
Differences Between Risk Assessment and Classified Protection (等保) Assessment

2025-03-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

With the promulgation and implementation of the Network Security Law in 2017, more and more enterprise leaders have begun to pay attention to the network security construction of their own enterprises, and the upcoming release of "Information Security Technology - Basic Requirements for Classified Protection of Network Security" V2.0 defines the direction of enterprise network security construction more clearly. In recent technical exchanges with customers, the author has often heard the terms "risk assessment" and "classified protection assessment", and some customers frequently confuse the two. This article summarizes the similarities and differences between risk assessment and classified protection assessment.

I. Overview of risk assessment and classified protection assessment

Risk assessment:

In 2007, the National Standardization Management Committee issued GB/T 20984-2007 "Information Security Technology - Information Security Risk Assessment Specification", which is the main basis for information security risk assessment. On the basis of the original standard, the second edition of the information technology security risk assessment standard, ISO/IEC 27005:2011, was issued in 2011. The methods recommended by GB/T 20984-2007 and ISO/IEC 27005:2011 can both be used as methods of information security risk assessment.

Risk assessment includes three processes: risk identification, risk analysis and risk evaluation. Its main activities are: ① establish the relevant guidelines, ② determine the scope and boundaries of the risk assessment, ③ risk analysis, ④ risk evaluation, ⑤ risk treatment. For details, see the following figure:

Figure 1 Risk assessment activities

Classified protection assessment:

GB/T 28449-2012 "Information Security Technology - Guide to the Evaluation Process for Classified Protection of Information Systems" is the main reference basis for classified protection assessment. This standard describes the assessment from the point of view of the assessment process and its tasks, which comprise assessment preparation, scheme preparation, on-site assessment and report preparation. The specific contents include determining the scope of the assessment, identifying the asset objects to be tested, identifying non-conformities, risk analysis and evaluation, and putting forward suggestions for rectification and improvement.

Figure 2 Classified protection assessment activities

From the above description, we can see that risk assessment and classified protection assessment have something in common in some respects, but there are also many differences.

II. Analysis of the differences between risk assessment and classified protection assessment

The methods and criteria for their implementation are different.

Risk assessment must establish its risk assessment method, risk assessment criteria, impact assessment criteria and risk acceptance criteria before implementation, while classified protection assessment does not need to establish assessment methods and criteria, because GB/T 28449-2012 already specifies them in detail. In addition, the risk analysis and evaluation results in a classified protection assessment are used only as inputs to the assessment conclusion and have nothing to do with the final rectification opinions.

The scope and boundary definitions of the two are different

The two differ in the method and basis for determining the implementation scope and boundary. First, the scope and boundary of a risk assessment must take many factors into account and are relatively complex to define. In a classified protection assessment, defining the boundary is relatively simple: the network boundary of the assessed system is judged according to the circumstances of that system.

Figure 3 Scope and boundary definition

The two deal with different objects.

In GB/T 22239-2008, the asset objects comprise six parts: physical environment, host environment, network environment, application environment, data security and security management. The soon-to-be-released basic requirements for classified protection V2.0 cover physical environment, communication network, computing environment, management center and security management. Chapter "7.2.1 Confirmation of assessment objects" of GB/T 28449-2012 describes the objects of classified protection assessment in detail, including the computer room, business software, host operating systems, database systems, network equipment, security equipment, management documents and so on. The asset objects in risk assessment include information assets, hardware assets, software assets, service assets, personnel assets and so on. It can be seen that there are obvious differences between the two in terms of objects.

Figure 4 Asset objects for risk assessment and classified protection assessment

As can be seen from the above chart, the scope of assets in risk assessment is obviously wider than that of classified protection assessment. In some specific projects, more than 500 assets have been identified in a single risk assessment project.

The methods of risk analysis and evaluation are different.

There are many methods of risk analysis and evaluation, both qualitative and quantitative. In a classified protection assessment, the risk analysis and evaluation of the non-conformance items found during the assessment is mainly carried out according to the requirements of the "Classified Assessment Report Template (Trial)" (Gongxin An [2009] No. 1487). The assessing body evaluates in a qualitative way and presents the security problems found by the classified assessment, together with the risk analysis and evaluation, in the form of a list. The details are as follows:

Figure 5 Classified protection assessment security problems and risk analysis and evaluation (example)

According to the relevant norms and standards of classified protection, the risk analysis method is used to analyze the possible impact on information system security caused by the security problems present in the classified assessment results (the summarized partial-conformity and non-conformity items in the assessment results).

The analysis process includes:

1) Judge the possibility of the security problem being exploited by a threat; the range of possibility is high, medium and low.

2) Judge the degree of impact on information system security (business information security and system service security) once the security problem is exploited; the range of impact is high, medium and low.

3) Combine the results of 1) and 2) to assign a value to the security risk faced by the information system; the range of risk values is high, medium and low.

4) Evaluate the results of the risk analysis according to the security protection level of the information system, that is, the risk posed to national security, social order, public interests, and the legitimate rights and interests of citizens, legal persons and other organizations.
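The four-step qualitative analysis above, implemented as an added example that is not part of the original article. The 3x3 likelihood/impact matrix and the per-level acceptance rule are assumptions made for illustration; the findings are constructed sample data.

```python
# Added example (not from the article): the four-step qualitative risk analysis
# used in a classified protection assessment, run over constructed findings.
# The likelihood x impact matrix and the per-level acceptance rule are assumptions.
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Assumed 3x3 matrix: rows = likelihood, columns = impact -> risk value (step 3).
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}

@dataclass
class Finding:
    item: str        # requirement area the non-conformity belongs to
    problem: str     # security problem found during the assessment
    likelihood: str  # step 1: possibility of the problem being exploited
    impact: str      # step 2: impact on business information / system service security

def risk_value(likelihood, impact):
    """Step 3: combine likelihood and impact into a high/medium/low risk value."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("likelihood and impact must be low/medium/high")
    return RISK_MATRIX[likelihood][impact]

def acceptable(risk, protection_level):
    """Step 4 (assumed rule): the higher the system's protection level, the less
    residual risk it may carry. Levels 1-2 tolerate medium risk; level 3+ only low."""
    if protection_level >= 3:
        return risk == "low"
    return risk != "high"

def analyse(findings, protection_level):
    """Produce the list-form result (one row per finding, as in Figure 5)."""
    rows = []
    for f in findings:
        r = risk_value(f.likelihood, f.impact)
        rows.append({"item": f.item, "problem": f.problem, "risk": r,
                     "acceptable": acceptable(r, protection_level)})
    return rows

def unacceptable_count(findings, protection_level):
    """Number of findings whose residual risk exceeds what the level tolerates."""
    return sum(1 for row in analyse(findings, protection_level) if not row["acceptable"])

# Constructed sample findings (not real assessment data).
SAMPLE = [
    Finding("host security", "default administrator password unchanged", "high", "high"),
    Finding("security management", "no documented change procedure", "medium", "low"),
    Finding("network security", "audit logs retained for 30 days only", "medium", "medium"),
]
```

Running `analyse(SAMPLE, 3)` shows why step 4 matters: the same medium-risk finding is tolerable for a level-2 system but not for a level-3 one.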

Risk assessment does not prescribe whether qualitative or quantitative methods are used. GB/T 20984-2007 introduces many risk assessment methods and advises organizations or risk assessment teams to use qualitative methods, quantitative methods, or a combination of both, according to the actual situation.

The two have different requirements for conclusions.

In risk assessment, neither GB/T 20984-2007 nor ISO/IEC 27005:2011 requires a conclusion from the assessment; risk assessment focuses more on the results. Classified protection assessment, on the other hand, has clear requirements for the assessment conclusion: whether or not the assessed system meets the basic requirements of classified protection is expressed as "conformity", "basic conformity" or "non-conformity".

The two have different ways of dealing with the conclusions.

In risk assessment there are four options for risk treatment: risk mitigation, risk avoidance, risk retention and risk transfer. Whichever of the four an enterprise chooses for a given risk, it must be implemented through a risk treatment plan. Classified protection assessment is different: it puts forward rectification suggestions according to the assessment results, aimed at a rectification and implementation plan for the non-conformance items found, and it is up to the organization whether to adopt them; there is no requirement to formulate a rectification plan. However, the enterprise must rectify all non-conformance items so that the information system fully meets the basic requirements of classified protection; otherwise, failure to rectify will be punished in accordance with the Network Security Law.

Report compilation

After on-site implementation is complete and all data has been collected, the relevant report must be prepared. The classified protection assessment report has an official template, while the risk assessment report has no template or fixed content requirements.

III. Implementation recommendations

From the above analysis, we can see that the two are very different in nature, so they can learn from each other in implementation, but it is not recommended to merge them into one exercise. Risk assessment and classified protection assessment are two different types of activity and need to be completed separately. It is suggested that the classified protection assessment of the information system be carried out first, followed by the risk assessment; the security problems found during the classified protection assessment can then be reused as input when carrying out the security risk assessment of the information system.

As the first security vendor to put forward the concept of a "white environment" for industrial network security, Venute has so far served more than 500 customers in electric power, petroleum and petrochemicals, rail transit, intelligent manufacturing, gas, water, military, tobacco, coal, chemical industry, universities and scientific research institutions. It has rich experience in industrial control system security construction and security risk assessment, and in 2018 won the ISCCC second-level qualification for information security risk assessment services, an affirmation of Venute's achievements in implementing risk assessments. In 2019, Venute will build on the achievements of 2018 and, with its own professional technical service team, contribute to the network security construction of industrial control systems.
