ISO/IEEE 11073-40101:2022 Health informatics - Device interoperability - Part 40101: Foundational - Cybersecurity - Processes for vulnerability assessment
Standard number: ISO/IEEE 11073-40101:2022
Chinese title: 健康信息学 设备互操作性 第40101部分:基础 网络安全 脆弱性评估过程
English title: Health informatics — Device interoperability — Part 40101: Foundational — Cybersecurity — Processes for vulnerability assessment
Publication date: 2022-03
Scope
Within the context of secure plug-and-play interoperability, cybersecurity is the process and capability of preventing unauthorized access or modification, misuse, denial of use, or the unauthorized use of information that is stored on, accessed from, or transferred to and from a PHD/PoCD (personal health device / point-of-care device). The process part of cybersecurity is risk analysis of use cases specific to a PHD/PoCD. For PHDs/PoCDs, this standard defines an iterative, systematic, scalable, and auditable approach to identification of cybersecurity vulnerabilities and estimation of risk. This iterative vulnerability assessment uses the Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege (STRIDE) classification scheme and the embedded Common Vulnerability Scoring System (eCVSS). The assessment includes system context, system decomposition, pre-mitigation scoring, mitigation, and post-mitigation scoring, and iterates until the remaining vulnerabilities are reduced to an acceptable level of risk.
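The loop the scope describes (decompose, classify with STRIDE, score, mitigate, rescore, repeat until residual risk is acceptable), as an added example that is not part of the standard or of this catalog entry. The standard's eCVSS metric set is not reproduced on this page, so the scoring below uses the public CVSS v3.1 base-score formula as a stand-in; the glucose-meter decomposition, the two threats, their metric vectors, the mitigations and the 4.0 acceptance threshold are all constructed for illustration.

```python
"""Iterative STRIDE + scoring assessment (added example, not the standard's
text or code). Scoring uses the public CVSS v3.1 base formula as a stand-in
for eCVSS, which this page does not define. All threat data is constructed."""
import math
from dataclasses import dataclass, field

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# CVSS v3.1 base-metric weights (FIRST specification).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, with float guard."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score(v: dict) -> float:
    """CVSS v3.1 base score for a vector given as {"AV": "A", "AC": "L", ...}."""
    changed = v["S"] == "C"
    pr = (PR_CHANGED if changed else PR_UNCHANGED)[v["PR"]]
    exploitability = 8.22 * AV[v["AV"]] * AC[v["AC"]] * pr * UI[v["UI"]]
    iss = 1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return roundup(min(1.08 * total if changed else total, 10))


@dataclass
class Threat:
    ref: str
    component: str          # element from the system decomposition
    stride: str             # one STRIDE letter
    description: str
    vector: dict            # current (pre- or post-mitigation) metrics
    mitigations: list       # queue of (name, metric overrides), applied in order
    applied: list = field(default_factory=list)

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE class {self.stride!r}")


def assess(threats: list, acceptable: float = 4.0, max_rounds: int = 10) -> dict:
    """Score, mitigate everything above the threshold, rescore, repeat.
    Stops when all threats are acceptable, when no queued mitigation remains,
    or after max_rounds; anything still above threshold is reported as residual."""
    scores = {t.ref: base_score(t.vector) for t in threats}
    rounds = 0
    while rounds < max_rounds:
        open_threats = [t for t in threats if scores[t.ref] > acceptable]
        if not open_threats:
            break
        progressed = False
        for t in open_threats:
            if t.mitigations:
                name, overrides = t.mitigations.pop(0)
                t.vector = {**t.vector, **overrides}   # post-mitigation vector
                t.applied.append(name)
                progressed = True
        if not progressed:
            break   # out of mitigations: residual risk needs acceptance or redesign
        rounds += 1
        scores = {t.ref: base_score(t.vector) for t in threats}
    residual = [t.ref for t in threats if scores[t.ref] > acceptable]
    return {"rounds": rounds, "scores": scores, "residual": residual,
            "applied": {t.ref: list(t.applied) for t in threats}}


def example_threats() -> list:
    """Constructed decomposition of a hypothetical BLE glucose meter (a PHD)."""
    return [
        Threat("T1", "BLE link to gateway", "T",
               "measurement frames altered in transit on an unauthenticated link",
               {"AV": "A", "AC": "L", "PR": "N", "UI": "N", "S": "U",
                "C": "N", "I": "H", "A": "N"},
               [("authenticated encryption on the link", {"AC": "H", "I": "L"})]),
        Threat("T2", "debug UART on the PCB", "E",
               "unauthenticated debug shell gives full control of the device",
               {"AV": "P", "AC": "L", "PR": "N", "UI": "N", "S": "C",
                "C": "H", "I": "H", "A": "H"},
               [("signed debug-unlock token", {"AC": "H", "PR": "H"}),
                ("secure boot + encrypted flash",
                 {"S": "U", "C": "L", "I": "L", "A": "N"})]),
    ]


def run_example() -> dict:
    return assess(example_threats())
```

With the constructed data, T1 scores 6.5 before and 3.1 after its single mitigation, while T2 starts at 7.6, drops only to 6.9 after the first mitigation and needs a second round to reach 2.7, so `run_example()` reports two rounds and no residual. Lowering `acceptable` below what the queued mitigations can reach makes the loop stop with both threats listed as residual instead of looping forever, which is the auditable record the standard's "iterate until acceptable" wording implies.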