GB/T 20274.3-2008 Information security technology Evaluation framework for information systems security assurance Part 3: Management assurance (English Version)
1 Scope
This part of GB/T 20274 establishes the framework for information systems security management assurance, together with the guidelines and general principles for an organization to initiate, implement, maintain, evaluate and improve information security management. It defines and explains the security management capability levels, which reflect the organization's information security management assurance capability in its information system security management assurance work, and it provides the security management assurance control class requirements for the content of the organization's information security management assurance.
This part applies to all users, developers and evaluation personnel of the organization who are involved in information system security management.
2 Normative References
The following documents contain provisions which, through reference in this text, constitute provisions of this part. For dated references, subsequent amendments to (excluding any corrigendum), or revisions of, any of these publications do not apply. However, parties to agreements based on this standard are encouraged to investigate the possibility of applying the most recent editions of the standards indicated below. For any undated references, the latest edition of the document referred to applies.
GB/T 20274.1 Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 1: Introduction and General Model
3 Terms and Definitions
For the purposes of this part of GB/T 20274, the terms and definitions specified in GB/T 20274.1 and the following ones apply.
3.1
Control
The means of managing risk, including policies, procedures, guidelines, practices or the structure of the organization. A control may be a management, technical or engineering control.
Note 1: "control" is synonymous with "control measures" and "protective measures".
Note 2: This part mainly discusses controls that manage risk through management methods, i.e. management controls.
3.2
Information processing facility
An information processing facility refers to any service or infrastructure, or the physical location in which it is placed.
4 Structure of This Part
This part of GB/T 20274 is organized as follows:
a) Chapter 1 introduces the scope of this part;
b) Chapter 2 introduces the normative references of this part;
c) Chapter 3 describes the terms and definitions applicable to this part;
d) Chapter 4 describes the organization structure of this part;
e) Chapter 5 describes the framework for information systems security management assurance and further summarizes the control class and capability level of management assurance.
Contents of GB/T 20274.3-2008
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Structure of This Part
5 Framework for Information Systems Security Management Assurance
5.1 Overview of Information Management Assurance
5.2 Information Security Management Assurance Control
5.3 Information Security Assurance Management Capability Levels
6 Structure of Information Security Management Assurance Control Class
6.1 General
6.2 Structure of Management Assurance Control Class
6.3 Structure of Management Assurance Control Subclass
6.4 Structure of Management Assurance Control Component
6.5 Allowable Operation
7 MRM Management Assurance Control Class: Management of Risk
7.1 Object Establishment (MRM_TEM)
7.2 Risk Assessment (MRM_RAM)
7.3 Risk Control (MRM_RCT)
7.4 Communication and Monitoring (MRM_CAM)
8 MSP Management Assurance Control Class: Information Security Policy
8.1 Information Security Policy (MSP_SPL)
9 MSO Management Assurance Control Class: Information Security Organization
9.1 Management Support of Information Security (MSO_SOM)
9.2 Information Security Organization Structure (MSO_ORG)
9.3 Responsibility of Information Security (MSO_RES)
9.4 Communication and Cooperation (MSO_CAC)
10 MPS Management Assurance Control Class: Management of Personal Security
10.1 Personal Examination (MPS_PEC)
10.2 Security Awareness and Training (MPS_SAT)
10.3 Examination and Reward & Punishment (MPS_CRP)
10.4 Management of Personnel Change (MPS_PCM)
11 MAM Management Assurance Control Class: Management of Asset
11.1 Asset Register Management (MAM_ARM)
11.2 Asset Management Responsibility (MAM_AMR)
11.3 Asset Classification Management (MAM_ACM)
12 MPE Management Assurance Control Class: Management of Physical and Environmental Security
12.1 Management of Physical Security Area (MPE_PSA)
12.2 Supporting Infrastructure Security (MPE_SIS)
12.3 Equipment Security (MPE_EMS)
13 MCM Management Assurance Control Class: Management of Compliance
14 MSP Management Assurance Control Class: Management of Information Security Planning
15 MSD Management Assurance Control Class: Management of System Development
16 MOP Management Assurance Control Class: Management of Operation
17 MBD Management Assurance Control Class: Management of Business Continuity and Disaster Recovery
17.1 Business Continuity Management (MBD_BCM)
18 MER Management Assurance Control Class: Management of Emergency Response
18.1 Report Security Event and Security Vulnerability (MER_REW)
18.2 Management of Emergency Response (MER_IMI)
19 Description of Security Management Capability Levels
19.1 General
19.2 Description of Security Management Capability Levels
19.3 Application of Information System Security Assurance Management Capability Levels
Bibliography
Figure 1 Information System Security Management Assurance Control Class
Figure 2 Structure of Management Assurance Control Class
Figure 3 Structure of Management Assurance Control Subclass
Figure 4 Structure of Management Assurance Control Component
Figure 5 Structure of Management Assurance Control Class - Management of Risk (MRM)
Figure 6 Structure of Management Assurance Control Class - Information Security Policy (MSP)
Figure 7 Structure of Management Assurance Control Class - Information Security Organization (MSO)
Figure 8 Structure of Management Assurance Control Class - Management of Personal Security (MPS)
Figure 9 Structure of Management Assurance Control Class - Management of Asset (MAM)
Figure 10 Structure of Management Assurance Control Class - Management of Physical and Environmental Security (MPE)
Figure 11 Structure of Management Assurance Control Class - Management of Compliance (MCM)
Figure 12 Structure of Management Assurance Control Class - Management of Information Security Planning (MSP)
Figure 13 Structure of Management Assurance Control Class - Management of System Development (MSD)
Figure 14 Structure of Management Assurance Control Class - Management of Operation (MOP)
Figure 15 Structure of Management Assurance Control Class - Management of Business Continuity and Disaster Recovery (MBD)
Figure 16 Structure of Management Assurance Control Class - Management of Emergency Response (MER)
Figure 17 Example of the Required Levels of Information System Security Assurance Management Capability
Standard No.: GB/T 20274.3-2008
Status: valid
Language: English
File Format: PDF
Word Count: 32000 words
Implemented on: 2008-12-1