安全能力过程（Security capability process）.docVIP

安全能力过程（Security capability process） Security threats of 1\ systems are complex and diverse, and evolve over time. Therefore, the identification and assessment of external threats, as an important component of security services, are carried out periodically, and the evaluation cycle is determined primarily through consultation with the user on the basis of the value of the information assets of the system. The evaluation of external security threats follows the procedure shown in figure 1. Figure 1 security threat assessment procedures Among them, information collection mainly from the state, industry, information security authority and international security organizations, service providers published literature reports, the system security incidents occurred in the past and security audit reports and so on. Classification analysis mainly uses the knowledge of security threats, knowledge base, the nature and characteristics of threats, and adds new threats and related knowledge to the knowledge base. Threat assessment uses the accumulated knowledge of security event knowledge and system security architecture to construct a virtual attack chain, to evaluate the probability of attack by link, and finally obtain the probability of using vulnerability. The vulnerability of 2\ system is the inherent security characteristics of the system relative to external threats, including technical factors, including management factors, and also changes with the system itself and the external environment. As one of the important processes of security service, vulnerability assessment is carried out periodically or as a special work. The system vulnerability assessment is carried out in accordance with the procedures shown in figure 2. Figure 2 vulnerability assessment procedures Among them, classification analysis and vulnerability assessment are mainly based on Q/GDW 2814011-2013, information security technology, information security risk classification and classification guide. Bas