
GB/T 36958-2018 PDF in English

GB/T 36958-2018 (GB/T36958-2018, GBT 36958-2018, GBT36958-2018)

Standard ID: GB/T 36958-2018
Contents [version]: English
USD: 370
[PDF] delivered in: 0-9 seconds. Auto-delivery.
Name of Chinese Standard: Information security technology -- Technical requirements of security management center for classified protection of cybersecurity
Status: Valid

GB/T 36958-2018: PDF in English (GBT 36958-2018)

GB/T 36958-2018
GB NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80

Information security technology - Technical requirements of security management center for classified protection of cybersecurity

ISSUED ON: DECEMBER 28, 2018
IMPLEMENTED ON: JULY 01, 2019
Issued by: State Administration for Market Regulation; Standardization Administration of PRC.

Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview of security management center
5.1 General description
5.2 Function description
6 Technical requirements for the second-level security management center
6.1 Functional requirements
6.2 Interface requirements
6.3 Self-security requirements
7 Technical requirements for the third-level security management center
7.1 Functional requirements
7.2 Interface requirements
7.3 Self-security requirements
8 Technical requirements for the fourth-level security management center
8.1 Functional requirements
8.2 Interface requirements
8.3 Self-security requirements
9 Technical requirements for the fifth-level security management center
10 Technical requirements for the security management center of a cross-grading system
Appendix A (Normative) Correspondence between security management center and cybersecurity classified protection object’s level
Appendix B (Normative) Classification of technical requirements of security management center
Appendix C (Informative) Normalized security event attributes

Information security technology - Technical requirements of security management center for classified protection of cybersecurity

1 Scope

This standard specifies the technical requirements for security management centers under the classified protection of cybersecurity.
This standard is applicable to guiding security manufacturers and operating and using organizations in designing, constructing and operating security management centers in accordance with its requirements.

2 Normative references

The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, the latest version (including all amendments) applies.

GB/T 5271.8 Information technology - Vocabulary - Part 8: Security
GB 17859-1999 Computer information system - Criteria for classifying security protection level
GB/T 25069 Information security technology - Glossary
GB/T 25070 Information security technology - Technical requirements of security design for information system classified protection

3 Terms and definitions

The terms and definitions defined in GB 17859-1999, GB/T 5271.8, GB/T 25069 and GB/T 25070, as well as the following terms and definitions, apply to this document.

3.1 Data acquisition interface
......
corresponding types of security audit mechanisms to be turned on and off according to time periods; performing storage, management, inquiry, etc. of various types of audit records. The security auditor analyzes the audit records and processes them in a timely manner based on the analysis results.

6 Technical requirements for the second-level security management center

6.1 Functional requirements

6.1.1 System management requirements

6.1.1.1 User identity management

User identity management shall meet the following requirements:
a) Be able to authenticate the system administrator of the managed object; check the complexity of the identity and authentication information;
b) In the Internet of Things system, the system administrator of the managed object shall conduct unified identity management on the perception equipment, perception layer gateway, etc.
6.1.1.2 Data protection

6.1.1.2.1 Data confidentiality

Data confidentiality shall meet the following requirements:
a) Before establishing a connection between the security management center and the managed object, cryptographic technology can be used for session initialization verification;
b) Cryptographic technology can be used to protect the confidentiality of the entire message or session in the communication process between the security management center and the managed object;
c) Encryption or other protection measures can be used to realize the storage confidentiality of the authentication information and configuration management data of the managed object.

6.1.1.2.2 Data integrity

Data integrity shall meet the following requirements:
......
Security event alarms shall have an alarm function, which can generate alarms based on preset thresholds when abnormalities are found.

6.1.1.3.3 Security incident response

Security incident response shall meet the following requirements:
a) It can provide the function of work order management; support the circulation process of creating work orders based on alarm response actions;
b) It shall provide a security notification function, which can create or import security risk notifications, including the content of the notification, description information, CVE number, affected operating system, etc.;
c) Provide a list of affected protected assets based on the operating system affected by the security risk indicated in the notification.

6.1.1.3.4 Statistical analysis report

The statistical analysis report shall meet the following requirements:
a) Be able to query security events according to conditions such as time and event type;
b) Can provide statistical analysis and report generation functions.
6.1.1.4 Risk management

6.1.1.4.1 Asset management

Asset management shall meet the following requirements:
a) Realize the management of the assets of the managed objects; provide asset addition, modification, deletion, query and statistics functions;
b) Asset management information shall include asset attributes such as asset name, asset IP address, asset type, asset owner, asset business value, and asset confidentiality, integrity and availability assignment;
c) Support the customization of asset attributes;
d) Support manual entry of asset records or batch asset import based on specified templates.

6.1.1.4.2 Threat management

Threat management shall meet the following requirements:
......
b) It can show the operating status of key equipment (including network equipment, security equipment, server hosts, etc.) and links in the current network environment, such as network traffic, network protocol statistical analysis and other indicators.

6.1.2 Audit management requirements

6.1.2.1 Centralized management of audit policy

Centralized management of audit policy shall be able to view the configuration of the audit policy of host operating systems, database systems, network equipment and security equipment, including whether the policy is on, whether the parameter settings comply with the security policy, etc.

6.1.2.2 Centralized management of audit data

6.1.2.2.1 Audit data collection

Audit data collection shall meet the following requirements:
a) It can realize the normalization of audit data; the content shall cover date, time, subject identification, object identification, type, result, IP address, port and other information;
b) Support setting query conditions for audit data query;
c) Support filtering and processing various audit data according to rules;
d) Support the consolidation of data collection information according to specific rules.
6.1.2.2.2 Audit data collection objects

Audit data collection objects shall meet the following requirements:
a) Support audit data collection of network equipment (such as switches, routers, traffic management, load balancing and other network infrastructure equipment);
b) Support the collection of audit data on host devices (such as server operating systems and other application support platforms, and desktop computers, laptops, handheld terminals and other terminals used by users to access information systems);
c) Support the collection of audit data from the database;
d) Support the collection of audit data of security equipment (such as firewalls, intrusion monitoring systems, anti-denial of service attack equipment, anti-virus systems, application security audit systems, access
......

6.3 Self-security requirements

6.3.1 Identity authentication

The administrator identity authentication of the security management center console shall meet the following requirements:
a) Provide a dedicated login control module to identify and authenticate the administrator;
b) Provide uniqueness and complexity check functions for administrator user identity and authentication information, to ensure that there is no duplicate user identity and that the identity authentication information is not easy to fraudulently use;
c) Provide login failure processing functions, which can take measures such as ending the session, limiting the number of illegal logins and automatic logout.

6.3.2 Access control

The access control of the security management center console shall meet the following requirements:
a) Provide independent access control functions; control administrators' access to various functions according to security policies;
b) The coverage of autonomous access control shall include all administrators, functions and the operations between them;
c) The authorized administrator configures the access control policy and prohibits the access of the default account.
6.3.3 Security audit

The security audit of the security management center console shall meet the following requirements:
a) Provide a security audit function covering each administrator; record the important operations and security events of all administrators for audit;
b) Ensure that the audit process cannot be interrupted alone; that audit records cannot be deleted, modified or overwritten;
c) The content of the audit record shall at least include the date, time, initiator information, type, description and results of the event;
......
a) It can detect that the integrity of management data and authentication information is damaged during transmission and storage;
b) Use cryptographic technology or other protection measures to realize the confidentiality of data transmission and storage of management data and authentication information.

7 Technical requirements for the third-level security management center

7.1 Functional requirements

7.1.1 System management requirements

7.1.1.1 User identity management

User identity management shall meet the following requirements:
a) Be able to identify the subject in the environment of the managed object;
b) Be able to use a combination of two or more authentication technologies to authenticate users;
c) Be able to authenticate the system administrator of the managed object; check the complexity of the identity and authentication information;
d) In the Internet of Things system, the system administrator of the managed object shall manage the unified identity identification of the sensing device and the sensing layer gateway.
7.1.1.2 Data protection

7.1.1.2.1 Data confidentiality

Data confidentiality shall meet the following requirements:
a) Before establishing a connection between the security management center and the managed object, it shall use cryptographic technology for verification of session initialization;
b) It shall use cryptographic technology to protect the confidentiality of the entire message or session in the communication process between the security management center and the managed object;
......
Security event collection shall meet the following requirements:
a) Support security event monitoring and collection functions; timely discover and collect security events that occur;
b) Be able to normalize security events; convert original events of different sources, different formats and different contents into a standard event format;
c) The content of the security event shall include date, time, subject identification, object identification, type, result, IP address, port and other information;
d) The scope of security event collection shall cover host equipment, network equipment, databases, security equipment, various middleware, computer room environmental control systems, etc.;
e) Be able to centrally store the collected raw data of security events.
Note: Refer to Appendix C for the attributes of security events.

7.1.1.3.2 Security event alarm

Security event alarms shall meet the following requirements:
a) It has an alarm function, which can generate an alarm according to a preset threshold when an abnormality is found;
b) When an alarm is generated, it shall be able to trigger the pre-set event analysis rules and execute the predefined alarm response actions, such as: console dialog box alarm, console alarm sound, email alarm, mobile phone SMS alarm, creating a work order, publishing alarm events through Syslog or SNMP Trap, etc.;
c) It has the ability to combine alarms for the same security events that occur frequently, to avoid alarm storms.
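The requirements above (security event normalization in 7.1.1.3.1 b)-c), which is the same normalization 6.1.2.2.1 a) asks of audit data, threshold alarms in 7.1.1.3.2 a), and merging of repeated alarms in 7.1.1.3.2 c)) are easier to see in code. The following is an added example written for this page; it is not text from GB/T 36958-2018 nor any vendor's implementation. The two raw log formats, the field names of the standard record, the threshold, and the sample lines are constructed assumptions, and Appendix C's attribute list is not reproduced.

```python
"""Added example: normalize raw events from two constructed source formats into
one standard event record, alarm at a preset threshold, and merge repeats of the
same alarm so that a burst does not become an alarm storm."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class NormalizedEvent:
    """Standard event format carrying the attributes listed in 7.1.1.3.1 c)."""
    date: str
    time: str
    subject: str       # who acted (user name or source address)
    obj: str           # what was acted on (host or destination)
    event_type: str
    result: str
    ip: str
    port: Optional[int]
    source: str        # class of collection object the event came from

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

# Constructed formats: a syslog-style sshd line and a key=value firewall line.
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<time>[\d:]+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)")
FW_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>[\d:]+)\s+fw=\S+\s+action=(?P<action>\w+)\s+"
    r"src=(?P<ip>[\d.]+)\s+dst=(?P<dst>\S+)\s+dport=(?P<port>\d+)")

def normalize(line: str, year: int = 2024) -> Optional[NormalizedEvent]:
    """Convert one raw line to the standard format; None if the format is unknown.
    Syslog lines carry no year, so the collector supplies one (assumption)."""
    m = SSHD_RE.match(line)
    if m:
        date = f"{year:04d}-{MONTHS[m['mon']]:02d}-{int(m['day']):02d}"
        result = "failure" if m["result"] == "Failed" else "success"
        return NormalizedEvent(date, m["time"], m["user"], m["host"], "authentication",
                               result, m["ip"], int(m["port"]), "host")
    m = FW_RE.match(line)
    if m:
        result = "denied" if m["action"].upper() == "DENY" else "allowed"
        return NormalizedEvent(m["date"], m["time"], m["ip"], m["dst"], "network_access",
                               result, m["ip"], int(m["port"]), "security_equipment")
    return None

@dataclass
class Alarm:
    key: Tuple[str, str]   # (event type, source IP) the alarm is about
    first_seen: str
    last_seen: str
    count: int             # how many alarms were merged into this one

class AlarmEngine:
    """Counts abnormal events per key; alarms at the threshold; optionally merges."""
    def __init__(self, threshold: int = 3, merge: bool = True):
        self.threshold, self.merge = threshold, merge
        self.counters: Dict[Tuple[str, str], int] = defaultdict(int)
        self.alarms: Dict[Tuple[str, str], Alarm] = {}
        self.dispatched: List[Alarm] = []   # what would go to email / SNMP trap / work order
        self.events: List[NormalizedEvent] = []

    def feed(self, ev: NormalizedEvent) -> None:
        if ev.result not in ("failure", "denied"):
            return                          # only abnormal results count toward the threshold
        key = (ev.event_type, ev.ip)
        self.counters[key] += 1
        if self.counters[key] < self.threshold:
            return
        ts = f"{ev.date} {ev.time}"
        if self.merge and key in self.alarms:
            self.alarms[key].count += 1     # merged: no new dispatch
            self.alarms[key].last_seen = ts
            return
        alarm = Alarm(key, ts, ts, 1)
        self.alarms[key] = alarm
        self.dispatched.append(alarm)

RAW_LINES = [  # constructed sample input; the raw lines would also be stored centrally (e)
    "Mar  3 10:15:01 srv01 sshd[2211]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "Mar  3 10:15:04 srv01 sshd[2211]: Failed password for root from 203.0.113.5 port 51023 ssh2",
    "Mar  3 10:15:07 srv01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2",
    "Mar  3 10:15:09 srv01 sshd[2211]: Failed password for root from 203.0.113.5 port 51025 ssh2",
    "Mar  3 10:15:12 srv01 sshd[2211]: Failed password for root from 203.0.113.5 port 51026 ssh2",
    "Mar  3 10:16:00 srv01 sshd[2300]: Accepted password for ops from 192.0.2.10 port 40001 ssh2",
    "2024-03-03T10:17:00 fw=edge-fw action=DENY src=198.51.100.7 dst=10.0.0.5 dport=3389",
    "2024-03-03T10:17:01 fw=edge-fw action=DENY src=198.51.100.7 dst=10.0.0.5 dport=445",
    "2024-03-03T10:17:02 fw=edge-fw action=DENY src=198.51.100.7 dst=10.0.0.6 dport=22",
    "<unparsed heartbeat line from an unknown source>",
]

def process(lines: List[str], threshold: int = 3, merge: bool = True) -> AlarmEngine:
    """Normalize every line, drop the unparseable ones, feed the alarm engine."""
    engine = AlarmEngine(threshold, merge)
    engine.events = [ev for ev in (normalize(l) for l in lines) if ev is not None]
    for ev in engine.events:
        engine.feed(ev)
    return engine

if __name__ == "__main__":
    for a in process(RAW_LINES).dispatched:
        print(a)
```

With merging on, the five SSH failures from one address produce a single dispatched alarm whose count grows, and the three firewall denials a second one; with `merge=False` the same input dispatches four alarms, which is the storm the standard's clause c) wants avoided.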
7.1.1.3.3 Security event response

Security event response shall meet the following requirements:
a) It can provide the function of work order management; support the circulation process of creating work orders based on alarm response actions;
b) It can provide the security notification function; create or import a security risk notification. The notification shall include the content of the notification, description information, CVE number, affected operating system, etc.;
......
damage, scope involved.

7.1.1.4.3 Threat management

Threat management shall meet the following requirements:
a) Have pre-defined security threat classification;
b) Support customized security threat classification, such as setting the threat corresponding to a security incident that has occurred as the threat to the asset.

7.1.1.4.4 Vulnerability management

Vulnerability management shall allow the creation and maintenance of asset vulnerability lists; support the merging and updating of vulnerability lists.

7.1.1.4.5 Risk analysis

Risk analysis shall meet the following requirements:
a) Be able to calculate the security risk of the target asset based on the business value of the asset, the current vulnerabilities of the asset and the security threats the asset faces;
b) The calculation cycle and calculation formula of security risk can be adjusted by modifying the configuration according to the actual needs of the deployment environment;
c) The security management system can graphically display the current asset risk level, current risk ranking statistics, etc.
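One way to satisfy 7.1.1.4.5 a)-c) in code, as an added example for this page (not from the standard and not any product's risk engine): risk per asset is computed from business value, current vulnerabilities and faced threats; the formula choice, weights, level boundaries and calculation cycle all come from a configuration dictionary; the result is a ranked table ready for display. The asset records, the two formulas, the index functions and every number are constructed assumptions.

```python
"""Added example: configurable asset risk calculation and ranking."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

@dataclass
class Asset:
    name: str
    ip: str
    business_value: int                                  # 1 (low) .. 5 (critical)
    vulnerabilities: List[float] = field(default_factory=list)  # severity 0..10 each
    threats: List[float] = field(default_factory=list)          # likelihood 0..1 each

# Operator-editable configuration (7.1.1.4.5 b): cycle, formula, weights, levels.
DEFAULT_CONFIG = {
    "cycle_seconds": 3600,
    "formula": "weighted",
    "weights": {"value": 0.4, "vulnerability": 0.35, "threat": 0.25},
    "levels": [(0.0, "low"), (0.3, "medium"), (0.6, "high"), (0.85, "critical")],
}

def _vuln_index(a: Asset) -> float:
    """Worst vulnerability on the asset, nudged up for each additional one (0..1)."""
    if not a.vulnerabilities:
        return 0.0
    worst = max(a.vulnerabilities) / 10.0
    extra = 0.05 * (len(a.vulnerabilities) - 1)
    return min(1.0, worst + extra)

def _threat_index(a: Asset) -> float:
    """Probability that at least one faced threat materialises (0..1)."""
    p_none = 1.0
    for p in a.threats:
        p_none *= (1.0 - p)
    return 1.0 - p_none

def formula_weighted(a: Asset, cfg: dict) -> float:
    w = cfg["weights"]
    return (w["value"] * (a.business_value / 5.0)
            + w["vulnerability"] * _vuln_index(a)
            + w["threat"] * _threat_index(a))

def formula_product(a: Asset, cfg: dict) -> float:
    """Alternative formula selectable by configuration: value x vulnerability x threat."""
    return (a.business_value / 5.0) * _vuln_index(a) * _threat_index(a)

FORMULAS: Dict[str, Callable[[Asset, dict], float]] = {
    "weighted": formula_weighted,
    "product": formula_product,
}

def risk_level(score: float, cfg: dict) -> str:
    """Map a 0..1 score to the highest level whose lower bound it reaches."""
    level = cfg["levels"][0][1]
    for lower, name in cfg["levels"]:
        if score >= lower:
            level = name
    return level

def calculate_risks(assets: List[Asset], cfg: dict = DEFAULT_CONFIG) -> List[dict]:
    """Score every asset with the configured formula; return rows ranked high to low."""
    f = FORMULAS[cfg["formula"]]
    rows = [{"asset": a.name, "ip": a.ip, "score": round(f(a, cfg), 3)} for a in assets]
    for r in rows:
        r["level"] = risk_level(r["score"], cfg)
    rows.sort(key=lambda r: r["score"], reverse=True)   # ranking statistics for display
    for rank, r in enumerate(rows, 1):
        r["rank"] = rank
    return rows

def next_calculation(last_run_epoch: float, cfg: dict = DEFAULT_CONFIG) -> float:
    """When the scheduler should recompute, given the configured cycle."""
    return last_run_epoch + cfg["cycle_seconds"]

SAMPLE_ASSETS = [  # constructed
    Asset("erp-db", "10.0.1.20", 5, [9.8, 7.5], [0.6, 0.3]),
    Asset("intranet-web", "10.0.2.15", 3, [6.1], [0.4]),
    Asset("print-server", "10.0.3.8", 1, [], [0.2]),
]

if __name__ == "__main__":
    for row in calculate_risks(SAMPLE_ASSETS):
        print(row)
```

Switching `formula` to `"product"` in the configuration changes the scores (and possibly the levels) without touching code, which is the adjustability clause b) asks for; the level boundaries are likewise data, so a deployment can tighten what counts as "critical".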
7.1.1.5 Resource monitoring

7.1.1.5.1 Availability monitoring

Availability monitoring shall meet the following requirements:
a) Support real-time understanding of availability status by monitoring important performance indicators of network equipment, security equipment, host operating systems, databases, middleware, application systems, etc.;
b) Support setting thresholds for key indicators (such as: CPU usage, memory usage, disk usage, process resource occupancy, swap partitions, network traffic, etc.); generate an alarm when the threshold is triggered;
c) On the IoT system platform, the system administrator shall monitor
......

7.1.2.2 Authorization management

Authorization management shall meet the following requirements:
a) Achieve unified management of the access range of each mark;
b) Realize the unified management of the subject's access authority to the object, including host access authority management, network access authority management and application access authority management;
c) Implement access control policies to control the subject's access to the object according to the different security levels of the subject mark and the object mark.

7.1.2.3 Device policy management

7.1.2.3.1 Security configuration policy

Equipment management shall realize the unified query of the security configuration policy of host operating systems, database systems, network equipment and security equipment.
7.1.2.3.2 Intrusion prevention

Intrusion prevention shall meet the following requirements:
a) Provide a unified interface to achieve event collection, receiving and instruction issuing for network intrusion prevention and host intrusion prevention;
b) Provide a unified operating system and service component patch update service in the security domain;
c) In the cloud computing platform, cloud computing security management shall have the ability to retrospectively analyze attack behavior and to predict and warn of cybersecurity events; it shall have the ability to perceive, predict and judge the cybersecurity situation.

7.1.2.3.3 Malicious code prevention

Malicious code prevention shall meet the following requirements:
a) Monitor and manage the unified upgrade of malicious code prevention products;
b) Collect and report the data of malicious code prevention.

7.1.2.4 Password guarantee
......
computers, laptops, handheld terminals and other terminals used by users to access information systems);
c) Support the collection of audit data from the database;
d) Support the collection of audit data of security equipment (such as firewalls, intrusion monitoring systems, anti-denial of service attack equipment, anti-virus systems, application security audit systems, access control systems, and other systems and equipment related to information system security protection);
e) Support the collection of audit data of various middleware;
f) Support the collection of audit data for the computer room environmental control system (such as air conditioning, temperature and humidity control, firefighting equipment, access control system, etc.);
g) Support audit data collection of other application systems or related platforms;
h) In the cloud computing platform, it shall audit the creation and deletion of cloud services such as cloud servers, cloud databases and cloud storage; it shall use the operation and maintenance audit system to conduct security audits on the operation and maintenance behavior of the administrator; the tenant isolation mechanism shall be used to ensure the effectiveness of audit data isolation;
i) In the industrial control system, it shall carry out centralized management of cybersecurity monitoring and alarming and cybersecurity log information of industrial control field control equipment, cybersecurity equipment, network equipment, servers, operating stations and other equipment.

7.1.3.2.3 Audit data collection method

The audit data collection method shall meet the following requirements:
a) Support the collection of audit data on various systems or devices through protocols such as Syslog and SNMP;
b) Receive security audit data of managed objects through a unified interface.

7.1.3.2.4 Association analysis of audit data

Audit data association analysis shall support the analysis of audit data from different collection objects in one analysis rule.
......

7.3.2 Access control

The access control of the security management center console shall meet the following requirements:
a) Provide independent access control functions; control administrators' access to various functions according to security policies;
b) The coverage of autonomous access control shall include all administrators, functions and the operations between them;
c) Authorized administrators configure access control policies and prohibit access by default accounts;
d) To achieve the separation of authorities of privileged users, different accounts shall be granted the minimum permissions required to complete their respective tasks; a mutually restrictive relationship shall be formed between them.
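The console self-security clauses (login failure processing in 6.3.1 c); policy-based access control with default accounts prohibited in 6.3.2 c) and 7.3.2 c); minimum permissions and mutual restriction among privileged users in 7.3.2 d)) can be modelled in a few dozen lines. The block below is an added example for this page, not text from GB/T 36958-2018 and not any product's console. The account names, the three roles and their permission sets, the failure limit, lockout and idle timeouts, the list of default accounts and the PBKDF2-based credential check are constructed assumptions.

```python
"""Added example: console login-failure handling, least-privilege role
separation, and prohibition of default accounts."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

MAX_FAILURES = 5          # illegal logins tolerated before lockout (assumption)
LOCKOUT_SECONDS = 900
IDLE_TIMEOUT = 600        # automatic logout after this much inactivity
DEFAULT_ACCOUNTS = {"admin", "root", "guest"}   # never granted console access

# Separation of authorities: each role holds only what its task needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "system_admin":   {"asset.manage", "policy.configure"},
    "audit_admin":    {"audit.query", "audit.report"},
    "security_admin": {"accesspolicy.configure", "user.manage"},
}

def roles_are_separated() -> bool:
    """True when no permission is held by two roles (mutual restriction, 7.3.2 d)."""
    seen: Set[str] = set()
    for perms in ROLE_PERMISSIONS.values():
        if seen & perms:
            return False
        seen |= perms
    return True

@dataclass
class Account:
    name: str
    role: str
    salt: bytes
    pwd_hash: bytes
    failures: int = 0
    locked_until: float = 0.0

@dataclass
class Session:
    user: str
    last_activity: float

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Console:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
        self.audit: List[Tuple[float, str, str, str]] = []   # (time, who, event, result)

    def add_account(self, name: str, role: str, password: str) -> None:
        if name in DEFAULT_ACCOUNTS or role not in ROLE_PERMISSIONS:
            raise ValueError("default account names and unknown roles are refused")
        salt = os.urandom(16)
        self.accounts[name] = Account(name, role, salt, _hash(password, salt))

    def login(self, name: str, password: str, now: Optional[float] = None) -> Optional[str]:
        """Return a session token on success, None otherwise; never says why to the caller."""
        now = time.time() if now is None else now
        acct = self.accounts.get(name)
        if name in DEFAULT_ACCOUNTS or acct is None:
            self.audit.append((now, name, "login", "denied: unknown or default account"))
            return None
        if now < acct.locked_until:
            self.audit.append((now, name, "login", "denied: locked"))
            return None
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pwd_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
                for tok in [t for t, s in self.sessions.items() if s.user == name]:
                    del self.sessions[tok]          # end any live session of the account
                self.audit.append((now, name, "login", "locked after repeated failures"))
            else:
                self.audit.append((now, name, "login", "failed"))
            return None
        acct.failures = 0
        token = os.urandom(16).hex()
        self.sessions[token] = Session(name, now)
        self.audit.append((now, name, "login", "success"))
        return token

    def authorize(self, token: str, permission: str, now: Optional[float] = None) -> bool:
        """Policy check for one operation; idle sessions are logged out automatically."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s.last_activity > IDLE_TIMEOUT:
            del self.sessions[token]
            self.audit.append((now, s.user, "session", "automatic logout (idle)"))
            return False
        s.last_activity = now
        allowed = permission in ROLE_PERMISSIONS[self.accounts[s.user].role]
        self.audit.append((now, s.user, permission, "allowed" if allowed else "denied"))
        return allowed
```

Every decision, allowed or denied, lands in `self.audit` with time, initiator, type and result, which is the minimum record content the console's own security audit clause asks for; `roles_are_separated()` is the kind of configuration check an auditor can run to confirm that no single privileged account can do another role's work.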
7.3.3 Security audit

The security audit of the security management center console shall meet the following requirements:
a) Provide a security audit function covering each administrator; record the important operations and security events of all administrators for audit;
b) Ensure that the audit process cannot be interrupted alone; that audit records cannot be deleted, modified or overwritten;
c) The content of the audit record shall at least include the date, time, initiator information, type, description and results of the event;
d) Provide the functions of statistics, query, analysis and generation of audit reports on audit record data;
e) Provide a centralized audit interface according to the unified security policy.

7.3.4 Remaining information protection

The remaining information protection of the security management center console shall ensure that the storage space where the administrator's authentication information is located is completely cleared before being released or redistributed to other administrator users, regardless of whether the information is stored on the hard disk or in memory.

7.3.5 Software fault tolerance

The data security of the security management center console shall meet the following requirements:
a) It can detect that the integrity of management data and authentication information is damaged during transmission and storage; take necessary recovery measures when integrity errors are detected;
b) Use cryptographic technology or other protection measures to realize the confidentiality of data transmission and storage of management data and authentication information.
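Clauses 7.3.3 b) and c) and the integrity-detection requirement above call for audit records that carry the listed fields and whose deletion, modification or overwriting can be detected. One construction that does this is a hash chain: every record carries an HMAC over its own content and the previous record's tag, so changing, removing or reordering any record breaks every tag after it; the store keeps a separately anchored "head" (count and last tag) so that truncation of the tail is caught as well. The block is an added example for this page, not text from GB/T 36958-2018 and not any product's audit store; the record layout, the key handling and the sample records are constructed assumptions (in a real deployment the key lives outside the store, for instance in an HSM, and the head is copied off-host with each report).

```python
"""Added example: tamper-evident, hash-chained audit records."""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

class AuditChain:
    def __init__(self, key: bytes) -> None:
        self._key = key                     # assumption: supplied from outside the store
        self.records: List[dict] = []

    def _tag(self, record: dict, prev_tag: str) -> str:
        """HMAC over the canonical record plus the previous tag."""
        body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_tag.encode() + body, hashlib.sha256).hexdigest()

    def append(self, date: str, time_: str, initiator: str, event_type: str,
               description: str, result: str) -> dict:
        """Append one record with the fields of 7.3.3 c); records are never edited."""
        record = {"seq": len(self.records), "date": date, "time": time_,
                  "initiator": initiator, "type": event_type,
                  "description": description, "result": result}
        prev = self.records[-1]["tag"] if self.records else "genesis"
        record["tag"] = self._tag(record, prev)
        self.records.append(record)
        return record

    def head(self) -> Tuple[int, str]:
        """(count, last tag): anchor this outside the store to detect tail truncation."""
        return len(self.records), (self.records[-1]["tag"] if self.records else "genesis")

    def verify(self, records: Optional[List[dict]] = None,
               head: Optional[Tuple[int, str]] = None) -> Optional[int]:
        """None if intact; otherwise the index of the first record that fails.
        A modified record fails its own tag; a deleted record shifts the seq numbers
        and breaks the chain at the gap; a truncated tail fails the head check."""
        recs = self.records if records is None else records
        prev = "genesis"
        for expected_seq, rec in enumerate(recs):
            body = {k: v for k, v in rec.items() if k != "tag"}
            if rec.get("seq") != expected_seq or not hmac.compare_digest(
                    self._tag(body, prev), str(rec.get("tag"))):
                return expected_seq
            prev = rec["tag"]
        if head is not None and (len(recs), prev) != head:
            return len(recs)
        return None

def build_sample_chain() -> AuditChain:
    """Constructed sample: three console operations by two administrators."""
    chain = AuditChain(b"constructed-demo-key")
    chain.append("2024-03-03", "10:00:00", "alice", "policy.configure",
                 "changed audit policy of host group A", "success")
    chain.append("2024-03-03", "10:05:00", "bob", "audit.query",
                 "queried records of the last 24 h", "success")
    chain.append("2024-03-03", "10:07:00", "alice", "user.manage",
                 "attempted to create account carol", "denied")
    return chain

if __name__ == "__main__":
    c = build_sample_chain()
    print("intact:", c.verify() is None, "head:", c.head())
```

Verification reports the first bad index rather than just a boolean, which is what a recovery step needs: everything before that index can be trusted and the rest must be restored from the off-host copy. Note that the chain detects tampering; preventing it additionally needs write-once storage or an off-host copy, which the chain does not provide by itself.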
8 Technical requirements for the fourth-level security management center

8.1 Functional requirements

8.1.1 System management requirements

8.1.1.1 User identity management

User identity management shall meet the following requirements:
a) Be able to identify the subject in the environment of the managed object;
b) Be able to use a combination of two or more authentication technologies to authenticate the user; at least one of the identity authentication information shall be unforgeable and implemented using cryptographic technology;
c) Be able to authenticate the system administrator of the managed object; check the complexity of the identity and authentication information;
d) In the Internet of Things system, the system administrator of the managed object shall conduct unified identity management on the perception equipment, perception layer gateway, etc.

8.1.1.2 Data protection

8.1.1.2.1 Data confidentiality

Data confidentiality shall meet the following requirements:
a) Before establishing a connection between the security management center and the managed object, it shall use cryptographic technology for session initialization verification;
......
c) Provide a remote real-time backup function; use the communication network to back up data to the disaster backup center in real time;
d) In the cloud computing platform, it shall provide a way to query cloud service customer data and backup storage locations. The operation and maintenance of the cloud computing platform shall be within the territory of the People's Republic of China; operation and maintenance of a domestic cloud computing platform from abroad is prohibited.

8.1.1.2.4 Trusted path

The trusted path shall meet the following requirements:
a) When the subject is authenticated, it shall be able to establish a secure information transmission path;
b) When the subject accesses the object, it shall ensure that a secure information transmission path can be established between the accessed object and the subject.
8.1.1.2.5 Remaining information protection

The remaining information protection shall ensure that the storage space where the identification information of the subject and object is located is completely cleared before being released or redistributed to other subjects, regardless of whether the information is stored on the hard disk or in memory.

8.1.1.3 Security event management

8.1.1.3.1 Security event collection

Security event collection shall meet the following requirements:
a) Support security event monitoring and collection functions; timely discover and collect security events that occur;
b) Be able to provide a data collection interface with third-party systems to send or receive security events;
c) Be able to normalize security events; convert original events of different sources, different formats and different contents into a standard event format;
d) The content of the security event shall include date, time, subject identification, object identification, type, result, IP address, port and other information;
e) The scope of security event collection shall cover host equipment, network
......
b) Provide corresponding correlation analysis rules for common attack behaviors and illegal access, such as correlation analysis rules for host scanning, port scanning, DDoS attacks, worms, password guessing and springboard attacks;
c) Provide multi-event-source event correlation, timing correlation, statistical correlation and correlation analysis functions for long-term windows; provide alarms;
d) Provide a custom association rule editing function.

8.1.1.3.5 Statistical analysis report

The statistical analysis report shall meet the following requirements:
a) Be able to query security events according to conditions such as time and event type;
b) Be able to provide statistical analysis and report generation functions.
8.1.1.4 Risk management

8.1.1.4.1 Asset management

Asset management shall meet the following requirements:
a) Realize the management of the assets of the managed object; organize the assets by security domain, etc.; provide the addition, modification, deletion, query and statistics functions for assets;
b) Asset management information shall include asset attributes such as asset name, asset IP address, asset type, asset owner, asset business value, and asset confidentiality, integrity and availability assignment;
c) Support the customization of asset attributes;
d) Support manual entry of asset records or batch asset import based on specified templates;
e) Support automatic discovery of assets and automatically adding them to the asset library.

8.1.1.4.2 Asset business value evaluation

Asset business value evaluation shall support a custom asset business value evaluation model, which can form asset business value levels based on parameters such as asset type, asset importance, impact after damage and scope involved.
......
b) Support setting thresholds for key indicators (such as: CPU usage, memory usage, disk usage, process resource occupancy, swap partitions, network traffic, etc.); generate alarms when thresholds are triggered; perform predefined response actions;
c) On the IoT system platform, the system administrator shall monitor and process the status of the perception equipment (power supply status, online status, location, etc.);
d) In the industri...... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.