GB/T 28449-2018 English PDF (GBT28449-2018)
GB/T 28449-2018: Information security technology -- Testing and evaluation process guide for classified protection of cybersecurity
GB/T 28449-2018
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 28449-2012
Information security technology - Testing and evaluation process guide for classified protection of cyber security
ISSUED ON: DECEMBER 28, 2018
IMPLEMENTED ON: JULY 01, 2019
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword ... 4
Introduction ... 6
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 7
4 Overview of classified testing and evaluation ... 8
4.1 Overview of classified testing and evaluation process ... 8
4.2 Classified testing and evaluation risks ... 9
4.3 Classified testing and evaluation risk avoidance ... 9
5 Preparation of testing and evaluation ... 10
5.1 Workflow of preparation of testing and evaluation ... 10
5.2 Major tasks of preparation of testing and evaluation ... 11
5.3 Output files of testing and evaluation preparation ... 13
5.4 Duties of both parties in testing and evaluation preparation ... 14
6 Scheme preparations ... 15
6.1 Workflow of scheme preparation ... 15
6.2 Major tasks of scheme preparation ... 15
6.3 Output files of scheme preparation ... 22
6.4 Duties of both parties in scheme preparation ... 22
7 On-site testing and evaluation ... 23
7.1 Work flow of on-site testing and evaluation ... 23
7.2 Main tasks of on-site testing and evaluation ... 24
7.3 Output files of on-site testing and evaluation ... 26
7.4 Duties of both parties in on-site testing and evaluation ... 27
8 Report preparation ... 28
8.1 Work flow of report preparation ... 28
8.2 Main tasks of report preparation ... 29
8.3 Output files of report preparation ... 35
8.4 Duties of both parties in report preparation ... 36
Annex A (Normative) Workflow of classified testing and evaluation ... 37
Annex B (Normative) Requirements for classified testing and evaluation ... 40
Annex C (Normative) Supplement for classified testing and evaluation of new technology and new application ... 42
Annex D (Normative) Principle and example for confirmation of target of testing and evaluation ... 47
Annex E (Informative) Modes and work tasks for on-site testing and evaluation of classified testing and evaluation ... 53
Annex F (Informative) Example for template of classified testing and evaluation report ... 58
Bibliography ... 87
Foreword
This Standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This Standard replaces GB/T 28449-2012 "Information security technology - Testing and evaluation process guide for classified protection of information system security". Compared with GB/T 28449-2012, in addition to editorial modifications, the main technical changes are as follows:
- the name of the standard was changed to "Information security technology - Testing and evaluation process guide for classified protection of cyber security";
- the number of tasks in report preparation was changed from 6 tasks to 7 tasks (see 4.1 of this Edition; 5.4 of the 2012 Edition);
- in the duties of both parties in testing and evaluation preparation and in on-site testing and evaluation, duties to coordinate multiple parties were added, and the work tasks that involve multiple parties were specified (see 7.4 of this Edition; 8.4 of the 2012 Edition);
- the information analysis method was added to the information collection and analysis task (see 5.2.2 of this Edition);
- special tasks and requirements that need additional attention were added for security testing and evaluation of classified protection targets built using cloud computing, the Internet of Things, mobile internet, industrial control systems and IPv6 systems (see Annex C of this Edition);
- the testing and evaluation scheme examples were deleted (see Annex D of the 2012 Edition);
- the questionnaire template for the basic situation of the information system was deleted (see Annex E of the 2012 Edition).
Attention is drawn to the possibility that some contents of this Standard may be the subject of patent rights. The issuing authority shall not be held responsible for identifying any or all such patent rights.
This Standard was proposed by, and is under the jurisdiction of, the National Technical Committee on Information Security of the Standardization Administration of China (SAC/TC 260).
The drafting organizations of this Standard: The Third Institute of the Ministry of Public Security (Information Security Level Protection Assessment Center of the Ministry of Public Security), The 15th Research Institute of China Electronics Technology Group Corporation (Information Industry Information Security Evaluation Center), Beijing Information Security Evaluation Center.
Main drafters of this Standard: Yuan Jing, Ren Weihong, Jiang Lei, Li Sheng, Zhang Yuxiang, Bi Maning, Li Ming, Zhang Yi, Liu Kaijun, Zhao Qin, Wang Ran, Liu Haifeng, Qu Jie, Liu Jing, Zhu Jianping, Ma Li, Chen Guangyong.
The previous edition replaced by this Standard is:
- GB/T 28449-2012.
Introduction
Classified testing and evaluation, as used in this Standard, is the process by which a testing and evaluation organization, based on technical standards such as GB/T 22239 and GB/T 28448, tests and evaluates whether the classified security protection of a classified target meets the basic requirements for the corresponding classification. It is an important link in implementing the classified protection system for cyber security.
During construction, rectification and reform, the operator and user of a classified target use classified testing and evaluation to analyse the situation, determine the system's security protection status and existing security problems, and, on that basis, determine the security requirements for system rectification and reform.
During operation and maintenance of a classified target, the operator and user regularly perform self-checks, or entrust a testing and evaluation organization to carry out classified testing and evaluation of the classified target's security protection status, in order to inspect and evaluate its information security control ability and determine whether the classified target has the security protection ability required for its classification in GB/T 22239. The classified testing and evaluation report produced by this process is therefore an important reference for rectification and reinforcement of the classified target, and an important attachment for the filing of classified targets at level three and above. The operator and user shall plan rectification on the basis of the classified testing and evaluation report.
This Standard is one of a series of standards related to classified protection of cyber security.
Information security technology - Testing and evaluation process guide for classified protection of cyber security
1 Scope
This Standard specifies the testing and evaluation process for classified protection of cyber security (hereinafter referred to as "classified testing and evaluation"), together with the testing and evaluation activities and their work tasks.
This Standard is applicable to testing and evaluation organizations, the supervising departments of classified targets, and operators and users carrying out testing and evaluation for classified protection of cyber security.
2 Normative references
The following referenced documents are indispensable for the applicat...