Foreword
Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 22240-2008 Information security technology - Classification guide for classified protection of information systems security. Compared with that edition, the following main technical changes have been made:
——the terms and definitions of target of classified protection and information system are modified, and those of cybersecurity, network infrastructure and data resources are added (see Clause 3 hereof; Clause 3 of Edition 2008);
——the methods for determining the to-be-classified target of network infrastructure and data resources are added (see 5.2 and 5.3);
——a description for classification of specific to-be-classified targets is added (see Clause 7);
——the classification process is modified (see 4.4 hereof; 5.1 of Edition 2008).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the National Technical Committee on Information Security of Standardization Administration of China (SAC/TC 260).
The previous edition of this standard is as follows:
——GB/T 22240-2008.
Introduction
To support the implementation of the Cybersecurity Law of the People's Republic of China and to keep pace with the practice of classified protection of cybersecurity under such new technologies and applications as cloud computing, mobile communication, IoT, industrial control and big data, GB/T 22240-2008 is revised. Supplements, refinements and improvements are made in every aspect from the definition of the target of classified protection to the classification process, so as to form a new classification guide for classified protection of cybersecurity.
National standards in relation to this one include:
——GB/T 22239 Information security technology - Baseline for classified protection of cybersecurity;
——GB/T 25058 Information security technology - Implementation guide for classified protection of cybersecurity;
——GB/T 25070 Information security technology - Technical requirements of security design for classified protection of cybersecurity;
——GB/T 28448 Information security technology - Evaluation requirement for classified protection of cybersecurity;
——GB/T 28449 Information security technology - Testing and evaluation process guide for classified protection of cybersecurity.
Information security technology - Classification guide for classified protection of cybersecurity
1 Scope
This standard specifies the classification method and process of security protection class for targets of classified protection that do not involve state secrets.
This standard is applicable to guiding network operators in the classification of targets of classified protection that do not involve state secrets.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 25069 Information security techniques - Terminology
GB/T 29246-2017 Information technology - Security techniques - Information security management systems - Overview and vocabulary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 32919-2016 Information security technology - Application guide to industrial control system security control
GB/T 35295-2017 Information technology - Big data - Terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB 17859-1999, GB/T 22239-2019, GB/T 25069, GB/T 29246-2017, GB/T 31167-2014, GB/T 32919-2016 and GB/T 35295-2017 and the following apply. For the convenience of use, some terms and definitions given in the above standards are listed again below.
3.1
cybersecurity
capability of guaranteeing stable and reliable operation of the network and ensuring the integrity, confidentiality and availability of the network data by taking necessary measures to prevent the network from attack, intrusion, interference, sabotage, illegal use and unexpected accident
[GB/T 22239-2019, Definition 3.1]
3.2
target of classified protection
target on which the classified protection of cybersecurity directly acts
Note: It mainly includes information system, network infrastructure and data resources.
3.3
information system
applications, services, information technology assets, or other information processing components
[GB/T 29246-2017, Definition 2.39]
Note 1: The information system, usually composed of computers or other information terminals and related equipment, carries out information processing or process control according to certain application goals and rules.
Note 2: Typical information systems include office automation system, cloud computing platform/system, IoT, industrial control system and system adopting mobile communication technology, etc.
3.4
network infrastructure
network equipment and facilities that play a basic supporting role for information circulation and network operation
Note: It mainly includes telecommunication network, radio and television transmission network and special communication network of industries or organizations.
3.5
data resources
collection of data that has or is expected to have value
Note: Data resources mostly exist in electronic form.
3.6
object of infringement
social relations protected by law that are infringed when the target of classified protection is damaged
Note: It is hereinafter referred to as “object”.
3.7
objective
objective external manifestations showing that the object is infringed, including the infringement way and the infringement result
4 Classification principle and process
4.1 Security protection class
Based on factors such as the significance of the target of classified protection to national security, economic construction and social life, and the degree of infringement on national security, social order, public interests and the legitimate rights and interests of citizens, legal persons and other organizations once the target is damaged, its function is lost, or its data is tampered with, disclosed, lost or damaged, the security protection of the target of classified protection is classified into the following five classes:
a) Class I: after the target of classified protection is damaged, the legitimate rights and interests of relevant citizens, legal persons and other organizations will suffer general damage, while national security, social order and public interests will not be damaged;
b) Class II: after the target of classified protection is damaged, the legitimate rights and interests of relevant citizens, legal persons and other organizations will suffer serious or particularly serious damage, or social order and public interests will suffer damage, while national security will not be damaged;
Contents of GB/T 22240-2020
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Classification principle and process
4.1 Security protection class
4.2 Classification elements
4.2.1 Overview of classification elements
4.2.2 Object of infringement
4.2.3 Degree of infringement to object
4.3 Relationship between classification elements and security protection class
4.4 Classification process
5 Determination of to-be-classified target
5.1 Information system
5.1.1 Basic characteristics of to-be-classified target
5.1.2 Cloud computing platform/system
5.1.3 IoT
5.1.4 Industrial control system
5.1.5 Systems adopting mobile communication technology
5.2 Network infrastructure
5.3 Data resources
6 Determination of security protection class
6.1 Classification method summary
6.2 Determination of object of infringement
6.3 Degree of infringement to object
6.3.1 Objective of infringement
6.3.2 Comprehensive judgment of the degree of infringement
6.4 Preliminary determination of classification
7 Determination of security protection class
8 Class change
Bibliography