
PayPal, credit cards. Download editable-PDF and invoice in 1 second!

GB/T 36959-2018 English PDF (GBT36959-2018)

Regular price $370.00 USD
Sold out
Shipping is calculated at checkout.
Delivery: 3 seconds. Download true-PDF + Invoice.
Get QUOTATION in 1-minute: Click GB/T 36959-2018
Historical versions: GB/T 36959-2018

GB/T 36959-2018: Information security technology -- Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity
GB/T 36959-2018
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Capability
requirements and evaluation specification for
assessment organization of classified protection of
cybersecurity
ISSUED ON: DECEMBER 28, 2018
IMPLEMENTED ON: JULY 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3 
Introduction ... 4 
1 Scope ... 5 
2 Normative references ... 5 
3 Terms and definitions ... 5 
4 Capability requirements of assessment organizations ... 6 
4.1 Classification of assessment organizations ... 7 
4.2 Classification of level evaluation personnel ... 7 
4.3 Capability requirements for level I assessment organizations ... 7 
4.4 Capability requirements for level II assessment organizations ... 16 
4.5 Capability requirements for Level III assessment organizations ... 27 
4.6 Normative requirements for activities of assessment organization ... 38 
5 Evaluation of the capability of assessment organization ... 39 
5.1 Evaluation process ... 39 
5.2 First-time evaluation ... 41 
5.3 Continuous evaluation ... 43 
5.4 Capability review ... 43 
Appendix A (Normative) Summary form of requirements for capability
enhancement of assessment organizations of classified protection of
cybersecurity at all levels ... 44 
Appendix B (Normative) Capability requirements for classified protection
evaluator of cybersecurity ... 52 
Information security technology - Capability
requirements and evaluation specification for
assessment organization of classified protection of
cybersecurity
1 Scope
This standard specifies the capability requirements and evaluation
specifications of assessment organizations of classified protection of
cybersecurity.
This standard applies to activities such as capability building, operations
management and qualification evaluation of organizations that intend to become,
or upgrade to a higher level of, assessment organization of classified protection
of cybersecurity.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the version with the indicated date applies to this
document; for undated references, only the latest version (including all
amendments) applies to this standard.
GB/T 28448 Information security technology - Evaluation requirement for
classified protection of cybersecurity
GB/T 28449 Information security technology - Testing and evaluation
process guide for classified protection of cybersecurity
3 Terms and definitions
The terms and definitions as defined in GB/T 28448 as well as the following
terms and definitions apply to this document.
3.1
Capability evaluation
According to standards and/or other normative documents, the process of
e) There are no fewer than 15 technical and managerial personnel with
cybersecurity-related work experience and no fewer than 2 full-time penetration
testers, with clear job responsibilities and relatively stable staffing;
f) Have a fixed office space, equipped with testing and evaluation tools and
experimental environments that meet the needs of the evaluation
business;
g) It has complete rules and regulations for security and confidentiality
management, project management, quality management, personnel
management, file management, training and education;
h) Does not involve business that may affect the fairness of the evaluation
results (except for personal use) such as cybersecurity product
development, sales, or information system security integration;
i) Other conditions that shall be met.
4.3.2 Organizational management capabilities
4.3.2.1 The manager of the assessment organization shall master the classified
protection policy documents and be familiar with relevant standards and
specifications.
4.3.2.2 The assessment organization shall organize and set up relevant
departments in a certain way; clarify their responsibilities, authorities and
mutual relations; ensure the orderly development of various tasks.
4.3.2.3 The assessment organization shall have professional technical personnel
and management personnel competent for the level evaluation work; the proportion
of personnel holding a bachelor's degree or above shall not be less than 70%.
4.3.2.4 The assessment organization shall set up positions that meet the needs
of the level evaluation work, such as evaluation technicians, evaluation project
team leaders, technical supervisors, quality supervisors, security officers,
equipment managers, file managers, etc., with clear job responsibilities and
stable personnel.
4.3.2.5 The assessment organization shall formulate complete rules and
regulations, including but not limited to the following:
a) Project management system
The assessment organization shall formulate a comprehensive evaluation
project management system in line with its own characteristics in
accordance with GB/T 28449, which shall mainly include the organization
examinations organized by the designated assessment organization and obtain
the certificate of level evaluator. Level evaluation personnel need to hold a
permit to work.
4.3.3.1.3 Evaluation technicians, evaluation project team leaders, technical
supervisors shall obtain primary, intermediate, advanced level evaluator
certificates respectively; the number of evaluators shall not be less than 15.
4.3.3.1.4 In addition to the qualifications of level evaluators, evaluators shall
participate in various forms of evaluation business and technical training each
year. The total training time of evaluators shall not be less than 40 hours per
year.
4.3.3.1.5 The assessment organization shall appoint a technical supervisor who
is fully responsible for the technical work of level evaluation.
4.3.3.2 Evaluation capability
4.3.3.2.1 The assessment organization shall prove that it has more than 2 years
of work experience in cybersecurity-related work by providing cases, process
records and other materials.
4.3.3.2.2 The assessment organization shall ensure that it is engaged in
evaluation work within its capabilities and has sufficient resources to meet the
requirements of the evaluation work, which is specifically reflected in the
following aspects:
a) Security technology evaluation and implementation capabilities, including
developing, using and maintaining evaluation work and exercising professional
judgment to obtain relevant results in the areas of physical and environmental
security, network and communication security, equipment and computing security,
application and data security, etc.;
b) Security management evaluation and implementation capabilities, including
developing, using and maintaining evaluation work and exercising professional
judgment to obtain relevant results in the areas of security strategy and
management system, security management organization and personnel, security
construction management, and security operation and maintenance management;
c) Security testing and analysis capabilities, which refer to the capability to
develop test-related work instructions based on actual evaluation
requirements, use special evaluation equipment and tools to realize
vulnerability discovery and problem analysis;
d) The overall evaluation implementation capability, which refers to the
capability to give specific results of the overall evaluation based on the
form the evaluation report. The eva...