This part of GB/T 20274 establishes the framework for information systems security technical assurance, together with the guidance and general principles for starting, implementing, maintaining, evaluating and improving the information security technology system in the organization. This part of GB/T 20274 defines and explains the technology architecture capability level of the organization, as reflected in the construction and evaluation of the information systems security technology system, and the information systems security technical requirements of the organization.
This part of GB/T 20274 is applicable to organizations starting, implementing, maintaining, evaluating and improving the information security technology system, and to all the users, developers and evaluators involved in information systems security technical work.
2 Normative References
The following documents contain provisions which, through reference in this text, constitute provisions of this part. For dated references, subsequent amendments to (excluding any corrigendum), or revisions of, any of these publications do not apply. However, parties to agreements based on this standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. For any undated references, the latest edition of the document referred to applies.
GB/T 20274.1 Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 1: Introduction and General Model
3 Terms and Definitions
For the purposes of this part of GB/T 20274, the terms and definitions specified in GB/T 20274.1 apply.
4 Structure of This Part
This part of GB/T 20274 is organized as follows:
a) Chapter 1 introduces the scope of this part;
b) Chapter 2 introduces the normative references of this part;
c) Chapter 3 describes the terms and definitions applicable to this part;
d) Chapter 4 describes the structure of this part;
e) Chapter 5 describes the framework for information systems security technical assurance and further summarizes the information systems security technical assurance control class domain and security technology architecture capability level;
f) Chapter 6 describes the standard description structure and requirements of information security technical assurance control class;
g) Chapters 7 to 17 set out the detailed requirements of the eleven information security technical assurance control classes;
h) Chapter 18 describes the security technology architecture capability maturity model;
i) Appendix A is informative and further explains the security technical requirements;
j) Appendix B is informative and describes the hierarchical multi-point information systems security technology architecture;
k) The Bibliography lists the references of this part of GB/T 20274.
5 Information Security Technical Assurance
5.1 Overview of Security Technical Assurance
Within the evaluation framework for information systems security assurance, security technical assurance is mainly used to evaluate the system-level security technology framework and the security technology solution in information systems, i.e. to make a security assessment of the information technology systems (an information technology system is any combination of computer hardware, software and/or firmware used to acquire, create, communicate, compute, distribute, process, store and/or control data or information as a part of an information system, in order to perform the information function of the organization). Among the technology, management and engineering assurance of the evaluation framework for information systems security assurance, security technical assurance has the most direct and close relationship with "Evaluation Criteria for IT Security" (GB/T 18336); the security technical system framework and solution with accurate information systems security assurance evaluation is directly established upon the product and product system approved by the evaluation criteria of GB/T 18336.
In the security technical assurance of the evaluation framework for information systems security assurance, the target of evaluation (TOE) is any combination of all the computer hardware, software and/or firmware constituting the information systems. Security technical assurance requires the information system users to proceed in three steps: first, establish and refine the security technology architecture for their targets of evaluation (i.e. information technology systems); next, once the security technology architecture of the information technology systems is completed, perform a high-level analysis and determine the relevant security purpose based on this architecture; finally, provide a description using standardized security technical assurance control components.
5.2 Security Technology Architecture Capability Level
System security technology architecture is the description of the overall structure of the security technology system of the organization's information technology system. The security technology architecture capability is the integral security technology system framework that conforms to the security policy development planning of the organization's information technology system. The organization establishes it according to the system security risk evaluation results and the requirements of the system security policy, by reference to the relevant security technology architecture standards and best practice, and in combination with the specific current status and needs of its information technology system. It is the specific embodiment of the organization's information technology system security strategy management. Security technology architecture capability is the integral reflection of the organization's capability in executing system security technology; it also shows that the organization is managing the information security technology system framework and has achieved the predetermined cost, function and quality targets.
5.3 Examples of Security Technical Assurance Control Requirements
This clause describes the examples used in the security technical assurance control requirements in this part. Figures 1 and 2 describe some key concepts of the examples. This clause provides a text description of the concepts in the figures and of other key concepts not shown in the figures. The key concepts discussed are highlighted in bold italic.