
GB/T 25058-2019 PDF English


Search result: GB/T 25058-2019 English PDF (GB/T 25058-2019)

Standard ID      | Contents | USD | Delivered in              | Name of Chinese Standard                                                                              | Status
GB/T 25058-2019  | English  | 405 | 0-9 seconds, auto-delivery | Information security technology -- Implementation guide for classified protection of cybersecurity     | Valid
GB/T 25058-2010  | English  | 360 | 0-9 seconds, auto-delivery | Information security technology -- Implementation guide for classified protection of information system | Obsolete


GB/T 25058-2019: PDF in English (GBT 25058-2019)

GB/T 25058-2019
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 25058-2010

Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity

ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 1, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.

Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Overview of Implementation of Classified Protection
4.1 Fundamental Principles
4.2 Roles and Responsibilities
4.3 Basic Procedure of Implementation
5 Rating and Filing of Classified Protection Object
5.1 Workflow of Rating and Filing Stage
5.2 Industry / Domain Rating Work
5.3 Analysis of Classified Protection Object
5.3.1 Analysis of object importance
5.3.2 Determination of rating object
5.4 Determination of Security Protection Level
5.4.1 Rating, review and approval
5.4.2 Form rating report
5.5 Filing of Rating Result
6 Overall Security Planning
6.1 Workflow of Overall Security Planning Stage
6.2 Analysis of Security Demands
6.2.1 Determination of basic security demands
6.2.2 Determination of special security demands
6.2.3 Form security demand analysis report
6.3 Overall Security Design
6.3.1 Overall security policy design
6.3.2 Security technology architecture design
6.3.3 Overall security management architecture design
6.3.4 Documentation of design result
6.4 Security Construction Project Planning
6.4.1 Determination of security construction objective
6.4.2 Security construction content planning
6.4.3 Form security construction project planning
7 Security Design and Implementation
7.1 Workflow of Security Design and Implementation Stage
7.2 Detailed Design of Security Scheme
7.2.1 Design of technological measure implementation content
7.2.2 Design of management measure implementation content
7.2.3 Documentation of design result
7.3 Implementation of Technological Measures
7.3.1 Procurement of cybersecurity products or services
7.3.2 Development of security control
7.3.3 Security control integration
7.3.4 Acceptance inspection of system
7.4 Implementation of Management Measures
7.4.1 Construction and revision of security management system
7.4.2 Security management institution and personnel setting
7.4.3 Security implementation process management
8 Security Operation and Maintenance
8.1 Workflow of Security Operation and Maintenance Stage
8.2 Operation Management and Control
8.2.1 Determination of operation management responsibilities
8.2.2 Operation management process control
8.3 Alteration Management and Control
8.3.1 Alteration demand and influence analysis
8.3.2 Alteration process control
8.4 Security Status Monitoring
8.4.1 Determination of monitoring objects
8.4.2 Collection of monitoring object status information
8.4.3 Monitoring status analysis and report
8.5 Security Self-inspection and Continuous Improvement
8.5.1 Self-inspection of security status
8.5.2 Formulation of improvement scheme
8.5.3 Implementation of security improvement
8.6 Management and Monitoring of Service Provider
8.6.1 Selection of service provider
8.6.2 Management of service provider
8.6.3 Monitoring of service provider
8.7 Level Evaluation
8.8 Supervision and Inspection
8.9 Emergency Response and Guarantee
8.9.1 Emergency preparation
8.9.2 Emergency monitoring and response
8.9.3 Post-mortem evaluation and improvement
8.9.4 Emergency guarantee
9 Termination of Rating Objects
9.1 Workflow of Rating Object Termination Stage
9.2 Information Transfer, Temporary Storage and Removal
9.3 Equipment Migration or Abolishment
9.4 Removal or Destruction of Storage Media
Appendix A (normative) Main Processes and the Activities, Input and Output

Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity

1 Scope
This Standard stipulates the process by which cybersecurity protection work is implemented for classified protection objects.
This Standard is applicable as guidance for the implementation of classified protection of cybersecurity.

2 Normative References
The following documents are indispensable to the application of this document. For dated references, only the edition cited applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB 17859 Classified Criteria for Security Protection of Computer Information System
GB/T 22239 Information Security Technology - Baseline for Classified Protection of Cybersecurity
GB/T 22240 Information Security Technology - Classification Guide for Classified Protection of Information System Security
GB/T 25069 Information Security Technology - Glossary
GB/T 28448 Information Security Technology - Evaluation Requirement for Classified Protection of Cybersecurity

3 Terms and Definitions
The terms and definitions given in GB 17859, GB/T 22239, GB/T 25069 and GB/T 28448 apply to this document.

4 Overview of Implementation of Classified Protection
4.1 Fundamental Principles
The core of classified security protection is to classify the classified protection objects by level, and to carry out construction, management and supervision in accordance with the standards for that level.
......
protection, take charge of cybersecurity protection, supervision and management work within the scope of their respective duties.

b) Competent department
The competent department shall, in accordance with national management specifications and technical standards for classified cybersecurity protection, take charge of the supervision, inspection and guidance of the classified cybersecurity protection work of the operating and using organizations of classified protection objects in its industry, department or locality.

c) Operating and using organization
The operating and using organization shall, in accordance with national management specifications and technical standards for classified cybersecurity protection, determine the security protection level of its classified protection objects. If there is a competent department, the operating and using organization shall report the level to its competent department for review and approval. According to the security protection level already determined, it shall go through the filing procedures with the public security organ. In accordance with national management specifications and technical standards for classified cybersecurity protection, it shall plan and design the security protection of the classified protection objects; adopt information technology products and cybersecurity products that comply with relevant national regulations and with the classified security protection demands of the classified protection objects; carry out security construction or re-construction work; and formulate and implement the various security management systems. It shall regularly self-inspect the security status of the classified protection objects and the implementation of security protection systems and measures; select a level evaluation institution that complies with relevant national regulations to conduct level evaluation; and formulate response and disposal schemes for cybersecurity incidents at different levels.
Conduct emergency response to cybersecurity incidents at different levels.

d) Cybersecurity service institution
The cybersecurity service institution shall, in accordance with national management specifications and technical standards for classified cybersecurity protection and under the entrustment of the operating and using organization, assist the operating and using organization in completing the work related to classified protection, including determining the security protection level of the classified protection objects, analyzing security demands, overall security planning, implementing security construction and transformation, and providing service support platforms.

......

5.2 Industry / Domain Rating Work
Activity objective: if necessary, the industry / domain competent department may organize a review of the main social functions and roles of the industry / domain; analyze the main operations and service scope through which those social functions are performed; and, on the basis of the reviewed and analyzed content, form an overall descriptive document of the operations of the industry / domain.
Participating roles: competent department; cybersecurity service institution.
Activity input: industry introduction documents; GB/T 22240.
Activity description: this activity mainly includes the following sub-activities:
a) Identify and analyze the importance of the industry / domain
The competent department may organize a review of the industrial characteristics, scope of operations, main social functions and production output of the industry / domain, and analyze the important role that its main social functions play in safeguarding national security, economic development, social order and public services.
b) Identify the main operations of the industry / domain
The competent department may organize a review of the operations in the industry / domain that mainly depend on informatized processing, and determine the main operations of the industry / domain according to the importance of the social functions those operations undertake and the degree to which other industries depend on them.
c) Rating guidance
The competent department may organize an analysis of the main operations in the industry / domain; analyze the security protection requirements of each main operation according to the importance of its operational information and services; and, combining the conditions of the industry / domain, form industry / domain rating instructions for the main operations. The security protection level of classified protection objects that operate as an inter-provincial or nationally unified network may be determined uniformly by the competent department.
d) Deployment of rating work
The competent department may formulate rating instructions for the rating objects of the industry.

......

c) Identify the management framework of the classified protection object
Understand the organizational management structure, management policy and department setting of the classified protection object, and the roles and position responsibilities of each department in its operation; obtain information about the management characteristics and management framework that support the operation of the classified protection object. This clarifies the subject of security responsibility for the classified protection object.
d) Identify the network and equipment deployment of the classified protection object
Understand the physical environment, network topology and hardware equipment deployment of the classified protection object. On this basis, clarify the boundaries of the classified protection object, i.e. determine the object and scope of classified protection.
e) Identify the operational characteristics of the classified protection object
Understand the various operations and operational processes of the organization that mainly depend on informatized processing, and from these identify the operational characteristics of the classified protection object that supports the organization's operation.
f) Identify the information assets processed by the classified protection object
Understand the types of information assets processed by the classified protection object, and the importance of those assets in terms of confidentiality, integrity and availability.
g) Identify the scope and type of users
According to the distribution range of users or user groups, understand the requirements of the classified protection object for service scope, roles and operational continuity.
h) Describe the classified protection object
Organize and analyze the collected information, and form an overall descriptive document of the classified protection object. The overall descriptive document of a typical classified protection object includes the following content:
1) Overview of the classified protection object;
2) Importance analysis of the classified protection object;
3) Boundary description of the classified protection object;

......

classified protection objects into relatively independent objects as the rating objects, and ensure that each relatively independent object has the basic characteristics of a rating object. When dividing classified protection objects, first consider elements of organizational management, then factors such as type of operation and physical region. Objects that carry a relatively single operational application or relatively independent operations shall be treated as independent rating objects.
Communication network facilities, such as telecommunication networks and radio and television transmission networks, shall be divided into different rating objects according to security responsibility body, service type or service area. Exclusive communication networks of industries or organizations that span provinces may be rated as a whole, or divided into several rating objects by region.

In a cloud computing environment, the classified protection objects on the cloud service customer side and the cloud computing platform / system on the cloud service provider side shall be treated as independent rating objects. Furthermore, cloud computing platforms / systems shall be divided into different rating objects according to their service modes. For a large-scale cloud computing platform, the cloud computing infrastructure and the related auxiliary service systems should be divided into different rating objects.

The Internet of Things mainly includes characteristic elements such as perception, network transmission and processing application. These elements shall be rated as a whole; the individual elements shall not be rated separately.

An industrial control system generally includes characteristic elements such as field acquisition / execution, field control, process control and production management. The field acquisition / execution, field control and process control elements shall be rated as a whole and shall not be rated separately; the production management element should be rated separately. A large-scale industrial control system may be divided into multiple rating objects according to system function, responsibility body, control object, manufacturer, etc.
Classified protection objects that adopt mobile internet technology mainly include characteristic elements such as mobile terminals, mobile applications and wireless networks. They may be rated as a whole, or rated together with the associated operational systems; the individual elements shall not be rated separately.
c) Detailed description of rating objects

......

for industry / domain rating (if available) and the rating method, the operating and using organization shall determine the preliminary security protection level of each rating object.
b) Review of rating result
After the preliminary security protection level is determined, the operating and using organization may, if necessary, organize cybersecurity experts and operational experts to review the reasonableness of the preliminary rating result and issue expert review comments.
c) Examination and approval of rating result
After the preliminary security protection level is determined, the operating and using organization shall (if there is an explicit competent department) report the preliminary rating result to the competent department, or to the higher-level competent department of the industry / domain, for review and approval. The competent department or the higher-level competent department of the industry / domain shall review the reasonableness of the preliminary rating result and issue review comments. The operating and using organization shall regularly self-inspect for changes in the level of its classified protection objects and for the rating of newly established systems, and shall report these to the competent department for review and approval in a timely manner.
Activity output: rating result; competent department's review comments.

5.4.2 Form rating report
Activity objective: organize the documents generated during the rating process and form a report of the rating result of the classified protection object.
Participating roles: competent department; operating and using organization.
Activity input: detailed descriptive documents of the rating objects; rating result.
Activity description: organize the overall descriptive documents of the classified protection objects, the detailed descriptive documents, the rating result, etc., and form a documented rating result report. The rating result report may include the following content:
a) Overview of the current informatization status of the organization;

......

Activity description: this activity mainly includes the following sub-activities:
a) Determine the scope and analysis object of the classified protection objects
Clarify the scope and boundary of the classified protection objects at each level. Through surveys or information consultation, understand the operational applications and operational procedures of the classified protection objects.
b) Form basic security demands
According to the security protection level of the classified protection objects at each level, select the requirements of the corresponding level from GB/T 22239 and from the basic industry requirements, and form the basic security demands. For protection objects that already have an established level, analyze the rectification demands according to the level evaluation result and form the basic security demands.
Activity output: basic security demands.

6.2.2 Determination of special security demands
Activity objective: through analysis of the special protection demands of important assets, using demand analysis or risk analysis methods, determine the possible security risks, judge the necessity of implementing special security measures, and put forward special security protection demands for the classified protection objects.
Participating roles: operating and using organization; cybersecurity service institution.
Activity input: detailed descriptive documents of the classified protection objects; security protection level rating report; other relevant documents of the classified protection objects.
Activity description: the determination of special security demands may adopt a currently mature or prevailing demand analysis or risk analysis method, or adopt the activities introduced below:
a) Analysis of important assets
Clarify the important components of the classified protection objects, such as boundary equipment, gateway equipment, core network equipment, important server equipment and important application systems.

......

Activity output: security demand analysis report.

6.3 Overall Security Design
6.3.1 Overall security policy design
Activity objective: form the institution's programmatic security policy documents, including determining the security guide and formulating the security policy, so that the series of standards for basic requirements of classified protection, the basic industry requirements and the special security protection requirements can be combined to construct the security technology architecture and security management architecture for the institution's classified protection objects. For newly established classified protection objects, the security protection level shall be clarified at approval, and the overall security policy design shall be carried out according to the requirements of the corresponding protection level.
Participating roles: operating and using organization; cybersecurity service institution.
Activity input: detailed descriptive documents of the classified protection objects; security protection level rating report; security demand analysis report.
Activity description: this activity mainly includes the following sub-activities:
a) Determine the security guide
Form the institution's highest-level security guide document: clarify the mission and vision of security work, define the overall objective of cybersecurity, stipulate the institution responsible for cybersecurity and its responsibilities, establish the operating mode of security work, etc.
b) Formulate the security policy
Form the institution's highest-level security policy document, elaborating the main policies of security work, including the division policy of the security organization, the classification policy of operational systems, the classification policy of data and information, the interconnection policy of classified protection objects, the information flow control policy, etc.
Activity output: overall security policy document.

6.3.2 Security technology architecture design
Activity objective: in accordance with GB/T 22239, basic industry requirements, security demand

......

network lines and network equipment shall be considered. If rating objects at different levels transmit data through the same lines and equipment of the communication network, the security protection policies and security technological measures of those lines and equipment shall satisfy the basic requirements for classified protection of the highest-level rating object.
d) Stipulate boundary protection technological measures of rating objects at different levels
In accordance with the institution's overall security policy documents, the basic requirements for classified protection and the security demands, put forward security protection policies and security technological measures for the boundaries of rating objects at different levels. If rating objects at different levels share the same boundary protection equipment, the security protection policies and security technological measures of that equipment shall satisfy the basic requirements for classified protection of the highest-level rating object.
e) Stipulate security technological measures for interconnection among rating objects
In accordance with the institution's overall security policy documents, the basic requirements for classified protection and the security demands, put forward protection policy requirements and specific security technological measures for information transmission among rating objects in inter-LAN interconnection, including interconnection policies for the same level and for different levels. Likewise, put forward protection policy requirements and specific security technological protection measures for information transmission among rating objects within a LAN, including interconnection policies for the same level and for different levels.
f) Stipulate security protection technological measures inside rating objects at different levels
In accordance with the institution's overall security policy documents, the basic requirements for classified protection and the security demands, put forward security protection policies and security technological protection measures for the internal network platform, system platform, operational applications and data of rating objects at different levels. If a low-level rating object is deployed in the network area of a high-level rating object, the security protection policies and security technological measures of the system platform, operational applications and data of the low-level rating object shall satisfy the basic requirements for classified protection of the high-level rating object.
g) Stipulate security protection technological measures for new technologies, such as cloud computing and mobile internet

......

and security demands, put forward the institution's security organization management framework; allocate security management responsibilities for rating objects at different levels; stipulate security management policies for rating objects at different levels.
c) Stipulate the personnel security management policy of rating objects at different levels
In accordance with the institution's overall security policy documents, the series of standards for basic requirements of classified protection, the basic industry requirements and the security demands, put forward the management personnel framework of rating objects at different levels; allocate management personnel responsibilities for rating objects at different levels; stipulate personnel security management policies for rating objects at different levels.
d) Stipulate the security management policy of the physical environment (computer rooms and office areas) of rating objects at different levels
In accordance with the institution's overall security policy documents, the series of standards for basic requirements of classified protection, the basic industry requirements and the security demands, put forward the security policy for the computer rooms and office environment of rating objects at different levels.
e) Stipulate the security management policy for media and equipment of rating objects at different levels
In accordance with the institution's overall security policy documents, the series of standards for basic requirements of classified protection, the basic industry requirements and the security demands, put forward the security policy for media and equipment of rating objects at different levels.
f) Stipulate the operational security management policy of rating objects at different levels
In accordance with the institution's overall security policy documents, the series of standards for basic requirements of classified protection, the basic industry requirements and the security demands, put forward the security operation and maintenance framework and the operation and maintenance security policy of rating objects at different levels.
g) Stipulate the security incident handling and emergency management policy of rating objects at different levels
In accordance with the institution's overall security policy documents, the series of standards for basic requirements of classified protection, the basic industry requirements and the security demands, put forward the security incident handling and emergency management policy of rating objects at different levels.

determine secu...... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.