GB/T 20282-2006 PDF in English
Information security technology -- Information system security engineering management requirements
Status: Valid
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.020
L 09
Information Security Technology - Information
System Security Engineering Management
Requirements
Issued on: May 31, 2006
Implemented on: December 1, 2006
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China.
Table of Contents
1 Scope
2 Normative References
3 Terms and Definitions
4 Security Engineering System
4.1 Overview
4.2 Goal of Security Engineering
4.3 Fundamental Relation
5 Qualification Assurance Requirements
5.1 System Integration Qualification Requirement
5.2 Personnel Qualification Requirement
5.3 Third-party Service Requirement
5.4 Security Product Requirement
5.5 Engineering Supervision Requirement
5.6 Requirement for Compliance with Laws, Regulations and Policies
6 Organizational Assurance Requirements
6.1 Define Organizational Process of System Engineering
6.2 Improve Organizational Process of System Engineering
6.3 Manage the Evolution of Series of Products
6.4 Manage Support Environment of System Engineering
6.5 Host Training
6.6 Coordinate with Supplier
7 Engineering Implementation Requirements
7.1 Manage Security Control
7.2 Assess Impacts
7.3 Assess Security Risk
7.4 Assess Threats
7.5 Assess Vulnerability
7.6 Build Assurance Argument
7.7 Coordinate Security
7.8 Monitor Security Posture
7.9 Provide Security Input
7.10 Specify Security Requirements
7.11 Verify and Validate Security
8 Project Implementation Requirements
8.1 Quality Assurance
8.2 Manage Configuration
8.3 Manage Project Risk
8.4 Monitor Technical Activities
8.5 Plan Technical Activities
9 Grading Requirements for Security Engineering Management
9.1 Level 1: User's Discretionary Protection Level
9.2 Level 2: System Audit Protection Level
9.3 Level 3: Security Label Protection Level
9.4 Level 4: Structured Protection Level
9.5 Level 5: Access Verification Protection Level
9.6 Comparison Table of Security Protection Level Classification and Security Engineering Requirements
10 Process and Requirements of Security Engineering
10.1 Security Engineering Process
10.2 Security Engineering Requirements of the Security Engineering Process in Each Stage
Appendix A (Informative) Corresponding Relationship between Security Engineering Requirements and Security Protection Level/Security Engineering Process
References
Foreword
Appendix A of this Standard is informative.
This Standard was proposed by, and is under the jurisdiction of, the National Committee on Information Security of the Standardization Administration of China.
Drafting organizations of this Standard: the 30th Research Institute of China Electronics Technology Group Corporation (CETC 30), Shanghai 30wish Information Security Co., Ltd. and Shanghai Institute of Standardization.
Main drafters of this Standard: Zhang Jianjun, Wei Zhong, Ye Ming, Chen Changsong and Kong Yitong.
Information Security Technology - Information
System Security Engineering Management
Requirements
1 Scope
This Standard specifies management requirements for information system security engineering (hereinafter referred to as security engineering). It serves as guidance for the owner, the developer and third parties when carrying out information system security engineering, and provides the basis on which each party can establish its security engineering management system.
In accordance with the five security protection levels specified in GB 17859-1999, this Standard specifies different requirements for the management of information system security engineering at each level.
This Standard applies to the owner and the developer of an information system in managing security engineering, and may be consulted by all other parties concerned.
2 Normative References
The provisions of the following documents become provisions of this Standard through reference in this Standard. For dated references, subsequent amendments (excluding corrections) or revisions do not apply to this Standard; however, parties who reach an agreement based on this Standard are encouraged to investigate whether the latest versions of these documents are applicable. For undated references, the latest edition of the referenced document applies.
GB 17859-1999 Classified Criteria for Security Protection of Computer Information System
GB/T 20269-2006 Information Security Technology - Information System Security Management Requirements
GB/T 20271-2006 Information Security Technology - Common Security Techniques Requirement for Information System
3 Terms and Definitions
For the purposes of this Standard, the following terms and definitions apply.
3.1
Security engineering
The system engineering process that ensures the confidentiality, integrity and availability of an information system.
3.2
Security engineering lifecycle
The security engineering activities carried out throughout the lifecycle of an information system, covering concept formation, concept development and definition, verification and validation, engineering implementation development and manufacture, production and deployment, operation and support, and termination.
3.3
Security engineering guide
Guiding information, defined by the engineering group, on how to select, design and implement the engineering system structure.
3.4
Vulnerability
...
Source: The above contents are excerpted from the PDF; translated/reviewed by www.chinesestandard.net / Wayne Zheng et al.