GM/T 0115-2021: Testing and evaluation requirements for information system cryptography application
Status: Valid
---This is an excerpt. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.), auto-downloaded/delivered in 9 seconds, can be purchased online: https://www.ChineseStandard.net/PDF.aspx/GMT0115-2021
GM CRYPTOGRAPHY INDUSTRY STANDARD
ICS 35.040
CCS L 80

Testing and Evaluation Requirements for Information System Cryptography Application

Issued on: October 19, 2021
Implemented on: May 1, 2022
Issued by: State Cryptography Administration

Table of Contents

Foreword ... 3
1 Scope ... 4
2 Normative References ... 4
3 Terms and Definitions ... 4
4 Overview ... 5
5 General Testing and Evaluation Requirements ... 8
5.1 Compliance of Cryptographic Algorithms ... 8
5.2 Compliance of Cryptographic Technology ... 8
5.3 Compliance of Cryptographic Products ... 9
5.4 Compliance of Cryptographic Services ... 10
5.5 Key Management Security ... 10
6 Testing and Evaluation Requirements for Cryptography Application Technology and Cryptography Application Management ... 11
6.1 Physical and Environmental Security ... 11
6.2 Network and Communication Security ... 14
6.3 Equipment and Computing Security ... 19
6.4 Application and Data Security ... 24
6.5 Management Systems ... 31
6.6 Personnel Management ... 36
6.7 Construction and Operation ... 41
6.8 Emergency Response ... 45
7 Overall Testing and Evaluation Requirements ... 48
7.1 Overview ... 48
7.2 Inter-unit Testing and Evaluation ... 48
7.3 Inter-level Testing and Evaluation ... 49
8 Risk Analysis and Evaluation ... 49
9 Testing and Evaluation Conclusions ... 50
Appendix A (informative) Key Lifecycle Management Inspection Points ... 51
Appendix B (informative) Typical Cryptographic Product Application Testing and Evaluation Technology ... 57
Appendix C (informative) Typical Cryptographic Function Testing and Evaluation Technology ... 61
Bibliography ... 64

1 Scope

This document specifies the testing and evaluation requirements for different levels of cryptography application in information systems.

From the perspectives of cryptographic algorithm compliance, cryptographic technology compliance, cryptographic product compliance, cryptographic service compliance and key management security, it proposes the general testing and evaluation requirements for cryptography application from Level 1 to Level 5.

From four technological levels (physical and environmental security of information systems, network and communication security, equipment and computing security, and application and data security), it proposes the testing and evaluation requirements for cryptography application technology from Level 1 to Level 4.

From four management perspectives (management system, personnel management, construction and operation, and emergency response), it proposes the testing and evaluation requirements for cryptography application management from Level 1 to Level 4.

In addition, it provides the requirements for the remaining testing and evaluation links: overall testing and evaluation, risk analysis and evaluation, and testing and evaluation conclusions.

This document is applicable to guiding and standardizing the security evaluation of commercial cryptography application in the planning, construction and operation of information system cryptography application.

NOTE: For Level 5 cryptography application testing and evaluation requirements, only the general testing and evaluation requirements are described in this document.

2 Normative References

The contents of the following documents constitute indispensable clauses of this document through the normative references in the text. For dated references, only the version with the specified date applies to this document. For undated references, the latest version (including all amendments) applies to this document.

GB/T 39786-2021 Information Security Technology - Baseline for Information System Cryptography Application
GM/Z 4001 Cryptology Terminology

3 Terms and Definitions

The terms and definitions defined in GB/T 39786-2021 and GM/Z 4001, and the following, are applicable to this document.

3.1 commercial cryptography application security evaluation staff
Personnel engaged in security evaluation of commercial cryptography application in a commercial cryptography application security evaluation institution.

4 Overview

In accordance with GB/T 39786-2021, the testing and evaluation requirements for information system cryptography application are divided into general testing and evaluation requirements, testing and evaluation requirements for cryptography application technology, and testing and evaluation requirements for cryptography application management.

5 General Testing and Evaluation Requirements

5.1 Compliance of Cryptographic Algorithms
See the specific testing and evaluation units below.

5.2 Compliance of Cryptographic Technology
See the specific testing and evaluation units below.

5.3 Compliance of Cryptographic Products
See the specific testing and evaluation units below.

5.5 Key Management Security
See the specific testing and evaluation units below.

6 Testing and Evaluation Requirements for Cryptography Application Technology and Cryptography Application Management

6.1 Physical and Environmental Security

6.1.1 Identity authentication
See the specific testing and evaluation units below.

6.2.2 Communication data integrity
See the specific testing and evaluation units below.

6.2.4 Integrity of network boundary access control information
See the specific testing and evaluation units below.

6.3 Equipment and Computing Security

6.3.1 Identity authentication
See the specific testing and evaluation units below.

6.4 Application and Data Security

6.4.1 Identity authentication
See the specific testing and evaluation units below.

6.4.4 Important data transmission confidentiality
See the specific testing and evaluation units below.

6.4.7 Important data storage integrity
See the specific testing and evaluation units below.

6.5 Management Systems

6.5.1 Security management systems with cryptography application
See the specific testing and evaluation units below.

6.5.2 Key management rules
See the specific testing and evaluation units below.

6.7.4 Cryptography application security evaluation conducted before putting into operation
See the specific testing and evaluation units below.

a) Testing and evaluation indicators
1) Before putting the system into operation, conduct a cryptography application security evaluation (Level 1 to Level 2).
2) Before putting the system into operation, conduct a cryptography application security evaluation. The system may be officially operated only after passing the evaluation (Level 3 to Level 4).

c) Testing and evaluation objects
Cryptography application security evaluation report, and the responsible person of the system.

d) Testing and evaluation implementation
1) For a Level 1 to Level 2 system, check whether a cryptography application security evaluation is organized before the information system is put into operation; check whether a cryptography application security evaluation report is formulated before the system is put into operation.
2) For a Level 3 to Level 4 system, check whether a cryptography application security evaluation is organized before the information system is put into operation; check whether a cryptography application security evaluation report is formulated before the system is put into operation, and whether the system has passed the evaluation.

e) Result determination
For an individual testing and evaluation object, if all of the above testing and evaluation implementation checks for the corresponding level are answered YES, the testing and evaluation object complies with the testing and evaluation indicator requirements of this unit; otherwise, it does not comply, or partially complies, with the testing and evaluation indicator requirements of this unit.
For this testing and evaluation unit, summarize the determination results of all the testing and evaluation objects involved in the unit. If all determination results are conforming, the testing and evaluation result of this unit is conforming; if all determination results are non-conforming, the testing and evaluation result of this unit is non-conforming; otherwise, the testing and evaluation result of this unit is partially conforming.

6.7.5 Regular cryptography application security evaluation and offensive and defensive confrontation exercises
See the specific testing and evaluation units below.

a) Testing and evaluation indicators
During operation, strictly implement the established cryptography application security management system, regularly carry out cryptography application security evaluation and offensive and defensive confrontation exercises, and make rectifications based on the evaluation results (Level 3 to Level 4).

b) Testing and evaluation objects
Cryptography application security management system, cryptography application security evaluation report, offensive and defensive confrontation exercise report, and rectification documents.

c) Testing and evaluation implementation
Check whether the party responsible for the information system has strictly implemented the established cryptography application security management system and regularly conducted cryptography application security evaluation and offensive and defensive confrontation exercises after the information system was put into operation, and whether the corresponding cryptography application security evaluation report and offensive and defensive confrontation exercise report exist; check whether rectification schemes are formulated based on the evaluation results and whether the corresponding rectifications are made.

d) Result determination
For an individual testing and evaluation object, if all of the above testing and evaluation implementation checks are answered YES, the testing and evaluation object complies with the testing and evaluation indicator requirements of this unit; otherwise, it does not comply, or partially complies, with the testing and evaluation indicator requirements of this unit.
For this testing and evaluation unit, summarize the determination results of all the testing and evaluation objects involved in the unit. If all determination results are conforming, the testing and evaluation result of this unit is conforming; if all determination results are non-conforming, the testing and evaluation result of this unit is non-conforming; otherwise, the testing and evaluation result of this unit is partially conforming.

6.8 Emergency Response

7 Overall Testing and Evaluation Requirements

7.1 Overview
For the overall testing and evaluation, the testing and evaluation and the comprehensive security analysis shall be conducted from the inter-unit and inter-level perspectives.

7.2 Inter-unit Testing and Evaluation
After the unit testing and evaluation is completed, inter-unit testing and evaluation shall be conducted on the non-conforming and partially conforming items in the unit testing and evaluation results, focusing on analyzing whether there is mutual compensation between units in the information system.

7.3 Inter-level Testing and Evaluation
After the unit testing and evaluation is completed, inter-level testing and evaluation shall be conducted on the non-conforming and partially conforming items in the unit testing and evaluation results, focusing on analyzing whether there is mutual compensation between levels in the information system.
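The result-determination rule of units 6.7.4 e) and 6.7.5 d), and the way its non-conforming and partially conforming outputs feed the inter-unit and inter-level evaluation of 7.2 and 7.3, written out as an added example (not code from the standard or from the evaluation institution). The check names, the sample evidence and the rule that an object with some but not all checks YES counts as partially conforming are assumptions; the standard only says such an object "does not comply with, or partially complies with" the indicator.

```python
"""Result determination for a GM/T 0115-2021 testing and evaluation unit.

Added example, not part of the standard. Unit 6.7.4 is used as the concrete
unit because its implementation checks differ by system level: Level 3 to 4
adds the "system has passed the evaluation" check that Level 1 to 2 lacks.
"""
from enum import Enum


class Result(Enum):
    CONFORMING = "conforming"
    PARTIAL = "partially conforming"
    NON_CONFORMING = "non-conforming"


# Implementation checks of 6.7.4 d), keyed by system level (check names are assumed labels).
_LEVEL_1_2 = ("evaluation_organized_before_operation", "report_exists_before_operation")
_LEVEL_3_4 = _LEVEL_1_2 + ("evaluation_passed",)
CHECKS_6_7_4 = {1: _LEVEL_1_2, 2: _LEVEL_1_2, 3: _LEVEL_3_4, 4: _LEVEL_3_4}


def object_result(level: int, evidence: dict[str, bool]) -> Result:
    """6.7.4 e), first paragraph: determine one testing and evaluation object.

    `evidence` maps a check name to the YES/NO answer gathered from that object
    (the evaluation report or the responsible person). A check that is absent
    from the evidence is treated as NO.
    """
    if level not in CHECKS_6_7_4:
        raise ValueError(f"6.7.4 defines checks only for Level 1 to Level 4, got {level}")
    answers = [bool(evidence.get(check, False)) for check in CHECKS_6_7_4[level]]
    if all(answers):
        return Result.CONFORMING
    if any(answers):
        return Result.PARTIAL  # assumption: a mixed set of answers is "partially complies"
    return Result.NON_CONFORMING


def unit_result(object_results: list[Result]) -> Result:
    """6.7.4 e) / 6.7.5 d), second paragraph: summarize all objects of one unit."""
    if not object_results:
        raise ValueError("a testing and evaluation unit needs at least one object")
    if all(r is Result.CONFORMING for r in object_results):
        return Result.CONFORMING
    if all(r is Result.NON_CONFORMING for r in object_results):
        return Result.NON_CONFORMING
    return Result.PARTIAL


def items_for_overall_evaluation(units: dict[str, Result]) -> list[str]:
    """Units that 7.2/7.3 carry forward: the non-conforming and partially conforming ones."""
    return sorted(name for name, result in units.items() if result is not Result.CONFORMING)


if __name__ == "__main__":
    # Constructed sample evidence: a Level 3 system whose pre-operation evaluation was
    # organized and reported, but which has not yet passed it. Both objects agree.
    report = {"evaluation_organized_before_operation": True,
              "report_exists_before_operation": True,
              "evaluation_passed": False}
    responsible_person = dict(report)
    objects = [object_result(3, report), object_result(3, responsible_person)]
    print("6.7.4 objects:", [r.value for r in objects])      # both partially conforming
    print("6.7.4 unit:", unit_result(objects).value)          # partially conforming
    # The same evidence is fully conforming for a Level 2 system, which has no "passed" check.
    print("same evidence at Level 2:", object_result(2, report).value)
    print("carried into 7.2/7.3:", items_for_overall_evaluation(
        {"6.7.4": unit_result(objects), "6.7.5": Result.CONFORMING}))
```

Running the script shows why the level matters: identical evidence yields a partially conforming unit at Level 3 but a conforming one at Level 2, and only the former is carried into the overall evaluation.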

8 Risk Analysis and Evaluation

The cryptography application security evaluation report shall conduct risk analysis and evaluation of non-conforming and partially conforming items in the unit testing and evaluation results after the overall testing and evaluation.

9 Testing and Evaluation Conclusions

The cryptography application security evaluation report shall provide the testing and evaluation conclusions of the information system and confirm that the information system reaches the corresponding level of protection requirements.

......

Source: Above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al.