LST1807-2017: Security specification for grain information system
Status: Valid
Basic data

Standard ID: LS/T 1807-2017 (LS/T1807-2017)
Description (Translated English): Security specification for grain information system
Sector / Industry: Food & Beverage Industry Standard (Recommended)
Classification of Chinese Standard: B20
Classification of International Standard: 35.240.99
Word Count Estimation: 13,168
Date of Issue: 2017-03-10
Date of Implementation: 2017-06-01
Quoted Standard: GB/T 20518; GB/T 22239; GB/T 22240; GB/T 31167-2014; GB/T 31168-2014
Regulation (derived from): State-Food-Communication No. 1 of 2017
Issuing agency(ies): National Grain Administration
Summary: This standard specifies the basic requirements for food information security protection objects, food information security technology and safety management. Security construction deployed in the e-government external network is covered by the e-government external network's protection, and security construction deployed in the e-government internal network is covered by the e-government internal network's security. This standard focuses on the security requirements of grain administrative departments at all levels, grain enterprises and other stakeholders when interacting over the intranet and the Internet. This standard applies to the planning, design, construction, operation and maintenance and evaluation of food informatization projects.

This is a DRAFT version for illustration, not a final translation.

Security specification for grain information system
ICS 35.240.99
B20
People's Republic of China food industry standard
Food Information Security Technical Specification
Published on 2017-03-10; implementation on 2017-06-01
Released by the National Food Bureau

Content

Foreword
1 Scope
2 Normative references
3 Terms and Definitions
4 Abbreviations
5 Information Security Protection Object
6 General requirements
7 Security Management
8 Security Technology
9 Food Safety Technology
Reference

Foreword

This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard was proposed by the National Grain Administration.
This standard is under the jurisdiction of the National Grain and Oil Standardization Technical Committee (SAC/TC270).
This standard was drafted by: Aerospace Information Co., Ltd., Hubei Grain Bureau, Beijing Tianrongxin Technology Co., Ltd.
The main drafters of this standard: Li Qijun, Song Yuling, Luo Xiuchun, Shi Zhan, Wang Qianxi, Zhou Guilai.

Food Information Security Technical Specification

1 Scope

This standard specifies the basic requirements for food information security protection, food information security technology and safety management. The relevant security construction deployed in the e-government extranet is guaranteed by the e-government external network, and the related security construction deployed in the e-government intranet is protected by the e-government intranet.
This standard focuses on the security requirements that apply when food administrative departments at all levels, food enterprises and other grain-related organizations interact over the internal network of the enterprise and the Internet.
This standard applies to the planning, design, construction, operation and maintenance and evaluation of food informatization projects.

2 Normative references

The following documents are indispensable for the application of this document.
For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.

GB/T 20518 Information Security Technology Public Key Infrastructure Digital Certificate Format
GB/T 22239 Information Security Technology Information System Security Level Protection Basic Requirements
GB/T 22240 Information Security Technology Information System Security Level Protection Rating Guide
GB/T 31167-2014 Information Security Technology Cloud Computing Service Security Guide
GB/T 31168-2014 Information security technology cloud computing service security capability requirements

3 Terms and definitions

The following terms and definitions apply to this document.

3.1 Security domain
A network or system in the same environment with the same security protection requirements, mutual trust, and the same security access control and border control policies.

3.2 Grain cloud computing platform
A collection of cloud computing infrastructure and food informatization software running on it.

3.3 Grain internet of things
A sensor network system that monitors the grain storage environment and the quantity and quality of food through dedicated sensors.

4 Abbreviations

The following abbreviations apply to this document.
VPN: Virtual Private Network
PKI/CA: Public Key Infrastructure/Certificate Authority
4A: Unified Security Management of Identity Authentication, Authorization, Auditing, and Accounts (Authentication, Account, Authorization, Audit)

5 Information security protection objects

These mainly include food information networks, information systems, food information and its physical environment, supporting infrastructure and safety equipment and facilities.
5.1 Information Network
The protected network objects include the various information networks within the scope of food business management, which run on four different networks: the e-government intranet, the e-government extranet, the intranet, and the Internet.

5.2 Information System
The protected business objects are the various food business application systems running in the food information system. By business application type, the food information system is divided into the food enterprise business management application system and the food administrative management application system; by structure, it is divided into the national grain management platform (referred to as the "national platform"), the provincial food management platform (referred to as the "provincial platform") and the enterprise food management platform. The food business management application system runs on the intranet and the Internet; the food administrative application system runs on the e-government intranet, the e-government extranet and the Internet.

5.3 Food Information
The protected information objects are all kinds of food business information, which can be divided into public information and non-public information. Non-public information includes various types of sensitive information. Different information categories should be set with different levels of security protection. For public information, the main concern is preventing tampering and loss; for sensitive information, in addition to preventing tampering and loss, protection against unauthorized disclosure, abuse and destruction must be added.

5.3.1 Public information includes but is not limited to:
Information on food production, food processing, grain and oil markets, food consumption, grain storage environment, and social economy.

5.3.2 Food sensitive information includes but is not limited to:
a) Information that should be made public but is not suitable for disclosure before the official release, such as bidding, planning, statistics, budget, etc.;
b) Unsuitable records generated during the administrative enforcement of food;
c) Geographical location information of the grain enterprise;
d) Trade secrets of food enterprises;
e) Personnel planning and work charter of the food administrative department, personnel capacity evaluation and other information;
f) Information such as bank card, ID card, settlement funds, etc.;
g) Information on food stocks, quality, rotation plans, food emergency plans, etc.

6 General requirements

The safety requirements of food information systems are proposed from three aspects: safety management, safety technology, and safety technology in the field of food specialties, as shown in Figure 1.
The food administrative department, food enterprises and other grain-related agencies shall, in accordance with the requirements of the national information security authorities, grade their food information systems and meet the corresponding safety requirements according to the rating. Food enterprise business management application systems should comply with the GB/T 22240 national information security protection level 2 or above; food administrative application systems that are cross-province or cover the province should comply with security protection level 3.

Figure 1 Food Information Security Framework

7 Security Management

The system, organization, personnel, system construction, operation and maintenance services, etc. of safety management shall comply with the requirements of GB/T 22239 and GB/T 22240.

8 Safety technology

The safety technology of the food information system shall comply with the general requirements of GB/T 22239 and GB/T 22240, and shall also satisfy the following technical requirements.
8.1 Physical Security

8.1.1 Computer room for office space renovation
For the computer room that storage enterprises, the central library and other grain enterprises have rebuilt from office space, at least:
a) The equipment room and office space should be designed to be windproof and rainproof;
b) The installation of air-conditioning pipes shall not pass under the roof of the machine room or under the raised floor;
c) Measures should be taken to prevent rainwater from penetrating through the windows, roof and walls of the machine room;
d) Measures should be taken to prevent water vapor condensation and the transfer and penetration of underground water in the equipment room;
e) Lightning protection devices shall be installed in the equipment room building;
f) The power supply should have good grounding;
g) There should be anti-theft and anti-destruction monitoring and alarm devices and safety management measures;
h) Fire-fighting equipment should be installed in the equipment room;
i) Power cables and communication cables should be laid separately to avoid mutual interference;
j) The standby power supply of the storage enterprise shall at least sustain the normal operation of the acquisition business in the event of power failure;
k) The equipment room and office space should be kept clean and hygienic. When the computer equipment is dusty, vacuum cleaning should be adopted and the dust should be less when using ordinary cleaning methods;
l) Patch panels and server racks should have significant markings;
m) The independent computer room can be equipped with an electronic access control system to control, identify and record incoming personnel.

8.1.2 Strong-current and weak-current cabinets outside the warehouse, including but not limited to:
a) There should be a good rain protection design;
b) There should be leakage, overload and short circuit protection devices;
c) Cables, switches or other control units in the cabinet should have significant identification that can be traced to relevant drawings, maintenance records, responsible persons, etc.

8.2 Network Security

8.2.1 Library area network wiring, including but not limited to:
a) The integrated wiring of the internal network of the grain depot should use reliable network links such as fiber ring networks;
b) An information node should be set at the door of each warehouse;
c) The information node should be installed in a waterproof and dustproof weak-current box outside the warehouse.

8.2.2 Structural safety, including but not limited to:
a) Enterprises connected to the provincial management platform should have a fixed IP address;
b) A network topology diagram corresponding to the current operation should be drawn;
c) The bandwidth of the access network and the core network should be ensured to meet peak business needs, such as the need for remote video surveillance;
d) Different subnets or network segments should be divided according to factors such as the type of business, importance and the level of information involved, and address segments should be allocated to each subnet and network segment according to the principle of control;
e) Important network segments should not be directly connected to external information systems. Reliable technical isolation should be adopted between important network segments and other network segments.

8.2.3 Access Control, including but not limited to:
a) The external boundaries should be determined by technologies such as gatekeepers, VPNs, and firewalls to achieve secure and reliable external network interconnection;
b) Hierarchical management should be implemented using identity authentication technology, information of internal security domains should be classified, and users of low security domains should be prohibited from unauthorized access to high security domain users/services;
c) There should be a network performance protection mechanism to prevent abuse of network resources and ensure the rational use of network resources;
d) Network access authentication capability should be in place to ensure that only authorized terminals can access the network.

8.2.4 Security Audit
Audit the network equipment running status, network traffic, and user behavior in the network system.

8.2.5 Intrusion Prevention
Protect against behaviors such as port scanning, Trojan backdoor attacks, denial of service attacks, buffer overflow attacks and network worms at the network perimeter.

8.3 Host Security
Should meet the requirements of GB/T 22240.

8.4 Data Security, including but not limited to:
a) The business data of the grain enterprise shall be retained for at least one grain storage period and not less than 5 years; where relevant policies require it, the requirements of the relevant policy documents shall also be met;
b) When the storage space is insufficient, the video data should be deleted gradually and the business data should be retained;
c) There should be local data backup, the number of backups should be increased during the grain rotation period, and the backup media should be stored outside the site;
d) The security management of backup media should be strengthened.

8.5 Application Security, including but not limited to:
a) The food information system should implement user identity authentication based on the PKI/CA digital certificate system of the food industry, and require a 4A application system security system to ensure information security of local application systems;
b) According to the job responsibilities of the personnel, the different accounts shall be granted the minimum privilege required to complete their respective tasks, and a mutually restrictive relationship shall be formed between them;
c) Delete or disable redundant accounts, test accounts, and expired accounts in time to avoid the use of shared accounts and expired accounts.

9 Safety technology in the field of food specialties

9.1 Food Internet of Things Security
In addition to the general technical requirements for physical security, host security, network security, data security and application security, the design and implementation of the food IoT should also meet the following security requirements:
a) A sensing node may access the network only after the authenticity and correctness of its identity have been confirmed through the interface, by means of identity authentication, authorized access and access control;
b) Large grain depots, grain and oil processing enterprises or logistics centers can use industrial firewalls, gatekeepers and other equipment to logically isolate the food business management network from the industrial control network;
c) Changes to entered inbound and outbound data must not be made by a super user or other high-privileged user operating directly on the database. The system should provide a complete change process, record the entire process of data entry, review, and change, and form a data change report;
d) The principle of objectivity should be followed, and the original collection data of the food IoT should not be modified or falsified;
e) The food IoT system should keep operation logs and access logs, so that accounts, access time and operation content can be reviewed through auditor accounts and unauthorized access behavior can be tracked and located;
f) The system log should be able to record the on-site manual operation of the device, combined with the remote operation log to form a complete device operation log;
g) When the grain information technology support unit performs a system upgrade remotely or locally, a change plan should be formulated to clarify the change time, change content, change verification, change responsibility, etc.; the original version and current version of the software and data should be backed up to physical media, and relevant records should be kept.

9.2 Food Cloud Security

9.2.1 The scope of use of the cloud computing platform, including but not limited to:
a) For classified food information systems, the processing, preservation, transmission and utilization of information shall be carried out in accordance with national secrecy regulations, and government cloud or other public cloud service platforms shall not be used [priority determination in GB/T 31167-2014];
b) Information systems or key business systems involving highly sensitive food information can use a community or private cloud computing platform, or can be operated as an own system in the traditional way;
c) Grassroots storage points in remote locations with poor network communication conditions that adopt a cloud computing platform should ensure that backup technical means and measures are available after a network interruption to complete the information collection and business processing of each link, so that the grain purchase business is not affected.

9.2.2 Cloud computing security responsibility
After the grain information platform is moved onto the cloud computing platform, its security responsibility is not transferred; it still bears the final safety responsibility for the data and services on the cloud computing platform [Basic requirements for cloud computing service security management in GB/T 31167-2014].

9.2.3 Choice of cloud service providers, including but not limited to:
a) For a system to be moved to the cloud computing platform, the information and services should be analyzed, and a cloud service provider with the corresponding security capability level should be selected according to the sensitivity of the information and the importance of the business;
b) Food cloud computing customers should clarify the responsibilities and obligations of cloud service providers through contracts, emphasizing the customer's right to know about operations on data and business systems; the cloud computing platform should be required to provide the necessary supervision interface and log query function, so as to establish an effective review and inspection mechanism and achieve effective supervision of cloud computing services.

9.2.4 Security Requirements for Cloud Computing Platform Clients
Food cloud customers should control their own client systems and should:
a) Not transmit malicious programs, garbage data, or other data or code that may affect the normal operation of cloud computing to cloud computing platforms and related systems;
b) Not carry out cyber attacks on the cloud computing platform, or steal or tamper with data on it;
c) Not engage in illegal activities that violate national information security through the cloud platform.

9.2.5 Security threats on the cloud platform, including but not limited to:
a) In the food cloud service environment, it is necessary to have technical means and measures to deal with traditional information security threats, including host security threats, cybersecurity threats, and application security threats;
b) New security threats brought about by virtualization should be addressed, including the virtualization platform, virtual machines and virtual machine network management, and security isolation between tenants;
c) In cloud computing mode, the cloud computing facility layer (physical environment), hardware layer (physical device), resource abstraction layer and control layer are all under the complete control of the cloud service provider, all security facilities are undertaken by the cloud service provider, and their security requirements should be implemented in accordance with GB/T 31168-2014.
The security measures of the application software layer and the software platform layer are the same as the traditional information security measures.

......