GB/T 20984-2007 Information Security Technology: Information Security Risk Assessment Specification

1 Scope

This standard sets out the basic concepts, the relationships between the elements, the analysis principles, the implementation process and the assessment methods of information security risk assessment, together with the key implementation points and forms of work for risk assessment at each stage of the information system life cycle.
This standard applies to, and is intended to standardize, the risk assessment work carried out by organizations.

2 Normative references

The provisions of the following documents become provisions of this standard through citation in this standard. For dated references, subsequent amendments (excluding corrigenda) and revisions do not apply to this standard; parties to agreements based on this standard are nevertheless encouraged to investigate whether the latest versions of these documents can be used. For undated references, the latest version applies to this standard.
GB/T 9361 Computing station site security requirements
GB 17859-1999 Classified criteria for security protection of computer information systems
GB/T 18336-2001 Information technology - Security techniques - Evaluation criteria for IT security (idt ISO/IEC 15408:1999)
GB/T 19716-2005 Information technology - Code of practice for information security management (ISO/IEC 17799:2000, MOD)

3 Terms and Definitions

The following terms and definitions apply to this standard.

3.1

Asset
Information or resources that are of value to the organization and are the object of protection by security policies.

3.2

Asset value
A characterization of the importance or sensitivity of an asset. Asset value is an attribute of the asset and is the main content of asset identification.

3.3

Availability
The property that data or resources can be accessed and used by an authorized entity as required.

3.4

Business strategy
The set of rules or requirements that an organization establishes in order to achieve its development goals.

3.5

Confidentiality
The property of data that it has not been made available or disclosed to unauthorized individuals, processes or other entities, and the degree to which this holds.

3.6

Information security risk
The occurrence of security incidents caused by man-made or natural threats exploiting vulnerabilities in an information system and its management system, and the impact of those incidents on the organization.

3.7

Risk assessment (information security)
The process of assessing the confidentiality, integrity, availability and other security attributes of an information system and of the information it processes, transmits and stores, against the relevant information security technology and management standards. It assesses the threats faced by the assets and the likelihood that those threats exploit vulnerabilities to cause security incidents, and combines this with the value of the assets involved to judge the impact on the organization once a security incident occurs.

3.8

Information system
A man-machine system composed of computers and related supporting equipment and facilities (including networks) that collects, processes, stores, transmits and retrieves information according to defined application objectives and rules.
A typical information system consists of three parts: the hardware system (computer hardware and network hardware), the system software (computer system software and network system software), and the application software (including the information it processes and stores).

3.9

Inspection assessment
A mandatory inspection of an information system and its management, initiated by the superior authority or the competent business authority of the assessed organization in accordance with the relevant national regulations and standards.

3.10

Integrity
The property that information and information systems are not altered or destroyed without authorization. It comprises data integrity and system integrity.

3.11

Organization
A structure established by individuals with different roles to pursue common business goals. A unit is an organization; a business unit may also be an organization.

3.12

Residual risk
The risk that may remain in an information system after security measures have been taken.
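The element relationship described in 3.7 (threat, vulnerability, likelihood of an incident, asset value, impact) and the residual risk of 3.12 can be made concrete with a small model. The following Python is an added example and is not text, nor the calculation method, of GB/T 20984-2007 or of the page reproducing it: the 1-to-5 rating scale, the rules for combining ratings, and the scenario data are all assumptions chosen for illustration.

```python
"""Worked model of the risk-assessment element relationship in 3.7 and 3.12.

Added example, not text of GB/T 20984-2007. The 1-5 rating scale and the
rules for combining ratings are assumptions chosen for illustration; the
standard's own calculation method is not reproduced on this page.
"""
from dataclasses import dataclass
from math import ceil
from typing import Sequence

LEVELS = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}


def clamp(x: int, lo: int = 1, hi: int = 5) -> int:
    """Keep a rating on the assumed 1-5 scale."""
    return max(lo, min(hi, x))


def ceil_avg(a: int, b: int) -> int:
    """Average of two ratings, rounded up so a high rating is never diluted (assumed rule)."""
    return (a + b + 1) // 2


@dataclass
class Asset:
    name: str
    confidentiality: int  # 3.5, rated 1-5
    integrity: int        # 3.10, rated 1-5
    availability: int     # 3.3, rated 1-5

    def value(self) -> int:
        """Asset value (3.2): here the highest of the three attribute ratings (assumed rule)."""
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class Threat:
    source: str
    frequency: int  # 1-5, how often the threat is expected to act


@dataclass
class Vulnerability:
    description: str
    severity: int  # 1-5, how easily it is exploited and how severe the consequence


@dataclass
class SecurityMeasure:
    """A security measure (3.15): lowers threat frequency and/or vulnerability severity."""
    name: str
    reduces_frequency: int = 0
    reduces_severity: int = 0


def effective_frequency(threat: Threat, measures: Sequence[SecurityMeasure] = ()) -> int:
    return clamp(threat.frequency - sum(m.reduces_frequency for m in measures))


def effective_severity(vuln: Vulnerability, measures: Sequence[SecurityMeasure] = ()) -> int:
    return clamp(vuln.severity - sum(m.reduces_severity for m in measures))


def incident_likelihood(threat: Threat, vuln: Vulnerability,
                        measures: Sequence[SecurityMeasure] = ()) -> int:
    """Likelihood that the threat exploits the vulnerability and causes a security incident (3.7)."""
    return ceil_avg(effective_frequency(threat, measures), effective_severity(vuln, measures))


def incident_impact(asset: Asset, vuln: Vulnerability,
                    measures: Sequence[SecurityMeasure] = ()) -> int:
    """Impact on the organization once the incident occurs: asset value combined with severity (3.7)."""
    return ceil_avg(asset.value(), effective_severity(vuln, measures))


def risk_level(asset: Asset, threat: Threat, vuln: Vulnerability,
               measures: Sequence[SecurityMeasure] = ()) -> int:
    """Risk (3.6) as a 1-5 level: likelihood x impact (1..25) scaled back to 1..5 (assumed rule)."""
    product = incident_likelihood(threat, vuln, measures) * incident_impact(asset, vuln, measures)
    return ceil(product / 5)


def residual_risk(asset: Asset, threat: Threat, vuln: Vulnerability,
                  measures: Sequence[SecurityMeasure]) -> int:
    """Residual risk (3.12): the risk that remains once the listed security measures are in place."""
    return risk_level(asset, threat, vuln, measures)


def assess(asset: Asset, threat: Threat, vuln: Vulnerability,
           measures: Sequence[SecurityMeasure]) -> tuple:
    """Return (risk before measures, residual risk after measures)."""
    return risk_level(asset, threat, vuln), residual_risk(asset, threat, vuln, measures)


# Constructed scenario for illustration; not taken from the standard.
CUSTOMER_DB = Asset("customer database", confidentiality=5, integrity=4, availability=3)
EXTERNAL_ATTACKER = Threat("external attacker over the Internet", frequency=4)
SQLI = Vulnerability("unpatched SQL injection in the web front end", severity=4)
MEASURES = [
    SecurityMeasure("apply vendor patch", reduces_severity=3),
    SecurityMeasure("web application firewall", reduces_frequency=1),
]

if __name__ == "__main__":
    before, after = assess(CUSTOMER_DB, EXTERNAL_ATTACKER, SQLI, MEASURES)
    print(f"{CUSTOMER_DB.name}: risk {LEVELS[before]} -> residual risk {LEVELS[after]}")
```

In the constructed scenario the asset value is 5, the likelihood is 4 and the impact is 5, giving a risk level of 4 (high); with the patch and the firewall in place the residual risk drops to level 2 (low). Clamping keeps over-reduction by measures from producing a rating below 1, so residual risk never reads as zero.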

3.13

Self-assessment
A risk assessment of an information system and its management, initiated by the organization itself in accordance with the relevant national regulations and standards.

3.14

Security incident
The occurrence of an identifiable state of a system, service or network that may indicate a violation of the information security policy or a failure of protective measures, or a previously unknown situation relevant to security.

3.15

Security measure
The practices, procedures and mechanisms implemented to protect assets, resist threats, reduce vulnerabilities, reduce the impact of security incidents and combat information crime.


3.16

Security requirement
A requirement for security measures needed to ensure that the organization's business strategy can operate normally.

3.17

Threat
A potential cause of an undesired incident that could result in harm to a system or organization.

3.18

Vulnerability
A weakness of one or more assets that may be exploited by a threat.

Source: blog.csdn.net/m0_74079109/article/details/131363863