GB/T 20274.4-2008 PDF EnglishUS$145.00 · In stock · Download in 9 seconds
GB/T 20274.4-2008: Information security technology -- Evaluation framework for information systems security assurance -- Part 4: Engineering assurance Delivery: 9 seconds. True-PDF full-copy in English & invoice will be downloaded + auto-delivered via email. See step-by-step procedure Status: Valid
Similar standardsGB/T 20274.4-2008: Information security technology -- Evaluation framework for information systems security assurance -- Part 4: Engineering assurance---This is an excerpt. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.), auto-downloaded/delivered in 9 seconds, can be purchased online: https://www.ChineseStandard.net/PDF.aspx/GBT20274.4-2008 GB NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA ICS 35.040 L 80 Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 4.Engineering Assurance Issued on. JULY 18, 2008 Implemented on. DECEMBER 1, 2008 Issued by. General Administration of Quality Supervision, Inspection and Quarantine of the People’s Republic of China; Standardization Administration of the People's Republic of China. Table of ContentsForeword... 4 1 Scope... 5 2 Normative References... 5 3 Terms and Definitions... 5 4 Structure of This Part... 6 5 Framework of Information Systems Security Engineering Assurance... 6 6 Structure of Information Security Engineering Assurance Control Class... 11 7 PRM Security Engineering Assurance Control Class. Process of Risk... 14 8 PEN Security Engineering Assurance Control Class. Engineering Process... 33 9 PAS Security Engineering Assurance Control Class. Assurance Process... 69 10 Capability Level of Security Engineering Assurance Control Class... 78 Bibliography... 85ForewordGB/T 20274 "Information Security Technology - Evaluation Framework for Information Systems Security Assurance" is divided into the flowing four parts. - Part 1.Introduction and General Model - Part 2.Technical Assurance - Part 3.Management Assurance - Part 4.Engineering Assurance This Part is Part 4 of GB/T 20274. This Part was proposed by and shall be under the jurisdiction of the National Technical Committee on Information Technology Security of Standardization Administration of China. Drafting organization of this Part. China Information Technology Security Certification Center. Chief drafters of this Part. Wu Shizhong, Wang Haisheng, Chen Xiaohua, Wang Guisi, Li Shoupeng, Jiang Changqing, Peng Yong, Zhang Li, Yao Yizhan, Ban Xiaofang, Li Jing, Wang Qing, Zou Qi, Qian Weiming, Jiang Diansheng, Lu Li, Sun Chenghao, Men Xuesong, Du Yuge and Yang Zaishan. Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 4.Engineering Assurance1 ScopeThis Part of GB/T 20274 establishes the framework for information system security engineering assurance and the guide & general principle for the organization starting, implementing, maintaining, evaluating and improving information security engineering. This Part defines and explains the security engineering capability level that reflects the information security engineering assurance capability of the organization in the information system security engineering assurance work, and provides the security engineering assurance control class requirements of the organization's information security engineering assurance contents. This Part of GB/T 20274 is applicable to the organization for starting, implementing, maintaining, evaluating and improving the information security engineering; and all the users, developers and evaluation personnel who are involved in the information system security engineering.2 Normative ReferencesThe following documents contain provisions which, through reference in this text, constitute the provisions of this Part. For dated reference, the subsequent amendments (excluding corrigendum) or revisions of these publications do not apply. However, the parties who enter into an agreement based on this Standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. For any undated references, the latest edition of the document referred to applies. GB/T 20274.1 Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 1.Introduction and General Model3 Terms and DefinitionsFor the purposes of this Part of GB/T 20274, the terms and definitions specified in GB/T 20274.1 and the following ones apply. 3.1.1 Validation The solution that meets the user's operation security requirements.4 Structure of This PartThe organization structure of this Part of GB/T 20274 is as follows.5 Framework of Information Systems Security Engineering Assurance5.1 Overview of Information Systems Security Engineering Assurance Part 1 of this Standard puts forward the information security assurance model (refer to Figure 3 in Part 1 of this Standard) and describes the relationship among assurance elements (technology, engineering, management and personnel), security features and life cycle of information system security therein. 5.2 Information Systems Security Engineering Assurance Control 5.2.1 Information systems security engineering assurance control class This Part divides information system security engineering into three basic process domains (i.e. information system security engineering assurance control class). risk, engineering and assurance. Although these domains are interdependent, they may be considered separately. In the simplest level, risk process identifies and ranks in the order of priority the inherent risk of the developed product or system. Security engineering process determines and implements the solution to the problems caused by risks by acting together with other engineering disciplines. Finally, assurance process establishes confidence for security solution and transfers such confidence to the users. 5.2.3 Corresponding relationship between security engineering life cycle and process domain The relationship between security engineering life cycle and process domain is shown in Table 1. 5.3 Information System Security Engineering Capability Maturity Level In the engineering process modules, the process domain involved in information security engineering process is specified and it is the optimal reflection of the practice abstracted from information security engineering process. Engineering process capability, which is the measurable range achievable by complying with an engineering process, reflects the planned cost, function and quality target measurement reached by the organization in implementing information security project through the organization’s capability in implementing each process domain of the security engineering.6 Structure of Information Security Engineering Assurance Control Class6.1 General This chapter defines the structure of information security engineering assurance control class used in this Part. The information security engineering assurance control class is expressed by security engineering assurance control class, security engineering assurance control subclass and security engineering assurance control module. 6.2 Structure of Security Engineering Assurance Control Class Each security engineering assurance control class includes one name of the security engineering assurance control class, the introduction of a security engineering assurance control class and one or more security engineering assurance control subclass(es). Figure 2 shows the structure of security engineering assurance control classes used in this Part. 6.3 Structure of Security Engineering Assurance Control Subclass One security engineering assurance control class includes one or multiple security engineering assurance control subclasses. Each security engineering assurance control subclass includes one name of the security engineering assurance control subclass, one purpose of the security assurance project and one or multiple security engineering assurance control module(s) (control measure(s)) for realizing this security engineering assurance purpose. 6.4 Structure of Security Engineering Assurance control module Security engineering assurance control module is the engineering control measure of information security assurance to realize security engineering assurance purpose. Each security engineering assurance control module includes one name, one control and one optional explanation of the security engineering assurance control module.7 PRM Security Engineering Assurance Control Class. Process of Risk7.1 Introduction of Security Engineering Assurance Control Class in Process of Risk One primary target of security engineering is to reduce risk. Risk assessment is the process to recognize the problem not yet taken place. The risk is evaluated by inspecting the possibility and vulnerability of threat and considering the potential influence of accident. 7.2 System Definition (PRM_SDF) 7.2.1 Purpose of security engineering assurance The system definition of security engineering assurance control subclass aims at identifying the system task and mission, i.e. 7.3.3 PRM_ATT.2 Identify man-made threat 7.3.3.1 Control of security engineering assurance control module PRM. Process of risk 7.3.4 PRM_ATT.3 Identify the measuring block of threat 7.3.4.1 Control of security engineering assurance control module Identify the suitable measuring blocks and application scope in specific environment. Most natural threats and many man-made threats have relevant measuring blocks. In most cases, the whole measuring block is not applicable to particular case. 7.4 Assess Vulnerability (PRM_AVL) 7.4.1 Purpose of security engineering assurance Identify and characterize the security vulnerability of the system. The purpose of assessing security vulnerability is to obtain the understanding to the system security vulnerability in one given environment. 7.4.5 PRM_AVL.4 Compose system vulnerability Assess the system vulnerability and make comprehensive collection of the result of specific vulnerability and the combination of all kinds of specific vulnerabilities. 7.4.6 PRM_AVL.5 Monitor vulnerability and its characteristics Monitor the frequent changes of vulnerability and its characteristic changes. 7.5 Assess Impact (PRM_AIM) 7.5.1 Purpose of security engineering assurance The purpose of assessing influence is to identify the influence on system and assess the occurrence possibility of influences. Influences may be tangible, e.g. income loss or economic punishment, and may also be intangible, e.g. reputation and credit loss. The target of this security engineering assurance control subclass is to identify and characterize the risk's security influence on the system.8 PEN Security Engineering Assurance Control Class. Engineering Process8.1 Introduction of Engineering Process of Engineering Process Security Control Class Security engineering, like other engineering disciplines, is a process running through concept, design, implementation, testing, acceptance, operation, maintenance and abandonment. During the whole process, security engineer must work closely with other parts of the system engineering group. 8.2 Identify Security Requirements (PEN_ISR) 8.2.1 Purpose of security engineering assurance The purpose of identifying security requirements is to mark the security need of the system clearly. The security basis of the definition system related to security Identify security requirements 8.2.3 PEN_ISR.2 Identify available laws, policies and restrictions 8.2.3.1 Control of security engineering assurance control module The laws, policies, standards, external effects and restrictions of the management system shall be identified. 8.2.4 PEN_ISR.3 Identify system security relevance 8.2.4.1 Control of security engineering assurance control module Identify the system applications to determine the contextual environment of security. The purpose of this security engineering assurance control module is to identify whether the system context affects the security. 8.2.7 PEN_ISR.6 Define security-related need 8.2.7.1 Control of security engineering assurance control module Define a series of consistent illustrations that define the executive protection of the system. 8.3 High-level Security Design (PEN_HSD) 8.3.1 Purpose of security engineering assurance The high-level security design of information system includes system architecture, design and achieved needs; corresponding design principle and suggestion, security architecture suggestion and protective principle shall be established to obtain security model and security architecture for reliability analysis; all the security mechanisms shall be ensured to be corresponding to the high-level security designs, and the latter shall be of specific security mechanism to ensure.9 PAS Security Engineering Assurance Control Class. Assurance Process9.1 Introduction to Security Engineering Assurance Control Class in Assurance Process Assurance refers to the confidence level that the security needs are fulfilled. It is the important outcome of security engineering. Assurance has many forms. Security engineering process assurance provides one form. 9.2 Verify and Validate Security (PAS_VVS) 9.2.1 Purpose of security engineering assurance The purpose of security verification and validation is to ensure that the solution has verified and validated security. Verify the solution by observation, demonstration, analysis and testing, based on security requirements, architecture and design. Validate the solution according to the operation security need of the customer. 9.2.2 PAS_VVS.1 Identify the targets of verification and validation 9.2.2.1 Control of security engineering assurance control module Identify the solutions for verification and validation. 9.2.2.2 Explanation of security engineering assurance control module 1.Identify the targets of verification and validation. 9.2.5 PAS_VVS.4 Execute validation 9.2.5.1 Control of security engineering assurance control module Validate the solution and demonstrate that the solution has fulfilled the previous abstract requirements, and finally satisfied the customer's operation security need. The purpose of this security engineering assurance control module is to validate that the solution has effectively fulfilled the previous abstract requirements. There are multiple methods for such validation, including testing the solution in operation or typical test setting environment. The method applied is identified in PAS_VVS.2 "define the methods of verification and validation". 9.2.5.2 Explanation of security engineering assurance control module This practice involves traceability. ......Source: Above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al. Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of English version of GB/T 20274.4-2008 be delivered?Answer: The full copy PDF of English version of GB/T 20274.4-2008 can be downloaded in 9 seconds, and it will also be emailed to you in 9 seconds (double mechanisms to ensure the delivery reliably), with PDF-invoice.Question 2: Can I share the purchased PDF of GB/T 20274.4-2008_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 20274.4-2008_English will be deemed to be sold to your employer/organization who actually paid for it, including your colleagues and your employer's intranet.Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. www.ChineseStandard.us -- GB/T 20274.4-2008 -- Click this link and select your country/currency to pay, the exact amount in your currency will be printed on the invoice. Full PDF will also be downloaded/emailed in 9 seconds.How to buy and download a true PDF of English version of GB/T 20274.4-2008?A step-by-step guide to download PDF of GB/T 20274.4-2008_EnglishStep 1: Visit website https://www.ChineseStandard.net (Pay in USD), or https://www.ChineseStandard.us (Pay in any currencies such as Euro, KRW, JPY, AUD).Step 2: Search keyword "GB/T 20274.4-2008". Step 3: Click "Add to Cart". If multiple PDFs are required, repeat steps 2 and 3 to add up to 12 PDFs to cart. Step 4: Select payment option (Via payment agents Stripe or PayPal). Step 5: Customize Tax Invoice -- Fill up your email etc. Step 6: Click "Checkout". Step 7: Make payment by credit card, PayPal, Google Pay etc. After the payment is completed and in 9 seconds, you will receive 2 emails attached with the purchased PDFs and PDF-invoice, respectively. Step 8: Optional -- Go to download PDF. Step 9: Optional -- Click Open/Download PDF to download PDFs and invoice. See screenshots for above steps: Steps 1~3 Steps 4~6 Step 7 Step 8 Step 9 |
