Shenzhen Nanshan District Government Service Data Administration, Yunnan Highway Network Charge Management Co., Ltd., State Grid Ningxia Electric Power Co., Ltd., State Grid Xinjiang Electric Power Co., Ltd. | Administrative Organization | National Information Security Standardization Technical Committee (SAC/TC 260) | Proposing organization | National Information Security Standardization Technical Committee (SAC/TC 260) | Issuing agency(ies) | State Administration for Market Regulation, National Standardization Administration | Summary | This standard specifies the basic concepts of information security risk assessment, the relationship between risk elements, the principle of risk analysis, the implementation process and assessment method of risk assessment, as well as the implementation points and work forms of risk assessment in different stages of the information system life cycle. This standard applies to all kinds of organizations to carry out information security risk assessment. | Standard ID | GB/T 20984-2007 (GB/T20984-2007) | Description (Translated English) | Information security technology. Risk assessment specification for information security | Sector / Industry | National Standard (Recommended) | Classification of Chinese Standard | L80 | Classification of International Standard | 35.040 | Word Count Estimation | 31,323 | Date of Issue | 2007-06-14 | Date of Implementation | 2007-11-01 | Quoted Standard | GB/T 9361; GB 17859-1999; GB/T 18336-2001; GB/T 19716-2005 | Drafting Organization | National Information Center | Administrative Organization | Standardization Technical Committee of the National Information Security | Regulation (derived from) | GB Notice 2007 No. 6 (Total No. 106) (GB Commission) | Proposing organization | State Council Information Office | Issuing agency(ies) | General Administration of Quality Supervision, Inspection and Quarantine of PRC, China National Standardization Administration Committee | Summary | This standard specifies the basic concepts of risk assessment, elements of relationship analysis principles, implementation process and assessment methods and risk assessment in the information system life cycle at different stages of the implementation of the key points and forms of work. This standard applies to regulate the organization to carry out a risk assessment. |
GB/T 20984-2022
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Replacing GB/T 20984-2007
Information security technology - Risk assessment method
for information security
ISSUED ON: APRIL 15, 2022
IMPLEMENTED ON: NOVEMBER 01, 2022
Issued by: State Administration for Market Regulation;
Standardization Administration of the PRC.
Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions, abbreviations ... 5
3.1 Terms and definitions ... 5
3.2 Abbreviations ... 7
4 Risk assessment framework and process ... 8
4.1 Relationship between risk factors ... 8
4.2 Principles of risk analysis ... 9
4.3 Risk assessment process ... 9
5 Implementation of risk assessment ... 11
5.1 Preparation of risk assessment ... 11
5.2 Risk identification ... 12
5.3 Risk analysis ... 22
5.4 Risk evaluation ... 22
5.5 Communication and negotiation ... 24
5.6 Risk assessment documentation ... 24
Appendix A (Informative) Risk assessment at each stage of assessment object lifecycle
... 27
Appendix B (Informative) Work forms of risk assessment ... 33
Appendix C (Informative) Tools for risk assessment ... 35
Appendix D (Informative) Asset identification ... 40
Appendix E (Informative) Threat identification ... 43
Appendix F (Informative) Examples of risk calculation ... 47
Bibliography ... 49
Information security technology - Risk assessment method
for information security
1 Scope
This document describes the basic concepts of information security risk assessment,
relationship between risk factors, principles of risk analysis, implementation process
and assessment method of risk assessment, as well as the implementation points and
work forms of risk assessment at different stages of information system lifecycle.
This document applies to all types of organizations conducting information security risk
assessments.
2 Normative references
The contents of the following documents, through normative references in this text,
constitute indispensable provisions of this document. Among them, for dated references,
only the edition corresponding to that date applies to this document. For undated
references, the latest edition (including all amendments) applies to this document.
GB/T 25069 Information security techniques - Terminology
GB/T 33132-2016 Information security technology - Guide of implementation for
information security risk treatment
3 Terms and definitions, abbreviations
3.1 Terms and definitions
The terms and definitions defined in GB/T 25069 and the following ones apply to this
document.
3.1.1
Information security risk
The potential for a particular threat to exploit the vulnerability of a single or group of
assets and the damage that this may cause to an organization.
Note: It is measured by a combination of the likelihood of a state of affairs and its consequences.
[Source: GB/T 31722-2015, 3.2]
3.1.2
Risk assessment
The entire process of risk identification, risk analysis, and risk evaluation.
[Source: GB/T 29246-2017, 2.71]
Note: This document refers specifically to information security risk assessment.
3.1.3
Organization
An individual or group that has its own responsibilities, authority, and relationships to
achieve its goals.
Note: The concept of organization includes, but is not limited to, a sole proprietor, company, legal
person, firm, enterprise, agency, partnership, charity or institution, or parts or combinations
thereof, whether incorporated or not, public or private.
[Source: GB/T 29246-2017, 2.57, modified]
3.1.4
Business
Operational activities carried out by the organization to achieve a development plan.
Note: The activity has clear goals and runs over a period of time.
3.1.5
Security requirement
Requirements for security control to ensure the proper functioning of an organization's
business plan.
3.1.6
Security control
Various practices, procedures, and mechanisms which are implemented to protect assets,
defend against threats, reduce vulnerability, reduce the impact of security incidents, and
combat information crime.
3.1.7
4.2 Principles of risk analysis
The principles of risk analysis are as follows:
a) According to the source, type, motivation, etc. of threats, combined with historical
data statistics such as threat-related security incidents and logs, determine the
capability and frequency of threats;
b) According to the vulnerability access path and trigger requirements, etc., as well
as the implemented security control and its effectiveness, determine the degree of
difficulty of the vulnerability being exploited;
c) Determine the degree of impact on assets after a security incident occurs when a
vulnerability is exploited by a threat;
d) According to the capability and frequency of threat, combined with the degree of
difficulty of the vulnerability being exploited, determine the likelihood of a
security incident;
e) According to the position of the asset in the development plan and the property of
the asset, determine the asset value;
f) According to the impact degree and asset value, determine the loss caused to the
assessment object after the security incident occurs;
g) According to the possibility of a security incident and the loss caused by the
security incident, determine the risk value of the assessment object;
h) According to the risk evaluation criteria, the risk level is determined and used for
risk decision.
4.3 Risk assessment process
The implementation process of risk assessment is shown in Figure 2. The risk
assessment process shall include the following.
a) Assessment preparation. This stage shall include:
1) Determine the objective of risk assessment;
2) Determine the object, scope and boundaries of risk assessment;
3) Form an assessment team;
4) Carry out preliminary research;
5) Determine the basis for assessment;
security objectives of the assessment object change, risk assessment shall be carried out
again.
The results of risk assessment can provide decision support for risk treatment. Risk
treatment refers to a series of activities to deal with risks, such as accepting risks,
avoiding risks, transferring risks, and reducing risks, etc. Risk treatment is carried out
in accordance with GB/T 33132-2016.
5 Implementation of risk assessment
5.1 Preparation of risk assessment
Organization’s implementation of risk assessment is a strategic consideration. Its results
will be affected by organizational planning, business, business process, security
requirement, system scale and structure, etc. Therefore, before the implementation of
risk assessment, the following work shall be prepared.
a) On the basis of considering the work form of risk assessment, the stage in the
lifecycle, and the security assessment requirement of the assessed organization,
determine the risk assessment objective. Appendix A gives the risk assessment
content of each stage of assessment object lifecycle. Appendix B gives the
description of the work form of risk assessment.
b) Determine the object, scope and boundaries of risk assessment.
c) Form an assessment team and define assessment tools. Appendix C gives tools for
risk assessment.
d) Conduct preliminary research.
e) Determine the basis for assessment.
f) Establish risk evaluation criteria: Based on the consideration of national laws and
regulations, industry background and characteristics, the organization shall
establish risk evaluation criteria, to achieve risk control and management.
The risk evaluation criteria shall meet the following requirements:
1) Comply with the organization's security policy or security requirement;
2) Meet stakeholder expectations;
3) Align with the organization's business values.
The purpose of establishing risk evaluation criteria includes but is not limited to:
Before classifying a threat, it shall identify the source of the threat. Threat sources
include three categories: Environment, accident, and man-made. Appendix E gives
reference methods for threat identification. Table E.1 presents a classification of threat
sources.
According to the different threat sources, threats can be divided into types of threats
such as information damage and unauthorized behavior. Table E.2 provides a reference
for the division of threat types.
Threat subjects are divided according to man-made and environmental. Man-made is
divided into countries, organizations, and individuals. Environmental is divided into
general natural disasters, more serious natural disasters, and serious natural disasters.
Threat motivation refers to the internal motivation and reasons that guide and stimulate
man-made threats to carry out certain activities and have an impact on the business and
assets of the organization. Threat motivation can be divided into malicious and non-
malicious. Malicious includes attack, destruction, stealing, etc. Non-malicious includes
misoperation, curiosity, etc. Table E.3 gives a reference to a threat motivation
classification.
Threat timing can be divided into ordinary period, special period, and natural law.
Threat frequency shall be judged based on experience and relevant statistical data.
Considering the following four aspects, form the frequency of various threats in a
specific assessment environment:
a) Threats that have appeared in past security incident reports and their frequency
statistics;
b) Threats discovered through detection tools and various logs in the actual
environment and their frequency statistics;
c) Threats detected by monitoring in the actual environment and their frequency
statistics;
d) Recently publicly released social or industry-specific threats and their frequency
statistics, as well as issued threat warnings.
5.2.2.2 Threat assignment
Threat assignment shall be comprehensively calculated based on the threat behavior,
according to the behavioral capability and frequency of the threat, and combined with
the timing of the threat. And it shall set the corresponding rating method for grading.
The higher the level, the greater the possibility of the threat exploiting the vulnerability.
Table 7 gives a description of the division of threat assignment levels.
Relevant documents documenting the risk assessment process shall meet the following
requirements (including but not limited to):
a) Ensure that documents are approved before publication;
b) Ensure that changes to documents and the current revision status are identifiable
(there are edition control measures);
c) Ensure that the distribution of the documents is properly controlled AND that
applicable documents for the relevant edition are available at the time of use;
d) Prevent unintended use of obsolete documents. If obsolete documents need to be
retained for any purpose, these documents shall be appropriately identified.
For relevant documents formed during the risk assessment process, it shall specify the
controls required for their identification, storage, protection, retrieval, shelf life, and
disposal. The need for relevant documents and the level of detail are at the discretion
of the management of the organization.
5.6.2 Risk assessment documents
Risk assessment documents refer to the process documents and result documents
generated during the risk assessment process, including (but not limited to):
a) Risk assessment plan: Describe the risk assessment objectives, scope, personnel,
assessment methods, form of assessment results, and implementation progress,
etc.;
b) Asset identification list: Identify assets according to the asset classification
method determined by the organization; form an asset identification list
(including business assets, system assets, system components, and unit assets);
clarify the person responsible for the asset and the responsible department;
c) List of important assets: According to the results of asset identification and
assignment, form a list of important assets; including the name, description, type,
importance, responsible person, responsible department, etc. of the important
assets;
d) Threat list: According to the results of threat identification and assignment, form
a threat list; including threat source, type, threat behavior, capability, and
frequency, etc.;
e) List of existing security control: Identify the security control that has been taken;
form a list of existing security control; including the name, type, function
description, and implementation effect, etc. of the existing security control;
f) Vulnerability list: According to the results of vulnerability identification and
Appendix A
(Informative)
Risk assessment at each stage of assessment object lifecycle
A.1 Overview
Risk assessment shall run through all stages of the assessment object lifecycle. The risk
assessment principles and methods involved in each stage of the assessment object
lifecycle are consistent. But due to the different implementation contents, objects, and
security requirements in each stage, the risk assessment objects, purposes, requirements
and other aspects are also different. In the planning and design stage, use risk
assessment to determine the security objectives of the assessment object. In the
construction acceptance stage, use risk assessment to determine whether the security
objectives of the assessment object have been achieved or not. In the operation and
maintenance stage, risk assessment shall be carried out continuously, to identify the
ever-changing risks and vulnerabilities faced by the assessment object; so as to
determine the effectiveness of security control and ensure the realization of security
objectives. Therefore, the specific implementation of risk assessment in each stage shall
be carried out with emphasis according to the characteristics of the stage.
A.2 Risk assessment at the planning stage
The purpose of risk assessment in the planning stage is to identify the business plan of
the assessment object, to support the security requirement and security planning of the
assessment object. The assessment in the planning stage shall be able to describe the
effect of the assessment object on the existing business model after completion,
including technology, management and other aspects; and according to its effect,
DETERMINE the security objectives that the assessment object construction shall
achieve.
In this stage of assessment, assets and vulnerabilities do not need to be identified.
Threats shall be analyzed based on the aspects such as future application objects,
application environments, business conditions, and operational requirements. The
assessment focuses on the following areas:
a) Whether a security plan consistent with the business plan has been established in
accordance with the relevant rules and approved by the top management;
b) Whether a security policy that is compatible with the business has been
established and approved by the top security manager;
c) Whether the organization of assessment object development, business change
management, and development priorities are clearly defined in the system
planning;
d) Whether the threat and environment of the assessment object are considered in
the system planning; and whether the overall security policy is formulated;
e) Whether the information expected to be used by the assessment object is described
in the system planning, including the expected information system, the
importance of asset, the potential value, the possible use restriction, the degree of
support for the business, etc.;
f) Whether all operating environments related to the security of the assessment object
are described in the system planning, including the physical and personnel
security configuration; and whether the relevant regulations, organizational
security policies, expertise and knowledge are clearly defined.
The assessment results in the planning stage shall be reflected in the overall planning
or project proposal of the assessment object.
A.3 Risk assessment at the design stage
The risk assessment at the design stage needs to put forward the security function
requirements according to the operating environment, business importance, and asset
importance specified in the planning stage. The results of the risk assessment in the
design stage shall judge the compliance of the security functions provided in the design
plan, as the basis for implementing process risk control.
In this stage of assessment, the description of the threats faced in the design plan shall
be assessed in detail. The assets such as specific equipment and software used by the
assessment object and their security functions shall be formed into a requirement list.
The assessment of the design plan focuses on the following aspects:
a) Whether the design plan conforms to the construction plan of the assessment
object and has been approved by the top management;
b) Whether the design plan has analyzed the threats faced by the assessment object
after construction, focusing on the threats from the physical environment and
nature, as well as threats caused by internal and external intrusions, etc.;
c) Whether the security requirements in the design plan meet the security objectives
in the planning stage; and based on the analysis of threats, formulate the overall
security policy of the assessment object;
d) Whether the design plan has taken certain measures to deal with possible failures;
e) Whether the design plan assesses the vulnerability of the technical implementation
a) Laws, policies, applicable standards and guidelines: Specific laws that directly or
indirectly affect the security requirement of assessment object; government
policies, international or national standards that affect the security requirement
and product selection of assessment object;
b) Functional needs of assessment object: Whether the security requirement
effectively supports the functionality of the system;
c) Cost-effectiveness risk: Based on the analysis results of the assets, threats and
vulnerabilities of the assessment object, whether to select the most appropriate
security control under the premise of complying with relevant laws, policies,
standards and functional needs;
d) Assessment assurance level: Whether it is clear what tests and inspections shall
be carried out after the system is constructed, so as to determine whether it meets
the requirements of project construction and implementation specifications.
A.5 Risk assessment at the delivery stage
The assessment points of the system delivery implementation process include:
a) According to the actual system being constructed, analyze the assets, threats and
vulnerabilities in detail;
b) According to the system construction goals and security requirements, carry out
the acceptance test of the security function of the system; evaluate whether the
security control can resist security threats;
c) Assess whether an organizational management system that is consistent with the
overall security policy has been established;
d) Judge the compliance of the risk control effect realized by the system with the
expected design. If there is a big inconsistency, the design and adjustment of the
security policy of assessment object shall be redone.
Risk assessment at this stage can be used to test and analyze the actual construction
results by comparing the implementation plan and standard requirements.
A.6 Risk assessment at the operation stage
The purpose of risk assessment in the operation and maintenance stage is to understand
and control the security risks in the operation process, which is a relatively
comprehensive risk assessment. The assessment includes all aspects of the real
operating assets, threats, vulnerabilities, etc.
a) Asset assessment: It includes assessment of business, system assets, system
components, and unit assets. Business assessment includes business positioning,
business relevance, integrity, and business process analysis. System asset
assessment includes system classification and business bearing continuity
assessment. System components and unit assets are more detailed assessments in
the real environment; including hardware and software assets purchased during
the implementation stage; information assets generated during system operation,
related personnel and services, etc. Asset identification at this stage is a
supplement and addition to previous asset identification.
b) Threat assessment: The likelihood and severity of threats shall be thoroughly
analyzed. The assessment of threats leading to security incidents can refer to
threat source motivations, capabilities, and frequency of security incidents.
c) Vulnerability assessment: It is a comprehensive vulnerability assessment. It
includes the vulnerability of physical, network, system, application, security
guarantee equipment, management and other aspects in the operating
environment. Technology vulnerability assessment can be implemented by means
of verification, scanning, case verification, and penetration testing. The
vulnerability assessment of security guarantee equipment shall include the
realization of security functions and the vulnerability of the security guarantee
equipment itself. The management vulnerability assessment can be verified by
means of documentation, record verification, etc.
d) Risk calculation: According to the relevant methods of this document, qualitative
or quantitative risk analysis is carried out, to describe the risk level of different
business and system assets.
Risk assessment in the operation and maintenance stage shall be carried out regularly.
When the organization's business processes and system conditions undergo major
changes, risk assessment shall also be conducted. Major changes include the following
(but not limited to):
a) Add new applications or there are major changes in applications;
b) There are major changes in network structure and connection status;
c) Large-scale update of technology platform;
d) System capacity expansion or transformation;
e) After a major security incident occurs; or based on certain operating records, it is
suspected that a major security incident will occur;
f) A major change in the organizational structure has an impact on the system.
A.7 Risk assessment at the abandonment stage
......
GB/T 20984-2007
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Risk assessment
specification for information security
ISSUED ON. JUNE 14, 2007
IMPLEMENTED ON. NOVEMBER 01, 2007
Issued by. General Administration of Quality Supervision, Inspection and
Quarantine;
Standardization Administration of PRC.
Table of Contents
Foreword ... 4
Introduction ... 5
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 6
4 Framework and process for risk assessment ... 10
4.1 Relationship of risk elements ... 10
4.2 Principles of risk analysis ... 11
4.3 Implementation process ... 12
5 Implementation of risk assessment ... 13
5.1 Preparation of risk assessment ... 13
5.2 Identification of asset ... 16
5.3 Identification of threats ... 20
5.4 Identification of vulnerability ... 23
5.5 Confirmation of existing security measures... 25
5.6 Risk analysis ... 26
5.7 Documentation of risk assessment ... 29
6 Risk assessment at each phase of the life cycle of information system ... 31
6.1 Overview of life cycle of information system ... 31
6.2 Risk assessment in the planning phase ... 31
6.3 Risk assessment in the design phase ... 32
6.4 Risk assessment in the implementation phase ... 33
6.5 Risk assessment in the operation-maintenance phase ... 35
6.6 Risk assessment in the obsolete phase ... 36
7 Working form of risk assessment ... 37
7.1 Overview ... 37
7.2 Self-assessment ... 37
7.3 Inspection-assessment ... 38
Appendix A (Informative) Calculation method of risk ... 40
A.1 Risk calculation by matrix method ... 40
A.2 Calculation of risk by multiplication method... 46
Appendix B (Informative) Risk assessment tool ... 50
B.1 Risk assessment and management tools ... 50
B.2 System fundamental platform’s risk assessment tool ... 52
B.3 Risk assessment aids ... 53
References ... 55
Information security technology - Risk assessment
specification for information security
1 Scope
This standard proposes the basic concepts, element relationships, analysis
principles, implementation processes, assessment methods of risk assessment,
as well as the implementation key-points and working forms of risk assessment
at different stages of the life cycle of information system.
This standard applies to normalizing the risk assessment work carried out by
the organization.
2 Normative references
The provisions in following documents become the provisions of this standard
through reference in this standard. For the dated references, the subsequent
amendments (excluding corrections) or revisions do not apply to this standard;
however, parties who reach an agreement based on this standard are
encouraged to study if the latest versions of these documents are applicable.
For undated references, the latest edition of the referenced document applies.
GB/T 9361 Security requirements for computer field
GB 17859-1999 Classified criteria for security protection of computer
information system
GB/T 18336-2001 Information technology - Security techniques -
Assessment criteria for IT security (idt ISO/IEC 15408.1999)
GB/T 19716-2005 Information technology - Code of practice for information
security management (ISO/IEC 17799.2000, MOD)
3 Terms and definitions
The following terms and definitions apply to this standard.
3.1
Asset
c) Risk is caused by threats. The more threats an asset faces, the greater
the risk, which may evolve into a security incident;
d) The vulnerability of an asset may expose the value of the asset. The more
vulnerable the asset is, the greater the risk;
e) Vulnerability is an unsatisfied security requirement, that threatens to
exploit vulnerabilities to harm assets;
f) The existence of risks and knowledge of risks to derive security
requirements;
g) Security requirements can be met through security measures, the
implementation costs need to be considered in conjunction with asset
values;
h) Security measures can protect against threats and reduce risks;
i) Some residual risks are risks due to improper or ineffective security
measures, such risks can be controlled through enhancing the security
measures; some other residual risks are those that are not controlled after
comprehensively considering the security costs and benefits;
j) Residual risks shall be closely monitored, it may induce new security
incidents in the future.
4.2 Principles of risk analysis
The principle of risk analysis is as shown in Figure 2.
Risk analysis involves three basic elements. assets, threats, vulnerabilities.
Each element has its own attribute. The attribute of the asset is the asset value;
the attribute of the threat can be the subject of threat, the object of impact, the
frequency of occurrence, the motivation, etc.; the attribute of vulnerability is the
severity of the weakness of the asset.
The main contents of the risk analysis are.
a) Identify the assets, assign values to the assets;
b) Identify the threat, describe the attributes of the threat, assign a value to
the frequency of the threat;
c) Identify the vulnerabilities, assign values to the severity of the vulnerability
of specific assets;
d) Judge the likelihood of the occurrence of a security incident based on the
a) Determine the objectives of the risk assessment;
b) Determine the scope of the risk assessment;
c) Form an appropriate team for the management and implementation of
assessment;
d) Conduct the systematic research;
e) Determine the basis and method of assessment;
f) Develop a risk assessment plan;
g) Get top management’s support for risk assessment work.
5.1.2 Determination of target
Based on the security requirements of the organization's continuous business
development as well as the legal and regulatory requirements, identify the
deficiencies of the existing information systems and management, as well as
the possible risks caused.
5.1.3 Determination of scope
The scope of risk assessment may be the organization's entire information and
various assets and management related to information processing, or it may be
an independent information system, key business processes, systems or
departments related to customer’s intellectual property.
5.1.4 Formation of team
For the implementation team of risk assessment, the management grade, the
relevant business backbones, the information technology personnel, etc. form
the risk assessment team. If necessary, it may establish a risk assessment
leading team which consists of the leaders of the assessing party, the leaders
of the assessed party, the person in charge of the relevant department. It shall
hire the relevant technical experts and technical backbones to form an expert
team.
The implementation team of assessment shall do well in all preparation works
including forms, documents, testing tools, etc. Before the assessment, conduct
technical training and confidential education on risk assessment, formulate
relevant provisions for the management of risk assessment process. According
to the requirements of the assessed party, both parties may sign a
confidentiality contract and, if necessary, sign a personal confidentiality
agreement.
5.1.5 System research
effect, personnel quality and other elements of the assessment, to select the
specific method of risk calculation; based on the requirements of the
implementation of business for the security operation of the system, determine
the relevant basis for judgement, to make it be appropriate to the organizational
environment and security requirements.
5.1.7 Establishment of plan
The purpose of the risk assessment plan is to provide a master plan for the
subsequent activities of implementing risk assessment, to guide the
implementers to carry out the follow-up work. The content of the risk
assessment plan generally includes (but is not limited to).
a) Team organization. including assessment of team members,
organizational structure, roles, responsibilities, etc.;
b) Work plan. work plan of each stage of risk assessment, including work
content, work form, work result, etc.;
c) Time schedule. time schedule for the implementation of project.
5.1.8 Getting support
After determining all the above contents, it shall form a relatively complete risk
assessment implementation plan, which shall be supported and approved by
the top management of the organization. It shall be communicated to the
management and technical personnel, carry out training on the relevant
contents of risk assessment within the organization’s scope, so as to define the
task of personnel in risk assessment.
5.2 Identification of asset
5.2.1 Classification of asset
Confidentiality, integrity and availability are three security attributes for
assessing assets. The value of an asset in a risk assessment is not measured
by the economic value of the asset, but by the extent to which the asset's
achievement in these three security attributes or the extent to which it causes
when its security attributes are not achieved. The different degree of
achievement of security attributes will make assets have different values, whilst
the threats faced, the vulnerabilities existed, the security measures adopted of
assets will have an impact on the degree of achievement of asset’s security
attributes. Therefore, it shall identify the assets in the organization.
In an organization, assets have multiple manifestations. The same two assets
are also of different importance because they belong to different information
Security measures can be divided into two types. preventive security measures
and protective security measures. Preventive security measures can reduce
the likelihood of the occurrence of security incident due to the threat exploiting
the vulnerability, such as an intrusion detection system. Protective security
measures can reduce the impact on an organization or system after a security
incident occurs.
The confirmation of the existing security measures has a certain relationship
with the identification of vulnerability. In general, the use of security measures
will reduce the system’s vulnerabilities in technology or management, but the
confirmation of security measures does not need to be as specific to the
vulnerability of each asset and component as that of the identification process
of vulnerability, but rather a set of specific measures. It provides basis and
reference for the establishment of the risk management plan.
5.6 Risk analysis
5.6.1 Principle of risk calculation
After finishing asset identification, threat identification, vulnerability
identification, as well as the confirmation of the existing security measures, it
will use appropriate methods and tools to determine the likelihood of occurrence
of security incident due to the threat’s exploiting of vulnerability. Combine the
value of asset on which the security incident acts and the severity of
vulnerability, to judge the impact of the loss caused by the security incident on
the organization, that is, the security risk. This standard gives the principle of
risk calculation, which is explained by the following paradigm.
Risk value = R (A, T, V) = R (L (T, V), F (Ia, Va)).
Where R is the calculation function of security risk; A is the asset; T is the threat;
V is the vulnerability; Ia is the value of the asset that the security incident is
acting on; Va is the severity of the vulnerability; L is the likelihood of occurrence
of security incident as caused by the threat’s exploiting of vulnerability; F is the
loss caused by a security incident. There are three key calculations as below.
a) Calculate the likelihood of a security incident
Based on the frequency of threats and the status of vulnerability, calculate
the likelihood of occurrence of security incident which is caused by a
threat’s exploiting of vulnerability, namely.
The likelihood of a security incident = L (the frequency of threats,
vulnerability) = L (T, V).
In the specific assessment, it shall combine the technical capabilities of
the attacker (professional skill grade, attacking equipment, etc.), the
difficulty of exploiting the vulnerability (accessibility time, disclosure
degree of design and operational knowledge, etc.), asset attractiveness
and other elements, to judge the likelihood of occurrence of a security
incident.
b) Calculate the loss caused by the occurrence of a security incident
Based on the asset value and the severity of vulnerability, calculate the
loss caused by the occurrence of a security incident, i.e..
Loss caused by security incidents = F (asset value, vulnerability severity)
= F (Ia, Va).
The loss caused by the occurrence of some security incidents is not only
for the asset itself, but also for the continuity of the business; the impact
of different security incidents on the organization is also different. When
calculating the loss of a security incident, the impact on the organization
shall also be taken into account.
The judgment of the loss caused by some security incidents shall also
refer to the likelihood results of the occurrence of security incidents. For
the security incidents of very-low likelihood (such as earthquake threats
in non-seismic zones, power failure threats under the condition of
complete power supply measures, etc.), it may not calculate its loss.
c) Calculate the risk value
Based on the calculated likelihood of a security incident and the loss
caused by the security incident, calculate the risk value, that is.
Risk value = R (likelihood of security incident, loss due to security incident)
= R (L (T, V), F (Ia, Va)).
The assessor may, based on its own conditions, select the corresponding
risk calculation method, to calculate the risk value, such as matrix method
or multiplication method. The matrix method constructs a two-
dimensional matrix, to form a two-dimensional relationship between the
likelihood of a security incident and the loss caused by a security incident;
the multiplication method constructs an empirical function, to compute the
likelihood of a security incident and the loss caused by a security incident,
thereby obtaining the risk value.
Appendix A gives an example of risk calculations by matrix method and
multiplication method.
5.6.2 Judgement of risk results
choice of security measures shall be considered in terms of management and
technology. The selection and implementation of security measures shall be
carried out in accordance with relevant standards for information security.
5.6.4 Assessment of residual risk
For the unacceptable risks, after selecting appropriate security measures, to
ensure the effectiveness of the security measures, it may perform a
reassessment, to judge whether the residual risk after the implementation of
the security measures has been reduced to an acceptable grade. The
assessment of residual risk can be carried out according to the risk assessment
process as proposed in this standard, it can also be appropriately reduced. In
general, the implementation of security measures is to reduce the vulnerability
or to reduce the likelihood of a security incident. Therefore, the assessment of
residual risk can start from the assessment of vulnerability. After comparing the
vulnerability status before and after the implementation of the security
measures, calculate the size of the risk value again.
For certain risks, the residual risks may, after taking appropriate security
measures, still be in an unacceptable risk range, so it shall consider whether to
accept this risk or further take corresponding security measures.
5.7 Documentation of risk assessment
5.7.1 Requirements for documentation of risk assessment
The relevant documentation for the risk assessment process shall meet the
following requirements (but not limited to this).
a) Ensure that the document is approved before it is released;
b) Ensure that the changes to the documentation and the current revision
status are identifiable;
c) Ensure that the distribution of the documentation is properly controlled, it
can obtain the applicable documentation of relevant version;
d) Prevent unintended use of obsolete documents. If the obsolete documents
need to be kept for any purposes, these documents shall be properly
identified.
For the relevant documents formed during the risk assessment process, it shall
also specify its identification, storage, protection, retrieval, shelf life and control
required for disposal.
Whether the relevant documents are required as well as the grade of detail are
security measures, clarify responsibilities, schedules, resources; assess
the residual risks to determine the effectiveness of selected security
measures;
j) Risk assessment record. According to the risk assessment procedure, it
requires that various on-site records in the risk assessment process can
reproduce the assessment process and serve as a basis for solving the
problem after ambiguity is generated.
6 Risk assessment at each phase of the life cycle of
information system
6.1 Overview of life cycle of information system
Risk assessment shall be carried out throughout the life cycle of the information
system. The principles and methods of risk assessment involved in each phase
of the life cycle of information system are consistent. However, due to the
different content, objects, and security requirements of each phase, the objects,
objectives, and requirements of the risk assessment are also different.
Specifically, in the planning and design phase, the risk assessment is used to
determine the security objectives of the system; in the construction acceptance
phase, the risk assessment is used to determine whether the security objectives
of the system are achieved or not; in the operation-maintenance phase, the risk
assessment is continuously implemented to identify the ever-changing risks
and vulnerabilities of the system, to determine the effectiveness of security
measures and to ensure that security objectives are achieved. Therefore, the
specific implementation of the risk assessment at each phase shall be carried
out in a focused manner based on the characteristics of the phase. When
conditions permit, it shall use the risk assessment tools to conduct risk
assessment activities.
See Appendix B for a description of the risk assessment tools.
6.2 Risk assessment in the planning phase
The purpose of the risk assessment in the planning phase is to identify the
business strategy of the system, to support system’s security requirements and
security strategies. The assessment in the planning phase shall be able to
describe the role of the information system after the completion on the existing
business model, including technology, management, etc., determine the
security objectives that the system shall achieve according to its role.
b) Whether the design plan analyze the threats faced by the system after
construction, focusing on analyzing threats from the physical environment
and nature, as well as threats caused by internal and external intrusions;
c) Whether the security requirements in the design plan meet the security
objectives of the planning phase, develop an overall security policy for the
information system based on the analysis of the threat;
d) Whether the design has taken certain measures to deal with possible
system failures;
e) Whether the design plan assesses such aspects as the technical
implementation of the design prototype and the vulnerability of personnel,
organizational management, etc., including the management
vulnerabilities in the design process and the inherent vulnerabilities of the
technology platform;
f) Whether the design plan considers the risks that may arise as other
systems are accessed;
g) Whether the system performance meets the user’s needs, considers the
impact of the peak value, whether technically considers the methods to
meet technical requirements of the system performance;
h) Whether the application system (including the database) is designed
securely according to business requirements;
i) Whether the design plan selects the development method according to the
scale, time and system characteristics of the development, performs the
analysis and type selection of the system-related software, hardware and
network, according to the design development plan and the user’s needs;
j) The impact of security control measures and security technical safeguards
used in design activities on risks. After the change of security
requirements and the change of design, it shall also repeat this
assessment.
The assessment in the design phase can be carried out in the form of a security
construction plan review, to determine the compliance of the security functions
provided by the plan with the technical standards on the information technology
security. The results of the assessment shall be reflected in the analysis report
of information system needs or the construction implementation plan.
6.4 Risk assessment in the implementation phase
The purpose of implementing the risk assessment in the implementation phase
consistent with the overall security strategy;
d) Judge the compliance of the risk control effect achieved by the system to
the expected design. If there is a large nonconformance, it shall design
and adjust the security strategy of the information system again.
For the risk assessment at this phase, it may use the method of reference to
the implementation plan and the standard requirements, to test and analyze the
actual construction results.
6.5 Risk assessment in the operation-maintenance phase
The purpose of the risk assessment in the operation-maintenance phase is to
understand and control the security risks in the operation process, which is a
relatively-comprehensive risk assessment. The assessment includes such
aspects as the actually-operated information system, asset, threat, vulnerability.
a) Assessment of asset. A more detailed assessment in a real environment.
It includes the software-hardware assets purchased in the implementation
phase, the information assets generated in the operation process of the
system, the related personnel and services. The identification of asset at
this phase is the supplement and addition to the identification of asset of
the earlier phase;
b) Assessment of threat. It shall thoroughly analyze the likelihood and impact
of threats. For the assessment of security incidents caused by
unintentional threats, it may refer to the frequency of occurrence of
security incidents; for the assessment of security incidents caused by
intentional threats, it shall mainly make professional judgments on the
various influencing elements of threats;
c) Assessment of vulnerability. A comprehensive vulnerability assessment. It
includes the vulnerabilities of physical, network, system, application,
security equipment, management in the operating environment. The
assessment of technology vulnerability can be implemented by means of
verification, scanning, case verification, permeability testing; the
vulnerability assessment of security equipment shall consider the
implementation of security functions and the vulnerability of the security
equipment itself; the assessment of management vulnerability can be
verified by means of documentation, record verification, etc.
d) Calculation of risk. According to the relevant methods of this standard,
perform qualitative or quantitative analysis of the risks of important assets,
to describe the risk grade of different assets.
Risk assessment during the operation-maintenance phase shall be performed
Maintenance technicians and managers of information systems shall be
involved in the assessment of this phase.
7 Working form of risk assessment
7.1 Overview
The risk assessment of information security is divided into two types. self-
assessment and inspection-assessment. The risk assessment of information
security shall focus on self-assessment, the self-assessment and inspection-
assessment shall be combined and complement each other.
7.2 Self-assessment
Self-assessment refers to the risk assessment conducted by the organization
owning, operating or using the information system against the information
system of the organization itself. Self-assessment shall be carried out in
conjunction with system-specific security requirements under the guidance of
this standard. Regular self-assessments can be appropriately streamlined in
the assessment process, focusing on new threats introduced since the last
assessment of the system, as well as the complete identification of system
vulnerabilities, to facilitate comparison of the results of two assessment.
However, in the event of a major change listed in 6.5 occurs, it shall perform a
complete assessment in accordance with this standard.
The self-assessment may be implemented by the sponsor or commissioned to
the technical support party of the risk assessment service. The assessments
carried out by the sponsors can reduce the cost of implementation and improve
the security awareness of the relevant personnel of the information system, but
the results may not be thorough and accurate due to the lack of professional
skills in risk assessment; at the same time, due to the impacts of various
elements within the organization, the objectivity of the assessment results is
susceptible. For the assessment as implemented by the technical support party
of the risk assessment service, the process is more standardized, the
assessment results are more objective, the degree of credibility is higher; but
due to the limitations of industry knowledge and skills and business
understanding, the understanding of the assessed system, especially for the
special requirements for business, has certain limitations. However, since the
introduction of a third party is itself a risk element, it shall control such aspects
as its background and qualifications, the confidentiality requirements of the
assessment process and results.
In addition, in order to ensure the implementation of the risk assessment, the
Appendix A
(Informative)
Calculation method of risk
To calculate the risk, it is necessary to determine the risk elements, the
combination of the elements, the specific calculation method. Use the specific
calculation method to calculate the risk elements according to the combination
method, to obtain the risk value.
At present, the risk elements involved in the risk value calculation in the general
risk assessment are generally assets, threats, vulnerabilities (the relationship
is as shown in Figure 1). The combination method of these elements is
indicated in the principle of risk calculation of 5.6.1. From the threats and
vulnerabilit......
......
|