GB/T 20274.3-2008: Information security technology -- Evaluation framework for information systems security assurance -- Part 3: Management assurance
Status: Valid

GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 3: Management Assurance
Issued on: July 18, 2008
Implemented on: December 1, 2008
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China

Table of Contents

Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Structure of This Part
5 Framework for Information Systems Security Management Assurance
6 Structure of Information Security Management Assurance Control Class
7 MRM Management Assurance Control Class: Management of Risk
8 MSP Management Assurance Control Class: Information Security Policy
9 MSO Management Assurance Control Class: Information Security Organization
10 MSP Management Assurance Control Class: Management of Personal Security
11 MAM Management Assurance Control Class: Management of Asset
12 MPE Management Assurance Control Class: Management of Physical and Environmental Security
13 MCM Management Assurance Control Class: Management of Compliance
14 MSP Management Assurance Control Class: Management of Information Security Planning
15 MSD Management Assurance Control Class: Management of System Development
16 MOP Management Assurance Control Class: Management of Operation
17 MBD Management Assurance Control Class: Management of Business Continuity and Disaster Recovery
18 MCM Management Assurance Control Class: Management of Emergency Response
19 Description of Security Management Capability Levels
Bibliography

1 Scope

This Part of GB/T 20274 establishes the framework for information systems security management assurance, and specifies the guidelines and general principles for an organization starting, implementing, maintaining, evaluating and improving information security management. This Part defines and explains the security management capability levels that reflect an organization's information security management assurance capability in information system security management assurance work, and provides the security management assurance control class requirements for the contents of the organization's information security management assurance. This Part is applicable to all users, developers and evaluation personnel of the organization involved in information system security management.

2 Normative References

The following documents contain provisions which, through reference in this text, constitute provisions of this Part. For dated references, subsequent amendments (excluding corrigenda) or revisions of these publications do not apply. However, parties who enter into agreements based on this Standard are encouraged to investigate the possibility of applying the latest edition of the standard indicated below. For undated references, the latest edition of the document referred to applies.
GB/T 20274.1 Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 1: Introduction and General Model

3 Terms and Definitions

For the purposes of this Part of GB/T 20274, the terms and definitions specified in GB/T 20274.1 and the following ones apply.
3.1 Control
The method by which risks are managed, including policy, procedure, guide, practice or the structure of the organization; a control may be a management, technology or engineering control.

4 Structure of This Part

The organization structure of this Part of GB/T 20274 is as follows.

5 Framework for Information Systems Security Management Assurance

5.1 Overview of Information Management Assurance
Part 1 of this Standard puts forward the information security assurance model (refer to Figure 3 in Part 1 of this Standard) and describes the relationships among its assurance elements (technology, engineering, management and personnel), information features and the life cycle of information system security.
5.2 Information Security Management Assurance Control
Information security management assurance control establishes the contents and working range of the organization's information security management assurance framework. Part 1, "Introduction and General Model", of the "Evaluation Framework for Information Systems Security Assurance" gives the three-dimensional structure figure of information system security, i.e.
5.3 Information Security Assurance Management Capability Levels
The management assurance control module presents the management assurance control classes involved in information security management, which are the best practices abstracted from the information security management process.

6 Structure of Information Security Management Assurance Control Class

6.1 General
This chapter defines the structure of the information security management assurance class used in this Part. The information security management assurance control class is expressed in terms of management assurance control classes, management assurance control subclasses, management assurance control modules and optional management strengthening elements.
6.2 Structure of Management Assurance Control Class
Each management assurance control class includes the name of and an introduction to the management assurance control class, and one or more management assurance control subclasses. Figure 2 shows the structure of the management assurance control classes used in this Part.
6.4 Structure of Management Assurance Control Module
A management assurance control module is the management control measure for information security assurance that realizes the security management assurance purpose. Each management assurance control module includes a name, a control and an optional explanation of the management assurance control module, as well as one or more optional management strengthening elements. Figure 4 shows the structure of a management assurance control module.

7 MRM Management Assurance Control Class: Management of Risk

Information security management assurance shall place risk and policy at its core.
7.1 Object Establishment (MRM_TEM)
7.1.1 Purpose of security assurance management
Determine the object of risk management according to the business target and characteristics of the system to be protected.
7.1.2 MRM_TEM.1 Establish risk management object
7.1.2.1 Control of management assurance control module
Determine the range and object of information security risk management, as well as the characteristics and security requirements of the object.
7.1.3 MRM_TEM.2 Identify and evaluate assets
7.1.3.1 Control of management assurance control module
Identify the system assets related to the risk management object and evaluate them according to their security value.
7.1.4 MRM_TEM.3 Formulate security baseline
7.1.4.1 Control of management assurance control module
The organization shall formulate the system security baseline prior to the risk assessment.
7.2 Risk Assessment (MRM_RAM)
7.2.1 Purpose of security assurance management
Identify, analyze and evaluate the risks confronting the information system.
7.2.2 MRM_RAM.1 Identify risk
7.2.3 MRM_RAM.2 Analyze risk
7.2.3.1 Control of management assurance control module
The organization shall analyze the motivation of the threat source, the capability of the threat behavior, the likelihood that a vulnerability is exploited and the impact on the system once it is exploited.
7.2.4 MRM_RAM.3 Assess risk
7.2.4.1 Control of management assurance control module
The organization shall grade the motivation of the threat source, the capability of the threat conduct, the exploitability of the vulnerability, the asset value and the degree of impact, and evaluate the overall risk grade comprehensively.
7.3 Risk Control (MRM_RCT)
7.3.1 Purpose of security assurance management
Select and implement appropriate security measures according to the risk assessment result, and keep the risk within an acceptable range.
7.3.2 MRM_RCT.1 Establish control objective
7.3.2.1 Control of management assurance control module
The organization shall determine the acceptable risk grade, judge whether each risk is acceptable and establish the target of risk control.
7.3.3 MRM_TCT.2 Select control measures
7.3.3.1 Control of management assurance control module
The organization shall select the risk control mode and measures.
7.3.4 MRM_RCT.3 Implement control measures
7.3.4.1 Control of management assurance control module
Formulate the risk control implementation plan and implement the risk control measures.
7.3.4.2 Explanation of management assurance control module
The organization shall formulate the risk control implementation plan according to the system security baseline, the risk control target and the risk control mode. The risk control implementation plan includes the range, object, implementation method, cost budget and scheduling... of risk control. The implementation process and results shall be recorded while implementing the risk control measures.
7.3.5 MRM_RCT.4 Verify control measures
7.4 Communication and Monitoring (MRM_CAM)
7.4.1 Purpose of security assurance management
Provide a personal communication mechanism and process control for the implementation of object establishment, risk assessment and risk control.
7.4.2 MSP_CAM.1 Communication

8 MSP Management Assurance Control Class: Information Security Policy

Information security management assurance shall place risk and policy at its core.
8.1 Information Security Policy (MSP_SPL)
8.1.1 Purpose of security assurance management
Standardize the construction, operation and management of the information security system by defining a set of rules, so as to give direction to information security construction and make the information security work comply with the business requirements and the requirements of relevant laws and regulations.
8.1.2 MSP_SPL.1 Formulate security policy
8.1.2.1 Control of management assurance control module
The organization shall prepare a security policy document.
8.1.3 MSP_SPL.2 Examine and approve security policy
8.1.3.1 Control of management assurance control module
The security policy document shall be examined and approved by the decision-making level of the organization.
8.1.4.1 Control of management assurance control module
Security policy documents shall be released to all staff of the organization, and staff at all levels shall conduct their routine work under the guidance of the security policy.
8.1.5 MSP_SPL.4 Maintain and update security policy
8.1.5.1 Control of management assurance control module
Examine the security policy regularly, or when significant changes occur, to maintain the applicability, sufficiency and effectiveness of the policy.

9 MSO Management Assurance Control Class: Information Security Organization

The information security organization is the basis of information security management and needs the commitment and support of the organization's highest management level. It needs to establish a sound information security organization structure, with corresponding posts, responsibilities, functions and powers, as well as sound internal and external communication and cooperation organizations and mechanisms.
9.1 Management Support of Information Security (MSO_SOM)
9.1.1 Purpose of security assurance management
The management level shall provide assurance, support and clear guidance, define explicit security responsibilities, and coordinate and examine the security of the organization.
9.1.2 MSO_IOA.1 Support from the management level
9.2 Information Security Organization Structure (MSO_ORG)
9.2.1 Purpose of security assurance management
The organization shall establish a sound information security organization system to initiate and control information security within the organization.
9.2.2 MSO_ORG.1 Establishment and maintenance of organization structure
9.3.3 MSO_RES.2 Requirements of responsibility separation
9.3.3.1 Control of management assurance control module
The organization shall separate the management, implementation and responsibility ranges of certain tasks and strengthen supervision, to reduce the risks brought by unauthorized modification or misuse of powers.
9.3.4 MSO_RES.3 Independent audit requirements
9.3.4.1 Control of management assurance control module
Independent examination of the organization's information system security and its control policy (e.g. the control targets, policy, processes and procedures of information security) shall be carried out at planned intervals or when the security implementation changes significantly.
9.4 Communication and Cooperation (MSO_CAC)
9.4.1 Purpose of security assurance management
The organization shall establish and maintain effective internal and external communication and cooperation mechanisms according to the requirements of business continuity and risk assessment.
9.4.2 MSO_CAC.1 Internal coordination of information security activity
9.4.3 MSO_CAC.2 Maintain the cooperation with external organizations
9.4.3.1 Control of management assurance control module
Communication and cooperation with the associated functional organizations, operators, service providers, etc. related to the organization's system and business shall be established, to maintain the timeliness and effectiveness of cooperation with external organizations.
......

Source: Above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al.