1 Scope
This standard specifies management requirements for information system security engineering (hereinafter referred to as security engineering). It serves as guidance for the owner, the developer and the third party in the construction of information system security engineering, and as the basis on which all parties can establish a security engineering management system.
This standard, in accordance with the five security protection levels specified in GB 17859-1999, specifies different requirements for the management of information system security engineering.
This standard applies to the management of security engineering by the owner and the developer of an information system, and may be used as a reference by all parties concerned.
2 Normative References
The following standards contain provisions which, through reference in this text, constitute provisions of this standard. For dated references, subsequent amendments to (excluding correction to), or revisions of, any of these publications do not apply. However, the parties to agreements based on this standard are encouraged to investigate the possibility of applying the most recent editions of the standards. For undated references, the latest edition of the normative document referred to applies.
GB 17859-1999 Classified Criteria for Security Protection of Computer Information System
GB/T 20269-2006 Information Security Technology - Information System Security Management Requirements
GB/T 20271-2006 Information Security Technology - Common Security Techniques Requirement for Information System
3 Terminologies and Definitions
For the purposes of this standard, the following terminologies and definitions apply.
3.1
Security engineering
The system engineering process that ensures the confidentiality, integrity and availability of an information system.
3.2
Security engineering lifecycle
The activities related to security engineering throughout the lifecycle of an information system, including concept formation, concept development and definition, verification and validation, engineering implementation development and manufacture, production and deployment, operation and support, and termination.
3.3
Security engineering guide
Guidance defined by the engineering group on how to select, design and implement the engineering system structure.
3.4
Vulnerability
A weakness of an asset or a group of assets that can be exploited by a certain threat.
3.5
Risk
The probability that a certain threat will cause the loss of, or damage to, an asset or a group of assets by exploiting its or their vulnerability.
3.6
Owner
The party that organizes the construction of information system security engineering.
3.7
Developer
The party that provides services for the construction of information system security engineering.
3.8
Third party
A neutral organization or institution, independent of the owner and the developer, which is engaged in activities relating to the construction of information system security engineering.
Contents of GB/T 20282-2006
Foreword
1 Scope
2 Normative References
3 Terminologies and Definitions
4 Security Engineering System
4.1 Overview
4.2 Goal of Security Engineering
4.3 Fundamental Relation
5 Qualification Assurance Requirements
5.1 System Integration Qualification Requirement
5.2 Personnel Qualification Requirement
5.3 Third-party Service Requirement
5.4 Security Product Requirement
5.5 Engineering Supervision Requirement
5.6 Requirement for Compliance with Laws, Regulations and Policies
6 Organizational Assurance Requirements
6.1 Define Organizational Process of System Engineering
6.2 Improve Organizational Process of System Engineering
6.3 Manage the Evolution of Series of Products
6.4 Manage Support Environment of System Engineering
6.5 Host Training
6.6 Coordinate with Supplier
7 Engineering Implementation Requirements
7.1 Manage Security Control
7.2 Assess Impacts
7.3 Assess Security Risk
7.4 Assess Threats
7.5 Assess Vulnerability
7.6 Build Assurance Argument
7.7 Coordinate Security
7.8 Monitor Security Posture
7.9 Provide Security Input
7.10 Specify Security Requirements
7.11 Verify and Validate Security
8 Project Implementation Requirements
8.1 Quality Assurance
8.2 Manage Configuration
8.3 Manage Project Risk
8.4 Monitor Technical Activities
8.5 Plan Technical Activities
9 Grading Requirements for Security Engineering Management
9.1 Level 1: the User's Discretionary Protection Level
9.2 Level 2: System Audit Protection Level
9.3 Level 3: Security Label Protection Level
9.4 Level 4: Structured Protection Level
9.5 Level 5: Access Verification Protection Level
9.6 Comparison Table of Security Protection Level Classification and Security Engineering Requirements
10 Process and Requirements of Security Engineering
10.1 Security Engineering Process
10.2 Security Engineering Requirements of Security Engineering Process in Each Stage
Appendix A (Informative) Corresponding Relationship between Security Engineering Requirements and Security Protection Level/Security Engineering Process
Bibliography