GB/T 20984-2007 Translated English of Chinese Standard. (GBT 20984-2007, GB/T20984-2007, GBT20984-2007): Information security technology - Risk assessment specification for information security
This standard proposes the basic concepts, element relationships, analysis principles, implementation processes, assessment methods of risk assessment, as well as the implementation key-points and working forms of risk assessment at different stages of the life cycle of information system. This standard applies to normalizing the risk assessment work carried out by the organization.
Framework and process for risk assessment
Risk assessment at each phase of the life cycle of information system
Working form of risk assessment
Appendix B Informative Risk assessment tool
according application software assessment and management assessment results asset A1 asset identification asset value Assigned value business strategy Calculate the loss calculate the risk calculation method Calculation of risk damage database design plan electromagnetic interference element value environment existing security measures exploited by threat frequency of occurrence frequency of threats GB/T hardware hierarchical treatment Identification of asset impact important assets information security information system Inspection-assessment intrusion detection system likelihood of occurrence loss caused loss of security management tools management vulnerability matrix method multiplication method obsolete occurrence of security operating system organization organization’s personnel principle of risk relevant residual risk risk analysis risk assessment process risk assessment tool risk calculation risk elements risk management plan risk matrix security attributes security incident loss security requirements security risk self-assessment severity of vulnerability specific standard technical technical vulnerability threat T1 value-assignment Very-low vulnerability identification vulnerability scanner vulnerability scanning tools vulnerability V1