
GB/T 36959-2018 PDF English


Standard ID: GB/T 36959-2018 (English translation)
Name: Information security technology - Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity
Status: Valid


GB/T 36959-2018
GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80

Information security technology - Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity

ISSUED ON: DECEMBER 28, 2018
IMPLEMENTED ON: JULY 01, 2019
Issued by: State Administration for Market Regulation; Standardization Administration of PRC.

Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Capability requirements of assessment organizations
4.1 Classification of assessment organizations
4.2 Classification of level evaluation personnel
4.3 Capability requirements for level I assessment organizations
4.4 Capability requirements for level II assessment organizations
4.5 Capability requirements for level III assessment organizations
4.6 Normative requirements for activities of assessment organizations
5 Evaluation of the capability of assessment organizations
5.1 Evaluation process
5.2 First-time evaluation
5.3 Continuous evaluation
5.4 Capability review
Appendix A (Normative) Summary form of requirements for capability enhancement of assessment organizations of classified protection of cybersecurity at all levels
Appendix B (Normative) Capability requirements for classified protection evaluators of cybersecurity

Information security technology - Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity

1 Scope

This standard specifies the capability requirements and the evaluation specification for assessment organizations of classified protection of cybersecurity.
This standard is applicable to the capability building, operational management and qualification evaluation of organizations that intend to become assessment organizations of classified protection of cybersecurity, or to be upgraded to a higher level of assessment organization.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including all amendments) applies.

GB/T 28448 Information security technology - Evaluation requirement for classified protection of cybersecurity
GB/T 28449 Information security technology - Testing and evaluation process guide for classified protection of cybersecurity

3 Terms and definitions

The terms and definitions defined in GB/T 28448, as well as the following, apply to this document.

3.1 Capability evaluation
According to standards and/or other normative documents, the process of
......

e) There are no less than 15 technical and managerial personnel with cybersecurity-related work experience; no less than 2 full-time penetration testers, with clear job responsibilities and relatively stable staffing;
f) Has a fixed office space, equipped with testing and evaluation tools and experimental environments that meet the needs of the evaluation business;
g) Has complete rules and regulations for security and confidentiality management, project management, quality management, personnel management, file management, and training and education;
h) Does not engage in business that may affect the fairness of evaluation results, such as cybersecurity product development, sales, or information system security integration (except for its own use);
i) Other conditions that shall be met.
4.3.2 Organizational management capabilities

4.3.2.1 The manager of the assessment organization shall have a command of the classified protection policy documents and be familiar with the relevant standards and specifications.
4.3.2.2 The assessment organization shall set up the relevant departments in an appropriate manner; clarify their responsibilities, authorities and mutual relationships; and ensure the orderly conduct of all tasks.
4.3.2.3 The assessment organization shall have professional technical personnel and management personnel competent for level evaluation work; the proportion holding a bachelor's degree or above shall be no less than 70%.
4.3.2.4 The assessment organization shall set up positions that meet the needs of level evaluation work, such as evaluation technicians, evaluation project team leaders, technical supervisors, quality supervisors, security officers, equipment managers and file managers, with clear job responsibilities and stable staffing.
4.3.2.5 The assessment organization shall formulate complete rules and regulations, including but not limited to the following:
a) Project management system
The assessment organization shall formulate a comprehensive evaluation project management system suited to its own characteristics in accordance with GB/T 28449, which shall mainly include the organization
......

examinations organized by the designated assessment organization and obtain the certificate of level evaluator. Level evaluation personnel shall hold the certificate in order to work.
4.3.3.1.3 Evaluation technicians, evaluation project team leaders and technical supervisors shall obtain the primary, intermediate and advanced level evaluator certificates respectively; the number of evaluators shall be no less than 15.
4.3.3.1.4 In addition to obtaining the level evaluator qualification, evaluators shall participate in various forms of evaluation business and technical training each year.
The total training time of evaluators shall be no less than 40 hours per year.
4.3.3.1.5 The assessment organization shall appoint a technical supervisor who is fully responsible for the technical work of level evaluation.

4.3.3.2 Evaluation capability

4.3.3.2.1 The assessment organization shall prove, by providing cases, process records and other materials, that it has more than 2 years of experience in cybersecurity-related work.
4.3.3.2.2 The assessment organization shall ensure that it engages in evaluation work within its capabilities and has sufficient resources to meet the requirements of the evaluation work, as specifically reflected in the following aspects:
a) Security technology evaluation and implementation capability, including development, use, maintenance and professional judgment to obtain relevant results in terms of physical and environmental security, network and communication security, equipment and computing security, application and data security, etc.;
b) Security management evaluation and implementation capability, including development, use, maintenance and professional judgment to obtain relevant results in terms of security strategy and management system, security management organization and personnel, security construction management, security operation and maintenance management, etc.;
c) Security testing and analysis capability, which refers to the capability to develop test-related work instructions based on actual evaluation requirements and to use special evaluation equipment and tools to achieve vulnerability discovery and problem analysis;
d) The overall evaluation implementation capability, which refers to the capability to give specific results of the overall evaluation based on the
......
form the evaluation report. The evaluation report shall be compiled according to the format and content requirements of the evaluation report template for classified protection of cybersecurity uniformly formulated by the public security administrative department. The evaluation report shall pass review, and records of the review shall be kept.

4.3.4 Security and assurance capabilities of facilities and equipment

4.3.4.1 The assessment organization shall have the necessary office environment, equipment, facilities and management systems. The technical equipment and facilities used shall in principle meet the following conditions:
a) The product development and production organization is invested in by Chinese citizens or legal persons, or invested in or controlled by the state, and has independent legal personality within the territory of the People's Republic of China;
b) The core technology and key components of the product are covered by China's own independent intellectual property rights;
c) The product development and production organization and its main business and technical personnel have no criminal records;
d) The product development and production organization declares that it has not intentionally left or set vulnerabilities, backdoors, Trojan horses or other such programs and functions;
e) The product does no harm to national security, social order or the public interest;
f) The organization shall be equipped with critical network equipment and special cybersecurity products that have passed security certification or meet the requirements of security testing.
4.3.4.2 The assessment organization shall be equipped with evaluation equipment and tools that meet the requirements of level evaluation work, such as web security detection tools and malicious behavior detection tools, to assist in discovering security issues during testing. Testing equipment and tools shall pass testing by authoritative organizations, and testing reports shall be provided.
4.3.4.3 The assessment organization shall have a computer room that meets the relevant requirements, and the necessary software and hardware equipment, to meet the needs of cybersecurity simulation, technical training and simulation testing.
4.3.4.4 The assessment organization shall ensure that the evaluation equipment and tools are in good operating condition; ensure that they provide
......

4.3.6.2.2 The assessment organization shall prove that it is lawfully constituted, that its property rights are clear and that its registered capital meets the requirement (5 million yuan), by providing documents on the nature of the organization, its shareholding structure, capital contributions, and the identities of its legal person and shareholders.
4.3.6.2.3 The assessment organization shall establish and maintain personnel files for its staff, including basic personal information, social background, work experience, training records, professional qualifications, rewards and punishments, etc., to ensure the stability and reliability of personnel.
4.3.6.2.4 The test equipment and tools used by the assessment organization shall have a complete function list; there shall be no hidden functions outside the function list.
4.3.6.2.5 The assessment organization shall attach importance to security and confidentiality work, and designate persons responsible for it.
4.3.6.2.6 The assessment organization shall regularly educate its staff on confidentiality in accordance with the confidentiality management system. The assessment organization and its evaluation personnel shall keep confidential the state secrets, work secrets, business secrets, personal privacy, etc., that they learn of during evaluation activities.
4.3.6.2.7 The assessment organization shall clarify the confidentiality requirements of each position; sign a "Confidentiality Responsibility Letter" with all personnel; stipulate the security and confidentiality obligations and legal responsibilities that they shall perform; and be responsible for inspection and implementation.
4.3.6.2.8 The assessment organization shall take technical and management measures to ensure the security, confidentiality and controllability of information related to level evaluation, including but not limited to:
a) Information provided by the organization under evaluation;
b) Data and records generated by level evaluation activities;
c) Analysis and professional judgments based on the above information.
4.3.6.2.9 The assessment organization shall use effective technical means to ensure the security and confidentiality of level evaluation related information throughout the entire data life cycle.

4.3.6.3 Standardization of evaluation methods and procedures

The assessment organization shall ensure that all working procedures,
......

or insufficient resources;
b) The risk that test verification activities may affect the normal operation of the system under test;
c) The risk that the connection of test equipment and tools may affect the normal operation of the system under test;
d) The risk of leakage of important information about the system under test (such as network topology, IP addresses, business processes, security mechanisms, security risks and related documents) during the evaluation process.
4.3.7.2 The assessment organization shall adopt a variety of measures to avoid and control the above risks that the system under test may face.

4.3.8 Sustainability

4.3.8.1 The assessment organization shall formulate a strategic plan according to its own situation, and ensure the continuous construction and development of the assessment organization through continuous investment.
4.3.8.2 The assessment organization shall periodically review and continuously improve its management system and management requirements; set medium- and long-term goals; and gradually improve its quality management capability through achieving those goals.
4.3.8.3 The assessment organization shall carry out training in accordance with its training system and keep training and assessment records.
4.3.8.4 The assessment organization shall devote dedicated resources to summarizing evaluation practice and researching evaluation technology. Assessment organizations shall conduct experience exchanges and technical discussions to keep pace with the development of evaluation technology.

4.4 Capability requirements for level II assessment organizations

4.4.1 Basic conditions

The assessment organization shall have the following basic conditions:
a) Enterprises and organizations registered and established within the territory of the People's Republic of China, invested in by Chinese citizens or legal persons, or invested in by the state;
......

equipment administrators, file administrators, etc., with clear job responsibilities and stable staffing. Among them, the technical supervisor and the quality supervisor shall be full-time personnel and shall not hold these positions concurrently with others.
4.4.2.5 The assessment organization shall formulate complete rules and regulations, including but not limited to the following:
a) Confidentiality management system
The confidentiality management system shall be formulated in accordance with the relevant national confidentiality regulations. It shall specify the scope of confidentiality objects, the confidentiality responsibilities of personnel, the measures and requirements for confidentiality management during the evaluation process, and the penalties for violations of the confidentiality system.
b) Project management system
The assessment organization shall formulate a comprehensive evaluation project management system suited to its own characteristics in accordance with GB/T 28449, which shall mainly include the organization of the evaluation work, job responsibilities, and the work content and management requirements of each stage of the evaluation.
c) Equipment management system
It shall include the responsibilities of the organization's personnel in equipment management, and the regulations on the purchase, use, operation and maintenance of instruments and equipment.
d) Document management system
It shall include the responsibilities of the organization's staff in the management of evaluation documents, and the provisions on the borrowing, reading, storage and destruction of files.
e) Personnel management system
It shall include the content and requirements for personnel recruitment, assessment, daily management and resignation.
f) Training and education system
It shall include the content and requirements for the formulation of training plans, the implementation of training, the assessment and induction of training, and the establishment of personnel training files.
g) Appeal, complaint and dispute handling system
......

following aspects:
a) Security technology evaluation and implementation capability, including development, use, maintenance and professional judgment to obtain relevant results in terms of physical and environmental security, network and communication security, equipment and computing security, application and data security, etc.
The evaluation guides shall cover current mainstream products and related technologies;
b) Security management evaluation and implementation capability, including development, use, maintenance and professional judgment to obtain relevant results in terms of security strategy and management system, security management organization and personnel, security construction management, security operation and maintenance management, and other aspects;
c) Security testing and analysis capability, which refers to the development of test-related work instructions based on actual evaluation requirements, the capability to achieve vulnerability discovery and problem analysis with the help of special evaluation equipment and tools, and the capability to carry out cryptography evaluation;
d) The overall evaluation implementation capability, which refers to the capability to give specific results of the overall evaluation, from the perspective of security control points and between levels and regions, based on the result recording part, the result summary part and the problem analysis part of the unit evaluation in the evaluation report;
e) Risk analysis capability, which refers to the capability to establish a unified set of risk analysis methods based on the relevant norms and standards of classified protection, and to analyze scientifically and reasonably the impact that the security issues found in the level evaluation results may have on the security of the system under evaluation.
4.4.3.2.3 The assessment organization shall strengthen the application of information technology in the implementation of evaluation; with the help of automated means, it shall standardize the evaluation process, optimize the allocation of resources, reduce errors that may be caused by human factors, and improve the efficiency of evaluation work.
4.4.3.2.4 The assessment organization shall establish a complete mechanism for developing, maintaining and updating evaluation methods, to continuously improve its own evaluation technical capability.
4.4.3.2.5 The assessment organization shall take into account the industry characteristics and business types of the system under test; analyze the
......

4.4.4.1 The assessment organization shall have the necessary office environment, equipment, facilities and management systems; the technical equipment and facilities used shall in principle meet the following conditions:
a) The product development and production organization is invested in by Chinese citizens or legal persons, or invested in or controlled by the state, and has independent legal personality within the territory of the People's Republic of China;
b) The core technology and key components of the product are covered by China's own independent intellectual property rights;
c) The product development and production organization and its main business and technical personnel have no criminal records;
d) The product development and production organization declares that it has not intentionally left or set vulnerabilities, backdoors, Trojan horses or other such programs and functions;
e) The product does no harm to national security, social order or the public interest;
f) The organization shall be equipped with critical network equipment and special cybersecurity products that have passed security certification or meet the requirements of security testing.
4.4.4.2 The assessment organization shall be equipped with evaluation equipment and tools that meet the requirements of level evaluation work, such as web security detection tools, malicious behavior detection tools, network protocol analysis tools and source code security audit tools, to assist in analyzing and locating security problems during testing. Testing equipment and tools shall pass testing by authoritative organizations, and testing reports shall be provided.
4.4.4.3 The assessment organization shall have a computer room that meets the relevant requirements and the necessary software and hardware equipment; it shall establish a basic environment composed of mainstream network equipment, security equipment, operating systems and database systems, to meet the needs of network simulation, technical training and simulation testing.
4.4.4.4 The assessment organization shall ensure that the evaluation equipment and tools are in good operating condition, and ensure that they provide accurate evaluation data through continuous updating and upgrading.
4.4.4.5 The testing equipment and tools shall be properly labeled.
4.4.4.6 The assessment organization shall establish a special system to effectively operate and maintain the computers used for evaluation data
......

strictly implement the relevant management norms and technical standards; and carry out objective, fair and secure evaluation services.
4.4.6.1.2 The personnel of the assessment organization shall be free from commercial, financial and other pressures that may affect evaluation results.
4.4.6.1.3 The assessment organization shall publicly announce the policies, regulations, standards and norms on which it bases its evaluations of classified protection of cybersecurity.

4.4.6.2 Reliability and confidentiality assurance capability

4.4.6.2.1 The legal person and main staff of the assessment organization shall be Chinese citizens within the territory of the People's Republic of China with no criminal record.
4.4.6.2.2 The assessment organization shall prove that it is lawfully constituted, that its property rights are clear and that its registered capital meets the requirements, by providing documents on the nature of the organization, its shareholding structure, capital contributions, and the identities of its legal person and shareholders.
4.4.6.2.3 The assessment organization shall establish and maintain personnel files for its staff, including basic personal information, social background, work experience, training records, professional qualifications, rewards and punishments, etc., to ensure the stability and reliability of personnel.
4.4.6.2.4 The test equipment and tools used by the assessment organization shall have a complete function list; there shall be no hidden functions outside the function list.
4.4.6.2.5 The assessment organization shall attach importance to security and confidentiality work, and assign persons responsible for it.
4.4.6.2.6 The assessment organization shall regularly educate its staff on confidentiality in accordance with the confidentiality management system; the assessment organization and its evaluation personnel shall keep confidential the state secrets, work secrets, business secrets and personal privacy that they learn of during evaluation activities.
4.4.6.2.7 The assessment organization shall clarify the confidentiality requirements of each position; sign a "Confidentiality Responsibility Letter" with all personnel; stipulate the security and confidentiality obligations and legal responsibilities that they shall perform; and be responsible for inspection and implementation.
4.4.6.2.8 The assessment organization shall adopt technical and management
......

a) The assessment organization shall issue evaluation reports in accordance with the template format of the evaluation report of classified protection of cybersecurity uniformly formulated by the public security administrative department.
b) The evaluation report shall include all evaluation results, the professional judgments based on those results, and all information needed to understand and interpret them. This information shall be stated correctly, accurately and clearly.
c) The evaluation report shall be prepared by the evaluation project team leader as first author, reviewed by the technical supervisor (or quality supervisor), and issued or approved by the organization's manager or personnel authorized by the manager.
d) An assessment organization that has passed the capability evaluation shall uniformly stamp the special mark of qualified assessment organization capability on the level evaluation reports it issues, and shall register and archive them.

4.4.6.6 Security management capabilities

Assessment organizations shall pay attention to their own security and improve their security management capabilities by deploying security measures.

4.4.7 Risk control capability

4.4.7.1 The assessment organization shall fully estimate the risks that the evaluation may pose to the system under test. The risks include but are not limited to the following:
a) The risk arising from the assessment organization's own insufficient capability or resources;
b) The risk that test verification activities may affect the normal operation of the system under test;
c) The risk that the connection of test equipment and tools may affect the normal operation of the system under test;
d) The risk of leakage of important information about the system under test (such as network topology, IP addresses, business processes, security mechanisms, security risks and related documents) during the evaluation process.
4.4.7.2 The assessment organization shall adopt a variety of measures to avoid and control the above risks that the system under test may face.
......

China and have no criminal record;
e) There are no less than 50 technical and managerial personnel with cybersecurity-related work experience; no less than 5 full-time penetration testers, with clear job responsibilities and relatively stable staffing;
f) Has a fixed office space, equipped with testing and evaluation tools and experimental environments that meet the needs of the evaluation business;
g) Has complete rules and regulations for security and confidentiality management, project management, quality management, personnel management, file management, and training and education;
h) Does not engage in business that may affect the fairness of evaluation results, such as cybersecurity product development, sales, or information system security integration (except for its own use);
i) Other conditions that shall be met.

4.5.2 Organizational management capabilities

4.5.2.1 The manager of the assessment organization shall have a command of the classified protection policy documents and be familiar with the relevant standards and specifications.
4.5.2.2 The assessment organization shall clearly establish the department to carry out the level
...... ......
 
Source: The above contents are excerpted from the PDF, translated and reviewed by www.chinesestandard.net / Wayne Zheng et al.