GB/T 28448-2019 PDF English
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 28448-2012
Information security technology - Evaluation
requirement for classified protection of cybersecurity
Issued on: May 10, 2019
Implemented on: December 1, 2019
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of PRC.
Table of Contents
Foreword... 4
Introduction... 6
1 Scope... 7
2 Normative references... 7
3 Terms and definitions... 8
4 Abbreviations... 10
5 Overview of testing-evaluation for classified cybersecurity protection... 10
5.1 Method of testing-evaluation for classified cybersecurity protection... 10
5.2 Single item testing-evaluation and overall testing-evaluation... 12
6 Requirements for level 1 testing-evaluation... 12
6.1 General requirements for security testing-evaluation... 12
6.2 Extended requirements for testing-evaluation of cloud computing security.. 40
6.3 Extended requirements for testing-evaluation of mobile internet security... 45
6.4 Extended requirements for testing-evaluation of IoT security... 48
6.5 Extended requirements for testing-evaluation of industrial control system security... 50
7 Requirements for level 2 testing-evaluation... 55
7.1 General requirements for security testing-evaluation... 55
7.2 Extended requirements for testing-evaluation of cloud computing security 122
7.3 Extended requirements for testing-evaluation of mobile internet security... 137
7.4 Extended requirements for testing-evaluation of IoT security... 143
7.5 Extended requirements for testing-evaluation of industrial control system security... 147
8 Requirements for level 3 testing-evaluation... 155
8.1 General requirements for security testing-evaluation... 155
8.2 Extended requirements for testing-evaluation of cloud computing security 261
8.3 Extended requirements for testing-evaluation of mobile internet security... 285
8.4 Extended requirements for testing-evaluation of IoT security... 293
1 Scope
This standard stipulates the general requirements and extended requirements for testing-evaluation of the security of classified protection targets.
This standard is applicable to security evaluation service agencies, to the operation and use units of classified protection targets and to their competent departments when conducting security evaluation of, and providing guidance on, the security status of classified protection targets; it is also applicable to network security functional departments when conducting supervision and inspection of the classified protection of cybersecurity.
Note: The level-5 classified protection target is an important supervision and management target with a special management mode and special security evaluation requirements, so it is not described in this standard.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, only the latest version (including all amendments) applies to this standard.
GB 17859-1999 Classified criteria for security protection of computer
information system
GB/T 22239-2019 Information security technology - Baseline for classified
protection of cybersecurity
GB/T 25069 Information security technology - Glossary
GB/T 25070-2019 Information security technology - Technical requirements
of security design for classified protection of cybersecurity
GB/T 28449-2018 Information security technology - Testing-evaluation
process guide for classified protection of cybersecurity
GB/T 31167-2014 Information security technology - Security guide of cloud
computing services
GB/T 31168-2014 Information security technology - Security capability
requirements of cloud computing services
GB/T 32919-2016 Information security - Industrial control systems -
Guidelines for the application of security controls
3 Terms and definitions
The terms and definitions defined in GB 17859-1999, GB/T 25069, GB/T 22239-2019, GB/T 25070-2019, GB/T 31167-2014, GB/T 31168-2014 and GB/T 32919-2016, as well as the following terms and definitions, apply to this document. For ease of use, some terms and definitions from GB/T 31167-2014 and GB/T 31168-2014 are repeated below.
3.1
Interview
The process in which the evaluator guides the relevant personnel of the classified protection target through purposeful (targeted) communication in order to understand, clarify or obtain evidence.
3.2
Examine
The process in which the evaluator observes, inspects and analyzes the target of testing-evaluation (such as system documents, various types of devices and related security configurations) in order to understand, clarify or obtain evidence.
3.3
Test
The process in which the evaluator uses a predetermined method or tool to make the target of testing-evaluation (various types of devices or security configurations) produce a specific result, and compares the running result with the expected result.
4 Abbreviations
The following abbreviations apply to this document.
AP: Wireless Access Point
APT: Advanced Persistent Threat
DDoS: Distributed Denial of Service
SSID: Service Set Identifier
WEP: Wired Equivalent Privacy
WiFi: Wireless Fidelity
WPS: WiFi Protected Setup
5 Overview of testing-evaluation for classified
cybersecurity protection
5.1 Method of testing-evaluation for classified cybersecurity
protection
The basic method of implementing testing-evaluation for classified cybersecurity protection is to focus on specific evaluation targets, adopt the relevant evaluation methods, follow certain evaluation procedures, obtain the required evidence data, and give an evaluation of whether a certain level of security protection capability is reached. The detailed process and method for implementing testing-evaluation for classified cybersecurity protection are given in GB/T 28449-2018.
The testing-evaluation of each requirement in this standard constitutes a single item testing-evaluation; all the specific testing-evaluation contents of a specific requirement constitute the testing-evaluation implementation. Each specific testing-evaluation implementation requirement item in the single item testing-evaluation (hereinafter referred to as "testing-evaluation requirement item") corresponds to the requirement item (testing-evaluation index) included under the security control point. The testing-evaluation of each requirement may use all three testing-evaluation methods (interview, examine and test), or only one or two of them. The content of the testing-evaluation implementation fully covers the testing-evaluation requirements of all the requirement items in GB/T 22239-2019 and GB/T 25070-2019. When this standard is used, the testing-evaluation requirements of each requirement item in GB/T 22239-2019 shall be chosen from the single item testing-evaluation implementation, and the testing-evaluation guidance shall be developed following these testing-evaluation requirements, so as to standardize and guide testing-evaluation activities for classified cybersecurity protection.
According to the survey results, the business process and data flow of the classified protection target are analyzed to determine the scope of the testing-evaluation work. Combined with the security level of the classified protection target, the functions and characteristics of each device and component in the system are comprehensively analyzed; the testing-evaluation targets at the technical level are determined from the importance, security, sharing, comprehensiveness and appropriateness attributes of the components constituting the classified protection target; the related personnel and management documents are determined as the testing-evaluation targets at the management level. The testing-evaluation targets can be described by category, including computer rooms, business application software, host operating systems, database management systems, network interconnection devices, security devices, personnel to be interviewed and security management documents.
The testing-evaluation activities for classified cybersecurity protection involve
testing-evaluation intensity, including testing-evaluation breadth (coverage) and
testing-evaluation depth (intensity). For the implementation of testing-
evaluations with a higher level of security protection, it shall choose a wider
coverage of testing-evaluation targets and stronger testing-evaluation methods,
to obtain more credible testing-evaluation evidence. For a detailed description
of the testing-evaluation intensity, see Appendix A.
Each level of testing-evaluation requirements includes 5 parts: general requirements for security testing-evaluation, extended requirements for cloud computing security testing-evaluation, extended requirements for mobile internet security testing-evaluation, extended requirements for IoT security testing-evaluation, and extended requirements for industrial control system security testing-evaluation. For the security testing-evaluation method for big data, see Appendix B.
5.2 Single item testing-evaluation and overall testing-evaluation
Testing-evaluation for classified cybersecurity protection includes single item
testing-evaluation and overall testing-evaluation.
Single item testing-evaluation is a testing-evaluation of each security
requirement item, which supports the repeatability and reproducibility of the
testing-evaluation results. The single item testing-evaluation in this standard
consists of testing-evaluation index, testing-evaluation targets, testing-
evaluation implementation, unit judgment results. For ease of use, each testing-
evaluation unit is numbered. For a detailed description, see Appendix C.
The overall testing-evaluation is based on a single item testing-evaluation, to
judge the overall security protection ability of the classified protection target.
The overall security protection capability is judged from the perspectives of
depth protection and complementary measures.
6 Requirements for level 1 testing-evaluation
6.1 General requirements for security testing-evaluation
6.1.1 Security physical environment
6.1.1.1 Physical access control
6.1.1.1.1 Testing-evaluation unit (L1-PES1-01)
The testing-evaluation unit includes the following requirements.
a) Testing-evaluation index: The entrance and exit of the computer room shall be arranged with dedicated personnel on duty or equipped with an electronic access control system to control, identify and record the personnel entering.
b) Testing-evaluation targets: Electronic access control system and duty records of the computer room.
c) Testing-evaluation implementation: It shall check whether a dedicated person is on duty or an electronic access control system is in place.
d) Unit judgment: If the content of the above testing-evaluation is positive, it meets the index requirements of the testing-evaluation unit; otherwise, it does not meet the index requirements of the testing-evaluation unit.
6.1.1.2 Anti-theft and anti-vandalism
6.1.1.2.1 Testing-evaluation unit (L1-PES1-02)
The testing-evaluation unit includes the following requirements.
a) Testing-evaluation index: The devices or main components shall be fixed and marked with signs that are not easily removed.
b) Testing-evaluation target: Devices or main components of the computer room.
c) The implementation of the testing-evaluation includes the following:
1) It shall check whether the devices or main components in the computer room are fixed;
2) It shall check whether the devices or main components in the computer room are provided with obvious signs that are difficult to remove.
d) Unit judgment: If both 1) and 2) are positive, it meets the index requirements of this testing-evaluation unit; otherwise, it does not meet or partially meets the index requirements of this testing-evaluation unit.
7 Requirements for level 2 testing-evaluation
7.1 General requirements for security testing-evaluation
7.1.1 Security physical environment
7.1.1.1 Selection of physical location
7.1.1.1.1 Testing-evaluation unit (L2-PES1-01)
The testing-evaluation unit includes the following requirements.
a) Testing-evaluation index: The computer room site shall be selected in a building with shockproof, windproof and rainproof capability.
b) Testing-evaluation targets: Record documents and the computer room.
c) The implementation of the testing-evaluation includes the following:
1) It shall check whether the building has seismic approval documents for seismic fortification of the building;
2) It shall check whether the computer room is free from rain leakage;
3) It shall check whether the doors and windows of the computer room are free from serious dust caused by wind;
4) It shall check whether the roof, walls, doors, windows and ground are free from damage and cracks.
d) Unit judgment: If all of 1) to 4) are positive, it meets the index requirements of the testing-evaluation unit; otherwise, it does not meet or partially meets the index requirements of the testing-evaluation unit.
8 Requirements for level 3 testing-evaluation
8.1 General requirements for security testing-evaluation
8.1.1 Security physical environment
8.1.1.1 Physical location selection
8.1.1.1.1 Testing-evaluation unit (L3-PES1-01)
The testing-evaluation unit includes the following requirements.
a) Testing-evaluation index: The computer room site shall be selected in a building with shockproof, windproof and rainproof capability.
b) Testing-evaluation targets: Record documents and the computer room.
c) The implementation of the testing-evaluation includes the following:
1) It shall check whether the building has seismic approval documents for seismic fortification of the building;
2) It shall check whether the computer room is free from rain leakage;
3) It shall check whether the doors and windows are free from serious dust caused by wind;
4) It shall check the roof, walls, doors, windows and ground for damage and cracking.
d) Unit judgment: If all of 1) to 4) are positive, it meets the index requirements of the testing-evaluation unit; otherwise, it does not meet or partially meets the index requirements of the testing-evaluation unit.
8.1.1.1.2 Testing-evaluation unit (L3-PES1-02)
The testing-evaluation unit includes the following requirements.
a) Testing-evaluation index: The computer room site shall not be located on the top floor or in the basement of the building; otherwise, waterproof and moisture-proof measures shall be strengthened.
b) Testing-evaluation target: The computer room.
c) Testing-evaluation implementation: It shall check whether the computer room is located on the top floor or in the basement of the building in which it is located; if it is, check whether the computer room has taken waterproof and moisture-proof measures.
d) Unit judgment: If the content of the above testing-evaluation is positive, it meets the index requirements of the testing-evaluation unit; otherwise, it does not meet the index requirements of the testing-evaluation unit.
...... Source: The above contents are excerpted from the full-copy PDF, translated/reviewed by www.ChineseStandard.net / Wayne Zheng et al.