GB/T 31509-2015 English PDF (GBT31509-2015)
GB/T 31509-2015: Information security technology -- Guide of implementation for information security risk assessment
GB/T 31509-2015
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Guide of
implementation for information security risk assessment
ISSUED ON: MAY 15, 2015
IMPLEMENTED ON: JANUARY 01, 2016
Issued by: General Administration of Quality Supervision, Inspection and
Quarantine of PRC;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms, definitions, abbreviations ... 5
3.1 Terms and definitions ... 5
3.2 Abbreviations ... 7
4 Overview of implementation of risk assessment ... 8
4.1 Basic principles of implementation ... 8
4.2 Basic process of implementation ... 9
4.3 Working form of risk assessment ... 9
4.4 Risk assessment in the information system lifecycle... 10
5 Staged work of implementation of risk assessment ... 11
5.1 Preparation stage ... 11
5.2 Identification stage ... 21
5.3 Risk analysis stage ... 42
5.4 Recommendations on risk treatment ... 46
Appendix A (Informative) Questionnaire ... 52
Appendix B (Informative) Checklist of security technology vulnerabilities ... 55
Appendix C (Informative) Checklist of security management vulnerability ... 65
Appendix D (Informative) Case of risk analysis ... 73
Information security technology - Guide of
implementation for information security risk assessment
1 Scope
This standard specifies the process and method for implementing information security risk assessment.
This standard applies to the management of information security risk assessment projects for non-confidential information systems by security assessment agencies or by the assessed organizations themselves, and guides the organization, implementation and acceptance of such projects.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the edition cited applies to this document; for undated references, the latest edition (including all amendments) applies.
GB/T 20984-2007 Information security technology - Risk assessment
specification for information security
GB/Z 24364-2009 Information security technology - Guidelines for
information security risk management
3 Terms, definitions, abbreviations
The terms and definitions as defined in GB/T 20984-2007 and GB/Z 24364-
2009 as well as the following terms and definitions apply to this document.
3.1 Terms and definitions
3.1.1
Implementation
The process of putting a series of activities into practice.
3.1.2
Among the project implementation activities, those activities that play a decisive role in the overall progress of the project.
3.1.10
Analysis model
A simulation analysis method, formed according to a given analysis principle, used to analyze the assessment elements.
3.1.11
Evaluation model
A set of assessment indicators, formed according to a given assessment system, used to perform a relatively complete assessment of the corresponding activities.
3.1.12
Risk treatment
A series of activities for dealing with risk, such as accepting, avoiding, transferring or reducing the risk.
3.1.13
Acceptance
A method used in risk assessment activities to conclude project implementation. It is organized mainly by the assessed party, which inspects the assessment activities item by item to determine whether the assessment objectives have been met.
3.2 Abbreviations
The following abbreviations apply to this document.
AC: Access Complexity
AV: Access Vector
BOF: Buffer Overflow
CDP: Collateral Damage Potential
CVE: Common Vulnerabilities and Exposures
agreement, to ensure the security of the project information. Work-process data and result data shall be strictly managed and shall not be disclosed to any unit or individual without authorization.
c) Process controllability:
A project implementation team shall be established in accordance with project management requirements, and the project leader responsibility system shall be adopted, so that the project process remains controllable.
d) Tool controllability:
The user shall be informed in advance of the assessment tools the security assessor intends to use, including the product itself and the test strategy, and the user's permission shall be obtained before the project is implemented.
4.1.4 Minimum impact principle
Risk assessment of an online business system shall follow the minimum impact principle, that is, priority is given to guaranteeing the stable operation of the business system. For work items that require intrusive (aggressive) testing, the assessor shall communicate with the user beforehand, prepare emergency backups, and carry out the testing outside peak business hours.
4.2 Basic process of implementation
GB/T 20984-2007 specifies the implementation process of risk assessment. According to the work content involved, the implementation of risk assessment is generally divided into 4 stages: assessment preparation, risk element identification, risk analysis and risk treatment. The assessment preparation stage is the beginning of the assessment and the guarantee of its effectiveness. The risk element identification stage mainly identifies and assigns values to the key elements of the assessment: assets, threats, vulnerabilities and existing security measures. The risk analysis stage mainly performs correlated analysis of the information obtained in the identification stage and calculates the risk value. The risk treatment recommendation work proposes treatment recommendations for the assessed risks and addresses the residual risk that remains after security reinforcement has been carried out according to those recommendations.
4.3 Working form of risk assessment
GB/T 20984-2007 clarifies that the basic working form of risk assessment is
information system adapts to changes in itself and the environment.
5 Staged work of implementation of risk assessment
5.1 Preparation stage
5.1.1 Work contents of preparation stage
5.1.1.1 Overview
Risk assessment preparation is a guarantee of the effectiveness of the entire risk assessment process. Because a risk assessment is affected by the organization's business strategy, business processes, security needs, and system scale and structure, preparations shall be made before the assessment is implemented. An information security risk assessment involves important information within the organization, so the assessed organization shall carefully vet the qualifications of the assessment organization and its assessors, and shall follow the relevant national or industry management requirements.
5.1.1.2 Determine assessment target
Risk assessment shall be carried out in all stages of the information system lifecycle. Because the content, objects and security needs of a risk assessment differ in each lifecycle stage, the assessed organization shall first determine which lifecycle stage the current information system is in, based on its actual conditions,
thereby defining the risk assessment tar...