GB/T 20984-2007: Information security technology -- Risk assessment specification for information security
Newer version: (Replacing this standard) GB/T 20984-2022
GB/T 20984-2007
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Risk assessment
specification for information security
ISSUED ON: JUNE 14, 2007
IMPLEMENTED ON: NOVEMBER 01, 2007
Issued by: General Administration of Quality Supervision, Inspection and
Quarantine;
Standardization Administration of PRC.
Table of Contents
Foreword ... 4
Introduction ... 5
1 Scope ... 6
2 Normative references ... 6
3 Terms and definitions ... 6
4 Framework and process for risk assessment ... 10
4.1 Relationship of risk elements ... 10
4.2 Principles of risk analysis ... 11
4.3 Implementation process ... 12
5 Implementation of risk assessment ... 13
5.1 Preparation of risk assessment ... 13
5.2 Identification of asset ... 16
5.3 Identification of threats ... 20
5.4 Identification of vulnerability ... 23
5.5 Confirmation of existing security measures... 25
5.6 Risk analysis ... 26
5.7 Documentation of risk assessment ... 29
6 Risk assessment at each phase of the life cycle of information system ... 31
6.1 Overview of life cycle of information system ... 31
6.2 Risk assessment in the planning phase ... 31
6.3 Risk assessment in the design phase ... 32
6.4 Risk assessment in the implementation phase ... 33
6.5 Risk assessment in the operation-maintenance phase ... 35
6.6 Risk assessment in the obsolete phase ... 36
7 Working form of risk assessment ... 37
7.1 Overview ... 37
7.2 Self-assessment ... 37
7.3 Inspection-assessment ... 38
Appendix A (Informative) Calculation method of risk ... 40
A.1 Risk calculation by matrix method ... 40
A.2 Calculation of risk by multiplication method... 46
Appendix B (Informative) Risk assessment tool ... 50
B.1 Risk assessment and management tools ... 50
B.2 System fundamental platform’s risk assessment tool ... 52
B.3 Risk assessment aids ... 53
References ... 55
Information security technology - Risk assessment
specification for information security
1 Scope
This standard proposes the basic concepts, element relationships, analysis
principles, implementation processes, assessment methods of risk assessment,
as well as the implementation key-points and working forms of risk assessment
at different stages of the life cycle of information system.
This standard applies to normalizing the risk assessment work carried out by
the organization.
2 Normative references
The provisions in following documents become the provisions of this standard
through reference in this standard. For the dated references, the subsequent
amendments (excluding corrections) or revisions do not apply to this standard;
however, parties who reach an agreement based on this standard are
encouraged to study if the latest versions of these documents are applicable.
For undated references, the latest edition of the referenced document applies.
GB/T 9361 Security requirements for computer field
GB 17859-1999 Classified criteria for security protection of computer
information system
GB/T 18336-2001 Information technology - Security techniques -
Assessment criteria for IT security (idt ISO/IEC 15408:1999)
GB/T 19716-2005 Information technology - Code of practice for information
security management (ISO/IEC 17799:2000, MOD)
3 Terms and definitions
The following terms and definitions apply to this standard.
3.1
Asset
c) Risk is caused by threats. The more threats an asset faces, the greater
the risk, which may evolve into a security incident;
d) The vulnerability of an asset may expose the value of the asset. The more
vulnerable the asset is, the greater the risk;
e) Vulnerability is an unsatisfied security requirement; threats exploit
vulnerabilities to harm assets;
f) The existence of risks, and the awareness of those risks, derive the
security requirements;
g) Security requirements can be met through security measures, whose
implementation costs need to be considered in conjunction with asset
values;
h) Security measures can protect against threats and reduce risks;
i) Some residual risks are due to improper or ineffective security
measures; such risks can be controlled by enhancing the security
measures. Other residual risks are those left uncontrolled after
comprehensively weighing security costs against benefits;
j) Residual risks shall be closely monitored, as they may induce new security
incidents in the future.
4.2 Principles of risk analysis
The principle of risk analysis is as shown in Figure 2.
Risk analysis involves three basic elements: assets, threats and vulnerabilities.
Each element has its own attribute. The attribute of the asset is the asset value;
the attribute of the threat can be the subject of threat, the object of impact, the
frequency of occurrence, the motivation, etc.; the attribute of vulnerability is the
severity of the weakness of the asset.
The main contents of the risk analysis are:
a) Identify the assets, assign values to the assets;
b) Identify the threat, describe the attributes of the threat, assign a value to
the frequency of the threat;
c) Identify the vulnerabilities, assign values to the severity of the vulnerability
of specific assets;
d) Judge the likelihood of the occurrence of a security incident based on the
a) Determine the objectives of the risk assessment;
b) Determine the scope of the risk assessment;
c) Form an appropriate team for the management and implementation of
assessment;
d) Conduct the systematic research;
e) Determine the basis and method of assessment;
f) Develop a risk assessment plan;
g) Get top management’s support for risk assessment work.
5.1.2 Determination of target
Based on the security requirements of the organization's continuous business
development as well as the legal and regulatory requirements, identify the
deficiencies of the existing information systems and management, as well as
the possible risks caused.
5.1.3 Determination of scope
The scope of risk assessment may be the organization's entire information and
various assets and management related to information processing, or it may be
an independent information system, key business processes, systems or
departments related to customer’s intellectual property.
5.1.4 Formation of team
For the implementation team of risk assessment, the management grade, the
relevant business backbones, the information technology personnel, etc. form
the risk assessment team. If necessary, it may establish a risk assessment
leading team which consists of the leaders of the assessing party, the leaders
of the assessed party, the person in charge of the relevant department. It shall
hire the relevant technical experts and technical backbones to form an expert
team.
The implementation team of assessment shall do well in all preparation works
including forms, documents, testing tools, etc. Before the assessment, conduct
technical training and confidential education on risk assessment, formulate
relevant provisions for the management of risk assessment process. According
to the requirements of the assessed party, both parties may sign a
confidentiality contract and, if necessary, sign a personal confidentiality
agreement.
5.1.5 System research
effect, personnel quality and other elements of the assessment, to select the
specific method of risk calculation; based on the requirements that business
implementation places on the secure operation of the system, determine the
relevant basis for judgement, so that it suits the organization's environment
and security requirements.
5.1.7 Establishment of plan
The purpose of the risk assessment plan is to provide a master plan for the
subsequent activities of implementing risk assessment, to guide the
implementers to carry out the follow-up work. The content of the risk
assessment plan generally includes (but is not limited to):
a) Team organization: including the assessment team members, the
organizational structure, roles, responsibilities, etc.;
b) Work plan: the work plan for each stage of the risk assessment, including
work content, work form, work results, etc.;
c) Time schedule: the time schedule for the implementation of the project.
5.1.8 Getting support
After determining all the above contents, it shall form a relatively complete risk
assessment implementation plan, which shall be supported and approved by
the top management of the organization. It shall be communicated to the
management and technical personnel, carry out training on the relevant
contents of risk assessment within the organization’s scope, so as to define the
task of personnel in risk assessment.
5.2 Identification of asset
5.2.1 Classification of asset
Confidentiality, integrity and availability are the three security attributes by
which assets are assessed. The value of an asset in a risk assessment is not
measured by its economic value, but by the degree to which the asset achieves
these three security attributes, or by the extent of the impact when they are
not achieved. Different degrees of achievement of the security attributes give
assets different values, while the threats faced, the vulnerabilities present
and the security measures adopted for an asset all affect the degree to which
its security attributes are achieved. Therefore, the assets in the organization
shall be identified.
In an organization, assets have multiple manifestations. The same two assets
are also of different importance because they belong to different information
Security measures can be divided into two types: preventive security measures
and protective security measures. Preventive security measures reduce the
likelihood that a security incident occurs as a result of a threat exploiting
a vulnerability, for example an intrusion detection system. Protective security
measures reduce the impact on the organization or system after a security
incident has occurred.
The confirmation of existing security measures is related to the identification
of vulnerabilities. In general, security measures reduce the system's technical
or management vulnerabilities. However, confirming the security measures need
not be as specific to each asset and component as the vulnerability
identification process; it is rather a confirmation of a set of specific
measures. It provides a basis and reference for establishing the risk
management plan.
5.6 Risk analysis
5.6.1 Principle of risk calculation
After finishing asset identification, threat identification, vulnerability
identification, as well as the confirmation of the existing security measures, it
will use appropriate methods and tools to determine the likelihood of occurrence
of security incident due to the threat’s exploiting of vulnerability. Combine the
value of asset on which the security incident acts and the severity of
vulnerability, to judge the impact of the loss caused by the security incident on
the organization, that is, the security risk. This standard gives the principle of
risk calculation, which is explained by the following paradigm:
Risk value = R (A, T, V) = R (L (T, V), F (Ia, Va)).
Where R is the calculation function of security risk; A is the asset; T is the threat;
V is the vulnerability; Ia is the value of the asset that the security incident is
acting on; Va is the severity of the vulnerability; L is the likelihood of occurrence
of security incident as caused by the threat’s exploiting of vulnerability; F is the
loss caused by a security incident. There are three key calculations as below:
a) Calculate the likelihood of a security incident
Based on the frequency of threats and the status of vulnerability, calculate
the likelihood of occurrence of security incident which is caused by a
threat’s exploiting of vulnerability, namely:
The likelihood of a security incident = L (the frequency of threats,
vulnerability) = L (T, V).
In the specific assessment, it shall combine the technical capabilities of
the attacker (professional skill grade, attacking equipment, etc.), the
difficulty of exploiting the vulnerability (accessibility time, disclosure
degree of design and operational knowledge, etc.), asset attractiveness
and other elements, to judge the likelihood of occurrence of a security
incident.
b) Calculate the loss caused by the occurrence of a security incident
Based on the asset value and the severity of vulnerability, calculate the
loss caused by the occurrence of a security incident, i.e.:
Loss caused by security incidents = F (asset value, vulnerability severity)
= F (Ia, Va).
The loss caused by the occurrence of some security incidents is not only
for the asset itself, but also for the continuity of the business; the impact
of different security incidents on the organization is also different. When
calculating the loss of a security incident, the impact on the organization
shall also be taken into account.
The judgment of the loss caused by some security incidents shall also
refer to the likelihood results of the occurrence of security incidents. For
the security incidents of very-low likelihood (such as earthquake threats
in non-seismic zones, power failure threats under the condition of
complete power supply measures, etc.), it may not calculate its loss.
c) Calculate the risk value
Based on the calculated likelihood of a security incident and the loss
caused by the security incident, calculate the risk value, that is:
Risk value = R (likelihood of security incident, loss due to security incident)
= R (L (T, V), F (Ia, Va)).
The assessor may, based on its own conditions, select the corresponding
risk calculation method, to calculate the risk value, such as matrix method
or multiplication method. The matrix method constructs a two-
dimensional matrix, to form a two-dimensional relationship betwe...
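The three-step calculation R(A, T, V) = R(L(T, V), F(Ia, Va)) of 5.6.1, with the matrix method and the multiplication method each plugged in as the combining function and the very-low-likelihood caveat of step b) handled, as an added Python example that is not part of the standard or of this page. The five-level grades, the 5x5 table, the score bands, the sqrt-based combiner and the sample register are all constructed assumptions; the standard's own Appendix A tables are not reproduced.

```python
import math
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# A five-level grade for threat frequency (T), vulnerability severity (V/Va) and
# asset value (Ia) is assumed; the standard's own grading tables are not on this page.
MIN_GRADE, MAX_GRADE = 1, 5

# Constructed 5x5 table for the matrix method: row = first factor, column = second
# factor (each 1..5), cell = combined score on 1..25. Illustrative values only;
# the standard's Appendix A.1 matrices are not reproduced.
COMBINE_MATRIX = [
    [1, 2, 4, 6, 8],
    [2, 4, 7, 10, 13],
    [4, 7, 11, 15, 18],
    [6, 10, 15, 19, 22],
    [8, 13, 18, 22, 25],
]

def check_grade(g: int) -> None:
    if not (isinstance(g, int) and MIN_GRADE <= g <= MAX_GRADE):
        raise ValueError(f"grade {g!r} outside {MIN_GRADE}..{MAX_GRADE}")

def band(score: int) -> int:
    """Map a 1..25 combined score back onto the five-level grade (constructed bands)."""
    for grade, upper in enumerate((5, 10, 15, 20, 25), start=1):
        if score <= upper:
            return grade
    raise ValueError(f"score {score} outside 1..25")

def matrix_combine(x: int, y: int) -> int:
    """Matrix method: look the pair up in the two-dimensional table, then band it."""
    check_grade(x)
    check_grade(y)
    return band(COMBINE_MATRIX[x - 1][y - 1])

def product_combine(x: int, y: int) -> int:
    """Multiplication method: sqrt(x*y) rounded to a grade is used here as one
    product-based combiner (an assumption, not the Appendix A.2 text)."""
    check_grade(x)
    check_grade(y)
    return max(MIN_GRADE, min(MAX_GRADE, round(math.sqrt(x * y))))

@dataclass(frozen=True)
class RiskInput:
    asset: str
    threat: str
    T: int   # threat frequency grade
    V: int   # vulnerability severity grade; used as V in L(T,V) and as Va in F(Ia,Va)
    Ia: int  # value of the asset the incident acts on

@dataclass(frozen=True)
class RiskResult:
    likelihood: int
    loss: Optional[int]  # None when the loss is deliberately not calculated
    risk: Optional[int]

VERY_LOW_LIKELIHOOD = 1  # at or below this grade, 5.6.1 b) lets the assessor skip the loss

def assess(item: RiskInput, combine: Callable[[int, int], int]) -> RiskResult:
    """R(A,T,V) = R(L(T,V), F(Ia,Va)), computed in the three steps of 5.6.1."""
    likelihood = combine(item.T, item.V)           # a) L(T, V)
    if likelihood <= VERY_LOW_LIKELIHOOD:          # the very-low-likelihood caveat in b)
        return RiskResult(likelihood, None, None)
    loss = combine(item.Ia, item.V)                # b) F(Ia, Va)
    risk = combine(likelihood, loss)               # c) R(L, F)
    return RiskResult(likelihood, loss, risk)

def rank_register(items: List[RiskInput],
                  combine: Callable[[int, int], int]) -> List[Tuple[str, str, Optional[int]]]:
    """Order a register by risk grade, highest first; items with no calculated loss last."""
    scored = [(i.asset, i.threat, assess(i, combine).risk) for i in items]
    return sorted(scored, key=lambda r: (r[2] is None, -(r[2] or 0)))

# Constructed sample register (not from the standard).
SAMPLE_REGISTER = [
    RiskInput("customer database", "injection attack on web front end", T=4, V=4, Ia=5),
    RiskInput("customer database", "earthquake (non-seismic zone)", T=1, V=2, Ia=5),
    RiskInput("build server", "unpatched CI agent", T=2, V=3, Ia=3),
]
```

Swapping `matrix_combine` for `product_combine` on the same register shows how much the final grade depends on the chosen combiner, which is why the assessor's choice of method in 5.6.1 c) should be recorded with the results.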