GB/T 37952-2019: Information security technology - Technical requirements of mobile terminal security management platform
Status: Valid
Basic data
Standard ID: GB/T 37952-2019 (GB/T37952-2019)
Description (Translated English): Information security technology - Technical requirements of mobile terminal security management platform
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 22,284
Date of Issue: 2019-08-30
Date of Implementation: 2020-03-01
Issuing agency(ies): State Administration for Market Regulation, China National Standardization Administration

GB/T 37952-2019: Information security technology - Technical requirements of mobile terminal security management platform
This is a DRAFT version for illustration, not a final translation.

ICS 35.040
L80
National Standards of People's Republic of China
Information Security Technology
Technical requirements for mobile terminal security management platform
2019-08-30 released; 2020-03-01 implementation
Issued by State Administration for Market Regulation and China National Standardization Administration

Table of contents
Preface
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Product description
6 Safety technical requirements
6.1 Basic level safety technical requirements
6.2 Enhanced safety technical requirements
Appendix A (informative appendix) Classification requirements
Appendix B (informative appendix) Typical application scenarios

Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).

Drafting organizations of this standard: China Academy of Information Security Co., Ltd., the Third Research Institute of the Ministry of Public Security, China Electronics Standardization Institute, National Industrial Information Security Development Research Center, National Information Technology Security Research Center, China Information Security Evaluation Center, China Cyber Security Review Technology and Certification Center, National Information Center, National Computer Virus Emergency Response Center, Shanghai Ideal Information Industry (Group) Co., Ltd., Beijing Beixinyuan Software Co., Ltd., Shanghai Industrial Control Security Innovation Technology Co., Ltd., Beijing Zhongke Zhizi Data Technology Co., Ltd., East China Normal University, Beijing Times Xinwei Information Technology Co., Ltd., CLP Intelligent Information Technology (Shenzhen) Co., Ltd., Xi'an Electronics University of Technology, Beijing University of Aeronautics and Astronautics, Communication University of China, Chongqing University of Posts and Telecommunications, Anhui University of Science and Technology, Beijing Ming Dynasty Wanda Technology Co., Ltd., Beijing Yangpu Weiye Technology Development Co., Ltd.

The main drafters of this standard: Yang Chen, Zhang Yan, Zhang Chi, Wang Huilai, Zuo Xiaodong, Zhang Ge, Lu Zhen, Gu Jian, Ru Zongguang, Liu Xiangang, Fan Kefeng, Liang Lulu, Wei Fangfang, Wang Jiajie, Wang Shi, Wang Xinjie, Mao Jian, Ma Wenping, Xiao Rong, Zhong Li, Ding Fuqiang, Jia Xuefei, Du Zhenhua, Zhang Zheyu, Cui Zhanhua, Wang Linjia, Huang Yibin, Zhou Yachao, Hu Yalan, Huang Yonghong, Liu Hong, Wu Qianhong, Jiang Zhengtao, Chen Xiaofeng, Di Xingben, Cao Hao, He Daojing, Liu Yuheng, Lu Zuohua, Yu Bo, Cui Chunxia, Liu Mingjun, Bi Qiang.
Information Security Technology
Technical requirements for mobile terminal security management platform

1 Scope
This standard specifies the technical requirements for the mobile terminal security management platform, including security function requirements and security assurance requirements.
This standard applies to the design, development and testing of mobile terminal security management platform products. It provides a reference for the security protection of the mobile internet applications of an organization or institution (hereinafter referred to as the "organization").

2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 18336.3-2015 Information Technology Security Technology Information Technology Security Assessment Criteria Part 3: Security Assurance Components
GB/T 25069-2010 Information Security Technical Terms

3 Terms and definitions
The following terms and definitions, and those defined in GB/T 18336.3-2015 and GB/T 25069-2010, apply to this document.
3.1 Mobile terminal
A mobile communication terminal product that is connected to the public mobile communication network, has an operating system, and on which users can install and uninstall application software by themselves.
3.2 Mobile terminal security management platform
A product that, in order to enhance the security and controllability of mobile terminals, performs unified management and secure access control of mobile terminal equipment and applications through customized security policies.

4 Abbreviations
The following abbreviations apply to this document.

5 Product description
Following the principle of security assurance requirement level division in GB/T 18336.3-2015, and according to the strength of the safety function requirements and safety guarantee requirements of the mobile terminal security management platform, this standard divides the safety level into basic level and enhanced level. The basic level can support level protection requirements below level 3. The enhanced level supports level protection requirements of level 3 (inclusive) and above. Refer to Appendix A for classification. Requirements added in the enhanced level are marked in bold.
This standard regulates the security technical requirements of the mobile terminal security management platform from two aspects: security function requirements and security assurance requirements. Refer to Appendix B for typical application scenarios.
Security function requirements cover seven aspects: terminal management, application management, data security, terminal access control, security management, client protection, and security auditing. The security assurance requirements mainly include development, guidance documents, life cycle support, testing, and so on.

6 Safety technical requirements
6.1 Basic level safety technical requirements
6.1.1 Safety function requirements
6.1.1.1 Terminal management
6.1.1.1.1 Terminal registration
The registration function of the mobile terminal shall be provided. The registration information includes the registration date, hardware model, device serial number, system software version, department, etc.
6.1.1.1.2 Remote management
The following remote management functions shall be supported:
a) Remotely lock the mobile terminal;
b) Remotely erase sensitive business data stored in mobile terminals;
c) Remotely back up sensitive business data stored in mobile terminals;
d) Authorized personnel remotely set function restriction policies, which should at least include disabling the camera, prohibiting screenshots, disabling WiFi, and restricting SD card read/write permissions, etc.

6.1.1.1.3 Storage media management
It should support functions such as the management and monitoring of external storage media of mobile terminals, and alert on and block illegal use.

6.1.1.1.4 Safety monitoring
The following monitoring functions shall be supported:
a) Monitor the installation and operation of malicious program detection software in mobile terminals;
b) Monitor the location information of the mobile terminal, operating services, equipment performance, software version (including operating system, etc.) and other information.

6.1.1.1.5 Password or biometric authentication strategy
The following functions should be supported:
a) Remotely set the terminal power-on password strategy, block the access of terminals without a password, and support the biometric authentication function;
b) Monitor whether a user account password is set, and block access to terminals without a user password;
c) Remotely set the user password strategy, at least including password type, regular replacement strategy, limit on the number of failures, etc.

6.1.1.2 Application Management
Should support the function of authorized personnel setting application whitelists and blacklists, and be able to perform corresponding operations according to the whitelist and blacklist.

6.1.1.3 Data security
6.1.1.3.1 Data secure transmission
Security mechanisms such as encryption and data integrity protection should be adopted to ensure the safe and reliable transmission of terminal data.
6.1.1.3.2 Data security storage
The following secure storage functions shall be supported:
a) Encrypted storage and integrity protection of sensitive data in the server;
b) Authorization access control based on roles or attributes for sensitive data in the server;
c) Sensitive data stored in mobile terminals and external storage devices should be encrypted, and unencrypted sensitive data can be erased;
d) Integrity protection of sensitive data stored in mobile terminals and external storage devices.

6.1.1.3.3 Data leakage prevention
Should support sensitive data anti-leakage security policy configuration and real-time monitoring of business system data in the terminal, and support functions such as scanning data content and filtering and blocking sensitive data transmission.

6.1.1.3.4 Personal information protection
Necessary measures should be taken to ensure the safety of personal information stored in mobile terminals and servers, and to prevent information leakage, damage, loss, etc.

6.1.1.4 Terminal access control
6.1.1.4.1 Access authentication
Should support the function of allowing only mobile terminals registered on the server to access the organization's business system.
6.1.1.4.2 Access Control Strategy
The following access control policy configuration functions shall be supported:
a) Develop different application resource access control strategies for different terminals.
b) Provide the following access restriction capabilities:
---Only allow authorized terminals to access application resources;
---The content of application resources accessed by authorized terminals cannot exceed the predefined scope;
---The operations of authorized terminals on application resources (such as reading, writing, copying, and downloading files and folders) cannot exceed the predefined range (if applicable);
---The time at which authorized terminals access application resources cannot exceed the predefined range (if applicable);
---When an authorized terminal accesses application resources through the network, the serial number/address of the mobile terminal used cannot be outside the predefined range (if applicable);
---The number of authorized terminals accessing application resources cannot exceed the predefined range (if applicable).
c) The mobile terminal's access to application resources should be restricted by access control policies.

6.1.1.5 Security Management
6.1.1.5.1 Administrator attribute initialization
Should support the function of initializing attributes such as the account and password of the authorized administrator.
6.1.1.5.2 Administrator unique identification
Should support the unique identification function of authorized administrators, and associate the identification of authorized administrators with all auditable events.
6.1.1.5.3 Administrator attribute modification
Should support the function of modifying authorized administrator attributes (including at least the administrator password).
6.1.1.5.4 Administrator authentication
When logging in and performing important security functions, users who claim to perform the duties of an authorized administrator shall be authenticated, and an authentication failure handling function shall be supported: when the number of identity authentication failures reaches the specified threshold, it should be able to block the authentication request.
6.1.1.5.5 Configuration management capabilities
It should support authorized administrators in performing security configuration and management functions of the platform, including at least:
a) Add, delete and modify related policies such as access control;
b) View the current access control policy configuration;
c) View and manage audit records.

6.1.1.5.6 Management role
Mechanisms such as authorization management based on roles and attributes should be supported to realize the division of management roles such as system management, audit management, and security management.

6.1.1.5.7 Unified terminal management
Should support unified terminal management functions, including:
a) Unified installation of mobile terminal client software;
b) Unified distribution of the whitelist of mobile terminal applications;
c) Unified upgrade of mobile terminal operating system, application software, client software, etc.

6.1.1.6 Client protection
It should support the function of security protection for the client program installed on the mobile terminal, and prevent, monitor and warn of the following operations by unauthorized personnel:
a) Forcibly terminate the operation of the client software;
b) Forcibly cancel the automatic loading of the client software when the system starts;
c) Forcibly uninstall, delete or modify the client software.

6.1.1.7 Security audit
6.1.1.7.1 Audit record generation
Audit records shall be generated for the following events. The audit record includes the date and time of the event, the identity of the event subject, the description of the event, and an indication of success or failure.
a) Authorized administrator authentication success and failure;
b) Terminal authentication success and failure events;
c) The number of failed authentication attempts by the authorized administrator exceeds the set limit and the session connection is terminated;
d) The number of failed terminal authentication attempts exceeds the set limit and the session connection is terminated;
e) Important operations of authorized administrators, such as adding and deleting administrators, terminal user management, remote backup of mobile terminal business data, remotely locking mobile terminals and remotely erasing business data of mobile terminals, etc.;
f) All requests from the terminal for application resource access, including successful and failed requests.

6.1.1.7.2 Audit record storage
Audit records should be stored in a storage medium that is non-volatile after power failure. When the storage space reaches the threshold, the authorized administrator should be automatically alerted.

6.1.1.7.3 Audit record management
The following audit record management functions shall be supported:
a) Only authorized administrators are allowed to access audit records;
b) Combined query of audit records by date, time, terminal identification, etc.;
c) Back up audit records.

6.1.2 Security requirements
6.1.2.1 Development
6.1.2.1.1 Security Architecture
The developer should provide the evaluator with a description of the security architecture of the product's security functions, and the description of the security architecture should meet the following requirements:
a) Consistent with the level of abstraction of the description of the safety functions implemented in the product design document;
b) Describe the safety domains of the product safety function, consistent with the safety function requirements;
c) Describe why the product safety function initialization process is safe;
d) Verify that the product safety function can prevent damage;
e) Verify that the product safety function can prevent the safety feature from being bypassed.

6.1.2.1.2 Functional Specification
The developer shall provide a complete functional specification to the evaluator, and the functional specification shall meet the following requirements:
a) Fully describe the safety function of the product;
b) Describe the purpose and usage of all safety function interfaces;
c) Identify and describe all parameters related to each safety function interface;
d) Describe the safety function implementation behavior related to the safety function interface;
e) Describe the direct error messages caused by the behavioral processing of the security function;
f) Verify that the safety function requirements are traceable to the safety function interfaces.

6.1.2.1.3 Product design
The developer shall provide the product design document to the evaluator, and the product design document shall meet the following requirements:
a) Describe the product structure in terms of subsystems;
b) Identify and describe all subsystems of the product safety functions;
c) Describe the interaction between all subsystems of the safety function;
d) Provide a mapping relationship that can verify that all behaviors described in the design can be mapped to the security function interface that calls them.

6.1.2.2 Guiding documents
6.1.2.2.1 Operation User Guide
The developer shall provide the evaluator with a clear and reasonable operation user guide. The operation user guide shall be consistent with all other documents provided for evaluation, and its description of each user role should meet the following requirements:
a) Describe the functions and privileges that are accessible to users and should be controlled in the secure processing environment, including appropriate warning information;
b) Describe how to use the available interfaces provided by the product in a safe manner;
c) Describe the available functions and interfaces, especially all the safety parameters controlled by the user, and specify the safety values when appropriate;
d) Clearly state every security-related event related to the user-accessible functions that need to be performed, including changing the security features of entities controlled by the security function;
e) Identify all possible states of product operation (including failures or operational errors caused by operations), and their causal relationship and connection with maintaining safe operation;
f) Contain a security strategy that fully achieves the security objectives;
g) Follow the principles of lawfulness, fairness and necessity, and not use the software to collect personal information irrelevant to the services it provides.

6.1.2.2.2 Preparation procedures
The developer should provide the product and its preparation procedure to the evaluator, and the preparation procedure description should meet the following requirements:
a) Describe all the steps necessary to safely receive the delivered product, consistent with the developer's delivery procedure;
b) Describe all the steps necessary to safely install the product and its operating environment.

6.1.2.3 Life cycle support
6.1.2.3.1 Configuration management capabilities
The developer's configuration management capabilities should meet the following requirements:
a) Provide unique identification for different versions of the product;
b) Use the configuration management system to maintain all configuration items that make up the product, and uniquely identify the configuration items;
c) Provide configuration management documents, which describe the methods used to uniquely identify configuration items.

6.1.2.3.2 Configuration management scope
The developer shall provide the evaluator with a list of product configuration items that includes the product, safety assurance requirements evaluation evidence and product components, and specify the developer of each configuration item.

6.1.2.3.3 Delivery procedures
Developers should use certain delivery proced......