Classified protection evaluation versus risk assessment: a difference analysis

With the release and implementation of the Network Security Act in 2017, a growing number of business leaders have become concerned about the state of their own network security programmes, and the forthcoming release of "Information security technology - Baseline for classified protection of network security" V2.0 gives enterprise network security construction an even clearer direction. In recent technical exchanges with customers, Serena has found that clients often bring up "risk assessment" and "classified protection evaluation", but some of them regularly confuse the two. Today Serena summarizes for everyone the similarities and differences between classified protection evaluation and risk assessment.
1. Overview of classified protection evaluation and risk assessment
Risk assessment:
In 2007 the Standardization Administration of China issued GB/T 20984-2007 "Information security technology - Risk assessment specification for information security", a standard built primarily around information security risk assessment. In 2011 the second edition of the international information security risk assessment standard, ISO/IEC 27005:2011, was published on the basis of the original standard. The risk assessment methods recommended by GB/T 20984-2007 and ISO/IEC 27005:2011 can both be used as methods for information security risk assessment.
Risk assessment consists of three processes: risk identification, risk analysis and risk evaluation. Its main work activities are ① establishing the criteria, ② determining the scope and boundaries, ③ risk assessment (risk analysis), ④ risk evaluation and ⑤ risk treatment. See the diagram for details:
Figure 1: Risk assessment work activities
Classified protection evaluation:
GB/T 28449-2012 "Information security technology - Testing and evaluation process guide for classified protection of information system security" is the main reference for classified protection evaluation. The standard describes the evaluation from the angle of the evaluation process and its process tasks, covering evaluation preparation, plan preparation, on-site evaluation and report preparation; concretely this includes determining the evaluation scope, identifying the assets to be evaluated, identifying non-conformities, risk analysis and evaluation, and putting forward rectification recommendations.
Figure 2: Classified protection evaluation work activities
From the descriptions above it can be seen that classified protection evaluation and risk assessment have certain aspects in common, but there are also many differences.
2. Difference analysis of classified protection evaluation and risk assessment
The two differ in implementation method and criteria
Before a risk assessment is carried out, the risk assessment method, risk evaluation criteria, impact assessment criteria, risk acceptance criteria and so on must be established. Classified protection evaluation does not need its own evaluation method and criteria to be established, because GB/T 28449-2012 already specifies them in detail and nothing needs to be defined. For example, the risk analysis and evaluation performed within a classified protection evaluation serves only as an input to the evaluation conclusion and does not cover the final rectification.
The two define scope and boundaries differently
The two differ in how scope and boundaries are determined and in the basis on which they are implemented. First, the factors a risk assessment considers when setting scope and boundaries are relatively complex. Classified protection evaluation, by contrast, defines the boundary relatively simply: the boundary is determined according to the network situation of the system under evaluation.
Figure 3: Definition of scope and boundary
The two face different objects
In GB/T 22239-2008 the asset objects comprise six parts: physical environment, host environment, network environment, application environment, data security and security management. In the forthcoming V2.0 of the baseline requirements for classified protection they comprise five parts: physical environment, communication network, computing environment, management center and security management. Section 7.2.1 "Confirmation of the evaluated party" of GB/T 28449-2012 describes the objects of classified protection evaluation in detail, including the server room, business software, host operating systems, database systems, network devices, security devices and management documents. The objects of a risk assessment are information assets, including data assets, hardware assets, software assets, service assets, personnel and other assets. The two therefore differ significantly in their objects.
Figure 4: Asset objects of classified protection evaluation and risk assessment
As the figure shows, the range of assets covered by a risk assessment is clearly broader than that of a classified protection evaluation. In some specific projects the assets identified by a risk assessment have numbered more than 500.
The two use different risk analysis and evaluation methods
There are many methods of risk analysis and evaluation, both qualitative and quantitative. In a classified protection evaluation, risk analysis and evaluation is carried out mainly on the non-conformities found during the evaluation, following the requirements of the "Classified evaluation report template (trial)" (Gong Xin An [2009] No. 1487). The evaluation is mainly qualitative: the security issues discovered are listed together with their rating and the result of the risk analysis and evaluation. Specifically:
Figure 5: Risk analysis and evaluation of security issues in classified protection evaluation (example)
According to the relevant classified protection norms and standards, the risk analysis method is used to analyze the potential impact on information system security of the security issues present in the classified evaluation results (the summarized partial-conformance and non-conformance items present in the system).
The process consists of:
1) determining the likelihood that the security issue is exploited by a threat, with the likelihood rated as high, medium or low;
2) analyzing the extent of the impact on information system security (business information security and system service security) if the threat exploits the issue, with the impact rated as high, medium or low;
3) combining the results of 1) and 2) to assign a value to the security risk faced by the information system, with the risk value rated as high, medium or low;
4) evaluating the risk analysis result in combination with the protection level of the information system, that is, the risk of harm to national security, public order, the public interest and the legitimate rights and interests of citizens, legal persons and other organizations.
Risk assessment, on the other hand, has no explicit requirement to use a qualitative or a quantitative approach. GB/T 20984-2007 introduces a number of risk assessment methods and ultimately recommends that the organization or the risk assessment team choose a qualitative approach, a quantitative approach or a combination of both according to the actual situation.
The two have different requirements for the conclusion
For risk assessment, neither GB/T 20984-2007 nor ISO/IEC 27005:2011 places requirements on the assessment conclusion; a risk assessment is more focused on results. Classified protection evaluation, by contrast, has a clear requirement for the evaluation conclusion: the results are expressed as "conforms", "basically conforms" or "does not conform" to state the compliance of the evaluation, that is, how well the baseline requirements for the protection level are met.
The two handle the conclusion differently
Risk treatment in a risk assessment has four options: risk mitigation, risk avoidance, risk retention and risk transfer. Whichever of the four options a company chooses for a given risk, it must implement the risk treatment plan. Classified protection evaluation is different: the evaluation must give rectification recommendations based on the evaluation results and propose how the non-conforming items should be corrected, but whether these are adopted is decided by the organization itself, and no rectification plan needs to be drawn up. However, the company must rectify the information system so that all items conform and the baseline requirements for its protection level are fully met; otherwise, under the Network Security Act, failure to rectify exposes the enterprise to penalties.
Report preparation
After the on-site work is complete, all the information needed to prepare the related reports is collected. A classified protection evaluation report has an officially released template, whereas a risk assessment report has no template or fixed content requirements.
3. Implementation recommendations
The analysis above shows that the two differ substantially in nature. They can borrow from each other's implementation methods, but merging them into one exercise is not recommended. Classified protection evaluation and risk assessment are two different activities and need to be carried out separately. It is recommended to ensure that the classified protection evaluation of the information system is carried out and, in addition, to carry out a risk assessment of the information system's security risks; the security issues found during the classified protection evaluation can be reused as input to that assessment.
Wei Nute, the security vendor that first proposed the concept of the "white environment" in the network security industry, has to date served five hundred customers in electric power, petroleum and petrochemicals, rail transit, intelligent manufacturing, gas, water, the military, tobacco, coal, the chemical industry, universities and research institutions. It has extensive experience in industrial control system security construction and security risk assessment, and in 2018 obtained the ISCCC level-two qualification for information security risk assessment services, a recognition of Wei Nute's achievements in carrying out risk assessments. In 2019, taking its 2018 results as a starting point, Wei Nute will rely on its professional technical service team to contribute to the construction of network security for industrial control systems.
Source: blog.51cto.com/6813095/2433251