US$2594.00 · In stock. Delivery: <= 12 days. The true-PDF full copy in English will be manually translated and delivered via email.
GB/T 18336.1-2024: Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model. Status: Valid.
GB/T 18336.1: Evolution and historical versions
| Standard ID | Contents [version] | USD | [PDF] delivered in | Standard Title (Description) | Status |
| --- | --- | --- | --- | --- | --- |
| GB/T 18336.1-2024 | English | 2594 | 12 days [Need to translate] | Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model | Valid |
| GB/T 18336.1-2015 | English | 150 | 0-9 seconds. Auto-delivery | Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model | Obsolete |
| GB/T 18336.1-2008 | English | RFQ (ask) | 4 days [Need to translate] | IT security technology - Information technology security evaluation criteria - Part 1: Introduction and general model | Obsolete |
| GB/T 18336.1-2001 | English | RFQ (ask) | 4 days [Need to translate] | Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model | Obsolete |
Basic data
| Standard ID | GB/T 18336.1-2024 (GB/T18336.1-2024) |
| --- | --- |
| Description (Translated English) | Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.030 |
| Word Count Estimation | 130,170 |
| Date of Issue | 2024-04-25 |
| Date of Implementation | 2024-11-01 |
| Older Standard (superseded by this standard) | GB/T 18336.1-2015 |
| Issuing agency(ies) | State Administration for Market Regulation; China National Standardization Administration |
GB/T 18336.1-2024: Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model. This is a DRAFT version for illustration, not a final translation. The full true-PDF English version (including equations, symbols, images, flow charts, tables and figures) will be manually and carefully translated upon your order.
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replaces GB/T 18336.1-2015
Cybersecurity technology - Evaluation criteria for IT security
Part 1: Introduction and general model
(ISO/IEC 15408-1:2022, Information security, cybersecurity and
Issued 2024-04-25, implemented 2024-11-01
Issued by the State Administration for Market Regulation and the National Standardization Administration
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
5.1 General
5.2 Description of ISO/IEC 15408
5.3 The Target of Evaluation (TOE)
5.4 Remaining content
6 General model
6.1 Background
6.2 Assets and security controls
6.3 Core constructs of the ISO/IEC 15408 paradigm
7 Specifying security requirements
7.1 Security problem definition
7.2 Security objectives
7.3 Security requirements
8 Security components
8.1 Hierarchical structure of security components
8.2 Operations
8.3 Dependencies between components
8.4 Extended components
9 Packages
9.1 General
9.2 Package types
9.3 Package dependencies
9.4 Evaluation methods and activities
10 Protection Profiles
10.1 General
10.2 PP introduction
10.3 Conformance claims and conformance statements
10.4 Security requirements
10.5 Additional requirements common to strict and demonstrable conformance
10.6 Specific additional requirements for strict conformance
10.7 Specific additional requirements for demonstrable conformance
10.8 Specific additional requirements for exact conformance
10.9 Using PPs
10.10 Conformance statements and conformance claims in the case of multiple PPs
11 Modular requirements construction
11.1 General
11.2 PP-Modules
11.3 PP-Configurations
12 Security Targets
12.1 General
12.2 Conformance claims and conformance statements
12.3 Security requirements
12.4 Additional requirements for exact conformance
12.5 Additional requirements for multi-assurance
13 Evaluation and evaluation results
13.1 General
13.2 Evaluation context
13.3 Evaluation of PPs and PP-Configurations
13.4 Evaluation of STs
13.5 Evaluation of TOEs
13.6 Evaluation methods and evaluation activities
13.7 Evaluation results
13.8 Multi-assurance evaluation
14 Composition of assurance
14.1 General
14.2 Composition models
14.3 Evaluation techniques for providing assurance in composition models
14.4 Requirements for evaluation using composition techniques
14.5 Evaluation by composition and multi-assurance
Annex A (normative) Specification of packages
A.1 Goal and structure of this annex
A.2 Package families
A.3 Packages
Annex B (normative) Specification of Protection Profiles
B.1 Goal and structure of this annex
B.2 Specification of PPs
B.3 Mandatory contents of a PP
B.4 Referring to other standards in a PP
B.5 Direct Rationale PPs
B.6 Optional contents of a PP
Annex C (normative) Specification of PP-Modules and PP-Configurations
C.1 Goal and structure of this annex
C.2 Specification of PP-Modules
C.3 Specification of PP-Configurations
Annex D (normative) Specification of Security Targets (STs) and Direct Rationale STs
D.1 Goal and structure of this annex
D.2 Using an ST
D.3 Mandatory contents of an ST
D.4 Direct Rationale STs
D.5 Referring to other standards in an ST
Annex E (normative) PP/PP-Configuration conformance
E.1 General
E.2 Demonstrable conformance
E.3 Strict conformance
E.4 Exact conformance
References
Foreword
This document was drafted in accordance with GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".
This document is Part 1 of GB/T 18336 "Cybersecurity technology - Evaluation criteria for IT security". The following parts of GB/T 18336 have been published:
--- Part 1: Introduction and general model;
--- Part 2: Security functional components;
--- Part 3: Security assurance components;
--- Part 4: Framework for the specification of evaluation methods and activities;
--- Part 5: Pre-defined packages of security requirements.
This document replaces GB/T 18336.1-2015 "Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model". Compared with GB/T 18336.1-2015, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
--- added the "exact conformance" type and its related requirements (see 6.3.2, 10.3, 10.8, E.4);
--- deleted the "low assurance protection profile" (see B.11 of the 2015 edition);
--- added the term "direct rationale" (see 3.34);
--- added the term "multi-assurance evaluation" (see 3.60);
--- added the applicable cases and related requirements for multi-assurance evaluation (see 6.3.4.3, 12.5, 13.8);
--- added "PP-Module" and "PP-Configuration" for modular evaluation (see Clause 11);
--- added a clause on "composition of assurance" (see Clause 14);
--- added the content requirements for the "Direct Rationale protection profile" and the "Direct Rationale security target" (see B.5, D.4).
This document is equivalent to ISO/IEC 15408-1:2022 "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model".
The following minimal editorial changes were made to this document:
--- to harmonize with existing standards, the title was changed to "Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model";
--- a footnote was added (see Clause 1).
Please note that some of the contents of this document may be subject to patents. The issuing body of this document assumes no responsibility for identifying any such patents.
This document was proposed by and is under the jurisdiction of the National Cybersecurity Standardization Technical Committee (SAC/TC260).
Drafting organizations: China Information Technology Security Evaluation Center, Tsinghua University, the Third Research Institute of the Ministry of Public Security, the First Research Institute of China Electronics Technology Group Corporation, the 15th Research Institute, Jilin Information Security Evaluation Center, China Cybersecurity Review Technology and Certification Center, China Electronics Standardization Institute, Huawei Technologies Co., Ltd., Peking University, Institute of Information Engineering of the Chinese Academy of Sciences, China Institute of Cyberspace, Beijing Kuaishou Technology Co., Ltd., Shanghai Guanan Information Technology Co., Ltd., Unigroup Tongxin Microelectronics Co., Ltd., Kelai Network Technology Co., Ltd., Sangfor Technologies Co., Ltd., Technology Co., Ltd., Hangzhou Deep Technology Co., Ltd., Beijing Zhongce Anhua Technology Co., Ltd., China Trade Promotion Information Technology Co., Ltd., Chengdu Zhongke Zhishan Information Technology Co., Ltd., Guangdong-Hong Kong-Macao Greater Bay Area Precision Medicine Research Institute (Guangzhou), China Communications Service Consulting and Design Institute Co., Ltd., Mashang Consumer Finance Co., Ltd., China Software Testing Center, National Computer Network Emergency Response Technical Team/Coordination Center, China Academy of Space Systems Science and Engineering, Radio and Television Science Research Institute of the National Radio and Television Administration, iFLYTEK Co., Ltd., Beijing Jingdong Shangke Information Technology Co., Ltd., OPPO Guangdong Mobile Communications Co., Ltd., Changyang Technology (Beijing) Co., Ltd., Beijing CYBERENGE TECHNOLOGY LIMITED.
Main drafters: Zhang Baofeng, Gao Jinping, Yang Yongsheng, Shi Hongsong, Wang Yanan, Gao Song, Xie Shihua, Ye Xiaojun, Shangguan Xiaoli, Huo Shanshan, Guo Hao, Xie Anming, Wang Xiaonan, Luo Hongwei, Li Fengjuan, Xu Yuan, Sun Yafei, Xiong Qi, Pang Bo, Wang Feng, Yang Yuanyuan, Liu Jian, He Yang, Liu Zhanfeng, Feng Yun, Tan Ru, Sun Nan, Zheng Liang, Liu Jilin, Zuo Jian, Tang Chuan, Xie Jiang, Jiang Wei, Wu Wei, Kong Yong, Li Jing, Yu Mingming, Sheng Zhifan, Tan Xiaosheng, Zhao Tian, Pu Xiong, Wang Xiaopeng, Yang Bo, Chen Liang, Ding Feng, Jiang Ning, Feng Na, Zhao Hua, Li Gen, Jia Wei, Bi Haiying, Deng Hui, Chen Feng.
This document was first published in 2001 as GB/T 18336.1-2001, revised for the first time in 2008 and for the second time in 2015. This is the third revision.
Introduction
GB/T 18336 provides a common set of security functional requirements and security assurance requirements for the security evaluation of information technology (IT) products. These requirements give guidance for the development, evaluation and procurement of IT products with security functionality. The evaluation process establishes a level of confidence that the security functionality of an IT product and the assurance measures applied to it meet these requirements, makes the results of independent security evaluators comparable, and helps consumers determine whether the IT product fulfils their security needs.
GB/T 18336 is planned to consist of five parts:
--- Part 1: Introduction and general model. Gives an overall overview of GB/T 18336, defines the general concepts and principles of IT security evaluation, and presents a general model for evaluation.
--- Part 2: Security functional components. Establishes a set of standardized templates (functional components) used to describe security functional requirements. The components are organized into classes and families, and specific security functional requirements are constructed by selecting, refining and tailoring components.
--- Part 3: Security assurance components. Establishes a set of standardized templates (assurance components) used to describe security assurance requirements. The assurance components are structured into classes and families and define the criteria for evaluating PPs, STs and TOEs; specific security assurance requirements are constructed by selecting, refining and tailoring components.
--- Part 4: Framework for the specification of evaluation methods and activities. Provides a standardized framework for specifying evaluation methods and activities. Such methods and activities are contained in PPs, STs and any supporting documents for use by evaluators, and are applied on the basis of the models described in the other parts of GB/T 18336.
--- Part 5: Pre-defined packages of security requirements. Provides packages of security assurance requirements and security functional requirements that are commonly used by stakeholders; examples include the Evaluation Assurance Levels (EALs) and the Composed Assurance Packages (CAPs).
GB/T 18336 is highly flexible and allows its evaluation methodology to be applied to a wide range of security properties of a wide range of IT products. Users should therefore take care not to misuse this flexibility: applying inappropriate evaluation methods or activities, selecting irrelevant security properties, or targeting unsuitable IT products may produce meaningless evaluation results. The fact that an IT product has been evaluated is therefore meaningful only with reference to which security properties were selected and which evaluation methods were applied. Evaluation authorities need to review the product, the security properties and the evaluation methods carefully to determine whether an evaluation can produce meaningful results, and purchasers of an evaluated product likewise need to consider the specific circumstances of the evaluation to determine whether the product is useful for, and meets, their particular usage scenarios and needs.
GB/T 18336 addresses the protection of assets from unauthorized disclosure, modification, or loss of use. The categories of protection corresponding to these three types of security failure are commonly called confidentiality, integrity and availability, respectively; GB/T 18336 may also be applicable to aspects of IT security beyond these three. GB/T 18336 considers risks arising from human activities (malicious or otherwise) and from non-human factors. Although GB/T 18336 may also be applied to other areas of IT, no claim is made regarding its applicability outside the field of IT security.
Certain topics are outside the scope of GB/T 18336 because they involve specialized techniques or are only peripheral to IT security. Examples include the following:
a) GB/T 18336 does not cover the evaluation of security measures that are administrative in nature and not directly related to IT security measures. It is recognized, however, that significant security can often be achieved through administrative measures such as organizational, personnel, physical and procedural controls.
b) GB/T 18336 does not cover the application of the evaluation methodology of this document.
Note 1: GB/T 30270 defines the basic evaluation methodology; GB/T 18336.4 is used to further derive evaluation activities and methods from GB/T 30270.
c) GB/T 18336 does not cover the administrative and legal framework under which evaluation authorities apply this document, although GB/T 18336 is expected to be used for evaluations conducted within such a framework.
d) The procedures for using evaluation results in product accreditation are outside the scope of GB/T 18336. Product accreditation is the administrative process by which an IT product (or a collection of IT products) is authorized for use in its complete operational environment. Evaluation focuses on the IT security properties of the product, and the evaluation results are an important input to the accreditation process. However, because other techniques are better suited to assessing non-IT properties and their relationship to the IT security components, separate provisions should be established for those cases.
e) GB/T 18336 does not include provisions for evaluating the inherent qualities of cryptographic algorithms. If an independent assessment of the mathematical properties of cryptographic algorithms is required, the evaluation scheme under which GB/T 18336 is applied must make specific provisions for that assessment.
Note 2: This document uses bold and italic type in some places to distinguish terms from the rest of the text. Bold is used for all new requirements. For hierarchical components, requirements that are enhanced or modified beyond those of the previous component are marked in bold, and any new or enhanced permitted operations beyond those of the previous component are also marked in bold. Italics are used to indicate text that has a precise meaning; for security assurance requirements, this convention also applies to the special verbs relating to evaluation.
Cybersecurity technology - Evaluation criteria for IT security
Part 1: Introduction and general model
1 Scope
This document establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by the various parts of ISO/IEC 15408, which as a whole is meant to be used as the basis for evaluating the security properties of IT products.
This document provides an overview of all parts of ISO/IEC 15408 1). It describes the content of each part of ISO/IEC 15408; defines the terms and abbreviations used in all parts; establishes the core concept of the Target of Evaluation (TOE); describes the evaluation context and the evaluation criteria; and presents the basic security concepts needed for the evaluation of IT products.
1) ISO/IEC 15408-1 to ISO/IEC 15408-5 correspond to the Chinese national standards GB/T 18336.1 to GB/T 18336.5 respectively.
This document describes:
--- the core concepts of Protection Profile (PP), PP-Module, PP-Configuration, package, Security Target (ST) and conformance type;
--- a description of the organization of security components throughout the model;
--- the operations permitted when customizing the functional components and assurance components given in ISO/IEC 15408-2 and ISO/IEC 15408-3;
--- general information about the evaluation methodology given in ISO/IEC 18045;
--- guidance on applying ISO/IEC 15408-4 to develop evaluation methods (EMs) and evaluation activities (EAs) derived from ISO/IEC 18045;
--- general information about the pre-defined Evaluation Assurance Levels (EALs) given in ISO/IEC 15408-5;
--- information about the scope of evaluation schemes.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies; for undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 18336.2-2024 Cybersecurity technology - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022, IDT)
GB/T 18336.3-2024 Cybersecurity technology - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022, IDT)
ISO/IEC 15408-2 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components
ISO/IEC 15408-3 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components