GB/T 20274.1-2006 Information security technology Evaluation framework for information systems security assurance Part 1: Introduction and general model
1 Scope
GB/T 20274 describes the model of information systems security assurance, establishes the framework for information systems security assurance, and formulates the general security assurance requirements for information systems from the perspectives of technology, management and engineering of information systems security.
This part of GB/T 20274 specifies the basic concepts and model of information systems security assurance and establishes the framework for information systems security assurance.
This part is applicable to all parties involved in information systems security assurance work, including designers and developers, engineering implementers, evaluators and certification/accreditation bodies.
This part is not applicable to the following:
a) Evaluation of personnel skills and capabilities (requirements for personnel security are, however, reflected in the management assurance requirements);
b) System evaluation methodology;
c) Evaluation of the inherent quality of cryptographic algorithms.
2 Normative References
The following documents contain provisions which, through reference in this text, constitute provisions of this part. For dated references, subsequent amendments to (excluding corrigenda), or revisions of, any of these publications do not apply. However, parties to agreements based on this standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. For undated references, the latest edition of the document referred to applies.
GB/T 9387.2-1995 Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture (idt ISO 7498-2: 1989)
GB/T 18336-2001 Information Technology - Security Techniques - Evaluation Criteria For IT Security (idt ISO/IEC 15408:1999)
3 Terms, Definitions and Abbreviations
3.1 Terms and Definitions
For the purposes of this part, the following terms and definitions apply.
3.1.1
Access control
The prevention of unauthorized use of a resource, including the use of a resource in an unauthorized manner.
[GB/T 9387.2-1995, 3.3.1]
3.1.2
Accountability
The property that ensures that the actions of an entity can be traced uniquely to that entity.
[GB/T 9387.2-1995, 3.3.3]
3.1.3
Asset
Information or resources that are protected by the security policy of the information system.
[GB/T18336.1-2001, 3.3.1]
3.1.4
Attack
Behaviour that attempts to bypass the security controls of an information system. Whether an attack succeeds depends on the vulnerability of the information system and the effectiveness of the existing countermeasures.
3.1.5
Audit
An independent review and examination of system records and activities in order to test the adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in controls, policy and procedures.
[GB/T 9387.2-1995, 3.3.5]
3.1.6
Authentication
The verification of the claimed identity of an entity.
3.1.7
Authorization
The granting of rights, including the granting of access based on access rights.
[GB/T 9387.2-1995, 3.3.10]
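The terms defined in 3.1.1, 3.1.2, 3.1.5, 3.1.6 and 3.1.7 are easy to conflate in practice. The following reference-monitor sketch is an added illustration and not part of GB/T 20274 or of any implementation the standard describes; the user names, passwords, asset name and rights table are constructed sample data. It separates the four steps: authentication verifies a claimed identity, authorization is the table of rights granted to an entity, access control enforces those rights at the point of use (including refusing use of a resource "in an unauthorized manner", such as writing with only a read right), and accountability records every decision against the uniquely identified entity so that an audit can later review it.

```python
"""Minimal reference monitor illustrating the distinction between
authentication, authorization, access control and accountability.
Added example; all names and data below are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _derive(password: str, salt: bytes) -> bytes:
    # Password hashing with a per-user salt (iteration count kept low
    # only so the example runs quickly).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _enrol(password: str) -> Tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, _derive(password, salt)


# Constructed credential store: user -> (salt, derived key).
CREDENTIALS = {"alice": _enrol("correct horse"), "bob": _enrol("hunter2")}

# 3.1.7 Authorization: rights granted to each entity on each asset (3.1.3).
RIGHTS = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
}

AuditEvent = Tuple[str, str, str, str]  # (entity, operation, asset, outcome)


@dataclass
class Monitor:
    audit: List[AuditEvent] = field(default_factory=list)
    sessions: dict = field(default_factory=dict)  # token -> authenticated user

    def authenticate(self, user: str, password: str) -> Optional[str]:
        """3.1.6 Authentication: verify the claimed identity.
        Returns a session token on success, None on failure."""
        stored = CREDENTIALS.get(user)
        ok = False
        if stored is not None:
            salt, key = stored
            # Constant-time comparison avoids leaking how many bytes matched.
            ok = hmac.compare_digest(key, _derive(password, salt))
        # Failed logins are recorded too: accountability covers attempts.
        self._record(user, "authenticate", "-", ok)
        if not ok:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def access(self, token: str, asset: str, operation: str) -> bool:
        """3.1.1 Access control: permit the operation only if the
        authenticated entity holds the corresponding right."""
        user = self.sessions.get(token)
        if user is None:
            self._record("<unauthenticated>", operation, asset, False)
            return False
        allowed = operation in RIGHTS.get((user, asset), set())
        self._record(user, operation, asset, allowed)
        return allowed

    def denied_events(self) -> List[AuditEvent]:
        """3.1.5 Audit: the denied decisions an auditor would review first."""
        return [e for e in self.audit if e[3] == "denied"]

    def _record(self, entity: str, operation: str, asset: str, ok: bool) -> None:
        # 3.1.2 Accountability: every decision is tied to one entity.
        self.audit.append((entity, operation, asset, "allowed" if ok else "denied"))


if __name__ == "__main__":
    m = Monitor()
    t = m.authenticate("bob", "hunter2")
    print("bob read :", m.access(t, "payroll.db", "read"))
    print("bob write:", m.access(t, "payroll.db", "write"))
    for event in m.audit:
        print(event)
```

Note that authorization (the `RIGHTS` table) and access control (the `access` method) are deliberately separate: a change to who is granted what does not change the enforcement logic, and the audit trail shows which entity the monitor believed it was acting for at every decision.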
3.1.8
Authorized user