Foreword
This document is drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for standardization work Part 1: Structure and drafting rules of standardized documents".
This document is Part 1 of GB/T 20274 "Information Security Technology Information System Security Assurance Assessment Framework". GB/T 20274 has published the following parts:
Part 1:Introduction and general model.
Part 2:Technical Assurance.
Part 3:Management Assurance.
Part 4: Engineering Assurance.
This document replaces GB/T 20274.1-2006 "Information Security Technology Information System Security Assurance Assessment Framework Part 1: Brief and General Model". Compared with GB/T 20274.1-2006, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
a) Deleted the inapplicable boundary (see Chapter 1 of the 2006 edition).
b) Changed the definitions of "information system" and "information system security assurance", deleted the other terms, added the term and definition of "organizational security policy", and deleted the abbreviations (see Chapter 3; 3.1 and 3.2 of the 2006 edition).
c) Changed the description of the target audience (see Chapter 4; 4.2 of the 2006 edition).
d) Deleted "Assessment Context" and "Document Structure of the Information System Security Assurance Assessment Framework" (see 4.3 and 4.4 of the 2006 edition).
e) Changed "General Model" to "Information System Security Assurance Model" (see Chapter 5; 5.1 and 5.2 of the 2006 edition).
f) Changed "information system security description materials" to "information system security elements" and deleted the content on ISPP and ISST (see Chapter 6; 5.5 of the 2006 edition).
g) Deleted "information security overall and application" and "the use of security requirements" (see 5.3.4 and 5.5.3 of the 2006 edition).
h) Changed the diagram and textual description of "information system security assessment concepts and relationships" (see 7.1; 5.3.2 of the 2006 edition).
i) Changed "security in the information system life cycle" to "information system security assessment content" (see 7.2; 5.3.2 and 5.2.2.2 of the 2006 edition).
j) Changed the textual description and graphical content of "information system security assessment" (see 7.2; 5.3.3 of the 2006 edition).
k) Changed "information system security assessment and assessment results" to "information system security assessment determination", deleted the content related to ISPP and ISST, and added assessment guidelines and requirements for security level determination (see 7.3; Chapter 6 of the 2006 edition).
Please note that some of the contents of this document may involve patents. The issuer of this document does not assume responsibility for identifying patents.
Introduction
GB/T 20274 "Information Security Technology Information System Security Assurance Assessment Framework" is based on GB/T 18336 "Information Technology Security Technology Information Technology Security Assessment Guidelines". It extends the scope from products to information technology systems and, by combining with other domestic and international standards and specifications in the field of information system security, extends and supplements them to form a common framework for describing and assessing the security content and capability of information systems. GB/T 20274 is a basic framework standard for guiding information system security assessment. It provides a standardized common description language, structure and method for all parties engaged in information system security work (including design developers, engineering implementers, assessors, certification and accreditation bodies, etc.). GB/T 20274 aims to give the basic concepts and model of information system security assurance and to establish the security requirements and capability level requirements in the technical, management and engineering aspects. It consists of four parts:
Part 1: Introduction and general model. The purpose is to give the basic concepts and model of information system security assurance and to propose a framework for information system security assurance assessment.
Part 2: Technical Assurance. The purpose is to establish the basic security requirements of information systems in the technical aspect and the corresponding capability level requirements.
Part 3: Management Assurance. The purpose is to establish the basic security requirements of information systems in the management aspect and the corresponding capability level requirements.
Part 4: Engineering Assurance. The purpose is to establish the basic security requirements of information systems in the engineering aspect and the corresponding capability level requirements.
1 Scope
This document gives the basic concepts and model of information system security assurance and the framework for information system security assurance assessment. This document is applicable for guiding system builders, operators, service providers and evaluators in carrying out information system security assurance work.
2 normative reference documents
The following documents are referred to in the text in such a way that some or all of their content constitutes provisions of this document. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 18336.1-2015 Information Technology Security Technology Information Technology Security Assessment Guidelines Part 1: Introduction and General Model
GB/T 25069-2022 Information security technology Terminology
3 terms and definitions
The terms and definitions defined in GB/T 25069-2022 and GB/T 18336.1-2015, and the following, apply to this document.
4 Overview
The parties involved in information system security assurance assessment generally include information system builders, information system operators, service providers and assessors. Information system builders include planning, design and engineering implementation personnel. Builders use the common description language, methods and structures from the technical, management and engineering areas of information system security assurance to express their information system security assurance requirements. This document helps builders describe their information system security assurance requirements more precisely and prepare information system security assurance programs and specifications that meet the requirements of their operating environment. Based on the information system security assurance assessment, a builder can understand the current status of its information system security assurance and, based on the assessment results, further refine and continuously improve the security assurance capability of its information system.
Information system operators use the common description language, methods and structures from the technical and management areas of information system security assurance to express their information system security assurance requirements. Operators can use this document to communicate more effectively with information system builders and other relevant personnel and to reach mutual understanding. Based on the information system security assurance assessment, an operator can understand the current status of its information system security assurance, further improve the security assurance capability of its information system based on the assessment results, and gain confidence in the security assurance of its information system.
Service providers use the common description language, methods and structures from the technical, management and engineering areas of information system security assurance to express the relevant information system security assurance requirements, to communicate effectively with system operators and builders, and to carry out project implementation.
Evaluators refer to this document to define the content of the information system security assurance assessment and carry out the assessment based on the defined content.
5 Information system security assurance model and level
6 Information system security elements
6.1 Information system security elements of the structure
Security assurance elements are divided, according to the security technology, security management and security engineering fields, into security technology assurance requirements, security management assurance requirements and security engineering assurance requirements. The security assurance elements use a hierarchical "class, subclass and component" structure. Users should select specific security assurance requirements based on the results of risk assessment. The relationship between the different levels of the security assurance element structure is shown in Figure 3.
7 Information system security assessment framework
7.1 Information system security assessment concepts and relationships
Information system security assurance assessment is an objective assessment of the specific security assurance work and activities of an information system in the operating environment in which it is located. It provides all relevant parties of the information system with objective evidence, collected by the assessment, that the security assurance work of the information system can achieve its security assurance strategy and can reduce the risk it faces to an acceptable level, and thereby gives them subjective confidence. The object of information system security assurance assessment is the information system, which includes not only the information technology system considered purely technically, but also the human and management areas related to the operating environment in which the information system is located. Information system security assurance is a dynamic and continuous process involving the entire life cycle of the information system, so the assessment of information system security assurance should also provide dynamic and continuous confidence. Adequate identification and correct implementation of security assurance elements is also an important prerequisite for risk reduction. The concepts and relationships of information system security assurance assessment are shown in Figure 5.
7.2 Information system security assurance assessment content
In the information system security assurance model, the information system life cycle dimension and the security assurance element dimension are not isolated from each other but are interrelated and inseparable. The relationship between them is shown in Figure 6.
7.3 Information system security assurance assessment determination
The information system security assurance capability level is determined through the information system security assurance assessment. When assessing an information system, the assessor should state:
a) whether the security assurance elements of the information system are sufficient to control the risks it faces within an acceptable range;
b) whether the security assurance elements of the information system are correctly designed and implemented, and determine the corresponding level.
The evaluator should assess the engineering assurance, technical assurance and management assurance levels of the information system independently and give the corresponding assessment conclusion for each. For the assessment of the information system as a whole, the assessment results of the engineering, technical and management levels should be integrated, and the lowest assurance capability level among the three should be taken as the assessment result for the overall information system.
Bibliography