GB/T 25058-2019 PDF English
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 25058-2010
Information Security Technology - Implementation
Guide for Classified Protection of Cybersecurity
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 1, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Overview of Implementation of Classified Protection
4.1 Fundamental Principles
4.2 Roles and Responsibilities
4.3 Basic Procedure of Implementation
5 Rating and Filing of Classified Protection Object
5.1 Workflow of Rating and Filing Stage
5.2 Industry / Domain Rating Work
5.3 Analysis of Classified Protection Object
5.3.1 Analysis of object importance
5.3.2 Determination of rating object
5.4 Determination of Security Protection Level
5.4.1 Rating, Review and Approval
5.4.2 Form rating report
5.5 Filing of Rating Result
6 Overall Security Planning
6.1 Workflow of Overall Security Planning Stage
6.2 Analysis of Security Demands
6.2.1 Determination of basic security demands
6.2.2 Determination of special security demands
6.2.3 Form security demand analysis report
6.3 Overall Security Design
6.3.1 Overall security policy design
6.3.2 Security technology architecture design
6.3.3 Overall security management architecture design
6.3.4 Documentation of design result
6.4 Security Construction Project Planning
6.4.1 Determination of security construction objective
6.4.2 Security construction content planning
6.4.3 Form security construction project planning
7 Security Design and Implementation
7.1 Workflow of Security Design and Implementation Stage
7.2 Detailed Design of Security Scheme
7.2.1 Design of technological measure implementation content
7.2.2 Design of management measure implementation content
7.2.3 Documentation of design result
7.3 Implementation of Technological Measures
7.3.1 Procurement of cybersecurity products or services
7.3.2 Development of security control
7.3.3 Security control integration
7.3.4 Acceptance inspection of system
7.4 Implementation of Management Measures
7.4.1 Construction and revision of security management system
7.4.2 Security management institution and personnel setting
7.4.3 Security implementation process management
8 Security Operation and Maintenance
8.1 Workflow of Security Operation and Maintenance Stage
8.2 Operation Management and Control
8.2.1 Determination of operation management responsibilities
8.2.2 Operation management process control
8.3 Alteration Management and Control
8.3.1 Alteration demand and influence analysis
8.3.2 Alteration process control
8.4 Security Status Monitoring
8.4.1 Determination of monitoring objects
8.4.2 Collection of monitoring object status information
8.4.3 Monitoring status analysis and report
8.5 Security Self-inspection and Continuous Improvement
8.5.1 Self-inspection of security status
8.5.2 Formulation of improvement scheme
8.5.3 Implementation of security improvement
8.6 Management and Monitoring of Service Provider
8.6.1 Selection of service provider
8.6.2 Management of service provider
8.6.3 Monitoring of service provider
8.7 Level Evaluation
8.8 Supervision and Inspection
8.9 Emergency Response and Guarantee
8.9.1 Emergency preparation
8.9.2 Emergency monitoring and response
8.9.3 Post-mortem evaluation and improvement
8.9.4 Emergency guarantee
9 Termination of Rating Objects
9.1 Workflow of Rating Object Termination Stage
9.2 Information Transfer, Temporary Storage and Removal
9.3 Equipment Migration or Abolishment
9.4 Removal or Destruction of Storage Media
Appendix A (normative) Main Processes and the Activities, Input and Output
Information Security Technology - Implementation
Guide for Classified Protection of Cybersecurity
1 Scope
This Standard specifies the process by which classified protection objects implement
cybersecurity protection work.
This Standard is applicable to guiding the implementation of cybersecurity classified
protection work.
2 Normative References
The following documents are indispensable to the application of this document. For
dated references, only the edition cited applies to this document. For undated
references, the latest edition (including all amendments) applies to this document.
GB 17859 Classified Criteria for Security Protection of Computer Information System
GB/T 22239 Information Security Technology - Baseline for Classified Protection of
Cybersecurity
GB/T 22240 Information Security Technology - Classification Guide for Classified
Protection of Information System Security
GB/T 25069 Information Security Technology - Glossary
GB/T 28448 Information Security Technology - Evaluation Requirement for Classified
Protection of Cybersecurity
3 Terms and Definitions
Terms and definitions defined in GB 17859, GB/T 22239, GB/T 25069 and GB/T 28448
are applicable to this document.
4 Overview of Implementation of Classified Protection
4.1 Fundamental Principles
The core of classified security protection is to classify classified protection objects, and
carry out construction, management and supervision in accordance with the standards.
protection, take charge of cybersecurity protection and supervision,
management work within the scope of their respective duties.
b) Competent department
Competent department shall, in accordance with national management
specifications and technological standards on classified cybersecurity
protection, take charge of the supervision, inspection and guidance of
classified cybersecurity protection work of the operating and using
organizations of classified protection objects of the industry, the department
or the locality.
c) Operating and using organization
Operating and using organization shall, in accordance with national
management specifications and technological standards on classified
cybersecurity protection, determine the security protection level of its
classified protection objects. If there is a competent department, operating
and using organization shall report to its competent department for review and
approval. In accordance with the security protection level that is already
determined, go through filing procedures at the public security. In accordance
with national management specifications and technological standards on
classified cybersecurity protection, conduct planning and design of security
protection for the classified protection objects. Adopt information technology
products and cybersecurity products that comply with relevant national
regulations and classified protection objects’ demands for classified security
protection. Carry out security construction or re-construction work; formulate
and implement various security management systems. Conduct regular self-
inspection of the security status, and the implementation of security protection
systems and measures of classified protection objects. Select level evaluation
institutions that comply with relevant national regulations to conduct level
evaluation. Formulate response and disposal schemes for cybersecurity
incidents at different levels. Conduct emergency response to cybersecurity
incidents at different levels.
d) Cybersecurity service institution
Cybersecurity service institution shall, in accordance with national
management specifications and technological standards on classified
cybersecurity protection, under the entrustment of the operating and using
organization, assist the operating and using organization to complete
classified protection-related work, including determination of the security
protection level of the classified protection objects, analysis of security
demands, overall planning of security, implementation of security construction
and transformation, and provision of service supporting platforms, etc.
5.2 Industry / Domain Rating Work
Activity objective:
If necessary, industry / domain competent department may organize the sorting of main
social functions / functions and roles of industry / domain; analyze the main operations
and service scope, on which, the main social functions / functions are performed; finally,
in accordance with the analyzed and sorted content, form overall descriptive
documents of operations in the industry / domain.
Participating roles: competent department; cybersecurity service institution.
Activity input: industry introduction documents, GB/T 22240.
Activity description:
This activity mainly includes the following sub-activity content:
a) Identify, analyze the importance of industry / domain
The competent department may organize the sorting of industrial
characteristics, scope of operations, main social functions / functions and
production output of the industry / domain; analyze the important role that the
main social functions / functions play in guaranteeing national security,
economic development, social order and public services, etc.
b) Identify main operations of industry / domain
The competent department may organize the sorting of operations that mainly
depend on informatization processing in the industry / domain; in accordance
with the importance of the social functions / functions undertaken by the
operations, other industries’ dependency level, determine the main operations
in the industry / domain.
c) Rating guidance
The competent department may organize the analysis of the main operations
in the industry / domain; in accordance with the importance of operational
information and services, analyze the security protection requirements of
various main operations; combine the condition of the industry / domain, form
industry / domain rating instructions for the main operations. The security
protection level of classified protection object of inter-provincial or nationally
unified network operation may be uniformly determined by the competent
department.
d) Deployment of rating work
The competent department may formulate rating instructions for the industry
object.
c) Identify the management framework of classified protection object
Understand the organizational management structure, management policy,
department setting of classified protection object, and department’s roles and
position responsibilities in the operation; obtain information regarding
management characteristics and management framework that support the
operation of the classified protection object. Thus, the subject of security
responsibility of the classified protection object can be clarified.
d) Identify the network and equipment deployment of classified protection object
Understand the physical environment, and the deployment of network
topology and hardware equipment of classified protection object. On this basis,
clarify the boundaries of classified protection object, which means the
determination of the object and scope of classified protection.
e) Identify operational characteristics of classified protection object
Understand the various operations and operational processes that mainly
depend on informatization processing in the organization, from which, clearly
identify the operational characteristics of classified protection object that
support the operation of the organization.
f) Identify information assets processed by classified protection object
Understand the type of information assets processed by classified protection
object, and the importance of these information assets in confidentiality,
integrity and availability, etc.
g) Identify the scope and type of users
In accordance with the distribution scope of users or user groups, understand
the requirements of the service scope, roles and operational continuity of the
classified protection object.
h) Describe classified protection object
Organize and analyze the collected information; form overall descriptive files
of the classified protection object. The overall descriptive files of a typical
classified protection object include the following content:
1) Overview of classified protection object;
2) Importance analysis of classified protection object;
3) Border description of classified protection object;
classified protection objects into relatively independent objects as the rating
objects; ensure that each relatively independent object has the basic
characteristics of a rating object. When classifying classified protection
objects, first consider elements of organizational management, then consider
factors such as the type of operations and physical regions. Objects that carry
a relatively single operational application or relatively independent operations
shall be treated as independent rating objects.
In terms of communication network facilities, such as: telecommunication
network, radio and television transmission network, respectively classify them
into different rating objects in accordance with security responsibility body,
service type or service area. Exclusive communication networks of industries
or organizations across provinces may be rated as a whole, or, be classified
into several rating objects in accordance with the regions.
In the environment of cloud computing, classified protection object on the
cloud service customer side, and cloud computing platform / system on the
cloud service provider side shall respectively be considered as independent
rating objects. Furthermore, in accordance with different service modes, cloud
computing platform / system shall be classified into different rating objects. In
terms of large-scale cloud computing platform, cloud computing infrastructure
and relevant auxiliary service system should be classified into different rating
objects.
The Internet of Things mainly includes characteristic elements like perception,
network transmission and processing application. The above elements shall
be rated as a whole, and the various elements shall not be individually rated.
In terms of industrial control system, it generally includes characteristic
elements like on-site acquisition / execution, on-site control, process control
and production management. Specifically speaking, elements like on-site
acquisition / execution, on-site control and process control shall be rated as a
whole, and the various elements shall not be individually rated. The element
of production management should be individually rated. In terms of large-
scale industrial control system, multiple rating objects may be classified in
accordance with system functions, responsibility body, control object and
manufacturer, etc.
Classified protection objects that adopt mobile internet technology mainly
include characteristic elements like mobile terminal, mobile application and
wireless network, which may be rated as a whole, or, be rated together with
associated operation systems, and the various elements shall not be
individually rated.
c) Detailed description of rating objects
for industry / domain rating (if possible) and rating method, the operating and
using organization shall determine the preliminary security protection level for
each rating object.
b) Review of rating result
After preliminarily determining the security protection level, if necessary, the
operating and using organization may organize cybersecurity experts and
operation experts to review the reasonability of the preliminary rating result
and issue experts’ review comments.
c) Examination and approval of rating result
After preliminarily determining the security protection level, the operating and
using organization shall (if there is an explicit competent department) report
the preliminary rating result to the competent department or the higher
competent department of the industry / domain for review and approval. The
competent department or the higher competent department of the industry /
domain shall reasonably review the preliminary rating result and issue review
comments.
The operating and using organization shall regularly conduct self-inspection
of changes in the level of the classified security objects and the rating of newly
established systems; report to the competent department for review and
approval in time.
Activity output: rating result; competent department’s review comments.
5.4.2 Form rating report
Activity objective:
Organize documents generated during the rating process; form a report of rating result
of classified protection object.
Participating roles: competent department; operating and using organization.
Activity input: detailed descriptive files of rating objects; rating result.
Activity description:
Organize the content: overall descriptive documents of classified protection objects,
detailed descriptive files, rating result, etc.; form documented report of rating result.
The report of rating result may include the following content:
a) Overview of current situation of organization informatization;
Activity description:
This activity mainly includes the following sub-activity content:
a) Determine the scope and analysis object of classified protection objects
Clarify the scope and border of classified protection objects at different levels.
Through the mode of survey or information consulting, understand the
operational application and operational procedure of classified protection
objects.
b) Form basic security demands
In accordance with the security protection level of classified protection objects
of different levels, select requirements of corresponding levels from GB/T
22239 and basic industrial requirements; form basic security demands. In
terms of protection objects with an already established level, in accordance
with the level evaluation result, analyze the rectification demands; form basic
security demands.
Activity output: basic security demands.
6.2.2 Determination of special security demands
Activity objective:
Through the analysis of special protection demands of important assets, adopt the
method of demand analysis or risk analysis, determine possible security risks; judge
the necessity of implementing special security measures; put forward special security
protection demands for classified protection objects.
Participating roles: operating and using organization; cybersecurity service institution.
Activity input: detailed descriptive files of classified protection objects; security
protection level rating report; other relevant documents of classified protection objects.
Activity description:
The determination of special security demands may adopt currently mature or
prevailing demand analysis or risk analysis method, or, adopt the activities introduced
below:
a) Analysis of important assets
Clarify important components in classified protection objects, such as: border
equipment, gateway equipment, core network equipment, important server
equipment and important application system, etc.
Activity output: security demand analysis report.
6.3 Overall Security Design
6.3.1 Overall security policy design
Activity objective:
Form the institution’s programmatic security policy documents, including the
determination of the security guide and the formulation of the security policy, so as to
combine the series of basic requirement standards for classified protection, basic
industry requirements and special security protection requirements into a security
technology architecture and a security management architecture for the institution’s
classified protection objects. For newly established classified protection objects, the
security protection level shall be made clear at approval; the overall security policy
design is then conducted in accordance with the requirements of the corresponding
protection level.
Participating roles: operating and using organization; cybersecurity service institution.
Activity input: detailed descriptive files of classified protection objects; security
protection level rating report; security demand analysis report.
Activity description:
This activity mainly includes the following sub-activity content:
a) Determine security guide
Form institution’s highest level of security guide file; clarify the mission and
aspiration of security work; define the overall objective of cybersecurity;
stipulate responsible institution of cybersecurity and its responsibilities;
establish security work operating mode, etc.
b) Formulate security policy
Form institution’s highest level of security policy file; elaborate main policies
of security work, including security organizational institution’s division policy,
operational system’s classification policy, data information’s classification
policy and classified protection objects’ interconnection policy and information
flow control policy, etc.
Activity output: overall security policy file.
6.3.2 Security technology architecture design
Activity objective:
In accordance with GB/T 22239, basic industrial requirements, security demand
network lines and network equipment shall be considered. If rating objects at
different levels transmit data through the same line and equipment of the
communication network, the security protection policies and security
technological measures of lines and equipment shall satisfy the basic
requirements for classified protection of the highest level of rating objects.
d) Stipulate protection technological measures of borders of rating objects at
different levels
In accordance with institution’s overall security policy files, basic requirements
for classified protection, and security demands, put forward security
protection policies and security technological measures of the borders of
rating objects at different levels. If rating objects at different levels share the
same equipment for border protection, then, the security protection policies
and security technological measures of the border equipment shall satisfy the
basic requirements for classified protection of the highest level of rating
objects.
e) Stipulate security technological measures of interconnection among rating
objects
In accordance with institution’s overall security policy files, basic requirements
for classified protection, and security demands, put forward protection policy
requirements and specific security technological measures of information
transmission among rating objects in inter-LAN interconnection, including
interconnection policy for the same level and different levels, etc. Put forward
protection policy requirements and specific security technological protection
measures of information transmission among rating objects in LAN
interconnection, including interconnection policy for the same level and
different levels, etc.
f) Stipulate security protection technological measures inside rating objects at
different levels
In accordance with institution’s overall security policy files, basic requirements
for classified protection, and security demands, put forward security
protection policies and security technological protection measures of internal
network platform, system platform, operational application and data of rating
objects at different levels. If low-level rating objects are deployed in the
network area of high-level rating objects, then, the security protection policies
and security technological measures of system platform, operation application
and data of low-level rating objects shall satisfy the basic requirements for
classified protection of high-level rating objects.
g) Stipulate security protection technological measures of new technologies,
such as: cloud computing and mobile internet
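The "highest level present" rule stated in items c), d) and f) above (shared lines and network equipment, shared border equipment, and a network area hosting rating objects of different levels must all satisfy the basic requirements of the highest-level rating object involved) can be checked mechanically once rating objects and shared components are inventoried. The following Python is an added example and not part of the standard; the object names, levels, network areas and components are constructed for illustration.

```python
from dataclasses import dataclass

# Security protection levels run from 1 to 5 (GB 17859 / GB/T 22240).
MIN_LEVEL, MAX_LEVEL = 1, 5


@dataclass(frozen=True)
class RatingObject:
    """A rating object, its determined level and the network area it is deployed in."""
    name: str
    level: int
    network_area: str


@dataclass(frozen=True)
class SharedComponent:
    """A line, network device or border device serving one or more rating objects."""
    name: str
    kind: str            # "line", "network_device" or "border_device"
    serves: frozenset    # names of the rating objects that share it


def _check_level(level: int) -> None:
    if not MIN_LEVEL <= level <= MAX_LEVEL:
        raise ValueError(f"level {level} outside {MIN_LEVEL}..{MAX_LEVEL}")


def effective_object_level(obj: RatingObject, objects: list) -> int:
    """Item f): a low-level object deployed in the network area of a higher-level
    object must meet the basic requirements of that higher level."""
    _check_level(obj.level)
    area_max = max(o.level for o in objects if o.network_area == obj.network_area)
    return max(obj.level, area_max)


def required_component_level(comp: SharedComponent, objects: list) -> int:
    """Items c) and d): shared lines, network equipment and border equipment must
    meet the basic requirements of the highest-level object they serve. The
    object's effective level is used, so area inheritance propagates outward."""
    by_name = {o.name: o for o in objects}
    missing = comp.serves - set(by_name)
    if missing:
        raise KeyError(f"{comp.name} serves unknown rating objects: {sorted(missing)}")
    return max(effective_object_level(by_name[n], objects) for n in comp.serves)


def protection_plan(objects: list, components: list) -> dict:
    """Required protection level for every rating object and shared component."""
    plan = {o.name: effective_object_level(o, objects) for o in objects}
    plan.update({c.name: required_component_level(c, objects) for c in components})
    return plan


# Constructed sample: an office system (level 2), a billing system (level 3)
# and a portal (level 2) that is deployed in the same core network area as billing.
SAMPLE_OBJECTS = [
    RatingObject("office_automation", 2, "office"),
    RatingObject("billing", 3, "core"),
    RatingObject("portal", 2, "core"),
]
SAMPLE_COMPONENTS = [
    SharedComponent("wan_line_office", "line", frozenset({"office_automation"})),
    SharedComponent("core_firewall", "border_device", frozenset({"billing", "portal"})),
    SharedComponent("campus_switch", "network_device",
                    frozenset({"office_automation", "portal"})),
]

if __name__ == "__main__":
    for name, level in protection_plan(SAMPLE_OBJECTS, SAMPLE_COMPONENTS).items():
        print(f"{name}: must satisfy level-{level} basic requirements")
```

Note that the campus switch ends up at level 3 although both objects it serves were rated level 2: the portal inherits level 3 from the core area under item f), and that inherited level then flows to the shared equipment under item c).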
and security demands, put forward institution’s security organization
management framework; allocate security management responsibilities
towards rating objects at different levels; stipulate security management
policies for rating objects at different levels.
c) Stipulate personnel security management policy of rating objects at different
levels
In accordance with institution’s overall security policy files, the series standard
of basic requirements for classified protection, basic industrial requirements
and security demands, put forward management personnel framework of
rating objects at different levels; allocate management personnel
responsibilities towards rating objects at different levels; stipulate personnel
security management policies of rating objects at different levels.
d) Stipulate security management policy of physical environment (computer
rooms and office areas) of rating objects at different levels
In accordance with institution’s overall security policy files, the series standard
of basic requirements for classified protection, basic industrial requirements
and security demands, put forward security policy of computer rooms and
office environment of rating objects at different levels.
e) Stipulate security management policy for medium and equipment of rating
objects at different levels
In accordance with institution’s overall security policy files, the series standard
of basic requirements for classified protection, basic industrial requirements
and security demands, put forward security policy of medium and equipment
of rating objects at different levels.
f) Stipulate operational security management policy of rating objects at different
levels
In accordance with institution’s overall security policy files, the series standard
of basic requirements for classified protection, basic industrial requirements
and security demands, put forward security operation and maintenance
framework, and operation and maintenance security policy of rating objects
at different levels.
g) Stipulate security incident handling and emergency management policy of
rating objects at different levels
In accordance with institution’s overall security policy files, the series standard
of basic requirements for classified protection, basic industrial requirements
and security demands, put forward security incident handling and emergency
management policy of rating objects at different levels.
determine secu......
Source: Above contents are excerpted from the PDF; translated/reviewed by www.chinesestandard.net / Wayne Zheng et al.