GB/T 36630.1-2018
Standard ID: GB/T 36630.1-2018 (GB/T36630.1-2018)
Description (Translated English): Information security technology -- Controllability evaluation index for security of information technology products -- Part 1: General principles
Status: Valid
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 10,110
Date of Issue: 2018-09-17
Date of Implementation: 2019-04-01
Drafting Organization: China Electronic Information Industry Development Research Institute, the First Institute of the Ministry of Public Security, China Electronics Technology Standardization Research Institute, China Information Security Research Institute Co., Ltd., China Electronics Technology Group Corporation, National Information Technology Security Research Center, and the Ministry of Industry and Information Technology IC Promotion Center, China Software Testing Center, Third Institute of Public Security, China Information Security Evaluation Center, China Information and Communication Research Institute, etc.
Administrative Organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies): State Administration of Markets and China National Standardization Administration
GB/T 36630.1-2018
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information Security Technology - Controllability
Evaluation Index for Security of Information
Technology Products - Part 1: General Principles
ISSUED ON: SEPTEMBER 17, 2018
IMPLEMENTED ON: APRIL 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of the People's Republic of
China.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of controllability for security
4.1 Risk analysis
4.2 Guarantee of controllability for security
4.2.1 Guarantee objectives
4.2.2 Guarantee requirements
5 Evaluation of controllability for security
5.1 Evaluation principle
5.1.1 Scientific and reasonable
5.1.2 Objective and fair
5.1.3 Protection of intellectual property
5.2 Evaluation index system
5.2.1 System framework
5.2.2 R&D production evaluation
5.2.3 Supply chain evaluation
5.2.4 Operation and maintenance service evaluation
5.3 Evaluation implementation
5.3.1 Evaluation process
5.3.2 Evaluation method
5.3.3 Evaluation result
References
Information Security Technology - Controllability
Evaluation Index for Security of Information
Technology Products - Part 1: General Principles
1 Scope
This part of GB/T 36630 specifies the concept and guarantee objectives of the
controllability for security of information technology products, and gives the
evaluation principles, evaluation index system and implementation process of
controllability for security of information technology products.
This part is applicable to the evaluation implementer to evaluate the
controllability for security of information technology products; also, it can be
used as reference by information technology product suppliers and users to
ensure controllability for security of products during product supply and
application.
2 Normative references
The following document is indispensable for the application of this document.
For dated references, only the dated version applies to this document. For
undated references, the latest edition (including all amendments) applies to this
document.
GB/T 25069-2010, Information security technology glossary
3 Terms and definitions
Terms and definitions determined by GB/T 25069-2010 and the following ones
are applicable to this document.
3.1 Information technology product
Hardware, software, system, and service which are equipped with functions to
collect, store, process, transmit, control, exchange, and display data or
information.
Note: Information technology products include computers and their auxiliary
equipment, communication equipment, network equipment, automatic
control equipment, operating systems, databases, application software
e) Other situations that may endanger national security and the public
interest.
4.2 Guarantee of controllability for security
4.2.1 Guarantee objectives
Guarantee of controllability for security is the basis for the user to trust that
information technology products meet their requirements on controllability for
security. Its objectives are to protect the user's data control right, product control
right and product selection right:
a) Data control right means that the user can control its own data; the
information technology product supplier does not obtain the user's data in
any form without authorization, nor damage the user's control right over
its own data;
b) Product control right means that the user can control its products
independently; the information technology product supplier does not
control or manipulate the user's product through the network without
authorization, nor damage the user's control right over the products which
it owns and uses;
c) Product selection right means that the user can select the products to be
used independently; the information technology product supplier may not
exploit the user's dependence to gain improper benefits or to damage the
user's rights, for example by stopping the provision of reasonable security
technical support, forcing the user to update, or maliciously interrupting
product supply.
4.2.2 Guarantee requirements
In view of the guarantee objectives of controllability for security, and the
potential risks faced by information technology products in every link of the
life cycle, such as R&D, production, supply, and operation and maintenance
services, security guarantee requirements are placed on information technology
products and their suppliers. Among them, the main risks that affect the user's
data control right come from links such as data collection, transmission,
storage, processing, use and destruction; to effectively control these risks, it
shall be ensured that the product's data-related implementation is consistent
with its claimed functions and that its data-related services are compliant. The
risks that affect the user's product control right mainly come from links such
as product R&D, production, supply, and operation and maintenance services; to
effectively control these risks, it shall be ensured that the product's
control-related implementation is consistent with its claimed functions and
that its control-related services are compliant. The risks that affect the
user's product selection right mainly come from links such as the supply chain,
operation
5.1.2 Objective and fair
The evaluation indexes are objective and non-discriminatory; the evaluation
process is fair and equitable; and the scoring rules for similar information
technology products are unified.
5.1.3 Protection of intellectual property
Fully respect the intellectual property of the supplier; protect the legitimate
rights and interests of the supplier. The intellectual property of the supplier is
not infringed during the evaluation process.
5.2 Evaluation index system
5.2.1 System framework
In order to effectively control the risks faced by information technology products
in terms of controllability for security, and to achieve the guarantee objectives
of controllability for security, the evaluation index system of controllability
for security is formulated in accordance with the guarantee requirements of
controllability for security. It includes two evaluation categories, namely
priority evaluation items and general evaluation items:
a) Priority evaluation items are indexes that seriously affect the controllability
for security of products; indexes of this category are evaluated first, at the
beginning of the evaluation. If, during the evaluation, a priority evaluation
item does not meet the requirements, the evaluation result is 0 points, and
no subsequent general evaluation is required. Whether a priority evaluation
item is set, and which index is selected as the priority evaluation item, is
determined by the technical characteristics of the information technology
product itself. For example, the intellectual property of a central processor
product can be set as a priority evaluation item. If the evaluated product is
found to have committed an infringement that has been judicially confirmed
and not properly handled, then, according to the judgment principle for
priority evaluation items, the evaluation result of controllability for security
of the central processor is directly determined as 0 points;
b) General evaluation items are a series of indexes set to evaluate the
controllability for security against the risks that information technology
products may face during the whole life cycle. According to the life cycle
of information technology products, the index items are divided into three
categories: R&D production evaluation, supply chain evaluation, and
operation and maintenance service evaluation. Table 2 gives the index
items and evaluation contents corresponding to each evaluation category,
and clarifies the correspondence between each index item and the
guarantee objectives of controllability for security. In this standard,
specific information technology products such as central
5.2.3 Supply chain evaluation
The category of supply chain evaluation mainly includes two indexes: product
continuous supply capability and product supply chain support capability:
a) The index of product continuous supply capability mainly evaluates the
supplier's ability to continuously supply products; it focuses on contents
such as product supply, core team, product delivery management;
b) The index of product supply chain support capability mainly evaluates the
supply chain reliability of the supplier; it focuses on contents such as the
controllability for security of core components, the traceability of each link
in the supply chain, and the stability of the supply chain.
5.2.4 Operation and maintenance service evaluation
The category of operation and maintenance service evaluation mainly includes
two indexes: product service support capability and data processing normative:
a) The index of product service support capability mainly evaluates the
supplier's ability to provide continuous operation and maintenance
services for the user; it focuses on the evaluation of contents such as
service timeliness, service normative and service sustainability;
b) The index of data processing normative mainly evaluates the normative
aspects of the supplier's operation of the user’s data; it focuses on the
evaluation of operational normative contents such as data collection, data
transmission, data storage, data processing, data usage and data
destruction.
5.3 Evaluation implementation
5.3.1 Evaluation process
The evaluation process mainly includes four stages: evaluation preparation,
program development, on-site implementation, and analysis and evaluation:
a) In the stage of evaluation preparation, after the evaluation implementer
receives the evaluation application from the user, it communicates with
the supplier about the required evaluation materials, including the
evaluation samples, materials and evidence to be provided, and reviews
whether the evaluation materials provided by the supplier meet the
conditions set by the evaluation index of the specific product; after
approval, it forms the evaluation implementation team, and sets up an
expert group as needed;
b) In the stage of program development, the evaluation implementer
determines the evaluation method, procedure and progress for the
......