GB/T 22240-2020 PDF English
Search result: GB/T 22240-2020 English: PDF (GB/T22240-2020)
Standard ID | Contents [version] | USD | Delivery | Name of Chinese Standard | Status
GB/T 22240-2020 | English | 195 | PDF, auto-delivery in 0-9 seconds | Information security technology -- Classification guide for classified protection of cybersecurity | Valid
GB/T 22240-2008 | English | 150 | PDF, auto-delivery in 0-9 seconds | Information security technology -- Classification guide for classified protection of information system security | Obsolete
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 22240-2008
Information security technology - Classification guide
for classified protection of cybersecurity
ISSUED ON: APRIL 28, 2020
IMPLEMENTED ON: NOVEMBER 01, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Rating principle and process ... 7
4.1 Security protection level ... 7
4.2 Rating elements ... 8
4.3 Relationship between rating elements and security protection level ... 9
4.4 Rating process ... 9
5 Determine the rating object ... 10
5.1 Information system ... 10
5.2 Network infrastructure ... 12
5.3 Data resources ... 12
6 Determine the security protection level ... 12
6.1 Overview of rating methods ... 12
6.2 Determine the infringed object ... 14
6.3 Determine the degree of infringement on the object ... 15
6.4 Preliminary determining level ... 17
7 Determine the security protection level ... 17
8 Change of level ... 18
References ... 19
Information security technology - Classification guide
for classified protection of cybersecurity
1 Scope
This standard gives a method and procedure for rating the security protection
level of classified protection targets that do not involve state secrets.
This standard is applicable to guiding network operators in rating classified
protection targets that do not involve state secrets.
2 Normative references
The following documents are essential to the application of this document. For
dated documents, only the versions with the dates indicated are applicable to
this document; for undated documents, only the latest version (including all
amendments) is applicable to this standard.
GB 17859-1999 Classified criteria for security protection of computer
information system
GB/T 22239-2019 Information security technology - Baseline for classified
protection of cybersecurity
GB/T 25069 Information security technology - Glossary
GB/T 29246-2017 Information technology - Security techniques -
Information security management systems - Overview and vocabulary
GB/T 31167-2014 Information security technology - Security guide of cloud
computing services
GB/T 32919-2016 Information security - Industrial control systems -
Guidelines for the application of security controls
GB/T 35295-2017 Information technology - Big data - Terminology
3 Terms and definitions
The terms and definitions as defined in GB 17859-1999, GB/T 22239-2019,
GB/T 25069, GB/T 29246-2017, GB/T 31167-2014, GB/T 32919-2016, GB/T
serious damage or particularly serious damage to the legitimate rights and
interests of the relevant citizens, legal persons and other organizations, or
cause harm to social order and public interests, but does not endanger
national security;
c) Level 3: After the classified protection object is damaged, it will cause
serious damage to social order and public interests, or endanger national
security;
d) Level 4: After the classified protection object is damaged, it will cause
serious damage to social order and public interests, or seriously endanger
national security;
e) Level 5: After the classified protection object is damaged, it will cause
particularly serious damage to national security.
4.2 Rating elements
4.2.1 Overview of rating elements
The rating elements of the classified protection objects include:
a) Infringed objects;
b) The degree of infringement on the object.
4.2.2 Infringed objects
The infringed objects when the classified protection object is damaged include
the following three aspects:
a) The legitimate rights and interests of citizens, legal persons and other
organizations;
b) Social order and public interest;
c) National security.
4.2.3 Degree of infringement on the object
The degree of infringement on the object is determined comprehensively from the
different external manifestations of the objective aspect. Since infringement on
the object is achieved by damaging the classified protection object, the external
manifestation of the infringement on the object is the damage to the classified
protection object, which is described by the method of infringement, the
consequences of the infringement and the degree of infringement.
Note 1: The main subjects of security responsibility include but are not limited to legal
persons such as enterprises, agencies and public institutions, as well as other social
organizations and other organizations that do not have legal person qualifications.
Note 2: Avoid using a single system component, such as a server, terminal, or network
device as a rating object.
When determining rating objects, cloud computing platforms/systems, Internet of
Things, industrial control systems and systems using mobile internet technology
shall, in addition to meeting the above basic characteristics, follow the relevant
requirements of 5.1.2, 5.1.3, 5.1.4 and 5.1.5 respectively.
5.1.2 Cloud computing platform/system
In a cloud computing environment, the classified protection objects on the cloud
service client side and the cloud computing platform/system on the cloud
service provider side must be rated as separate rating objects; in addition, the
cloud computing platform/system is divided into different rating objects
according to its different service models.
For large-scale cloud computing platforms, the cloud computing infrastructure
and the related auxiliary service systems should be divided into different rating
objects.
5.1.3 Internet of Things
The Internet of Things mainly includes characteristic elements such as
perception, network transmission, processing applications. The above
elements need to be rated as a whole object; each element is not rated
individually.
5.1.4 Industrial control system
The industrial control system mainly includes characteristic elements such as
field acquisition/execution, field control, process control, production
management. Among them, field acquisition/execution, field control, process
control and other elements need to be rated as a whole object; each element is
not rated separately; production management elements should be rated
separately.
For large industrial control systems, they can be divided into multiple rating
objects based on factors such as system functions, responsible subjects,
control objects, manufacturers.
5.1.5 System using mobile internet technology
The system adopting mobile internet technology mainly includes mobile
terminals, mobile applications, wireless networks and other characteristic
6.2 Determine the infringed object
The infringed objects when the rating object is damaged include national
security, social order, public interest, as well as the legitimate rights and
interests of citizens, legal persons and other organizations.
Matters that infringe national security include the following:
- Affect the stability of state power and territorial sovereignty, as well as the
integrity of marine rights and interests;
- Affect national unification, ethnic unity and social stability;
- Affect the national socialist market economic order and cultural strength;
- Other matters affecting national security.
Matters infringing social order include the following:
- Affect the production order, operation order, teaching and scientific research
order, and medical and health order of state organs, enterprises, institutions
and social organizations;
- Affect the order of activities in public places and of public transportation;
- Affect the daily life order of the people;
- Other matters affecting social order.
Matters infringing public interests include the following:
- Affect the use of public facilities by members of society;
- Affect the acquisition of public data resources by members of society;
- Affect the access of members of society to public services, and so on;
- Other matters affecting the public interest.
Infringement on the legitimate rights and interests of citizens, legal persons and
other organizations refers to the damage to the social rights and interests
enjoyed by citizens, legal persons and other organizations protected by law.
When determining the infringed object, first determine whether it infringes
national security, then determine whether it infringes social order or public
interest, finally determine whether it infringes the legitimate rights and interests
of citizens, legal persons and other organizations.
When judging the degree of infringement on different infringed objects, refer to
the following different criteria:
- If the infringed object is the legitimate rights and interests of a citizen, legal
person or other organization, the overall interests of the person or the
organization shall be used as the basis for judging the degree of
infringement;
- If the infringed object is social order, public interest, or national security, the
overall interest of the entire industry or country is used as the basis for
judging the degree of infringement.
The three degrees of infringement, which have different consequences of
infringement, are described as follows:
- General damage: Work functions are partially affected; business capabilities
are reduced but the execution of main functions is not affected; minor legal
problems arise; property losses are low; adverse social effects are limited;
low damage is caused to other organizations and individuals;
- Serious damage: Work functions are severely affected; business capabilities
are significantly reduced and the execution of main functions is seriously
affected; more serious legal problems, higher property losses and a wider
range of adverse social effects arise; higher damage is caused to other
organizations and individuals;
- Particularly serious damage: Work functions are particularly severely
affected or incapacitated; business capabilities are severely reduced or
functions cannot be performed at all; extremely serious legal problems,
extremely high property losses and widespread adverse social effects arise;
very high damage is caused to other organizations and individuals.
The degree of infringement on the object is obtained by a comprehensive
evaluation of the degrees of the different infringement consequences. Because
the characteristics of the business information and system services handled by
the rating objects of different industries differ, the way the infringement
consequences and the degree of infringement are calculated when business
information security and system service security are damaged may also differ.
Different industries may therefore, based on the characteristics of their own
business information and system services, establish their own comprehensive
evaluation method for the degree of infringement, and give specific definitions
of general damage, serious damage and particularly serious damage.
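The rating procedure described in 4.1 and 6.2, expressed as an added Python example (this is not code from the standard or from chinesestandard.net). It applies the examination order of 6.2 (national security first, then social order and public interest, then the rights and interests of citizens, legal persons and other organizations) to the impacts identified for one security aspect, then maps the resulting infringed object and degree of infringement onto the security protection level implied by the level definitions in 4.1. Two assumptions are labelled in the code: the Level 1 clause of 4.1 falls outside the excerpt above, so general damage to citizens' rights is assumed to give Level 1; and the rule that the rating object's preliminary level is the higher of its business information security level and its system service security level (the two aspects named at the end of 6.2) is not reproduced on this page. All class, function and constant names, and the public-service portal used as input, are constructed for the example.

```python
from enum import Enum


class InfringedObject(Enum):
    """The three infringed objects of 4.2.2 / 6.2."""
    CITIZENS_RIGHTS = "legitimate rights and interests of citizens, legal persons and other organizations"
    SOCIAL_ORDER_PUBLIC_INTEREST = "social order and public interest"
    NATIONAL_SECURITY = "national security"


class Degree(Enum):
    """The three degrees of infringement of 6.2."""
    GENERAL = "general damage"
    SERIOUS = "serious damage"
    PARTICULARLY_SERIOUS = "particularly serious damage"


# Order of examination prescribed by 6.2: national security first, then social order /
# public interest, finally the rights and interests of citizens, legal persons and
# other organizations.
EXAMINATION_ORDER = (
    InfringedObject.NATIONAL_SECURITY,
    InfringedObject.SOCIAL_ORDER_PUBLIC_INTEREST,
    InfringedObject.CITIZENS_RIGHTS,
)

# Security protection level implied by the level definitions in 4.1.
# The Level 1 clause is not part of the excerpt; mapping general damage to
# citizens' rights onto Level 1 is an assumption made for this example.
LEVEL_TABLE = {
    InfringedObject.CITIZENS_RIGHTS: {
        Degree.GENERAL: 1,               # assumed (Level 1 clause not in the excerpt)
        Degree.SERIOUS: 2,               # 4.1 b)
        Degree.PARTICULARLY_SERIOUS: 2,  # 4.1 b)
    },
    InfringedObject.SOCIAL_ORDER_PUBLIC_INTEREST: {
        Degree.GENERAL: 2,               # 4.1 b): "cause harm to social order and public interests"
        Degree.SERIOUS: 3,               # 4.1 c)
        Degree.PARTICULARLY_SERIOUS: 4,  # 4.1 d)
    },
    InfringedObject.NATIONAL_SECURITY: {
        Degree.GENERAL: 3,               # 4.1 c): "endanger national security"
        Degree.SERIOUS: 4,               # 4.1 d)
        Degree.PARTICULARLY_SERIOUS: 5,  # 4.1 e)
    },
}


def determine_infringed_object(impacts):
    """Apply the examination order of 6.2 to the impacts found for one security aspect.

    `impacts` maps each InfringedObject the damage would touch to the Degree of that
    infringement. The first object in EXAMINATION_ORDER that is present becomes the
    infringed object, and its degree is the degree of infringement.
    """
    for obj in EXAMINATION_ORDER:
        if obj in impacts:
            return obj, impacts[obj]
    raise ValueError("no infringed object identified for this aspect")


def level_for_aspect(impacts):
    """Level reached by one aspect (business information security or system service
    security) from its infringed object and degree of infringement."""
    obj, degree = determine_infringed_object(impacts)
    return LEVEL_TABLE[obj][degree]


def preliminary_level(business_information_impacts, system_service_impacts):
    """Preliminary level of the rating object.

    Assumption (the combination rule is not reproduced in the excerpt): the
    preliminary level is the higher of the business information security level and
    the system service security level.
    """
    return max(level_for_aspect(business_information_impacts),
               level_for_aspect(system_service_impacts))


# Constructed input: a hypothetical municipal public-service portal. Leaking or
# corrupting its records would seriously affect public interest and particularly
# seriously damage the rights of individual citizens; an outage would particularly
# seriously damage the rights of the citizens who depend on the service.
EXAMPLE_BUSINESS_INFORMATION = {
    InfringedObject.SOCIAL_ORDER_PUBLIC_INTEREST: Degree.SERIOUS,
    InfringedObject.CITIZENS_RIGHTS: Degree.PARTICULARLY_SERIOUS,
}
EXAMPLE_SYSTEM_SERVICE = {
    InfringedObject.CITIZENS_RIGHTS: Degree.PARTICULARLY_SERIOUS,
}

if __name__ == "__main__":
    obj, degree = determine_infringed_object(EXAMPLE_BUSINESS_INFORMATION)
    print(f"business information: infringed object = {obj.value}; degree = {degree.value}")
    print("business information security level:", level_for_aspect(EXAMPLE_BUSINESS_INFORMATION))
    print("system service security level:", level_for_aspect(EXAMPLE_SYSTEM_SERVICE))
    print("preliminary level:", preliminary_level(EXAMPLE_BUSINESS_INFORMATION, EXAMPLE_SYSTEM_SERVICE))
```

In the constructed case the business information aspect touches both public interest and citizens' rights; the examination order of 6.2 selects public interest, so the serious damage there gives Level 3, while the system service aspect reaches only Level 2 through citizens' rights, and the portal is preliminarily rated Level 3. Industry-specific definitions of the three degrees, which 6.2 allows, would replace the constructed degree judgements, not the ordering or the level table.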
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.