|
US$999.00 · In stock
Delivery: <= 7 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 20009-2019: Information security technology - Security evaluation criteria for database management system
Status: Valid GB/T 20009: Evolution and historical versions
| Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | Status | PDF |
| GB/T 20009-2019 | English | 999 |
Add to Cart
|
7 days [Need to translate]
|
Information security technology - Security evaluation criteria for database management system
| Valid |
GB/T 20009-2019
|
| GB/T 20009-2005 | English | RFQ |
ASK
|
6 days [Need to translate]
|
Information security technology -- Data base management systems security evaluation criteria
| Obsolete |
GB/T 20009-2005
|
PDF similar to GB/T 20009-2019
Basic data | Standard ID | GB/T 20009-2019 (GB/T20009-2019) | | Description (Translated English) | Information security technology - Security evaluation criteria for database management system | | Sector / Industry | National Standard (Recommended) | | Classification of Chinese Standard | L80 | | Classification of International Standard | 35.040 | | Word Count Estimation | 50,530 | | Date of Issue | 2019-08-30 | | Date of Implementation | 2020-03-01 | | Older Standard (superseded by this standard) | GB/T 20009-2005 | | Quoted Standard | GB/T 18336.1-2015; GB/T 18336.2-2015; GB/T 18336.3-2015; GB/T 20273-2019; GB/T 25069-2010; GB/T 30270-2013 | | Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration | | Summary | This standard specifies the general principles, contents and methods of security assessment of database management systems. This standard applies to the testing and evaluation of database management systems, and can also be used to guide the development of database management systems. | GB/T 20009-2019: Information security technology - Security evaluation criteria for database management system
---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Information security technology - Security evaluation criteria for database management system
ICS 35.040
L80
National Standards of People's Republic of China
Replace GB/T 20009-2005
Information Security Technology
Security Evaluation Criteria for Database Management System
2019-08-30 released
2020-03-01 Implementation
State Administration for Market Regulation
Issued by China National Standardization Administration
Table of contents
Preface Ⅲ
1 Scope 1
2 Normative references 1
3 Terms and definitions, abbreviations 1
3.1 Terms and definitions 1
3.2 Abbreviations 1
4 General Principles of Evaluation 2
4.1 Overview 2
4.2 Evaluation requirements 2
4.3 Assess the environment 2
4.4 Evaluation Process 3
5 Evaluation content 3
5.1 Safety function evaluation 3
5.2 Security assurance assessment 22
5.3 Evaluation method 35
Appendix A (informative appendix) Standard revision instructions 40
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 20009-2005 "Guidelines for Security Evaluation of Information Security Technology Database Management Systems". versus
Compared with GB/T 20009-2005, the main technical changes except for editorial changes are as follows.
---Modified Chapter 3 terms and definitions and abbreviations (see 3.1 and 3.2, Chapter 3 of the.2005 edition);
---Chapter 4 "Security Environment" is revised, and the title is revised to the General Rules of Evaluation, which describes the overall requirements, evaluation requirements, and
Assessment environment and assessment process (see Chapter 4, Chapter 4 of the.2005 edition);
---Modified the evaluation content in Chapter 5, and defined the safety functions in GB/T 20273-2019 according to GB/T 30270-2013
Components and safety assurance component evaluation content (see Chapter 5, Chapter 5 of the.2005 edition);
--- Deleted Appendix A "Threats and Countermeasures Faced by Database Management Systems" (see Appendix A of the.2005 edition);
---Listed the EAL2, EAL3 and EAL4 component list and evaluation criteria according to the concept of evaluation assurance level.
Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard. China Information Security Evaluation Center, Tsinghua University, Beijing Jiangnan Tianan Technology Co., Ltd., Ministry of Public Security Third Research
Institute, Peking University, Wuhan Dameng Database Co., Ltd., Tianjin Nanda General Data Technology Co., Ltd.
The main drafters of this standard. Zhang Baofeng, Bi Haiying, Ye Xiaojun, Wang Feng, Wang Jianmin, Chen Guanzhi, Lu Zhen, Shen Liang, Gu Jian, Song Haohao,
Zhao Yujie, Ji Zengrui, Liu Yuhan, Liu Xueyang, Hu Wenhui, Fu Quan, Fang Hongxia, Feng Yuan, Li Dejun.
The previous versions of the standard replaced by this standard are as follows.
---GB/T 20009-2005.
Information Security Technology
Security Evaluation Criteria for Database Management System
1 Scope
According to GB/T 20273-2019, this standard specifies the general rules, evaluation content and evaluation methods of database management system security evaluation.
This standard applies to the testing and evaluation of database management systems, and can also be used to guide the development of database management systems.
Note. The evaluation content and evaluation methods of EAL2, EAL3 and EAL4 specified in this standard are applicable to all parts based on GB/T 18336-2015
The database management system security evaluation is also applicable to the second-level system audit protection level and third-level security of the database based on GB 17859-1999.
The security evaluation of the database management system of the full-marked protection level and the fourth-level structured protection level. For the corresponding relationship, please refer to Appendix A in A.1.
2 Normative references
The following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this article
Pieces. For undated references, the latest version (including all revised versions) applies to this document.
GB/T 18336.1~18336.3-2015 Information Technology Security Technology Information Technology Security Evaluation Criteria
GB/T 20273-2019 Information security technology database management system security technical requirements
GB/T 25069-2010 Information Security Technical Terms
GB/T 30270-2013 Information technology security technology Information technology security assessment method
3 Terms and definitions, abbreviations
3.1 Terms and definitions
The terms and definitions defined in GB/T 25069-2010, GB/T 30270-2013 and GB/T 20273-2019 apply to this document.
3.2 Abbreviations
The following abbreviations apply to this document.
4 General Rules of Evaluation
4.1 Overview
This standard provides the evaluation of the database management system (DBMS) defined in GB/T 20273-2019 in accordance with GB/T 30270-2013
Object (TOE) evaluation content and evaluation method of safety function components and safety assurance components.
4.2 Evaluation requirements
When conducting a security assessment of the database management system, first complete the assessment according to the security objective assessment method of GB/T 30270-2013
Based on the evaluation of DBMSST, the safety function and safety guarantee of DBMS are evaluated.
a) The goal of safety function assessment is to ensure the integrity and integrity of the design and implementation of safety function components defined in GB/T 20273-2019.
Confirmation, generally through the evaluation evidence analysis provided by the DBMS initiator and the TOE safety function (TSF) independence test to confirm
Ensure that the DBMS security functions meet the functional requirements claimed by its security goals. The independence test should be based on the database product manufacturer’s proposal
A series of evaluation evidence (such as analysis, design and test documents) and TOE security policy (TSP) provided by the evaluator in accordance with ST
The TSS in the database analyzes the evidence materials of the evaluation object provided by the DBMS developer, and compares it according to the different evaluation guarantee levels.
The DBMS security function components are sampled and tested, or the evaluator can design corresponding test cases and complete the DBMS independently
The functional test of the security function component verifies that the implementation of TSF complies with the database management system outline specification.
b) The goal of security assurance assessment is to discover the flaws or vulnerabilities in the design and implementation of the DBMS, so as to require development during the assessment process.
The developer corrects the corresponding errors of the evaluation object, thereby reducing the risk of safety function failure during the operation of the DBMS after the release.
Capability. Therefore, the security assessment requires testers to test whether the DBMS can withstand various security in a simulated real application environment.
Full attack to determine whether the assessment object has potential security weaknesses or security vulnerabilities. Penetration testing technology is to eliminate
Effective methods for defects or vulnerabilities in the design or implementation of the DBMS. Testers need to follow the communication protocol of the database product
Security attack surface assessment evidence data such as discussion, structured query language, database development interface, stored procedure/function, etc.
Penetration testing technologies such as testing test the credibility of the implementation mechanism of the safety function components to ensure the design of the safety function components.
There are no unknown weaknesses/defects in design, implementation and testing.
4.3 Assess the environment
Under the support of different network environments and server environments, general database products provide solutions for a variety of security strategies and security control mechanisms.
A solution to meet the safety requirements of the target consumers. The test environment of the database management system is divided into three categories. non-cluster database services
Test environment and cluster database service test environment, cluster test environment is subdivided into shared storage cluster test environment and non-shared storage
The cluster test environment.
A certain test environment should be selected according to the system of GB/T 30270-2013 safety assessment basic principles, processes and procedures,
Product safety function and safety assurance are evaluated. Each evaluation activity of the security component of the database management system includes two general evaluation tasks.
a) Evaluation evidence input evaluation. The evaluation initiator shall provide the safety evaluation agency with all necessary evaluation materials for the DBMS safety evaluation
Material. The evaluation initiator should prepare or develop TOE-related evaluation evidence in accordance with GB/T 30270-2013.
Some inputs require evaluation.
b) Evaluation result output evaluation. The purpose of the output task evaluation of the safety evaluation agency is to evaluate the output observation report and evaluation technology
The report should satisfy the principle of repeatability and reproducibility of the evaluation results, and should maintain the consistency of the types and quantities of information reported.
4.4 Evaluation process
The safety assessment process according to GB/T 30270-2013 includes assessment preparation, assessment implementation, assessment results and other stages, as follows.
a) Evaluation preparation stage. The evaluation initiator shall provide the evaluator with safety goals in accordance with GB/T 30270-2013, and the evaluator shall analyze its
feasibility. The evaluator may need the sponsor to provide other supporting information related to the evaluation. Evaluation initiator or ST development
The evaluator will provide the evaluator with part of the object to be evaluated. The evaluator reviews the security goals and then informs the initiator to
Necessary supplements and improvements to facilitate the implementation of the evaluation process in the future. When the evaluator believes that the initiator of the evaluation
When the materials are ready, the evaluation process enters the next stage.
b) Evaluation implementation stage. The evaluator generates a list of products to be evaluated, evaluation activities, and evaluation based on GB/T 30270-2013
The feasibility study report of documents such as sampling requirements for estimation methods. The initiator and the evaluator sign an agreement during the evaluation preparation phase
The agreement contains the basic framework of evaluation, while taking into account the limitations of the evaluation system and any changes in national laws and regulations.
Claim. After the agreement is signed, the evaluator can enter the evaluation implementation stage. The main activities included at this stage are.
1) The evaluator checks the evaluation objects that the initiator or developer should deliver, and then performs the necessary evaluation activities in accordance with GB/T 30270-2013.
2) During the evaluation phase, the evaluator may write an observation report. In this report, the evaluator will ask the supervisor (review agency)
How to meet its regulatory requirements.
3) The supervisor responds to the evaluator's request for explanation, and then allows the next evaluation.
4) The supervisor may also confirm and point out some potential defects or threats, and then ask the initiator or developer to provide additional information.
c) Evaluation of the final result stage. The evaluator will comprehensively evaluate the TOE based on the document review, test conditions, and on-site inspection results.
And write evaluation technical report.
5 Evaluation content
5.1 Safety function evaluation
5.1.1 Overview
In the description of the safety function component evaluation content, the bold text in square brackets [] indicates the completed operation, and the black italic content table
The indication also needs to be determined by the ST author in the safety target to determine the assignment and selection items.
5.1.2 Security audit (FAU category)
5.1.2.1 Audit data generation (FAU_GEN.1)
The audit data generation component should automatically generate corresponding audits in accordance with database standard audits and fine-grained audit strategies set by security goals
Event log information. The security assessment of this component is as follows.
a) The different levels of audit strategies provided by the assessment object should be tested to produce the following auditable event records.
1) Start and close the database audit function;
2) The startup and shutdown of the database instance and its component services;
3) Non-default value modification events of database instance configuration parameters;
4) Database object structure modification event;
5) Auditable events of the database audit level [minimum] listed in GB/T 20273-2019;
6) Other auditable events for database security auditors that can bypass the special definition of the access control strategy [assignment. audit event defined by the ST author];
7) All auditable events that do not specify the audit level [assignment. fine-grained audit events at the database object data operation level].
b) Check that the audit records contain at least the following information.
1) Event type, event date and time, subject's associated identity/group/role, database objects involved,
Information about the host that generated the audit event and the result of the event operation (success or failure);
2) Audit data should be generated according to the evaluation object [assignment. audit event specified by the ST author] and the prescribed format [assignment. data type and format];
3) For each audit event type, the auditable event definition based on the security function components included in GB/T 20273-2019.
c) The audit data generation strategy configuration management API or tool of the database management system should be checked to confirm the effectiveness of the audit data generation mechanism and function.
5.1.2.2 User Identity Association (FAU_GEN.2)
The user identity correlation component should associate audit events with the identity of the subject, so that auditable events can be traced back to a single database user identity
Requirements. The security assessment of this component is as follows.
a) The audit record should be able to view whether each audit event is associated with the identity of the user who triggered the audit event;
b) Audit records should be able to see whether each audit event is related to the [assignment. the user identity specified by the ST author]
Authentication method] associated database session information;
c) It should be checked and provided to associate the user identity in the audit record with the user’s group/role identity to view the auxiliary view or management API/work
Tool, confirm that you can see the user identity related information.
5.1.2.3 Audit review (FAU_SAR.1)
The audit review component provides authorized administrators with the ability to obtain and interpret audit data. The security assessment of this component is as follows.
a) It should be tested whether the audit information listed below can be read and obtained from the audit records.
1) User identification;
2) Audit event type;
3) Database object identification;
4) [Assignment. Audit event specified by ST author] specified by the evaluation object;
b) It should be tested whether the audit record reading and management interface (such as a graphical interface) that meets the review conditions is provided in a way that users can understand;
c) It should be tested that when the authorized user is an external IT entity, the audit data should be unambiguously represented in a standardized electronic way;
d) It should be tested whether all unauthorized users are prohibited from accessing audit data.
5.1.2.4 Restricted audit access (FAU_SAR.2)
The restricted audit access component only allows authorized administrators to access part of the audit data. The security assessment of this component is as follows.
a) It should be tested whether the audit information can be accessed according to [Selection. Subject ID, Host ID, Object ID, [Assignment. Audit Conditions Specified by ST Author]];
b) It should be tested whether it can be based on [Select. Auditable security event for success, Auditable security event for failure, [Assignment. ST author specifies its
He chooses conditions】】Check audit information;
c) It should be tested whether the audit information can be consulted according to [Selection. Database System Authority, Database Object Authority, [Assignment. Authority Level Specified by ST Author]];
d) The management audit data authorization control mechanism and audit data authorization administrator (security administrator) should be tested to control authorized administrator access
[Assignment of audit data. ST author designated role/system authority];
e) It should be tested whether security administrators or authorized administrators who have been granted audit data access rights are allowed to access audit data views or interfaces;
f) It should be tested whether all unauthorized users are prohibited from accessing audit data.
5.1.2.5 Optional audit review (FAU_SAR.3)
The optional audit review component allows authorized administrators to select audit data to be reviewed based on specified search criteria. The security assessment of this component is as follows.
a) It should be tested whether the audit records can be searched according to the search and classification conditions of the values in the audit data fields, and the audit data that authorized administrators care about should be filtered;
b) It should be tested whether the returned audit data can be sorted and summarized;
c) It should be tested whether the authorized administrator is allowed to use [Select. SQL statement, [Assignment. ST author specified method]] to search for and sort audit data;
d) It should be tested whether to provide application development interface capabilities for accessing audit data or audit data analysis auxiliary tools;
e) It should be tested whether all unauthorized users are prohibited from accessing audit data.
5.1.2.6 Selective audit (FAU_SEL.1)
The selective audit component defines the ability to add or exclude events from the auditable event set. The security assessment of this component is as follows.
a) It should be tested whether it can be based on [selection. object identity, user identity, group identity, subject identity, host identity, [assignment. ST author
Determine subject attributes】】Select auditable events from the audit event set;
b) It should be tested whether it can be selected according to [selection. database system authority, statement-level audit, authority-level audit, mode object-level audit, column-level
Data authority, row-level data authority, [assignment. ST author specifies user operation authority level]] select auditable events from the audit event set;
c) It should be tested whether it can select auditable events from the set of audit events according to [Select. success, failure, both auditable security event options, [assignment. ST author specified conditions]];
d) It should be tested whether the auditable events can be selected from the audit event set according to the additional attribute list related to the product audit function.
5.1.2.7 Audit data availability guarantee (FAU_STG.2)
The audit data availability guarantee component ensures that the TSF can also maintain the product when an unexpected situation occurs in the audit data storage of the database management system.
Raw audit data. The security assessment of this component is as follows.
a) It should be tested whether it can provide database system tables or external files to save audit event data and maintain audit data authorization control
And audit data storage management capabilities;
b) The effectiveness of maintenance and control audit event data storage capacity parameters should be tested;
c) The stored audit records should be tested and protected, and the access mechanism that only allows security administrators or authorized administrators to access audit records;
d) TSF should be tested to [choice. prevent, detect] unauthorized modification of audit records stored in the audit trail;
e) The provided audit data backup, export and other management interfaces/auxiliary tools should be tested, and only security administrators or authorized administrators
To operate these auxiliary functions;
f) The audit event should be tested for data encryption and decryption storage protection capabilities;
g) It should be tested when TSF [Select. Audit storage exhausted, invalid, attacked], to ensure that [Assignment. Metric to save audit records] audit records will remain valid.
5.1.2.8 Prevent loss of audit data (FAU_STG.4)
The audit data loss prevention component specifies when the audit trail stored in the database is full or the external disk stored in the database is left empty.
The action taken when the time overflows. The security assessment of this component is as follows.
a) The audit data [selection. multiplexing, [assignment. ST author specified backup method]] function should be tested, and the audit data storage location designation and other management capabilities should be verified;
b) Audit data archiving function should be tested, including remote archiving function;
c) Check the available space of audit data storage to view the view/tool function;
d) It is necessary to check whether the audit record data is full, and provide information on ignoring auditable events, preventing auditable events, and rewriting audit records.
Cover the earliest stored audit record or [assignment. other actions taken when the audit storage fails] and other processing mechanisms.
5.1.3 Password support (FCS type)
5.1.3.1 Key generation (FCS_CKM.1)
If the key is generated by an external environment, check whether the key generator provided by the external environment is based on the algorithm and key specified by the national standard
Length to generate the key; otherwise, the user key and data key provided by the evaluation object are generated. The security assessment of this component is as follows.
a) The user key storage device or key management server operation interface should be tested to confirm that the database key storage location is safe and
It can be checked, including providing the same type of key backup and recovery mechanism as the data itself.
b) The user key and data key of the database shall be detected to separate the management interface and management tools from the encrypted database itself.
c) It should be tested whether it can be based on the specific key generation algorithm [assignment] of the evaluation object [assignment. list of standards and specifications specified by the ST author].
Value. Key Generation Algorithm] and the specified key length [Assignment. Key Length] to generate the key.
d) Key generation should be tested to provide the following key management functions.
1) Key attribute configuration management should be provided. Examples of key attributes include user key type [choice. public key, private key
Key, secret key [assignment. ST author specified key type]], validity period and use purpose [choice. digital signature, key plus
Encryption, key agreement, data encryption, [assignment. ST author designated use]];
2) Key storage and its use interface should be provided, allowing the evaluation object to interact with the external database application program interface and encryption equipment.
e) It should be checked whether the assignment of the password generation algorithm complies with the relevant standards and parameters recognized by the national competent authority.
5.1.3.2 Key Destruction (FCS_CKM.4)
The key destruction component provides a key destruction function that complies with the password management algorithm specified by the country. The security assessment of this component is as follows.
a) It should be tested whether the key destruction method according to the evaluation object...
Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of GB/T 20009-2019_English be delivered?Answer: Upon your order, we will start to translate GB/T 20009-2019_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 7 working days. The lengthier the document the longer the lead time. Question 2: Can I share the purchased PDF of GB/T 20009-2019_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 20009-2019_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet. Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. If you need your currency to be printed on the invoice, please write an email to [email protected]. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay. Question 5: Should I purchase the latest version GB/T 20009-2019?Answer: Yes. Unless special scenarios such as technical constraints or academic study, you should always prioritize to purchase the latest version GB/T 20009-2019 even if the enforcement date is in future. Complying with the latest version means that, by default, it also complies with all the earlier versions, technically.
|