This standard specifies management requirements for information system security engineering (hereinafter referred to as security engineering). It serves as guidance for the owner, the developer and the third party in the construction of information system security engineering, and all parties can base their security engineering management systems on it.
This standard, in accordance with the five security protection levels specified in GB 17859-1999, specifies different requirements for the management of information system security engineering.
This standard is applicable to the owner and the developer of an information system in managing security engineering, and may be used as a reference by all parties concerned.
2 Normative References
The following standards contain provisions which, through reference in this text, constitute provisions of this standard. For dated references, subsequent amendments to (excluding correction to), or revisions of, any of these publications do not apply. However, the parties to agreements based on this standard are encouraged to investigate the possibility of applying the most recent editions of the standards. For undated references, the latest edition of the normative document referred to applies.
GB 17859-1999 Classified Criteria for Security Protection of Computer Information System
GB/T 20269-2006 Information Security Technology - Information System Security Management Requirements
GB/T 20271-2006 Information Security Technology - Common Security Techniques Requirement for Information System
3 Terminologies and Definitions
For the purposes of this standard, the following terminologies and definitions apply.
3.1
Security engineering
The system engineering process that ensures the confidentiality, integrity and availability of an information system.
3.2
Security engineering lifecycle
Activities related to security engineering throughout the lifecycle of an information system, including concept formation, concept development and definition, verification and validation, engineering implementation development and manufacture, production and deployment, operation and support, and termination.
3.3
Security engineering guide
Guiding information defined by the engineering group on how to select, design and implement the engineering system structure.
3.4
Vulnerability
A weakness of an asset or a group of assets that can be exploited by a certain threat.
3.5
Risk
The probability that a certain threat will cause an asset or a group of assets to be lost or damaged by exploiting its or their vulnerability.
3.6
Owner
The party that organizes the construction of information system security engineering.
3.7
Developer
The party that provides services for the construction of information system security engineering.
3.8
Third party
A neutral organization or institution, independent of the owner and the developer, which is engaged in activities relating to the construction of information system security engineering.
GB/T 20282-2006 The following standards are cited: