GB/T 34942-2025 English PDF
Basic data
Standard ID: GB/T 34942-2025 (GB/T34942-2025)
Description (Translated English): Cybersecurity technology - The assessment method for security capability of cloud computing service
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.030
Word Count Estimation: 166,143
Date of Issue: 2025-08-01
Date of Implementation: 2026-02-01
Older Standard (superseded by this standard): GB/T 34942-2017
Issuing agency(ies): State Administration for Market Regulation, Standardization Administration of China

GB/T 34942-2025: Cybersecurity technology - The assessment method for security capability of cloud computing service

This is an excerpt. The full English PDF (including equations, symbols, images, flow-charts, tables and figures) is available at: https://www.ChineseStandard.net/PDF.aspx/GBT34942-2025

ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replaces GB/T 34942-2017
Cybersecurity technology - Cloud computing service security capability assessment method
Issued on August 1, 2025; implemented on February 1, 2026
Issued by the State Administration for Market Regulation and the Standardization Administration of China

Table of Contents
Preface
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 Overview
5.1 Assessment Principles
5.2 Assessment Content
5.3 Assessment Evidence
5.4 Assessment Implementation Process
5.5 Comprehensive Assessment
6 System Development and Supply Chain Security Assessment Methods
6.1 Resource Allocation
6.2 System Lifecycle
6.3 Procurement Process
6.4 System Documentation
6.5 Criticality Analysis
6.6 External Services
6.7 Developer Security Architecture
6.8 Development Process, Standards and Tools
6.9 Development Process Configuration Management
6.10 Developer Security Testing and Assessment
6.11 Training Provided by Developers
6.12 Component Authenticity
6.13 Unsupported System Components
6.14 Supply Chain Protection
7 System and Communication Protection Assessment Methods
7.1 Boundary Protection
7.2 Transmission Confidentiality and Integrity Protection
7.3 Network Disconnection
7.4 Trusted Path
7.5 Cryptography Usage and Management
7.6 Device Access Protection
7.7 Mobile Code
7.8 Session Authenticity
7.9 Malicious Code Protection
7.10 Memory Protection
7.11 System Virtualization Security
7.12 Network Virtualization Security
7.13 Storage Virtualization Security
7.14 Communication Protection for Security Management Functions
8 Access Control Assessment Methods
8.1 User Identification and Authentication
8.2 Identifier Management
8.3 Authentication Credential Management
8.4 Authentication Credential Feedback
8.5 Cryptographic Module Authentication
8.6 Account Management
8.7 Enforcement of Access Control
8.8 Information Flow Control
8.9 Least Privilege
8.10 Unsuccessful Login Attempts
8.11 System Usage Notice
8.12 Previous Access Notification
8.13 Concurrent Session Control
8.14 Session Lock
8.15 Actions Permitted without Identification and Authentication
8.16 Security Attributes
8.17 Remote Access
8.18 Wireless Access
8.19 Use of External Information Systems
8.20 Publicly Accessible Content
8.21 Web Access Security
8.22 API Access Security
9 Data Protection Assessment Methods
9.1 General Data Security
9.2 Media Access and Use
9.3 Residual Information Protection
9.4 Data Usage Protection
9.5 Data Sharing Protection
9.6 Data Migration Protection
10 Configuration Management Assessment Methods
10.1 Configuration Management Plan
10.2 Baseline Configuration
10.3 Change Control
10.4 Configuration Parameters
10.5 Least Functionality
10.6 Information System Component Inventory
11 Maintenance Management Assessment Methods
11.1 Controlled Maintenance
11.2 Maintenance Tools
11.3 Remote Maintenance
11.4 Maintenance Personnel
11.5 Timely Maintenance
11.6 Flaw Remediation
11.7 Security Function Verification
11.8 Software and Firmware Integrity
12 Emergency Response Assessment Methods
12.1 Incident Handling Plan
12.2 Incident Handling
12.3 Incident Reporting
12.4 Incident Handling Support
12.5 Security Alerts
12.6 Error Handling
12.7 Emergency Response Plan
12.8 Emergency Response Training
12.9 Emergency Drills
12.10 Information System Backup
12.11 Supporting Customers' Business Continuity Plans
12.12 Telecommunication Services
13 Audit Assessment Methods
13.1 Auditable Events
13.2 Audit Record Content
13.3 Audit Record Storage Capacity
13.4 Response to Audit Process Failure
13.5 Audit Review, Analysis and Reporting
13.6 Audit Processing and Report Generation
13.7 Timestamps
13.8 Audit Information Protection
13.9 Non-repudiation
13.10 Audit Record Retention
14 Risk Assessment and Continuous Monitoring Assessment Methods
14.1 Risk Assessment
14.2 Vulnerability Scanning
14.3 Continuous Monitoring
14.4 Information System Monitoring
14.5 Spam Monitoring
15 Security Organization and Personnel
15.1 Security Policies and Procedures
15.2 Security Organization
15.3 Position Risks and Responsibilities
15.4 Personnel Screening
15.5 Personnel Termination
15.6 Personnel Transfer
15.7 Third-party Personnel Security
15.8 Personnel Sanctions
15.9 Security Training
16 Physical and Environmental Security Assessment Methods
16.1 Site Selection for Physical Facilities and Equipment
16.2 Physical and Environmental Planning
16.3 Physical Environment Access Authorization
16.4 Physical Environment Access Control
16.5 Output Device Access Control
16.6 Physical Access Monitoring
16.7 Visitor Access Records
16.8 Equipment Transport and Removal
Appendix A (Informative) Common Cloud Computing Service Vulnerabilities
A.1 Overview
A.2 System Development and Supply Chain Security
A.3 System and Communication Protection
A.4 Access Control
A.5 Data Protection
A.6 Configuration Management
A.7 Maintenance Management
A.8 Emergency Response
A.9 Audit
A.10 Risk Assessment and Continuous Monitoring
A.11 Security Organization and Personnel
A.12 Physical and Environmental Security
Appendix B (Informative) Description of the Assessment of a Single Security Requirement
Bibliography

Preface
This document has been drafted in accordance with GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".
This document replaces GB/T 34942-2017 "Information security technology - Cloud computing service security capability assessment method". Compared with GB/T 34942-2017, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
a) the applicability limits of the scope have been changed (see Chapter 1; Chapter 1 of the 2017 edition);
b) assessment requirements for different capability levels and comprehensive assessment requirements have been added (see 5.2 and 5.5);
c) the specific assessment methods have been changed (see Chapters 6 to 8 and 10 to 14; Chapters 5 to 14 of the 2017 edition);
d) a data protection assessment method has been added (see Chapter 9).
Please note that some of the contents of this document may involve patents. The issuing body of this document does not assume responsibility for identifying patents.
This document was proposed by, and is under the jurisdiction of, the National Cybersecurity Standardization Technical Committee (SAC/TC260).
This document was drafted by:
China Electronics Technology Standardization Institute, China Cybersecurity Review and Certification and Market Supervision Big Data Center, National Information Technology Security Research Center, China Information Security Evaluation Center, China Academy of Information and Communications Technology, University of Science and Technology of China, Sichuan University China University of Posts and Telecommunications, China National Cyberspace Administration of China, China Great Wall Internet System Application Co., Ltd., State Information Center, National Industrial Information Security Development Research Center, National Computer Network Emergency Response Technical Team/Coordination Center, the 15th Research Institute of China Electronics Technology Group Corporation, Institute of Software of the Chinese Academy of Sciences, Institute of Information Engineering of the Chinese Academy of Sciences, Hangzhou Anheng Information Technology Co., Ltd., Beijing University of Aeronautics and Astronautics, Beijing Institute of Technology University of Posts and Telecommunications, Chongqing University of Electronic Science and Technology, Xidian University, Beijing University of Chemical Technology, Renmin University of China, Communication University of China, Tsinghua University, Shanghai Municipal Information Security Evaluation and Certification Center, the 30th Research Institute of China Electronics Technology Group Corporation, the Archives Information Center of Chongqing Municipal Market Supervision Administration, Mongolia Digital Economy Security Technology Co., Ltd., China Mobile Communications Co., Ltd. Research Institute, Huawei Cloud Computing Technology Co., Ltd., Alibaba Cloud Computing Co., Ltd., Tianyi Cloud Technology Co., Ltd., and AsiaInfo Technologies (Chengdu) Co., Ltd.
The main drafters of this document are:
Yang Jianjun, Wang Huili, Jia Dawen, He Yanzhe, Wu Yang, Hu Huaming, Lu Xia, Zhang Lina, Liu Jialiang, Zhang Jianjun, Li Jingchun, Zuo Xiaodong, Chen Xingshu, Min Jinghua, Zhou Yachao, Shi Dawei, Chen Yonggang, Zhang Liwu, Yang Chen, Fang Yong, Cao Ling, Zhang Mingtian, Wu Bin, Ma Qingdong, Qu Ping, Zhang Dongju, Ji Lei, Li Yanwei, Huo Shanshan, Wu Qianhong, Yang Zhen, Huang Yonghong, Ma Wenping, Xi Ning, Yang Li, Pei Qingqi, Wang Mingyan, Qin Bo, Yang Yang, Ge Xiaonan, Yan Min, Jiang Zhengtao, Li Na, Cai Yuyuan, Liu Yan, Ge Zhenpeng, Fan Xiaohui, Xiao Min, Han Xuefeng, Li Lianlei, Gao Qiang, Xu Yu, Jin Song, Zhang Ling, Li Fengfeng, Fang Qiang, Si Boyang, and Liao Shuangxiao.
The previous versions of this document and the documents it replaces are as follows:
--- first published in 2017 as GB/T 34942-2017;
--- this is the first revision.

Introduction
GB/T 31168-2023 "Information security technology - Cloud computing service security capability requirements" sets out the security capabilities that a cloud service provider should possess in order to protect the security of customer information and business in a cloud computing environment. That standard divides the cloud computing service security capability requirements into general requirements, enhanced requirements and advanced requirements; the enhanced and advanced requirements supplement and strengthen the requirements of the level below them. A cloud service provider should possess security capabilities appropriate to the sensitivity of the information it handles and the importance of the business it serves.
This document is the supporting assessment standard for GB/T 31168-2023: Chapters 6 to 16 of this document give the assessment methods corresponding to the requirements of Chapters 6 to 16 of GB/T 31168-2023, and thereby provide guidance for assessing the security capability of cloud computing services.
Third-party assessment agencies can develop corresponding security assessment plans on the basis of this document, using methods such as interviews, inspection and testing. This document can also serve as a reference for cloud service providers conducting self-assessments.

Cybersecurity technology - Cloud computing service security capability assessment method

1 Scope
This document establishes the principles and implementation process for assessments conducted on the basis of GB/T 31168-2023, and describes the assessment method for each specific security requirement.
This document is applicable to third-party assessment agencies assessing the security capability of cloud service providers in providing cloud computing services; it also provides a reference for cloud service providers conducting self-assessments.

2 Normative references
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 20984-2022 Information security technology - Information security risk assessment method
GB/T 25069-2022 Information security technology - Terminology
GB/T 31167-2023 Information security technology - Cloud computing service security guidelines
GB/T 31168-2023 Information security technology - Cloud computing service security capability requirements
GB/T 35273 Information security technology - Personal information security specification
GB/T 37972 Information security technology - Regulatory framework for cloud computing service operations
GB 50174 Code for design of data centers

3 Terms and definitions
The terms and definitions given in GB/T 25069-2022, GB/T 31167-2023 and GB/T 31168-2023 and the following apply to this document.
3.1 cloud computing
A model that provides access to a scalable and elastic pool of physical or virtual resources over a network, with on-demand self-service provisioning and management.
Note: Examples of resources include servers, operating systems, networks, software, applications and storage devices.
[Source: GB/T 31168-2023, 3.1]
3.2 cloud computing service
The capability to provide one or more resources by means of cloud computing (3.1) through defined interfaces.
[Source: GB/T 31168-2023, 3.2]
3.3 cloud service provider
A party that provides cloud computing services (3.2).
......