GB/Z 24364-2009 English PDF (GBZ24364-2009)
GB/Z 24364-2009: Information security technology -- Guidelines for information security risk management
GB/Z 24364-2009
ICS 35.040
Guiding Technical Document for National Standardization of the People's Republic of China
Information security technology - Guidelines for information security risk management
Issued by the General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China and the Standardization Administration of China
Contents
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of information security risk management
4.1 Scope and objects of information security risk management
4.2 Content and process of information security risk management
4.3 Relationship between information security risk management, the information system life cycle and information security objectives
4.4 Roles and responsibilities in information security risk management
5 Background establishment
5.1 Overview of background establishment
5.2 Background establishment process
5.3 Background establishment documents
6 Risk assessment
6.1 Overview of risk assessment
6.2 Risk assessment process
6.3 Risk assessment documents
7 Risk treatment
7.1 Overview of risk treatment
7.2 Risk treatment process
7.3 Risk treatment documents
8 Approval and supervision
8.1 Overview of approval and supervision
8.2 Approval and supervision process
8.3 Approval and supervision documents
9 Monitoring and review
9.1 Overview of monitoring and review
9.2 Monitoring and review process
9.3 Monitoring and review documents
10 Communication and consultation
10.1 Overview of communication and consultation
10.2 Communication and consultation process
10.3 Communication and consultation documents
11 Information security risk management in the planning phase of the information system
11.1 Security objectives and security requirements
11.2 Risk management processes and activities
12 Information security risk management in the design phase of the information system
12.1 Security objectives and security requirements
12.2 Risk management processes and activities
13 Information security risk management in the implementation phase of the information system
13.1 Security objectives and security requirements
13.2 Risk management processes and activities
14 Information security risk management in the operation and maintenance phase of the information system
14.1 Security objectives and security requirements
14.2 Risk management processes and activities
15 Information security risk management in the disposal phase of the information system
15.1 Security objectives and security requirements
15.2 Risk management processes and activities
Annex A (informative) Risk management reference model and its requirements and measures
A.1 Risk management reference model
A.2 Risk management requirements and measures
Foreword
Annex A of this guiding technical document is informative.
This guiding technical document was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee.
Drafting organizations of this guiding technical document: Information Security Research and Service Center of the State Information Center; Beijing Research Institute of China Telecom Co., Ltd.
Main drafters of this guiding technical document: Wu Yafei, Zhang Jian, Fan Hong, Liu Wei, Zhao Yang.
Introduction
An organization must use its resources to accomplish its mission. In the information age, information has become a primary strategic resource and plays an increasingly important role. The security of information assets therefore bears directly on whether an organization can fulfil its mission. Assets and risks are two sides of one contradiction: the more valuable an asset, the greater the risk it attracts. Information assets have characteristics that traditional assets do not, and face new kinds of risk. The purpose of information security risk management is to mitigate and balance this contradiction, to control risk to an acceptable level, to protect information and the assets related to it, and ultimately to ensure that the organization can fulfil its mission.
Information security risk management is fundamental work in information security assurance, which is reflected mainly in the following aspects.
The ideas and measures of information security risk management should be embodied in the technology, organization and management of the information security assurance system. Risks exist in each of these three, so the ideas of risk management should be introduced into technology, organization and management alike, so that risks are assessed accurately and treated reasonably and the objectives of information security are achieved jointly.
The ideas and measures of information security risk management should run through the whole information system life cycle. The life cycle comprises five phases: planning, design, implementation, operation and maintenance, and disposal. Each phase carries its own risks, which should be treated and controlled by applying the ideas and measures of risk management.
The ideas and measures of information security risk management give strong support to implementing the information security classified protection system. Following the ideas and principles of classified protection, information security risk management distinguishes what is primary from what is secondary, balances cost against benefit, rationally deploys and uses information security protection mechanisms and key infrastructures such as the trust system, the monitoring system and emergency response, and selects and determines appropriate security controls, so that the organization has the information security capability its mission requires.
This guiding technical document was developed to implement the state's requirements for strengthening information security assurance and for building the information security classified protection system. It can be used together with GB/T 20984 and may serve as a reference for an organization establishing an information security management system (ISMS).
This guiding technical document draws on international standards on information security risk management such as ISO/IEC 27005 and has been verified in pilots across industries and regions. It gives a comprehensive description of the processes of information security risk management, namely background establishment, risk assessment, risk treatment, approval and supervision, monitoring and review, and communication and consultation, and systematically sets out how information security risk management is applied in each phase of the information system life cycle.
In this guiding technical document, "risk management" means "information security risk management". The documents listed by title in this guiding technical document are given as examples; their format and details are not prescribed.
Information security technology
Guidelines for information security risk management
1 Scope
This guiding technical document specifies the content and process of information security risk management and gives guidance on information security risk management in each phase of the information system life cycle.
This guiding technical document is intended to guide organizations in managing information security risks.
2 Normative references
The provisions of the following documents become provisions of this guiding technical document through reference in it. For dated references, subsequent amendments (excluding corrigenda) and revisions do not apply to this guiding technical document; however, parties to agreements based on this guiding technical document are encouraged to investigate whether the latest editions of these documents can be applied. For undated references, the latest edition applies to this guiding technical document.
GB 17859-1999 Classified criteria for security protection of computer information systems
GB/T 18336.2-2008 Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional requirements (ISO/IEC 15408-2:2005, IDT)
GB/T 20984-2007 Information security technology - Risk assessment specification for information security
GB/T 22081-2008 Information technology - Security techniques - Code of practice for information security management (ISO/IEC 27002:2005, IDT)
3 Terms and definitions
The following terms and definitions apply to this guiding technical document.
3.1 availability
The property of data or resources of being accessible and usable on demand by an authorized entity. [GB/T 20984]
3.2 confidentiality
The property that data is not made available or disclosed to unauthorized individuals, processes or other entities.
3.3 information security risk
The possibility that a man-made or natural threat exploits weaknesses in an information system and its management system to cause a security incident, together with the impact that incident causes.
3.4 integrity
The property that information and information systems are protected from being altered or destroyed in an unauthorized manner; it includes data integrity and system integrity. [GB/T 20984]
3.5 risk
The combination of the probability of an event and its consequences. [GB/T 22081]
3.6 risk management
The process of identifying, controlling, eliminating or minimizing uncertain events that may affect system resources.
3.7 risk treatment
The process of selecting and implementing measures to modify risk.
4 Overview of Information Security Risk Management
4.1 Scope and objects of information security risk management
The concept of information security covers the security of information, of information carriers and of the information environment. Information is the content collected, processed and stored in an information system, such as data and files. Information carriers are the media that carry information, that is, the entities used to record, transmit, accumulate and store it. The information environment is the environment in which information and its carriers reside, including the hard and soft environment such as the physical platform, the system platform, the network platform and the application platform.
Information security risk management is risk-based information security management, that is, information security management that is always centred on risk. Conceptually, information security risk management should cover all objects related to information security in the three aspects above (information, information carriers and the information environment). For a specific information system, however, it may concern mainly the key and sensitive parts of that system. The focus of information security risk management, that is, the scope and objects chosen for risk management, should therefore be set according to the actual information system and will differ from one system to another.
4.2 Content and process of information security risk management
Information security risk management comprises background establishment, risk assessment, risk treatment, approval and supervision, monitoring and review, and communication and consultation. Background establishment, risk assessment, risk treatment, and approval and supervision are the four basic steps of information security risk management; monitoring and review and communication and consultation run throughout those four steps, as shown in Figure 1.
Figure 1 Content and process of information security risk management
The first step, background establishment, determines the objects and scope of risk management, makes the preparations for implementing it, and investigates and analyses the relevant information. The second step, risk assessment, identifies, analyses and evaluates the risks faced by the objects established for risk management. The third step, risk treatment, selects and implements appropriate security measures according to the results of the risk assessment. The fourth step, approval and supervision, is where the organization's decision-making level decides whether to approve the risk management activities, judging by whether the results of risk assessment and risk treatment meet the security requirements of the information system. When the business objectives or characteristics of the protected system change, or new risks arise, the four steps are entered again to form a new cycle.
Monitoring and review act on the four steps above. Monitoring checks the effectiveness and cost-effectiveness of the four steps; review tracks changes in the protected system itself or in its environment to ensure that the results of the four steps remain valid and compliant. Communication and consultation serve the personnel involved in the four steps. Communication gives participants in the process channels through which to stay coordinated and pursue the security objectives together; consultation gives all relevant personnel ways of learning, so as to raise their risk awareness and knowledge and help achieve the security objectives. Together, background establishment, risk assessment, risk treatment, approval and supervision, monitoring and review, and communication and consultation form an ascending spiral that lets the protected system respond continually to the new security requirements and risks that arise from changes in itself and its environment.
Chapters 5 to 10 of this guiding technical document describe, for each of the six components above, its concept, process, work content and output documents during the implementation of information security risk management.
4.3 Relationship between information security risk management, the information system life cycle and information security objectives
4.3.1 Information system life cycle
The information system life cycle is the whole process of an information system from its creation to its disposal, comprising five basic phases: planning, design, implementation, operation and maintenance, and disposal.
In the planning phase, the purpose, scope and requirements of the information system are determined, feasibility is analysed and demonstrated, and an overall plan is proposed. In the design phase, the implementation architecture of the information system (functional partitioning, interface protocols, performance indicators and so on) and the implementation plan (implementation technology, equipment selection, system integration and so on) are drawn up according to the overall plan. In the implementation phase, equipment is procured and tested, customized functions are developed, the system is integrated, deployed, configured and tested, and personnel are trained, all according to the implementation plan. In the operation and maintenance phase, the system is operated and maintained so that it keeps working while it and its environment change, and it is upgraded as needed. In the disposal phase, the information system as a whole, or those parts of it that are obsolete or no longer useful, are disposed of. When the business objectives or requirements of the information system change, or when its technical or management environment changes, the five phases are entered again to form a new cycle. Planning, design, implementation, operation and maintenance, and disposal therefore form an ascending spiral that lets the information system adapt continually to changes in itself and its environment.
4.3.2 Information security objectives
The objective of information security is to realize the basic security properties of an information system (that is, the basic attributes of information security) at the required level of assurance. The basic attributes of information security are confidentiality, integrity, availability, authenticity and non-repudiation. Each attribute has a corresponding security level that serves as a measure of its strength, as shown in Figure 2.
Figure 2 Basic attributes of information security and their security levels
Confidentiality is the property that information and information systems are not accessed or used by unauthorized persons; it covers data secrecy and access control. Integrity is the property that information and information systems are genuine, accurate and complete and have not been impersonated, forged or tampered with; it covers authenticity of identity, data integrity and system integrity. Availability is the property that information and information systems can be accessed and used by authorized persons when needed. Authenticity is the property that the identity of a subject or resource is the one claimed. Non-repudiation is the property that an entity cannot deny its actions, which supports accountability, deterrence and legal action. The security level is the degree or strength with which confidentiality, integrity, availability, authenticity and non-repudiation are achieved in a particular implementation, and can serve as a measure of security assurance. The security level of an information system is determined mainly through security evaluation and certification of the system.
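The four-step cycle of 4.2 (background establishment fixes acceptance criteria, risk assessment rates each risk, risk treatment selects controls, approval decides on the residual risk) and the per-attribute security objectives of 4.3.2 are abstract in the text above. The following is an added illustration, not part of the standard and not the method prescribed by GB/Z 24364 or GB/T 20984: the 1 to 5 ordinal scales, the three-band level matrix, the acceptance thresholds, the control catalogue and the sample risks are all assumptions constructed for this example. It shows risk as the combination of probability and consequence (3.5), a treatment step that stops adding controls once the residual risk is within the tolerance set for the affected attribute, and an approval step that refuses sign-off while any risk remains unresolved.

```python
"""Minimal risk-management cycle: assess -> treat -> approve, per security attribute.

Added illustration only. Scales, matrix, thresholds, controls and risks are assumed
for this example and are not the method of GB/Z 24364 or GB/T 20984.
"""
from dataclasses import dataclass, replace

LEVELS = ("low", "medium", "high")   # assumed three-band risk scale


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    attribute: str      # security attribute the event would degrade (4.3.2)
    likelihood: int     # assumed ordinal scale 1 (rare) .. 5 (almost certain)
    impact: int         # assumed ordinal scale 1 (negligible) .. 5 (severe)


@dataclass(frozen=True)
class Control:
    name: str
    likelihood_cut: int     # likelihood steps the control removes (assumed)
    impact_cut: int         # impact steps the control removes (assumed)
    cost: int               # relative cost units, used to order candidates


def level(r: Risk) -> str:
    """Risk = probability combined with consequence (3.5), banded on an assumed matrix."""
    score = r.likelihood * r.impact
    return "high" if score >= 15 else "medium" if score >= 6 else "low"


def acceptable(r: Risk, acceptance: dict) -> bool:
    """Acceptance criteria fixed in background establishment: the highest level
    tolerated for each security attribute."""
    return LEVELS.index(level(r)) <= LEVELS.index(acceptance[r.attribute])


def apply_control(r: Risk, c: Control) -> Risk:
    return replace(r,
                   likelihood=max(1, r.likelihood - c.likelihood_cut),
                   impact=max(1, r.impact - c.impact_cut))


def treat(r: Risk, candidates: list, acceptance: dict) -> tuple:
    """Risk treatment: accept if already tolerable; otherwise add the cheapest
    effective controls until the residual risk is acceptable. Anything still
    above the threshold is escalated to the approval layer."""
    if acceptable(r, acceptance):
        return r, [], "accept"
    residual, applied = r, []
    for c in sorted(candidates, key=lambda c: c.cost):
        after = apply_control(residual, c)
        if (after.likelihood, after.impact) == (residual.likelihood, residual.impact):
            continue  # control has no effect on this risk; do not pay for it
        residual, applied = after, applied + [c.name]
        if acceptable(residual, acceptance):
            return residual, applied, "mitigate"
    return residual, applied, "escalate"


def run_cycle(risks: list, catalogue: dict, acceptance: dict) -> list:
    """One pass of assess -> treat, producing the risk register (the output document)."""
    register = []
    for r in risks:
        residual, controls, decision = treat(r, catalogue.get(r.asset, []), acceptance)
        register.append({
            "asset": r.asset, "threat": r.threat, "attribute": r.attribute,
            "initial_level": level(r), "residual_level": level(residual),
            "controls": controls, "decision": decision,
        })
    return register


def approve(register: list) -> bool:
    """Approval step: the decision-making level signs off only if no risk is unresolved."""
    return all(e["decision"] != "escalate" for e in register)


# Constructed sample input (not taken from the standard).
ACCEPTANCE = {"confidentiality": "low", "integrity": "low", "availability": "medium",
              "authenticity": "low", "non-repudiation": "low"}
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection through web front end", "confidentiality", 4, 5),
    Risk("public website", "volumetric DDoS", "availability", 3, 3),
    Risk("release signing key", "theft from build server", "non-repudiation", 2, 5),
]
SAMPLE_CATALOGUE = {
    "customer database": [
        Control("parameterized queries", likelihood_cut=3, impact_cut=0, cost=2),
        Control("web application firewall", likelihood_cut=1, impact_cut=0, cost=1),
        Control("column-level encryption", likelihood_cut=0, impact_cut=1, cost=3),
    ],
    "release signing key": [
        Control("monthly key rotation", likelihood_cut=0, impact_cut=1, cost=1),
    ],
}

if __name__ == "__main__":
    reg = run_cycle(SAMPLE_RISKS, SAMPLE_CATALOGUE, ACCEPTANCE)
    for e in reg:
        print(f"{e['asset']:<22} {e['initial_level']:>6} -> {e['residual_level']:<6} "
              f"{e['decision']:<9} {', '.join(e['controls']) or '-'}")
    print("approved" if approve(reg) else "returned to treatment")
```

With the constructed data, the database risk starts high and is brought to low by two controls, the DDoS risk is accepted because availability tolerates a medium level, and the signing-key risk stays medium after the only listed control, so the register is returned rather than approved; that escalation is the point at which the organization either revises the acceptance criteria or extends the control catalogue and re-enters the cycle, as 4.2 describes.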
4.3.3 Relationship between the three
The relationship between information security risk management, the information system life cycle and information security objectives can be summarized as follows: in each phase of the information system life cycle, achieving the information security objectives requires the support of corresponding information security risk management. The characteristics of each life-cycle phase, and the level of assurance its information security objectives require, differ by industry and by system; that is, different systems in different industries place different requirements and emphasis on the attributes of information security (confidentiality, integrity, availability, authenticity and non-repudiation) at different phases of the life cycle. Industry-specific information security risk management practices can therefore be developed under the guidance of this guiding technical document. The assurance level of information security objectives should follow the national information security classified protection system; see GB 17859-1999 for details.
Chapters 11 to 15 of this guiding technical document describe the security objectives and requirements of each phase of the information system life cycle and the corresponding main processes and activities of information security risk management.
4.4 Roles and responsibilities in information security risk management
Information security risk management is risk-based security management of information systems and therefore involves people, including the direct participants in information security risk management and those involved in the i...