GB/T 36958-2018 (GBT 36958-2018): PDF in English
Information security technology -- Technical requirements of security management center for classified protection of cybersecurity
Status: Valid. Excerpt from the PDF preview.
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Technical
requirements of security management center for
classified protection of cybersecurity
ISSUED ON: DECEMBER 28, 2018
IMPLEMENTED ON: JULY 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview of security management center
5.1 General description
5.2 Function description
6 Technical requirements for the second-level security management center
6.1 Functional requirements
6.2 Interface requirements
6.3 Self-security requirements
7 Technical requirements for the third-level security management center
7.1 Functional requirements
7.2 Interface requirements
7.3 Self-security requirements
8 Technical requirements for the fourth-level security management center
8.1 Functional requirements
8.2 Interface requirements
8.3 Self-security requirements
9 Technical requirements for the fifth-level security management center
10 Technical requirements for the security management center of a cross-grading system
Appendix A (Normative) Correspondence between security management center and cybersecurity classified protection object's level
Appendix B (Normative) Classification of technical requirements of security management center
Appendix C (Informative) Normalized security event attributes
Information security technology - Technical
requirements of security management center for
classified protection of cybersecurity
1 Scope
This standard specifies the technical requirements for a security management
center under the classified protection of cybersecurity.
This standard applies to the design, construction and operation of security
management centers by security product manufacturers and by operating and
using organizations.
2 Normative references
The following documents are indispensable for the application of this document.
For dated references, only the edition cited applies; for undated references,
the latest edition (including all amendments) applies.
GB/T 5271.8 Information technology - Vocabulary - Part 8: Security
GB 17859-1999 Computer information system -- Criteria for classifying
security protection level
GB/T 25069 Information security technology - Glossary
GB/T 25070 Information security technology - Technical requirements of
security design for information system classified protection
3 Terms and definitions
The terms and definitions as defined in GB 17859-1999, GB/T 5271.8, GB/T
25069, GB/T 25070 as well as the following terms and definitions apply to this
document.
3.1
Data acquisition interface
corresponding types of security audit mechanisms to be turned on and off
according to time periods; performing storage, management, inquiry, etc. of
various types of audit records. The security auditor analyzes the audit records
and processes them in a timely manner based on the analysis results.
6 Technical requirements for the second-level security
management center
6.1 Functional requirements
6.1.1 System management requirements
6.1.1.1 User identity management
User identity management shall meet the following requirements:
a) Be able to authenticate the system administrator of the managed object;
check the complexity of the identity and authentication information;
b) In the Internet of Things system, the system administrator of the managed
object shall conduct unified identity management on the perception
equipment, perception layer gateway, etc.
6.1.1.2 Data protection
6.1.1.2.1 Data confidentiality
Data confidentiality shall meet the following requirements:
a) Before a connection is established between the security management
center and the managed object, cryptographic technology may be used to
verify session initialization;
b) Cryptographic technology may be used to protect the confidentiality of the
whole message or session in communication between the security
management center and the managed object;
c) Encryption or other protection measures may be used to keep the
authentication information and configuration management data of the
managed object confidential in storage.
6.1.1.2.2 Data integrity
Data integrity shall meet the following requirements:
Security event alarms shall have an alarm function, which can generate alarms
based on preset thresholds when abnormalities are found.
6.1.1.3.3 Security incident response
Security incident response shall meet the following requirements:
a) Work order management may be provided, with a workflow that creates
work orders from alarm response actions;
b) A security notification function shall be provided that can create or
import security risk notifications, including the notification content,
description, CVE number, affected operating systems, etc.;
c) A list of the protected assets affected by a notification shall be produced
from the affected operating systems the notification names.
6.1.1.3.4 Statistical analysis report
The statistical analysis report shall meet the following requirements:
a) Be able to query security events according to conditions such as time and
event type;
b) Can provide statistical analysis and report generation functions.
6.1.1.4 Risk management
6.1.1.4.1 Asset management
Asset management shall meet the following requirements:
a) Realize the management of the assets of the managed objects; provide
asset addition, modification, deletion, query and statistics functions;
b) Asset management information shall include asset attributes such as
asset name, asset IP address, asset type, asset owner, asset business
value, asset confidentiality, integrity, availability assignment;
c) Support the customization of asset attributes;
d) Support manual entry of asset records or batch asset import based on
specified templates.
6.1.1.4.2 Threat management
Threat management shall meet the following requirements:
b) It can show the operating status of key equipment (including network
equipment, security equipment, server host, etc.) and links in the current
network environment, such as network traffic, network protocol statistical
analysis and other indicators.
6.1.2 Audit management requirements
6.1.2.1 Centralized management of audit policy
Centralized management of audit policy shall be able to view the audit policy
configuration of host operating systems, database systems, network equipment
and security equipment, including whether the policy is enabled and whether
its parameter settings comply with the security policy.
6.1.2.2 Centralized management of audit data
6.1.2.2.1 Audit data collection
Audit data collection shall meet the following requirements:
a) It can realize the normalization of audit data; the content shall cover date,
time, subject identification, object identification, type, result, IP address,
port and other information;
b) Support setting query conditions for audit data query;
c) Support filtering and processing various audit data according to rules;
d) Support the consolidation of data collection information according to
specific rules.
6.1.2.2.2 Audit data collection objects
Audit data collection objects shall meet the following requirements:
a) Support audit data collection from network equipment (such as switches,
routers, traffic management, load balancing and other network
infrastructure equipment);
b) Support audit data collection from host devices (such as server
operating systems and other application support platforms, and the desktop
computers, laptops, handheld terminals and other terminals that users
employ to access information systems);
c) Support audit data collection from databases;
d) Support audit data collection from security equipment (such as
firewalls, intrusion detection systems, anti-denial-of-service
equipment, anti-virus systems, application security audit systems, access
6.3 Self-security requirements
6.3.1 Identity authentication
The administrator identity authentication of the security management center
console shall meet the following requirements:
a) Provide a dedicated login control module that identifies and
authenticates administrators;
b) Check that administrator identities are unique and that authentication
information meets complexity rules, so that no two administrators share
an identity and authentication information cannot easily be forged or
misused;
c) Provide login failure handling that can end the session, limit the
number of illegal login attempts and log the administrator out
automatically.
6.3.2 Access control
The access control of the security management center console shall meet the
following requirements:
a) Provide discretionary access control that restricts each administrator's
access to functions according to the security policy;
b) The discretionary access control shall cover all administrators, all
functions and all operations between them;
c) Authorized administrators configure the access control policy; access by
default accounts is prohibited.
6.3.3 Security audit
The security audit of the security management center console shall meet the
following requirements:
a) Provide a security audit function covering every administrator; record
the important operations and security events of all administrators;
b) Ensure that the audit process cannot be interrupted alone; that audit
records cannot be deleted, modified or overwritten;
c) The content of the audit record shall at least include the date, time, initiator
information, type, description and results of the event;
a) Be able to detect damage to the integrity of management data and
authentication information in transmission and storage;
b) Use cryptographic technology or other protection measures to keep
management data and authentication information confidential in
transmission and storage.
7 Technical requirements for the third-level security
management center
7.1 Functional requirements
7.1.1 System management requirements
7.1.1.1 User identity management
User identity management shall meet the following requirements:
a) Be able to identify the subject in the environment of the managed
object;
b) Able to use two or more combinations of authentication technologies
to authenticate users;
c) Be able to authenticate the system administrator of the managed object;
check the complexity of the identity and authentication information;
d) In the Internet of Things system, the system administrator of the managed
object shall manage the unified identity identification of the sensing device
and the sensing layer gateway.
7.1.1.2 Data protection
7.1.1.2.1 Data confidentiality
Data confidentiality shall meet the following requirements:
a) Before establishing a connection between the security management
center and the managed object, it shall use the cryptographic technology
for verification of session initialization;
b) It shall use the cryptographic technology to protect the confidentiality of
the entire message or session in the communication process between the
security management center and the managed object;
Security event collection shall meet the following requirements:
a) Support security event monitoring and collection functions; timely discover
and collect security events that occur;
b) Able to normalize security events; convert original events composed of
different sources, different formats, different contents into a standard
event format;
c) The content of the security event shall include date, time, subject
identification, object identification, type, result, IP address, port and other
information;
d) The scope of security event collection shall cover host equipment, network
equipment, databases, security equipment, various middleware, computer
room environmental control systems, etc.;
e) Able to centrally store the collected raw data of security events.
Note: Refer to Appendix C for the attributes of security events.
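The normalization required by 6.1.2.2.1 and 7.1.1.3.1 (and the syslog collection of 7.1.3.2.3) is easiest to see with records from several collection objects being mapped onto one schema. The following is an added example, not code from the standard or from any vendor's security management center. The three record formats (a constructed firewall line, a Linux sshd syslog line, a constructed database audit CSV), the sample lines and the field names are assumptions made for the demonstration; the target fields are the ones the clause lists, since Appendix C is not reproduced on this page.

```python
"""Normalising raw audit records from different collection objects into one
event schema (added example for GB/T 36958-2018 clauses 6.1.2.2.1 / 7.1.1.3.1;
formats and sample lines below are constructed)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Optional, Tuple


@dataclass
class NormalizedEvent:
    date: str         # YYYY-MM-DD
    time: str         # HH:MM:SS
    subject: str      # who acted: user name, or source address when no user is known
    object: str       # what was acted on: host, device:address, database name
    event_type: str   # normalised category, e.g. auth.login, net.tcp.connection
    result: str       # success / failure / allow / deny
    ip: str           # IP address of the subject
    port: int         # service port on the object, 0 if not applicable
    source: str       # collector that produced the record
    raw: str          # original line, kept so raw data can be stored centrally


# Constructed firewall format:
#   2019-07-01 08:15:02 FW1 DENY tcp 10.0.0.5:51234 -> 10.0.1.7:22
_FW = re.compile(r"^(\S+) (\S+) (\S+) (ALLOW|DENY) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
# Linux sshd syslog line (the timestamp carries no year, so the collector supplies one):
#   Jul  1 08:15:03 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 51235 ssh2
_SSHD = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                   r"(Failed|Accepted) password for (\S+) from ([\d.]+) port (\d+)")
# Constructed database audit CSV:
#   2019-07-01T08:16:10,db01,alice,10.0.0.9,LOGIN,OK
_DB = re.compile(r"^([^T,]+)T([^,]+),([^,]+),([^,]+),([\d.]+),(\w+),(\w+)$")


def parse_firewall(line: str) -> Optional[NormalizedEvent]:
    m = _FW.match(line)
    if not m:
        return None
    date, time, dev, action, proto, sip, _sport, dip, dport = m.groups()
    return NormalizedEvent(date, time, sip, f"{dev}:{dip}", f"net.{proto}.connection",
                           "allow" if action == "ALLOW" else "deny", sip, int(dport), "firewall", line)


def parse_sshd(line: str, year: int = 2019) -> Optional[NormalizedEvent]:
    m = _SSHD.match(line)
    if not m:
        return None
    mon, day, time, host, outcome, user, ip, _client_port = m.groups()
    date = datetime.strptime(f"{year} {mon} {int(day)}", "%Y %b %d").strftime("%Y-%m-%d")
    # Assumption: sshd serves on port 22; the line only names the client's source port.
    return NormalizedEvent(date, time, user, host, "auth.login",
                           "failure" if outcome == "Failed" else "success", ip, 22, "sshd", line)


def parse_db(line: str) -> Optional[NormalizedEvent]:
    m = _DB.match(line)
    if not m:
        return None
    date, time, db, user, ip, action, result = m.groups()
    return NormalizedEvent(date, time, user, db, f"db.{action.lower()}",
                           "success" if result == "OK" else "failure", ip, 0, "database", line)


PARSERS: List[Callable[[str], Optional[NormalizedEvent]]] = [parse_firewall, parse_sshd, parse_db]


def normalize(line: str) -> Optional[NormalizedEvent]:
    """Try each source parser in turn; None means no parser knows the format."""
    for parser in PARSERS:
        event = parser(line)
        if event is not None:
            return event
    return None


def normalize_all(lines: List[str]) -> Tuple[List[NormalizedEvent], List[str]]:
    """Split a batch into normalised events and the lines nobody recognised; the
    latter are returned, not dropped, so they can still be stored raw and reviewed."""
    events, unparsed = [], []
    for line in lines:
        event = normalize(line)
        if event is None:
            unparsed.append(line)
        else:
            events.append(event)
    return events, unparsed


# Constructed sample batch: one record per collection object plus one unknown format.
SAMPLE_LINES = [
    "2019-07-01 08:15:02 FW1 DENY tcp 10.0.0.5:51234 -> 10.0.1.7:22",
    "Jul  1 08:15:03 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 51235 ssh2",
    "2019-07-01T08:16:10,db01,alice,10.0.0.9,LOGIN,OK",
    "<unknown appliance> status=0xdead",
]

if __name__ == "__main__":
    evs, rest = normalize_all(SAMPLE_LINES)
    for e in evs:
        print(e.date, e.time, e.source, e.event_type, e.subject, "->", e.object, e.result, e.port)
    print("unparsed:", rest)
```

Each parser is responsible for one collection object and emits the same dataclass, so downstream alarm and correlation logic never sees vendor-specific formats. Lines no parser recognises are returned separately rather than discarded: clause e) of 7.1.1.3.1 wants the raw data kept, and an unparsed line is exactly the kind of record an analyst should look at.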
7.1.1.3.2 Security event alarm
Security event alarms shall meet the following requirements:
a) It has an alarm function, which can generate an alarm according to a
preset threshold when an abnormality is found;
b) When an alarm is generated, it shall be able to trigger the pre-set
event analysis rules and execute the predefined alarm response
actions, such as: console dialog box alarm, console alarm sound,
email alarm, mobile phone SMS alarm, creating work order, publish
alarm events through Syslog or SNMP Trap, etc.;
c) It shall be able to merge repeated alarms for the same security event so
as to avoid alarm storms.
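Threshold-based alarming (7.1.1.3.2 a, and the indicator thresholds of 7.1.1.5.1) and the merging of repeated alarms (7.1.1.3.2 c) interact: the response actions must fire once per incident, not once per sample. The block below is an added example, not code from the standard or from any product. Indicator names, thresholds, the merge window, the timestamps and the two response actions are assumptions constructed for the demonstration.

```python
"""Threshold alarms with merging of repeats (alarm-storm suppression); added
example for GB/T 36958-2018 clauses 7.1.1.3.2 / 7.1.1.5.1, all values constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

AlarmKey = Tuple[str, str]   # (source, indicator or event type)


@dataclass
class Alarm:
    key: AlarmKey
    message: str
    first_seen: float        # epoch seconds
    last_seen: float
    count: int = 1           # raw occurrences folded into this alarm
    actions_fired: List[str] = field(default_factory=list)


class AlarmManager:
    """Keeps one open alarm per key; repeats inside merge_window are folded into it."""

    def __init__(self, thresholds: Dict[str, float], merge_window: float,
                 actions: Dict[str, Callable[[Alarm], None]]):
        self.thresholds = thresholds        # indicator -> alarm when value >= threshold
        self.merge_window = merge_window    # seconds within which repeats are merged
        self.actions = actions              # name -> response action (console, email, syslog ...)
        self.open: Dict[AlarmKey, Alarm] = {}
        self.history: List[Alarm] = []

    def observe_metric(self, ts: float, source: str, indicator: str, value: float) -> Optional[Alarm]:
        """Availability monitoring: compare a sampled indicator against its threshold."""
        limit = self.thresholds.get(indicator)
        if limit is None or value < limit:
            return None
        return self.raise_alarm(ts, (source, indicator), f"{indicator}={value} >= {limit} on {source}")

    def raise_alarm(self, ts: float, key: AlarmKey, message: str) -> Alarm:
        """A new alarm fires every response action; a repeat of the same key within
        merge_window only increments the open alarm's count and fires nothing."""
        current = self.open.get(key)
        if current is not None and ts - current.last_seen <= self.merge_window:
            current.count += 1
            current.last_seen = ts
            return current
        alarm = Alarm(key, message, ts, ts)
        for name, action in self.actions.items():
            action(alarm)
            alarm.actions_fired.append(name)
        self.open[key] = alarm
        self.history.append(alarm)
        return alarm


def make_manager(log: List[str]) -> AlarmManager:
    """Manager with constructed thresholds; the actions only record what would be sent."""
    return AlarmManager(
        thresholds={"cpu_pct": 90.0, "disk_pct": 95.0},
        merge_window=300.0,
        actions={
            "console": lambda a: log.append(f"[console] {a.message}"),
            "syslog": lambda a: log.append(f"[syslog] {a.key[0]} {a.key[1]} {a.message}"),
        },
    )


def run_sample(log: List[str]) -> AlarmManager:
    """Constructed sample: a CPU spike reported by three consecutive samples, one
    sample below threshold, the spike again after the window expired, and one
    security event alarm raised directly."""
    mgr = make_manager(log)
    base = 1_561_939_200.0  # constructed epoch timestamp
    mgr.observe_metric(base + 0, "host1", "cpu_pct", 97.0)
    mgr.observe_metric(base + 30, "host1", "cpu_pct", 95.0)
    mgr.observe_metric(base + 60, "host1", "cpu_pct", 98.0)
    mgr.observe_metric(base + 90, "host1", "cpu_pct", 40.0)     # under threshold: nothing
    mgr.observe_metric(base + 900, "host1", "cpu_pct", 96.0)    # > 300 s later: new alarm
    mgr.raise_alarm(base + 901, ("host1", "brute_force"), "5 failed logins from 10.0.0.5")
    return mgr


if __name__ == "__main__":
    sent: List[str] = []
    m = run_sample(sent)
    for a in m.history:
        print(a.key, "count", a.count, "actions", a.actions_fired)
    print(len(sent), "notifications sent")
```

The merge key is (source, indicator), so the three consecutive CPU samples become one alarm with count 3 and a single pair of notifications; the same condition seen again after the window produces a fresh alarm, which is what an operator wants to see in the history.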
7.1.1.3.3 Security event response
Security event response shall meet the following requirements:
a) It can provide the function of work order management; support the
circulation process of creating work orders based on alarm response
actions;
b) It can provide the security notification function; create or import a security
risk notification. The notification shall include the content of the notification,
description information, CVE number, affected operating system, etc.;
damage, scope involved.
7.1.1.4.3 Threat management
Threat management shall meet the following requirements:
a) Have pre-defined security threat classification;
b) Support customized security threat classification, such as setting the
threat corresponding to the security incident that has occurred as the
threat to the asset.
7.1.1.4.4 Vulnerability management
Vulnerability management shall allow the creation and maintenance of asset
vulnerability lists; support the merging and updating of vulnerability lists.
7.1.1.4.5 Risk analysis
Risk analysis shall meet the following requirements:
a) Able to calculate the security risk of the target asset based on the business
value of the asset, the current vulnerability of the asset, the security
threats the asset faces;
b) The calculation cycle and calculation formula of security risks can be
adjusted accordingly by modifying the configuration according to the
actual needs of the deployment environment;
c) The security management system can graphically display the current
asset risk level, current risk ranking statistics, etc.
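Clause 7.1.1.4.5 leaves the risk formula and calculation cycle to the deploying organization but requires that the calculation combine business value, current vulnerabilities and current threats and that its result be rankable. The following is an added example of such a calculation, not code from the standard or any product; it also uses the asset attributes of 6.1.1.4.1 and the business value model of 8.1.1.4.2. The assets, vulnerability identifiers (constructed, not CVE numbers), threats, weights, the two formulas and the level bands are all assumptions constructed for the demonstration.

```python
"""Configurable asset-risk calculation and ranking; added example for
GB/T 36958-2018 clause 7.1.1.4.5, inventory and parameters constructed."""
from dataclasses import dataclass, field
from functools import reduce
from typing import Callable, Dict, List, Tuple


@dataclass
class Asset:
    name: str
    ip: str
    asset_type: str
    owner: str
    confidentiality: int   # C/I/A assignments on a 1..5 scale (assumption)
    integrity: int
    availability: int


@dataclass
class Vulnerability:
    asset: str
    ident: str        # constructed identifiers, not real CVE numbers
    severity: float   # 0..10, CVSS-like scale (assumption)


@dataclass
class Threat:
    asset: str
    name: str
    likelihood: float  # 0..1 chance of occurring within one calculation cycle


@dataclass
class RiskConfig:
    """What an operator tunes per deployment: weights, formula, level bands, cycle."""
    weights: Dict[str, float] = field(default_factory=lambda: {"c": 1 / 3, "i": 1 / 3, "a": 1 / 3})
    combine: Callable[[float, float, float], float] = lambda value, vuln, threat: value * vuln * threat
    levels: List[Tuple[float, str]] = field(
        default_factory=lambda: [(60.0, "high"), (30.0, "medium"), (0.0, "low")])
    cycle_seconds: int = 3600


def business_value(a: Asset, cfg: RiskConfig) -> float:
    """Weighted C/I/A assignment normalised to 0..1."""
    w = cfg.weights
    return (w["c"] * a.confidentiality + w["i"] * a.integrity + w["a"] * a.availability) / 5.0


def exposure(factors: List[float]) -> float:
    """Combine independent 0..1 factors as 1 - prod(1 - f). No factors -> 0."""
    return 1.0 - reduce(lambda acc, f: acc * (1.0 - f), factors, 1.0)


def risk_score(a: Asset, vulns: List[Vulnerability], threats: List[Threat], cfg: RiskConfig) -> float:
    """0..100 score = combine(business value, vulnerability exposure, threat exposure)."""
    vuln = exposure([v.severity / 10.0 for v in vulns if v.asset == a.name])
    threat = exposure([t.likelihood for t in threats if t.asset == a.name])
    return round(100.0 * cfg.combine(business_value(a, cfg), vuln, threat), 2)


def risk_level(score: float, cfg: RiskConfig) -> str:
    for floor, label in cfg.levels:      # bands listed from the highest floor down
        if score >= floor:
            return label
    return cfg.levels[-1][1]


def rank_assets(assets: List[Asset], vulns: List[Vulnerability], threats: List[Threat],
                cfg: RiskConfig) -> List[Tuple[str, float, str]]:
    """Current risk ranking: (asset, score, level), highest risk first."""
    rows = []
    for a in assets:
        score = risk_score(a, vulns, threats, cfg)
        rows.append((a.name, score, risk_level(score, cfg)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed inventory.
ASSETS = [Asset("web01", "10.0.1.7", "server", "ops", 5, 4, 3),
          Asset("kiosk", "10.0.9.2", "terminal", "facilities", 1, 1, 2)]
VULNS = [Vulnerability("web01", "VULN-0001", 9.8), Vulnerability("web01", "VULN-0002", 5.0)]
THREATS = [Threat("web01", "internet exposure", 0.5), Threat("web01", "insider misuse", 0.2),
           Threat("kiosk", "physical tampering", 0.3)]

if __name__ == "__main__":
    for row in rank_assets(ASSETS, VULNS, THREATS, RiskConfig()):
        print(row)
    additive = RiskConfig(combine=lambda v, u, t: (v + u + t) / 3)
    print("web01 under the additive formula:", risk_score(ASSETS[0], VULNS, THREATS, additive))
```

Keeping the formula, weights and bands in a config object rather than in code is what makes clause b) satisfiable by an operator: switching from the multiplicative default to the additive variant moves web01 from "medium" to "high" without touching the calculation code, and the 1 - prod(1 - f) combination means an asset with no known vulnerability scores zero regardless of its value, which is the behaviour reviewers usually expect.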
7.1.1.5 Resource monitoring
7.1.1.5.1 Availability monitoring
Availability monitoring shall meet the following requirements:
a) Monitor key performance indicators of network equipment, security
equipment, host operating systems, databases, middleware, application
systems, etc. so that their availability status is known in real time;
b) Support setting thresholds for key indicators (such as: CPU usage,
memory usage, disk usage, process occupancy resources, swap
partitions, network traffic, etc.); generate an alarm when the threshold is
triggered;
c) On the IoT system platform, the system administrator shall monitor
7.1.2.2 Authorization management
Authorization management shall meet the following requirements:
a) Achieve unified management of the access range of each security label;
b) Achieve unified management of subjects' access authority to objects,
including host access authority, network access authority and
application access authority;
c) Enforce access control policies that control a subject's access to an
object according to the security levels of the subject label and the
object label.
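Label (mark) based control as required by 7.1.2.2 is most clearly shown with a small lattice of labels and one registry that manages them for host, network and application objects. The following is an added example, not code from the standard or any product. It uses the classic rule that a subject may read an object only if the subject's label dominates the object's, and may write only if the object's label dominates the subject's; that read-down / write-up rule is an assumption, since the clause requires control by security level but does not fix the rule. The level names, categories, subjects and objects are constructed.

```python
"""Label-based mandatory access control with one registry for every domain;
added example for GB/T 36958-2018 clause 7.1.2.2, labels and objects constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}   # assumption
DOMAINS = ("host", "network", "application")                            # clause b)


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = frozenset()   # non-hierarchical compartments

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high, categories a superset."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories


class LabelRegistry:
    """Unified management of labels (clause a): one place to assign, revoke and query
    labels for subjects and for host, network and application objects."""

    def __init__(self) -> None:
        self.subjects: Dict[str, Label] = {}
        self.objects: Dict[Tuple[str, str], Label] = {}   # (domain, object id) -> label

    def assign_subject(self, subject: str, label: Label) -> None:
        self.subjects[subject] = label

    def assign_object(self, domain: str, obj: str, label: Label) -> None:
        if domain not in DOMAINS:
            raise ValueError(f"unknown domain {domain}")
        self.objects[(domain, obj)] = label

    def revoke_subject(self, subject: str) -> None:
        self.subjects.pop(subject, None)

    def access_range(self, subject: str) -> List[Tuple[str, str]]:
        """Everything the subject may read: objects whose label it dominates."""
        s = self.subjects.get(subject)
        if s is None:
            return []
        return sorted(key for key, lab in self.objects.items() if s.dominates(lab))

    def check(self, subject: str, domain: str, obj: str, op: str) -> bool:
        """Mandatory decision (clause c). Unknown subject, object or operation -> deny."""
        s = self.subjects.get(subject)
        o = self.objects.get((domain, obj))
        if s is None or o is None:
            return False
        if op == "read":
            return s.dominates(o)      # no read up
        if op == "write":
            return o.dominates(s)      # no write down
        return False


def build_sample_registry() -> LabelRegistry:
    """Constructed labels: two subjects, one object in each domain plus a second host."""
    reg = LabelRegistry()
    reg.assign_subject("alice", Label("confidential", frozenset({"finance"})))
    reg.assign_subject("bob", Label("internal"))
    reg.assign_object("host", "fin-db01", Label("confidential", frozenset({"finance"})))
    reg.assign_object("host", "hr-db01", Label("confidential", frozenset({"hr"})))
    reg.assign_object("network", "vlan-mgmt", Label("secret"))
    reg.assign_object("application", "wiki", Label("internal"))
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for subj in ("alice", "bob"):
        print(subj, "may read", reg.access_range(subj))
    print("alice write wiki:", reg.check("alice", "application", "wiki", "write"))
```

Note the category check: alice holds "confidential" but only the "finance" compartment, so hr-db01, which is at the same level but in "hr", stays out of her access range. Many deployments tighten the write rule to equal labels only; with the lattice rule as written, bob (internal) may write to the secret management VLAN but never read from it.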
7.1.2.3 Device policy management
7.1.2.3.1 Security configuration policy
Device policy management shall provide unified query of the security
configuration policies of host operating systems, database systems,
network equipment and security equipment.
7.1.2.3.2 Intrusion prevention
Intrusion prevention shall meet the following requirements:
a) Provide a unified interface to achieve event collection, receiving,
instructions issuing for network intrusion prevention and host
intrusion prevention;
b) Provide a unified operating system and service component patch
update service in the security domain;
c) In the cloud computing platform, cloud computing security
management shall have the ability to retrospectively analyze attack
behavior and predict and warn cybersecurity events; it shall have the
ability to perceive, predict and judge the cybersecurity situation.
7.1.2.3.3 Malicious code prevention
Malicious code prevention shall meet the following requirements:
a) Monitor and manage the unified upgrade of malicious code
prevention products;
b) Collect and report the data of malicious code prevention.
7.1.2.4 Cryptographic assurance
computers, laptops, handheld terminals and other terminals that users
employ to access information systems);
c) Support the collection of audit data from databases;
d) Support the collection of audit data from security equipment (such as
firewalls, intrusion detection systems, anti-denial-of-service
equipment, anti-virus systems, application security audit systems, access
control systems, and other systems and equipment related to information
system security protection);
e) Support the collection of audit data of various middleware;
f) Support the collection of audit data for the computer room environmental
control system (such as air conditioning, temperature, humidity control,
firefighting equipment, access control system, etc.);
g) Support audit data collection of other application systems or related
platforms;
h) In the cloud computing platform, it shall audit the creation and
deletion of cloud services such as cloud servers, cloud databases,
cloud storage; it shall use the operation and maintenance audit
system to conduct security audits on the operation and maintenance
behavior of the administrator; the tenant isolation mechanism shall
be used to ensure the effectiveness of audit data isolation;
i) In the industrial control system, it shall carry out centralized management
of cybersecurity monitoring and alarming and cybersecurity log
information of industrial control field control equipment, cybersecurity
equipment, network equipment, servers, operating stations and other
equipment.
7.1.3.2.3 Audit data collection method
The audit data collection method shall meet the following requirements:
a) Support the collection of audit data on various systems or devices through
protocols such as Syslog and SNMP;
b) Receive security audit data of managed objects through a unified interface.
7.1.3.2.4 Association analysis of audit data
Audit data association analysis shall support the analysis of audit data
from different collection objects in one analysis rule.
7.3.2 Access control
The access control of the security management center console shall meet the
following requirements:
a) Provide discretionary access control that restricts each administrator's
access to functions according to the security policy;
b) The discretionary access control shall cover all administrators, all
functions and all operations between them;
c) Authorized administrators configure the access control policy; access by
default accounts is prohibited;
d) To achieve the separation of authorities of privileged users, different
accounts shall be granted the minimum permissions required to
complete their respective tasks; a mutual restrictive relationship
shall be formed between them.
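The console's own login handling (6.3.1: unique identities, complexity checks, login failure handling), the ban on default accounts (6.3.2 c / 7.3.2 c) and the mutual restriction of privileged roles (7.3.2 d) are easiest to review together in one small model. The block below is an added example, not code from the standard or any product. The role names, permission strings, the conflicting-role pairs, the password rule (12 or more characters from at least three character classes), the lockout threshold and the "admin" default account are assumptions constructed for the demonstration.

```python
"""Console self-security: administrator login handling and separation of
privileged duties; added example for GB/T 36958-2018 clauses 6.3.1, 6.3.2
and 7.3.2, all roles, permissions and thresholds constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Set

# Least privilege: each role holds only what its task needs (assumed roles).
ROLE_PERMS: Dict[str, Set[str]] = {
    "system_admin":   {"asset.manage", "device.config"},
    "security_admin": {"policy.edit", "label.assign"},
    "audit_admin":    {"audit.read", "audit.export"},
}
# Mutual restriction: no single account may hold both roles of a pair.
CONFLICTS = {frozenset({"security_admin", "audit_admin"}),
             frozenset({"system_admin", "audit_admin"})}
MAX_FAILURES, LOCKOUT_SECONDS = 3, 900          # assumed lockout policy
PBKDF2_ROUNDS = 100_000


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    roles: Set[str] = field(default_factory=set)
    enabled: bool = True
    failures: int = 0
    locked_until: float = 0.0


def password_ok(pw: str) -> bool:
    """Complexity check: length >= 12 and at least three of four character classes."""
    classes = sum(any(f(c) for c in pw)
                  for f in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()))
    return len(pw) >= 12 and classes >= 3


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class Console:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # The default account exists but is disabled until an authorised
        # administrator explicitly enables it (clause c of 6.3.2 / 7.3.2).
        self.create("admin", "Change-Me-Now-2019!", enabled=False)

    def create(self, name: str, password: str, enabled: bool = True) -> Account:
        if name in self.accounts:
            raise ValueError("duplicate identity")                     # uniqueness check
        if not password_ok(password):
            raise ValueError("authentication information too weak")    # complexity check
        salt = os.urandom(16)
        acc = Account(name, salt, _hash(password, salt), enabled=enabled)
        self.accounts[name] = acc
        return acc

    def grant(self, name: str, role: str) -> None:
        """Separation of duties is enforced at grant time, not at use time."""
        acc = self.accounts[name]
        for held in acc.roles:
            if frozenset({held, role}) in CONFLICTS:
                raise PermissionError(f"{role} conflicts with {held} held by {name}")
        acc.roles.add(role)

    def login(self, name: str, password: str, now: float) -> str:
        """Returns 'ok', 'bad', 'locked' or 'disabled'; failures are counted per account."""
        acc = self.accounts.get(name)
        if acc is None:
            return "bad"               # same answer as a wrong password: no user enumeration
        if not acc.enabled:
            return "disabled"
        if now < acc.locked_until:
            return "locked"
        if hmac.compare_digest(_hash(password, acc.salt), acc.pw_hash):
            acc.failures = 0
            return "ok"
        acc.failures += 1
        if acc.failures >= MAX_FAILURES:
            acc.locked_until = now + LOCKOUT_SECONDS
            acc.failures = 0
            return "locked"
        return "bad"

    def authorize(self, name: str, perm: str) -> bool:
        acc = self.accounts.get(name)
        return bool(acc and acc.enabled and any(perm in ROLE_PERMS[r] for r in acc.roles))


if __name__ == "__main__":
    c = Console()
    c.create("sec1", "Corr3ct-Horse-Battery!")
    c.grant("sec1", "security_admin")
    print("sec1 may edit policy:", c.authorize("sec1", "policy.edit"))
    print("sec1 may read audit:", c.authorize("sec1", "audit.read"))
    print("default admin login:", c.login("admin", "Change-Me-Now-2019!", 0.0))
```

Two points a reviewer would check: the conflict test runs when a role is granted, so an account can never reach a state where it both configures policy and reviews the audit trail of that configuration; and an unknown account and a wrong password return the same result, so the login endpoint does not reveal which administrator identities exist.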
7.3.3 Security audit
The security audit of the security management center console shall meet the
following requirements:
a) Provide a security audit function covering every administrator; record
the important operations and security events of all administrators;
b) Ensure that the audit process cannot be interrupted alone; that audit
records cannot be deleted, modified or overwritten;
c) The content of the audit record shall at least include the date, time, initiator
information, type, description and results of the event;
d) Provide the functions of statistics, query, analysis and generation of
audit reports on audit record data;
e) Provide a centralized audit interface according to the unified security
policy.
7.3.4 Remaining information protection
The remaining information protection of the security management center
console shall ensure that the storage space where the administrator's
authentication information is located is completely cleared before being
released or redistributed to other administrator users, regardless of
whether the information is stored on the hard disk or in the memory.
7.3.5 Software fault tolerance
The data security of the security management center console shall meet the
following requirements:
a) Be able to detect damage to the integrity of management data and
authentication information in transmission and storage, and take the
necessary recovery measures when an integrity error is detected;
b) Use cryptographic technology or other protection measures to keep
management data and authentication information confidential in
transmission and storage.
8 Technical requirements for the fourth-level security
management center
8.1 Functional requirements
8.1.1 System management requirements
8.1.1.1 User identity management
User identity management shall meet the following requirements:
a) Be able to identify the subject in the environment of the managed object;
b) Be able to use two or more combined authentication technologies to
authenticate users, at least one of which is unforgeable and
implemented with cryptographic technology;
c) Be able to authenticate the system administrator of the managed object;
check the complexity of the identity and authentication information;
d) In the Internet of Things system, the system administrator of the managed
object shall conduct unified identity management on the perception
equipment, perception layer gateway, etc.
8.1.1.2 Data protection
8.1.1.2.1 Data confidentiality
Data confidentiality shall meet the following requirements:
a) Before establishing a connection between the security management
center and the managed object, it shall use the cryptographic technology
for session initialization verification;
c) Provide remote real-time backup function; use the communication
network to back up data to the disaster backup center in real time;
d) In the cloud computing platform, it shall provide a way to query cloud
service customer data and backup storage locations. The operation and
maintenance of the cloud computing platform shall be within the territory
of the People's Republic of China; the operation and maintenance of the
domestic cloud computing platform from abroad is prohibited.
8.1.1.2.4 Trusted path
The trusted path shall meet the following requirements:
a) When a subject is authenticated, a secure information transmission path
shall be established;
b) When a subject accesses an object, a secure information transmission
path shall be available between the subject and the accessed object.
8.1.1.2.5 Remaining information protection
The remaining information protection shall ensure that the storage space where
the identification information of the subject and object is located is completely
cleared before being released or redistributed to other subjects, regardless of
whether the information is stored on the hard disk or in the memory.
8.1.1.3 Security event management
8.1.1.3.1 Security event collection
Security event collection shall meet the following requirements:
a) Support security event monitoring and collection functions; timely discover
and collect security events that occur;
b) Be able to provide a data collection interface with third-party
systems to send or receive security events;
c) Able to normalize security events; convert original events composed of
different sources, different formats, different contents into standard event
formats;
d) The content of the security event shall include date, time, subject
identification, object identification, type, result, IP address, port and other
information;
e) The scope of security event collection shall cover host equipment, network
b) Provide correlation analysis rules for common attack behaviours and
illegal access, such as rules for host scanning, port scanning, DDoS
attacks, worms, password guessing and stepping-stone (springboard)
attacks;
c) Provide multi-event source event correlation, timing correlation,
statistical correlation and correlation analysis functions for long-
term windows; provide alarms;
d) Provide custom association rule editing function.
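The correlation functions listed in 8.1.1.3.4 (and, at level 3, the cross-source analysis of 7.1.3.2.4) come in three shapes: statistical correlation on one key, timing correlation of a sequence, and correlation across event sources. The block below is an added example, not code from the standard or any product, showing one rule of each shape over a constructed event stream: a port-scan rule (distinct destination ports per source address), a password-guessing rule (login failures per source address) and a rule that ties firewall-side failures to an sshd success. Events are plain dicts using the field names of the standard's own attribute list; thresholds, windows, addresses and timestamps are assumptions.

```python
"""Correlation rules over a stream of normalised events; added example for
GB/T 36958-2018 clause 8.1.1.3.4, stream and parameters constructed."""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional


class Rule:
    """A rule sees every event in time order and may return an alarm text."""
    def feed(self, ev: dict) -> Optional[str]:
        raise NotImplementedError


class WindowedCount(Rule):
    """Statistical correlation: for one `key_field` value, >= `threshold` matching events
    (or distinct `value_field` values, if given) inside `window` seconds. Counting distinct
    destination ports makes a sweep visible while one busy flow does not trip it."""

    def __init__(self, name: str, match: Callable[[dict], bool], key_field: str,
                 threshold: int, window: float, value_field: Optional[str] = None):
        self.name, self.match, self.key_field = name, match, key_field
        self.threshold, self.window, self.value_field = threshold, window, value_field
        self.seen: Dict[str, Deque[tuple]] = defaultdict(deque)   # key -> (ts, value)
        self.fired: Dict[str, float] = {}                          # key -> ts of last alarm

    def feed(self, ev: dict) -> Optional[str]:
        if not self.match(ev):
            return None
        key, ts = ev[self.key_field], ev["ts"]
        q = self.seen[key]
        q.append((ts, ev[self.value_field] if self.value_field else None))
        while q and ts - q[0][0] > self.window:      # slide the window
            q.popleft()
        n = len({v for _, v in q}) if self.value_field else len(q)
        if n >= self.threshold and self.fired.get(key, float("-inf")) < ts - self.window:
            self.fired[key] = ts                      # one alarm per key per window
            what = f"distinct {self.value_field}" if self.value_field else "events"
            return f"{self.name}: {key} ({n} {what} in {self.window}s)"
        return None


class FailThenSuccess(Rule):
    """Timing correlation across sources: >= `failures` login failures from one
    address followed by a successful login from it within `window` seconds."""

    def __init__(self, failures: int, window: float):
        self.failures, self.window = failures, window
        self.fails: Dict[str, Deque[float]] = defaultdict(deque)

    def feed(self, ev: dict) -> Optional[str]:
        if ev["type"] != "auth.login":
            return None
        q = self.fails[ev["src_ip"]]
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        if ev["result"] == "failure":
            q.append(ev["ts"])
            return None
        if len(q) >= self.failures:
            n = len(q)
            q.clear()
            return (f"password guessing succeeded: {ev['src_ip']} logged in as "
                    f"{ev['subject']} on {ev['object']} after {n} failures")
        return None


def default_rules() -> List[Rule]:
    """Rules are data: editing these parameters is the custom-rule function of clause d)."""
    return [
        WindowedCount("port scan", lambda e: e["type"] == "net.tcp.connection" and e["result"] == "deny",
                      key_field="src_ip", threshold=10, window=10.0, value_field="port"),
        WindowedCount("password guessing", lambda e: e["type"] == "auth.login" and e["result"] == "failure",
                      key_field="src_ip", threshold=5, window=60.0),
        FailThenSuccess(failures=5, window=120.0),
    ]


def correlate(events: List[dict], rules: List[Rule]) -> List[str]:
    """Run every rule over the stream in timestamp order; collect alarms."""
    alarms: List[str] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            alarm = rule.feed(ev)
            if alarm:
                alarms.append(alarm)
    return alarms


def sample_events() -> List[dict]:
    """Constructed stream: a 12-port sweep from 10.0.0.5 seen by the firewall, then six
    sshd failures and one success from the same address, plus an unrelated login."""
    def ev(ts, typ, result, src, obj, port, subj):
        return {"ts": ts, "type": typ, "result": result, "src_ip": src,
                "object": obj, "port": port, "subject": subj}
    stream = [ev(1000.0 + i, "net.tcp.connection", "deny", "10.0.0.5", "10.0.1.7", 20 + i, "10.0.0.5")
              for i in range(12)]
    stream += [ev(1020.0 + 5 * i, "auth.login", "failure", "10.0.0.5", "host1", 22, "root")
               for i in range(6)]
    stream.append(ev(1060.0, "auth.login", "success", "10.0.0.5", "host1", 22, "root"))
    stream.append(ev(1061.0, "auth.login", "success", "10.0.0.9", "host1", 22, "alice"))
    return stream


if __name__ == "__main__":
    for a in correlate(sample_events(), default_rules()):
        print(a)
```

The `fired` map gives each key at most one alarm per window, so the 11th and 12th probe packets extend the evidence without producing a second alarm; the sequence rule fires only on the success event and reports how many failures preceded it, which is the number an incident responder wants first. Because rules are parameter sets rather than code, the "custom association rule editing" of clause d) reduces to editing `default_rules()`.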
8.1.1.3.5 Statistical analysis report
The statistical analysis report shall meet the following requirements:
a) Be able to query security events according to conditions such as time and
event type;
b) Be able to provide statistical analysis and report generation functions.
8.1.1.4 Risk management
8.1.1.4.1 Asset management
Asset management shall meet the following requirements:
a) Realize the management of the assets of the managed object; organize
the assets in a security domain, etc.; provide the addition, modification,
deletion, query and statistics functions of the assets;
b) Asset management information shall include asset attributes such as
asset name, asset IP address, asset type, asset owner, asset business
value, asset confidentiality, integrity, availability assignment;
c) Support the customization of asset attributes;
d) Support manual entry of asset records or batch asset import based on
specified templates;
e) Support automatic discovery of assets and their automatic addition to
the asset library.
8.1.1.4.2 Asset business value evaluation
Asset business value evaluation shall support a custom asset business value
evaluation model, which can form asset business value levels based on
parameters such as asset type, asset importance, impact after damage, scope
involved.
b) Support setting thresholds for key indicators (such as: CPU usage,
memory usage, disk usage, process occupancy resources, swap
partitions, network traffic, etc.); generate alarms when thresholds are
triggered; perform predefined response actions;
c) On the IoT system platform, the system administrator shall monitor and
process the status of the perceived equipment (power supply status,
online status, location, etc.);
d) In the industri......
Source: the above contents are excerpted from the PDF, translated and reviewed by www.chinesestandard.net / Wayne Zheng et al.