
GB/T 22240-2020 PDF English


Search result: GB/T 22240-2020 English: PDF (GB/T22240-2020)

Standard ID | Contents [version] | USD | Delivered in | Name of Chinese Standard | Status
GB/T 22240-2020 | English | 195 | 0-9 seconds, auto-delivery | Information security technology -- Classification guide for classified protection of cybersecurity | Valid
GB/T 22240-2008 | English | 150 | 0-9 seconds, auto-delivery | Information security technology -- Classification guide for classified protection of information system security | Obsolete


GB/T 22240-2020: PDF in English (GBT 22240-2020)

GB/T 22240-2020
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 22240-2008

Information security technology - Classification guide for classified protection of cybersecurity

ISSUED ON: APRIL 28, 2020
IMPLEMENTED ON: NOVEMBER 01, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of PRC.

Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Rating principle and process
4.1 Security protection level
4.2 Rating elements
4.3 Relationship between rating elements and security protection level
4.4 Rating process
5 Determine the rating object
5.1 Information system
5.2 Network infrastructure
5.3 Data resources
6 Determine the security protection level
6.1 Overview of rating methods
6.2 Determine the infringed object
6.3 Determine the degree of infringement on the object
6.4 Preliminary level determination
7 Determine the security protection level
8 Change of level
References

Information security technology - Classification guide for classified protection of cybersecurity

1 Scope
This standard gives a method and procedure for rating the security protection level of classified protection objects which do not involve state secrets.
This standard is applicable to guiding network operators in carrying out the rating work for classified protection objects which do not involve state secrets.

2 Normative references
The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, only the latest version (including all amendments) applies to this standard.
GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 25069 Information security technology - Glossary
GB/T 29246-2017 Information technology - Security techniques - Information security management systems - Overview and vocabulary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 32919-2016 Information security - Industrial control systems - Guidelines for the application of security controls
GB/T 35295-2017 Information technology - Big data - Terminology

3 Terms and definitions
The terms and definitions as defined in GB 17859-1999, GB/T 22239-2019, GB/T 25069, GB/T 29246-2017, GB/T 31167-2014, GB/T 32919-2016, GB/T

serious damage or particularly serious damage to the legitimate rights and interests of the relevant citizens, legal persons and other organizations, or cause harm to social order and public interests, but does not endanger national security;
c) Level 3: After the classified protection object is damaged, it will cause serious damage to social order and public interests, or endanger national security;
d) Level 4: After the classified protection object is damaged, it will cause particularly serious damage to social order and public interests, or seriously endanger national security;
e) Level 5: After the classified protection object is damaged, it will cause particularly serious damage to national security.

4.2 Rating elements
4.2.1 Overview of rating elements
The rating elements of the classified protection objects include:
a) Infringed objects;
b) The degree of infringement on the object.

4.2.2 Infringed objects
The infringed objects when the classified protection object is damaged include the following three aspects:
a) The legitimate rights and interests of citizens, legal persons and other organizations;
b) Social order and public interest;
c) National security.

4.2.3 Degree of infringement on the object
The degree of infringement on the object is determined comprehensively by the different external manifestations of the objective aspect. Since the infringement on the object is achieved by damaging the classified protection object, the external manifestation of the infringement on the object is the damage to the classified protection object, which is described by the method of infringement, the consequences of the infringement and the degree of infringement.

Note 1: The main subjects of security responsibility include but are not limited to legal persons such as enterprises, agencies and public institutions, as well as other social organizations and other organizations that do not have legal person qualifications.
Note 2: Avoid using a single system component, such as a server, terminal or network device, as a rating object.

When determining the rating objects, cloud computing platforms/systems, Internet of Things, industrial control systems and systems using mobile interconnection technologies need to follow the relevant requirements of 5.1.2, 5.1.3, 5.1.4 and 5.1.5 respectively, provided the above basic characteristics are met.

5.1.2 Cloud computing platform/system
In a cloud computing environment, the classified protection objects on the cloud service client side and the cloud computing platform/system on the cloud service provider side must be rated as separate rating objects; meanwhile the cloud computing platform/system is divided into different rating objects according to the different service models. For large-scale cloud computing platforms, the cloud computing infrastructure and the related auxiliary service systems should be divided into different rating objects.

5.1.3 Internet of Things
The Internet of Things mainly includes characteristic elements such as perception, network transmission and processing applications. The above elements need to be rated as a whole object; each element is not rated individually.

5.1.4 Industrial control system
The industrial control system mainly includes characteristic elements such as field acquisition/execution, field control, process control and production management. Among them, field acquisition/execution, field control, process control and other elements need to be rated as a whole object, and each element is not rated separately; production management elements should be rated separately. Large industrial control systems can be divided into multiple rating objects based on factors such as system functions, responsible subjects, control objects and manufacturers.

5.1.5 System using mobile internet technology
The system adopting mobile internet technology mainly includes mobile terminals, mobile applications, wireless networks and other characteristic

6.2 Determine the infringed object
The infringed objects when the rating object is damaged include national security, social order, public interest, as well as the legitimate rights and interests of citizens, legal persons and other organizations.

Matters that infringe national security include the following:
- Affect the stability of state power and territorial sovereignty, as well as the integrity of marine rights and interests;
- Affect national unity, ethnic unity and social stability;
- Affect the national socialist market economic order and cultural strength;
- Other matters affecting national security.

Matters infringing social order include the following:
- Affect the production order, operation order, teaching and scientific research order, and medical and health order of state organs, enterprises, institutions and social organizations;
- Affect the order of activities in public places and public transportation;
- Affect the order of daily life of the people;
- Other matters affecting social order.

Matters infringing public interests include the following:
- Affect the use of public facilities by members of society;
- Affect the acquisition of public data resources by members of society;
- Affect the reception of public services by members of society, and so on;
- Other matters affecting the public interest.

Infringement on the legitimate rights and interests of citizens, legal persons and other organizations refers to damage to the social rights and interests enjoyed by citizens, legal persons and other organizations that are protected by law.

When determining the infringed object, first determine whether it infringes national security, then determine whether it infringes social order or public interest, and finally determine whether it infringes the legitimate rights and interests of citizens, legal persons and other organizations.

When judging the degree of infringement on different infringed objects, refer to the following criteria:
- If the infringed object is the legitimate rights and interests of a citizen, legal person or other organization, the overall interests of that person or organization shall be used as the basis for judging the degree of infringement;
- If the infringed object is social order, public interest or national security, the overall interest of the entire industry or country shall be used as the basis for judging the degree of infringement.

The three degrees of infringement, which have different consequences of infringement, are described as follows:
- General damage: Work functions are partially affected; business capabilities are reduced but the execution of main functions is not affected; lighter legal issues arise; property loss is low; adverse social effects are limited; low damage is caused to other organizations and individuals;
- Serious damage: Work functions are severely affected; business capabilities are significantly reduced and the execution of main functions is seriously affected; there are more serious legal problems, higher property losses and a wider range of adverse social effects; higher damage is caused to other organizations and individuals;
- Particularly serious damage: Work functions are particularly severely affected or incapacitated; business capabilities are severely reduced or functions cannot be performed; there are extremely serious legal problems, extremely high property losses and widespread adverse social effects; very high damage is caused to other organizations and individuals.

The degree of infringement on the object is obtained by a comprehensive evaluation of the degree of infringement across the different consequences of infringement. Because the types of information handled and the system service characteristics of the rating objects differ across industries, the way the consequences and degree of infringement are assessed when business information security or system service security is damaged may also differ. Each industry may therefore, based on the characteristics of its own business information and system services, establish its comprehensive evaluation method for the degree of infringement and give specific definitions of general damage, serious damage and particularly serious damage. ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.