Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 22239-2008 Information security technology - Baseline for classified protection of information system security and has the following main changes with respect to GB/T 22239-2008:
——The standard name is changed to Information security technology - Baseline for classified protection of cybersecurity.
——The classification is adjusted to secure physical environment, secure communication network, secure area boundary, secure computing environment, security management center, security management system, security management organization, security management personnel, secure construction management and secure operation and maintenance management.
——The security requirements of each level are adjusted to general security requirements, special security requirements for cloud computing, special security requirements for mobile communication, special security requirements for internet of things and special security requirements for industrial control system.
——Marks S, A and G of the original security control point are deleted; Annex A is added to describe the relationship between the classification result for targets of classified security and the security requirements, stating how to select security requirements according to the classification result.
——The sequence of Annex A and Annex B is adjusted; Annex C is added to describe the general framework of classified protection of cybersecurity and put forward the requirements for the use of key technologies.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC 260).
The previous edition of this standard is as follows:
——GB/T 22239-2008.
Introduction
With a view to cooperating with the implementation of Cybersecurity Law of the People's Republic of China and adapting to the proceeding of classified protection of cybersecurity under new technologies and applications such as cloud computing, mobile communication, internet of things, industrial control and big data, GB/T 22239-2008 shall be revised; the revision idea and method are to adjust the contents of GB/T 22239-2008, propose general security requirements in allusion to general security protection requirements and put forward special security requirements in allusion to individualized security protection requirements of new technologies and applications such as cloud computing, mobile communication, internet of things, industrial control and big data in order to form new standard of baseline for classified protection of cybersecurity.
This standard is one of the series standards related to classified protection of cybersecurity.
Standards in relation to this one include:
——GB/T 25058 Information security technology - Implementation guide for classified protection of information system;
——GB/T 22240 Information security technology - Classification guide for classified protection of information system security;
——GB/T 25070 Information security technology - Technical requirements of security design for classified protection of cybersecurity;
——GB/T 28448 Information security technology - Evaluation requirement for classified protection of cybersecurity;
——GB/T 28449 Information security technology - Testing and evaluation process guide for classified protection of cybersecurity.
In the text of this standard, those in bold represent requirements added or strengthened in higher level.
Information security technology - Baseline for classified protection of cybersecurity
1 Scope
This standard specifies the general security requirements and special security requirements for the targets of classified security from Level 1 to Level 4 under the classified protection of cybersecurity.
It applies to guide the security construction and supervisory management for classified non-secret-involved targets.
Note: The Level 5 targets of classified security are very important objects for supervision and management. There are special management mode and security requirements proposed for them, which are not expatiated herein.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the referenced edition is applicable. For undated references, the latest edition of the referenced document (including all amendments) is applicable.
GB 17859 Classified criteria for security protection of computer information system
GB/T 22240 Information security technology - Classification guide for classified protection of information system security
GB/T 25069 Information security technology - Glossary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 31168-2014 Information security technology - Security capability requirements of cloud computing services
GB/T 32919-2016 Information security technology - Application guide to industrial control system security control
3 Terms and definitions
For the purpose of this document, terms and definitions given in GB 17859, GB/T 22240, GB/T 25069, GB/T 31167-2014, GB/T 31168-2014 and GB/T 32919-2016 as well as the following ones are applicable to this document. For ease of use, some terms and definitions in GB/T 31167-2014, GB/T 31168-2014 and GB/T 32919-2016 are relisted as follows.
3.1
cybersecurity
abilities to keep the network away from attack, intrusion, interference, damage, illegal use and unexpected accident, enable the network to operate stably and reliably and ensure the integrity, confidentiality and availability of network data by taking necessary measures
3.2
security protection ability
extent for being protected against threat, detecting security incident, restoring to the previous state after damage, etc.
3.3
cloud computing
mode of gaining access to extensible, flexible and shareable physical or virtual resource pools and acquiring, managing resources through on-demand self-service through Internet
Note: Resource examples include the server, operating system, network, software, application, storage device, etc.
[GB/T 31167-2014, definition 3.1]
3.4
cloud service provider
provider of cloud computing service
Note: The cloud service provider manages, operates and supports the computing infrastructure and software for cloud computing, and delivers cloud computing resources through Internet.
[GB/T 31167-2014, definition 3.3]
3.5
cloud service customer
participant entering into business relationship with the cloud service provider for cloud computing service
[GB/T 31168-2014, definition 3.4]
3.6
cloud computing platform/system
collection of cloud computing infrastructure and service software on it offered by the cloud service provider
3.7
hypervisor
intermediate software layer running between the basic physical server and the operating system, which allow hardware sharing among multiple operating systems and applications
3.8
host machine
physical server that runs the hypervisor
3.9
mobile communication
process of connecting mobile devices to a wired network through wireless communication technology
3.10
mobile device
terminal devices used in mobile services, including general terminal and special terminal devices such as smartphones, tablet computers and personal computers
3.11
wireless access device
communication device that connects mobile devices to a wired network though wireless communication technology
3.12
wireless access gateway
device deployed between a wireless network and a wired network to safeguard the wired network
3.13
mobile application
application developed for mobile devices
3.14
mobile device management system
specialized software for mobile device management, application management and content management, including client software and server software
3.15
internet of things
system formed by connecting sensor nodes via Internet or other networks
3.16
sensor node
device capable of acquiring information from and/or executing operation on objects or environment, as well as conducting network communication
3.17
sensor layer gateway
device for summarizing, properly processing or integrating and forwarding the data collected from sensor node
Foreword i
Introduction iii
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview on classified protection of cybersecurity
5.1 Target of classified security
5.2 Different levels of security protection abilities
5.3 General security requirements and special security requirements
6 Level 1 security requirements
6.1 General security requirements
6.2 Special security requirements for cloud computing
6.3 Special security requirements for mobile communication
6.4 Special security requirements for IoT
6.5 Special security requirements for industrial control system
7 Level 2 security requirements
7.1 General security requirements
7.2 Special security requirements for cloud computing
7.3 Special security requirements for mobile communication
7.4 Special security requirements for IoT
7.5 Special security requirements for industrial control system
8 Level 3 security requirements
8.1 General security requirements
8.2 Special security requirements for cloud computing
8.3 Special security requirements for mobile communication
8.4 Special security requirements for IoT
8.5 Special security requirements for industrial control system
9 Level 4 security requirements
9.1 General security requirements
9.2 Special security requirements for cloud computing
9.3 Special security requirements for mobile interconnection
9.4 Special security requirements for IoT
9.5 Special security requirements for industrial control system
10 Level 5 security requirements
Annex A (Normative) Selection and application for general security requirements and special security requirements
Annex B (Normative) Requirements for the integral security protection ability of targets of classified security
Annex C (Normative) Security framework of classified protection and operating requirements of key technology
Annex D (Informative) Description of the application scenarios of cloud computing
Annex E (Informative) Description of the application scenarios of mobile communication
Annex F (Informative) Description of the application scenarios of IoT
Annex G (Informative) Description of the application scenarios of industrial control system
Annex H (Informative) Description of the application scenarios of big data
Bibliography
Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 22239-2008 Information security technology - Baseline for classified protection of information system security and has the following main changes with respect to GB/T 22239-2008:
——The standard name is changed to Information security technology - Baseline for classified protection of cybersecurity.
——The classification is adjusted to secure physical environment, secure communication network, secure area boundary, secure computing environment, security management center, security management system, security management organization, security management personnel, secure construction management and secure operation and maintenance management.
——The security requirements of each level are adjusted to general security requirements, special security requirements for cloud computing, special security requirements for mobile communication, special security requirements for internet of things and special security requirements for industrial control system.
——Marks S, A and G of the original security control point are deleted; Annex A is added to describe the relationship between the classification result for targets of classified security and the security requirements, stating how to select security requirements according to the classification result.
——The sequence of Annex A and Annex B is adjusted; Annex C is added to describe the general framework of classified protection of cybersecurity and put forward the requirements for the use of key technologies.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC 260).
The previous edition of this standard is as follows:
——GB/T 22239-2008.
Introduction
With a view to cooperating with the implementation of Cybersecurity Law of the People's Republic of China and adapting to the proceeding of classified protection of cybersecurity under new technologies and applications such as cloud computing, mobile communication, internet of things, industrial control and big data, GB/T 22239-2008 shall be revised; the revision idea and method are to adjust the contents of GB/T 22239-2008, propose general security requirements in allusion to general security protection requirements and put forward special security requirements in allusion to individualized security protection requirements of new technologies and applications such as cloud computing, mobile communication, internet of things, industrial control and big data in order to form new standard of baseline for classified protection of cybersecurity.
This standard is one of the series standards related to classified protection of cybersecurity.
Standards in relation to this one include:
——GB/T 25058 Information security technology - Implementation guide for classified protection of information system;
——GB/T 22240 Information security technology - Classification guide for classified protection of information system security;
——GB/T 25070 Information security technology - Technical requirements of security design for classified protection of cybersecurity;
——GB/T 28448 Information security technology - Evaluation requirement for classified protection of cybersecurity;
——GB/T 28449 Information security technology - Testing and evaluation process guide for classified protection of cybersecurity.
In the text of this standard, those in bold represent requirements added or strengthened in higher level.
Information security technology - Baseline for classified protection of cybersecurity
1 Scope
This standard specifies the general security requirements and special security requirements for the targets of classified security from Level 1 to Level 4 under the classified protection of cybersecurity.
It applies to guide the security construction and supervisory management for classified non-secret-involved targets.
Note: The Level 5 targets of classified security are very important objects for supervision and management. There are special management mode and security requirements proposed for them, which are not expatiated herein.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the referenced edition is applicable. For undated references, the latest edition of the referenced document (including all amendments) is applicable.
GB 17859 Classified criteria for security protection of computer information system
GB/T 22240 Information security technology - Classification guide for classified protection of information system security
GB/T 25069 Information security technology - Glossary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 31168-2014 Information security technology - Security capability requirements of cloud computing services
GB/T 32919-2016 Information security technology - Application guide to industrial control system security control
3 Terms and definitions
For the purpose of this document, terms and definitions given in GB 17859, GB/T 22240, GB/T 25069, GB/T 31167-2014, GB/T 31168-2014 and GB/T 32919-2016 as well as the following ones are applicable to this document. For ease of use, some terms and definitions in GB/T 31167-2014, GB/T 31168-2014 and GB/T 32919-2016 are relisted as follows.
3.1
cybersecurity
abilities to keep the network away from attack, intrusion, interference, damage, illegal use and unexpected accident, enable the network to operate stably and reliably and ensure the integrity, confidentiality and availability of network data by taking necessary measures
3.2
security protection ability
extent for being protected against threat, detecting security incident, restoring to the previous state after damage, etc.
3.3
cloud computing
mode of gaining access to extensible, flexible and shareable physical or virtual resource pools and acquiring, managing resources through on-demand self-service through Internet
Note: Resource examples include the server, operating system, network, software, application, storage device, etc.
[GB/T 31167-2014, definition 3.1]
3.4
cloud service provider
provider of cloud computing service
Note: The cloud service provider manages, operates and supports the computing infrastructure and software for cloud computing, and delivers cloud computing resources through Internet.
[GB/T 31167-2014, definition 3.3]
3.5
cloud service customer
participant entering into business relationship with the cloud service provider for cloud computing service
[GB/T 31168-2014, definition 3.4]
3.6
cloud computing platform/system
collection of cloud computing infrastructure and service software on it offered by the cloud service provider
3.7
hypervisor
intermediate software layer running between the basic physical server and the operating system, which allow hardware sharing among multiple operating systems and applications
3.8
host machine
physical server that runs the hypervisor
3.9
mobile communication
process of connecting mobile devices to a wired network through wireless communication technology
3.10
mobile device
terminal devices used in mobile services, including general terminal and special terminal devices such as smartphones, tablet computers and personal computers
3.11
wireless access device
communication device that connects mobile devices to a wired network though wireless communication technology
3.12
wireless access gateway
device deployed between a wireless network and a wired network to safeguard the wired network
3.13
mobile application
application developed for mobile devices
3.14
mobile device management system
specialized software for mobile device management, application management and content management, including client software and server software
3.15
internet of things
system formed by connecting sensor nodes via Internet or other networks
3.16
sensor node
device capable of acquiring information from and/or executing operation on objects or environment, as well as conducting network communication
3.17
sensor layer gateway
device for summarizing, properly processing or integrating and forwarding the data collected from sensor node
Contents of GB/T 22239-2019
Foreword i
Introduction iii
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview on classified protection of cybersecurity
5.1 Target of classified security
5.2 Different levels of security protection abilities
5.3 General security requirements and special security requirements
6 Level 1 security requirements
6.1 General security requirements
6.2 Special security requirements for cloud computing
6.3 Special security requirements for mobile communication
6.4 Special security requirements for IoT
6.5 Special security requirements for industrial control system
7 Level 2 security requirements
7.1 General security requirements
7.2 Special security requirements for cloud computing
7.3 Special security requirements for mobile communication
7.4 Special security requirements for IoT
7.5 Special security requirements for industrial control system
8 Level 3 security requirements
8.1 General security requirements
8.2 Special security requirements for cloud computing
8.3 Special security requirements for mobile communication
8.4 Special security requirements for IoT
8.5 Special security requirements for industrial control system
9 Level 4 security requirements
9.1 General security requirements
9.2 Special security requirements for cloud computing
9.3 Special security requirements for mobile interconnection
9.4 Special security requirements for IoT
9.5 Special security requirements for industrial control system
10 Level 5 security requirements
Annex A (Normative) Selection and application for general security requirements and special security requirements
Annex B (Normative) Requirements for the integral security protection ability of targets of classified security
Annex C (Normative) Security framework of classified protection and operating requirements of key technology
Annex D (Informative) Description of the application scenarios of cloud computing
Annex E (Informative) Description of the application scenarios of mobile communication
Annex F (Informative) Description of the application scenarios of IoT
Annex G (Informative) Description of the application scenarios of industrial control system
Annex H (Informative) Description of the application scenarios of big data
Bibliography
