1
/
от
12
PayPal, credit cards. Download editable-PDF and invoice in 1 second!
YD/T 1730-2008 English PDF (YD/T1730-2008)
YD/T 1730-2008 English PDF (YD/T1730-2008)
Обичайна цена
$310.00 USD
Обичайна цена
Цена при разпродажба
$310.00 USD
Единична цена
/
за
Не може да се зареди възможността за взимане
Delivery: 2 working-hours manually (Sales@ChineseStandard.net)
Need delivered in 3-second? USA-Site: YD/T 1730-2008
Get Quotation: Click YD/T 1730-2008 (Self-service in 1-minute)
Historical versions (Master-website): YD/T 1730-2008
Preview True-PDF (Reload/Scroll-down if blank)
YD/T 1730-2008: Implementation Guide for Security Risk Assessment of Telecom Network and Internet
YD/T 1730-2008
COMMUNICATION INDUSTRY STANDARD
OF THEPEOPLE’S REPUBLIC OF CHINA
Implementation guide for security risk assessment of
telecom network and internet
ISSUED ON. JANUARY 14, 2008
IMPLEMENTED ON. JANUARY 14, 2008
Issued by. Ministry of Information Industry of PRC
Table of Contents
Foreword... 3
1 Scope... 6
2 Normative references... 6
3 Terms and definitions... 7
4 Risk assessment framework and process... 10
4.1 Relationship of risk factors... 10
4.2 Implementation process... 12
4.3 Form of work... 12
4.4 Principles to follow... 13
5 Implementation of risk assessment... 14
5.1 Preparation for risk assessment... 14
5.2 Asset identification... 16
5.3 Threat identification... 19
5.4 Vulnerability identification... 21
5.5 Relationship of threat exploitability vulnerabilities... 24
5.6 Confirmation of existing security measures... 25
5.7 Risk analysis... 25
5.8 Risk assessment documents... 28
6 Different requirements for risk assessment in the life cycle of system of telecom
network and internet... 30
6.1 Overview of the life cycle of system of telecom network and internet... 30
6.2 Risk assessment of startup stage... 31
6.3 Risk assessment of design stage... 32
6.4 Risk assessment of implementation stage... 33
6.5 Risk assessment of operation and maintenance stage... 34
6.6 Risk assessment of discarding stage... 35
Appendix A (Normative) Calculation method of asset value... 36
Appendix B (Normative) Calculation method of risk value... 38
References... 40
Implementation guide for security risk assessment of
telecom network and internet
1 Scope
This standard specifies the elements of risk assessment for telecom network and internet
security, the relationship between the elements, the implementation process, the form
of work, the principles to be followed, the different requirements and implementation
points at different stages of the life cycle of telecom network and internet.
This standard applies to the risk assessment work of the telecom networks and the
internet.
This standard can be used as an overall guidance document for the security risk
assessment of telecom network and internet. For the security risk assessment of specific
networks, please refer to the security protection requirements and security protection
testing requirements of specific networks.
2 Normative references
The provisions in following documents become the provisions of this Standard through
reference in this Standard. For the dated references, the subsequent amendments
(excluding corrections) or revisions do not apply to this Standard; however, parties who
reach an agreement based on this Standard are encouraged to study if the latest versions
of these documents are applicable. For undated references, the latest edition of the
referenced document applies.
GB/T 5271.8-2001 Information technology - Vocabulary - Part 8.Security
GB/T 9361-2000 Security requirements for computer field
GB/T 19716-2005 Information technology - Code of practice for information
security management
YD/T 754-95 General rules for electrostatic protection of communication rooms
YD/T 5026-2005 Installation and design standard for cabling duct in the room of
telecommunication
YD 5002-94 Design standard for fire protection of posts and communications building
YD 5098-2005 Specifications of engineering design for lightning protection and
4.4.5 Confidentiality principle
The assessor shall sign relevant non-disclosure agreements and non-invasive
agreements with the assessed network and service operators, so as to protect the
interests of the assessed party.
5 Implementation of risk assessment
5.1 Preparation for risk assessment
The preparation of the risk assessment is the guarantee of the effectiveness of the whole
risk assessment process. Implementing a risk assessment is a strategic consideration;
the results will be affected by the organization's business strategy, business processes,
security requirements, system size, structure, etc. Therefore, before the implementation
of a risk assessment, the following preparations shall be made.
a) Obtain support and cooperation;
b) Determine the objectives of the risk assessment;
c) Determine the content of the risk assessment;
d) Form a risk assessment team;
e) Conduct research on the assessed subject;
f) Determine the assessment basis and method.
5.1.1 Get support and cooperation
The self-assessment shall be approved by the managing-personnel who are responsible
for the relevant work of the organization. The tasks of the relevant management and
technical personnel in the risk assessment work shall be clarified. For the inspection
assessment, the network and service operators under assessment have the responsibility
and obligation to support and cooperate, so as to ensure the smooth progress of the
inspection assessment.
5.1.2 Determine objectives
The preparation stage of risk assessment shall clarify the objectives of risk assessment,
and provide guidance for the process of risk assessment.
The goal of risk assessment for system of telecom network and internet is to identify
the technical and management vulnerabilities, threats faced, possible risks of system of
telecom network and internet; be clear with the objective risks; propose and implement
appropriate security protection measures in a targeted manner; thereby reducing the
occurrence of security events; meeting the security requirements of the sustainable
development of the organization's business; maintaining and improving the
organization's competitive advantage, profitability and corporate image; meeting the
requirements of the country and industry for system of telecom network and internet.
5.1.3 Determine the content
Determining the risk assessment content, based on the risk assessment objective, is the
premise of completing the risk assessment. The content of the security risk assessment
of the system of telecom network and internet can be all the assets and management
institutions in the entire system of telecom network and internet, OR it can be the
independent assets and related departments of a certain part of the system of telecom
network and internet. The content of risk assessment includes management security
risks and technical security risks. The risk assessment content of management security
includes security management organization, security management system, personnel
security management, system building management, system operation and maintenance
management, etc. The risk assessment content of technical security includes
business/application security, network security, equipment security, physical
environment security, etc.
5.1.4 Form a team
Appropriate risk assessment management and implementation teams shall be formed to
support the advancement of the entire risk assessment process. The risk assessment
team for self-assessment can be formed by the relevant business key-personnel,
technical personnel and management personnel of the development, maintenance and
management of the network and service operators. The risk assessment team for
inspection assessment may consist of a competent authority and assessment agency.
The assessment team shall be able to ensure that the risk assessment work is carried out
effectively.
5.1.5 Research the assessed object
The risk assessment team shall conduct sufficient research on the assessment objects,
in the system of telecom network and internet. The research content shall include the
network structure and network environment; the main hardware and software and the
data and information contained therein; the personnel of management, maintenance and
use. Focus on researching the asset value, existing vulnerabilities and threats of the
assessed object, so as to lay the foundation for the selection of the basis and method of
risk assessment AND the implementation of the assessment.
The survey of assessed objects can be carried out by a combination of questionnaire
survey and on-site interview. Questionnaire is a question form, that provides a set of
management or operation control questions for technical or management personnel to
fill in; on-site interview is for assessors to observe and collect information, on the
physical environment and operation of the assessed party.
certain conditions and circumstances, which is the most difficult part of vulnerability
identification. Incorrect, ineffective, or not properly implemented security measures can
be a vulnerability in themselves.
The methods used in vulnerability identification mainly include questionnaire survey,
tool detection, manual verification, document review, penetration testing, etc. It shall
be noted that, when identifying the asset vulnerabilities of has-been-running system of
telecom network and internet, it is necessary to avoid affecting the normal operation of
the system of telecom network and internet, as much as possible; it shall be completed
in the experimental environment of equal conditions, as much as possible.
Vulnerability identification takes assets as the core; identifies the vulnerabilities that
may be exploited by threats for each asset; evaluates the severity of the vulnerabilities.
It can also be identified from the physical environment, equipment and systems,
network, business/application, etc.; then combined with assets and threats. The data for
vulnerability identification shall come from the owners and users of assets, experts in
the business field of the system of telecom network and internet, as well as professionals
in software and hardware, etc.
Vulnerability identification is mainly carried out from two aspects. technology and
management. Technical vulnerability involves security issues at the physical
environment layer, equipment and system layer, network layer, business/application
layer. Management vulnerability can be divided into technical management
vulnerability and organization management vulnerability. The former is related to
specific technical activities, whilst the latter is related to the management environment.
For different identification objects, the specific requirements for vulnerability
identification shall be implemented, with reference to the corresponding technical or
management standards. For example, the vulnerability identification of the physical
environment can be implemented, with reference to the technical indicators in such
standards as GB/T 9361-2000, YD/T 5026-2005, YD 5098-2005, YD 5002-94, YD/T
754-95; the vulnerability identification of the equipment and network can refer to the
technical indicators in the standards, such as YDN 126-2005 and YDN 127-2005; the
identification of management vulnerability can refer to the requirements in the
standards, such as GB/T 19716-2005, ISO/IEC 17799-2005, ISO/IEC 13335.1-2004, to
carry out inspections of security management systems and their implementation, and
identify management loopholes and deficiencies.
Table 9 provides a reference for the content of vulnerability identification.
taken. If the risk result is within the acceptable range, the risk is acceptable and the
existing risk shall be maintained. If the risk result is out of acceptable range, it is an
unacceptable risk; then it is necessary to formulate a risk treatment plan and take new
security measures to reduce and control the risk.
It shall comprehensively consider the risk control cost and the impact of the risk;
combine the security level of the network or system, where the asset is located, to
propose an acceptable risk threshold.
5.7.3 Risk treatment plan
For unacceptable risks, a risk treatment plan shall be developed based on the
vulnerabilities and threats that lead to the risk. The risk treatment plan specifies the new
security measures to compensate the vulnerability; reduces the loss as caused by the
security event; or reduces the occurring possibility of security event, the expected
effects, the implementation conditions, the schedule, the responsible departments, etc.
The selection of security measures shall fully take into account the possible constraints
of organization, capital, environment, personnel, time, law, technology, social culture,
considering both management and technology; the management measures can be used
as a supplement to technical measures. The selection and implementation of security
measures shall refer to relevant national and industry standards.
After selecting new security measures for unacceptable risks, in order to ensure the
effectiveness of security measures, re-assessment shall be carried out to determine
whether the residual risk, after the implementation of new security measures that has
been reduced to an acceptable level. The assessment of residual risk can be carried out
according to the risk assessment process of this standard; it can also be appropriately
reduced.
For some risks, after the selection of new security measures, the risk assessment result
of residual risk is still within the unacceptable range. In this case, it shall be considered
whether to accept this risk OR further increase the corresponding security measures.
5.8 Risk assessment documents
5.8.1 Requirements for risk assessment documents
During the risk analysis process of the system of telecom network and internet, it shall
record the risk assessment process; keep it as an assessment document. It shall meet
(but not be limited to) the following requirements.
a) Ensure that documents are approved prior to publication;
b) Ensure that changes to the document and the current revision status are
identifiable;
c) Ensure that the distribution of the documentation is properly controlled AND that
the relevant version of the applicable documentation is available at the time of
use;
d) Prevent the unintended use of obsolete documents; if obsolete documents need to
be retained for any purpose, they shall be properly identified.
Controls required for identification, storage, protection, retrieval, shelf life, disposal
Need delivered in 3-second? USA-Site: YD/T 1730-2008
Get Quotation: Click YD/T 1730-2008 (Self-service in 1-minute)
Historical versions (Master-website): YD/T 1730-2008
Preview True-PDF (Reload/Scroll-down if blank)
YD/T 1730-2008: Implementation Guide for Security Risk Assessment of Telecom Network and Internet
YD/T 1730-2008
COMMUNICATION INDUSTRY STANDARD
OF THEPEOPLE’S REPUBLIC OF CHINA
Implementation guide for security risk assessment of
telecom network and internet
ISSUED ON. JANUARY 14, 2008
IMPLEMENTED ON. JANUARY 14, 2008
Issued by. Ministry of Information Industry of PRC
Table of Contents
Foreword... 3
1 Scope... 6
2 Normative references... 6
3 Terms and definitions... 7
4 Risk assessment framework and process... 10
4.1 Relationship of risk factors... 10
4.2 Implementation process... 12
4.3 Form of work... 12
4.4 Principles to follow... 13
5 Implementation of risk assessment... 14
5.1 Preparation for risk assessment... 14
5.2 Asset identification... 16
5.3 Threat identification... 19
5.4 Vulnerability identification... 21
5.5 Relationship of threat exploitability vulnerabilities... 24
5.6 Confirmation of existing security measures... 25
5.7 Risk analysis... 25
5.8 Risk assessment documents... 28
6 Different requirements for risk assessment in the life cycle of system of telecom
network and internet... 30
6.1 Overview of the life cycle of system of telecom network and internet... 30
6.2 Risk assessment of startup stage... 31
6.3 Risk assessment of design stage... 32
6.4 Risk assessment of implementation stage... 33
6.5 Risk assessment of operation and maintenance stage... 34
6.6 Risk assessment of discarding stage... 35
Appendix A (Normative) Calculation method of asset value... 36
Appendix B (Normative) Calculation method of risk value... 38
References... 40
Implementation guide for security risk assessment of
telecom network and internet
1 Scope
This standard specifies the elements of risk assessment for telecom network and internet
security, the relationship between the elements, the implementation process, the form
of work, the principles to be followed, the different requirements and implementation
points at different stages of the life cycle of telecom network and internet.
This standard applies to the risk assessment work of the telecom networks and the
internet.
This standard can be used as an overall guidance document for the security risk
assessment of telecom network and internet. For the security risk assessment of specific
networks, please refer to the security protection requirements and security protection
testing requirements of specific networks.
2 Normative references
The provisions in following documents become the provisions of this Standard through
reference in this Standard. For the dated references, the subsequent amendments
(excluding corrections) or revisions do not apply to this Standard; however, parties who
reach an agreement based on this Standard are encouraged to study if the latest versions
of these documents are applicable. For undated references, the latest edition of the
referenced document applies.
GB/T 5271.8-2001 Information technology - Vocabulary - Part 8.Security
GB/T 9361-2000 Security requirements for computer field
GB/T 19716-2005 Information technology - Code of practice for information
security management
YD/T 754-95 General rules for electrostatic protection of communication rooms
YD/T 5026-2005 Installation and design standard for cabling duct in the room of
telecommunication
YD 5002-94 Design standard for fire protection of posts and communications building
YD 5098-2005 Specifications of engineering design for lightning protection and
4.4.5 Confidentiality principle
The assessor shall sign relevant non-disclosure agreements and non-invasive
agreements with the assessed network and service operators, so as to protect the
interests of the assessed party.
5 Implementation of risk assessment
5.1 Preparation for risk assessment
The preparation of the risk assessment is the guarantee of the effectiveness of the whole
risk assessment process. Implementing a risk assessment is a strategic consideration;
the results will be affected by the organization's business strategy, business processes,
security requirements, system size, structure, etc. Therefore, before the implementation
of a risk assessment, the following preparations shall be made.
a) Obtain support and cooperation;
b) Determine the objectives of the risk assessment;
c) Determine the content of the risk assessment;
d) Form a risk assessment team;
e) Conduct research on the assessed subject;
f) Determine the assessment basis and method.
5.1.1 Get support and cooperation
The self-assessment shall be approved by the managing-personnel who are responsible
for the relevant work of the organization. The tasks of the relevant management and
technical personnel in the risk assessment work shall be clarified. For the inspection
assessment, the network and service operators under assessment have the responsibility
and obligation to support and cooperate, so as to ensure the smooth progress of the
inspection assessment.
5.1.2 Determine objectives
The preparation stage of risk assessment shall clarify the objectives of risk assessment,
and provide guidance for the process of risk assessment.
The goal of risk assessment for system of telecom network and internet is to identify
the technical and management vulnerabilities, threats faced, possible risks of system of
telecom network and internet; be clear with the objective risks; propose and implement
appropriate security protection measures in a targeted manner; thereby reducing the
occurrence of security events; meeting the security requirements of the sustainable
development of the organization's business; maintaining and improving the
organization's competitive advantage, profitability and corporate image; meeting the
requirements of the country and industry for system of telecom network and internet.
5.1.3 Determine the content
Determining the risk assessment content, based on the risk assessment objective, is the
premise of completing the risk assessment. The content of the security risk assessment
of the system of telecom network and internet can be all the assets and management
institutions in the entire system of telecom network and internet, OR it can be the
independent assets and related departments of a certain part of the system of telecom
network and internet. The content of risk assessment includes management security
risks and technical security risks. The risk assessment content of management security
includes security management organization, security management system, personnel
security management, system building management, system operation and maintenance
management, etc. The risk assessment content of technical security includes
business/application security, network security, equipment security, physical
environment security, etc.
5.1.4 Form a team
Appropriate risk assessment management and implementation teams shall be formed to
support the advancement of the entire risk assessment process. The risk assessment
team for self-assessment can be formed by the relevant business key-personnel,
technical personnel and management personnel of the development, maintenance and
management of the network and service operators. The risk assessment team for
inspection assessment may consist of a competent authority and assessment agency.
The assessment team shall be able to ensure that the risk assessment work is carried out
effectively.
5.1.5 Research the assessed object
The risk assessment team shall conduct sufficient research on the assessment objects,
in the system of telecom network and internet. The research content shall include the
network structure and network environment; the main hardware and software and the
data and information contained therein; the personnel of management, maintenance and
use. Focus on researching the asset value, existing vulnerabilities and threats of the
assessed object, so as to lay the foundation for the selection of the basis and method of
risk assessment AND the implementation of the assessment.
The survey of assessed objects can be carried out by a combination of questionnaire
survey and on-site interview. Questionnaire is a question form, that provides a set of
management or operation control questions for technical or management personnel to
fill in; on-site interview is for assessors to observe and collect information, on the
physical environment and operation of the assessed party.
certain conditions and circumstances, which is the most difficult part of vulnerability
identification. Incorrect, ineffective, or not properly implemented security measures can
be a vulnerability in themselves.
The methods used in vulnerability identification mainly include questionnaire survey,
tool detection, manual verification, document review, penetration testing, etc. It shall
be noted that, when identifying the asset vulnerabilities of has-been-running system of
telecom network and internet, it is necessary to avoid affecting the normal operation of
the system of telecom network and internet, as much as possible; it shall be completed
in the experimental environment of equal conditions, as much as possible.
Vulnerability identification takes assets as the core; identifies the vulnerabilities that
may be exploited by threats for each asset; evaluates the severity of the vulnerabilities.
It can also be identified from the physical environment, equipment and systems,
network, business/application, etc.; then combined with assets and threats. The data for
vulnerability identification shall come from the owners and users of assets, experts in
the business field of the system of telecom network and internet, as well as professionals
in software and hardware, etc.
Vulnerability identification is mainly carried out from two aspects. technology and
management. Technical vulnerability involves security issues at the physical
environment layer, equipment and system layer, network layer, business/application
layer. Management vulnerability can be divided into technical management
vulnerability and organization management vulnerability. The former is related to
specific technical activities, whilst the latter is related to the management environment.
For different identification objects, the specific requirements for vulnerability
identification shall be implemented, with reference to the corresponding technical or
management standards. For example, the vulnerability identification of the physical
environment can be implemented, with reference to the technical indicators in such
standards as GB/T 9361-2000, YD/T 5026-2005, YD 5098-2005, YD 5002-94, YD/T
754-95; the vulnerability identification of the equipment and network can refer to the
technical indicators in the standards, such as YDN 126-2005 and YDN 127-2005; the
identification of management vulnerability can refer to the requirements in the
standards, such as GB/T 19716-2005, ISO/IEC 17799-2005, ISO/IEC 13335.1-2004, to
carry out inspections of security management systems and their implementation, and
identify management loopholes and deficiencies.
Table 9 provides a reference for the content of vulnerability identification.
taken. If the risk result is within the acceptable range, the risk is acceptable and the
existing risk shall be maintained. If the risk result is out of acceptable range, it is an
unacceptable risk; then it is necessary to formulate a risk treatment plan and take new
security measures to reduce and control the risk.
It shall comprehensively consider the risk control cost and the impact of the risk;
combine the security level of the network or system, where the asset is located, to
propose an acceptable risk threshold.
5.7.3 Risk treatment plan
For unacceptable risks, a risk treatment plan shall be developed based on the
vulnerabilities and threats that lead to the risk. The risk treatment plan specifies the new
security measures to compensate the vulnerability; reduces the loss as caused by the
security event; or reduces the occurring possibility of security event, the expected
effects, the implementation conditions, the schedule, the responsible departments, etc.
The selection of security measures shall fully take into account the possible constraints
of organization, capital, environment, personnel, time, law, technology, social culture,
considering both management and technology; the management measures can be used
as a supplement to technical measures. The selection and implementation of security
measures shall refer to relevant national and industry standards.
After selecting new security measures for unacceptable risks, in order to ensure the
effectiveness of security measures, re-assessment shall be carried out to determine
whether the residual risk, after the implementation of new security measures that has
been reduced to an acceptable level. The assessment of residual risk can be carried out
according to the risk assessment process of this standard; it can also be appropriately
reduced.
For some risks, after the selection of new security measures, the risk assessment result
of residual risk is still within the unacceptable range. In this case, it shall be considered
whether to accept this risk OR further increase the corresponding security measures.
5.8 Risk assessment documents
5.8.1 Requirements for risk assessment documents
During the risk analysis process of the system of telecom network and internet, it shall
record the risk assessment process; keep it as an assessment document. It shall meet
(but not be limited to) the following requirements.
a) Ensure that documents are approved prior to publication;
b) Ensure that changes to the document and the current revision status are
identifiable;
c) Ensure that the distribution of the documentation is properly controlled AND that
the relevant version of the applicable documentation is available at the time of
use;
d) Prevent the unintended use of obsolete documents; if obsolete documents need to
be retained for any purpose, they shall be properly identified.
Controls required for identification, storage, protection, retrieval, shelf life, disposal
Share
