1 Scope
This part of GB/T 20274 establishes the framework for information system security engineering assurance and the guide & general principle for the organization starting, implementing, maintaining, evaluating and improving information security engineering. This part defines and explains the security engineering capability level that reflects the information security engineering assurance capability of the organization in the information system security engineering assurance work and provides the security engineering assurance control class requirements of the organization's information security engineering assurance contents.
This part of GB/T 20274 is applicable to the organization for starting, implementing, maintaining, evaluating and improving the information security engineering and all the users, developers and evaluation personnel involved in the information system security engineering.
2 Normative References
The following documents contain provisions which, through reference in this text, constitute provisions of this part. For dated reference, subsequent amendments to (excluding any corrigendum), or revisions of, any of these publications do not apply. However, parties to agreements based on this standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. For any undated references, the latest edition of the document referred to applies.
GB/T 20274.1 Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 1: Introduction and General Model
3 Terms and Definitions
For the purposes of this part of GB/T 20274, the terms and definitions specified in GB/T 20274.1 and the following ones apply.
3.1.1
Validation
The solution meets the user's operation security requirements.
3.1.2
Verification
The solution meets the security requirements.
4 Structure of This Part
Foreword i
1 Scope
2 Normative References
3 Terms and Definitions
4 Structure of This Part
5 Framework for Information Systems Security Engineering Assurance
5.1 Overview of Information Systems Security Engineering Assurance
5.2 Information Systems Security Engineering Assurance Control
5.3 Information Systems Security Engineering Capability Maturity Level
6 Structure of Information Security Engineering Assurance Control Class
6.1 General
6.2 Structure of Security Engineering Assurance Control Class
6.3 Structure of Security Engineering Assurance Control Subclass
6.4 Structure of Security Engineering Assurance Control Component
7 PRM Security Engineering Assurance Control Class: Process of Risk
7.1 Introduction of Security Engineering Assurance Control Class in Process of Risk
7.2 System Definition (PRM_SDF)
7.3 Assessment of Threat (PRM_ATT)
7.4 Assessment of Vulnerability (PRM_AVL)
7.5 Assessment of Influence (PRM_AIM)
7.6 Assessment of Security Risk (PRM_ASR)
8 PEN Security Engineering Assurance Control Class: Process of Engineering
8.1 Introduction of Security Engineering Assurance Control Class in Process of Engineering
8.2 Identification of Security Requirements (PEN_ISR)
8.3 High-level Security Design (PEN_HSD)
8.4 Detailed Security Design (PEN_DSD)
8.5 Security Engineering Execution (PEN_SEE)
8.6 Provision of Security Input (PEN_PSI)
8.7 Monitoring of Security Posture (PEN_MSP)
8.8 Management of Security Control (PEN_MSC)
8.9 Coordination of Security (PEN_COS)
9 PAS Security Engineering Assurance Control Class: Process of Assurance
9.1 Introduction of Security Engineering Assurance Control Class in Process of Assurance
9.2 Verification and Validation of Security (PAS_VVS)
9.3 Establishment of Assurance Evidence (PAS_EAE)
10 Capability Level of Security Engineering Assurance Control Class
10.1 General
10.2 Description of Security Engineering Capability Levels
10.3 Requirements of Capability Level of Information System Security Engineering
Bibliography
Figure 1 Life Cycle of Security Engineering Process
Figure 2 Structure of Security Engineering Assurance Control Class
Figure 3 Structure of Security Engineering Assurance Control Subclass
Figure 4 Structure of Security Engineering Assurance Control Component
Figure 5 Description of Process of Risk
Figure 6 Structure of Security Engineering Assurance Control Subclass - System Definition (PRM_SDF)
Figure 7 Structure of Security Engineering Assurance Control Subclass – Assessment of Threat (PRM_ATT)
Figure 8 Structure of Security Engineering Assurance Control Subclass - Assessment of Vulnerability (PRM_AVL)
Figure 9 Structure of Security Engineering Assurance Control Subclass – Assessment of Influence (PRM_AIM)
Figure 10 Structure of Security Engineering Assurance Control Subclass – Assessment of Security Risk (PRM_ASR)
Figure 11 Introduction of Security Engineering Assurance Control Class in Process of Engineering
Figure 12 Structure of Security Engineering Assurance Control Subclass – Identification of Security Requirements (PEN_ISR)
Figure 13 Structure of Security Engineering Assurance Control Subclass - High-level Security Design (PEN_HSD)
Figure 14 Structure of Security Engineering Assurance Control Subclass - Detailed Security Design (PEN_DSD)
Figure 15 Structure of Security Engineering Assurance Control Subclass - Security Engineering Execution (PEN_SEE)
Figure 16 Structure of Security Engineering Assurance Control Subclass – Provision of Security Input (PEN_PSI)
Figure 17 Structure of Security Engineering Assurance Control Subclass – Monitoring of Security Posture (PEN_MSP)
Figure 18 Structure of Security Engineering Assurance Control Subclass – Management of Security Control (PEN_MSC)
Figure 19 Structure of Security Engineering Assurance Control Subclass - Coordination of Security (PEN_COS)
Figure 20 Introduction of Security Engineering Assurance Control Class in Process of Assurance
Figure 21 Structure of Security Engineering Assurance Control Subclass - Verification and Validation of Security (PAS_VVS)
Figure 22 Structure of Security Engineering Assurance Control Subclass – Establishment of Assurance Evidence (PAS_EAE)
Figure 23 Required Capability Level of Information Systems Security Engineering
Table 1 Relationship between Security Engineering Life Cycle and Process Domain