www.ChineseStandard.net

GB/T 36637-2018 English PDF

US$599.00 · In stock
Delivery: <= 5 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 36637-2018: Information security technology -- Guidelines for the information and communication technology supply chain risk management
Status: Valid
Standard ID       USD   Buy PDF       Lead days   Standard Title (Description)                                                                                              Status
GB/T 36637-2018   599   Add to Cart   5 days      Information security technology -- Guidelines for the information and communication technology supply chain risk management   Valid

Similar standards

GB/T 36644   GB/T 36627   GB/T 36630.1   GB/T 36630.4   GB/T 36630.3   

Basic data

Standard ID: GB/T 36637-2018 (GB/T36637-2018)
Description (Translated English): Information security technology -- Guidelines for the information and communication technology supply chain risk management
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 30,384
Date of Issue: 2018-10-10
Date of Implementation: 2019-05-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 36637-2018: Information security technology -- Guidelines for the information and communication technology supply chain risk management


---This is a DRAFT version for illustration, not the final translation. The full copy of the true-PDF in English (including equations, symbols, images, flow-charts, tables and figures) will be manually and carefully translated upon your order.

Information security technology - ICT Supply Chain Security Risk Management Guide
ICS 35.040
L80
National Standard of the People's Republic of China
Issued 2018-10-10; implemented 2019-05-01
Issued by the State Administration for Market Regulation and the China National Standardization Administration

Content

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
6 ICT supply chain security risk management process
6.1 Overview
6.2 Context analysis
6.3 Risk assessment
6.4 Risk treatment
6.5 Risk monitoring and inspection
6.6 Risk communication and recording
7 ICT supply chain security risk control measures
7.1 Overview
7.2 Technical security measures
7.3 Management security measures
Appendix A (informative) ICT supply chain overview
Appendix B (informative) ICT supply chain security threats
Appendix C (informative) ICT supply chain security vulnerabilities
References

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.

Please note that some of the contents of this document may involve patents. The issuing organization of this document is not responsible for identifying these patents.

This standard is proposed by, and under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC260).

Drafting organizations of this standard: China Electronics Technology Standardization Institute, Institute of Software of the Chinese Academy of Sciences, Lenovo (Beijing) Co., Ltd., Huawei Technologies Co., Ltd., Zhejiang Ant Micro Finance Service Group Co., Ltd., Alibaba (Beijing) Software Service Co., Ltd., Beijing Jing Dongpu Land Pickup E-Commerce Co., Ltd., China Information and Communication Research Institute, Microsoft (China) Co., Ltd., Inspur Electronic Information Industry Co., Ltd., National Information Technology Security Research Center, Intel (China) Co., Ltd., Beijing Saixi Technology Development Co., Ltd., Ali Cloud Computing Co., Ltd., China Information Security Certification Center, State Key Laboratory of Information Security of the Institute of Information Engineering, Chinese Academy of Sciences, Beijing Industrial University, Beijing University of Posts and Telecommunications, Beijing Zhongdian Puhua Information Technology Co., Ltd.

Main drafters of this standard: Liu Xianang, Hu Ying, Qing Sihan, Ye Runguo, Sun Yan, Li Xinxin, Xue Yongbo, Fan Kefeng, Wang Wei, Bai Xiaoyuan, Huang Shaoqing, Liu Tao, Zhao Jiang, Yang Yidong, Zhao Dandan, Zhang Fan, Chen Xing, Ning Hua, Fan Dongyang, Chen Yu, Wu Di, Zhu Hongru, Yang Zhen, Ma Zhanyu, Cao Zhanfeng.

Introduction

With the spread of information and communication technology (ICT), strengthening the security and controllability of the ICT supply chain has become crucial. It is now widely recognized, both internationally and within the ICT industry, that the ICT supply chain is more complex than that of traditional industries and carries a higher probability of security risk. Strengthening ICT supply chain security management enhances customers' trust in the ICT supply chain and in the ICT industry.

Compared with a traditional supply chain, the ICT supply chain has a number of distinct characteristics:
- The ICT supply chain covers the whole life cycle of ICT products and services: not only the production, integration, warehousing and delivery phases of a traditional supply chain, but also the design and development phase and after-sales operation and maintenance.
- ICT products are developed, integrated or delivered by globally distributed suppliers, and this global distribution reduces the acquirer's visibility into the supply chain and its ability to control security risks.
- A traditional supply chain is concerned with delivering products to customers effectively, or with the robustness of the chain itself, whereas ICT supply chain security is more concerned with whether additional functionality has been injected into products and services, and whether the delivered products and services are consistent with what was expected.

These characteristics mean that the ICT supply chain carries more security risk than a traditional supply chain, and strengthening ICT supply chain security risk management cannot be delayed.

This standard does not specify a security code of conduct for information technology product suppliers. Use of this standard is recommended for critical information infrastructure and critical information systems. Owing to their own needs and circumstances, organizations may also choose to apply this standard to other systems or to specific organizations; however, applying the control measures of this standard may increase the potential costs of the organization and of its external suppliers, and the organization needs to weigh cost against risk.

Information security technology - ICT Supply Chain Security Risk Management Guide

1 Scope

This standard specifies the security risk management process and control measures for the information and communication technology (hereinafter referred to as ICT) supply chain. This standard applies to ICT supply chain security risk management by operators of important information systems and critical information infrastructure. It is also applicable as guidance for suppliers and acquirers of ICT products and services in strengthening their supply chain security management, and may be used for reference by third-party assessment bodies when conducting ICT supply chain security risk assessments.

2 Normative references

The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

GB/T 25069-2010 Information security technology - Terminology
GB/T 31722-2015 Information technology - Security techniques - Information security risk management

3 Terms and definitions

The terms and definitions defined in GB/T 25069-2010 and GB/T 31722-2015, and the following, apply to this document.

3.1 ICT acquirer
Organization or individual that obtains ICT products and services from another organization.
Note 1: Acquisition may or may not involve an exchange of funds.
Note 2: Operators of critical information systems and critical information infrastructure are typically ICT acquirers who obtain network products and services from ICT suppliers.

3.2 ICT supplier
Organization that provides ICT products and services.
Note 1: A supplier may also be called a vendor or a provider.
Note 2: A supplier can be an internal or an external organization.
Note 3: ICT suppliers include product suppliers, service providers, system integrators, manufacturers, distributors, agents, etc.

3.3 supplier relationship
Agreement between an acquirer and a supplier under which business is conducted, products and services are provided, and business benefits are achieved.
Note 1: The acquirer and the supplier can be the same organization.
Note 2: In a supply chain, an organization that is the acquirer of its upstream organization is also the supplier of its downstream organization; the end customer can be understood as a special kind of acquirer.

3.4 ICT supply chain
The network of resources and processes that links acquirers and suppliers in order to satisfy supplier relationships, and that is used to provide ICT products and services to the acquirer.
......