
GB/T 36630.1-2018 English PDF

GB/T 36630.1-2018 (GB/T36630.1-2018, GBT 36630.1-2018, GBT36630.1-2018)
Preview PDF: GB/T 36630.1-2018

BASIC DATA

Standard ID: GB/T 36630.1-2018 (GB/T36630.1-2018)
Description (Translated English): Information security technology -- Controllability evaluation index for security of information technology products -- Part 1: General principles
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 10,110
Date of Issue: 2018-09-17
Date of Implementation: 2019-04-01
Drafting Organizations: China Electronic Information Industry Development Research Institute; the First Institute of the Ministry of Public Security; China Electronics Technology Standardization Research Institute; China Information Security Research Institute Co., Ltd.; China Electronics Technology Group Corporation; National Information Technology Security Research Center; the Ministry of Industry and Information Technology IC Promotion Center; China Software Testing Center; Third Institute of Public Security; China Information Security Evaluation Center; China Information and Communication Research Institute; etc.
Administrative Organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing Organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing Agency(ies): State Administration of Markets and China National Standardization Administration


GB/T 36630.1-2018
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80

Information Security Technology - Controllability Evaluation Index for Security of Information Technology Products - Part 1: General Principles

ISSUED ON: SEPTEMBER 17, 2018
IMPLEMENTED ON: APRIL 01, 2019
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.

Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of controllability for security
4.1 Risk analysis
4.2 Guarantee of controllability for security
4.2.1 Guarantee objectives
4.2.2 Guarantee requirements
5 Evaluation of controllability for security
5.1 Evaluation principle
5.1.1 Scientific and reasonable
5.1.2 Objective and fair
5.1.3 Protection of intellectual property
5.2 Evaluation index system
5.2.1 System framework
5.2.2 R&D production evaluation
5.2.3 Supply chain evaluation
5.2.4 Operation and maintenance service evaluation
5.3 Evaluation implementation
5.3.1 Evaluation process
5.3.2 Evaluation method
5.3.3 Evaluation result
References

Information Security Technology - Controllability Evaluation Index for Security of Information Technology Products - Part 1: General Principles

1 Scope
This part of GB/T 36630 specifies the concept and guarantee objectives of the controllability for security of information technology products, and gives the evaluation principles, evaluation index system and implementation process for the controllability for security of information technology products.
This part is applicable to evaluation implementers evaluating the controllability for security of information technology products; it can also be used as a reference by information technology product suppliers and users to ensure the controllability for security of products during product supply and application.

2 Normative references
The following document is indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069-2010, Information security technology glossary

3 Terms and definitions
The terms and definitions given in GB/T 25069-2010 and the following apply to this document.
3.1 Information technology product
Hardware, software, systems and services equipped with functions to collect, store, process, transmit, control, exchange and display data or information.
Note: Information technology products include computers and their auxiliary equipment, communication equipment, network equipment, automatic control equipment, operating systems, databases, application software

e) Other situations that may endanger national security and the public interest.

4.2 Guarantee of controllability for security
4.2.1 Guarantee objectives
Guarantee of controllability for security is the basis for the user to trust that information technology products meet their requirements on controllability for security. Its objectives are to protect the user's data control right, product control right and product selection right:
a) Data control right means that the user can control its own data, and that the information technology product supplier does not obtain the user's data in any form without authorization or damage the user's control right over its own data;
b) Product control right means that the user can control its products independently, and that the information technology product supplier does not control or manipulate the user's product through the network without authorization or damage the user's control right over the products it owns and uses;
c) Product selection right means that the user can independently select the products to be used, and that the information technology product supplier cannot exploit the user's dependence to obtain improper benefits or to damage the user's rights, for example by stopping the provision of reasonable security technical support, forcing the user to update, or maliciously interrupting product supply.

4.2.2 Guarantee requirements
In view of the guarantee objectives of controllability for security and the potential risks faced by information technology products in every link of the life cycle, such as R&D, production, supply, and operation and maintenance services, information technology products and their suppliers are required to meet security guarantee requirements. Among them, the main risks that affect the user's data control right come from links such as data collection, transmission, storage, processing, use and destruction; to effectively control these risks, it shall be ensured that the product's data-related implementation is consistent with its claimed function and that data-related services are compliant. The risks that affect the user's product control right mainly come from links such as product R&D, production, supply, and operation and maintenance services; to effectively control these risks, it shall be ensured that the product's control-related implementation is consistent with its claimed function and that control-related services are compliant. The risks that affect the user's product selection right mainly come from links such as the supply chain, operation

5.1.2 Objective and fair
The evaluation indexes are objective and non-discriminatory; the evaluation process is fair and equitable; and the scoring rules for similar information technology products are unified.

5.1.3 Protection of intellectual property
Fully respect the intellectual property of the supplier and protect the supplier's legitimate rights and interests. The intellectual property of the supplier shall not be infringed during the evaluation process.

5.2 Evaluation index system
5.2.1 System framework
In order to effectively control the risks faced by information technology products in terms of controllability for security, and to achieve the guarantee objectives of controllability for security, the evaluation index system of controllability for security is formulated in accordance with the guarantee requirements of controllability for security. It includes two evaluation categories, priority evaluation items and general evaluation items:
a) Priority evaluation items are indexes that seriously affect the controllability for security of products; indexes of this category are evaluated first at the beginning of the evaluation. If a priority evaluation item does not meet the requirements during the evaluation process, the evaluation result is 0 points and no subsequent general evaluation is required. Whether to set a priority evaluation item, and which index is selected as the priority evaluation item, are determined by the technical characteristics of the information technology product itself. For example, intellectual property can be set as a priority evaluation item for a central processor product. If the evaluated product is found to have committed an infringement that has been judicially determined and not properly handled, then according to the judgment principle for priority evaluation items, the evaluation result for the controllability for security of the central processor is directly determined as 0 points;
b) General evaluation items are a series of indexes set to evaluate the controllability for security against the risks that information technology products may face during the whole life cycle. According to the life cycle of information technology products, the index items are divided into three categories: R&D production evaluation, supply chain evaluation, and operation and maintenance service evaluation. Table 2 gives the index items and evaluation contents corresponding to each evaluation category, and clarifies the correspondence between each index item and the guarantee objectives of controllability for security. In this standard, specific information technology products such as central

5.2.3 Supply chain evaluation
The category of supply chain evaluation mainly includes two indexes, product continuous supply capability and product supply chain support capability:
a) The index of product continuous supply capability mainly evaluates the supplier's ability to supply products continuously; it focuses on contents such as product supply, the core team, and product delivery management;
b) The index of product supply chain support capability mainly evaluates the reliability of the supplier's supply chain; it focuses on contents such as the controllability for security of core components, the traceability of each link in the supply chain, and the stability of the supply chain.

5.2.4 Operation and maintenance service evaluation
The category of operation and maintenance service evaluation mainly includes two indexes, product service support capability and data processing normativity:
a) The index of product service support capability mainly evaluates the supplier's ability to provide continuous operation and maintenance services to the user; it focuses on the evaluation of contents such as service timeliness, service normativity and service sustainability;
b) The index of data processing normativity mainly evaluates how normatively the supplier operates on the user's data; it focuses on the evaluation of operational normativity in data collection, data transmission, data storage, data processing, data usage and data destruction.

5.3 Evaluation implementation
5.3.1 Evaluation process
The evaluation process mainly includes four stages: evaluation preparation, program development, on-site implementation, and analysis and evaluation:
a) In the evaluation preparation stage, after the evaluation implementer receives the evaluation application from the user, it communicates with the supplier about the required evaluation materials, including the evaluation samples, materials and evidence to be provided, and reviews whether the evaluation materials provided by the supplier meet the conditions according to the evaluation index of the specific product; after approval, it forms the evaluation implementation team and sets up an expert group as needed;
b) In the program development stage, the evaluation implementer determines the evaluation method, procedure and progress for the ......