GB/T 20282-2006: Information security technology -- Information system security engineering management requirements

This is an excerpt of the English translation of the standard.

GB NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.020
L 09

Information Security Technology - Information System Security Engineering Management Requirements

Issued on: May 31, 2006
Implemented on: December 1, 2006
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China.

Table of Contents
1 Scope
2 Normative References
3 Terms and Definitions
4 Security Engineering System
5 Qualification Assurance Requirements
6 Organizational Assurance Requirements
7 Engineering Implementation Requirements
8 Project Implementation Requirements
9 Grading Requirements for Security Engineering Management
10 Process and Requirements of Security Engineering
Appendix A (Informative) Corresponding Relationship between Security Engineering Requirements and Security Protection Level/Security Engineering Process
References

Foreword
Appendix A of this Standard is informative.
This Standard was proposed by and is under the jurisdiction of the National Committee on Information Security of the Standardization Administration of China.
Drafting organizations of this Standard: the 30th Research Institute of China Electronics Technology Group Corporation (CETC 30), Shanghai 30wish Information Security Co., Ltd. and Shanghai Institute of Standardization.
Main drafters of this Standard: Zhang Jianjun, Wei Zhong, Ye Ming, Chen Changsong and Kong Yitong.
Information Security Technology - Information System Security Engineering Management Requirements

1 Scope
This Standard specifies management requirements for information system security engineering (hereinafter referred to as security engineering). It serves as guidance for the construction of information system security engineering by the owner, the developer and third parties, on which all parties can base their security engineering management systems.
This Standard specifies different security engineering management requirements in accordance with the five security protection levels specified in GB 17859-1999.
This Standard is applicable to the owner and the developer of an information system for managing security engineering, and may be referred to by all parties concerned.

2 Normative References
The provisions in the following documents become provisions of this Standard through reference in this Standard. For dated references, subsequent amendments (excluding corrections) or revisions do not apply to this Standard; however, parties who reach an agreement based on this Standard are encouraged to study whether the latest versions of these documents are applicable. For undated references, the latest edition of the referenced document applies.
GB 17859-1999 Classified Criteria for Security Protection of Computer Information System
GB/T 20269-2006 Information Security Technology - Information System Security Management Requirements
GB/T 20271-2006 Information Security Technology - Common Security Techniques Requirement for Information System

3 Terms and Definitions
For the purposes of this Standard, the following terms and definitions apply.
3.1 Security engineering
The process of system engineering that ensures the confidentiality, integrity and availability of an information system.
3.2 Security engineering lifecycle
Activities that relate to security engineering throughout the lifecycle of an information system, including concept formation, concept development and definition, verification and validation, engineering implementation, development and manufacture, production and deployment, operation and support, and termination.
3.3 Security engineering guide
Guiding information, defined by the engineering group, on how to select, design and implement the engineering system structure.
3.4 Vulnerability
A weakness of an asset or a group of assets that can be exploited by a threat.
3.5 Risk
The probability that a given threat will exploit the vulnerability of an asset or group of assets and cause it to be lost or damaged.

4 Security Engineering System
4.1 Overview
This Standard defines a security engineering management requirements system consisting of specific requirements for the different grades of engineering.
4.2 Goal of Security Engineering
Understand the owner's security risks; base reasonable security requirements on the identified security risks; translate the security requirements into security guides that can be used by the other implementation activities of the project; and establish confidence and assurance about information security on the basis of proper and effective security mechanisms.
4.3 Fundamental Relation
Security engineering is composed of security level, assurance and implementation; different levels of security engineering correspond to different requirements for assurance and implementation. Assurance consists of qualification assurance requirements and organizational assurance requirements, while implementation consists of engineering implementation requirements and project implementation requirements.

5 Qualification Assurance Requirements
5.1 System Integration Qualification Requirement
System integration qualifications approved by national authorities.
5.2 Personnel Qualification Requirement
Security service personnel qualifications approved by national authorities.
5.4 Security Product Requirement
Information security products shall hold the licenses for production, management and marketing required in China, and shall meet the corresponding grade.
5.5 Engineering Supervision Requirement
5.6 Requirement for Compliance with Laws, Regulations and Policies
The system shall comply with national laws, regulations and policies.

6 Organizational Assurance Requirements
6.1 Define Organizational Process of System Engineering
6.1.1 Basic requirements
A standard process with explicit goals shall be defined for system engineering; the process for a new engineering project can be defined by tailoring it.
6.1.2 Set process goal
6.2 Improve Organizational Process of System Engineering
6.2.1 Basic requirements
Measure and improve the system engineering process; on the basis of the defined standard system engineering process, improve the benefit and efficiency of the organizational system engineering process through these improvements.
6.2.2 Assess the process
6.2.3 Plan process improvement
Based on analysis of the effects of potential improvements, a process improvement plan shall be developed to achieve the goal of the process.
6.2.4 Change standard process
Change the standard organizational system engineering process so as to reflect the improvement of the goal.
6.2.5 Communicate about process improvement
Communicate with the existing project team and other related teams on process improvement.
6.3 Manage the Evolution of Series of Products
6.3.1 Basic requirements
Services, devices and new technologies shall be introduced to renew products, reduce engineering expense and obtain the optimal benefit from engineering progress and implementation.
6.3.6 Insert product technology
6.4.4 Acquire support environment for system engineering
6.4.6 Insert new technology
6.4.7 Maintain the environment
6.4.8 Monitor the support environment of system engineering
6.5 Host Training
6.5.1 Basic requirements
Establish a complete training system that provides employees with effective knowledge and skill training meeting organizational needs and applicable to system engineering activities.
6.5.2 Define training requirement
6.5.3 Select the method for acquisition of knowledge or skill
6.5.4 Ensure the availability of skills and knowledge
Ensure that the skills and knowledge are available for system engineering activities.
6.5.5 Prepare training materials
6.5.6 Train personnel
6.5.8 Keep training record
6.5.8.1 Keep a record of training and experience.
6.5.8.2 Keep training records so as to track the performance, skills and ability of each trainee.
6.5.9 Maintain training materials
6.6 Coordinate with Supplier
6.6.1 Basic requirements
Build ties to suppliers according to engineering needs, so as to ensure that the supplier can provide the product or service required for system engineering.
6.6.2 Determine system components or services
Determine the system components or services that shall be provided by external organizations.
6.6.3 Determine competent supplier or distributor
6.6.5 Make requests

7 Engineering Implementation Requirements
7.1 Manage Security Control
7.1.1 Basic requirements
Ensure that the designed security characteristics of the system are retained in operation, and that security measures are properly configured and used normally.
7.1.2 Establish security responsibility
7.1.3 Manage security configuration
7.1.4 Improve security awareness and popularize training and education programs
7.1.5 Manage security service and control mechanism
7.2 Assess Impacts
7.2.1 Basic requirements
Identify the impacts on the system and assess the likelihood of potential impacts.
7.6 Build Assurance Argument
7.6.1 Basic requirements
Identify and define the assurance evidence related to the needs, including evidence generation and analysis activities, the additional evidence, document list and process required to support assurance of the needs, and the evidence certifying compliance with the security needs that can be clearly provided to the owner. The project shall keep records of the activities related to assurance evidence, including the management, identification, planning, packaging and submission of security assurance evidence.
7.6.2 Identify assurance goal
7.6.3 Define assurance strategy
7.6.5 Analyze evidence
Security assurance evidence is analyzed to ensure that the engineering products are sound and correct relative to the baseline system.
7.6.6 Provide assurance argument
7.7 Coordinate Security
7.7.1 Basic requirement
Relationships among security organizations, other engineering organizations and external organizations related to security engineering shall be coordinated and maintained, so as to ensure that all departments are aware of their participation in security engineering.
7.7.2 Define coordination goal
Define and build relationships of contact and obligation with other organizations, which shall be accepted by all the departments involved.
7.7.3 Identify coordination mechanism
Identify the security engineering coordination mechanism and define its implementation method.
7.7.4 Promote coordination

8 Project Implementation Requirements
8.1 Quality Assurance
8.1.1 Basic requirements
Deviations shall be found by means of process measurement and monitoring as well as work product measurement; achievement of the project quality goal shall be ensured through quality analysis, improvement and monitoring of quality corrections. This requirement item is related to 7.6: assurance can be considered a special type of security-related quality.
8.1.2 Monitor consistency of the defined process
8.1.3 Measure quality of work product
8.1.3.1 The designed work product measurement method shall be used to assess whether the work product meets the owner's or engineering requirements; product measurement also helps to resolve problems that arise in a separated system development process.
8.1.4 Measure process quality
Measure the quality of the system engineering process used in the project.
8.1.5 Analyze quality measurement
8.1.6 Participate in quality activities
Relevant employees shall be involved in determining and reporting quality problems.
8.1.7 Initiate quality improvements
Initiate activities addressing quality problems or improvements.
8.1.8 Detect correction requirements
8.2 Manage Configuration
8.2.1 Basic requirements
The data and status of the configuration units determined in the system shall be maintained.
8.2.2 Establish configuration management method
8.2.3 Determine configuration unit
8.2.3.1 Determine the configuration units constituting the baseline.
8.2.5 Control changes
8.3 Manage Project Risk

9 Grading Requirements for Security Engineering Management
9.1 Level 1: User's Discretionary Protection Level
9.1.1 Engineering goal and scope
Goal: at this level, the qualification assurance requirements shall be met, and the basic requirement items for organization assurance, engineering implementation and project implementation shall be basically achieved. Individuals in the organization at this level can recognize that an action shall be executed and agree that it will be executed when required.
9.1.3 Organization assurance requirements
In the organization assurance process, the processes of the following 6 requirements shall be complete and explicit and shall basically achieve the goal of each requirement; individuals in the organization at this level can recognize that an action shall be executed and agree that it will be executed when required.
9.1.4 Engineering implementation requirements
In the security engineering process, the processes of the 11 requirements shall be complete and explicit and shall basically achieve the goal of each requirement; individuals in the organization can recognize that an action shall be executed and agree that it will be executed when required.
9.1.5 Project implementation requirements
In the security project implementation process, the processes of the following 5 requirements shall be complete and explicit and shall basically achieve the goal of each requirement; individuals in the organization can recognize that an action shall be executed and agree that it will be executed when required.
9.2 Level 2: System Audit Protection Level
9.2.1 Engineering goal and scope
Goal: at this level, the qualification assurance requirements shall be met, and the basic requirement items for organization assurance, engineering implementation and project implementation are planned and tracked.
9.2.2 Qualification assurance requirements
Qualification assurance shall meet the following 5 requirement items.
......
Source: The above contents are excerpted from the full-copy PDF, translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.