Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 28449-2012 Information security technology—Testing and evaluation process guide for classified protection of information system security. In addition to editorial changes, the following main technical changes have been made with respect to GB/T 28449-2012:
—The standard title was changed from Information security technology—Testing and evaluation process guide for classified protection of information system security to Information security technology—Testing and evaluation process guide for classified protection of cybersecurity.
—The report preparation activity has been modified from 6 tasks to 7 tasks (see 4.1; 5.4 of the 2012 edition);
—The responsibility for coordinating multiple parties has been added to the responsibilities of both parties in the T&E preparation activity and on-site T&E activity, and has also been articulated in some tasks involving multiple parties (see 7.4; 8.4 of the 2012 edition);
—Information analysis methods have been added to the information collection and analysis task (see 5.2.2);
—Special tasks and requirements that require additional focus have been added in the security testing and evaluation of classified protection targets constructed by cloud computing, Internet of Things, mobile Internet, industrial control systems, IPv6 systems, etc. (see Annex C);
—The example for T&E scheme has been canceled (see Annex D of the 2012 edition);
—The template of the basic information survey form of the information system has been canceled (see Annex E of the 2012 edition).
Attention is drawn to the possibility that some of the elements of this standard may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the National Technical Committee on Information Security of Standardization Administration of China (SAC/TC 260).
The previous editions of this standard are as follows:
—GB/T 28449-2012.
Introduction
For the purpose of this standard, testing and evaluation refers to the process by which a testing and evaluation body tests and evaluates whether the security status of the rated object meets the basic requirements of the corresponding level, in accordance with technical standards such as GB/T 22239 and GB/T 28448. It is an important means of implementing the classified protection system for cybersecurity.
During construction and rectification of the rated object, the operator and user of the rated object use testing and evaluation to analyze the current status of the system's security protection, identify existing security problems, and thereby determine the system's security rectification needs.
During operation and maintenance of the rated object, the operator and user of the rated object regularly conduct a self-inspection, or commission a T&E agency to test and evaluate the security status of the rated object, in order to review and evaluate information security management and control capabilities and thus determine whether the rated object has the security protection capabilities required for its level in GB/T 22239. The report produced by the T&E activities is therefore an important basis for the rectification and reinforcement of the rated object, and is also an important attachment for the filing of rated objects of the third level and above. The T&E conclusion for a rated object is expressed as either "non-conforming" or "basically conforming", and its operator and user shall formulate a rectification plan based on the T&E report.
This standard is one of the series standards related to classified protection of cybersecurity.
Information security technology—
Testing and evaluation process guide for classified protection of cybersecurity
1 Scope
This standard regulates the working processes of testing and evaluation for classified protection of cybersecurity (hereinafter referred to as "testing and evaluation" and “T&E”), and specifies the testing and evaluation activities and their tasks.
This standard is applicable to T&E work for classified protection of cybersecurity performed by T&E agencies, competent authorities, and operators and users of rated objects.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB 17859 Classified Criteria for Security Protection of Computer Information System
GB/T 22239 Information security technology—Baseline for classified protection of information system security
GB/T 25069 Information security technology—Glossary
GB/T 28448 Information security technology—Testing and evaluation requirement for classified protection of information system
3 Terms and definitions
For the purpose of this document, the terms and definitions given in GB 17859, GB/T 22239 and GB/T 28448 apply.
4 General about testing and evaluation
4.1 General about T&E process
The T&E work processes and tasks in this standard are based on an initial testing and evaluation of the rated object by a commissioned T&E agency. Where the operator and user perform a self-inspection, or the commissioned T&E agency has already tested and evaluated the rated object more than once, the T&E agency and staff shall adapt some of the work tasks to the actual situation (see Annex A). The T&E agency shall carry out the related work strictly in accordance with the T&E work requirements given in Annex B.
The T&E process consists of four basic activities: T&E preparation, scheme preparation, on-site testing and evaluation, and report preparation. Communication and negotiation between the parties involved in the testing and evaluation shall run through the entire T&E process. Each T&E activity has a defined set of tasks, as detailed in Table 1.
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 General about testing and evaluation
4.1 General about T&E process
4.2 T&E risks
4.3 T&E risk aversion
5 T&E preparation
5.1 Workflow of T&E preparation
5.2 Major tasks of T&E preparation
5.3 Output documents for T&E preparation
5.4 Responsibilities of both parties in T&E preparation
6 Scheme preparation
6.1 Workflow of scheme preparation
6.2 Major tasks of scheme preparation
6.3 Output document of scheme preparation activity
6.4 Responsibilities of both parties in the scheme preparation activity
7 On-site testing and evaluation
7.1 Workflow of on-site testing and evaluation
7.2 Major tasks of on-site T&E activity
7.3 On-site T&E activity output documents
7.4 Responsibilities of both parties in on-site T&E activity
8 Report preparation
8.1 Workflow of report preparation
8.2 Major tasks of report preparation
8.3 Output document of report preparation activity
8.4 Responsibilities of both parties in the report preparation activity
Annex A (Normative) T&E workflow
Annex B (Normative) T&E work requirements
Annex C (Normative) Supplement to T&E implementation for new technologies and new applications
Annex D (Normative) Criteria and examples for determining the T&E targets
Annex E (Informative) On-site T&E methods and tasks for T&E
Annex F (Informative) Format of T&E report
Bibliography