GB/T 36630.1-2018 English PDF (GBT36630.1-2018)
GB/T 36630.1-2018: Information security technology -- Controllability evaluation index for security of information technology products -- Part 1: General principles

This part of GB/T 36630 specifies the concept and guarantee objectives of the controllability for security of information technology products, and gives the evaluation principles, evaluation index system and implementation process of controllability for security of information technology products.
GB/T 36630.1-2018
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information Security Technology - Controllability Evaluation Index for Security of Information Technology Products - Part 1: General Principles
ISSUED ON: SEPTEMBER 17, 2018
IMPLEMENTED ON: APRIL 01, 2019
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of controllability for security
4.1 Risk analysis
4.2 Guarantee of controllability for security
4.2.1 Guarantee objectives
4.2.2 Guarantee requirements
5 Evaluation of controllability for security
5.1 Evaluation principle
5.1.1 Scientific and reasonable
5.1.2 Objective and fair
5.1.3 Protection of intellectual property
5.2 Evaluation index system
5.2.1 System framework
5.2.2 R&D production evaluation
5.2.3 Supply chain evaluation
5.2.4 Operation and maintenance service evaluation
5.3 Evaluation implementation
5.3.1 Evaluation process
5.3.2 Evaluation method
5.3.3 Evaluation result
References
Information Security Technology - Controllability Evaluation Index for Security of Information Technology Products - Part 1: General Principles
1 Scope
This part of GB/T 36630 specifies the concept and guarantee objectives of the controllability for security of information technology products, and gives the evaluation principles, evaluation index system and implementation process of controllability for security of information technology products.
This part is applicable to the evaluation implementer to evaluate the controllability for security of information technology products; it can also be used as a reference by information technology product suppliers and users to ensure controllability for security of products during product supply and application.
2 Normative references
The following document is indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069-2010, Information security technology glossary
3 Terms and definitions
Terms and definitions determined by GB/T 25069-2010 and the following ones are applicable to this document.
3.1 Information technology product
Hardware, software, system, and service which are equipped with functions to collect, store, process, transmit, control, exchange, and display data or information.
Note: Information technology products include computers and their auxiliary equipment, communication equipment, network equipment, automatic control equipment, operating systems, databases, application software
e) Other situations that may endanger national security and the public interest.
4.2 Guarantee of controllability for security
4.2.1 Guarantee objectives
Guarantee of controllability for security is the basis for the user to trust that information technology products meet their requirements on controllability for security. Its objectives are to protect the user's data control right, product control right and product selection right:
a) Data control right means that the user can control its own data, and the information technology product supplier does not obtain the user's data in any form without authorization or damage the user's control right over its own data;
b) Product control right means that the user can control its products independently, and the information technology product supplier does not control or manipulate the user's product through the network without authorization or damage the user's control right over the products it owns and uses;
c) Product selection right means that the user can select the products to be used independently, and the information technology product supplier cannot exploit the user's dependence to gain improper benefits or to damage the user's rights, for example by stopping the provision of reasonable security technical support, forcing the user to update, or maliciously interrupting product supply.
4.2.2 Guarantee requirements
In view of the guarantee objectives of controllability for security, and the potential risks faced by information technology products in every link of the life cycle, such as R&D, production, supply and operation and maintenance services, information technology products and their suppliers are required to meet security guarantee requirements. Among them, the main risks that affect the user's data control right come from links such as data collection, transmission, storage, processing, use and destruction; to effectively control these risks, it shall be ensured that the product's data-related implementation is consistent with its claimed function and that its data-related service is compliant. The risks that affect the user's product control right mainly come from links such as product R&D, production, supply, and operation and maintenance services; to effectively control these risks, it shall be ensured that the product's control-related implementation is consistent with its claimed function and that its control-related service is compliant. The risks that affect the user's product selection right mainly come from links such as the supply chain, operation
5.1.2 Objective and fair
The evaluation indexes are objective and non-discriminatory; the evaluation process is fair and equitable; and the scoring rules for similar information technology products are unified.
5.1.3 Protection of intellectual property
The intellectual property of the supplier is fully respected, and the legitimate rights and interests of the supplier are protected. The intellectual property of the supplier is not infringed during the evaluation process.
5.2 Evaluation index system
5.2.1 System framework
In order to effectively control the risks that information technology products face in terms of controllability for security, and to achieve the guarantee objectives of controllability for security, the evaluation index system for controllability for security is formulated in accordance with the guarantee requirements of controllability for security. It includes two evaluation categories, namely priority evaluation items and general evaluation items:
a) Priority evaluation items are indexes that seriously affect the controllability for security of products; indexes of this category are evaluated first. If, during evaluation, a priority evaluation item does not meet the requirements, the evaluation result is 0 points and no subsequent general evaluation is required. Whether a priority evaluation item is set, and which index is selected as the priority evaluation item, is determined by the technical characteristics of the information technology product itself. For example, the intellectual property of a central processor product can be set as a priority evaluation item. If the evaluated product is found to have committed an infringement that has been judicially determined and not properly handled, then according to the judgment principle for priority evaluation items, the evaluation result of controllability for security of the central processor is directly determined as 0 points;
b) General evaluation items are a series of indexes set to evaluate controllability for security against the risks that information technology products may face during the whole life cycle. According to the life cycle of information technology products, the index items are divided into three categories: R&D production evaluation, supply chain evaluation, and operation and maintenance service evaluation. Table 2 gives the index items and evaluation contents that correspond to each evaluation category, and clarifies the correspondence between each index item and the guarantee objectives of controllability for security. In this standard, specific information technology products such as central
5.2.3 Supply chain evaluation
The category of supply chain evaluation mainly includes two indexes: product continuous supply capability and product supply chain support capability:
a) The index of product continuous supply capability mainly evaluates the supplier's ability to continuously supply products; it focuses on contents such as product supply, core team, and product delivery management;
b) The index of product supply chain support capability mainly evaluates the supply chain reliability of the supplier; it focuses on contents such as the controllability for security of core components, the traceability of each link in the supply chain, and the stability of the supply chain.
5.2.4 Operation and maintenance service evaluation
The category of operation and maintenance service evaluation mainly includes two indexes: product service support capability and data processing normativity:
a) The index of product service support capability mainly evaluates the supplier's ability to provide continuous operation and maintenance services for the user; it focuses on the evaluation of contents such as service timeliness, service normativity and service sustainability;
b) The index of data processing normativity mainly evaluates the normativity of the supplier's operations on the user's data; it focuses on the evaluation of operational normativity in contents such as data collection, data transmission, data storage, data processing, data usage and data destruction.
5.3 Evaluation implementation
5.3.1 Evaluation process
The evaluation process mainly includes four stages: evaluation preparation, program development, on-site implementation, and analysis and evaluation:
a) In the stage of evaluation preparation, after the evaluation implementer receives the evaluation application from the user, it communicates with the supplier about the required evaluation materials, including the evaluation samples, materials and evidence to be provided, and reviews whether the evaluation materials provided by the supplier meet the conditions of the evaluation index for the specific product; after approval, it forms the evaluation implementation team and sets up an expert group as needed;
b) In the stage of program development, the evaluation implementer determines the evaluation method, procedure and progress for the
