1 Scope
GB/T 20274 describes the model of information systems security assurance, establishes the framework for information systems security assurance, and formulates the general security assurance requirements of information systems in terms of the technology, management and engineering of information systems security.
This part of GB/T 20274 specifies the basic concept and model of information systems security assurance and establishes the framework for information systems security assurance.
This part is applicable to all relevant parties of information systems security assurance work, including the design developer, engineering executor, evaluator and certification licenser.
This part is not applicable to the following aspects:
a) Evaluation on personnel skill and capability, but the requirements for personnel security are not reflected in the management assurance;
b) System evaluation methodology;
c) Evaluation of the inherent quality of cryptographic algorithms.
2 Normative References
The following documents contain provisions which, through reference in this text, constitute provisions of this part. For dated references, subsequent amendments to (excluding any corrigendum), or revisions of, any of these publications do not apply. However, parties to agreements based on this standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. For any undated references, the latest edition of the document referred to applies.
GB/T 9387.2-1995 Information Processing Systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture (idt ISO 7498-2: 1989)
GB/T 18336-2001 Information Technology - Security Techniques - Evaluation Criteria For IT Security (idt ISO/IEC 15408:1999)
3 Terms, Definitions and Abbreviations
3.1 Terms and Definitions
For the purposes of this part, the following terms and definitions apply.
3.1.1
Access control
Preventing the unauthorized use of resources, including the use of a resource in an unauthorized way.
[GB/T 9837.2-1995, 3.3.1]
3.1.2
Accountability
A property that ensures that the effect of an entity can be traced uniquely to that entity.
[GB/T 9837.2-1995, 3.3.3]
3.1.3
Asset
The information or resource protected in the information systems security policy.
[GB/T 18336.1-2001, 3.3.1]
3.1.4
Attack
A behavior that bypasses the security controls of an information system. The success of an attack depends on the vulnerability of the information system and the validity of the existing countermeasures.
3.1.5
Audit
An independent observation and examination of system records and activities for the purpose of testing the adequacy of system controls, ensuring compliance with the established policy and operation, finding vulnerabilities in security, and suggesting any designated changes in control, policy and accumulation.
[GB/T 9837.2-1995, 3.3.5]
3.1.6
Authentication
Verifying the alleged identity of an entity.
3.1.7
Authorization
Granting of authority, including access based on access rights.
[GB/T 9837.2-1995, 3.3.10]
3.1.8
Authorized user
Foreword
Introduction
0.1 Meaning of Information Systems Security Assurance
0.2 Purpose and Significance of Compiling Framework for Information Systems Security Assurance Evaluation
1 Scope
2 Normative References
3 Terms, Definitions and Abbreviations
3.1 Terms and Definitions
3.2 Abbreviations
4 Overview
4.1 Introduction
4.2 Target Readers of Evaluation Framework for ISSA
4.3 Evaluation Context
4.4 Document Structure of Evaluation Framework for ISSA
5 General Model
5.1 Overview
5.2 Context of Security Assurance
5.3 ISSA Evaluation
5.4 Generation of ISPP and ISST
5.5 Description Materials of Information Systems Security Assurance (ISSA)
6 ISSA Evaluation and Evaluation Results
6.1 Introduction
6.2 ISPP and ISST Requirements
6.3 TOE Requirements
6.4 Declaration of Evaluation Result
6.5 Application of TOE Evaluation Result
Appendix A (Normative) Information Systems Protection Profile (ISPP)
A.1 Overview
A.2 ISPP Content
A.2.1 Content and Expression
A.2.2 ISPP Introduction
A.2.3 TOE Description
A.2.4 TOE Security Environment
A.2.5 Security Assurance Purpose
A.2.6 Information Systems Security Assurance Requirements
A.2.7 ISPP Application Explanation
A.2.8 Declaration of Conformity
Appendix B (Normative) Specifications of Information Systems Security Target (ISST)
B.1 Overview
B.2 ISST Content
B.2.1 Content and Form
B.2.2 ISST Introduction
B.2.3 TOE Description
B.2.4 TOE Security Environment
B.2.5 Security Assurance Purpose
B.2.6 Security Assurance Requirements
B.2.7 TOE Summary Specifications
B.2.8 ISPP Declaration
B.2.9 Declaration of Conformity
Appendix C (Informative) Description of Information System
C.1 Overview
C.2 Description Specifications of Information System
C.3 Explanation for Description of Information System
Appendix D (Informative) Explanation of Information Systems Assurance Level (ISAL)
D.1 Overview
D.2 Classification of Information System Mission
D.3 Grading of Information System Threats
D.4 Information Systems Assurance Level (ISAL) Matrix
D.5 ISAL Grading Requirements
Bibliography
Figure 1 Evaluation Context
Figure 2 Concept and Relationship of Information Systems Security
Figure 3 Model of ISSA
Figure 4 Security Assurance Elements of ISSA Life Cycle
Figure 5 Concept and Relationship of ISSA Evaluation
Figure 6 Description of ISSA Evaluation
Figure 7 Entirety and Application of ISSA Evaluation
Figure 8 Generation Process of ISPP and ISST
Figure 9 Organization and Structure of Security Assurance Control Requirements
Figure 10 Application of Security Assurance Requirements
Figure 11 Evaluation Results
Figure A.1 ISPP Content
Figure B.1 ISST Content
Figure C.1 Description Specifications of Information System for ISSA Evaluation
Figure C.2 Technical Reference Model of Information System
Figure D.1 Example for Requirements of Information System Security Management Capability Maturity Level
Figure D.2 Example for Requirements of Information System Security Engineering Capability Maturity Level
Table 1 Guide to Using the Evaluation Framework for ISSA
Table D.1 Example for Classification of Information System Mission
Table D.2 Example for Classification of Information System Threats
Table D.3 Example of ISAL Matrix
Table D.4 Example of ISAL Requirements