GB/T 20273-2019 English PDF (GBT20273-2019)
GB/T 20273-2019: Information security technology -- Security technical requirements for database management system
GB/T 20273-2019
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20273-2006
Information Security Technology - Security Technical
Requirements for Database Management System
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 1, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of
China.
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms, Definitions and Abbreviations
3.1 Terms and Definitions
3.2 Abbreviations
4 Description of Evaluation Target
4.1 An Overview of Evaluation Target
4.2 Security Features of Evaluation Target
4.3 Evaluation Target Deployment Mode
5 Definition of Security Issues
5.1 Data Assets
5.2 Threats
5.3 Organization Security Policy
5.4 Hypotheses
6 Security Objectives
6.1 TOE Security Objectives
6.2 Environment Security Objectives
7 Security Requirements
7.1 Extension Component Definition
7.2 Requirements of Security Function
7.3 Requirements of Security Assurance
8 Fundamental Principle
8.1 Fundamental Principle of Security Objectives
8.2 Fundamental Principle of Security Requirements
8.3 Component Dependency
Appendix A (informative) Instruction of Standard Amendment and Application
Bibliography
Information Security Technology - Security Technical
Requirements for Database Management System
1 Scope
This Standard stipulates the description of the database management system evaluation
target; the definition of security issues, the security objectives and the security
requirements for different evaluation assurance levels of database management systems;
and the fundamental principles between the definition of security issues and security
objectives, and between security objectives and security requirements.
This Standard is applicable to the test, evaluation and procurement of database
management systems. It may also be applied as guidance for the research and
development of database management systems.
NOTE: The Level-EAL2, Level-EAL3 and Level-EAL4 security requirements stipulated in
this Standard are applicable not only to the security evaluation of database
management systems based on GB/T 18336.1-2015, GB/T 18336.2-2015 and
GB/T 18336.3-2015, but also to GB/T 17859-1999-based database security
evaluation of second-level system audit protection, third-level security
label protection and fourth-level structural protection. Please refer to A.1 in
Appendix A for the relevant correspondences.
2 Normative References
The following documents are indispensable to the application of this document. For
references with a specified date, only the version with the specified date is
applicable to this document. For references without a specified date, the latest
version (including all the modifications) is applicable to this document.
GB/T 18336.1-2015 Information Technology - Security Techniques - Evaluation Criteria
for IT Security - Part 1: Introduction and General Model
GB/T 18336.2-2015 Information Technology - Security Techniques - Evaluation Criteria
for IT Security - Part 2: Security Functional Components
GB/T 18336.3-2015 Information Technology - Security Techniques - Evaluation Criteria
for IT Security - Part 3: Security Assurance Components
GB/T 25069-2010 Information Security Technology - Glossary
GB/T 28821-2012 Technical Requirements of Relational Database Management
System
4 Description of Evaluation Target
4.1 An Overview of Evaluation Target
In this Standard, the target of evaluation (TOE) refers to the management software
included in the database management system (DBMS) and the database objects that it
manages.
The management software included in a DBMS shall provide a database language that
defines, operates on and manages database objects; provide a database control language
and maintain the data integrity of DBMS operation through data model semantic
constraints; and provide database backup, restore and recovery mechanisms to guarantee
the availability of the database when breakdowns occur in DBMS operation. A relational
database management system (RDBMS) shall provide a transaction management
mechanism that guarantees the atomicity, consistency, isolation and durability (ACID) of
transactions in multi-user concurrent database operations.
A DBMS mainly includes the following constituent parts:
a) Database: consists of physical files, such as: data files that store user data
and TOE security functionality (TSF) data; log files that record database
transaction processing; control files that maintain the integrity of
DBMS operations, etc. The database objects being stored include: model
objects, non-model objects, database dictionary objects, etc.
b) Database instance: includes components such as the query engine, transaction
manager, data storage manager, etc. It implements the basic functions: the
definition, management, query, update and control of database objects.
c) Database language and its access interface: provides the database language and
database development interface specifications, such as: structured query
language (SQL), open database connectivity (ODBC), Java database
connectivity (JDBC), etc.; allows authorized users, through the database
development interface, to define the database structure, access and modify
database object data, display the relevant configuration parameters of DBMS
operation, and execute various maintenance operations on user data and on the
relevant data of DBMS operation.
d) DBMS operation maintenance auxiliary means: provides DBMS operation
maintenance auxiliary means or interfaces, such as: startup and shutdown
of a database instance; bringing a database or data file online or offline,
and opening or closing it; database checkpoint control; database log archiving;
external data import, etc.
user/authorized administrator’s functions like parallel sessions.
NOTE: The security of the DBMS software and of the data assets it manages is not
isolated. In a production environment, the IT environment of DBMS
operation (operating system, network system, hardware, etc.), together
with the DBMS, establishes the security system of the TOE. In the description
of the TOE, the security target (ST) author clearly indicates and identifies the
correlation between the architecture of the DBMS under evaluation and the
various components of the IT environment.
4.3 Evaluation Target Deployment Mode
Any entity, internal or external to the DBMS, that needs to obtain data assets managed
by the TOE shall first satisfy the corresponding security policies of the TOE and the
operating environment. The TOE operating environment target might include multiple
security control components, which involve multiple security policies, such as:
equipment physical security, environmental physical security, system physical
security and personnel security management, etc. These operating environment
security policies protect the DBMS software and the database that it manages from
security threats in the operating environment of the DBMS.
This Standard may be adopted to evaluate DBMS security of multiple deployment
structures, which include, but are not limited to the following architectures:
a) Centralized architecture: DBMS software and database application program
are installed and operated on a host; user can only send o...