1 Scope
This part of GB/T 20274 establishes the framework for information system security management assurance and gives the guidelines and general principles for an organization to initiate, implement, maintain, evaluate and improve its information security management. This part defines and explains the security management capability levels, which reflect an organization's information security management assurance capability in information system security management assurance work, and specifies the requirements of the management assurance control classes that make up the content of an organization's information security management assurance.
This part is applicable to all users, developers and evaluation personnel of an organization who are involved in information system security management.
2 Normative References
The following documents contain provisions which, through reference in this text, constitute provisions of this part. For dated references, subsequent amendments to (excluding corrigenda), or revisions of, any of these publications do not apply. However, parties to agreements based on this part are encouraged to investigate the possibility of applying the most recent editions of the documents indicated below. For undated references, the latest edition of the document referred to applies.
GB/T 20274.1 Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 1: Introduction and General Model
3 Terms and Definitions
For the purposes of this part of GB/T 20274, the terms and definitions specified in GB/T 20274.1 and the following ones apply.
3.1
Control
A means of managing risk, including policies, procedures, guidelines, practices or organizational structures. A control may be a management, technical or engineering control.
Note 1: "control" is used as a synonym for "control measure" and "safeguard".
Note 2: This part mainly discusses controls that are management means of managing risk, i.e. management controls.
3.2
Information processing facility
Any information processing service or infrastructure, or the physical location that houses it.
4 Structure of This Part
The organization structure of this part of GB/T 20274 is as follows:
a) Chapter 1 introduces the scope of this part;
b) Chapter 2 introduces the normative references of this part;
c) Chapter 3 describes the terms and definitions applicable to this part;
d) Chapter 4 describes the organization structure of this part;
e) Chapter 5 describes the framework for information system security management assurance and summarizes the management assurance control classes and the management assurance capability levels.
Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Structure of This Part
5 Framework for Information Systems Security Management Assurance
5.1 Overview of Information Security Management Assurance
5.2 Information Security Management Assurance Control
5.3 Information Security Assurance Management Capability Levels
6 Structure of Information Security Management Assurance Control Class
6.1 General
6.2 Structure of Management Assurance Control Class
6.3 Structure of Management Assurance Control Subclass
6.4 Structure of Management Assurance Control Component
6.5 Allowable Operations
7 MRM Management Assurance Control Class: Management of Risk
7.1 Object Establishment (MRM_TEM)
7.2 Risk Assessment (MRM_RAM)
7.3 Risk Control (MRM_RCT)
7.4 Communication and Monitoring (MRM_CAM)
8 MSP Management Assurance Control Class: Information Security Policy
8.1 Information Security Policy (MSP_SPL)
9 MSO Management Assurance Control Class: Information Security Organization
9.1 Management Support of Information Security (MSO_SOM)
9.2 Information Security Organization Structure (MSO_ORG)
9.3 Responsibility for Information Security (MSO_RES)
9.4 Communication and Cooperation (MSO_CAC)
10 MPS Management Assurance Control Class: Management of Personnel Security
10.1 Personnel Examination (MPS_PEC)
10.2 Security Awareness and Training (MPS_SAT)
10.3 Examination, Reward and Punishment (MPS_CRP)
10.4 Management of Personnel Change (MPS_PCM)
11 MAM Management Assurance Control Class: Management of Assets
11.1 Asset Register Management (MAM_ARM)
11.2 Asset Management Responsibility (MAM_AMR)
11.3 Asset Classification Management (MAM_ACM)
12 MPE Management Assurance Control Class: Management of Physical and Environmental Security
12.1 Management of Physical Security Areas (MPE_PSA)
12.2 Supporting Infrastructure Security (MPE_SIS)
12.3 Equipment Security (MPE_EMS)
13 MCM Management Assurance Control Class: Management of Compliance
14 MSP Management Assurance Control Class: Management of Information Security Planning
15 MSD Management Assurance Control Class: Management of System Development
16 MOP Management Assurance Control Class: Management of Operation
17 MBD Management Assurance Control Class: Management of Business Continuity and Disaster Recovery
17.1 Business Continuity Management (MBD_BCM)
18 MER Management Assurance Control Class: Management of Emergency Response
18.1 Reporting of Security Events and Security Vulnerabilities (MER_REW)
18.2 Management of Emergency Response (MER_IMI)
19 Description of Security Management Capability Levels
19.1 General
19.2 Description of Security Management Capability Levels
19.3 Application of Information System Security Assurance Management Capability Levels
Bibliography
Figure 1 Information System Security Management Assurance Control Classes
Figure 2 Structure of Management Assurance Control Class
Figure 3 Structure of Management Assurance Control Subclass
Figure 4 Structure of Management Assurance Control Component
Figure 5 Structure of Management Assurance Control Class - Management of Risk (MRM)
Figure 6 Structure of Management Assurance Control Class - Information Security Policy (MSP)
Figure 7 Structure of Management Assurance Control Class - Information Security Organization (MSO)
Figure 8 Structure of Management Assurance Control Class - Management of Personnel Security (MPS)
Figure 9 Structure of Management Assurance Control Class - Management of Assets (MAM)
Figure 10 Structure of Management Assurance Control Class - Management of Physical and Environmental Security (MPE)
Figure 11 Structure of Management Assurance Control Class - Management of Compliance (MCM)
Figure 12 Structure of Management Assurance Control Class - Management of Information Security Planning (MSP)
Figure 13 Structure of Management Assurance Control Class - Management of System Development (MSD)
Figure 14 Structure of Management Assurance Control Class - Management of Operation (MOP)
Figure 15 Structure of Management Assurance Control Class - Management of Business Continuity and Disaster Recovery (MBD)
Figure 16 Structure of Management Assurance Control Class - Management of Emergency Response (MER)
Figure 17 Example of the Required Levels of Information System Security Assurance Management Capability