GB/T 28449-2018 PDF English
GB/T 28449-2018: Information security technology - Testing and evaluation process guide for classified protection of cyber security (Status: Valid)
GB/T 28449: Evolution and historical versions
Standard ID | Contents [version] | USD | PDF delivery | Name of Chinese Standard | Status
GB/T 28449-2018 | English | 830 | 0-9 seconds, auto-delivery | Information security technology - Testing and evaluation process guide for classified protection of cyber security | Valid
GB/T 28449-2012 | English | RFQ | 10 days | Information security technology - Testing and evaluation process guide for classified protection of information system security | Obsolete
PDF Preview (excerpt): GB/T 28449-2018
GB/T 28449-2018: Information security technology - Testing and evaluation process guide for classified protection of cyber security. This is an excerpt; the full true-PDF in English (including equations, symbols, images, flow-charts, tables and figures) can be purchased online: https://www.ChineseStandard.net/PDF.aspx/GBT28449-2018
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 28449-2012
Information security technology - Testing and
evaluation process guide for classified protection of
cyber security
Issued on: DECEMBER 28, 2018
Implemented on: JULY 01, 2019
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword... 4
Introduction... 6
1 Scope... 7
2 Normative references... 7
3 Terms and definitions... 7
4 Overview of classified testing and evaluation... 8
5 Preparation of testing and evaluation... 10
6 Scheme preparations... 15
7 On-site testing and evaluation... 23
8 Report preparation... 28
Annex A (Normative) Workflow of classified testing and evaluation... 37
Annex B (Normative) Requirements for classified testing and evaluation... 40
Annex C (Normative) Supplement for classified testing and evaluation of new technology and new application... 42
Annex D (Normative) Principle and example for confirmation of target of testing and evaluation... 47
Annex E (Informative) Modes and work tasks for on-site testing and evaluation of classified testing and evaluation... 53
Annex F (Informative) Example for template of classified testing and evaluation report... 58
Bibliography... 87
1 Scope
This Standard standardizes the testing and evaluation process for classified
protection of cyber security (hereinafter referred to as "classified testing and
evaluation"). It also specifies the testing and evaluation activities and their work tasks.
This Standard is applicable to testing and evaluation organizations, supervision
departments of classified targets, and operation users carrying out testing and
evaluation for classified protection of cyber security.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any
amendments) applies.
GB 17859, Classified criteria for security protection of computer information
system
GB/T 22239, Information security technology - Baseline for classified
protection of cybersecurity
GB/T 25069, Information security technology - Glossary
GB/T 28448, Information security technology - Evaluation requirement for
classified protection of cybersecurity
3 Terms and definitions
For the purposes of this document, the terms and definitions defined in GB
17859, GB/T 22239 and GB/T 28448 apply.
4 Overview of classified testing and evaluation
4.1 Overview of classified testing and evaluation process
The testing and evaluation process and tasks in this Standard are based on a first
classified testing and evaluation carried out on a classified target by an entrusted testing and
evaluation organization. If the operator and user have already
performed a self-check, or an entrusted testing and evaluation organization has
already carried out such a classified testing and evaluation once, the testing and evaluation
organization and personnel shall, according to the actual situation, adjust part of the
work tasks (see Annex A). A testing and evaluation organization that carries out
classified testing and evaluation shall carry out the related work strictly according
to the classified testing and evaluation requirements given in Annex B.
The classified testing and evaluation process includes four basic testing and
evaluation activities: preparation of testing and evaluation, scheme preparation,
on-site testing and evaluation, and report preparation. Communication and
negotiation between the relevant parties shall be
conducted throughout the entire classified testing and evaluation. Each testing and
evaluation activity has its own set of defined work tasks. See Table 1 for details.
4.2 Classified testing and evaluation risks
4.2.1 Risk that affects system’s normal operation
During on-site testing and evaluation, a certain amount of verification
testing of equipment and systems is necessary. Some testing contents require on-board
verification and checking of certain information, which might affect the
system's operation and could even cause mis-operation.
In addition, when testing tools are used for vulnerability scanning, performance
testing and penetration testing, they might place an additional load on the
network and the system. Penetration testing might also affect the normal
operation of servers and systems; for example, it might cause reboots or service
interruption, and code implanted during the penetration process might not be completely
cleaned up.
4.2.2 Risk of sensitive information disclosure
Testing and evaluation personnel might intentionally or unintentionally disclose
information about the system under test, such as network topology, IP addresses,
business processes, business data, security mechanisms, security risks, and related
file information.
4.2.3 Risk of Trojan implant
After completing a penetration test, testing and evaluation personnel
might intentionally or unintentionally fail to clean up, or fail to clean up thoroughly, the testing tools
used during the penetration test; the testing computer itself might also carry a
Trojan program. Either case brings a risk of Trojan implantation in the system under test.
4.3 Classified testing and evaluation risk avoidance
During classified testing and evaluation, the following measures shall be taken to
avoid these risks.
5 Preparation of testing and evaluation
5.1 Workflow of preparation of testing and evaluation
Preparation of testing and evaluation is meant to start the testing and evaluation project
smoothly, to collect relevant material on the classified target, to prepare the material
required by testing and evaluation, and to lay a good foundation for the preparation
of the testing and evaluation scheme.
Preparation of testing and evaluation includes three major tasks: work start,
information collection and analysis, and tool and form preparation. See Figure 1 for
the basic workflow of these three tasks.
5.2 Major tasks of preparation of testing and evaluation
5.2.1 Work start
In the work start task, the testing and evaluation organization builds a project team for
classified testing and evaluation and obtains basic information on the testing and
evaluation entrusted organization and the classified target. It makes full preparation
for the implementation of the entire classified testing and evaluation project in terms of
basic information, personnel, and planning.
Input: commissioned testing and evaluation agreement.
Task description:
a) According to commissioned testing and evaluation agreement signed by
both parties of testing and evaluation as well as system scale, testing and
evaluation organization builds a testing and evaluation project team to
make full preparation from perspective of personnel, to prepare project
planning proposal.
b) Testing and evaluation organization requires testing and evaluation
entrusted organization to provide basic information, prepare information
so as to make a comprehensive understanding of classified target under
test.
5.2.2 Information collection and analysis
By checking the material obtained from the classified target under
test or by using a system survey form, the testing and evaluation organization learns the
composition of the entire system and its protection situation, as well as the relevant
situation of the responsible department, so as to lay a foundation for on-site testing
and evaluation as well as security evaluation.
Input: project planning proposal, system survey form, relevant information on the
classified target under test.
Task description:
a) The testing and evaluation organization collects the relevant information required
for classified testing and evaluation, including management structure,
technical system, operation, construction plan, and related test files produced during
construction by the testing and evaluation entrusted organization. See Annex C
for supplementary information to collect for cloud computing platforms,
Internet of Things, mobile internet, and industrial control systems.
b) Testing and evaluation organization submits system survey form to testing
and evaluation entrusted organization, supervises and urges relevant
personnel of classified target under test to correctly fill in survey form.
c) Testing and evaluation organization takes back survey form that has been
filled, analyzes survey results so as to understand and be familiar with
actual situation of classified target under test.
When analyzing the collected information, the following methods may be used:
1) Use system analysis method to analyze entire network structure and
system composition, including network structure, external boundary,
number and level of classified target, distribution of classified target at
different security protection levels, and load application.
2) Use decomposition and comprehensive analysis method to analyze
classified target boundary and system composition component,
including physical and logical boundaries, hardware resources,
software resources, information resources.
3) Use comparison and analogy analysis method to analyze interrelation
of classified target, including application architecture, application
processing flow, processing information type, business data processing
flow, service target, number of users.
d) If information in survey form is inaccurate, imperfect or contradictory,
testing and evaluation organization shall negotiate and confirm with form
filling personnel. If necessary, schedule an on-site investigation to have a
face-to-face communication and confirmation with relevant personnel, so
as to ensure accuracy and completeness of system information survey.
Output/product: completed survey form, various technical information related to the
classified target under test.
5.2.3 Tool and form preparation
Before testing and evaluation project members conduct on-site testing and
evaluation, they shall be familiar with classified target under test, adjust testing
and evaluation tools and prepare various forms.
Input: completed survey form, various technical information related to the classified
target under test.
Task description:
a) Testing and evaluation personnel adjust the testing and evaluation tools that
will be used in this testing and evaluation process, including vulnerability
scanning tools, penetration testing tools, performance testing tools, and
protocol analysis tools.
b) Testing and evaluation personnel simulate the architecture of the classified target
under test in the testing and evaluation environment, so as to prepare the
testing and evaluation guide for the relevant network and targets of testing and
evaluation (such as host devices), and perform the necessary tool verification.
c) Prepare and print forms, mainly including risk notification form, file transfer
form, meeting record form, meeting check-in form.
Output/product: list of selected testing and evaluation tools, various printed
forms.
6 Scheme preparations
6.1 Workflow of scheme preparation
Scheme preparation organizes the relevant information on the classified target that
was obtained during testing and evaluation preparation, so as to provide the
basic documents and guide plan for on-site testing and evaluation.
Scheme preparation includes six major tasks: confirmation of the target of testing
and evaluation, confirmation of testing and evaluation indicators, confirmation
of testing and evaluation contents, confirmation of the tool testing method,
development of the testing and evaluation guide, and preparation of the testing and
evaluation scheme. See Figure 2 for the basic workflow.
Figure 2 -- Basic workflow of scheme preparation
6.2 Major tasks of scheme preparation
6.2.1 Confirmation of target of testing and evaluation
6.2.2 Confirmation of testing and evaluation indicators
According to classification results of classified target under test, confirm basic
testing and evaluation indicators for testing and evaluation of this time.
According to business needs of testing and evaluation entrusted organization
and classified target under test, confirm special testing and evaluation
indicators for testing and evaluation of this time.
Input: completed survey form, GB 17859, GB/T 22239, industry specification,
business requirement file.
Task description:
a) According to classification results of classified target under test, including
security protection level of business information and security protection
level of system service, obtain combination of basic security requirements
of system service guarantee class (class A) of classified target under test,
basic security requirements of business information security class (class
S) as well as basic security requirements of general security protection
class (class G).
b) According to combination of basic security requirements of class A, class
S and class G of classified target under test, from GB/T 22239 and
industry specification, select basic security requirements at corresponding
level as basic testing and evaluation indicators.
c) According to actual situation of classified target under test, confirm testing
and evaluation indicators that are not applicable.
d) According to business needs of testing and evaluation entrusted
organization and classified target under test, confirm special testing and
evaluation indicators.
e) Describe confirmed basic testing and evaluation indicators and special
testing and evaluation indicators. Analyze reasons why indicators are not
applicable.
Output/product: testing and evaluation indicators part of the testing and evaluation
scheme.
6.2.3 Confirmation of testing and evaluation contents
This sub-clause confirms specific implementation contents of on-site testing
and evaluation, i.e., testing and evaluation content of individual item.
Input: completed system survey form, target of testing and evaluation part of the
testing and evaluation scheme, testing and evaluation indicators part of the testing
and evaluation scheme.
Task description:
According to GB/T 22239, combine testing and evaluation indicators obtained
above and target of testing and evaluation together. Make testing and
evaluation indicators mapped on each target of testing and evaluation. By
combining with characteristics of target of testing and evaluation, explain testing
and evaluation method that is adopted by each target of testing and evaluation.
This constitutes contents of individual testing and evaluation that can be
specifically tested and evaluated. Testing and evaluation contents are
foundation for testing and evaluation personnel to develop testing and
evaluation guide.
Output/product: implementation part of testing and evaluation in the testing and
evaluation scheme.
6.2.4 Confirmation of tool testing method
In classified testing and evaluation, testing tools are used for testing. Testing tools
may be vulnerability scanners, penetration test tool sets, and protocol analyzers. See
Annex C for supplementary test contents for Internet of Things, mobile internet, and
industrial control systems.
Input: implementation part of testing and evaluation in the testing and evaluation
scheme, GB/T 22239, list of selected testing and evaluation tools.
Task description:
a) Confirm tool testing environment. According to real-time requirements for
system under test, it may select production environment or backup
environment that is same with production environment in each security
configuration, production verification environment or testing environment
as tool testing environment.
b) Confirm target of testing and evaluation under test.
c) Select the testing path. Testing tools are connected step by step and point by
point, from outside to inside and from other networks to the local network;
that is, the testing tool is connected outside the boundary of the classified
target under test, then within the classified target under test, then in a
network region different from that of the target of testing and
evaluation, and finally within the same network area as the target of testing
and evaluation.
d) According to the testing path, confirm the access point of the testing tool.
When connected from outside the classified target under test, the testing
tool is generally connected at a system boundary device (usually a
switching device). At this point, the vulnerability scanner is connected to
scan and detect exposed security vulnerabilities of the classified target devices
under test. At this access point, the protocol analyzer is connected to capture
network data packets of the application program, to check its security
encryption and integrity protection. At this access point, the penetration
testing toolset is used to try to exploit security vulnerabilities of the classified target devices
under test so as to cross the system boundary and intrude into the classified
target devices under test.
7 On-site testing and evaluation
7.1 Work flow of on-site testing and evaluation
Through communication and coordination with the testing and evaluation entrusted
organization, a good foundation is laid for smooth on-site testing and evaluation.
On-site testing and evaluation is then implemented according to the testing and
evaluation scheme, putting the testing and evaluation scheme and methods into
practice on site. On-site testing and evaluation shall obtain sufficient evidence and
information required for report preparation.
On-site testing and evaluation includes preparation of on-site testing and
evaluation, on-site testing and evaluation with results recording, and result confirmation
with material return. See Figure 3 for the basic work flow.
8 Report preparation
8.1 Work flow of report preparation
After on-site testing and evaluation ends, the testing and evaluation organization
shall gather and analyze the testing and evaluation results obtained (also known as
testing and evaluation evidence) to form the conclusion of
classified testing and evaluation and prepare the testing and evaluation report.
After making a preliminary judgement on each individual testing and evaluation
result, testing and evaluation personnel still need to determine the
unit testing and evaluation results, carry out overall testing and evaluation, and
evaluate system security assurance. After overall testing and evaluation, some
individual testing and evaluation results might change and require further
modification. Risk assessment is then conducted on the security problems found, to
form the conclusion of classified testing and evaluation. Analysis and report
preparation include seven main tasks: determination of individual testing and
evaluation results, determination of unit testing and evaluation results, overall
testing and evaluation, system security assurance assessment, security problem
risk assessment, formation of the classified testing and evaluation conclusion, and
preparation of the testing and evaluation report. See Figure 4 for the basic work flow.
8.2 Main tasks of report preparation
8.2.1 Determination of individual testing and evaluation result
This task applies to each individual testing and evaluation item. Combining it with the
specific target of testing and evaluation, it objectively and accurately analyzes the
testing and evaluation evidence to form preliminary individual testing and
evaluation results. Individual testing and evaluation results are the foundation for
forming the conclusion of classified testing and evaluation.
Input: testing and evaluation evidence and evidence source records confirmed by
the testing and evaluation entrusted organization, testing and evaluation guide.
8.2.2 Determination of unit testing and evaluation result
This task gathers the individual testing and evaluation results and
separately compiles statistics on the individual results for each
target of testing and evaluation, so as to determine the unit testing and
evaluation result.
Input: record part of classified testing and evaluation results in the testing and
evaluation report.
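As an added illustration (not part of the standard and not code from the standard's authors) of the statistics step in 8.2.2 and of the selection of incompatible and partially compatible items that 8.2.3 takes into overall testing and evaluation, the following Python script tallies constructed individual results per target and rolls them up into a unit result. The result categories are the page's own; the unit names, target names and indicator ids are constructed, and the roll-up rule (weakest individual result wins) is an assumption for illustration, since the page does not define one.

```python
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Result categories named in 8.2.3 for individual items; "not applicable"
# covers indicators confirmed as not applicable under 6.2.2 c).
COMPATIBLE = "compatible"
PARTIAL = "partially compatible"
INCOMPATIBLE = "incompatible"
NOT_APPLICABLE = "not applicable"


class ItemResult(NamedTuple):
    unit: str        # evaluation unit (hypothetical grouping, e.g. "access control")
    target: str      # target of testing and evaluation (constructed name)
    indicator: str   # indicator id (constructed; not an id from GB/T 22239)
    result: str      # one of the four categories above


# Constructed sample evidence, standing in for the record part of the report.
SAMPLE_ITEMS: List[ItemResult] = [
    ItemResult("access control", "web-server-01", "AC-01", COMPATIBLE),
    ItemResult("access control", "web-server-01", "AC-02", PARTIAL),
    ItemResult("access control", "db-server-01", "AC-01", INCOMPATIBLE),
    ItemResult("access control", "db-server-01", "AC-02", COMPATIBLE),
    ItemResult("audit", "web-server-01", "AU-01", COMPATIBLE),
    ItemResult("audit", "db-server-01", "AU-01", NOT_APPLICABLE),
]


def statistics_by_target(items: List[ItemResult]) -> Dict[Tuple[str, str], Counter]:
    """8.2.2: tally individual results separately for each (unit, target) pair."""
    stats: Dict[Tuple[str, str], Counter] = {}
    for it in items:
        stats.setdefault((it.unit, it.target), Counter())[it.result] += 1
    return stats


def unit_result(counts: Counter) -> str:
    """Assumed roll-up rule (not defined on the page): the weakest individual
    result wins; a unit whose items are all not applicable is itself not applicable."""
    if counts[INCOMPATIBLE]:
        return INCOMPATIBLE
    if counts[PARTIAL]:
        return PARTIAL
    if counts[COMPATIBLE]:
        return COMPATIBLE
    return NOT_APPLICABLE


def unit_results(items: List[ItemResult]) -> Dict[Tuple[str, str], str]:
    """Unit testing and evaluation result for every (unit, target) pair."""
    return {key: unit_result(c) for key, c in statistics_by_target(items).items()}


def items_for_overall_evaluation(items: List[ItemResult]) -> List[ItemResult]:
    """8.2.3: the incompatible and partially compatible items that are examined
    one by one in overall testing and evaluation."""
    return [it for it in items if it.result in (INCOMPATIBLE, PARTIAL)]


if __name__ == "__main__":
    for (unit, target), res in sorted(unit_results(SAMPLE_ITEMS).items()):
        print(f"{unit:15} {target:15} {res}")
    for it in items_for_overall_evaluation(SAMPLE_ITEMS):
        print("overall evaluation needed:", it.unit, it.target, it.indicator, it.result)
```

Because the roll-up keeps the weakest result, a single incompatible item marks its whole unit on that target, which is the behaviour a reviewer wants before 8.2.3 re-examines the item in context; the statistics dictionary keeps the per-category counts so the report can still show how many items were compatible.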
8.2.3 Overall testing and evaluation
For incompatible items or partially compatible items among the individual testing and
evaluation results, a one-by-one determination method is adopted, considering
security controls across points and across levels, to give specific results for overall testing
and evaluation.
Input: record part of classified testing and evaluation results in the testing and
evaluation report, and individual testing and evaluation results.
Task description:
...
Source: The above contents are excerpted from the full-copy PDF, translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.