ICS35.240.01 I6440 团体标准 T/WHCSA007-2024 网络安全风险量化评估规范 SpecificationforQuantitativeAssessmentof CybersecurityRisks 2024-12-30发布 2025-01-10实施 武汉市网络安全协会发布 全国团体标准信息平台 IT/WHCSA007—2024 目次 前 言..............................................................................III 引 言...............................................................................IV 1范围................................................................................1 2规范性引用文件......................................................................1 3术语定义............................................................................1 3.1风险评估......................................................................1 3.2网络安全风险量化评估..........................................................1 3.3组织安全量化指数..............................................................1 3.4内部安全管理量化指数..........................................................1 3.5外部安全有效性量化指数........................................................1 3.6组织量化评级..................................................................2 3.7组织暴露面....................................................................2 3.8下属机构......................................................................2 3.9外部数据泄露..................................................................2 3.10第三方供应链.................................................................2 3.11网络安全保险.................................................................2 4风险量化评估概述....................................................................2 4.1评估原则......................................................................2 4.2评估思路......................................................................3 4.3评估度量......................................................................3 4.4风险量化等级划分..............................................................3 5评估内容............................................................................3 6评估周期............................................................................4 7评估流程............................................................................4 7.1流程概述......................................................................4 7.2评估准备......................................................................4 7.3评估方案编制..................................................................5 7.4评估数据采集..................................................................6 7.5评估数据分析量化..............................................................6 7.6评估报告编制..................................................................7 8评估结果应用........................................................................7 8.1组织安全量化管理..............................................................7 8.2政府安全合规管理赋能..........................................................7 8.3数字供应链安全管理............................................................7 8.4网络安全保险..................................................................8 9后续工作............................................................................8 9.1风险处置和复评................................................................8 9.2持续监控和评估结果更新........................................................8 9.3评估工作改进和优化............................................................8 10其它...............................................................................8 10.1工具和技术推荐...............................................................8 全国团体标准信息平台 II10.2培训和认证...................................................................9 10.3评估机构与人员认定和管理.....................................................9 附录A...............................................................................11 附录B...............................................................................12 附录C................................................................................13 附录D................................................................................15 全国团体标准信息平台 III前 言 本文件按照GB/T1.1—2020《标准化工作导则第1部分：标准化文件的结构和起草规则》的规定起草。 请注意本文件的某些内容可能涉及专利。本文件的发布机构不承担识别专利的责任。 本文