GB/T 28449-2018 PDF English
Standard ID | Contents [version] | USD | [PDF] delivered in | Name of Chinese Standard | Status
--- | --- | --- | --- | --- | ---
GB/T 28449-2018 | English | 830 | 0-9 seconds, auto-delivery | Information security technology -- Testing and evaluation process guide for classified protection of cybersecurity | Valid
GB/T 28449-2012 | English | RFQ | 10 days | Information security technology -- Testing and evaluation process guide for classified protection of information system security | Obsolete
PDF Preview: GB/T 28449-2018 (PDF in English, GBT 28449-2018)
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 28449-2012
Information security technology - Testing and
evaluation process guide for classified protection of
cyber security
ISSUED ON: DECEMBER 28, 2018
IMPLEMENTED ON: JULY 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of the People's Republic of
China.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of classified testing and evaluation
4.1 Overview of classified testing and evaluation process
4.2 Classified testing and evaluation risks
4.3 Classified testing and evaluation risk avoidance
5 Preparation of testing and evaluation
5.1 Workflow of preparation of testing and evaluation
5.2 Major tasks of preparation of testing and evaluation
5.3 Output files of testing and evaluation preparation
5.4 Duties of both parties in testing and evaluation preparation
6 Scheme preparations
6.1 Workflow of scheme preparation
6.2 Major tasks of scheme preparation
6.3 Output files of scheme preparation
6.4 Duties of both parties in scheme preparation
7 On-site testing and evaluation
7.1 Work flow of on-site testing and evaluation
7.2 Main tasks of on-site testing and evaluation
7.3 Output files of on-site testing and evaluation
7.4 Duties of both parties in on-site testing and evaluation
8 Report preparation
8.1 Work flow of report preparation
8.2 Main tasks of report preparation
8.3 Output files of report preparation
8.4 Duties of both parties in report preparation
Annex A (Normative) Workflow of classified testing and evaluation
Annex B (Normative) Requirements for classified testing and evaluation
Annex C (Normative) Supplement for classified testing and evaluation of new technology and new application
Annex D (Normative) Principle and example for confirmation of target of testing and evaluation
Annex E (Informative) Modes and work tasks for on-site testing and evaluation of classified testing and evaluation
Annex F (Informative) Example for template of classified testing and evaluation report
Bibliography
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This Standard replaces GB/T 28449-2012 “Information security technology -
Testing and evaluation process guide for classified protection of information
system security”. Compared with GB/T 28449-2012, in addition to editorial
modifications, the main technical changes are as follows:
- modified the standard's name to "Information security technology - Testing and evaluation process guide for classified protection of cyber security";
- modified the tasks in report preparation from 6 tasks to 7 tasks (see 4.1 of this Edition, 5.4 of Edition 2012);
- in the duties of both parties involved in preparation of testing and evaluation and in on-site testing and evaluation, added the duty to coordinate multiple parties, and specified it in those work tasks that involve multiple parties (see 7.4 of this Edition, 8.4 of Edition 2012);
- added the information analysis methods to the information collection and analysis task (see 5.2.2 of this Edition);
- added the special tasks and requirements that need additional attention when security testing and evaluation is carried out on a classified protection target built using cloud computing, the Internet of Things, mobile internet, industrial control systems or IPv6 systems (see Annex C of this Edition);
- deleted the testing and evaluation scheme examples (see Annex D of Edition 2012);
- deleted the questionnaire template for the basic situation of an information system (see Annex E of Edition 2012).
Attention is drawn to the possibility that some contents of this Standard may be
the subject of patent rights. The issuing authority shall not be held responsible
for identifying any or all such patent rights.
This Standard was proposed by and shall be under the jurisdiction of National
Technical Committee on Information Security of Standardization Administration
of China (SAC/TC 260).
The drafting organizations of this Standard: The Third Institute of the Ministry
of Public Security (Information Security Level Protection Assessment Center of
the Ministry of Public Security), The 15th Research Institute of China
Electronics Technology Group Corporation (Information Industry Information
Security Evaluation Center), Beijing Information Security Evaluation Center.
Main drafters of this Standard: Yuan Jing, Ren Weihong, Jiang Lei, Li Sheng,
Zhang Yuxiang, Bi Maning, Li Ming, Zhang Yi, Liu Kaijun, Zhao Qin, Wang Ran,
Liu Haifeng, Qu Jie, Liu Jing, Zhu Jianping, Ma Li, Chen Guangyong.
The previous edition replaced by this Standard is:
- GB/T 28449-2012.
Introduction
Classified testing and evaluation, in this Standard, is the process by which a testing and evaluation organization, based on technical standards such as GB/T 22239 and GB/T 28448, tests and evaluates whether the classified security protection of a classified target meets the basic requirements for the corresponding classification. It is an important link in implementing the classified protection system of cyber security.
During construction, rectification and reform, the operator and user of a classified target use classified testing and evaluation to analyze the situation, determine the system's security protection status and existing security problems, and on this basis determine the security requirements for system rectification and reform.
During the operation and maintenance of a classified target, the operator and user regularly perform a self-check, or entrust a testing and evaluation organization to carry out classified testing and evaluation, of the security classified protection status of the classified target, in order to inspect and evaluate its information security control ability and thereby determine whether the classified target has the security protection ability required by the corresponding classification in GB/T 22239. The classified testing and evaluation report formed in this way is therefore an important reference for the rectification and reinforcement of the classified target. It is also an important attachment when level three and above classified targets are put on record. The operator and user shall make their rectification plan on the basis of the classified testing and evaluation report.
This Standard is one of series standards related to classified protection of cyber
security.
Information security technology - Testing and
evaluation process guide for classified protection of
cyber security
1 Scope
This Standard standardizes the testing and evaluation process for classified protection of cyber security (hereinafter referred to as "classified testing and evaluation"). It also specifies the testing and evaluation activities and their work tasks.
This Standard is applicable to testing and evaluation organizations, supervision departments of classified targets and operating users carrying out testing and evaluation for classified protection of cyber security.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any
amendments) applies.
GB 17859, Classified criteria for security protection of computer information
system
GB/T 22239, Information security technology - Baseline for classified
protection of cybersecurity
GB/T 25069, Information security technology - Glossary
GB/T 28448, Information security technology - Evaluation requirement for
classified protection of cybersecurity
3 Terms and definitions
For the purposes of this document, the terms and definitions defined in GB
17859, GB/T 22239 and GB/T 28448 apply.
4 Overview of classified testing and evaluation
4.1 Overview of classified testing and evaluation process
The testing and evaluation process and tasks in this Standard are based on the first classified testing and evaluation carried out on a classified target by an entrusted testing and evaluation organization. If the operator and user have performed a self-check, or an entrusted testing and evaluation organization has already carried out the above classified testing and evaluation once, the testing and evaluation organization and personnel shall adjust part of the work tasks according to the actual situation (see Annex A). A testing and evaluation organization carrying out classified testing and evaluation shall carry out the related work strictly according to the classified testing and evaluation requirements given in Annex B.
The classified testing and evaluation process includes four basic testing and evaluation activities: preparation of testing and evaluation, scheme preparation, on-site testing and evaluation, and report preparation. Communication and negotiation between the relevant parties shall be conducted throughout the entire classified testing and evaluation. Each testing and evaluation activity has one set of determined work tasks. See Table 1 for details.
Table 1 -- Classified testing and evaluation process

Testing and evaluation activity | Main work tasks
--- | ---
Preparation of testing and evaluation | Work start; Information collection and analysis; Tool and form preparation
Scheme preparation | Confirmation of target of testing and evaluation; Confirmation of indicator of testing and evaluation; Confirmation of content of testing and evaluation; Confirmation of tool testing method; Development of testing and evaluation guide; Preparation of scheme of testing and evaluation
On-site testing and evaluation | Preparation of on-site testing and evaluation; Record of testing and evaluation and result; Result confirmation and material return
Report preparation | Determination of individual testing and evaluation result; Determination of unit testing and evaluation result; Overall testing and evaluation; Evaluation of system security assurance; Risk analysis of security problem; Formation of classified testing and evaluation conclusion; Preparation of testing and evaluation report
This Standard gives the corresponding working procedure, main tasks, output files and duties of the relevant parties for each activity. Each work task has a corresponding input, task description and output product.
4.2 Classified testing and evaluation risks
4.2.1 Risk that affects system’s normal operation
During on-site testing and evaluation, a certain amount of verification testing needs to be conducted on equipment and systems. Some testing contents require on-board verification and the checking of certain information, which might have a certain impact on the system's operation and might even cause mis-operation.
In addition, when testing tools are used to conduct vulnerability scanning tests, performance tests and penetration tests, they might affect the load on the network and system. Penetration attack tests might also affect the normal operation of servers and systems; for example, they might cause a reboot or service interruption, and code implanted during the penetration process might not be completely cleaned up.
4.2.3 Risk of Trojan implant
After the testing and evaluation personnel complete a penetration test, they may, intentionally or unintentionally, fail to remove, or fail to thoroughly remove, the testing tools used during the penetration test, or the testing computer itself may carry a Trojan program. Either case may introduce a Trojan implant risk into the system under test.
4.3 Classified testing and evaluation risk avoidance
During classified testing and evaluation, the following measures shall be taken to avoid risks:
a) Signing of a commissioned testing and evaluation agreement
Before testing and evaluation officially starts, the testing and evaluation party and the party under test need to, by way of a commissioned agreement, SPECIFY the goal, scope, personnel composition, planning, implementation steps and requirements of the testing and evaluation, as well as the responsibilities and obligations of both parties, so that both parties reach a consensus on the basic issues of the testing and evaluation process.
c) Avoidance of on-site testing and evaluation risk
Before on-site testing and evaluation, the testing and evaluation organization shall sign an on-site testing and evaluation letter of authorization with the relevant organization, requiring the relevant parties to back up the system and data and to develop emergency response plans for possible events.
Verification testing and tool testing shall avoid business peaks and be conducted when system resources are idle; alternatively, a simulation environment consistent with the production environment shall be configured, and testing such as vulnerability scanning conducted in that simulation environment. For on-board verification testing, the contents to be verified are proposed by the testing and evaluation personnel, and the actual operation is performed by the technical personnel of the system operation and using organization. The entire on-site testing and evaluation process requires full supervision by the system operation and using organization.
d) Testing and evaluation site restoration
After testing and evaluation is completed, the testing and evaluation personnel shall return all privileges acquired during the testing and evaluation process, return the relevant documents borrowed during it, and restore the testing and evaluation environment to its status before testing and evaluation was performed.
5 Preparation of testing and evaluation
5.1 Workflow of preparation of testing and evaluation
The purpose of preparation of testing and evaluation is to start the testing and evaluation project smoothly, collect the relevant material of the classified target, prepare the material required by testing and evaluation, and lay a good foundation for the preparation of the testing and evaluation scheme.
Preparation of testing and evaluation includes three major tasks: work start, information collection and analysis, and tool and form preparation. See Figure 1 for the basic workflow of these three tasks.
Figure 1 -- Basic workflow of preparation of testing and evaluation
5.2 Major tasks of preparation of testing and evaluation
5.2.1 Work start
In the work start task, the testing and evaluation organization builds a project team for classified testing and evaluation and obtains basic information about the testing and evaluation entrusted organization and the classified target, so as to make full preparation for the implementation of the entire classified testing and evaluation project in terms of basic information, personnel and planning.
Input: commissioned testing and evaluation agreement.
Task description:
a) According to the commissioned testing and evaluation agreement signed by both parties and the scale of the system, the testing and evaluation organization builds a testing and evaluation project team to make full preparation in terms of personnel, and prepares a project planning proposal.
b) The testing and evaluation organization requires the testing and evaluation entrusted organization to provide and prepare basic information, so as to gain a comprehensive understanding of the classified target under test.
Output/product: project planning proposal.
5.2.2 Information collection and analysis
By checking the material already obtained on the classified target under test, or by using a system survey form, the testing and evaluation organization learns the composition of the entire system, its protection situation and the relevant situation of the responsible department, so as to lay a foundation for on-site testing and evaluation and security evaluation.
Input: project planning proposal, system survey form, relevant information of the classified target under test.
Task description:
a) The testing and evaluation organization collects the relevant information required for classified testing and evaluation, including the management structure, technical system, operation, construction plan and related test files produced during construction by the testing and evaluation entrusted organization. See Annex C for the supplementary information to collect for cloud computing platforms, the Internet of Things, mobile internet and industrial control systems.
b) The testing and evaluation organization submits the system survey form to the testing and evaluation entrusted organization, and supervises and urges the relevant personnel of the classified target under test to fill in the survey form correctly.
c) The testing and evaluation organization takes back the completed survey form and analyzes the survey results, so as to understand and become familiar with the actual situation of the classified target under test.
When analyzing the collected information, the following methods may be used:
1) Use the system analysis method to analyze the entire network structure and system composition, including the network structure, external boundary, number and level of classified targets, distribution of classified targets at different security protection levels, and load application.
2) Use the decomposition and comprehensive analysis method to analyze the classified target boundary and the components of the system, including physical and logical boundaries, hardware resources, software resources and information resources.
3) Use the comparison and analogy analysis method to analyze the interrelations of the classified target, including application architecture, application processing flow, type of information processed, business data processing flow, service target and number of users.
d) If the information in the survey form is inaccurate, incomplete or contradictory, the testing and evaluation organization shall negotiate with and confirm with the personnel who filled in the form. If necessary, schedule an on-site investigation for face-to-face communication and confirmation with the relevant personnel, so as to ensure the accuracy and completeness of the system information survey.
Output/product: completed survey form, various technical information related to the classified target under test.
5.2.3 Tool and form preparation
Before the testing and evaluation project members conduct on-site testing and evaluation, they shall become familiar with the classified target under test, adjust the testing and evaluation tools and prepare the various forms.
Input: completed survey form, various technical information related to the classified target under test.
Task description:
a) The testing and evaluation personnel adjust the testing and evaluation tools to be used in this testing and evaluation process, including the vulnerability scanning tool, penetration testing tool, performance testing tool and protocol analysis tool.
b) The testing and evaluation personnel simulate the architecture of the classified target under test in the testing and evaluation environment, to prepare the testing and evaluation guide for the relevant network and targets of testing and evaluation such as host devices, and perform the necessary tool verification.
5.3 Output files of testing and evaluation preparation
Output files of testing and evaluation preparation and contents are shown as
Table 2.
Table 2 -- Output files of testing and evaluation preparation and contents

Task | Output file | File content
--- | --- | ---
Work start | Project planning proposal | Project overview, work basis, technical ideas, work content and project organization
Information collection and analysis | Completed survey form, various technical information related to classified target under test | Security protection level of classified target under test, business situation, data situation, network situation, hardware and software situation, management mode and related departments and roles
Tool and form preparation | List of selected testing and evaluation tools |
Tool and form preparation | Various printed forms: risk notification form, file transfer form, meeting record form, meeting check-in form | Risk notification, document name of handover, meeting minutes, meeting attendance form
5.4 Duties of both parties in testing and evaluation preparation
Duties of the testing and evaluation organization:
a) Set up a project team for classified testing and evaluation.
b) Specify the basic information that shall be provided by the testing and evaluation entrusted organization.
c) Prepare the survey form of the basic situation of the classified target under test and submit it to the testing and evaluation entrusted organization.
d) Introduce the working flow and method of security testing and evaluation to the testing and evaluation entrusted organization.
e) Explain to the testing and evaluation entrusted organization the possible risks that testing and evaluation might bring, as well as the avoidance methods.
f) Understand the informatization construction of the testing and evaluation entrusted organization and the basic situation of the classified target under test.
g) Perform an initial analysis of the security situation of the system.
h) Prepare the testing and evaluation tools and files.
Duties of the testing and evaluation entrusted organization:
a) Introduce its own informatization construction and development to the testing and evaluation organization.
b) Provide the relevant information required by the testing and evaluation organization.
c) Provide support and coordination for information collection by the testing and evaluation personnel.
d) Fill in the survey form correctly.
6 Scheme preparations
6.1 Workflow of scheme preparation
Scheme preparation organizes the relevant information about the classified target obtained during preparation of testing and evaluation, so as to provide the basic files and guiding plan for on-site testing and evaluation.
Scheme preparation includes six major tasks: confirmation of the target of testing and evaluation, confirmation of testing and evaluation indicators, confirmation of testing and evaluation contents, confirmation of the tool testing method, development of the testing and evaluation guide, and preparation of the testing and evaluation scheme. See Figure 2 for the basic workflow.
Figure 2 -- Basic workflow of scheme preparation
6.2 Major tasks of scheme preparation
6.2.1 Confirmation of target of testing and evaluation
According to the results of the system survey, analyze the entire business flow, data flow, scope and characteristics of the classified target under test, as well as the main functions of each device and component, so as to confirm the target of this testing and evaluation.
Input: completed survey form, various technical information related to the classified target under test.
Task description:
a) Identify and describe the overall structure of the classified target under test
According to the basic situation of the classified target under test obtained from the survey form, identify the overall structure of the classified target under test and describe it.
b) Identify and describe the boundaries of the classified target under test
According to the completed survey form, identify the boundaries of the classified target under test and the boundary devices, and describe them.
c) Identify and describe the network areas of the classified target under test
In general, a classified target shall be divided into different areas according to business type and degree of importance. According to this area division, describe the main business applications, business flow, area boundaries and the connections between areas.
d) Identify and describe the main devices of the classified target under test
When describing the devices in the system, take the area as the clue and specifically describe the devices deployed in each area. Describe the major business borne by each device, the installed software, and the main connections between devices.
e) Confirm the target of testing and evaluation
Combining the security level and degree of importance of the classified target under test, comprehensively analyze the functions and characteristics of each device and component in the system. Confirm the targets of testing and evaluation at the technical level from the attributes of importance, security, sharing, comprehensiveness and appropriateness of the components of the classified target under test. Confirm the personnel and management files related to the classified target under test as targets of testing and evaluation. See Annex D for the confirmation rules and examples for the target of testing and evaluation.
f) Describe the target of testing and evaluation
Describe the targets of testing and evaluation by category, including computer room, business application software, host operating system, database management system, network interconnection equipment, security equipment, personnel to be interviewed, and security management files.
Output/product: the target of testing and evaluation part of the testing and evaluation scheme.
6.2.2 Confirmation of testing and evaluation indicators
According to the classification results of the classified target under test, confirm the basic testing and evaluation indicators for this testing and evaluation. According to the business needs of the testing and evaluation entrusted organization and the classified target under test, confirm the special testing and evaluation indicators for this testing and evaluation.
Input: completed survey form, GB 17859, GB/T 22239, industry specification, business requirement file.
Task description:
a) According to the classification results of the classified target under test, including the security protection level of business information and the security protection level of system service, obtain the combination of the basic security requirements of the system service guarantee class (class A), the basic security requirements of the business information security class (class S) and the basic security requirements of the general security protection class (class G) for the classified target under test.
b) According to the combination of the class A, class S and class G basic security requirements of the classified target under test, select the basic security requirements at the corresponding level from GB/T 22239 and the industry specification as the basic testing and evaluation indicators.
c) According to the actual situation of the classified target under test, confirm the testing and evaluation indicators that are not applicable.
d) According to the business needs of the testing and evaluation entrusted organization and the classified target under test, confirm the special testing and evaluation indicators.
6.2.3 Confirmation of testing and evaluation contents
This sub-clause confirms the specific implementation contents of on-site testing and evaluation, i.e., the testing and evaluation content of each individual item.
Input: completed system survey form, target of testing and evaluation part in
testing and evaluation scheme, tes......
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.