GB/T 20274.2-2008: Information security technology -- Evaluation framework for information systems security assurance -- Part 2: Technical assurance
Status: Valid

This is an excerpt of the English translation.

GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80

Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 2: Technical Assurance

Issued on: July 18, 2008
Implemented on: December 1, 2008
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China

Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Structure of This Part
5 Information Security Technical Assurance
6 Control Structure of Information Security Technical Assurance
7 FAU Class: Security Audit
8 FCO Class: Communication
9 FCS Class: Cryptographic Support
10 FDP Class: User Data Protection
11 FIA Class: Identification and Authentication
12 FMT Class: Security Management
13 FPR Class: Secrecy
14 FPT Class: TSF Protection
14.16 TSF Self-test (FPT_TST)
15 FRU Class: Resource Utilization
16 FTA Class: TOE Access
17 TP Class: Trusted Path/Channel
18 Security Technology Architecture Capability Maturity Level
Appendix A (Informative) Annotations for Security Technical Requirements
Appendix B (Informative) Hierarchical Multi-point Information Systems Security Architecture
Bibliography
1 Scope

This Part of GB/T 20274 establishes the framework for information systems security technical assurance, together with the guide and general principles for starting, implementing, maintaining, evaluating and improving an information security technology system in an organization. This Part of GB/T 20274 defines and explains the technology architecture capability level of the organization, as reflected in the construction and evaluation of its information systems security technology system, and the organization's information systems security technical requirements. This Part of GB/T 20274 is applicable to organizations starting, implementing, maintaining, evaluating and improving an information security technology system, and to all users, developers and evaluators involved in information systems security technical work.

2 Normative References

The following documents contain provisions which, through reference in this text, constitute provisions of this Part. For dated references, subsequent amendments (excluding corrigenda) or revisions of these publications do not apply. However, parties who enter into agreements based on this standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. For undated references, the latest edition of the document referred to applies.
GB/T 20274.1 Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 1: Introduction and General Model

3 Terms and Definitions

For the purposes of this Part of GB/T 20274, the terms and definitions specified in GB/T 20274.1 apply.

4 Structure of This Part

The organization structure of this Part of GB/T 20274 is as follows.

5 Information Security Technical Assurance

5.1 Overview of Security Technical Assurance

The evaluation framework for information systems security assurance - security technical assurance is mainly used to evaluate the system-level security technology framework and the security technology solution of an information system, i.e.

5.2 Security Technology Architecture Capability Level

The system security technology architecture is the description of the overall structure of the security technology system of the organization's information technology system. The security technology architecture capability is the integral security technology system framework that conforms to the security policy development planning of the organization's information technology system. It is established by the organization according to the system security risk evaluation results and the requirements of the system security policy, with reference to the relevant security technology architecture standards and best practice, and in combination with the specific current status and needs of the organization's information technology system.

5.3 Examples of Security Technical Assurance Control Requirements

This clause describes the examples used in the security technical assurance control requirements in this Part. Figures 1 and 2 describe some key concepts of the examples. This clause provides a text description of the concepts in the figures and of other key concepts not in the figures.
The key concepts discussed are highlighted in bold italic.

6 Control Structure of Information Security Technical Assurance

6.1 Overview

This chapter defines the contents and forms of the technical requirements of this Part and provides guidance for organizations that need to add new modules to ISST.

6.1.1 Structure of information security technical assurance control class

Figure 5 illustrates the structure of a security technical assurance control class in diagram form.

6.1.2 Structure of information security technical assurance control subclass

Figure 6 shows the structure of a security technical assurance control subclass in diagram form.

6.1.3 Structure of information security technical assurance control module

Figure 7 shows the structure of a security technical assurance control module.

Figure 7 Structure of Security Technical Assurance Control Module

6.1.4 Allowable operations on security technical assurance control modules

The security technical assurance control modules used to define requirements in a PP, ST or technology package may be exactly the same as those explained in Chapters 5~17 of this Part, or may be tailored to meet a specific security purpose. Because the dependencies of the identified modules must be considered, the selection and tailoring of these security technical assurance control modules is complicated.

7 FAU Class: Security Audit

Security audit includes identifying, recording, saving and analyzing the information relevant to security-related activities (i.e. TSP-controlled activities). Inspection of the audit records may be used to determine which security-related activities have occurred and which user is responsible for them.

7.1 Automatic Response of Security Audit (FAU_ARP)

Subclass behavior

7.2 Generation of Security Audit Data (FAU_GEN)

Subclass behavior

For security-related events generated under the control of the TSF, this subclass defines the requirements for recording their occurrence.
This subclass determines the audit level, lists the event types auditable by the TSF, and specifies the minimal set of audit-related information that shall be provided in an audit record.

7.6 Storage of Security Audit Event (FAU_STG)

Subclass behavior

This subclass defines the requirements for the TSF to be able to create and maintain a security audit trail.

8 FCO Class: Communication

This class provides two subclasses specifically designed to ensure the identity of the participants in a data exchange. These subclasses relate to assurance of the identity of the information transmission initiator (evidence of origin) and receiver (evidence of receipt). They ensure that a party cannot deny the fact that he or she has sent or received the information.

8.1 Non-repudiation of origin (FCO_NRO)

Subclass behavior

Non-repudiation of origin ensures that the information originator cannot successfully deny the fact that he or she has sent the information. This subclass requires the TSF to provide a method ensuring that the subject who receives the information also receives evidence of the information's origin during the data exchange. The evidence may be verified by that subject or by other subjects.

8.2 Non-repudiation of receipt (FCO_NRR)

Subclass behavior

Non-repudiation of receipt ensures that the information receiver cannot successfully deny the fact that he or she has received the information. This subclass requires the TSF to provide a method ensuring that the subject who sends the information receives evidence of receipt during the data exchange. The evidence may be verified by that subject or by other subjects.

9 FCS Class: Cryptographic Support

The TSF may use cryptographic functions, including (but not limited to) identification and authentication, non-repudiation, trusted path, trusted channel and data separation, to satisfy some high-level security objectives.

9.1 Key Management (FCS_CKM)

Subclass behavior

Keys must be managed throughout their whole life cycle.
For this reason, this subclass defines the requirements for the following operations: key generation, distribution, access and destruction. If there are any functional requirements for key management, this subclass must be included.

9.2 Crypto-operation (FCS_COP)

Subclass behavior

To ensure that cryptographic operations function correctly, a specified algorithm and a key of a specified length must be used. All cryptographic operation requirements shall be included in this subclass.

......

Source: The above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al.