www.ChineseStandard.net

GB/T 18336.4-2024 English PDF

US$514.00 · In stock
Delivery: <= 5 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 18336.4-2024: Cybersecurity technology - Evaluation criteria for IT security - Part 4: Framework for specification of evaluation methods and activities
Status: Valid
Standard ID        USD   Buy PDF       Lead days   Standard title (description)                                                                                                        Status
GB/T 18336.4-2024  514   Add to Cart   5 days      Cybersecurity technology - Evaluation criteria for IT security - Part 4: Framework for specification of evaluation methods and activities   Valid

Similar standards

GB/T 17964, GB/T 18336.3, GB/T 18336.5, GB/T 18336.2

Basic data

Standard ID: GB/T 18336.4-2024 (GB/T18336.4-2024)
Description (Translated English): Cybersecurity technology - Evaluation criteria for IT security - Part 4: Framework for specification of evaluation methods and activities
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.030
Word Count Estimation: 26,273
Date of Issue: 2024-04-25
Date of Implementation: 2024-11-01
Older standard (partially replaced by this standard): GB/T 18336.3-2015
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 18336.4-2024: Cybersecurity technology - Evaluation criteria for IT security - Part 4: Framework for specification of evaluation methods and activities


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.030
CCS L80
National Standard of the People's Republic of China
GB/T 18336.4-2024
Partially replaces GB/T 18336.3-2015
Cybersecurity technology - Evaluation criteria for IT security - Part 4: Framework for specification of evaluation methods and activities
Issued 2024-04-25, implemented 2024-11-01
Issued by the State Administration for Market Regulation and the National Standardization Administration

Table of Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General model of evaluation methods and evaluation activities
4.1 Concepts and model
4.2 Using derivation to develop evaluation methods and evaluation activities
4.3 Verb usage in descriptions of evaluation methods and evaluation activities
4.4 Conventions for describing evaluation methods and evaluation activities
5 Structure of evaluation methods
5.1 Overview
5.2 Specification of evaluation methods
6 Structure of evaluation activities
6.1 Overview
6.2 Description of evaluation activities
Annex NA (informative) Abbreviations
Bibliography

Foreword

This document was drafted in accordance with GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".

This document is Part 4 of GB/T 18336 "Cybersecurity technology - Evaluation criteria for IT security". GB/T 18336 has the following parts:
--- Part 1: Introduction and general model;
--- Part 2: Security functional components;
--- Part 3: Security assurance components;
--- Part 4: Framework for specification of evaluation methods and activities;
--- Part 5: Pre-defined packages of security requirements.

This document, together with GB/T 18336.3-2024 "Cybersecurity technology - Evaluation criteria for IT security - Part 3: Security assurance components" and GB/T 18336.5-2024 "Cybersecurity technology - Evaluation criteria for IT security - Part 5: Pre-defined packages of security requirements", replaces GB/T 18336.3-2015 "Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance components". This document partially replaces GB/T 18336.3-2015.

Compared with GB/T 18336.3-2015, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
--- added the general model of evaluation methods and evaluation activities (see Clause 4);
--- deleted the assurance paradigm (see Clause 5 of the 2015 edition of GB/T 18336.3);
--- deleted the security assurance components (see Clause 6 of the 2015 edition);
--- added the structure of evaluation methods (see Clause 5);
--- added the structure of evaluation activities (see Clause 6);
--- deleted the evaluation assurance levels (see Clause 7 of the 2015 edition);
--- deleted the composed assurance packages (see Clause 8 of the 2015 edition);
--- deleted class APE: Protection Profile evaluation (see Clause 9 of the 2015 edition);
--- deleted class ASE: Security Target evaluation (see Clause 10 of the 2015 edition);
--- deleted class ADV: Development (see Clause 11 of the 2015 edition);
--- deleted class AGD: Guidance documents (see Clause 12 of the 2015 edition);
--- deleted class ALC: Life-cycle support (see Clause 13 of the 2015 edition);
--- deleted class ATE: Tests (see Clause 14 of the 2015 edition);
--- deleted class AVA: Vulnerability assessment (see Clause 15 of the 2015 edition);
--- deleted class ACO: Composition (see Clause 16 of the 2015 edition).

This document is identical to ISO/IEC 15408-4:2022 "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 4: Framework for the specification of evaluation methods and activities".

The following minimal editorial changes have been made to this document:
--- for consistency with the existing series of standards, the title has been changed to "Cybersecurity technology - Evaluation criteria for IT security - Part 4: Framework for specification of evaluation methods and activities";
--- informative Annex NA "Abbreviations" has been added.

Please note that some content of this document may be subject to patents. The issuing body of this document bears no responsibility for identifying patents.

This document was proposed by, and is under the jurisdiction of, the National Cybersecurity Standardization Technical Committee (SAC/TC 260).

Drafting organizations: China Information Security Evaluation Center, China National Accreditation Service for Conformity Assessment, China Electronics Technology Standardization Research Institute (Institute of Information Technology), China Cyber Security Review Technology and Certification Center, No. 15 Research Institute of China Electronics Technology Group Corporation, China Trade Promotion Information Technology Co., Ltd. (Ren Company), Beijing University of Posts and Telecommunications, China Academy of Space Systems Science and Engineering, Radio and Television Science Research Institute of the National Radio and Television Administration, Beijing Qihoo Technology Co., Ltd., Electric Power Research Institute of State Grid Xinjiang Electric Power Co., Ltd., Venusstar Information Technology Group Co., Ltd., Beijing Shenzhou Green Alliance Technology Co., Ltd., H3C Technologies Co., Ltd., and Yuanjiang Shengbang (Beijing) Network Technology Co., Ltd.

Main drafters: Shi Hongsong, Zhang Baofeng, Li Fengjuan, Yang Yongsheng, Xu Yuan, Gao Jinping, Liu Yuhan, Lin Yanghuichen, Wang Chenyu, Tao Xiaofeng, Wang Zhiyuan, Liu Jia, Wang Feng, Shen Yongbo, Zhang Yi, Li Mingxuan, Zhang Jinchuan, Huo Shanshan, Sun Jun, Ding Feng, Wu Dapeng, Liu Jian, Zhang Yi, Quan Xiaowen, Ye Jianwei, Xie Wei, Wan Xiaolan, Xie Shihua, Bi Haiying, Jia Wei, Deng Hui, Wang Shuyi, and Liu Hongwei.

This document was first published in 2001 as GB/T 18336.3-2001, revised for the first time in 2008 and for the second time in 2015. This is the third revision; it partially replaces GB/T 18336.3-2015 and is numbered GB/T 18336.4.

Introduction

The readers of this document are mainly evaluators applying GB/T 18336 and certifiers confirming the evaluators' actions, as well as evaluation sponsors, developers, PP/ST authors and other parties interested in IT security.

GB/T 18336 is planned to consist of five parts:
--- Part 1: Introduction and general model. Gives an overall overview of GB/T 18336 and defines the basic principles of IT security evaluation; it introduces general concepts and principles and presents a general model for evaluation.
--- Part 2: Security functional components. Establishes a set of standardized templates of functional components that can be used to describe security functional requirements. These functional components are structured as classes and families, and specific security functional requirements are constructed through component selection, refinement and tailoring.
--- Part 3: Security assurance components. Establishes a set of standardized templates of security assurance components that can be used to describe security assurance requirements. These components are structured as classes and families and define the criteria for the evaluation of PPs, STs and TOEs; specific security requirements are then constructed through component selection, refinement and tailoring.
--- Part 4: Framework for specification of evaluation methods and activities. Provides a standardized framework for specifying evaluation methods and activities. These evaluation methods and activities are included in PPs, STs and any supporting documents for use by evaluators, who carry out the evaluation on the basis of the models described in the other parts of GB/T 18336.
--- Part 5: Pre-defined packages of security requirements. Provides packages of security assurance requirements and security functional requirements commonly used by stakeholders; examples of the packages provided include Evaluation Assurance Levels (EALs) and Composed Assurance Packages (CAPs).

GB/T 18336 provides a set of common security functional and security assurance requirements for the security evaluation of information technology (IT) products. ISO/IEC 18045 provides the evaluation methodology that supports some of the assurance requirements of GB/T 18336.

This document describes a framework that can be used to derive evaluation activities (EAs) from ISO/IEC 18045 work units and to group them into evaluation methods (EMs). Evaluation activities or evaluation methods may be included in PPs and in any supporting documents. Where a specific evaluation method or evaluation activity is specified for a PP-Module, package or Security Target (ST), ISO/IEC 18045 requires the evaluator, when performing the evaluation, to follow and report on the relevant evaluation methods and activities. As described in GB/T 18336.1, in some cases an evaluation authority may decide not to approve the use of a particular evaluation method or evaluation activity; in that case, the evaluation methods and activities required by the ST are evaluated.

This document also allows evaluation activities to be defined for extended SARs; in that case the evaluation activities are derived from the criteria defined for the extended SAR in the same way. Where this document refers to the use of a SAR from ISO/IEC 18045 or ISO/IEC 15408-3 (for example, when defining the rationale of an evaluation activity), for an extended SAR such a reference also applies to the equivalent evaluator action elements and work units defined for that extended SAR.

For simplicity, this document specifies how evaluation methods and evaluation activities are to be defined, but does not itself prescribe any evaluation method or evaluation activity.

Example: The following notes, which appear in the other parts of GB/T 18336 and in GB/T 30270-2024, describe those documents' conventions on the use of bold and italic type. This document does not use those conventions; the notes are retained here for consistency with the other standards.

Note: This document uses bold and italic type in some cases to distinguish terms from the rest of the text. For hierarchical components, requirements that are enhanced or modified beyond those of the previous component are highlighted in bold; in addition, any new or enhanced permitted operations beyond the previous component are also highlighted in bold. By convention, italic text is used to indicate text that has a precise meaning. For security assurance requirements, this convention also applies to the special verbs relating to evaluation.

1 Scope

This document provides a standardized framework for specifying objective, repeatable and reproducible evaluation methods and evaluation activities. This document does not specify how to evaluate, adopt or maintain evaluation methods and evaluation activities; this is the responsibility of the relevant parties that propose evaluation methods and evaluation activities within a given area.

2 Normative references

The following documents are referred to in this document in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 15408-1 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model
Note: GB/T 18336.1-2024 Cybersecurity technology - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC 15408-1:2022, IDT)

ISO/IEC 15408-2 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components
Note: GB/T 18336.2-2024 Cybersecurity technology - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022, IDT)

ISO/IEC 15408-3 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components
Note: GB/T 18336.3-2024 Cybersecurity technology - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022, IDT)

ISO/IEC 18045 Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation
Note: GB/T 30270-2024 Cybersecurity technology - Methodology for IT security evaluation (ISO/IEC 18045:2022, IDT)

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 15408-1, ISO/IEC 15408-2, ISO/IEC 15408-3 and ISO/IEC 18045 apply.
NOTE: Annex NA gives the abbreviations used in this document.
......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 18336.4-2024_English be delivered?

Answer: Upon your order, we will start to translate GB/T 18336.4-2024_English as soon as possible and keep you informed of the progress. The lead time is typically 3 to 5 working days; the longer the document, the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 18336.4-2024_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 18336.4-2024_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept currencies other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. Within 2 working hours, we will create a special link for you to pay in any currency. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.