GB/T 31509-2015 English PDF (GBT31509-2015)

GB/T 31509-2015: Information security technology -- Guide of implementation for information security risk assessment

This standard specifies the process and method for the implementation of information security risk assessment. This standard applies to the management of information security risk assessment items of non-confidential information systems by various security assessment agencies or assessed organizations, guides the organization, implementation, acceptance of risk assessment items.
GB/T 31509-2015
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Guide of
implementation for information security risk assessment
ISSUED ON: MAY 15, 2015
IMPLEMENTED ON: JANUARY 01, 2016
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of PRC;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms, definitions, abbreviations ... 5
3.1 Terms and definitions ... 5
3.2 Abbreviations ... 7
4 Overview of implementation of risk assessment ... 8
4.1 Basic principles of implementation ... 8
4.2 Basic process of implementation ... 9
4.3 Working form of risk assessment ... 9
4.4 Risk assessment in the information system lifecycle... 10
5 Staged work of implementation of risk assessment ... 11
5.1 Preparation stage ... 11
5.2 Identification stage ... 21
5.3 Risk analysis stage ... 42
5.4 Recommendations on risk treatment ... 46
Appendix A (Informative) Questionnaire ... 52
Appendix B (Informative) Checklist of security technology vulnerabilities ... 55
Appendix C (Informative) Checklist of security management vulnerability ... 65
Appendix D (Informative) Case of risk analysis ... 73
Information security technology - Guide of
implementation for information security risk assessment
1 Scope
This standard specifies the process and method for the implementation of information security risk assessment.
This standard applies to the management of information security risk assessment items of non-confidential information systems by various security assessment agencies or assessed organizations, and guides the organization, implementation and acceptance of risk assessment items.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, the latest version (including all amendments) applies to this standard.
GB/T 20984-2007 Information security technology - Risk assessment specification for information security
GB/Z 24364-2009 Information security technology - Guidelines for information security risk management
3 Terms, definitions, abbreviations
The terms and definitions as defined in GB/T 20984-2007 and GB/Z 24364-2009 as well as the following terms and definitions apply to this document.
3.1 Terms and definitions
3.1.1
Implementation
The process of putting a series of activities into practice.
3.1.2
In the project implementation activities, the implementation activities that can play a decisive role in influencing the overall progress of the project.
3.1.10
Analysis model
A kind of simulation analysis method formed according to a certain analysis principle, for the analysis of assessment elements.
3.1.11
Evaluation model
The formation of several assessment indicators according to a certain assessment system, in order to perform a relatively complete assessment of the corresponding activities.
3.1.12
Risk treatment
A series of activities that deal with risks, such as accepting risks, avoiding risks, transferring risks, reducing risks.
3.1.13
Acceptance
A method used in risk assessment activities to end project implementation, which is mainly organized by the assessed parties to conduct an item-by-item inspection of the assessment activities, to determine whether the assessment objectives are met.
3.2 Abbreviations
The following abbreviations apply to this document.
AC: Access Complexity
AV: Access Vector
BOF: Buffer Overflow
CDP: Collateral Damage Potential
CVE: Common Vulnerabilities and Exposures
agreement, to ensure the security of the project information. It shall strictly manage the work process data and the result data, which shall not be disclosed to any unit or individual without authorization.
c) Process controllability:
It shall follow the project management requirements to establish a project implementation team and adopt the project leader responsibility system, to achieve the controllability of project process.
d) Tool controllability:
The security assessor shall inform the user in advance of the assessment tools to be used, including the product itself, the test strategy, etc., and obtain the user's permission before the project is implemented.
4.1.4 Minimum impact principle
For the risk assessment of an online business system, the minimum impact principle shall be followed, that is, priority is given to guaranteeing the stable operation of the business system. However, for work content that requires aggressive (intrusive) testing, it is necessary to communicate with the user and perform an emergency backup in advance, and to carry out such testing outside the business peak hours.
4.2 Basic process of implementation
GB/T 20984-2007 specifies the implementation process of risk assessment. According to the various work contents in the process, the implementation of risk assessment is generally divided into 4 stages: assessment preparation, risk element identification, risk analysis, risk treatment. Among them, the assessment preparation stage is the guarantee for the effectiveness of the assessment and is the beginning of the assessment; the risk element identification stage mainly identifies and assigns the key elements of the assessment activities, namely assets, threats, vulnerabilities and security measures; the risk analysis stage mainly carries out correlated analysis of the various types of information obtained in the identification stage and calculates the risk value; the risk treatment recommendation work focuses on the assessed risks, proposes the corresponding treatment recommendations, and treats the residual risk that remains after security reinforcement has been performed according to those recommendations.
4.3 Working form of risk assessment
GB/T 20984-2007 clarifies that the basic working form of risk assessment is information system adapts to changes in itself and the environment.
5 Staged work of implementation of risk assessment
5.1 Preparation stage
5.1.1 Work contents of preparation stage
5.1.1.1 Overview
Risk assessment preparation is a guarantee for the effectiveness of the entire risk assessment process. Since the risk assessment is affected by such aspects as the organization's business strategy, business processes, security needs, system scale and structure, preparation shall be made before the implementation of the risk assessment. The information security risk assessment involves important information within the organization. The assessed organization shall carefully select the assessment organization and the assessors according to their qualifications, and shall meanwhile follow the relevant national or industry management requirements.
5.1.1.2 Determine assessment target
The risk assessment shall be carried out in all stages of the information system lifecycle. Since the content, object and security needs of the implementation of risk assessment differ in each stage of the information system lifecycle, the assessed organization shall first determine the stage in the information system lifecycle according to the actual conditions of the current information system, thereby defining the risk assessment target. In general, the assessment target for each stage identified by the organization shall meet the following principles:
a) The target of the risk assessment in the planning stage is to identify the business strategy of the system, to support system security requirements and security strategies. The assessment in the planning stage shall be able to describe the role of the information system after completion in the existing business model, including technology, management, etc., and meanwhile determine the security objectives that the system shall achieve according to its role.
b) The target of the risk assessment in the design stage is to propose security function needs based on the system operating environment and asset importance as defined in the planning stage. The risk assessment results in the design stage shall judge the compliance of the security functions provided in the design scheme, as the basis for the risk control of the procurement process.
c) The target of the risk assessment in the implementation stage is to identify the risks in the development and implementation process of the system according to the system's security needs and operating environment, and to verify the security functions after the system is built. According to the threats analyzed in the design stage and the established security measures, carry out quality control in the course of implementation and acceptance.
d) The target of risk assessment in the operation-maintenance stage is to understand and control the security risks during operation. The assessment includes the information system assets, the threats faced, the vulnerabilities, the existing security measures, etc.
e) The target of risk assessment in the obsolescence stage is to ensure that the obsoleted assets and residual information are properly disposed of, and that the impact of obsoleted assets on the organization is analyzed, to determine whether it will increase or introduce new risk.
5.1.1.3 Determine the assessment scope
After determining the stage of the risk assessment and the corresponding targets, it shall further define the scope of the risk assessment. It may be either all the information and various assets and management organizations related to information processing, or an independent information system, key business processes, etc. In determining the scope of assessment, it shall, combining with the established assessment targets and the actual information system building conditions of the organization, rationally define the assessment object and the boundary of assessment scope. It may refer to the following basis as the principle for dividing the boundary of scope:
a) The business logic boundary of the business system;
b) The network and equipment carrier boundaries;
c) The physical environmental boundaries;
d) The organizational management authority boundaries;
e) Others.
5.1.1.4 Establish an assessment team
5.1.1.4.1 Overview
For the risk assessment implementation team, the assessed organization and the assessment agency shall jointly form a risk assessment team. The leader of the assessed organization, the relevant department head, the relevant personnel of the assessment agency shall establish a risk assessment leading
a) Help the assessed organization and implementer to plan the overall work concept and direction of the risk assessment project;
b) Making decisions on key and difficult issues that arise;
c) Determine the risk assessment conclusions.
5.1.1.5 Kick-off meeting of assessment work
In order to ensure the smooth development of risk assessment work, establish work targets, unify ideas and coordinate the resources of all parties, a kick-off meeting for the risk assessment work shall be held. The kick-off meeting is generally organized by the head of the risk assessment's leading team. The participants shall include all the members of the assessment team, the main responsible person of the relevant business department and, if necessary, relevant members of the expert team.
The main contents of the kick-off meeting include: the leader of the assessed organization declares the significance, purpose and target of the assessment work and the division of responsibilities in the assessment work; the project team leader of the assessed organization explains the plan of the assessment work and the tasks at each stage, as well as the specific matters that need to be coordinated; the project team leader of the assessment agency introduces the general methods and work contents of the assessment work. Through the kick-off meeting, training on the assessment methods and techniques may be carried out for the personnel of the assessed organization who participate in the assessment as well as other relevant personnel, so that all personnel understand the importance of the assessment work, as well as the work content which requires cooperation at each work stage.
5.1.1.6 System investigation
System investigation is the process of understanding and familiarizing with the object being evaluated. The risk assessment team shall conduct sufficient system investigation, to determine the basis and method of risk assessment. The investigation content shall include:
a) System security protection level;
b) Major business functions and requirements;
c) Network structure and network environment, including internal connections and external connections;
d) System boundaries, including business logic boundaries, network and device carrier boundaries, physical environment boundaries, organizational management authority boundaries, etc.;
a) The system vulnerability assessment tool shall have a comprehensive capability for system vulnerability verification and detection;
b) The inspection rule base of the assessment tool shall have an update function that can be updated in a timely manner;
c) The detection strategy and detection method used by the assessment tool shall not cause an abnormal impact on the information system;
d) The same test object can be detected by various assessment tools. If the detection results are inconsistent, it shall further carry out the necessary manual detection and correlation analysis, give the result judgment that is most consistent with the actual situation.
The selection and use of assessment tools must comply with relevant national regulations.
5.1.1.9 Develop an assessment scheme
The risk assessment scheme is the general plan for the implementation activities of the assessment work. It is used to manage the implementation of the assessment work, to make the work of each stage of the assessment controllable, and it also serves as one of the main bases for the acceptance of the assessment project. The risk assessment scheme shall be confirmed and approved by the assessed organization. The content of the risk assessment scheme shall include:
a) Risk assessment work framework: including assessment targets, scope of assessment, basis for assessment, etc.;
b) Assessment team organization: including assessment team members, organizational structure, roles, responsibilities; if necessary, it shall include the introduction of the establishment of the risk assessment leading team and expert team;
c) Assessment work plan: including the work content, work form, work results, etc. of each stage;
d) Risk avoidance: including confidentiality agreements, environment requirements for assessment work, assessment methods, tool selection, emergency plans, etc.;
e) Time schedule: the time schedule for the implementation of the assessment work;
f) Project acceptance method: including acceptance method, acceptance basis, definition of acceptance conclusion, etc.
The assessment agency shall verify the test tools. The verification covers: whether the test tool has the necessary system patches installed, whether there is residual information unrelated to this assessment work, and whether the virus and Trojan library, the vulnerability library or the detection rule base has been upgraded and is operating properly. The verification personnel shall fill in the test tool verification record. The assessor shall fully communicate the test method with the relevant personnel of the assessed organization in advance. During the test, the assessor shall perform the test operations with the cooperation of the relevant personnel of the assessed organization.
5.2 Identification stage
5.2.1 Overview
The identification stage is an important work stage of risk assessment. It identifies such elements as the assets, threats, vulnerabilities in the organization and information system. It is the prerequisite for the security risk analysis of information system.
5.2.2 Asset identification
5.2.2.1 Overview
An asset is information or resources that are valuable to the organization and is the object of security policy protection. In the risk assessment work, the important factors of risk are asset-centric; threats, vulnerabilities and risks are objectively existing against assets. Threats exploit the vulnerability of assets to make security incidents possible, thus creating security risks. Once these security incidents occur, they will have certain impact on specific assets and even the entire information system, thus affecting the interests of the organization. Therefore, assets are an important part of risk assessment. Assets of different values have different degrees of impact on the organization when they are destroyed to the same extent. The value of an asset is a measure of the importance or sensitivity of the asset. Identifying assets and assessing asset value is an important part of risk assessment.
5.2.2.2 Asset classification
In an organization, assets exist in a variety of forms, different types of assets may have different asset values, threats faced, vulnerabilities, and security measures taken. Classifying assets can help improve the efficiency of asset identification and facilitate overall risk assessment.
In the implementation of risk assessment, it may use the asset classification method in GB/T 20984-2007, to divide the assets into 6 categories: hardware, scheme, implementation scheme, installation manual, user manual, test report, operation report, security policy document, security management system document, operation process document, system implementation records, asset lists, network topology maps, etc., to identify assets of organizations and information systems.
If there is a contradiction between the documented information, or an unclear place, or if the documented information differs from the actual situation, the asset identification shall be verified with the relevant personnel of the assessed organization on key assets and key issues. Personnel who undertake different roles in the organization and in information system management shall be selected for interview, including leaders in charge, business personnel, developers, implementers, operation-maintenance personnel and supervisors. Under normal circumstances, after reading the documents and conducting on-site interviews, the organization and information system assets can basically be identified. For key assets, a fact-finding trip to the site shall be carried out.
5.2.2.4 Asset assignment
On the basis of asset investigations, it is necessary to analyze the level of the security attributes of assets, such as confidentiality, integrity and availability. The security attribute levels include 5 levels: very high, high, medium, low, very low. The higher the level of a certain security attribute, the more important that security attribute of the asset is. The meaning of the 5 assignments of confidentiality, integrity and availability can be found in GB/T 20984-2007. The quantification of the security attributes of assets such as confidentiality, integrity and availability is subjective; reference may be made to the following factors, and methods such as weighting may be used to comprehensively derive the assignment level of the security attributes of assets such as confidentiality, integrity, availabilit...
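A worked illustration of the asset assignment step described above, added here and not part of the standard's text. It maps the five levels to 1..5 and derives an overall asset level by weighting the confidentiality, integrity and availability assignments; the weights, the round-to-nearest-level rule and the sample assets are constructed assumptions, since the standard only says "methods such as weighting".

```python
"""Asset assignment (GB/T 31509-2015, 5.2.2.4): derive an asset's overall
level from its confidentiality, integrity and availability assignments.
Added example; the weighting rule and sample assets are assumptions."""
from dataclasses import dataclass

# The five levels named in the standard, mapped to 1..5 (assumed mapping).
LEVELS = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int


def _check_level(value: int, attr: str) -> None:
    """Reject assignments outside the five defined levels."""
    if value not in LEVELS:
        raise ValueError(f"{attr} level {value!r} is not one of {sorted(LEVELS)}")


def asset_value(asset: Asset, weights=(1 / 3, 1 / 3, 1 / 3)) -> int:
    """Weighted combination of the three attribute levels, rounded half-up to
    the nearest of the five levels (assumed rule, not prescribed by the text)."""
    for attr in ("confidentiality", "integrity", "availability"):
        _check_level(getattr(asset, attr), attr)
    if len(weights) != 3 or any(w < 0 for w in weights) or abs(sum(weights) - 1) > 1e-9:
        raise ValueError("weights must be three non-negative numbers summing to 1")
    score = (weights[0] * asset.confidentiality
             + weights[1] * asset.integrity
             + weights[2] * asset.availability)
    level = int(score + 0.5)          # e.g. 3.5 -> 4, 2.67 -> 3
    return max(1, min(5, level))      # clamp to the defined range


def rank_assets(assets, weights=(1 / 3, 1 / 3, 1 / 3)):
    """Return (name, level, label) tuples, most valuable asset first."""
    scored = [(a.name, asset_value(a, weights)) for a in assets]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(name, level, LEVELS[level]) for name, level in scored]


# Constructed sample assets (not from the standard).
SAMPLE_ASSETS = [
    Asset("customer database", confidentiality=5, integrity=4, availability=3),
    Asset("public web server", confidentiality=1, integrity=3, availability=4),
    Asset("internal wiki", confidentiality=2, integrity=2, availability=2),
]

if __name__ == "__main__":
    for name, level, label in rank_assets(SAMPLE_ASSETS):
        print(f"{name:20s} level {level} ({label})")
```

Changing the weights (for example favouring availability for an online business system) changes the ranking, which is the subjective element the standard warns about.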
