Information security technology -
Evaluation requirement for classified protection of cybersecurity
1 Scope
This standard specifies both the general requirements and special requirements for security testing and evaluation of targets of classified security.
This standard is applicable to, and provides guidance for, security testing and evaluation of the security status of targets of classified security performed by security testing and evaluation service institutions, operation and use units of targets of classified security, and competent departments. It may also be used as a reference by cybersecurity competent departments when carrying out supervision and inspection of classified protection of cybersecurity.
Note: Level 5 targets of classified security are very important supervision and management targets; a special management mode and special security testing and evaluation requirements are proposed for them, which are not described herein.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 25069 Information security technology - Glossary
GB/T 25070-2019 Information security technology - Technical requirements of security design for information system classified protection
GB/T 28449-2018 Information security technology - Testing and evaluation process guide for classified protection of cybersecurity
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 31168-2014 Information security technology - Security capability requirements of cloud computing services
GB/T 32919-2016 Information security technology - Application guide to industrial control system security control
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB 17859-1999, GB/T 25069, GB/T 22239-2019, GB/T 25070-2019, GB/T 31167-2014, GB/T 31168-2014 and GB/T 32919-2016 and the following apply. For easy reference, some terms and definitions given in GB/T 31167-2014 and GB/T 31168-2014 are listed below.
3.1
interview
process by which the testing and evaluation personnel guide the personnel related to the target of classified security to communicate purposefully (pertinently) to help the testing and evaluation personnel understand, clarify or obtain evidence
3.2
examine
process by which the testing and evaluation personnel understand, clarify or obtain evidence by observing, checking and analyzing the targets of testing and evaluation, such as system documents, and various devices and related security configurations
3.3
test
process by which the testing and evaluation personnel use predetermined methods/tools to make the targets of testing and evaluation (various devices or security configurations) produce specific results, and compare the operational results with the expected results
3.4
evaluate
process of comprehensively evaluating and predicting the possible threats and possible consequences of the targets of testing and evaluation
3.5
target of testing and evaluation
target of different testing and evaluation methods in testing and evaluation for classified cybersecurity protection, mainly involving related supporting system documents, devices, facilities, personnel, etc.
3.6
testing and evaluation for classified cybersecurity protection
activity of testing and evaluation agencies testing and evaluating the status of classified protection of cybersecurity not involving state secrets in accordance with the provisions of the national classified protection system of cybersecurity and according to the relevant management specifications and technical standards
3.7
cloud service provider
provider of cloud computing service
Note: The cloud service provider manages, operates and supports the computing infrastructure and software of cloud computing, and delivers the cloud computing resources through the Internet.
[GB/T 31167-2014, Definition 3.3]
3.8
cloud service customer
participant entering into business relationship with the cloud service provider to use the cloud computing service
[GB/T 31168-2014, Definition 3.4]
3.9
hypervisor
intermediate software layer operated between the basic physical server and the operating system, which may allow sharing of hardware by multiple operating systems and applications
3.10
host machine
physical server that operates the hypervisor
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
AP: Wireless Access Point
APT: Advanced Persistent Threat
DDoS: Distributed Denial of Service
SSID: Service Set Identifier
WEP: Wired Equivalent Privacy
WiFi: Wireless Fidelity
WPS: Wi-Fi Protected Setup
5 General about testing and evaluation for classified cybersecurity protection
5.1 Testing and evaluation method for classified cybersecurity protection
The basic method for implementing testing and evaluation for classified cybersecurity protection is to obtain the required evidence data for a given target of testing and evaluation, using relevant testing and evaluation means and following certain testing and evaluation procedures, and to give a judgment on whether a specific level of security protection ability is achieved. See GB/T 28449-2018 for the detailed process and method of testing and evaluation for classified cybersecurity protection.
In this standard, the testing and evaluation for each requirement item constitutes a single testing and evaluation, and all the specific testing and evaluation contents for a given requirement item constitute the testing and evaluation implementation. Each specific testing and evaluation implementation requirement item (hereinafter referred to as "testing and evaluation requirement item") in a single testing and evaluation corresponds to the requirement item (testing and evaluation index) included in the security control point. Interview, examination and testing, or any one or two of them, may be used for testing and evaluating each requirement item. The content of the implementation of testing and evaluation completely covers the testing and evaluation requirements of all requirement items in GB/T 22239-2019 and GB/T 25070-2019. When this standard is used, the single testing and evaluation requirements for each requirement item in GB/T 22239-2019 shall be extracted from the implementation of single testing and evaluation, and a testing and evaluation guideline shall be developed according to these requirements to regulate and guide the testing and evaluation activities for classified cybersecurity protection.
According to the research results, the business process and data flow of the target of classified security shall be analyzed and the testing and evaluation scope determined. Taking into account the security level of the target of classified security, comprehensively analyze the functions and characteristics of each device and component in the system, determine the technical-level targets of testing and evaluation based on the importance, security, sharing, comprehensiveness and appropriateness of the components of the target of classified security, and define the related personnel and management documents as the management-level targets of testing and evaluation. The targets of testing and evaluation may be described by category, including machine room, business application software, host operating system, database management systems, network interconnection device, security device, interviewers, and security management documents.
Testing and evaluation for classified cybersecurity protection involves testing and evaluation intensity, which includes testing and evaluation extent (coverage) and testing and evaluation depth (strength). When testing and evaluation is implemented at a high security protection level, targets of testing and evaluation with wider coverage and stronger testing and evaluation means shall be selected, and testing and evaluation evidence with higher credibility may be obtained. See Annex A for the specific description of testing and evaluation intensity.
The testing and evaluation requirements at each level include 5 parts, namely general requirements for security testing and evaluation, special requirements for security testing and evaluation of cloud computing, special requirements for security testing and evaluation of mobile interconnection, special requirements for security testing and evaluation of internet of things and special requirements for security testing and evaluation of industrial control system. See Annex B for security evaluation methods that may be referred to for big data.
5.2 Single testing and evaluation and overall testing and evaluation
Testing and evaluation for classified cybersecurity protection includes single testing and evaluation and overall testing and evaluation.
Single testing and evaluation is the testing and evaluation performed for each security requirement item, which supports the repeatability and reproducibility of the testing and evaluation results. In this standard, a single testing and evaluation consists of the testing and evaluation index, the target of testing and evaluation, the implementation of testing and evaluation and the unit judgment results. For convenience of use, each testing and evaluation unit is numbered, and the specific description is shown in Annex C.
Overall testing and evaluation is to adjust the overall security protection ability of the target of classified security based on the single testing and evaluation. The overall security protection ability shall be judged from two perspectives, namely longitudinal-depth protection and measure complementarity.
6 Level 1 testing and evaluation requirements
6.1 General requirements for security testing and evaluation
6.1.1 Physical environment security
6.1.1.1 Physical access control
6.1.1.1.1 Testing and evaluation unit (L1-PES1-01)
The requirements for this testing and evaluation unit are as follows:
a) Testing and evaluation index: special personnel shall be designated or an electronic access control system shall be arranged at the entrance and exit of the machine room to control, identify and record the personnel entering the room.
b) Target of testing and evaluation: electronic access control system and duty record of the machine room.
c) Implementation of testing and evaluation: it shall be examined whether special personnel are designated or an electronic access control system is arranged.
d) Unit judgment: if the answer to the above implementation content is affirmative, the index requirements for this testing and evaluation unit are met; otherwise, not met.
Contents of GB/T 28448-2019
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General about testing and evaluation for classified cybersecurity protection
5.1 Testing and evaluation method for classified cybersecurity protection
5.2 Single testing and evaluation and overall testing and evaluation
6 Level 1 testing and evaluation requirements
6.1 General requirements for security testing and evaluation
6.2 Special requirements for security testing and evaluation of cloud computing
6.3 Special requirements for security testing and evaluation of mobile interconnection
6.4 Special requirements for security testing and evaluation of internet of things
6.5 Special requirements for security testing and evaluation of industrial control system
7 Level 2 testing and evaluation requirements
7.1 General requirements for security testing and evaluation
7.2 Special requirements for security testing and evaluation of cloud computing
7.3 Special requirements for security testing and evaluation of mobile interconnection
7.4 Special requirements for security testing and evaluation of internet of things
7.5 Special requirements for security testing and evaluation of industrial control system
8 Level 3 testing and evaluation requirements
8.1 General requirements for security testing and evaluation
8.2 Special requirements for security testing and evaluation of cloud computing
8.3 Special requirements for security testing and evaluation of mobile interconnection
8.4 Special requirements for security testing and evaluation of internet of things
8.5 Special requirements for security testing and evaluation of industrial control system
9 Level 4 testing and evaluation requirements
9.1 General requirements for security testing and evaluation
9.2 Special requirements for security testing and evaluation of cloud computing
9.3 Special requirements for security testing and evaluation of mobile interconnection
9.4 Special requirements for security testing and evaluation of internet of things
9.5 Special requirements for security testing and evaluation of industrial control system
10 Level 5 testing and evaluation requirements
11 Overall testing and evaluation
11.1 General
11.2 Testing and evaluation of security control points
11.3 Testing and evaluation of inter-security control points
11.4 Testing and evaluation of inter-areas
12 Conclusion of testing and evaluation
12.1 Risk analysis and evaluation
12.2 Conclusion of testing and evaluation for classified cybersecurity protection
Annex A (Informative) Testing and evaluation intensity
Annex B (Informative) Security evaluation methods which may be referred by big data
Annex C (Normative) Numbering description of testing and evaluation unit
Bibliography