
GB 17859-1999 PDF in English



GB 17859-1999
GB
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.020
L 09

Classified Criteria for Security Protection of Computer Information System

ISSUED ON: SEPTEMBER 13, 1999
IMPLEMENTED ON: JANUARY 1, 2001
Issued by: State Quality Technical Supervision Bureau

Table of Contents
Foreword
1 Scope
2 Normative References
3 Definitions
4 Level Classification Criteria

Foreword

This Standard has three main goals: firstly, providing a reference for the formulation of safety codes for computer information systems and for supervision and inspection by law-enforcing departments; secondly, providing technical support for the development of safety products; and thirdly, providing technical guidance for the construction and management of safety systems.

This Standard is prepared by reference to the American Trusted Computer System Evaluation Criteria (DoD 5200.28-STD) and the Trusted Network Interpretation (NCSC-TG-005).

In the text of this Standard, text in bold marks performance requirements that do not appear at the lower level or that are strengthened.

This Standard is the first part of the serial standards for security protection of computer information system. The serial standards for security protection level of computer information system cover:
Classified Criteria for Security Protection of Computer Information System;
Guideline for Application of Classified Criteria for Security Protection of Computer Information System;
Evaluation Criteria for Security Protection of Computer Information System;
...

This Standard shall be implemented in accordance with the specifications of the supporting national standards.

This Standard was proposed by and shall be under the jurisdiction of the Ministry of Public Security of the People's Republic of China.

Drafting organizations of this Standard: Tsinghua University, Peking University and Chinese Academy of Sciences.

Chief drafters of this Standard: Hu Daoyuan, Wang Lifu, Qing Sihan, Jing Qianyuan, Na Risong, Li Zhipeng, Cai Qingming, Zhu Weiguo and Chen Zhong.

This Standard shall be implemented from January 1, 2001.

The Ministry of Public Security of the People's Republic of China is responsible for the interpretation of this Standard.

Classified Criteria for Security Protection of Computer Information System

1 Scope

This Standard specifies five levels of security protection capability for computer information systems, i.e.:
Level 1: the user's discretionary protection level;
Level 2: system audit protection level;
Level 3: security label protection level;
Level 4: structured protection level;
Level 5: access verification protection level.

This Standard is applicable to the classification of technical capability levels for computer information system security protection. As the security protection level rises, the security protection capability of the computer information system increases gradually.

2 Normative References

The following normative documents contain provisions which, through reference in this text, constitute provisions of this Standard. At the time of publication, the editions indicated were valid. All standards are subject to revision, and all parties using this Standard shall discuss the possibility of using the latest version.

GB/T 5271 Data Processing - Vocabulary

3 Definitions

Except for those defined in this chapter, definitions not listed here are detailed in GB/T 5271.

3.1 Computer information system
A man-machine system composed of computers and their associated and supporting equipment and facilities (including networks) that collects, processes, stores, transmits and retrieves information according to certain application goals and rules.

3.2 Trusted computing base of computer information system
The generic term for the protection devices in a computer system, including the hardware, firmware, software and the assembly responsible for implementing the security policy. It establishes a basic protection environment and provides the additional user services required by a trusted computing system.

3.3 Object
Carrier of information.

3.4 Subject
A person, process, equipment, etc. that causes information to flow among objects.

3.5 Sensitivity label
A group of information that expresses an object's security level and describes the sensitivity of the object's data; the trusted computing base uses the sensitivity label as the basis for mandatory access control decisions.

3.6 Security policy
Laws, specifications and enforcement regulations for the management, protection and release of sensitive information.

3.7 Channel
Path for information transmission in the system.

3.8 Covert channel
A communication channel that allows a process to transmit information in a way that violates the system security policy.

3.9 Reference monitor
Component that monitors the authorized access relations between subjects and objects.

4 Level Classification Criteria

4.1 Level 1: the user's discretionary protection level

The trusted computing base of a computer information system at this level gives users security protection capability by separating users from data. It provides several forms of control for enforcing access control on users, i.e., it gives users a feasible means to protect their own information and that of their user group, and to prevent other users from illegally reading, writing or destroying data.

4.1.1 Discretionary access control
The trusted computing base of the computer information system defines and controls access to named objects by named users in the system. The implementation mechanism (for example, access control list) allows a named user, under the identity of user and (or) user group, to specify and control the sharing of objects, and prevents unauthorized users from reading sensitive information.

4.1.2 Identity authentication
When the trusted computing base of the computer information system is first invoked, it requires the user to identify himself and authenticates the user's identity by a protection mechanism (e.g., password); it also prevents unauthorized users from accessing user identity authentication data.

4.1.3 Data integrity
The trusted computing base of the computer information system prevents unauthorized users from modifying or destroying sensitive information by means of a discretionary integrity policy.

4.2 Level 2: system audit protection level

Compared with the user's discretionary protection level, the trusted computing base of a computer information system at this level implements discretionary access control with finer granularity, and makes users accountable for their own actions through login procedures, auditing of security-relevant events and resource isolation.

4.2.1 Discretionary access control
The trusted computing base of the computer information system defines and controls access to named objects by named users in the system. The implementation mechanism (for example, access control list) allows a named user, under the identity of user and (or) user group, to specify and control the sharing of objects, prevents unauthorized users from reading sensitive information, and controls the spreading of access authority. The discretionary access control mechanism prevents unauthorized users from accessing objects, either in the manner designated by the user or by default. The granularity of access control is the single user. Only an authorized user may assign access authority over an object to a user who does not have it.

4.2.2 Identity authentication
When the trusted computing base of the computer information system is first invoked, it requires the user to identify himself and authenticates the user's identity by a protection mechanism (e.g., password); it also prevents unauthorized users from accessing user identity authentication data. By giving each user a unique identifier, the trusted computing base of the computer information system can make users accountable for their own actions. The trusted computing base of the computer information system is also capable of associating the identity with all auditable actions of that user.

4.2.3 Object reusing
In the free storage object space of the trusted computing base of the computer information system, before an object is initially designated, assigned or re-assigned to a subject, all authorizations to the information contained in that object shall be revoked. When a subject obtains the authority to access a released object, the current subject cannot obtain any information generated by the activities of the original subject.

4.2.4 Auditing
The trusted computing base of the computer information system can create and maintain audit trail records of access to the protected object, and also prevent unauthorized users from accessing or destroying the protected object.

The trusted computing base of the computer information system can record the following events: use of the identity authentication mechanism; introduction of an object into the user's address space (for example, file opening and program initialization); deletion of an object; actions taken by the operator, system administrator or (and) system security administrator; and other events relevant to system security. For each event, the audit record includes: date and ...

......
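
A minimal Python model of the Level 2 requirements in 4.2.1 to 4.2.4, added here as an illustration and not part of the Standard: per-user access control lists, grants restricted to authorized users, revocation of authorizations when an object is released, and an audit record tied to a unique user ID for every decision. The class, method and right names are hypothetical, and the audit fields other than the date are assumptions, since the excerpt is cut off at that point.

```python
from datetime import datetime, timezone

class ReferenceMonitor:
    """Toy TCB for illustration; all names here are hypothetical."""
    def __init__(self):
        self.acl = {}    # object name -> {user id -> set of rights}
        self.audit = []  # audit trail, one record per decision

    def _log(self, user, event, obj, ok):
        # 4.2.2: tie each record to a unique user ID; non-date fields assumed.
        self.audit.append({"date": datetime.now(timezone.utc).isoformat(),
                           "user": user, "event": event,
                           "object": obj, "success": ok})
        return ok

    def create(self, user, obj):
        ok = obj not in self.acl
        if ok:  # default mode: only the creator holds any right
            self.acl[obj] = {user: {"read", "write", "grant"}}
        return self._log(user, "create", obj, ok)

    def access(self, user, obj, right):
        # 4.2.1: the decision is made per single user, not per group.
        ok = right in self.acl.get(obj, {}).get(user, set())
        return self._log(user, right, obj, ok)

    def grant(self, grantor, obj, grantee, rights):
        # Limit spread of authority: only a holder of "grant" may extend
        # rights, and "grant" itself cannot be passed on (an assumption).
        entry = self.acl.get(obj, {})
        ok = "grant" in entry.get(grantor, set()) and "grant" not in rights
        if ok:
            entry.setdefault(grantee, set()).update(rights)
        return self._log(grantor, "grant", obj, ok)

    def delete(self, user, obj):
        ok = "write" in self.acl.get(obj, {}).get(user, set())
        if ok:  # 4.2.3: revoke every authorization before the name is reused
            del self.acl[obj]
        return self._log(user, "delete", obj, ok)

def demo():
    rm = ReferenceMonitor()
    o = "report"  # constructed sample object and users
    steps = [rm.create("alice", o), rm.access("bob", o, "read"),
             rm.grant("alice", o, "bob", {"read"}), rm.access("bob", o, "read"),
             rm.grant("bob", o, "carol", {"read"}), rm.delete("alice", o),
             rm.create("carol", o), rm.access("bob", o, "read")]
    return steps, rm.audit
```

In `demo()`, the last check fails for `bob` because the grant he held on the deleted object does not carry over to the new object of the same name, and each denied attempt still leaves an audit record under his ID.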
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.