Search result: GB/T 42926-2023

Standard ID: GB/T 42926-2023 (GB/T42926-2023)
Contents [version]: English
Price: USD 1179
PDF delivered in: 8 days [Need to translate]
Standard Title (Translated English): Specification of financial information system cybersecurity risk assessment
Status: Valid
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: A11
Classification of International Standard: 03.060
Word Count Estimation: 62,634
Date of Issue: 2023-08-06
Date of Implementation: 2023-12-01
Issuing agency(ies): State Administration for Market Regulation, National Standardization Administration
GB/T 42926-2023: Specification for Network Security Risk Assessment of Financial Information Systems
ICS 03.060
CCS A11
National Standard of the People's Republic of China
Specification for Network Security Risk Assessment of Financial Information Systems
Published on 2023-08-06
Implemented on 2023-12-01
Issued by the State Administration for Market Regulation and the National Standardization Administration
Table of contents
Preface I
Introduction II
1 Scope 1
2 Normative reference documents 1
3 Terms and definitions 1
4 Abbreviations 1
5 Key points and principles of risk assessment work 2
5.1 Key points of the work 2
5.2 Working principles 2
6 Elements and principles of risk assessment 2
6.1 Risk assessment elements 2
6.2 Principles of risk assessment 3
7 Phased work of risk assessment 4
7.1 Preparation phase 4
7.2 Identification phase 5
7.3 Risk calculation and treatment phase 11
Appendix A (informative) Assessment reference sample 15
A.1 Network security management protection vulnerability assessment (235 points) 15
A.2 Network security technical protection vulnerability assessment (258 points) 29
Appendix B (informative) Asset identification and value assignment table 49
Appendix C (informative) Information system threat assessment method 52
Appendix D (informative) Information system vulnerability assignment method 53
D.1 Level-based vulnerability assessment and assignment 53
D.2 Information system vulnerability assessment and assignment 54
Appendix E (informative) Method for assigning the likelihood that an information system vulnerability is exploited 56
Appendix F (informative) Asset risk list of the information system 57
References 58
Preface
This document was drafted in accordance with the provisions of GB/T 1.1-2020 "Directives for standardization Part 1: Rules for the structure and drafting of standardizing documents".
Please note that some content of this document may be subject to patents. The issuing body of this document assumes no responsibility for identifying such patents.
This document is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC180).
This document was drafted by: China Financial Electronic Group Co., Ltd., Beijing National Financial Technology Certification Center Co., Ltd., Beijing Tianrong Information Network Security Technology Co., Ltd., Industrial and Commercial Bank of China Co., Ltd., AsiaInfo Technology (Chengdu) Co., Ltd.
The main drafters of this document: Zhang Haiyan, Tang Hui, Gao Qiangyi, Pan Liyang, Zhang Lu, Zhang Shu, Yang Jian, Meng Xianzhe, Li Ji, Jin Hongyue, Li Zhelong.
Introduction
As the integration of finance and technology becomes a new trend, application scenarios for new financial technologies such as cloud computing, big data, the Internet of Things, mobile Internet and artificial intelligence are growing explosively, and financial information systems face complex and ever-changing cybersecurity threats and an increasingly severe cybersecurity situation.
Cybersecurity risk assessment of financial information systems helps to comprehensively analyze the threats, vulnerabilities and risk levels faced by financial information systems, and to carry out risk treatment on the basis of the assessment results. To adapt better to changes in financial technology, the cybersecurity risk assessment system for financial information systems also needs further improvement.
This document builds on mature risk assessment methodology, combined with the characteristics of financial information systems and the requirements for information system security construction, to set out cybersecurity risk assessment models, processes and risk analysis methods for financial business and financial information systems, and thereby provides guidance for the cybersecurity risk assessment commonly carried out on financial information systems.
Specifications for Network Security Risk Assessment of Financial Information Systems
1 Scope
This document establishes the key points and principles of risk assessment work and the elements and principles of risk assessment, and specifies the requirements for the preparation phase, the identification phase, and the risk calculation and treatment phase of risk assessment work.
This document is applicable to financial management departments, financial industry institutions and cybersecurity risk assessment service agencies when they carry out cybersecurity risk assessment of financial information systems.
Note: "Risk assessment" in this document refers to "financial information system cybersecurity risk assessment".
2 Normative reference documents
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 20269-2006 Information security technology information system security management requirements
GB/T 20984-2022 Information security technology Information security risk assessment method
GB/T 22240-2020 Information security technology network security level protection grading guide
GB/T 25069-2022 Information security technical terms
GB/T 31509-2015 Information Security Technology Information Security Risk Assessment Implementation Guide
3 Terms and definitions
The terms and definitions given in GB/T 20269-2006, GB/T 25069-2022 and GB/T 20984-2022, together with the following, apply to this document.
3.1
asset value
An indication of the importance or sensitivity of an asset.
Note: Asset value is an attribute of the asset and is also the main content of asset identification.
4 Abbreviations
The following abbreviations apply to this document.
ty)
......