MHT0076-2020 English PDFUS$1179.00 · In stock
Delivery: <= 6 days. True-PDF full-copy in English will be manually translated and delivered via email. MHT0076-2020: (Basic requirements for civil aviation network security level protection) Status: Valid
Basic dataStandard ID: MH/T 0076-2020 (MH/T0076-2020)Description (Translated English): (Basic requirements for civil aviation network security level protection) Sector / Industry: Civil Aviation Industry Standard (Recommended) Classification of Chinese Standard: L07 Word Count Estimation: 47,429 Date of Issue: 2020-07-20 Date of Implementation: 2020-10-01 Issuing agency(ies): Civil Aviation Administration of China MHT0076-2020: (Basic requirements for civil aviation network security level protection)---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.Baseline for classified protection of cybersecurity in civil aviation ICS 35.020 Civil Aviation Industry Standard of the People's Republic of China Basic requirements for civil aviation network security grade protection 2020-07 -20 released 2020-10-01 implementation Issued by Civil Aviation Administration of China Table of contentsForeword...II Introduction...III 1 Scope...1 2 Normative references...1 3 Terms and definitions...1 4 Overview of Civil Aviation Network Security Level Protection...1 5 First level safety requirements...2 6 Second level safety requirements...6 7 Level 3 safety requirements...15 8 Level 4 Safety Requirements...26 9 Level 5 Safety Requirements...37 Appendix A (Normative Appendix) About the selection and use of general safety requirements and extended safety requirements...1 Appendix B (Normative Appendix) Requirements for the overall safety protection capability of the graded protection objects...5 References...6ForewordThis standard was drafted in accordance with the rules given in GB/T 1.1-2009. This standard was proposed by the Department of Personnel, Science and Education, Civil Aviation Administration of China. This standard is under the jurisdiction of the China Academy of Civil Aviation Science and Technology. Drafting organizations of this standard. Civil Aviation University of China, Guangdong Airport Baiyun Information Technology Co., Ltd., Nankai University. The main drafters of this standard. Liu Chunbo, Mai Zhaoming, Sui Zhuo, Luo Jun, Liu Zheli, Chen Guangfeng, Wang Zhi, Liu Chao, Zhou Jingxian, Wang Shuang, Zhang Lizhe, Ma Yong, Gu Zhaojun, Lv Zongping.IntroductionAccording to GB/T 1.1-2009 "Guidelines for Standardization Work Part One. Standard Structure and Compilation", "Network of the People's Republic of China" Security Law", "Regulations of the People’s Republic of China on the Protection of Computer Information System Security" (Order No. 147 of the State Council), "Information Security Level Protection Management Measures (Gongtongzi [2007] No. 43), GB/T 22239 "Basic Requirements for Information Security Technology Network Security Level Protection" and "Interim Measures for the Administration of Civil Aviation Network and Information Security" (MD-PE-2013-01), "Regarding Further Strengthening of Civil Aviation Network and Information Security "Notice" (Civil Aviation Renfa [2013] No. 62) requires the formulation of this standard. This standard is based on GB/T 22239 "Basic Requirements for Information Security Technology Network Security Level Protection", and is based on the system characteristics of the civil aviation industry. Levy, put forward and stipulate the basic safety protection requirements of different safety protection levels. This standard is one of a series of standards related to civil aviation network security level protection. The standards related to this standard include. --MH/T 0069 Guidelines for the classification of civil aviation network security protection. In this standard, the parts in bold indicate the increased or enhanced requirements in higher levels. Basic requirements for civil aviation network security grade protection1 ScopeThis standard specifies the general requirements and safety requirements for the protection objects of the first to fourth levels of civil aviation network security protection. Expansion requirements. This standard is applicable to guide the safety construction and supervision and management of hierarchical non-secret civil aviation network security protection objects. Note. The fifth-level protection object is a very important supervision and management object, which has special management mode and safety requirements, so it is not carried out in this standard. description.2 Normative referencesThe following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document. GB/T 25069 Information Security Technical Terms GB/T 22239 Information Security Technology Network Security Level Protection Basic Requirements MH/T 0069 Guidelines for the Classification of Civil Aviation Network Security Level Protection3 Terms and definitionsThe following terms and definitions established by GB/T 25069, GB/T 22239 and MH/T 0069 apply to this document. For ease of use, Some terms and definitions in GB/T 22239 are repeated below. 3.1 Cybersecurity By taking necessary measures to prevent attacks, intrusions, interference, sabotage, illegal use and accidents on the network, the network is The state of stable and reliable operation, and the ability to ensure the integrity, confidentiality, and availability of network data. [GB/T 22239-2019, Terms and Definitions 3.1] 3.2 Security protection ability The degree to which it can resist threats, detect security incidents, and restore the previous state after damage. [GB/T 22239-2019, Terms and Definitions 3.2] 3.3 (Civil aviation) production network (of civil aviation) Network facilities that carry the production business system of civil aviation transportation. 3.4 Office network Network facilities that carry office automation systems.4 Overview of Civil Aviation Network Security Level Protection4.1 Hierarchical protection objects Hierarchical protection objects refer to objects in the network security hierarchical protection work, usually referring to computers or other information terminals and related equipment. A system that collects, stores, transmits, exchanges, and processes information in accordance with certain rules and procedures, mainly including basic information Networks, cloud computing platforms/systems, big data platforms/systems, Internet of Things, industrial control systems, and systems using mobile internet technology. According to their importance in national security, economic construction, and social life, the objects of hierarchical protection have an impact on national security and social status after being destroyed. Order, public interest, and the degree of harm to the legitimate rights and interests of citizens, legal persons and other organizations, etc., are divided into five security protections from low to high. level. Refer to MH/T 0069 for the method for determining the safety protection level of civil aviation protection objects. 4.2 Different levels of security protection capabilities The basic security protection capabilities that different levels of protection objects should have are as follows. The first level of security protection capability. It should be able to protect against malicious attacks from individual threat sources with few resources, general Damage to key resources caused by natural disasters and other threats of considerable damage. Features. The second level of security protection capability. It should be able to protect against malicious attacks from small external organizations and threat sources with few resources. Damage to important resources caused by attacks, general natural disasters, and other threats of a considerable degree of harm, which can discover important security vulnerabilities And to deal with security incidents, after it is damaged, it can restore some functions within a period of time. The third level of security protection capability. it should be able to protect against organized groups from outside under a unified security strategy, with relatively rich resources The main resource damage caused by malicious attacks, more serious natural disasters, and other threats of considerable damage It can detect and monitor attacks and deal with security incidents in time, and restore most of its functions quickly after it is damaged. The fourth level of security protection capability. It should be able to protect against national-level, hostile organizations, and rich assets under a unified security strategy. Resource damage caused by malicious attacks, severe natural disasters, and other threats of a considerable degree of threat to resources can be It can detect and monitor attacks and security incidents in time, and can quickly restore all functions after it is damaged. The fifth level of security protection capability. omitted. 4.3 Safety general requirements and safety extension requirements Due to different business goals, different technologies used, and different application scenarios, different levels of protection objects will be different The form appears, and the manifestation may be called basic information network, information system (including systems using mobile Internet and other technologies), cloud computing Platform/system, big data platform/system, Internet of Things, industrial control system, etc. The threats faced by different levels of protection objects are different At the same time, security protection requirements will also vary. In order to facilitate the realization of the commonality and individualization of protection objects of different levels and different forms Personalized protection, grade protection requirements are divided into safety general requirements and safety expansion requirements. General requirements for safety are put forward in response to the requirements for common protection. No matter what form the objects of level protection appear in, they must be based on safety protection, etc. Level to achieve the general security requirements of the corresponding level; security extension requirements are proposed for individual protection requirements, which need to be based on the security protection level and use Specific technologies or specific application scenarios used to selectively implement security extension requirements. Safety general requirements and safety extension requirements together constitute a The safety requirements of the object of level protection. See Appendix A for the selection of safety requirements, and Appendix B for the requirements for overall safety protection capabilities. According to the actual situation of the civil aviation industry, this standard refines or enhances the general safety requirements in GB/T 22239, The security expansion requirements of computing, mobile Internet, Internet of Things, and industrial control systems are consistent with GB/T 22239.For the use of other special technologies or For hierarchical protection objects in special application scenarios, special safety measures should be taken for safety risks based on safety risk assessment. supplement.5 First level safety requirements5.1 General safety requirements 5.1.1 Safe physical environment 5.1.1.1 Physical access control At the entrance and exit of the computer room, a dedicated person should be assigned to guard or be equipped with an electronic access control system to control, identify and record the personnel entering. 5.1.1.2 Anti-theft and anti-vandalism The equipment or main components should be fixed, and obvious signs that are not easy to remove should be set. 5.1.1.3 Lightning protection Various cabinets, facilities and equipment should be safely grounded through a grounding system. 5.1.1.4 Fire protection Fire extinguishing equipment should be provided in the machine room. 5.1.1.5 Waterproof and moisture-proof Measures should be taken to prevent rainwater from penetrating through the windows, roof and walls of the computer room. 5.1.1.6 Temperature and humidity control Necessary temperature and humidity adjustment facilities should be installed to keep the temperature and humidity changes in the equipment room within the allowable range of equipment operation. 5.1.1.7 Power supply A voltage stabilizer and overvoltage protection equipment should be configured on the power supply line of the computer room. 5.1.2 Secure communication network 5.1.2.1 Communication transmission Checking technology should be used to ensure the integrity of data in the communication process. 5.1.2.2 Trusted Verification Based on the root of trust, the system boot program, system program, etc. of the communication equipment can be trusted to verify, and when it is detected that its credibility is broken Alarm after failure. 5.1.3 Security zone boundary 5.1.3.1 Border protection It shall be ensured that the access and data flow across the boundary communicate through the controlled interface provided by the boundary device. 5.1.3.2 Access Control include. a) The access control rules should be set according to the access control policy at the network boundary. By default, the controlled interface denies all users except allowing communication. Have communication b) The redundant or invalid access control rules should be deleted, the access control list should be optimized, and the number of access control rules should be minimized; c) The source address, destination address, source port, destination port and protocol should be checked to allow/deny data packets in and out. 5.1.3.3 Trusted verification Based on the root of trust, the system boot program, system program, etc. of the border device can be trusted to verify, and when it is detected that its credibility is broken Alarm after failure. 5.1.4 Secure Computing Environment 5.1.4.1 Identity authentication include. a) The user who logs in should be identified and authenticated, the identification is unique, and the identification information has complexity requirements and Regular replacement b) It shall have the function of handling login failures, and shall be configured and enabled to end the session, limit the number of illegal logins and automatically when the login connection times out Withdrawal and other related measures. 5.1.4.2 Access Control include. a) Accounts and permissions should be assigned to users who log in; b) The default account should be renamed or deleted, and the default password of the default account should be modified; c) Excess and expired accounts should be deleted or disabled in time to avoid the existence of shared accounts. 5.1.4.3 Intrusion Prevention include. a) The principle of minimum installation should be followed, and only the required components and applications should be installed; b) Unnecessary system services, default sharing and high-risk ports should be closed. 5.1.4.4 Malicious code prevention Anti-malware code software should be installed or configured with software with corresponding functions, and the anti-malware code library should be regularly upgraded and updated. 5.1.4.5 Trusted verification Based on the root of trust, the system boot program, system program, etc. of the computing device can be trusted to verify, and when it is detected that its credibility is broken Alarm after failure. 5.1.4.6 Data integrity Checking technology should be used to ensure the integrity of important data during transmission. 5.1.4.7 Data backup and recovery Local data backup and recovery functions for important data should be provided. 5.1.5 Safety management system 5.1.5.1 Management system The safety management system commonly used in daily management activities should be established. 5.1.6 Safety management agency 5.1.6.1 Position setting Positions such as system administrators should be established, and the responsibilities of each job position should be defined. 5.1.6.2 Staffing There should be a certain number of system administrators. 5.1.6.3 Authorization and approval Authorized approval items, approval departments and approvers should be clearly defined according to the responsibilities of each department and position. 5.1.7 Safety management personnel 5.1.7.1 Personnel recruitment Special departments or personnel should be designated or authorized to be responsible for personnel recruitment. 5.1.7.2 Personnel leaving All access rights of employees who leave their posts should be terminated in a timely manner, and various identification documents, keys, badges, etc., as well as the hardware and software provided by the organization should be recovered. Prepared. 5.1.7.3 Safety awareness education and training All types of personnel shall be given safety awareness education and job skill training, and relevant safety responsibilities and disciplinary measures shall be notified. 5.1.7.4 External personnel access management It should be ensured that external personnel are authorized or approved before accessing the controlled area. 5.1.8 Safety construction management 5.1.8.1 Rating and filing According to MH/T 0069, the safety protection level of the protected object and the method and reason for determining the level shall be explained in written form. 5.1.8.2 Security scheme design The basic safety measures should be selected according to the safety protection level, and the safety measures should be supplemented and adjusted according to the results of the risk analysis. 5.1.8.3 Product procurement and use It should be ensured that the purchase and use of cyber security products comply with relevant national regulations; 5.1.8.4 Project implementation A special department or person should be designated or authorized to be responsible for the management of the project implementation process. 5.1.8.5 Test acceptance Safety testing and acceptance shall be carried out. 5.1.8.6 System Delivery include. a) A delivery list should be developed, and the delivered equipment, software and documents should be counted according to the delivery list; b) The technical personnel responsible for operation and maintenance shall be trained in corresponding skills. 5.1.8.7 Service provider selection include. a) It should be ensured that the selection of service providers conforms to relevant national and industry regulations; b) A security-related agreement should be signed with the selected service provider to clearly stipulate related responsibilities. 5.1.9 Security Operation and Maintenance Management 5.1.9.1 Environmental Management include. a) A special department or person should be designated to be responsible for the safety of the computer room, to manage the access to the computer room, and to regularly provide power and distribution, air conditioning, and temperature Maintenance and management of humidity control and fire fighting facilities; b) Provisions should be made for the safety management of the computer room, including physical access, entry and exit of items, and environmental safety. 5.1.9.2 Media Management The media should be stored in a safe environment, all types of media should be controlled and protected, the storage environment should be managed by a dedicated person, and the The inventory of the media is regularly inventoried. 5.1.9.3 Equipment maintenance and management All kinds of equipment (including backup and redundant equipment), lines and other designated special departments or personnel should be regularly maintained and managed. 5.1.9.4 Vulnerability and risk management Necessary measures should be taken to identify security vulnerabilities and hidden dangers, and timely patching of discovered security vulnerabilities and hidden dangers or assess the possible impact Repair afterwards. 5.1.9.5 Network and system security management include. a) Different administrator roles should be divided for network and system operation and maintenance management, and the responsibilities and permissions......Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of MHT0076-2020_English be delivered?Answer: Upon your order, we will start to translate MHT0076-2020_English as soon as possible, and keep you informed of the progress. The lead time is typically 4 ~ 6 working days. The lengthier the document the longer the lead time.Question 2: Can I share the purchased PDF of MHT0076-2020_English with my colleagues?Answer: Yes. The purchased PDF of MHT0076-2020_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet.Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. If you need your currency to be printed on the invoice, please write an email to Sales@ChineseStandard.net. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay. |
