
GB/T 20261-2020 PDF in English


GB/T 20261-2020 (GB/T20261-2020, GBT 20261-2020, GBT20261-2020)

GB/T 20261-2020 (English): Information security technology. System security engineering. Capability maturity model. Status: Valid.
GB/T 20261-2006 (English): Information technology -- Systems security engineering -- Capability maturity model. Status: Obsolete.

Standards related to (historical): GB/T 20261-2020

PDF Preview

GB/T 20261-2020: PDF in English (GBT 20261-2020)

GB/T 20261-2020
GB NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20261-2006

Information security technology - System security engineering - Capability maturity model
(ISO/IEC 21827:2008, Information technology - Security techniques - Systems security engineering - Capability maturity model, MOD)

ISSUED ON: NOVEMBER 19, 2020
IMPLEMENTED ON: JUNE 01, 2021
Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China.

Table of Contents
Foreword ... 4
Introduction ... 6
0.1 General ... 6
0.2 How should the SSE-CMM® be used? ... 8
0.3 Benefits of using the SSE-CMM® ... 8
1 Scope ... 10
2 Normative references ... 11
3 Terms and definitions ... 11
4 Overview of System Security Engineering ... 20
4.1 Development Background of Security Engineering ... 20
4.2 Importance of Security Engineering ... 21
4.3 Security Engineering Organizations ... 22
4.4 Security Engineering Life Cycle ... 22
4.5 Security Engineering and Other Disciplines ... 22
4.6 Security Engineering Specialties ... 23
5 Model System Architecture ... 24
5.1 Security Engineering Process Overview ... 24
5.2 SSE-CMM® Architecture Description ... 27
5.3 Summary Chart ... 39
6 Security Base Practices ... 41
6.1 Description of Security Base Practices ... 41
6.2 PA01 – Administer Security Controls ... 42
6.3 PA02 – Assess Impact ... 47
6.4 PA03 – Assess Security Risk ... 52
6.5 PA04 – Assess Threat ... 57
6.6 PA05 – Assess Vulnerability ... 61
6.7 PA06 – Build Assurance Argument ... 66
6.8 PA07 – Coordinate Security ... 71
6.9 PA08 – Monitor Security Posture ... 74
6.10 PA09 – Provide Security Input ... 81
6.11 PA10 – Specify Security Needs ... 87
6.12 PA11 – Verify and Validate Security ... 93
Annex A (informative) Structural Changes of This Standard Compared with ISO/IEC 21827:2008 ... 97
Annex B (informative) Technical Differences Between This Standard and ISO/IEC 21827:2008 and Their Reasons ... 100
Annex C (normative) Generic Practices ... 103
C.1 General ... 103
C.2 Capability Level 1 – Performed Basically ... 104
C.3 Capability Level 2 – Planned and Tracked ... 105
C.4 Capability Level 3 – Sufficiently Defined ... 112
C.5 Capability Level 4 – Quantitatively Controlled ... 117
C.6 Capability Level 5 – Continuously Improving ... 120
Annex D (normative) Project and Organizational Base Practices ... 124
D.1 General ... 124
D.2 General Security Considerations ... 124
D.3 PA12 – Ensure Quality ... 125
D.4 PA13 – Manage Configurations ... 131
D.5 PA14 – Manage Project Risks ... 136
D.6 PA15 – Monitor and Control Technical Effort ... 141
D.7 PA16 – Plan Technical Effort ... 145
D.8 PA17 – Define Organization's Systems Engineering Process ... 154
D.9 PA18 – Improve Organization's Systems Engineering Processes ... 158
D.10 PA19 – Manage Product Line Evolution ... 162
D.11 PA20 – Manage Systems Engineering Support Environment ... 165
D.12 PA21 – Provide Ongoing Skills and Knowledge ... 171
D.13 PA22 – Coordinate with Suppliers ... 177
Annex E (informative) Capability Maturity Model Concepts ... 183
E.1 General ... 183
E.2 Process Improvement ... 183
E.3 Expected Results ... 184
E.4 Common Misunderstandings ... 185
E.5 Key Concepts ... 186
Annex F (informative) Information Security Services and Security Engineering Process Domain Correspondence Table ... 192
Annex G (informative) Comparison Table of Major Changes Between GB/T 20261-XXXX and GB/T 20261-2006 ... 194
Bibliography ... 199

Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This Standard replaces GB/T 20261-2006, Information technology - Systems security engineering - Capability maturity model.
Compared with GB/T 20261-2006, the main technical changes are as follows (see Annex G for the comparison of main changes):
– Modify some normative references (see Clause 2; Clause 2 of the 2006 edition);
– Add terms and definitions, namely “base practices; BP”, “capability”, “information security event”, “information security incident”, “process area; PA”, “risk management”;
– Modify the definitions of “assurance”, “engineering group”, “work product” in Terms and definitions; and modify “residual risk” to “residual risk” (see Clause 3; Clause 3 of the 2006 edition);
– Remove the term “practices” (see 3.24 of the 2006 edition);
– Modify some clause and sub-clause titles; merge, adjust and delete some contents that are related or not suitable as national standards (see 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 5.1);
– Delete the original Clause 5, and renumber the original Clause 6 and Clause 7 as Clause 5 and Clause 6 (Clause 5, Clause 6 and Clause 7 of the 2006 edition);
– Add BP.06.03 Define Security Measures in Clause 6, together with the additions and revisions made in ISO/IEC 21827:2008 relative to ISO/IEC 21827:2002 (see Clause 6);
– Add Annex A and Annex B (see Annex A, Annex B);
– Modify the definition of the five capability levels in Annex C to be consistent with the descriptions in the current standard GB/T 30271 and other standards;
– Correct the errors in Annex D where the serial process area number did not match the process area description (see D.6.1.1, D.7.7.3, D.9.3.3, D.11.1.1, D.11.4, D.11.4.1, D.12.3.1);
– Add Annex F, which maps the standard's model to current security services (see Annex F);
– Add a comparison table of major changes relative to GB/T 20261-2006 (see Annex G).

Information security technology - System security engineering - Capability maturity model

1 Scope
This Standard specifies the Systems Security Engineering – Capability Maturity Model (SSE-CMM®).
The SSE-CMM® is a process reference model focused upon the requirements for implementing security in a system or series of related systems that are the information technology security (ITS) domain. Within the ITS domain, the SSE-CMM® is focused on the processes used to achieve ITS, most specifically on the maturity of those processes. There is no intent within the SSE-CMM® to dictate a specific process to be used by an organization, let alone a specific methodology. Rather, the intent is that the organization making use of the SSE-CMM® should use its existing processes, be those processes based upon any other ITS guidance document.

While the SSE-CMM® is a distinct model to improve and assess security engineering capability, this does not imply that security engineering should be practised in isolation from other engineering disciplines. On the contrary, the SSE-CMM® promotes integration, taking the view that security is pervasive across all engineering disciplines (e.g., systems, software and hardware) and defining components of the model to address such concerns. The Common Feature “Coordinate Practices” recognizes the need to integrate security with all disciplines and groups involved on a project or within an organization. Similarly, the Process Area “Coordinate Security” defines the objectives and mechanisms to be used in coordinating the security engineering activities.
The scope encompasses:
• the system security engineering activities for a secure product or a trusted system, addressing the complete life cycle of concept definition, requirements analysis, design, development, integration, installation, operation, maintenance and decommissioning;
• requirements for product developers, secure systems developers and integrators, and organizations that provide computer security services and computer security engineering;
• all types and sizes of security engineering organization, from commercial to government and academia; and
• demanders, providers and evaluators of system security engineering.

• human factors engineering;
• communications engineering;
• hardware engineering; and
• enterprise engineering.

Note 1: With respect to systems engineering, further information can be found in ISO/IEC 15288, which views security from a systems perspective.
Note 2: With respect to software engineering, further information can be found in GB/T 8566-2007, which views security from a software perspective.

Security engineering activities must be coordinated with many external entities, because assurance and the acceptability of residual operational impacts are established in conjunction with the developer, integrator, acquirer, user, independent evaluator and other groups. It is these interfaces, and the requisite interaction across a broad set of organizations, that make security engineering particularly complex and different from other engineering disciplines.

4.6 Security Engineering Specialties
While Security Engineering and Information Technology Security are very often the driving disciplines in the current security and business environment, other more traditional security disciplines, such as Physical Security and Personnel Security, should not be overlooked.
Security Engineering will need to draw upon these and many other specialist sub-disciplines to achieve the most efficient and effective results in the performance of its work. The list below gives a few examples of the specialty security sub-disciplines likely to be required, with a short description of each:
• operations security -- targets the security of the operating environment, and the maintenance of a secure operating posture;
• information security -- pertains to information and the maintenance of security of the information during its manipulation and processing;
• network security -- involves the protection of network hardware, software and protocols, including information communicated over networks;
• physical security -- focuses on the protection of buildings and physical locations;
• personnel security -- is related to people, their trustworthiness and their awareness of security concerns;
• administrative security -- is related to the administrative aspects of security and security in administrative systems; and

This is an excerpt of the PDF (some pages are marked off intentionally). Translated by: Field Test Asia Pte. Ltd.
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.