GB/T 20261-2020: Information security technology. System security engineering. Capability maturity model

Status: Valid. Replaces GB/T 20261-2006.

This is an excerpt of the English translation; the full PDF (including equations, symbols, images, flow charts, tables and figures) is available at https://www.ChineseStandard.net/PDF.aspx/GBT20261-2020

GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20261-2006

Information security technology - System security engineering - Capability maturity model
(ISO/IEC 21827:2008, Information technology - Security techniques - Systems security engineering - Capability maturity model, MOD)

Issued on: November 19, 2020
Implemented on: June 01, 2021
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.

Table of Contents

Foreword
Introduction
0.1 General
0.2 How should the SSE-CMM® be used?
0.3 Benefits of using the SSE-CMM®
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of System Security Engineering
4.1 Development Background of Security Engineering
4.2 Importance of Security Engineering
4.3 Security Engineering Organizations
4.4 Security Engineering Life Cycle
4.5 Security Engineering and Other Disciplines
4.6 Security Engineering Specialties
5 Model System Architecture
5.1 Security Engineering Process Overview
5.2 SSE-CMM® Architecture Description
5.3 Summary Chart
6 Security Base Practices
6.1 Description of Security Base Practices
6.2 PA01 – Administer Security Controls
6.3 PA02 – Assess Impact
6.4 PA03 – Assess Security Risk
6.5 PA04 – Assess Threat
6.6 PA05 – Assess Vulnerability
6.7 PA06 – Build Assurance Argument
6.8 PA07 – Coordinate Security
6.9 PA08 – Monitor Security Posture
6.10 PA09 – Provide Security Input
6.11 PA10 – Specify Security Needs
6.12 PA11 – Verify and Validate Security
Annex A (informative) Structural Changes of This Standard Compared with ISO/IEC 21827:2008
Annex B (informative) Technical Differences Between This Standard and ISO/IEC 21827:2008 and Their Reasons
Annex C (normative) Generic Practices
C.1 General
C.2 Capability Level 1 – Performed Basically
C.3 Capability Level 2 – Planned and Tracked
C.4 Capability Level 3 – Sufficiently Defined
C.5 Capability Level 4 – Quantitatively Controlled
C.6 Capability Level 5 – Continuously Improving
Annex D (normative) Project and Organizational Base Practices
D.1 General
D.2 General Security Considerations
D.3 PA12 – Ensure Quality
D.4 PA13 – Manage Configurations
D.5 PA14 – Manage Project Risks
D.6 PA15 – Monitor and Control Technical Effort
D.7 PA16 – Plan Technical Effort
D.8 PA17 – Define Organization's Systems Engineering Process
D.9 PA18 – Improve Organization's Systems Engineering Processes
D.10 PA19 – Manage Product Line Evolution
D.11 PA20 – Manage Systems Engineering Support Environment
D.12 PA21 – Provide Ongoing Skills and Knowledge
D.13 PA22 – Coordinate with Suppliers
Annex E (informative) Capability Maturity Model Concepts
E.1 General
E.2 Process Improvement
E.3 Expected Results
E.4 Common Misunderstandings
E.5 Key Concepts
Annex F (informative) Information Security Services and Security Engineering Process Domain Correspondence Table
Annex G (informative) Comparison Table of Major Changes Between GB/T 20261-XXXX and GB/T 20261-2006
Bibliography

Foreword

This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This Standard replaces GB/T 20261-2006, Information technology - Systems security engineering - Capability maturity model. Compared with GB/T 20261-2006, the main technical changes are as follows (see Annex G for the comparison of main changes):

– Modify some normative references (see Clause 2; Clause 2 of the 2006 edition);
– Add the terms and definitions "base practices; BP", "capability", "information security event", "information security incident", "process area; PA" and "risk management";
– Modify the definitions of "assurance", "engineering group" and "work product" in Terms and definitions, and modify "residual risk" to "residual risk" (see Clause 3; Clause 3 of the 2006 edition);
– Remove the term "practices" (see 3.24 of the 2006 edition);
– Modify some clause and sub-clause titles; merge, adjust and delete some contents that are related or not suitable as national standards (see 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 5.1);
– Delete the original Clause 5, and renumber the original Clause 6 and Clause 7 as Clause 5 and Clause 6 (Clause 5, Clause 6 and Clause 7 of the 2006 edition);
– Add BP.06.03 Define Security Measures to Clause 6, together with the additions and revisions of ISO/IEC 21827:2008 relative to ISO/IEC 21827:2002 (see Clause 6);
– Add Annex A and Annex B (see Annex A, Annex B);
– Modify the definitions of the five capability levels in Annex C to be consistent with the descriptions in the current standard GB/T 30271 and other standards;
– Correct the errors in Annex D where the process area serial number did not match the process area description (see D.6.1.1, D.7.7.3, D.9.3.3, D.11.1.1, D.11.4, D.11.4.1, D.12.3.1);
– Add Annex F to provide the mapping between the model of this Standard and current security services (see Annex F);
– Add a comparison table of major changes compared with GB/T 20261-2006 (see Annex G).

This Standard uses the redrafting method to modify and adopt ISO/IEC 21827:2008, Information technology - Security techniques - Systems Security Engineering - Capability Maturity Model® (SSE-CMM®).

Compared with ISO/IEC 21827:2008, this Standard makes many adjustments in structure. Annex A gives a comparison list of clause numbers between this Standard and ISO/IEC 21827:2008.

This Standard has technical differences compared with ISO/IEC 21827:2008. Annex B gives a list of the corresponding technical differences and their reasons.

This Standard makes the following editorial changes:

– Modify the standard name to Information security technology - System security engineering - Capability maturity model.

Please note that some of the contents of this document may involve patents. The issuing organization of this document is not responsible for identifying these patents.

This Standard shall be under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC 260).

Drafting organizations of this Standard: Beijing Integrity Technology Co., Ltd., China Information Technology Security Evaluation Center, Zhongxin Cyber Security Co., Ltd., China Electronics Standardization Institute, Topsec Network Technology Inc., Beijing Qianxin Technology Co., Ltd., Beijing JN TASS Technology Co., Ltd., Third Research Institute of the Ministry of Public Security of PRC, The State Information Center, Beijing University of Posts and Telecommunications, Beijing Venus Information Security Technology Co., Ltd.

Main drafters of this Standard: Sun Mingliang, Zhu Shengtao, Wang Jun, Wen Zhe, Li Bin, Wei Hua, Wang Yan, Zhang Xiaofei, Cai Jingjing, Chen Guanzhi, Wang Yan, Guo Ying, Zheng Xinhua, Yang Jianjun, Liu Xiangang, Shangguan Xiaoli, Xu Yuna, Ren Weihong, Yuan Jing, Gao Yanan, Yu Huiying, Li Xiaoyong, Lv Lidan, Hou Xiaoxiong, Mi Kai, Wu Xuan, Qiao Peng, Liu Leijie, Liang Feng.

The previous edition of this standard, replaced by this Standard, is:
– GB/T 20261-2006.

1 Scope

This Standard specifies the Systems Security Engineering – Capability Maturity Model (SSE-CMM®). The SSE-CMM® is a process reference model focused upon the requirements for implementing security in a system or series of related systems that are in the information technology security (ITS) domain.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

GB/T 18336.1-2015, Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 1: Introduction and General Model (ISO/IEC 15408-1:2009, IDT)

3 Terms and definitions

For the purposes of this document, the following terms and definitions, as well as those defined in GB/T 25069-2010, GB/T 29246-2017, GB/T 18336.1-2015 and GB/T 30271-2013, apply. For ease of use, some terms and definitions in GB/T 25069-2010 are repeated below.

4 Overview of System Security Engineering

Security engineering is becoming an increasingly critical discipline and should be a key component in multi-disciplinary, concurrent engineering teams. This applies to the development, integration, operation, administration, maintenance and evolution of systems and applications, as well as to the development, delivery and evolution of products.

5 Model System Architecture

An unwanted incident is made up of three components: threat, vulnerability and impact. Vulnerabilities are properties of the asset that may be exploited by a threat and include weaknesses. If either the threat or the vulnerability is not present there can be no unwanted incident and thus no risk.

6 Security Base Practices

Security configuration of all devices (or equipment) requires management.
This base practice recognizes that system security relies to a great extent on a number of interrelated components (hardware, software, and procedures) and that normal configuration management practices may not capture the interrelated dependencies required for secure systems.

......

Source: The above contents are excerpted from the full-copy PDF, translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.