Standard search results: 'GB/T 22239-2019 English version'
Standard No. | Contents | Price (CNY) | Step 2 | Delivery days [PDF] | Standard title | Related standards
GB/T 22239-2019 | English version | 1050 | Buy full text | In stock, download within 9 seconds | Information security technology -- Baseline for classified protection of cybersecurity | GBT 22239-2019
Standard number: GB/T 22239-2019 (GB/T22239-2019)
Chinese title: 信息安全技术 网络安全等级保护基本要求
English title: Information security technology -- Baseline for classified protection of cybersecurity
Sector: National standard (recommended)
Chinese standard classification: L80
International classification (ICS): 35.040
Estimated word count: 90,933
Issue date: 2019-05-10
Implementation date: 2019-12-01
Superseded standard: GB/T 22239-2008
Referenced standards: GB 17859; GB/T 22240; GB/T 25069; GB/T 31167-2014; GB/T 31168-2014; GB/T 32919-2016
Drafting organizations: The Third Research Institute of the Ministry of Public Security (Information Security Classified Protection Evaluation Center of the Ministry of Public Security), Information Center of the National Energy Administration, Alibaba Cloud Computing Co., Ltd., Institute of Information Engineering of the Chinese Academy of Sciences (State Key Laboratory of Information Security), New H3C Technologies Co., Ltd., Huawei Technologies Co., Ltd., Venustech Group Inc., Beijing Dingpu Technology Co., Ltd., The Sixth Research Institute of China Electronics Corporation, The First Research Institute of the Ministry of Public Security, State Information Center, Shandong Weifen Electronic Technology Co., Ltd., The 15th Research Institute of China Electronics Technology Group Corporation (Information Security Evaluation Center of the Information Industry), Zhejiang University, Computer and Microelectronics Development Research Center of the Ministry of Industry and Information Technology (China Software Testing Center), Zhejiang Guoli Xin'an Technology Co., Ltd., 机械工业仪
Technical committee: National Information Security Standardization Technical Committee (SAC/TC 260)
Proposed by: National Information Security Standardization Technical Committee (SAC/TC 260)
Issued by: State Administration for Market Regulation; Standardization Administration of China
Scope: This standard specifies the general security requirements and security extension requirements for objects under classified protection at levels 1 to 4 of classified protection of cybersecurity. This standard is applicable to guiding the security construction and supervisory management of non-secret-related objects at each level.
GB/T 22239-2019: Information security technology -- Baseline for classified protection of cybersecurity
GB/T 22239-2019 English title: Information security technology -- Baseline for classified protection of cybersecurity
1 Scope
This standard specifies the general security requirements and security extension requirements for objects under classified protection at levels 1 to 4 of classified protection of cybersecurity.
This standard is applicable to guiding the security construction and supervisory management of non-secret-related objects at each level.
Note: Level-5 objects under classified protection are very important objects of supervisory management; they have special management modes and security requirements and are therefore not described in this standard.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB 17859 Classified criteria for security protection of computer information systems
GB/T 22240 Information security technology -- Classification guide for classified protection of information system security
GB/T 25069 Information security technology -- Glossary
GB/T 31167-2014 Information security technology -- Security guide of cloud computing services
GB/T 31168-2014 Information security technology -- Security capability requirements of cloud computing services
GB/T 32919-2016 Information security technology -- Application guide to industrial control system security control
3 Terms and definitions
The terms and definitions defined in GB 17859, GB/T 22240, GB/T 25069, GB/T 31167-2014, GB/T 31168-2014 and GB/T 32919-2016, together with the following, apply to this document. For ease of use, some terms and definitions from GB/T 31167-2014, GB/T 31168-2014 and GB/T 32919-2016 are repeated below.
3.1
Cybersecurity
The capability, achieved by taking the necessary measures, to prevent attacks on, intrusion into, interference with, damage to and illegal use of the network, as well as accidents, so as to keep the network in a state of stable and reliable operation and to ensure the integrity, confidentiality and availability of network data.
3.2
Security protection capability
The degree to which threats can be resisted, security incidents can be detected, and the previous state can be restored after damage.
3.3
Cloud computing
A model for accessing a scalable and flexible pool of shared physical or virtual resources over a network, with on-demand self-service acquisition and management of resources.
Note: Resource instances include servers, operating systems, networks, software, applications and storage devices.
3.4
Cloud service provider
The supplier of cloud computing services.
Note: The cloud service provider manages, operates and supports the computing infrastructure and software of cloud computing, and delivers cloud computing resources over the network.
3.5
Cloud service customer
A party that establishes a business relationship with a cloud service provider in order to use cloud computing services.
3.6
Cloud computing platform/system
The collection of cloud computing infrastructure provided by a cloud service provider and the service software running on it.
3.7
Hypervisor
An intermediate software layer running between the underlying physical server and the operating systems, which allows multiple operating systems and applications to share the hardware.
3.8
Host machine
The physical server that runs the hypervisor.
3.9
Mobile internet
The process of connecting mobile terminals to a wired network using wireless communication technology.
3.10
Mobile terminal
Terminal devices used in mobile business, including general-purpose terminals such as smartphones, tablets and personal computers, as well as special-purpose terminal devices.
3.11
Wireless access device
A communication device that connects mobile terminals to a wired network using wireless communication technology.
3.12
Wireless access gateway
A device deployed between the wireless network and the wired network to provide security protection for the wired network.
3.13
Mobile application software
Application software developed for mobile terminals.
3.14
Mobile terminal management system
Dedicated software for the device management, application management and content management of mobile terminals, consisting of client software and server software.
3.15
Internet of Things
A system formed by connecting sensing node devices through the Internet or other networks.
3.16
Sensing node device
A device that collects information about objects or the environment and/or performs operations on them, and that can be networked for communication.
3.17
Sensing gateway node device
A device that aggregates, appropriately processes or fuses the data collected by sensing nodes, and forwards it.
3.18
Industrial control system
Industrial control system (ICS) is a general term covering the various control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other smaller control systems such as programmable logic controllers (PLC); such systems are now widely used in industrial sectors and critical infrastructure.
4 Abbreviations
The following abbreviations apply to this document.
AP: Wireless Access Point
DCS: Distributed Control System
ERP: Enterprise Resource Planning
FTP: File Transfer Protocol
HMI: Human-Machine Interface
IaaS: Infrastructure as a Service
ICS: Industrial Control System
IoT: Internet of Things
IP: Internet Protocol
IT: Information Technology
MES: Manufacturing Execution System
PLC: Programmable Logic Controller
RFID: Radio Frequency Identification
SaaS: Software as a Service
SCADA: Supervisory Control and Data Acquisition
SSID: Service Set Identifier
TCB: Trusted Computing Base
USB: Universal Serial Bus
WEP: Wired Equivalent Privacy
WPS: WiFi Protected Setup
GB/T 22239-2019
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 22239-2008
Information security technology -
Baseline for classified protection of cybersecurity
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: State Market Regulatory Administration;
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview of Classified protection of cybersecurity
5.1 Object under classified protection
5.2 Different classes of security protection ability
5.3 General security requirements and security extension requirements
6 Level 1 security requirements
6.1 General security requirements
6.2 Security extension requirements of cloud computing
6.3 Security extension requirements of mobile internet
6.4 Security extension requirements for IoT
6.5 Security extension requirements for industrial control systems
7 Level 2 security requirements
7.1 General security requirements
7.2 Extension requirements for cloud computing security
7.3 Extension requirements for mobile Internet security
7.4 Extension requirements for IoT security
7.5 Security extension requirements for industrial control systems
8 Level 3 security requirements
8.1 General security requirements
8.2 Extension requirements for cloud computing security
8.3 Extension requirements for mobile Internet security
8.4 Extension requirements for IoT security
8.5 Security extension requirements for industrial control systems
9 Level 4 security requirements
9.1 General security requirements
9.2 Extension requirements for cloud computing security
9.3 Extension requirements for mobile internet security
9.4 Extension requirements for IoT security
9.5 Extension requirements for security of industrial control systems
10 Level 5 security requirements
Appendix A (Normative) Selection and use of general security requirements and security extension requirements
Appendix B (Normative) Requirements on overall security protection ability of the object under classified protection
Appendix C (Normative) Security framework of classified protection and requirements for key technology use
Appendix D (Informative) Description of cloud computing application scenarios
Appendix E (Informative) Description of mobile internet application scenarios
Appendix F (Informative) Description of IoT application scenario
Appendix G (Informative) Description of application scenarios of industrial control systems
Appendix H (Informative) Descriptions on big data application scenarios
References
Information security technology -
Baseline for classified protection of cybersecurity
1 Scope
This standard specifies the general security requirements and security
extension requirements for the object under classified protection from level 1
to level 4 of the classified protection of cybersecurity.
This standard is applicable to guide the security construction and supervision
Note: The class-5 protection object is a very important supervision and management
object. It has special management modes and security requirements, so it is not
described in this standard.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the edition cited applies to this document; for undated
references, the latest edition (including all amendments) applies to this
document.
GB 17859 Classified criteria for security protection of computer information
GB/T 22240 Information security technology - Classification guide for
classified protection of information system security
GB/T 25069 Information security technology glossary
GB/T 31167-2014 Information security technology - Security guide of cloud
computing services
GB/T 31168-2014 Information security technology - Security ability
requirements of cloud computing services
GB/T 32919-2016 Information security technology - Application guide to
industrial control system security control
Cloud service customer
Participants who use cloud computing services to establish business
relationships with cloud service providers.
[GB/T 31168-2014, definition 3.4]
3.6
Cloud computing platform / system
A collection of cloud computing infrastructure and service software provided
by a cloud service provider.
3.7
Hypervisor
An intermediate software layer that runs between the underlying physical
server and the operating system, allowing multiple operating systems and
applications to share hardware.
3.8
Host machine
The physical server running the hypervisor.
3.9
Mobile communication
The process of using a wireless communication technology to connect a
3.10
Mobile device
Terminal device used in mobile business, including general-purpose
terminals and special-purpose terminal device such as smart phones, tablets,
personal computers.
3.11
Wireless access device
A communication device that uses wireless communication technology to
WEP: Wired Equivalent Privacy
5 Overview of Classified protection of cybersecurity
5.1 Object under classified protection
The object under classified protection refers to the objects in the classified
protection of cybersecurity. It usually refers to a system consisting of computers
or other information terminals and related devices that collects, stores, transmits,
exchanges and processes information in accordance with certain rules and
procedures. It mainly includes basic information networks, cloud computing
platforms / systems, big data applications / platforms / resources, Internet of
Things (IoT), industrial control systems, systems using mobile internet
harm to national security, economic construction, and social life, and the degree
of harm to national security, social order, public interests, the legitimate rights
and interests of citizens, legal persons, and other organizations after damage,
divided into five protection classes from low to high.
See GB/T 22240 for the method of determining the security protection level of
the protected object.
5.2 Different classes of security protection ability
The basic security protection abilities that different classes of protected objects
shall possess are as follows:
resource damage caused by malicious attacks from individuals, threat sources
with few resources, general natural disasters, other threats of a considerable
degree of harm. After the damage, it may restore some functions.
Level 2 security protection ability: It shall be able to protect important
resources against damage caused by malicious attacks from small external sources,
threat sources with a small amount of resources, general natural disasters and
other threats of considerable harm. It shall be able to detect important security
vulnerabilities and handle security incidents, and to restore some functions
within a period of time after damage.
resource damage caused by malicious attacks from externally organized
groups, threat sources with richer resources, more severe natural disasters,
scenarios of cloud computing are as shown in Appendix D; the application
scenarios of mobile Internet are as shown in Appendix E; the IoT application
scenarios are as shown in Appendix F; the application scenarios of industrial
control system are as shown in Appendix G; the application scenarios of big
data are as shown in Appendix H. For the objects under classified protection
that use other special technologies or in special application scenarios, it shall
take special security measures as a supplement to security risks on the basis
6 Level 1 security requirements
6.1 General security requirements
6.1.1 Security physical environment
6.1.1.1 Physical access control
At the entrance and exit of the computer room, it shall assign a special person
on duty or equip with an electronic access control system to control, identify
and record the entering personnel.
6.1.1.2 Protection against theft and vandalism
Device or main components shall be fixed and identified with obvious signs that
6.1.1.3 Lightning protection
All kinds of cabinets, facilities and device shall be safely grounded through the
grounding system.
6.1.1.4 Fire prevention
The computer room shall be equipped with fire extinguishing device.
6.1.1.5 Waterproof and moisture-proof
It shall take measures to prevent rainwater from penetrating through the
windows, roof and walls of the computer room.
6.1.1.6 Temperature and humidity control
temperature and humidity changes in the computer room are within the range
allowed by the device operation.
This requirement includes:
a) It shall identify and authenticate the identity of the logged-in user. The
identity is unique; the identity authentication information has complexity
requirements and is replaced regularly;
b) It shall have the function of handling the login failure; it shall be configured
and enabled to end the session, limit the number of illegal logins,
automatically log out when the login connection times out.
This requirement includes:
a) It shall assign accounts and permissions to logged-in users;
b) It shall rename or delete the default account; modify the default password
of the default account;
c) It shall delete or deactivate the redundant and expired accounts in time,
to avoid the existence of shared accounts.
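As an added example (not text or code from the standard or its publisher), the following Python script audits an OpenSSH sshd_config fragment and a constructed account inventory against the two requirement lists above: regularly replaced authentication information, login-failure handling (limiting failed logins and logging out idle sessions), and default, expired and shared accounts. The sshd_config directive names are real OpenSSH directives; the thresholds (5 failed attempts, 90-day password replacement) and the default-account name list are assumptions, not values taken from the standard.

```python
# Added example (not from GB/T 22239-2019): audit an OpenSSH sshd_config fragment
# and a constructed account inventory against the two requirement lists above.
from datetime import date

SAMPLE_SSHD_CONFIG = """
PermitRootLogin yes
MaxAuthTries 20
ClientAliveInterval 0
"""

# constructed inventory: (login, password_max_days, expires_on, people_using_it)
SAMPLE_ACCOUNTS = [
    ("alice", 90, None, 1),
    ("ops", 99999, None, 3),                   # shared, password never replaced
    ("contractor", 90, date(2023, 1, 31), 1),  # expired but still enabled
    ("admin", 90, None, 1),                    # default account name kept
]
DEFAULT_ACCOUNT_NAMES = {"root", "admin", "administrator", "guest"}  # assumed list

def parse_sshd_config(text):
    # 'Directive value' lines, comments stripped; OpenSSH directives are case-insensitive
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            cfg[key.lower()] = value.strip()
    return cfg

def audit_sshd(cfg, max_tries=5):
    # login-failure handling (limit failed logins, idle logout) and the root default account
    findings = []
    if cfg.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: default account root not restricted")
    if int(cfg.get("maxauthtries", 6)) > max_tries:
        findings.append("MaxAuthTries too high: number of failed logins not limited")
    if int(cfg.get("clientaliveinterval", 0)) == 0:
        findings.append("ClientAliveInterval 0: idle sessions are never logged out")
    return findings

def audit_accounts(accounts, today=None, max_days=90):
    # regular replacement of authentication information; default, expired, shared accounts
    today = today or date.today()
    findings = []
    for login, pw_max_days, expires, users in accounts:
        if login in DEFAULT_ACCOUNT_NAMES:
            findings.append(f"{login}: default account, rename or delete it")
        if pw_max_days > max_days:
            findings.append(f"{login}: password not replaced regularly")
        if expires is not None and expires < today:
            findings.append(f"{login}: expired account still present")
        if users > 1:
            findings.append(f"{login}: shared account")
    return findings
```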
6.1.4.3 Intrusion prevention
This requirement includes:
a) It shall follow the principle of minimum installation, to install only the