1. Risk assessment preparation
The main task of this stage is to develop the assessment work plan, including the assessment objectives, the scope of the assessment and the security risk assessment work programme. According to the needs of the assessment work, an assessment team is formed and the responsibilities of all parties are made clear.
2. Asset identification process
Asset identification is mainly accomplished by issuing asset questionnaires to the assessed party. When identifying assets, the list of assets provided by the assessed party is used as the basis for marking important and critical assets and for classifying, in detail, the assets within the assessment scope. Based on their form, assets can be categorized into types such as data, software, hardware, services and personnel.
According to the different requirements of each asset in terms of confidentiality, integrity and availability, each asset is assigned confidentiality, integrity, availability and asset-importance values.
3. Threat identification process
In the threat assessment stage, the assessor identifies the threat sources, considering the common human-caused threats of the day, their possible motives, the weaknesses they can exploit, the possible attack methods and the resulting consequences. After threat identification is complete, the likelihood of each threat occurring is also evaluated: the threats are compiled into a threat list, their attributes are described, and each threat is assigned a value for its frequency of occurrence.
4. Vulnerability identification process
Vulnerability is divided into management vulnerability and technical vulnerability. Management vulnerability identification is accomplished mainly by issuing management vulnerability questionnaires, conducting interviews and manually analysing the existing management system; technical vulnerability identification relies mainly on professional vulnerability detection tools and on inspecting the security configuration of the hardware and software within the assessment scope. Once vulnerability identification is complete, each identified vulnerability of a specific asset is assigned a severity value; the greater the value, the more severe the vulnerability.
5. Confirmation of existing security measures
Security measures can be divided into preventive security measures and protective security measures. Preventive security measures reduce the likelihood that a threat exploiting a vulnerability leads to a security incident, for example intrusion detection systems; protective security measures reduce the impact on the organization or system when a security incident does occur.
6. Risk analysis process
After the above steps are complete, suitable methods and tools are used to perform the security risk analysis and calculation. The risk value is calculated with a risk calculation method chosen to fit the situation, such as the matrix method or the multiplication method. If the risk value is within the acceptable range, the risk is recorded as acceptable; if the risk value is outside the acceptable range, security measures need to be taken to reduce and control the risk.
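The following is an added example, not part of the original text or of any standard, showing how the asset, threat and vulnerability values assigned in the earlier steps feed the two calculation methods named above. The 5x5 lookup tables, the square-root form of the multiplication method and the acceptable-risk threshold are all constructed for illustration.

```python
import math

# Constructed 5x5 table combining two factors rated 1..5 into a 1..5 result.
# Used for likelihood (threat frequency x vulnerability severity) and for
# impact (asset value x vulnerability severity) in the matrix method.
COMBINE = [
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 3],
    [2, 2, 3, 3, 4],
    [2, 3, 3, 4, 4],
    [3, 3, 4, 4, 5],
]

# Constructed 5x5 risk table: rows = likelihood 1..5, cols = impact 1..5.
RISK_MATRIX = [
    [1, 1, 2, 2, 3],
    [1, 2, 2, 3, 4],
    [2, 2, 3, 4, 4],
    [2, 3, 4, 4, 5],
    [3, 4, 4, 5, 5],
]


def matrix_risk(asset_value, threat_freq, vuln_severity):
    """Matrix method: read likelihood, impact and risk from lookup tables."""
    likelihood = COMBINE[threat_freq - 1][vuln_severity - 1]
    impact = COMBINE[asset_value - 1][vuln_severity - 1]
    return RISK_MATRIX[likelihood - 1][impact - 1]


def multiplication_risk(asset_value, threat_freq, vuln_severity):
    """Multiplication method (one illustrative form): geometric means of
    the factors, rounded back onto the 1..5 scale."""
    likelihood = math.sqrt(threat_freq * vuln_severity)
    impact = math.sqrt(asset_value * vuln_severity)
    return round(math.sqrt(likelihood * impact))


def classify(risk_value, acceptable_max=2):
    """Risks at or below the (assumed) threshold are accepted; others need treatment."""
    return "acceptable" if risk_value <= acceptable_max else "treat"


def assess(assets, acceptable_max=2):
    """assets: iterable of (name, asset_value, threat_freq, vuln_severity)."""
    results = []
    for name, a, t, v in assets:
        m, p = matrix_risk(a, t, v), multiplication_risk(a, t, v)
        results.append({"asset": name, "matrix": m, "multiplication": p,
                        "decision": classify(max(m, p), acceptable_max)})
    return results
```

Running the two methods side by side shows they can disagree on the same inputs, which is why the method should be chosen once and documented in the assessment work plan.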