GB/T 36959-2018: Information security technology -- Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity

GB/T 36959-2018
GB
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Capability
requirements and evaluation specification for
assessment organization of classified protection of
cybersecurity
ISSUED ON: DECEMBER 28, 2018
IMPLEMENTED ON: JULY 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Capability requirements of assessment organizations
4.1 Classification of assessment organizations
4.2 Classification of level evaluation personnel
4.3 Capability requirements for level I assessment organizations
4.4 Capability requirements for level II assessment organizations
4.5 Capability requirements for level III assessment organizations
4.6 Normative requirements for activities of assessment organizations
5 Evaluation of the capability of assessment organizations
5.1 Evaluation process
5.2 First-time evaluation
5.3 Continuous evaluation
5.4 Capability review
Appendix A (Normative) Summary form of requirements for capability enhancement of assessment organizations of classified protection of cybersecurity at all levels
Appendix B (Normative) Capability requirements for classified protection evaluators of cybersecurity
1 Scope
This standard specifies the capability requirements and evaluation specifications for assessment organizations of classified protection of cybersecurity.
This standard applies to activities such as capability building, operation management and qualification evaluation of organizations that intend to become an assessment organization of classified protection of cybersecurity, or to be upgraded to a higher level of assessment organization.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, the latest version (including all amendments) applies to this standard.
GB/T 28448 Information security technology - Evaluation requirement for classified protection of cybersecurity
GB/T 28449 Information security technology - Testing and evaluation process guide for classified protection of cybersecurity
3 Terms and definitions
The terms and definitions as defined in GB/T 28448 as well as the following terms and definitions apply to this document.
3.1
Capability evaluation
According to standards and/or other normative documents, the process of

e) Have no fewer than 15 technical and managerial personnel with cybersecurity-related work experience, and no fewer than 2 full-time penetration testers, with clear job responsibilities and relatively stable staffing;
f) Have a fixed office space equipped with the testing and evaluation tools and experimental environments that the evaluation business requires;
g) Have complete rules and regulations for security and confidentiality management, project management, quality management, personnel management, file management, and training and education;
h) Do not engage in business that may affect the fairness of evaluation results, such as cybersecurity product development or sales, or information system security integration (except for personal use);
i) Other conditions that shall be met.
4.3.2 Organizational management capabilities
4.3.2.1 The manager of the assessment organization shall master the classified protection policy documents and be familiar with relevant standards and specifications.
4.3.2.2 The assessment organization shall organize and set up relevant departments in a definite way; clarify their responsibilities, authorities and mutual relations; and ensure the orderly development of the various tasks.
4.3.2.3 The assessment organization shall have professional technical personnel and management personnel competent for the level evaluation work; the proportion holding a bachelor's degree or above shall not be less than 70%.
4.3.2.4 The assessment organization shall set up positions that meet the needs of the level evaluation work, such as evaluation technicians, evaluation project team leaders, technical supervisors, quality supervisors, security officers, equipment managers, file managers, etc., with clear job responsibilities and stable personnel.
4.3.2.5 The assessment organization shall formulate complete rules and regulations, including but not limited to the following:
a) Project management system
The assessment organization shall formulate a comprehensive evaluation project management system in line with its own characteristics in accordance with GB/T 28449, which shall mainly include the organization

examinations organized by the designated assessment organization and obtain the certificate of level evaluator. Level evaluation personnel need to hold a permit to work.
4.3.3.1.3 Evaluation technicians, evaluation project team leaders and technical supervisors shall obtain primary, intermediate and advanced level evaluator certificates respectively; the number of evaluators shall not be less than 15.
4.3.3.1.4 In addition to holding level evaluator qualifications, evaluators shall participate in various forms of evaluation business and technical training each year. The total training time of each evaluator shall not be less than 40 hours per year.
4.3.3.1.5 The assessment organization shall appoint a technical supervisor who is fully responsible for the technical work of level evaluation.
4.3.3.2 Evaluation capability
4.3.3.2.1 The assessment organization shall prove that it has more than 2 years of work experience in cybersecurity-related work by providing case, process records and other materials.
4.3.3.2.2 The assessment organization shall ensure that it is engaged in evaluation work within its capabilities and has sufficient resources to meet the requirements of the evaluation work, which is specifically reflected in the following aspects:
a) Security technology evaluation and implementation capabilities, including the development, use, maintenance and professional judgment of obtaining relevant results in terms of physical and environmental security, network and communication security, equipment and computing security, application and data security, etc.;
b) Security management evaluation and implementation capabilities, including the development, use, maintenance and professional judgment of obtaining relevant results in terms of security strategy and management system, security management organization and personnel, security construction management, security operation and maintenance management, etc.;
c) Security testing and analysis capabilities, which refer to the capability to develop test-related work instructions based on actual evaluation requirements, and to use special evaluation equipment and tools to realize vulnerability discovery and problem analysis;
d) The overall evaluation implementation capability, which refers to the capability to give specific results of the overall evaluation based on the

form the evaluation report. The evaluation report shall be compiled according to the format and content requirements of the evaluation report template of classified protection of cybersecurity as uniformly formulated by the public security administrative department. The evaluation report shall pass review and have relevant records.
4.3.4 Security and assurance capabilities of facilities and equipment
4.3.4.1 The assessment organization shall have the necessary office environment, equipment, facilities and management system. The technical equipment and facilities used shall in principle meet the following conditions:
a) The product development and production organization is invested by a Chinese citizen or legal person, or invested or controlled by the state, and has an independent legal personality within the territory of the People's Republic of China;
b) The core technology and key components of the product have our country's independent intellectual property rights;
c) The product development and production organizations and their main business and technical personnel have no criminal records;
d) The product development and production organizations declare that they have not intentionally left or set loopholes, backdoors, Trojan horses or other such programs and functions;
e) No harm to national security, social order or the public interest;
f) It shall be equipped with critical network equipment and special cybersecurity products that have passed security certification or meet the requirements of security testing.
4.3.4.2 The assessment organization shall be equipped with evaluation equipment and tools that meet the requirements of the level evaluation work, such as web security detection tools, malicious behavior detection tools, etc., to assist in the discovery of security issues during the testing process. Testing equipment and tools shall pass the testing of authoritative organizations, and testing reports shall be provided.
4.3.4.3 The assessment organization shall have a computer room that meets the relevant requirements and the necessary software and hardware equipment to meet the needs of cybersecurity simulation, technical training and simulation testing.
4.3.4.4 The assessment organization shall ensure that the evaluation equipment and tools are in good operating condition; ensure that it provides

4.3.6.2.2 The assessment organization shall prove that its organization is in compliance, that its property rights relationships are clear, and that its registered capital meets the requirement (5 million yuan), by providing documents such as the nature of the organization, shareholding structure, capital contribution, and legal person and shareholder identity.
4.3.6.2.3 The assessment organization shall establish and maintain personnel files for its staff, including basic personnel information, social background, work experience, training records, professional qualifications, rewards and punishments, etc., to ensure the stability and reliability of personnel.
4.3.6.2.4 The test equipment and tools used by the assessment organization shall have a comprehensive function list; there shall be no hidden functions outside the function list.
4.3.6.2.5 The assessment organization shall attach importance to security and confidentiality work, and designate persons responsible for security and confidentiality work.
4.3.6.2.6 The assessment organization shall regularly educate its staff on confidentiality in accordance with the confidentiality management system. The assessment organization and evaluation personnel shall keep the state secrets, work secrets, business secrets, personal privacy, etc., that they learn during the evaluation activities.
4.3.6.2.7 The assessment organization shall clarify the requirements of job confidentiality; sign a "Confidentiality Responsibility Letter" with all personnel; stipulate the security and confidentiality obligations and legal responsibilities it shall perform; be responsible for inspection and implementation.
4.3.6.2.8 The assessment organization shall take technical and management measures to ensure the security, confidentiality and control of information related to the level evaluation, including but not limited to:
a) Information provided by the organization under evaluation;
b) Data and records generated by the level evaluation activities;
c) Analysis and professional judgment based on the above information.
4.3.6.2.9 The assessment organization shall use effective technical means to ensure the security and confidentiality of the level evaluation related information during the entire data life cycle.
4.3.6.3 Standardization of evaluation methods and procedures
The assessment organization shall ensure that all working procedures,

or insufficient resources;
b) The risk that test verification activities may affect the normal operation of the system under test;
c) The risk that the access of test equipment and tools may affect the normal operation of the system under test;
d) The risk of leakage of important information of the system under test (such as network topology, IP addresses, business processes, security mechanisms, security risks and related documents, etc.) that may occur during the evaluation process.
4.3.7.2 The assessment organization shall adopt a variety of measures to avoid and control the aforementioned risks that the system under test may face.
4.3.8 Sustainability
4.3.8.1 The assessment organization shall formulate a strategic plan according to its own situation; ensure the continuous construction and development of the assessment organization through continuous investment.
4.3.8.2 The assessment organization shall periodically review and continuously improve its management system and management requirements; set mid-term and long-term goals; and gradually improve its quality management capabilities through the realization of those goals.
4.3.8.3 The assessment organization shall carry out training in accordance with its training system and keep training and evaluation records.
4.3.8.4 The assessment organization shall devote dedicated resources to summarizing evaluation practice and researching evaluation technology. Assessment organizations shall conduct experience exchanges and technical discussions to keep pace with the development of evaluation technology.
4.4 Capability requirements for level II assessment organizations
4.4.1 Basic conditions
The assessment organization shall have the following basic conditions:
a) Enterprises and organizations registered and established within the territory of the People's Republic of China, invested by Chinese citizens or legal persons, or invested by the state;

equipment administrators, file administrators, etc., with clear job responsibilities and stable personnel. Among them, the technical supervisor and the quality supervisor shall be full-time personnel and shall not hold these positions concurrently.
4.4.2.5 The assessment organization shall formulate complete rules and
regulations, including but not limited to the following:
a) Confidentiality management system
The confidentiality management system shall be formulated in accordance with the relevant national confidentiality regulations. The system shall specify the scope of confidentiality objects, personnel confidentiality responsibilities, the various measures and requirements for confidentiality management during the evaluation process, and penalties for violations of the confidentiality system.
b) Project management system
The assessment organization shall formulate a comprehensive evaluation project management system in line with its own characteristics in accordance with GB/T 28449, which shall mainly include the organization of the evaluation work, job responsibilities, and the work content and management requirements of each stage of the evaluation.
c) Equipment management system
It shall include the relevant responsibilities of organizational personnel in the management of equipment, and the various regulations on the purchase, use, operation and maintenance of instruments and equipment.
d) Document management system
It shall include the relevant responsibilities of the staff of the organization in the management of evaluation documents, and the provisions on the borrowing and reading, storage and destruction of files, etc.
e) Personnel management system
It shall include the content and requirements of personnel recruitment, evaluation, daily management and resignation.
f) Training and education system
It shall include the content and requirements of the formulation of training plans, the implementation of training, the evaluation and induction of training, and the establishment of personnel training files.
g) Appeal, complaint and dispute handling system

following aspects:
a) Security technology evaluation and implementation capabilities, including the development, use, maintenance and professional judgment of obtaining relevant results in terms of physical and environmental security, network and communication security, equipment and computing security, application and data security, etc. The evaluation guide shall cover the current mainstream products and related technologies;
b) Security management evaluation and implementation capabilities, including the development, use, maintenance and professional judgment of obtaining relevant results in terms of security strategy and management system, security management organization and personnel, security construction management, security operation and maintenance management and other aspects;
c) Security testing and analysis capabilities, which refer to the development of test-related work instructions based on actual evaluation requirements; the capability to realize vulnerability discovery and problem analysis with the help of special evaluation equipment and tools; and having cryptanalysis evaluation capabilities;
d) The overall evaluation implementation capability, which refers to the capability to give specific results of the overall evaluation based on the result recording part, the result summary part and the problem analysis part of the evaluation report's unit evaluation, from the perspective of security control points and between levels and regions;
e) Risk analysis capability, which refers to the capability to establish a set of unified risk analysis methods based on the relevant norms and standards of classified protection, and to analyze in a scientific and reasonable manner the impact that the security issues in the level evaluation results may have on the security of the system under evaluation.
4.4.3.2.3 The assessment organization shall strengthen the application of information technology in the implementation of evaluation; with the help of automated means, standardize the evaluation process, optimize the allocation of resources, reduce errors that may be caused by human factors, and improve the efficiency of evaluation work.
4.4.3.2.4 The assessment organization shall establish a complete mechanism for the development, maintenance and updating of evaluation methods, to continuously improve its own evaluation technical capabilities.
4.4.3.2.5 The assessment organization shall combine the industry characteristics and business types of the system under test; analyze the

4.4.4.1 The assessment organization shall have the necessary office environment, equipment, facilities and management system; the technical equipment and facilities used shall in principle meet the following conditions:
a) The product development and production organization is invested by a Chinese citizen or legal person, or invested or controlled by the state, and at the same time has an independent legal personality within the territory of the People's Republic of China;
b) The core technology and key components of the product have our country's independent intellectual property rights;
c) The product...
