
GB/T 28449-2018 English PDF (GBT28449-2018)


GB/T 28449-2018: Information security technology -- Testing and evaluation process guide for classified protection of cybersecurity

This Standard standardizes the testing and evaluation process for classified protection of cyber security (hereinafter referred to as "classified testing and evaluation"). It also specifies testing and evaluation activities as well as work tasks. This Standard is applicable for testing and evaluation organizations, supervision departments of classified targets as well as operation users to carry out testing and evaluation for classified protection of cyber security.
GB/T 28449-2018
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 28449-2012
Information security technology - Testing and
evaluation process guide for classified protection of
cyber security
ISSUED ON: DECEMBER 28, 2018
IMPLEMENTED ON: JULY 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of the People's Republic of
China.
Table of Contents
Foreword ... 4
Introduction ... 6
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 7
4 Overview of classified testing and evaluation ... 8
4.1 Overview of classified testing and evaluation process ... 8
4.2 Classified testing and evaluation risks ... 9
4.3 Classified testing and evaluation risk avoidance ... 9
5 Preparation of testing and evaluation ... 10
5.1 Workflow of preparation of testing and evaluation ... 10
5.2 Major tasks of preparation of testing and evaluation ... 11
5.3 Output files of testing and evaluation preparation ... 13
5.4 Duties of both parties in testing and evaluation preparation ... 14
6 Scheme preparation ... 15
6.1 Workflow of scheme preparation ... 15
6.2 Major tasks of scheme preparation ... 15
6.3 Output files of scheme preparation ... 22
6.4 Duties of both parties in scheme preparation ... 22
7 On-site testing and evaluation ... 23
7.1 Work flow of on-site testing and evaluation ... 23
7.2 Main tasks of on-site testing and evaluation ... 24
7.3 Output files of on-site testing and evaluation ... 26
7.4 Duties of both parties in on-site testing and evaluation ... 27
8 Report preparation ... 28
8.1 Work flow of report preparation ... 28
8.2 Main tasks of report preparation ... 29
8.3 Output files of report preparation ... 35
8.4 Duties of both parties in report preparation ... 36
Annex A (Normative) Workflow of classified testing and evaluation ... 37
Annex B (Normative) Requirements for classified testing and evaluation ... 40
Annex C (Normative) Supplement for classified testing and evaluation of new technology and new application ... 42
Annex D (Normative) Principle and example for confirmation of target of testing and evaluation ... 47
Annex E (Informative) Modes and work tasks for on-site testing and evaluation of classified testing and evaluation ... 53
Annex F (Informative) Example for template of classified testing and evaluation report ... 58
Bibliography ... 87
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009. This Standard replaces GB/T 28449-2012 "Information security technology - Testing and evaluation process guide for classified protection of information system security". Compared with GB/T 28449-2012, in addition to editorial modifications, the main technical changes are as follows:
- modified the standard's name to "Information security technology - Testing and evaluation process guide for classified protection of cyber security";
- modified tasks in report preparation from 6 tasks to 7 tasks (see 4.1 of this Edition, 5.4 of Edition 2012);
- in duties of both parties involved in preparation of testing and evaluation and on-site testing and evaluation, added duties to coordinate multiple parties and specified in some work tasks involved in multiple parties (see 7.4 of this Edition, 8.4 of Edition 2012);
- added contents of information analysis method in information collection and analysis task (see 5.2.2 of this Edition);
- added special tasks and requirements that require additional focus for security testing and evaluation carried out for classified protection target that is built by using cloud computing, Internet of Things, mobile internet, industrial control systems, IPv6 system (see Annex C of this Edition);
- deleted testing and evaluation scheme examples (see Annex D of Edition 2012);
- deleted questionnaire template for basic situation of information system (see Annex E of Edition 2012).
Attention is drawn to the possibility that some contents of this Standard may be the subject of patent rights. The issuing authority shall not be held responsible for identifying any or all such patent rights.
This Standard was proposed by and shall be under the jurisdiction of National Technical Committee on Information Security of Standardization Administration of China (SAC/TC 260).
The drafting organizations of this Standard: The Third Institute of the Ministry of Public Security (Information Security Level Protection Assessment Center of the Ministry of Public Security), The 15th Research Institute of China
Electronics Technology Group Corporation (Information Industry Information Security Evaluation Center), Beijing Information Security Evaluation Center. Main drafters of this Standard: Yuan Jing, Ren Weihong, Jiang Lei, Li Sheng, Zhang Yuxiang, Bi Maning, Li Ming, Zhang Yi, Liu Kaijun, Zhao Qin, Wang Ran, Liu Haifeng, Qu Jie, Liu Jing, Zhu Jianping, Ma Li, Chen Guangyong.
Version of standard substituted by this Standard is:
- GB/T 28449-2012.
Introduction
Classified testing and evaluation in this Standard is a process for testing and evaluation organization, based on technical standards such as GB/T 22239 and GB/T 28448, to test and evaluate whether classified security protection of classified target meets basic requirements for corresponding classification. It is an important link to implement classified protection system of cyber security. During construction, rectification and reform, operator and user of classified target, through classified testing and evaluation, performs situation analysis to determine system's security protection status and existing security problems; and based on this, determine security requirements for system rectification and reform.
During operation-maintenance of classified target, operator and user of classified target regularly perform self-check or entrust testing and evaluation organization to carry out classified testing and evaluation in terms of security classified protection status of classified target to inspect and evaluate information security control ability, so as to determine whether classified target has security protection ability required by corresponding classification in GB/T 22239. Therefore, classified testing and evaluation report formed by classified testing and evaluation is an important reference for classified target to carry out rectification and reinforcement. It is also an important attachment for level three and above classified targets to put on record. Operator and user shall, based on classified testing and evaluation report, make plan for rectification. This Standard is one of series standards related to classified protection of cyber security.
Information security technology - Testing and
evaluation process guide for classified protection of
cyber security
1 Scope
This Standard standardizes testing and evaluation process for classified protection of cyber security (hereinafter referred to as "classified testing and evaluation"). It also specifies testing and evaluation as well as work tasks. This Standard is applicable for testing and evaluation organization, supervision department of classified target as well as operation user to carry out testing and evaluation for classified protection of cyber security.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB 17859, Classified criteria for security protection of computer information system
GB/T 22239, Information security technology - Baseline for classified protection of cybersecurity
GB/T 25069, Information security technology - Glossary
GB/T 28448, Information security technology - Evaluation requirement for classified protection of cybersecurity
3 Terms and definitions
For the purposes of this document, the terms and definitions defined in GB 17859, GB/T 22239 and GB/T 28448 apply.
4 Overview of classified testing and evaluation
4.1 Overview of classified testing and evaluation process
Testing and evaluation process and tasks in this Standard are based on the first classified testing and evaluation that is carried by entrusted testing and evaluation organization on classified target. If operator and user have performed self-check or entrusted testing and evaluation organization has carried out above classified testing and evaluation once, testing and evaluation organization and personnel shall, according to actual situation, adjust partial work tasks (see Annex A). Testing and evaluation organization that carries out classified testing and evaluation shall carry out related work strictly according to classified testing and evaluation requirements given in Annex B.
Classified testing and evaluation process includes four basic testing and evaluation activities: preparation of testing and evaluation, scheme preparation, on-site testing and evaluation, report preparation. Communication and negotiation between relevant parties of testing and evaluation shall be conducted throughout entire classified testing and evaluation. Each testing and evaluation activity has one set of determined work tasks. See Table 1 for details.

Table 1 -- Classified testing and evaluation process

Testing and evaluation activity: Main work tasks

Preparation of testing and evaluation:
- Work start
- Information collection and analysis
- Tool and form preparation

Scheme preparation:
- Confirmation of target of testing and evaluation
- Confirmation of indicator of testing and evaluation
- Confirmation of content of testing and evaluation
- Confirmation of tool testing method
- Development of testing and evaluation guide
- Preparation of scheme of testing and evaluation

On-site testing and evaluation:
- Preparation of on-site testing and evaluation
- Record of testing and evaluation and result
- Result confirmation and material return

Report preparation:
- Determination of individual testing and evaluation result
- Determination of unit testing and evaluation result
- Overall testing and evaluation
- Evaluation of system security assurance
- Risk analysis of security problem
- Formation of classified testing and evaluation conclusion
- Preparation of testing and evaluation report
This Standard gives corresponding working procedure, main task, output file as well as duties of relevant parties of each activity. Each work task has corresponding input, task description and output product.
4.2 Classified testing and evaluation risks
4.2.1 Risk that affects system's normal operation
During on-site testing and evaluation, it is necessary to conduct a certain amount of verification testing on equipment and systems. Some testing contents need on-board verification and require checking some information, which might have a certain impact on the system's operation and could even cause mis-operation.
In addition, when testing tools are used to conduct vulnerability scanning tests, performance tests and penetration tests, they might have a certain impact on the load of the network and the system. Penetration attack tests might also affect the normal operation of servers and systems; for example, they might cause reboots or service interruption, and code implanted during the penetration process might not be completely cleaned up.
4.2.3 Risk of Trojan implant
After testing and evaluation personnel complete a penetration test, they may, intentionally or unintentionally, fail to clean up the testing tools used during the penetration test, or clean them up incompletely; the testing computer itself may also carry a Trojan program. All of these may bring a risk of Trojan implant into the system under test.
4.3 Classified testing and evaluation risk avoidance
During classified testing and evaluation, it shall take the following measures to avoid risks:
a) Signing of a commissioned testing and evaluation agreement
Before testing and evaluation are officially started, testing and evaluation party and party under test and evaluated need to, in a mode of commissioned agreement, specify goal, scope, personnel composition, planning, implementation steps and requirements of testing and evaluation as well as responsibilities and obligations of both parties, so as to make both parties of testing and evaluation reach a consensus on basic problems in testing and evaluation process.
c) Avoidance of on-site testing and evaluation risk
Before on-site testing and evaluation, testing and evaluation organization shall sign an on-site testing and evaluation letter of authorization with relevant organization to require relevant parties to back up system and data, and develop emergency response plans for possible events.
When conducting verification testing and tool testing, it shall avoid business peaks. Conduct when system resource is idle, or configure an analog/simulation environment that is consistent with production environment and conduct testing such as vulnerability scanning in the analog/simulation environment. For on-board verification testing, contents to be verified are proposed by testing and evaluation personnel; actual operation is conducted by technical personnel of system operation and using organization. The entire on-site testing and evaluation process requires full supervision of system operation and using organization.
d) Testing and evaluation site restoration
After testing and evaluation are completed, testing and evaluation personnel shall return all privileges acquired during testing and evaluation process, return relevant documents borrowed during testing and evaluation process, and restore testing and evaluation environment to the status before testing and evaluation are performed.
5 Preparation of testing and evaluation
5.1 Workflow of preparation of testing and evaluation
Preparation of testing and evaluation is to start testing and evaluation project smoothly, to collect relevant material of classified target, to prepare material required by testing and evaluation, and to lay a good foundation for preparation of testing and evaluation scheme.
Preparation of testing and evaluation includes three major tasks: work start, information collection and analysis, tool and form preparation. See Figure 1 for basic workflow of these three tasks.
Figure 1 -- Basic workflow of preparation of testing and evaluation
5.2 Major tasks of preparation of testing and evaluation
5.2.1 Work start
In work start task, testing and evaluation organization builds a project team for classified testing and evaluation so as to obtain basic information of testing and evaluation entrusted organization and classified target. Make full preparation for implementation of entire classified testing and evaluation project in terms of basic information, personnel, planning.
Input: commissioned testing and evaluation agreement.
Task description:
a) According to commissioned testing and evaluation agreement signed by both parties of testing and evaluation as well as system scale, testing and evaluation organization builds a testing and evaluation project team to make full preparation from perspective of personnel, to prepare project planning proposal.
b) Testing and evaluation organization requires testing and evaluation entrusted organization to provide basic information, prepare information so as to make a comprehensive understanding of classified target under test.
Output/product: project planning proposal.
5.2.2 Information collection and analysis
Through checking material that has been obtained by classified target under test or using system survey form, testing and evaluation organization knows composition of entire system and protection situation as well as relevant situation of responsible department, so as to lay a foundation for on-site testing and evaluation as well as security evaluation.
Input: project planning proposal, system survey form, relevant information of classified target under test.
Task description:
a) Testing and evaluation organization collects relevant information required for classified testing and evaluation, including management structure, technical system, operation, construction plan, and related test files during construction of testing and evaluation entrusted organization. See Annex C for supplementary collection information of cloud computing platform, Internet of Things, mobile internet, industrial control system.
b) Testing and evaluation organization submits system survey form to testing and evaluation entrusted organization, supervises and urges relevant personnel of classified target under test to correctly fill in survey form.
c) Testing and evaluation organization takes back survey form that has been filled, analyzes survey results so as to understand and be familiar with actual situation of classified target under test.
When analyzing collected information, it may use the following methods:
1) Use system analysis method to analyze entire network structure and system composition, including network structure, external boundary, number and level of classified target, distribution of classified target at different security protection levels, and load application.
2) Use decomposition and comprehensive analysis method to analyze classified target boundary and system composition component, including physical and logical boundaries, hardware resources, software resources, information resources.
3) Use comparison and analogy analysis method to analyze interrelation of classified target, including application architecture, application processing flow, processing information type, business data processing flow, service target, number of users.
d) If information in survey form is inaccurate, imperfect or contradictory, testing and evaluation organization shall negotiate and confirm with form filling personnel. If necessary, schedule an on-site investigation to have a face-to-face communication and confirmation with relevant personnel, so as to ensure accuracy and completeness of system information survey.
Output/product: completed survey form, various technical information related to classified target under test.
5.2.3 Tool and form preparation
Before testing and evaluation project members conduct on-site testing and evaluation, they shall be familiar with classified target under test, adjust testing and evaluation tools and prepare various forms.
Input: completed survey form, various technical information related to classified target under test.
Task description:
a) Testing and evaluation personnel adjust testing and evaluation tools that shall be used in this testing and evaluation process, including vulnerability scanning tool, penetration testing tool, performance testing tool, and protocol analysis tool.
b) Testing and evaluation personnel simulate architecture of classified target under test in testing and evaluation environment to make preparation for testing and evaluation guide of relevant network and target of testing and evaluation such as host device, and perform necessary tool verification.
5.3 Output files of testing and evaluation preparation
Output files of testing and evaluation preparation and conten...
