www.ChineseStandard.net

GB/T 31168-2023 English PDF

US$1579.00 · In stock
Delivery: <= 9 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 31168-2023: Information security technology - Security capability requirements for cloud computing services
Status: Valid

GB/T 31168: Historical versions

Standard ID | USD | Buy PDF | Lead days | Standard title (description) | Status
GB/T 31168-2023 | 1579 | Add to Cart | 9 days | Information security technology - Security capability requirements for cloud computing services | Valid
GB/T 31168-2014 | 145 | Add to Cart | Auto, < 3 mins | Information security technology -- Security capability requirements of cloud computing services | Obsolete

Similar standards

GB/T 31505   GB/T 31509   GB/T 19713   GB/T 31167   

Basic data

Standard ID: GB/T 31168-2023 (GB/T31168-2023)
Description (Translated English): Information security technology - Security capability requirements for cloud computing services
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.030
Word Count Estimation: 78,771
Date of Issue: 2023-05-23
Date of Implementation: 2023-12-01
Older Standard (superseded by this standard): GB/T 31168-2014
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 31168-2023: Information security technology - Security capability requirements for cloud computing services


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replacing GB/T 31168-2014
Information Security Technology - Cloud Computing Service Security Capability Requirements
Released on 2023-05-23; implemented on 2023-12-01
Released by the State Administration for Market Regulation and the National Standardization Management Committee

Table of contents

Preface
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Expression and implementation of cloud computing security requirements
5.1 Responsibilities for implementing cloud computing security measures
5.2 Scope of cloud computing security measures
5.3 Classification of security requirements
5.4 Expression form of security requirements
5.5 Adjustment of security requirements
5.6 Security plan
6 System development and supply chain security
6.1 Resource allocation
6.2 System life cycle
6.3 Purchasing process
6.4 System documentation
6.5 Critical analysis
6.6 External services
6.7 Developer security architecture
6.8 Development process, standards and tools
6.9 Development process configuration management
6.10 Developer security testing and evaluation
6.11 Training provided by the developer
6.12 Component authenticity
6.13 Unsupported system components
6.14 Supply chain protection
7 System and communication protection
7.1 Boundary protection
7.2 Confidentiality and integrity protection of transmissions
7.3 Network interruption
7.4 Trusted path
7.5 Password usage and management
7.6 Device access protection
7.7 Mobile code
7.8 Session authentication
7.9 Malicious code protection
7.10 Memory guard
7.11 System virtualization security
7.12 Network virtualization security
7.13 Storage virtualization security
7.14 Communication protection for security management functions
8 Access control
8.1 User identification and authentication
8.2 Identifier management
8.3 Authentication credential management
8.4 Authentication credential feedback
8.5 Cryptographic module authentication
8.6 Account management
8.7 Implementation of access control
8.8 Information flow control
8.9 Least privilege
8.10 Unsuccessful login attempts
8.11 System usage notice
8.12 Notification of previous visits
8.13 Concurrent session control
8.14 Session locking
8.15 Actions to be taken in case of failure to identify and authenticate
8.16 Security properties
8.17 Remote access
8.18 Wireless access
8.19 Use of external information systems
8.20 Publicly accessible content
8.21 WEB access security
8.22 API access security
9 Data protection
9.1 General data security
9.2 Media access and use
9.3 Protection of residual information
9.4 Data usage protection
9.5 Data sharing protection
9.6 Data migration protection
10 Configuration management
10.1 Configuration management plan
10.2 Baseline configuration
10.3 Change control
10.4 Setting of configuration parameters
10.5 Principle of least functionality
10.6 List of information system components
11 Maintenance management
11.1 Controlled maintenance
11.2 Maintenance tools
11.3 Remote maintenance
11.4 Maintenance personnel
11.5 Timely maintenance
11.6 Bug fixes
11.7 Security function verification
11.8 Software and firmware integrity
12 Emergency response
12.1 Incident handling plan
12.2 Event handling
12.3 Incident reporting
12.4 Event handling support
12.5 Security alerts
12.6 Error handling
12.7 Emergency response plan
12.8 Emergency response training
12.9 Emergency drills
12.10 Information system backup
12.11 Supporting the customer's business continuity plan
12.12 Telecommunications services
13 Audit
13.1 Auditable events
13.2 Audit record content
13.3 Audit record storage capacity
13.4 Response when the audit process fails
13.5 Audit review, analysis and reporting
13.6 Audit processing and report generation
13.7 Timestamp
13.8 Audit information protection
13.9 Non-repudiation
13.10 Audit record retention
14 Risk assessment and ongoing monitoring
14.1 Risk assessment
14.2 Vulnerability scanning
14.3 Continuous monitoring
14.4 Information system monitoring
14.5 Spam monitoring
15 Security organization and personnel
15.1 Security policies and procedures
15.2 Security organization
15.3 Job risks and responsibilities
15.4 Personnel screening
15.5 Personnel turnover
15.6 Staff transfer
15.7 Security of third party personnel
15.8 Personnel punishment
15.9 Security training
16 Physical and environmental security
16.1 Physical facilities and equipment siting
16.2 Physical and environmental planning
16.3 Physical environment access authorization
16.4 Physical environment access control
16.5 Output device access control
16.6 Physical access monitoring
16.7 Visitor access records
16.8 Equipment delivery and removal
Appendix A (informative) Security capability requirements summary
Appendix B (informative) Description of the implementation of this document
References

Foreword

This document is drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for Standardization Work Part 1: Structure and Drafting Rules for Standardization Documents".

This document replaces GB/T 31168-2014 "Information Security Technology Cloud Computing Service Security Capability Requirements". Compared with GB/T 31168-2014, apart from structural adjustments and editorial changes, the main technical changes are as follows:

a) The scope of application of this document has been changed (see Chapter 1; Chapter 1 of the 2014 edition);
b) Added normative references to GB/T 32400-2015 and GB/T 35273-2020 (see Chapter 3, 9.1.1);
c) Changed some terms and definitions (see Chapter 3; Chapter 3 of the 2014 edition);
d) Added the chapter "Abbreviations" (see Chapter 4);
e) Changed "cloud service model" to "cloud capability type" (see 5.1);
f) Added advanced requirements, so that each type of security requirement corresponds to general requirements, enhanced requirements and advanced requirements (see 5.4);
g) Deleted "Structure of this document" (see 4.7 of the 2014 edition);
h) Deleted the policies and procedures that corresponded to each of the original requirement categories and integrated them into "Strategies and Procedures" in Chapter 14 (see 14.1; 5.1, 6.1, 7.1, 8.1, 9.1, 10.1, 11.1, 12.1, 13.1 and 14.1 of the 2014 edition);
i) Added "communication protection for security management functions" (see 7.14);
j) Added "WEB access security" and "API access security" (see 8.21, 8.22);
k) Added the chapter "Data Protection", which puts forward data security requirements to ensure business continuity and data integrity during customer data migration (see Chapter 9);
l) Changed the title of the chapter "Maintenance" to "Maintenance Management" (see Chapter 11; Chapter 9 of the 2014 edition);
m) Changed the content of "Engineering Room Design" (see Chapter 16; Chapter 14 of the 2014 edition).

Please note that some contents of this document may involve patents. The issuing agency of this document assumes no responsibility for identifying patents.

This document is proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC260).

This document was drafted by: China Electronics Data Service Co., Ltd., Sichuan University, Hangzhou Anheng Information Technology Co., Ltd., China Science and Technology University, China Institute of Electronic Technology Standardization, China Network Security Review Technology and Certification Center, National Information Technology Security Research Center, China Information Security Evaluation Center, China Academy of Information and Communications Technology, Beijing Information Security Evaluation Center, National Industrial Information Security Development Research Center, China Software Evaluation Center, China Mobile Communications Group Co., Ltd., China Power Great Wall Internet System Application Co., Ltd., Shenzhou Netcom Technology Co., Ltd., Shenzhen Sinfu Technology Co., Ltd., Ningxia Xiyun Data Technology Co., Ltd., 360 Digital Security Technology Group Co., Ltd., Ant Technology Group Co., Ltd., Hefei Gaowei Data Technology Co., Ltd., Shanghai Fangda (Beijing) Law Firm, Beijing Zhongce Anhua Technology Co., Ltd., China Power Herui Technology Co., Ltd., Alibaba Cloud Computing Co., Ltd., Wuhan University of Technology, Sichuan Development Big Data Industry Investment Co., Ltd., South Fang Grid Digital Media Technology Co., Ltd., Shanghai Guanan Information Technology Co., Ltd., Zhongke Ruiyan (Tianjin) Technology Co., Ltd.

The main drafters of this document: Zhou Yachao, Luo Yonggang, Zuo Xiaodong, Chen Xingshu, Li Shifeng, Zhang Jianjun, Min Jinghua, Yang Jianjun, Li Bin, Wu Yang, Wang Huili, Zhang Chi, Shan Boshen, Xu Wanxiu, Cui Zhanhua, Wang Qixu, Yang Miaomiao, Zhang Mingming, Liu Jialiang, Hu Huaming, Ding Xiao, Shi Dawei, Lu Xia, Li Yuan, He Yanzhe, Liu Junhe, Wang Qiang, Chen Xuehong, Yang Shuaifeng, Liu Caiyun, Hu Zhenquan, Geng Guining, Shao Jiangning, Wei Tao, Guo Liang, Jia Yizhen, Ye Runguo, Tian Hui, Yin Yunxia, Du Yuge, An Zhaobin, Wu Fuwei, Zhang Bin, Jiang Weiqiang, Liu Yuheng, Yang Ting, Li Anlun, Xiao Guangdi, Cheng Junjun, Wang Kun, Zhang Feng, Qiu Qin, Ai Qingsong, Long Yihong, Zhang Dajiang, Huang Shaoqing, Guo Jing, Zheng Kexue, Chen Qingming, Wang Yongji, Zheng Jiu, Yang Bo, Wang Chaodong, Zhang Zhaolong, Jiang Tao, Zhao Hongyu.

The release status of previous versions of this document and of the documents it replaces is as follows:
--- GB/T 31168-2014 was first released in 2014;
--- This is the first revision.

Introduction

This document and GB/T 31167-2023 "Information Security Technology Cloud Computing Service Security Guidelines" together constitute the basic documents for cloud computing service security management. GB/T 31167-2023 sets out the basic principles of security management for customers using cloud computing services and provides security management and technical measures for each stage of the life cycle of cloud computing services; this document is aimed at cloud service providers and describes the security technical capabilities they should possess. With reference to GB/T 31167-2023, this document divides its requirements into general requirements, enhanced requirements and advanced requirements. Depending on the sensitivity and business importance of the data on the cloud computing platform, cloud service providers are expected to have different security capabilities.

Information Security Technology Cloud Computing Service Security Capability Requirements

1 Scope

This document specifies the security capabilities that cloud service providers should possess when providing cloud computing services. This document is applicable to the construction, supervision, management and evaluation of cloud computing service security capabilities.

2 Normative references

The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.

GB/T 25069-2022 Information Security Technology Terminology
GB/T 31167-2023 Information Security Technology Cloud Computing Service Security Guidelines
GB/T 32400-2015 Information Technology Cloud Computing Overview and Vocabulary
GB/T 35273-2020 Information Security Technology Personal Information Security Specification
GB 50174 Data Center Design Code

3 Terms and Definitions

The terms and definitions defined in GB/T 25069-2022, GB/T 31167-2023 and GB/T 32400-2015, together with the following, apply to this document.

3.1 cloud computing
Access to a scalable and flexible pool of shared physical or virtual resources through the network, with self-service acquisition and management of resources on demand.
Note: Examples of resources include servers, operating systems, networks, software, applications and storage devices.

3.2 cloud computing service
Capability to provide one or more resources by means of cloud computing (3.1) using defined interfaces.

3.3 cloud service provider
Party providing cloud computing services (3.2).

3.4 cloud service customer
Party in a business relationship for the use of cloud computing services (3.2).
Note 1: A business relationship does not necessarily contain economic terms.
Note 2: Cloud service customers are referred to as customers in this document.
......

Tips & Frequently Asked Questions:

Question 1: How long will the true-PDF of GB/T 31168-2023_English be delivered?

Answer: Upon your order, we will start to translate GB/T 31168-2023_English as soon as possible, and keep you informed of the progress. The lead time is typically 6 ~ 9 working days. The lengthier the document the longer the lead time.

Question 2: Can I share the purchased PDF of GB/T 31168-2023_English with my colleagues?

Answer: Yes. The purchased PDF of GB/T 31168-2023_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.

Question 3: Does the price include tax/VAT?

Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countries

Question 4: Do you accept my currency other than USD?

Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.

Question 5: Should I purchase the latest version GB/T 31168-2023?

Answer: Yes. Except in special scenarios such as technical constraints or academic study, you should always give priority to purchasing the latest version, GB/T 31168-2023, even if its enforcement date is in the future. Complying with the latest version means that, by default, you also comply technically with all earlier versions.