GB/T 20261-2020 PDF in English
GB/T 20261-2020 (GB/T20261-2020, GBT 20261-2020, GBT20261-2020)
Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Name of Chinese Standard | Status |
GB/T 20261-2020 | English | 1820 |
Add to Cart
|
0-9 seconds. Auto-delivery.
|
Information security technology. System security engineering. Capability maturity model
| Valid |
GB/T 20261-2006 | English | RFQ |
ASK
|
3 days
|
Information technology -- Systems security engineering -- Capability maturity model
| Obsolete |
Standards related to (historical): GB/T 20261-2020
PDF Preview
GB/T 20261-2020: PDF in English (GBT 20261-2020) GB/T 20261-2020
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20261-2006
Information security technology - System security
engineering - Capability maturity model
(ISO/IEC 21827:2008, Information technology - Security techniques - Systems
security engineering - Capability maturity model, MOD)
ISSUED ON: NOVEMBER 19, 2020
IMPLEMENTED ON: JUNE 01, 2021
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of China.
Table of Contents
Foreword ... 4
Introduction ... 6
0.1 General ... 6
0.2 How should the SSE-CMM® be used? ... 8
0.3 Benefits of using the SSE-CMM® ... 8
1 Scope ... 10
2 Normative references ... 11
3 Terms and definitions ... 11
4 Overview of System Security Engineering ... 20
4.1 Development Background of Security Engineering ... 20
4.2 Importance of Security Engineering ... 21
4.3 Security Engineering Organizations ... 22
4.4 Security Engineering Life Cycle ... 22
4.5 Security Engineering and Other Disciplines ... 22
4.6 Security Engineering Specialties ... 23
5 Model System Architecture ... 24
5.1 Security Engineering Process Overview ... 24
5.2 SSE-CMM® Architecture Description ... 27
5.3 Summary Chart ... 39
6 Security Base Practices ... 41
6.1 Description of Security Base Practices ... 41
6.2 PA01 – Administer Security Controls ... 42
6.3 PA02 – Assess Impact ... 47
6.4 PA03 – Assess Security Risk ... 52
6.5 PA04 – Assess Threat ... 57
6.6 PA05 – Assess Vulnerability ... 61
6.7 PA06 – Build Assurance Argument ... 66
6.8 PA07 – Coordinate Security ... 71
6.9 PA08 – Monitor Security Posture ... 74
6.10 PA09 – Provide Security Input ... 81
6.11 PA10 – Specify Security Needs ... 87
6.12 PA11 – Verify and Validate Security ... 93
Annex A (informative) Structural Changes of This Standard Compared with ISO/IEC
21827:2008 ... 97
Annex B (informative) Technical Differences Between This Standard and ISO/IEC
21827:2008 and Their Reasons ... 100
Annex C (normative) Generic Practices ... 103
C.1 General ... 103
C.2 Capability Level 1 - Performed Basically ... 104
C.3 Capability Level 2 – Planned and Tracked ... 105
C.4 Capability Level 3 – Sufficiently Defined ... 112
C.5 Capability Level 4 – Quantitatively Controlled ... 117
C.6 Capability Level 5 – Continuously Improving ... 120
Annex D (normative) Project and Organizational Base Practices ... 124
D.1 General ... 124
D.2 General Security Considerations ... 124
D.3 PA12 – Ensure Quality ... 125
D.4 PA13 – Manage Configurations ... 131
D.5 PA14 – Manage Project Risks ... 136
D.6 PA15 – Monitor and Control Technical Effort ... 141
D.7 PA16 – Plan Technical Effort ... 145
D.8 PA17 – Define Organization's Systems Engineering Process ... 154
D.9 PA18 – Improve Organization's Systems Engineering Processes ... 158
D.10 PA19 – Manage Product Line Evolution... 162
D.11 PA20 – Manage Systems Engineering Support Environment ... 165
D.12 PA21 – Provide Ongoing Skills and Knowledge ... 171
D.13 PA22 – Coordinate with Suppliers ... 177
Annex E (informative) Capability Maturity Model Concepts ... 183
E.1 General ... 183
E.2 Process Improvement ... 183
E.3 Expected Results ... 184
E.4 Common Misunderstandings ... 185
E.5 Key Concepts ... 186
Annex F (informative) Information Security Services and Security Engineering Process
Domain Correspondence Table ... 192
Annex G (informative) Comparison Table of Major Changes Between GB/T 20261-
XXXX and GB/T 20261-2006 ... 194
Bibliography ... 199
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This Standard replaces GB/T 20261-2006, Information technology - Systems security
engineering - Capability maturity model. Compared with GB/T 20261-2006, the main
technical changes are as follows (see Annex G for the comparison of main changes):
– Modify some normative references (see Clause 2; Clause 2 of the 2006 edition);
– Add terms and definitions, namely “base practices; BP”, “capability”, “information
security event”, “information security incident”, “process area; PA”, “risk
management”;
– Modify the definitions of “assurance”, “engineering group”, “work product” in
Terms and definitions; and modify “residual risk” to “residual risk” (see Clause 3;
Clause 3 the 2006 edition).
– Remove the term “practices” (see 3.24 of the 2006 edition);
– Modify some clause and sub-clause titles, merge, adjust and delete some contents
that are related or not suitable as national standards (see 4.1, 4.2, 4.3, 4.4, 4.5, 4.6,
5.1);
– Delete the original Clause 5, and adjust the original Clause 6 and Clause 7 to Clause
5 and Clause 6 (Clause 5, Clause 6 and Clause 7 of the 2006 edition);
– Add BP.06.03 Define Security Measures in Clause 6, and the additions and revisions
of ISO/IEC 21827:2008 relative to ISO/IEC 21827:2002 (see Clause 6);
– Add Annex A and Annex B (see Annex A, Annex B);
– Modify the definition of the five levels of capability level in Annex C to be consistent
with the description of the current standard GB/T 30271 and other standards;
– Modify the error message that the serial process area number does not match the
process area description in Annex D (see D.6.1.1, D.7.7.3, D.9.3.3, D.11.1.1, D.11.4,
D.11.4.1, D.12.3.1);
– Add Annex F to facilitate the mapping relationship between the standard model and
the current security services (see Annex F);
– Add a comparison table of major changes compared with GB/T 20261-2006 (see
Annex G).
Information security technology - System security
engineering - Capability maturity model
1 Scope
This Standard specifies the Systems Security Engineering – Capability Maturity Model
(SSE-CMM®). The SSE-CMM® is a process reference model focused upon the
requirements for implementing security in a system or series of related systems that are
the information technology security (ITS) domain. Within the ITS domain, the SSE-
CMM® is focused on the processes used to achieve ITS, most specifically on the
maturity of those processes. There is no intent within the SSE-CMM® to dictate a
specific process to be used by an organization, let alone a specific methodology. Rather
the intent is that the organization making use of the SSE-CMM® should use its existing
processes, be those processes based upon any other ITS guidance document.
While the SSE-CMM® is a distinct model to improve and assess security engineering
capability, this does not imply that security engineering should be practised in isolation
from other engineering disciplines. On the contrary, the SSE-CMM® promotes
integration, taking the view that security is pervasive across all engineering disciplines
(e.g., systems, software and hardware) and defining components of the model to address
such concerns. The Common Feature “Coordinate Practices” recognizes the need to
integrate security with all disciplines and groups involved on a project or within an
organization. Similarly, the Process Area “Coordinate Security” defines the objectives
and mechanisms to be used in coordinating the security engineering activities.
The scope encompasses:
• the system security engineering activities for a secure product or a trusted system
addressing the complete life cycle of concept definition, requirements analysis,
design, development, integration, installation, operation, maintenance and de-
commissioning;
• requirements for product developers, secure systems developers and integrators,
organizations that provide computer security services and computer security
engineering;
• all types and sizes of security engineering organization, from commercial to
government and the academe; and
• demanders, providers and evaluators of system security engineering.
• human factors engineering;
• communications engineering;
• hardware engineering; and
• enterprise engineering.
Note 1: With respect to systems engineering, further information can be found in
ISO/IEC 15288 which views security from a systems perspective.
Note 2: With respect to software engineering, further information can be found in
GB/T 8566-2007 which views security from a software perspective.
Security engineering activities must be coordinated with many external entities because
assurance and the acceptability of residual operational impacts are established in
conjunction with the developer, integrator, acquirer, user, independent evaluator, and
other groups. It is these interfaces and the requisite interaction across a broad set of
organizations that make security engineering particularly complex and different from
other engineering disciplines.
4.6 Security Engineering Specialties
While Security Engineering and Information Technology Security are very often the
driving disciplines in the current security and business environment, other more
traditional security disciplines, such as Physical Security and Personnel Security should
not be overlooked. Security Engineering will need to draw upon these and many other
specialist sub-disciplines if they are to achieve the most efficient and effective results
in the performance of their work. The list below gives a few examples of specialty
security sub-disciplines likely to be required, along with a short description of each,
including:
• operations security -- targets the security of the operating environment, and the
maintenance of a secure operating posture;
• information security -- pertains to information and the maintenance of security of
the information during its manipulation and processing;
• network security -- involves the protection of network hardware, software, and
protocols, including information communicated over networks;
• physical security -- focuses on the protection buildings and physical locations;
• personnel security -- is related to people, their trustworthiness and their awareness
of security concerns;
• administrative security -- is related to the administrative aspects of security and
security in administrative systems; and
Chinese Standards
This is an excerpt of the PDF (Some pages are marked off intentionally)
Full-copy PDF can be purchased from 1 of 2 websites:
1. https://www.ChineseStandard.us
SEARCH the standard ID, such as GB 4943.1-2022.
Select your country (currency), for example: USA (USD); Germany (Euro).
Full-copy of PDF (text-editable, true-PDF) can be downloaded in 9 seconds.
Tax invoice can be downloaded in 9 seconds.
Receiving emails in 9 seconds (with download links).
SEARCH the standard ID, such as GB 4943.1-2022.
Full-copy of PDF (text-editable, true-PDF) can be downloaded in 9 seconds.
Receiving emails in 9 seconds (with PDFs attached, invoice and download links).
Translated by: Field Test Asia Pte. Ltd. (Incorporated & taxed in Singapore. Tax ID: 201302277C)
Linkin: https://www.linkedin.com/in/waynezhengwenrui/
------ The End ------
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.
|