
GB/T 28449-2018 PDF English


Search result: GB/T 28449-2018 English PDF (GB/T 28449-2018)

Standard ID       Contents [version]   USD   Delivery                     Name of Chinese Standard                                                                                                                     Status
GB/T 28449-2018   English              830   0-9 seconds, auto-delivery   Information security technology -- Testing and evaluation process guide for classified protection of cybersecurity                    Valid
GB/T 28449-2012   English              RFQ   10 days                      Information security technology -- Testing and evaluation process guide for classified protection of information system security   Obsolete

PDF Preview: GB/T 28449-2018 (text excerpt, in English)

GB/T 28449-2018
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 28449-2012

Information security technology - Testing and evaluation process guide for classified protection of cyber security

ISSUED ON: DECEMBER 28, 2018
IMPLEMENTED ON: JULY 01, 2019
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.

Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of classified testing and evaluation
4.1 Overview of classified testing and evaluation process
4.2 Classified testing and evaluation risks
4.3 Classified testing and evaluation risk avoidance
5 Preparation of testing and evaluation
5.1 Workflow of preparation of testing and evaluation
5.2 Major tasks of preparation of testing and evaluation
5.3 Output files of testing and evaluation preparation
5.4 Duties of both parties in testing and evaluation preparation
6 Scheme preparations
6.1 Workflow of scheme preparation
6.2 Major tasks of scheme preparation
6.3 Output files of scheme preparation
6.4 Duties of both parties in scheme preparation
7 On-site testing and evaluation
7.1 Work flow of on-site testing and evaluation
7.2 Main tasks of on-site testing and evaluation
7.3 Output files of on-site testing and evaluation
7.4 Duties of both parties in on-site testing and evaluation
8 Report preparation
8.1 Work flow of report preparation
8.2 Main tasks of report preparation
8.3 Output files of report preparation
8.4 Duties of both parties in report preparation
Annex A (Normative) Workflow of classified testing and evaluation
Annex B (Normative) Requirements for classified testing and evaluation
Annex C (Normative) Supplement for classified testing and evaluation of new technology and new application
Annex D (Normative) Principle and example for confirmation of target of testing and evaluation
Annex E (Informative) Modes and work tasks for on-site testing and evaluation of classified testing and evaluation
Annex F (Informative) Example for template of classified testing and evaluation report
Bibliography

Foreword

This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.

This Standard replaces GB/T 28449-2012 "Information security technology - Testing and evaluation process guide for classified protection of information system security". Compared with GB/T 28449-2012, in addition to editorial modifications, the main technical changes are as follows:
- modified the standard's name to "Information security technology - Testing and evaluation process guide for classified protection of cyber security";
- modified the tasks in report preparation from 6 tasks to 7 tasks (see 4.1 of this Edition, 5.4 of Edition 2012);
- in the duties of both parties involved in preparation of testing and evaluation and in on-site testing and evaluation, added duties to coordinate multiple parties, and specified them in some work tasks that involve multiple parties (see 7.4 of this Edition, 8.4 of Edition 2012);
- added contents on information analysis methods to the information collection and analysis task (see 5.2.2 of this Edition);
- added special tasks and requirements that require additional focus for security testing and evaluation carried out on classified protection targets built using cloud computing, Internet of Things, mobile internet, industrial control systems or IPv6 systems (see Annex C of this Edition);
- deleted the testing and evaluation scheme examples (see Annex D of Edition 2012);
- deleted the questionnaire template for the basic situation of the information system (see Annex E of Edition 2012).
Attention is drawn to the possibility that some contents of this Standard may be the subject of patent rights. The issuing authority shall not be held responsible for identifying any or all such patent rights.

This Standard was proposed by and shall be under the jurisdiction of the National Technical Committee on Information Security of Standardization Administration of China (SAC/TC 260).

The drafting organizations of this Standard: The Third Institute of the Ministry of Public Security (Information Security Level Protection Assessment Center of the Ministry of Public Security), The 15th Research Institute of China Electronics Technology Group Corporation (Information Industry Information Security Evaluation Center), Beijing Information Security Evaluation Center.

Main drafters of this Standard: Yuan Jing, Ren Weihong, Jiang Lei, Li Sheng, Zhang Yuxiang, Bi Maning, Li Ming, Zhang Yi, Liu Kaijun, Zhao Qin, Wang Ran, Liu Haifeng, Qu Jie, Liu Jing, Zhu Jianping, Ma Li, Chen Guangyong.

The version of the standard substituted by this Standard is:
- GB/T 28449-2012.

Introduction

Classified testing and evaluation in this Standard is a process in which a testing and evaluation organization, based on technical standards such as GB/T 22239 and GB/T 28448, tests and evaluates whether the classified security protection of a classified target meets the basic requirements for the corresponding classification. It is an important link in implementing the classified protection system for cyber security. During construction, rectification and reform, the operator and user of the classified target, through classified testing and evaluation, performs a situation analysis to determine the system's security protection status and existing security problems, and on this basis determines the security requirements for system rectification and reform.
During operation and maintenance of the classified target, the operator and user of the classified target regularly perform a self-check, or entrust a testing and evaluation organization to carry out classified testing and evaluation, of the security classified protection status of the classified target, in order to inspect and evaluate its information security control ability and so determine whether the classified target has the security protection ability required for the corresponding classification in GB/T 22239. Therefore, the classified testing and evaluation report formed by classified testing and evaluation is an important reference for the classified target to carry out rectification and reinforcement. It is also an important attachment for level three and above classified targets to put on record. The operator and user shall, based on the classified testing and evaluation report, make a plan for rectification.

This Standard is one of a series of standards related to classified protection of cyber security.

Information security technology - Testing and evaluation process guide for classified protection of cyber security

1 Scope

This Standard standardizes the testing and evaluation process for classified protection of cyber security (hereinafter referred to as "classified testing and evaluation"). It also specifies the testing and evaluation activities as well as their work tasks.

This Standard is applicable to testing and evaluation organizations, supervision departments of classified targets, and operating users carrying out testing and evaluation for classified protection of cyber security.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB 17859, Classified criteria for security protection of computer information system
GB/T 22239, Information security technology - Baseline for classified protection of cybersecurity
GB/T 25069, Information security technology - Glossary
GB/T 28448, Information security technology - Evaluation requirement for classified protection of cybersecurity

3 Terms and definitions

For the purposes of this document, the terms and definitions defined in GB 17859, GB/T 22239 and GB/T 28448 apply.

4 Overview of classified testing and evaluation

4.1 Overview of classified testing and evaluation process

The testing and evaluation process and tasks in this Standard are based on the first classified testing and evaluation carried out by an entrusted testing and evaluation organization on a classified target. If the operator and user have performed a self-check, or an entrusted testing and evaluation organization has already carried out the above classified testing and evaluation once, the testing and evaluation organization and personnel shall, according to the actual situation, adjust some of the work tasks (see Annex A). A testing and evaluation organization that carries out classified testing and evaluation shall carry out the related work strictly according to the classified testing and evaluation requirements given in Annex B.

The classified testing and evaluation process includes four basic testing and evaluation activities: preparation of testing and evaluation, scheme preparation, on-site testing and evaluation, and report preparation. Communication and negotiation between the relevant parties of testing and evaluation shall be conducted throughout the entire classified testing and evaluation. Each testing and evaluation activity has one set of determined work tasks. See Table 1 for details.
Table 1 -- Classified testing and evaluation process

Testing and evaluation activity        Main work tasks
Preparation of testing and evaluation  Work start
                                       Information collection and analysis
                                       Tool and form preparation
Scheme preparation                     Confirmation of target of testing and evaluation
                                       Confirmation of indicator of testing and evaluation
                                       Confirmation of content of testing and evaluation
                                       Confirmation of tool testing method
                                       Development of testing and evaluation guide
                                       Preparation of scheme of testing and evaluation
On-site testing and evaluation         Preparation of on-site testing and evaluation
                                       Record of testing and evaluation and result
                                       Result confirmation and material return
Report preparation                     Determination of individual testing and evaluation result
                                       Determination of unit testing and evaluation result
                                       Overall testing and evaluation
                                       Evaluation of system security assurance
                                       Risk analysis of security problem
                                       Formation of classified testing and evaluation conclusion
                                       Preparation of testing and evaluation report

This Standard gives the corresponding working procedure, main tasks, output files and duties of the relevant parties for each activity. Each work task has a corresponding input, task description and output product.

4.2 Classified testing and evaluation risks

4.2.1 Risk that affects the system's normal operation

During on-site testing and evaluation, a certain amount of verification testing has to be conducted on equipment and systems. Some testing contents need on-board verification and require checking some information, which might cause a certain impact on the system's operation and may even cause mis-operation. In addition, when testing tools are used to conduct vulnerability scanning tests, performance tests and penetration tests, they might cause a certain impact on the load of the network and the system. Penetration attack testing might also affect the normal operation of servers and systems; for example, it might cause reboots or service interruption, and code implanted during the penetration process might not be completely cleaned up.
4.2.3 Risk of Trojan implant

After the testing and evaluation personnel complete a penetration test, they may intentionally or unintentionally fail to clean up, or not clean up thoroughly, the testing tools used during the penetration test process, or the testing computer itself may carry a Trojan program. All of these may bring a risk of Trojan implant into the system under test.

4.3 Classified testing and evaluation risk avoidance

During classified testing and evaluation, the following measures shall be taken to avoid risks:

a) Signing of a commissioned testing and evaluation agreement
Before testing and evaluation officially start, the testing and evaluation party and the party under test and evaluation need to, through a commissioned agreement, specify the goal, scope, personnel composition, planning, implementation steps and requirements of the testing and evaluation as well as the responsibilities and obligations of both parties, so that both parties reach a consensus on the basic issues of the testing and evaluation process.

c) Avoidance of on-site testing and evaluation risk
Before on-site testing and evaluation, the testing and evaluation organization shall sign an on-site testing and evaluation letter of authorization with the relevant organization, requiring the relevant parties to back up systems and data and to develop emergency response plans for possible events. When conducting verification testing and tool testing, business peaks shall be avoided: conduct the testing when system resources are idle, or configure an analog/simulation environment that is consistent with the production environment and conduct testing such as vulnerability scanning in that environment. For on-board verification testing, the contents to be verified are proposed by the testing and evaluation personnel, and the actual operation is conducted by the technical personnel of the system operating and using organization. The entire on-site testing and evaluation process requires full supervision by the system operating and using organization.
d) Testing and evaluation site restoration
After testing and evaluation are completed, the testing and evaluation personnel shall return all privileges acquired during the testing and evaluation process, return the relevant documents borrowed during the process, and restore the testing and evaluation environment to its status before testing and evaluation were performed.

5 Preparation of testing and evaluation

5.1 Workflow of preparation of testing and evaluation

The purpose of preparation of testing and evaluation is to start the testing and evaluation project smoothly, to collect the relevant materials of the classified target, to prepare the materials required by testing and evaluation, and to lay a good foundation for preparation of the testing and evaluation scheme. Preparation of testing and evaluation includes three major tasks: work start, information collection and analysis, and tool and form preparation. See Figure 1 for the basic workflow of these three tasks.

Figure 1 -- Basic workflow of preparation of testing and evaluation

5.2 Major tasks of preparation of testing and evaluation

5.2.1 Work start

In the work start task, the testing and evaluation organization builds a project team for classified testing and evaluation and obtains basic information about the testing and evaluation entrusted organization and the classified target, making full preparation for the implementation of the entire classified testing and evaluation project in terms of basic information, personnel and planning.

Input: commissioned testing and evaluation agreement.

Task description:
a) According to the commissioned testing and evaluation agreement signed by both parties of testing and evaluation as well as the system scale, the testing and evaluation organization builds a testing and evaluation project team, making full preparation from the perspective of personnel, and prepares a project planning proposal.
b) The testing and evaluation organization requires the testing and evaluation entrusted organization to provide basic information, and prepares that information so as to gain a comprehensive understanding of the classified target under test.

Output/product: project planning proposal.

5.2.2 Information collection and analysis

By checking the material already obtained on the classified target under test, or by using a system survey form, the testing and evaluation organization learns the composition of the entire system and its protection situation as well as the relevant situation of the responsible departments, so as to lay a foundation for on-site testing and evaluation as well as security evaluation.

Input: project planning proposal, system survey form, relevant information of the classified target under test.

Task description:
a) The testing and evaluation organization collects the relevant information required for classified testing and evaluation, including the management structure, technical system, operation, construction plan, and related test files produced during construction by the testing and evaluation entrusted organization. See Annex C for the supplementary information to be collected for cloud computing platforms, Internet of Things, mobile internet and industrial control systems.
b) The testing and evaluation organization submits the system survey form to the testing and evaluation entrusted organization, and supervises and urges the relevant personnel of the classified target under test to fill in the survey form correctly.
c) The testing and evaluation organization takes back the completed survey form and analyzes the survey results so as to understand and become familiar with the actual situation of the classified target under test.
When analyzing the collected information, the following methods may be used:
1) Use the system analysis method to analyze the entire network structure and system composition, including network structure, external boundary, number and level of classified targets, distribution of classified targets at different security protection levels, and load application.
2) Use the decomposition and comprehensive analysis method to analyze the classified target boundary and system composition components, including physical and logical boundaries, hardware resources, software resources and information resources.
3) Use the comparison and analogy analysis method to analyze the interrelations of the classified target, including application architecture, application processing flow, type of information processed, business data processing flow, service targets and number of users.
d) If the information in the survey form is inaccurate, incomplete or contradictory, the testing and evaluation organization shall negotiate and confirm with the personnel who filled in the form. If necessary, schedule an on-site investigation for face-to-face communication and confirmation with the relevant personnel, so as to ensure the accuracy and completeness of the system information survey.

Output/product: completed survey form, various technical information related to the classified target under test.

5.2.3 Tool and form preparation

Before the testing and evaluation project members conduct on-site testing and evaluation, they shall become familiar with the classified target under test, adjust the testing and evaluation tools and prepare the various forms.

Input: completed survey form, various technical information related to the classified target under test.

Task description:
a) The testing and evaluation personnel adjust the testing and evaluation tools to be used in this testing and evaluation process, including vulnerability scanning tools, penetration testing tools, performance testing tools and protocol analysis tools.
b) The testing and evaluation personnel simulate the architecture of the classified target under test in the testing and evaluation environment, in order to prepare the testing and evaluation guide for the relevant network and the targets of testing and evaluation such as host devices, and perform the necessary tool verification.

5.3 Output files of testing and evaluation preparation

The output files of testing and evaluation preparation and their contents are shown in Table 2.

Table 2 -- Output files of testing and evaluation preparation and contents

Task                                  Output file                                            File content
Work start                            Project planning proposal                              Project overview, work basis, technical ideas, work content and project organization
Information collection and analysis   Completed survey form, various technical information   Security protection level of the classified target under test, business situation, data situation, network situation, situation of hardware and software related to the classified target under test, management mode, and related departments and roles
Tool and form preparation             List of selected testing and evaluation tools
                                      Various printed forms: risk notification form,         Risk notification, document name of handover, meeting minutes, meeting attendance form
                                      file transfer form, meeting record form,
                                      meeting check-in form

5.4 Duties of both parties in testing and evaluation preparation

Duties of the testing and evaluation organization:
a) Set up a project team for classified testing and evaluation.
b) Point out the basic information that shall be provided by the testing and evaluation entrusted organization.
c) Prepare the survey form on the basic situation of the classified target under test, and submit it to the testing and evaluation entrusted organization.
d) Introduce the working flow and methods of security testing and evaluation to the testing and evaluation entrusted organization.
e) Explain to the testing and evaluation entrusted organization the possible risks that might be brought by testing and evaluation as well as the methods of avoiding them.
f) Understand the informatization construction of the testing and evaluation entrusted organization as well as the basic situation of the classified target under test.
g) Initially analyze the security situation of the system.
h) Prepare testing and evaluation tools and files.

Duties of the testing and evaluation entrusted organization:
a) Introduce its own informatization construction and development to the testing and evaluation organization.
b) Provide the relevant information required by the testing and evaluation organization.
c) Provide support and coordination for information collection by the testing and evaluation personnel.
d) Fill in the survey form correctly.

6 Scheme preparations

6.1 Workflow of scheme preparation

Scheme preparation organizes the relevant information on the classified target obtained in testing and evaluation preparation, so as to provide the most basic files and a guiding plan for on-site testing and evaluation. Scheme preparation includes six major tasks: confirmation of the target of testing and evaluation, confirmation of testing and evaluation indicators, confirmation of testing and evaluation contents, confirmation of the tool testing method, development of the testing and evaluation guide, and preparation of the testing and evaluation scheme. See Figure 2 for the basic workflow.

Figure 2 -- Basic workflow of scheme preparation

6.2 Major tasks of scheme preparation

6.2.1 Confirmation of target of testing and evaluation

According to the results of the system survey, analyze the entire business flow, data flow, scope and characteristics of the classified target under test, as well as the main functions of each device and component, so as to confirm the target of testing and evaluation for this testing and evaluation.

Input: completed survey form, various technical information related to the classified target under test.
Task description:
a) Identify and describe the overall structure of the classified target under test
According to the basic situation of the classified target under test obtained from the survey form, identify the overall structure of the classified target under test and describe it.
b) Identify and describe the boundaries of the classified target under test
According to the completed survey form, identify the boundaries of the classified target under test as well as the boundary devices, and describe them.
c) Identify and describe the network areas of the classified target under test
In general, a classified target shall be divided into different areas according to business type and degree of importance. According to the area division, describe the main business applications, business flow and area boundaries in every area, as well as the connections between the areas.
d) Identify and describe the main devices of the classified target under test
When describing the devices in the system, take the areas as the thread and specifically describe the devices deployed in each area. Describe the major business borne by each device, the software installation situation, and the main connections between the devices.
e) Confirm the target of testing and evaluation
Combining the security level and degree of importance of the classified target under test, comprehensively analyze the functions and characteristics of each device and component in the system. Confirm the technical-level targets of testing and evaluation from attributes such as importance, security, sharing, comprehensiveness and appropriateness of the components of the classified target under test. Confirm the personnel and management files related to the classified target under test as targets of testing and evaluation. See Annex D for the confirmation rules and examples for targets of testing and evaluation.
f) Describe the target of testing and evaluation
When describing the target of testing and evaluation, describe it by category, including computer room, business application software, host operating system, database management system, network interconnection equipment, security equipment, interviewees, and security management files.

Output/product: the target-of-testing-and-evaluation part of the testing and evaluation scheme.

6.2.2 Confirmation of testing and evaluation indicators

According to the classification results of the classified target under test, confirm the basic testing and evaluation indicators for this testing and evaluation. According to the business needs of the testing and evaluation entrusted organization and the classified target under test, confirm the special testing and evaluation indicators for this testing and evaluation.

Input: completed survey form, GB 17859, GB/T 22239, industry specifications, business requirement files.

Task description:
a) According to the classification results of the classified target under test, including the security protection level of business information and the security protection level of system service, obtain the combination of the basic security requirements of the system service guarantee class (class A), the business information security class (class S) and the general security protection class (class G) for the classified target under test.
b) According to the combination of class A, class S and class G basic security requirements of the classified target under test, select from GB/T 22239 and the industry specifications the basic security requirements at the corresponding level as the basic testing and evaluation indicators.
c) According to the actual situation of the classified target under test, confirm the testing and evaluation indicators that are not applicable.
d) According to the business needs of the testing and evaluation entrusted organization and the classified target under test, confirm the special testing and evaluation indicators.

6.2.3 Confirmation of testing and evaluation contents

This sub-clause confirms the specific implementation contents of on-site testing and evaluation, i.e., the testing and evaluation contents of individual items.

Input: completed system survey form, target of testing and evaluation part in testing and evaluation scheme, tes...... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.