China National Information Security Evaluation Certification Center
Development is the absolute principle, but there is no development without security.
Foreword
Information technology and cyberspace have injected new vitality into every aspect of society, science and technology, culture, education and management. At the same time, while people have gained a great deal from informatization, information security problems have become increasingly prominent. Information security products and information systems are inherently sensitive and specialized, and they directly affect national security interests and economic benefits. Government departments, civilian users, manufacturers and law enforcement agencies all have an urgent need for information technology that is "trustworthy", and security evaluation and certification has become an objective demand of the information era.
Governments attach great importance to information security certification, and each has established an evaluation and certification system suited to its own stage of information development. The United States lists information security as one of the important components of its national security; under the support of the National Security Agency and the National Institute of Standards and Technology, a dedicated body is responsible for the evaluation and certification of information security products. Western countries are exploring ways to make information security evaluation and certification an important area of the informatization process, and it is receiving wide attention.
On February 9, 1999, China officially established the China National Information Security Evaluation Certification Center.
Security evaluation and certification is an important guarantee for the healthy development of information technology.
What is evaluation and certification?
1) Evaluation and certification
Evaluation and certification is an important part of the modern quality certification system. In essence, a neutral authoritative body, through scientifically standardized and impartial testing and evaluation, confirms that the products and services provided by a supplier meet a public, objective and advanced standard. Specifically, the object of evaluation and certification is a product or a process; its basis is a technical specification confirmed by national standards, industry standards or the certification body; its method is to sample and test the product and to review the supplier's quality assurance capability, that is, its quality system, followed by regular post-certification supervision; its nature is that of an authoritative inspection organization, authorized by the government, carrying out scientific and impartial evaluation activities under strict procedures; and its outward form is a certification certificate and a certification mark.
The evaluation and certification system has existed internationally for nearly 100 years, and at present more than 80 countries have established evaluation and certification systems. China began to promote a quality certification system in the 1980s. Beginning with the "Standardization Law" in the early 1980s, and continuing with the "Regulations on Quality Certification Management of the People's Republic of China" and the "Product Quality Law" in the 1990s, a relatively complete framework of laws, regulations and supporting management specifications has been formed. More and more enterprises are actively participating in certification activities; all sectors have begun to pay attention to the brand of products and services, gradually guiding their consumption behavior through certification and linking quality with rights and interests. Certification, as an effective means by which the state and society conduct quality supervision and technical control of products, has become more and more widely accepted by all parts of society.
2) Security certification
Because information security directly involves national interests, security and sovereignty, governments apply stricter evaluation and certification to information products and information system security than to other products, and information security certification has become a new field of national evaluation and certification work in the information age. First, in market access, developed countries impose strict import and export controls: by enacting relevant laws, regulations and technical standards, they implement security certification systems to control the security performance of imported foreign products and of domestic products for export. Second, products for domestic use are subject to mandatory certification; any security product that has not passed mandatory certification may not be supplied, sold or used. Third, the core technologies of information technology and information security are controlled directly by the government. Cryptographic technology and cryptographic products, for example, are strictly controlled in most developed countries, and even where the government permits a cryptographic product to be exported, its key technology remains in government hands. Fourth, under the support and guidance of the national information security authorities, and with the authorization of the standardization and quality and technical supervision authorities, professional functional institutions are relied upon to provide technical support, forming a management system that combines government administration with technical support.
Information security is a sensitive problem involving deep-seated interests. We believe that, in line with international practice, after China's information security evaluation and certification has operated for a period of time, mandatory supervision and management will gradually be implemented for the corresponding products: products that have not passed certification will not be sold or used. In this way, quality supervision, technical control and market access for products will be integrated into the comprehensive management of national information security in a more scientific and standardized manner. The standard itself both embodies technology and protects the market.
Standards and norms for evaluation and certification
Standards are technical regulations that serve as the basis and yardstick for evaluation; without standards there can be no evaluation. In the special high-technology field of information security, if there are no standards, national legislation and law enforcement will lose their footing for lack of a corresponding technical yardstick, which will ultimately bring serious consequences for the management of national information security. For example, the management of the production and sale of information security products, market access management, the formulation of procurement policy for information security products, the security management of various information systems (networks), and the judicial handling of illegal and criminal activity on electronic networks all depend on corresponding standards.
At the end of last year the International Organization for Standardization issued the standard ISO/IEC 15408 (the information technology security evaluation criteria, also known as the Common Criteria, CC). Whereas national information technology security evaluations had previously differed from one another, the situation is gradually changing: CC is being adopted as a universal yardstick and method for evaluating information technology security, used to guide developers' development, to guide evaluation and certification bodies in evaluating the security of IT products or systems, and to help users formulate the security requirements for the products or systems they need and procure according to those requirements. Developed countries such as the United States, Canada and the European Union have established, or are establishing, national information security evaluation systems in accordance with CC; 14 countries have signed an international mutual recognition arrangement, and Japan, South Korea and Israel are stepping up preparations to join the CC mutual recognition arrangement.
Although information security technical standards are the technical basis, means and foundation of information security regulations, the implementation of information security technical standards must in turn be guaranteed and carried out through information security regulations. While promoting the standardization of information security technology, the relevant state departments must also greatly strengthen the legislative construction and law enforcement of information security regulations. Only when "standards" and "regulations" are closely, deeply and comprehensively combined can national information security be effectively protected.
Although China's information security standardization work started late, over the past 10 years the National Information Security Standards Committee and its subordinate bodies, under the leadership of the National Quality and Technical Supervision Bureau, have done a great deal of work in developing China's information security standards, and a number of national standards, national military standards and industry standards now involve information security. To keep pace with the rapid development of China's informatization, the State Council set up a dedicated project from which dozens of technical standards emerged; these have become the basis of China's information security evaluation and certification.
At present, standards such as information system security evaluation criteria and testing standards, security technical requirements for commercial cryptographic products, information security service evaluation criteria, and information security engineering quality management requirements are about to be issued. Under the leadership and support of the National Quality and Technical Supervision Bureau, the framework of the national information security standard system has taken initial shape; within that framework, and on the principle of urgency of use, the government authorities will promote and gradually issue the standards relevant to the development of China's information security technology and its management and application.
Practices in China's information security
China's information security evaluation and certification system
China has long attached great importance to information security and confidentiality, treating it from the standpoint of its sensitivity, specialty and strategic importance, and ultimately under the absolute leadership of the state. China's information security authorities have a division of labor, and together their duties form a management system for safeguarding national information security.
In accordance with the spirit of document [1998] No. 018 of the National Information Office and document [1998] No. 138 of the National Quality and Technical Supervision Bureau, the China National Information Security Evaluation Certification Center is a national certification body established on the basis of the Product Quality Law of the People's Republic of China, the Regulations on Quality Certification Management of the People's Republic of China, national policies, laws and regulations, and the international Common Criteria, and is one of the national information security infrastructures. Under the authorization for national information security certification approved by the National Quality and Technical Supervision Bureau, the Evaluation Certification Center conducts information security evaluation and certification according to the relevant standards and norms, and issues the country's highest recognition of information security products: the National Information Security Certificate. The National Information Security Evaluation Certification Management Committee is the supervisory body of the Certification Center; the Certification Center is the entity that carries out information security evaluation and certification on behalf of the state. The Certification Center, with several information security evaluation branches as its technical support, forms a complete working system. Every information security inspection and evaluation branch is established with the authorization of the Certification Center and accreditation by the China national accreditation body for product quality certification bodies.
As national information security evaluation and certification develops, several national information security evaluation branches will be established, forming a technical system for national information security evaluation and certification with a reasonable layout and optimized resources.
The Management Committee is composed of representatives of information security management departments, user departments, academia and manufacturers. Its main responsibilities are to determine the development strategy of the Evaluation Certification Center, to promote research on the standards and guidelines used by the Center for testing and certification, and to supervise the fairness and scientific rigor of the evaluation and certification work. The Management Committee has an Expert Committee and a Complaints and Appeals Committee under it.
Evaluation and certification work system
In accordance with the certification product catalog issued by the National Quality and Technical Supervision Bureau, the China National Information Security Evaluation Certification Center carries out four types of certification business for external parties: product type certification, product certification, information system security certification, and information security service certification.
The China National Information Security Evaluation Certification Center has two service functions. On the one hand, facing society, industry and the market, it provides technical services to relevant vendors and users; on the other hand, it provides technical support for the administration and law enforcement of the competent information security authorities.
The general procedure for the four types of certification above is: application for certification - product type testing - quality system evaluation - issuance of the certificate - post-certification supervision - handling of disputes and complaints.
Main benefits of certification
Certification enhances users' trust in certified products, which promotes market acceptance of information security products, reduces the security risk of information systems or networks, and strengthens the market advantages of information security products. Certification not only provides a reference for the research and development units of information security products, guiding them to develop products that meet the country's actual needs and security standards, but also provides security indicators for users in government and business, guiding them to choose the right products. In addition, certification provides improvement services for systems or networks whose security has not been assured, reducing network security risk.
The National Information Security Evaluation Certification Center promises to keep all evaluation and certification work confidential and to protect the intellectual property and trade secrets of applicant units, and it will launch a series of publicity activities around the evaluation of information security products. Moreover, certified units may use the Center's certification mark, badge and the words "national information security certification" in marketing, advertising and other promotion of their certified products.
The Center's certification standards and procedures have been approved by the Expert Committee and the Management Committee, but certification is a dynamic process: the Center will raise the difficulty of certification testing in step with the technical development of information security products and the requirements of end users. It should be noted that the Center's certification program ensures that a product's security risk is reduced to the level required by national standards and acceptable to the public; a product or system that meets the Center's certification standard has only reached the level of security risk the state considers manageable, and this does not indicate that the product has completely eliminated security risk.
Construction and prospects of China's information security evaluation and certification system
Although China's information security evaluation and certification has been carried out for the past two years, there is still a considerable gap in the formulation of information security evaluation standards in China. At present, research and development of the procedural norms among the evaluation norms started earliest and has produced usable results that basically meet the current needs of procedural control for information security products and information systems. However, as China's information and network applications become more detailed and specialized, further development of the technical specifications for this area of business is also urgent. As for methodological norms and foundations, work is only just beginning. The construction of China's information security evaluation system involves at least six aspects: construction of the organizational system, the technical system, the standards system, the policy and regulatory system, the discipline system, and the talent training and education system.
The tasks of China's information security evaluation and certification are to improve the certification system, implement standards and norms, formulate technical standards, cultivate evaluation institutions, strengthen research and development, and promote international mutual recognition.