GB/T 22239-2019 (GB/T22239-2019, GBT 22239-2019, GBT22239-2019)
Standard ID | Contents [version] | USD | Delivery | Standard Title (Description) | Status
GB/T 22239-2019 | English | 485 | PDF, auto-delivery in 0-9 seconds | Information security technology -- Baseline for classified protection of cybersecurity | Valid
Standards related to: GB/T 22239-2019
Standard ID | GB/T 22239-2019 (GB/T22239-2019)
Description (Translated English) | Information security technology -- Baseline for classified protection of cybersecurity
Sector / Industry | National Standard (Recommended)
Classification of Chinese Standard | L80
Classification of International Standard | 35.040
Word Count Estimation | 90,933
Date of Issue | 2019-05-10
Date of Implementation | 2019-12-01
Older Standard (superseded by this standard) | GB/T 22239-2008
Quoted Standard | GB 17859; GB/T 22240; GB/T 25069; GB/T 31167-2014; GB/T 31168-2014; GB/T 32919-2016
Drafting Organization | The Third Research Institute of the Ministry of Public Security (Information Security Level Protection Evaluation Center of the Ministry of Public Security); Information Center of the National Energy Administration; Alibaba Cloud Computing Co., Ltd.; Institute of Information Engineering, Chinese Academy of Sciences (State Key Laboratory of Information Security); Xinhua Three Technology Co., Ltd.; Huawei Technologies Co., Ltd.; Venus Star Information Technology Group Co., Ltd.; Beijing Dingpu Technology Co., Ltd.; Sixth Research Institute of China Electronics Information Industry Group Co., Ltd.; First Research Institute of the Ministry of Public Security; State Information Center; Shandong Differential Electronic Technology Co., Ltd.; the 15th Research Institute of China Electronics Technology Group Corporation (Information Industry Information Security Evaluation Center); Zhejiang University; the Computer and Microelectronics Development Research Center of the Ministry of Industry and Information Technology (China Software Evaluation Center); Zhejiang Guoli Xinan Technology Co., Ltd.; Mechanical industry instrument
Administrative Organization | National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing organization | National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies) | State Administration for Market Regulation; China National Standardization Administration
Summary | This standard specifies the general security requirements and security extension requirements for objects under classified protection at level 1 to level 4 of the classified protection of cybersecurity. It is applicable to guiding the security construction and the supervision and management of non-confidential objects at each level.
GB/T 22239-2019
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 22239-2008
Information security technology -
Baseline for classified protection of cybersecurity
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: State Market Regulatory Administration;
Standardization Administration of PRC.
Table of Contents
Foreword ... 4
Introduction ... 6
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 8
4 Abbreviations ... 11
5 Overview of classified protection of cybersecurity ... 12
5.1 Object under classified protection ... 12
5.2 Security protection ability of different levels ... 12
5.3 General security requirements and security extension requirements ... 13
6 Level 1 security requirements ... 14
6.1 General security requirements ... 14
6.2 Security extension requirements for cloud computing ... 20
6.3 Security extension requirements for mobile internet ... 22
6.4 Security extension requirements for IoT ... 22
6.5 Security extension requirements for industrial control systems ... 23
7 Level 2 security requirements ... 25
7.1 General security requirements ... 25
7.2 Security extension requirements for cloud computing ... 40
7.3 Security extension requirements for mobile internet ... 43
7.4 Security extension requirements for IoT ... 45
7.5 Security extension requirements for industrial control systems ... 46
8 Level 3 security requirements ... 48
8.1 General security requirements ... 48
8.2 Security extension requirements for cloud computing ... 71
8.3 Security extension requirements for mobile internet ... 76
8.4 Security extension requirements for IoT ... 78
8.5 Security extension requirements for industrial control systems ... 80
9 Level 4 security requirements ... 83
9.1 General security requirements ... 83
9.2 Security extension requirements for cloud computing ... 106
9.3 Security extension requirements for mobile internet ... 111
9.4 Security extension requirements for IoT ... 113
9.5 Security extension requirements for industrial control systems ... 116
10 Level 5 security requirements ... 119
Appendix A (Normative) Selection and use of general security requirements and security extension requirements ... 120
Appendix B (Normative) Requirements on overall security protection ability of the object under classified protection ... 124
Appendix C (Normative) Security framework of classified protection and requirements for key technology use ... 126
Appendix D (Informative) Description of cloud computing application scenarios ... 129
Appendix E (Informative) Description of mobile internet application scenarios ... 130
Appendix F (Informative) Description of IoT application scenarios ... 131
Appendix G (Informative) Description of industrial control system application scenarios ... 133
Appendix H (Informative) Description of big data application scenarios ... 137
References ... 145
Information security technology -
Baseline for classified protection of cybersecurity
1 Scope
This standard specifies the general security requirements and security
extension requirements for objects under classified protection at level 1
to level 4 of the classified protection of cybersecurity.
This standard is applicable to guiding the security construction and the
supervision and administration of non-confidential objects at each level.
Note: A level 5 object under classified protection is a very important
supervision and management object with special management modes and security
requirements, so it is not described in this standard.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the edition cited applies. For undated references, the
latest edition of the referenced document (including all amendments) applies.
GB 17859 Classified criteria for security protection of computer information
system
GB/T 22240 Information security technology - Classification guide for
classified protection of information system security
GB/T 25069 Information security technology glossary
GB/T 31167-2014 Information security technology - Security guide of cloud
computing services
GB/T 31168-2014 Information security technology - Security ability
requirements of cloud computing services
GB/T 32919-2016 Information security technology - Application guide to
industrial control system security control
3.5
Cloud service customer
Participants who use cloud computing services to establish business
relationships with cloud service providers.
[GB/T 31168-2014, definition 3.4]
3.6
Cloud computing platform / system
A collection of cloud computing infrastructure and service software provided
by a cloud service provider.
3.7
Hypervisor
An intermediate software layer that runs between the underlying physical
server and the operating system, allowing multiple operating systems and
applications to share hardware.
3.8
Host machine
The physical server running the hypervisor.
3.9
Mobile internet
The process of using a wireless communication technology to connect a
mobile device to a wired network.
3.10
Mobile device
Terminal device used in mobile business, including general-purpose
terminals such as smart phones, tablets and personal computers, and
special-purpose terminal devices.
3.11
Wireless access device
A communication device that uses wireless communication technology to
WEP: Wired Equivalent Privacy
WPS: WiFi Protected Setup
5 Overview of Classified protection of cybersecurity
5.1 Object under classified protection
The object under classified protection refers to the object of the classified
protection of cybersecurity. It usually refers to a system, consisting of
computers or other information terminals and related devices, that collects,
stores, transmits, exchanges and processes information in accordance with
certain rules and procedures. It mainly includes basic information networks,
cloud computing platforms / systems, big data applications / platforms /
resources, Internet of Things (IoT), industrial control systems and systems
using mobile internet technologies. Objects under classified protection are
divided into five security protection levels, from low to high, according to
their importance to national security, economic construction and social life,
and to the degree of harm that their damage would cause to national security,
social order, public interests and the legitimate rights and interests of
citizens, legal persons and other organizations.
See GB/T 22240 for the method of determining the security protection level of
an object under classified protection.
5.2 Security protection ability of different levels
The basic security protection abilities that objects under classified
protection of each level shall possess are as follows:
Level 1 security protection ability: It shall be able to protect against
damage to key resources caused by malicious attacks from individual threat
sources with few resources, by general natural disasters, and by other threats
of comparable harm; after being damaged, it shall be able to restore some
functions.
Level 2 security protection ability: It shall be able to protect against
damage to important resources caused by malicious attacks from small external
organizations, threat sources with a small amount of resources, general natural
disasters, and other threats of comparable harm. It shall be able to discover
important security vulnerabilities and handle security incidents, and to
restore some functions within a period of time after being damaged.
Level 3 security protection ability: It shall be able to protect against
damage to important resources caused by malicious attacks from externally
organized groups, threat sources with richer resources, more severe natural
disasters,
scenarios of cloud computing are as shown in Appendix D; the application
scenarios of mobile Internet are as shown in Appendix E; the IoT application
scenarios are as shown in Appendix F; the application scenarios of industrial
control system are as shown in Appendix G; the application scenarios of big
data are as shown in Appendix H. For objects under classified protection that
use other special technologies or sit in special application scenarios, special
security measures shall be taken as a supplement, on the basis of a security
risk assessment.
6 Level 1 security requirements
6.1 General security requirements
6.1.1 Security physical environment
6.1.1.1 Physical access control
At the entrances and exits of the computer room, a dedicated person shall be
on duty or an electronic access control system shall be installed, to control,
identify and record the personnel entering.
6.1.1.2 Protection against theft and vandalism
Device or main components shall be fixed and identified with obvious signs that
are not easy to remove.
6.1.1.3 Lightning protection
All kinds of cabinets, facilities and devices shall be safely grounded through
the grounding system.
6.1.1.4 Fire prevention
The computer room shall be equipped with fire extinguishing device.
6.1.1.5 Waterproof and moisture-proof
It shall take measures to prevent rainwater from penetrating through the
windows, roof and walls of the computer room.
6.1.1.6 Temperature and humidity control
It shall set necessary temperature and humidity adjustment facilities, so that the
temperature and humidity changes in the computer room are within the range
allowed by the device operation.
6.1.4.1 Identity authentication
This requirement includes:
a) It shall identify and authenticate the users who log in. The identity
shall be unique; the authentication information shall meet complexity
requirements and be changed regularly;
b) It shall have a login-failure handling function; measures such as ending
the session, limiting the number of failed login attempts, and automatically
logging out when the login connection times out shall be configured and
enabled.
6.1.4.2 Access control
This requirement includes:
a) It shall assign accounts and permissions to the users who log in;
b) It shall rename or delete the default accounts and change the default
passwords of the default accounts;
c) It shall delete or disable redundant and expired accounts promptly, and
avoid the existence of shared accounts.
6.1.4.3 Intrusion prevention
This requirement includes:
a) It shall follow the principle of minimal installation, installing only the
required components and applications;
b) It shall close unnecessary system services, default shares and high-risk
ports.
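The following is an added example, not text or tooling from GB/T 22239-2019 or from any evaluation agency: a host baseline check for the account requirements in 6.1.4.2 and the service and port requirements in 6.1.4.3. It works on captured text so it runs offline. The /etc/passwd lines and the socket lines in the shape of `ss -tlnp` output are constructed for this example; the default-account names, the high-risk port list and the 90-day idle limit are this example's assumptions, since the standard names none of them.

```python
import re

# Example policy values (assumptions, not defined by GB/T 22239-2019)
DEFAULT_ACCOUNTS = {"guest", "admin", "test"}
HIGH_RISK_PORTS = {21: "ftp", 23: "telnet", 135: "msrpc", 139: "netbios-ssn",
                   445: "smb", 513: "rlogin", 514: "rsh"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}
MAX_IDLE_DAYS = 90

# Constructed sample /etc/passwd (not from a real host)
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second root:/root:/bin/bash
guest:x:1001:1001::/home/guest:/bin/bash
alice:x:1002:1002::/home/alice:/bin/bash
"""
# Constructed lines in the shape of `ss -tlnp` output (header removed)
SAMPLE_SOCKETS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("telnetd",pid=900,fd=4))
LISTEN 0 50 *:445 *:* users:(("smbd",pid=950,fd=5))
"""


def check_accounts(passwd_text, days_since_login=None):
    """6.1.4.2: flag enabled default accounts, accounts sharing a UID
    (one identity used by several people) and accounts idle longer than
    MAX_IDLE_DAYS. days_since_login maps user -> days, as read from lastlog."""
    findings = []
    uid_owner = {}
    idle_days = days_since_login or {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        uid = int(uid)
        enabled = shell not in NOLOGIN_SHELLS
        if enabled and name in DEFAULT_ACCOUNTS:
            findings.append(f"default account '{name}' is enabled: rename or delete it "
                            "and change its default password")
        if enabled and uid in uid_owner:
            findings.append(f"'{name}' shares UID {uid} with '{uid_owner[uid]}' "
                            "(shared account)")
        uid_owner.setdefault(uid, name)
        if enabled and idle_days.get(name, 0) > MAX_IDLE_DAYS:
            findings.append(f"'{name}' unused for {idle_days[name]} days: "
                            "delete or disable it")
    return findings


_SOCKET_RE = re.compile(r'LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def check_sockets(ss_text):
    """6.1.4.3 b): flag listeners on ports in HIGH_RISK_PORTS."""
    findings = []
    for line in ss_text.splitlines():
        m = _SOCKET_RE.search(line)
        if m is None:
            continue
        port, process = int(m.group(1)), m.group(2)
        if port in HIGH_RISK_PORTS:
            findings.append(f"{process} listens on {port}/tcp ({HIGH_RISK_PORTS[port]}): "
                            "close the service or block the port")
    return findings


if __name__ == "__main__":
    for f in check_accounts(SAMPLE_PASSWD, {"alice": 120}) + check_sockets(SAMPLE_SOCKETS):
        print("FINDING:", f)
```

On a real host the two inputs would come from /etc/passwd, `lastlog` and `ss -tlnp`; the point of the UID check is that two login names mapping to one UID are one identity for auditing purposes, which is exactly the shared-account situation 6.1.4.2 c) forbids.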
6.1.4.4 Prevention of malicious code
It shall install anti-malware software or configure software with corresponding
functions; regularly upgrade and update the anti-malware code library.
6.1.4.5 Trusted verification
It may, based on a trusted root, carry out trusted verification of the system
boot program, system programs, etc. of the computing device, and issue an alarm
when it detects that their trustworthiness has been damaged.
6.1.4.6 Data integrity
It shall use checking techniques to ensure the integrity of important data
during transmission.
6.1.4.7 Data backup and recovery
6.1.8 Security building management
6.1.8.1 Grading and filing
It shall state the security protection level of the protected object and the method
and reason for grading in a written form.
6.1.8.2 Security scheme design
It shall select the basic security measures according to the security protection
level; it shall supplement and adjust the security measures according to the
results of the risk analysis.
6.1.8.3 Product procurement and use
It shall be ensured that the procurement and use of cyber security products
comply with relevant national regulations.
6.1.8.4 Project implementation
It shall designate or authorize a special department or person to manage the
project implementation process.
6.1.8.5 Testing and acceptance
It shall perform a security testing and acceptance.
6.1.8.6 System handover
This requirement includes:
a) It shall establish a handover checklist, and inventory the devices, software
and documentation handed over according to the handover checklist;
b) It shall train the technical personnel responsible for operation and
maintenance accordingly.
6.1.8.7 Selection of service provider
This requirement includes:
a) It shall be ensured that the selection of service providers conforms to the
relevant national regulations;
b) It shall sign a security-related agreement with the selected service provider,
clearly stipulating the relevant responsibilities.
6.1.9 Security operation and maintenance management
6.1.9.6 Management of malicious code prevention
This requirement includes:
a) It shall raise all users' awareness of malicious code prevention, and check
external computers or storage devices for malicious code before they are
connected to the system;
b) It shall make provisions on the requirements for malicious code prevention,
including the authorized use of anti-malware software, upgrading of the
malicious code library, and regular scanning for and removal of malicious
code.
6.1.9.7 Management of backup and recovery
This requirement includes:
a) It shall identify the important business information, system data and
software systems that need to be regularly backed up;
b) It shall specify the backup method, backup frequency, storage medium,
storage period, etc. of backup information.
6.1.9.8 Handling of security incident
This requirement includes:
a) It shall report the security weaknesses and suspicious incidents
discovered to the security management department in a timely manner;
b) It shall clearly define the process of reporting and handling security
incidents; specify the management responsibilities for on-site handling of
security incidents, incident reporting and subsequent recovery.
6.2 Security extension requirements for cloud computing
6.2.1 Security physical environment
6.2.1.1 Infrastructure location
It shall be ensured that the cloud computing infrastructure is located in China.
6.2.2 Security communication network
6.2.2.1 Network architecture
This requirement includes:
a) It shall be ensured that the cloud computing platform does not carry
business application systems higher than its security protection level;
b) It shall achieve the isolation of virtual networks of different cloud service
customers.
6.3 Security extension requirements for mobile internet
6.3.1 Security physical environment
6.3.1.1 Physical location of wireless access point
It shall choose a reasonable location for the installation of wireless access
device, to avoid excessive coverage and electromagnetic interference.
6.3.2 Security area border
6.3.2.1 Border protection
It shall ensure that access and data flows between the wired network and the
wireless network boundary pass through the wireless access gateway device.
6.3.2.2 Access control
The wireless access device shall enable access authentication, shall not use
WEP for authentication, and, where a password is used, the password shall be
no shorter than 8 characters.
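The following is an added example, not from GB/T 22239-2019 or from the hostapd project: a check of a hostapd access point configuration against 6.3.2.2 (authentication enabled, no WEP, password of at least 8 characters). The sample configurations are constructed. Treating WPS and WPA1/TKIP as findings is this example's choice; the standard lists WPS among its abbreviations but 6.3.2.2 itself names only WEP.

```python
def parse_hostapd(text):
    """Parse key=value lines of a hostapd.conf; comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_wireless(conf):
    """Return findings against 6.3.2.2 for one access point configuration."""
    findings = []
    wpa = int(conf.get("wpa", "0"))     # hostapd: 0 = open/WEP, 1 = WPA, 2 = WPA2 (RSN), 3 = both
    key_mgmt = conf.get("wpa_key_mgmt", "")
    if wpa == 0:
        findings.append("wpa=0: no WPA/WPA2 access authentication (open or WEP network)")
    if any(k == "wep_default_key" or k.startswith("wep_key") for k in conf):
        findings.append("WEP key material configured: WEP is prohibited")
    if wpa & 1:
        findings.append("wpa=1 or 3 enables WPA1 (TKIP): use wpa=2 only")
    if wpa:
        passphrase = conf.get("wpa_passphrase")
        if passphrase is not None and len(passphrase) < 8:
            findings.append(f"wpa_passphrase is {len(passphrase)} characters: minimum is 8")
        if passphrase is None and "wpa_psk" not in conf and "WPA-EAP" not in key_mgmt:
            findings.append("no credential configured (wpa_passphrase, wpa_psk or WPA-EAP)")
    if conf.get("wps_state", "0") != "0":
        findings.append("wps_state enables WPS push-button/PIN setup: disable it")
    return findings


# Constructed sample configurations (not real deployments)
WEAK_CONF = """\
interface=wlan0
ssid=plant-floor
# legacy settings left from a vendor template
wep_default_key=0
wep_key0=1234567890
wps_state=2
"""
HARDENED_CONF = """\
interface=wlan0
ssid=plant-floor
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=Example-Passphrase-2019
ieee80211w=2
wps_state=0
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_wireless(parse_hostapd(text)) or "no findings")
```

hostapd itself refuses a `wpa_passphrase` shorter than 8 characters at startup, so the length check mainly matters for PSKs managed outside hostapd or for other vendors' configuration formats; the WEP and WPS checks catch the cases a running access point will happily accept.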
6.3.3 Security computing environment
6.3.3.1 Mobile application control
It shall have the function of selecting the application software to install and run.
6.3.4 Security building management
6.3.4.1 Procurement of mobile application software
It shall ensure that the application software installed and run on mobile
devices comes from a reliable distribution channel or is signed with a
reliable certificate.
6.4 Security extension requirements for IoT
6.4.1 Security physical environment
6.4.1.1 Physical protection of sensor node device
This requirement includes:
a) The physical environment of the sensor node device shall not cause
physical damage to the sensor node device, such as squeezing and
divided into two zones, with technical isolation measures between the
zones;
b) The interior of the industrial control system shall be divided into
different security domains according to business characteristics, with
technical isolation measures between the security domains.
6.5.3 Security area border
6.5.3.1 Access control
Access control devices shall be deployed between the industrial control system
and other systems of the enterprise, with access control policies configured;
general-purpose network services such as E-Mail, Web, Telnet, Rlogin and FTP
shall be prohibited from crossing the area border.
6.5.3.2 Wireless usage control
This requirement includes:
a) It shall provide all users (personnel, software processes or devices)
involved in wireless communication with unique identification and
authentication;
b) It shall restrict the authorization, monitoring and use of wireless
connections.
6.5.4 Security computing environment
6.5.4.1 Control device security
This requirement includes:
a) The control device itself shall implement security requirements such as
identity authentication, access control and security auditing as required by
the general requirements of the corresponding level. If the control device
cannot meet these requirements due to its constraints, the equivalent function
shall be provided by its superior control or management equipment, or achieved
by management means;
b) After sufficient testing and evaluation, patches and firmware of the control
device shall be updated without affecting the safe and stable operation of the
system.
7.1.1.6 Waterproof and moisture-proof
This requirement includes:
a) It shall take measures to prevent rainwater from penetrating through the
windows, roof and walls of the computer room;
b) It shall take measures to prevent condensation of water vapor in the
computer room and the transfer and penetration of underground
water.
7.1.1.7 Anti-static
It shall use antistatic floor slab or floor; take the necessary grounded
antistatic measures.
7.1.1.8 Temperature and humidity control
It shall provide temperature and humidity automatic adjustment facilities,
so that the temperature and humidity changes in the computer room are within
the allowable range of device operation.
7.1.1.9 Power supply
This requirement includes:
a) It shall configure the voltage stabilizers and overvoltage protection device
along the power supply lines of the computer room;
b) It shall provide a short-term backup power supply, to at least meet
the normal operating requirements of the device in the event of a
power outage.
7.1.1.10 Electromagnetic protection
Power lines and communication cables shall be laid separately to avoid
mutual interference.
7.1.2 Security communication network
7.1.2.1 Network architecture
This requirement includes:
a) It shall divide different network areas; allocate addresses to each
network area in accordance with the principles of convenient
management and control;
b) It shall avoid deploying important network areas at the borders; it
It shall detect and remove the malicious code at key network nodes; maintain
the upgrade and update of malicious code protection mechanisms.
7.1.3.5 Security audit
This requirement includes:
a) It shall carry out security audits at network boundaries and important
network nodes. The audit shall cover every user and record important user
behaviors and important security events;
b) The audit records shall include the date and time of the event, the
user, the type of event, whether the event succeeded, and other audit-
related information;
c) It shall protect the audit records and back them up regularly, so that
they cannot be deleted, modified or overwritten unexpectedly.
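The following is an added example, not from GB/T 22239-2019 or from any audit product: audit records carrying the fields 7.1.3.5 b) lists, chained by hash so that deletion, modification or reordering of records is detectable, which is the technical side of 7.1.3.5 c). The events, user names and device name are constructed. Hash chaining alone does not stop an attacker who can rewrite the whole chain; the latest hash must be copied somewhere the attacker cannot write (for example the remote log server of the security management center), and regular backup covers the rest of 7.1.3.5 c).

```python
import hashlib
import json

GENESIS = "0" * 64


def _digest(body: dict) -> str:
    """Hash of a canonical JSON serialization so field order cannot change the value."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def make_record(prev_hash, time, user, event_type, success, info=None):
    """One audit record with the fields 7.1.3.5 b) lists, plus the previous
    record's hash so the sequence is tamper-evident."""
    body = {"time": time, "user": user, "type": event_type,
            "success": success, "info": info or {}, "prev": prev_hash}
    body["hash"] = _digest(body)
    return body


def append_record(chain, time, user, event_type, success, info=None):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append(make_record(prev, time, user, event_type, success, info))
    return chain[-1]


def verify_chain(chain):
    """Return None if the chain is intact, else the index of the first record
    whose content or link to its predecessor does not check out."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != prev or _digest(body) != rec.get("hash"):
            return i
        prev = rec["hash"]
    return None


def sample_chain():
    """Constructed events at a hypothetical border device (not real logs)."""
    chain = []
    append_record(chain, "2019-12-01T08:00:00Z", "ops01", "admin_login", True,
                  {"src": "10.0.0.5"})
    append_record(chain, "2019-12-01T08:00:05Z", "ops01", "acl_change", True,
                  {"rule": "deny tcp/23"})
    append_record(chain, "2019-12-01T08:01:10Z", "unknown", "admin_login", False,
                  {"src": "203.0.113.9"})
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    print("intact:", verify_chain(chain) is None)
    chain[2]["success"] = True            # someone hides a failed login
    print("first bad record:", verify_chain(chain))
```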
7.1.3.6 Trusted verification
It may, based on a trusted root, carry out trusted verification of the system
boot program, system programs, important configuration parameters and boundary
protection applications of the boundary device; issue an alarm when it detects
that their trustworthiness has been damaged; and form the verification results
into audit records and send them to the security management center.
7.1.4 Security computing environment
7.1.4.1 Identity authentication
This requirement includes:
a) It shall identify and authenticate the users who log in. The identity
shall be unique; the authentication information shall meet complexity
requirements and be changed regularly;
b) It shall have a login-failure handling function; measures such as ending
the session, limiting the number of failed login attempts, and automatically
logging out when the login connection times out shall be configured and
enabled;
c) When remote management is performed, it shall take the necessary measures
to prevent the authentication information from being eavesdropped during
network transmission.
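The following is an added example, not from GB/T 22239-2019 or from any product: an application-level implementation of the identity authentication controls that 6.1.4.1 and 7.1.4.1 a) and b) require (unique identities, a complexity rule, lockout after repeated failures, idle-session expiry and explicit session end). The policy numbers (8 characters, 5 attempts, 15-minute lockout, 10-minute idle timeout) are this example's assumptions; the standard sets none of them. The clock is injectable so the timeouts can be exercised without waiting.

```python
import hashlib
import hmac
import os
import re
import secrets
import time

# Example policy values: assumptions of this example, not numbers the standard sets
MIN_PASSWORD_LENGTH = 8
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT_SECONDS = 10 * 60
PBKDF2_ROUNDS = 100_000


def password_meets_policy(password: str) -> bool:
    """Complexity rule used here: at least MIN_PASSWORD_LENGTH characters and
    three of the four classes lower, upper, digit, symbol."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(re.search(c, password) is not None for c in classes) >= 3


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    """Unique identities, salted password hashes, failed-attempt lockout,
    idle-session expiry and explicit logout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}       # username -> (salt, hash)
        self.failures = {}    # username -> (failed_count, locked_until)
        self.sessions = {}    # token -> (username, last_activity)

    def register(self, username: str, password: str) -> None:
        if username in self.users:
            raise ValueError("identity must be unique")
        if not password_meets_policy(password):
            raise ValueError("password does not meet the complexity policy")
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def login(self, username: str, password: str):
        """Return a session token, or None on failure or while locked out."""
        now = self.clock()
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return None                                   # still locked out
        # Hash even for unknown users so timing does not reveal valid names
        salt, stored = self.users.get(username, (bytes(16), bytes(32)))
        ok = username in self.users and hmac.compare_digest(_hash(password, salt), stored)
        if not ok:
            count += 1
            if count >= MAX_FAILED_ATTEMPTS:
                self.failures[username] = (0, now + LOCKOUT_SECONDS)
            else:
                self.failures[username] = (count, 0.0)
            return None
        self.failures.pop(username, None)
        token = secrets.token_hex(16)
        self.sessions[token] = (username, now)
        return token

    def touch(self, token: str):
        """Validate a session on each request; expire it when idle too long."""
        now = self.clock()
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, last_activity = entry
        if now - last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]                      # automatic logout
            return None
        self.sessions[token] = (username, now)
        return username

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)                    # end the session
```

Requirement c) (no eavesdropping of credentials during remote management) is not something this code can provide; it comes from running the exchange over TLS or SSH rather than Telnet or plain HTTP, which is also why 6.5.3.1 lists Telnet and Rlogin among the services to keep off the border.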
7.1.4.2 Access control
7.1.4.5 Protection of malicious code
It shall install anti-malware software or configure software with corresponding
functions; regularly upgrade and update the anti-malware code library.
7.1.4.6 Trusted verification
It may, based on a trusted root, carry out trusted verification of the system
boot program, system programs, important configuration parameters and
application programs of the computing device; issue an alarm when it detects
that their trustworthiness has been damaged; and form the verification results
into audit records and send them to the security management center.
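The following is an added example, not from GB/T 22239-2019 or from any TPM vendor: a software model of the trusted verification described in 6.1.4.5, 7.1.3.6 and 7.1.4.6. Each boot component is measured and the measurement is folded into a register the way a TPM PCR is extended (PCR_new = SHA-256(PCR_old || measurement)), so the final value depends on every component and on their order. The value is compared with a golden value recorded when the device was known-good; a mismatch raises an alarm and yields the audit record the Level 2 text sends to the security management center. The component contents and the device name are constructed; a real deployment reads the PCRs from the TPM rather than computing them in Python.

```python
import hashlib
import hmac

PCR_RESET = bytes(32)              # a SHA-256 PCR starts as all zeros


def measure(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_chain(components):
    """components: (name, bytes) in boot order. Returns (final PCR, event log)."""
    pcr, log = PCR_RESET, []
    for name, blob in components:
        m = measure(blob)
        log.append((name, m))
        pcr = extend(pcr, m)
    return pcr, log


def first_mismatch(log, golden_log):
    """Name of the first component whose measurement differs from the golden log."""
    for (name, m), (_, expected) in zip(log, golden_log):
        if m != expected:
            return name
    if len(log) != len(golden_log):
        return "chain length"
    return None


def verify_boot(components, golden_pcr, golden_log, device="gw-01"):
    """Compare the measured chain with the golden values; return (ok, audit record)."""
    pcr, log = measure_chain(components)
    ok = hmac.compare_digest(pcr, golden_pcr)
    record = {                              # what goes to the security management center
        "device": device,
        "event": "trusted_verification",
        "result": "pass" if ok else "ALARM: trust chain broken",
        "first_mismatch": None if ok else first_mismatch(log, golden_log),
        "expected": golden_pcr.hex(),
        "actual": pcr.hex(),
    }
    return ok, record


# Constructed boot components (stand-ins for real binaries and configuration)
GOOD_BOOT = [
    ("bootloader", b"example bootloader image v2.06"),
    ("kernel", b"example kernel image 5.4"),
    ("config", b"root=/dev/sda1 quiet"),
    ("border-app", b"example border protection daemon 1.0"),
]
GOLDEN_PCR, GOLDEN_LOG = measure_chain(GOOD_BOOT)   # recorded at provisioning


def tampered_boot():
    """Same chain with the kernel command line altered."""
    return [(n, b"root=/dev/sda1 quiet init=/bin/sh" if n == "config" else b)
            for n, b in GOOD_BOOT]


if __name__ == "__main__":
    print(verify_boot(GOOD_BOOT, GOLDEN_PCR, GOLDEN_LOG)[1]["result"])
    print(verify_boot(tampered_boot(), GOLDEN_PCR, GOLDEN_LOG)[1])
```

The event log is what makes the alarm actionable: the PCR alone says only that something changed, while the per-component measurements say which component, which is the difference between a page and a root-cause.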
7.1.4.7 Data integrity
It shall use checking techniques to ensure the integrity of important data
during transmission.
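The following is an added example, not from GB/T 22239-2019: why the checking technique in 6.1.4.6 and 7.1.4.7 should be a keyed message authentication code rather than a bare checksum. A CRC detects accidental corruption, but an attacker who can modify data in transit can recompute it; an HMAC with a key the attacker does not hold cannot be recomputed. The key, the payload and the attacker model are constructed for this example.

```python
import hashlib
import hmac
import zlib

TAG_LEN = 32                                            # SHA-256 HMAC tag length
KEY = b"example shared key, provisioned out of band"    # constructed for this example


def crc_protect(data: bytes) -> bytes:
    return data + zlib.crc32(data).to_bytes(4, "big")


def crc_verify(frame: bytes):
    """Return the payload if the CRC matches, else None."""
    data, trailer = frame[:-4], frame[-4:]
    return data if zlib.crc32(data).to_bytes(4, "big") == trailer else None


def mac_protect(data: bytes, key: bytes) -> bytes:
    return data + hmac.new(key, data, hashlib.sha256).digest()


def mac_verify(frame: bytes, key: bytes):
    """Return the payload if the HMAC tag is valid, else None (constant-time compare)."""
    data, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, data, hashlib.sha256).digest()
    return data if hmac.compare_digest(tag, expected) else None


def attacker_rewrite(frame: bytes, old: bytes, new: bytes, key_guess: bytes, keyed: bool) -> bytes:
    """Man-in-the-middle model: strip the trailer, edit the payload and rebuild
    the trailer with what the attacker has. A CRC needs nothing; an HMAC needs
    the key, which the attacker can only guess."""
    trailer_len = TAG_LEN if keyed else 4
    data = frame[:-trailer_len].replace(old, new)
    return mac_protect(data, key_guess) if keyed else crc_protect(data)


MESSAGE = b'{"account":"alice","amount":100}'          # constructed payload


def demo():
    """Return which check accepts the attacker's rewrite of the account name."""
    crc_forged = attacker_rewrite(crc_protect(MESSAGE), b"alice", b"mallory", b"", keyed=False)
    mac_forged = attacker_rewrite(mac_protect(MESSAGE, KEY), b"alice", b"mallory",
                                  b"guessed key", keyed=True)
    return {
        "crc_accepts_forgery": crc_verify(crc_forged) is not None,
        "hmac_accepts_forgery": mac_verify(mac_forged, KEY) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

A MAC gives integrity and origin for each message but not replay protection; a sequence number or timestamp inside the authenticated payload covers that. In practice the transport (TLS, IPsec, SSH) supplies all of this, and the MAC shown here is what those protocols apply per record.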
7.1.4.8 Data backup and recovery
This requirement includes:
a) It shall provide the local data backup and recovery functions for important
data;
b) It shall provide the offsite data backup function; use the
communication network to transmit the important data to the
standby site in batches regularly.
7.1.4.9 Protection of residual information
It shall be ensured that the storage space where the authentication information
is located is completely cleared before it is released or reallocated.
7.1.4.10 Personal information protection
This requirement includes:
a) It shall collect and store only user personal information necessary
for business;
b) It shall prohibit the unauthorized access and illegal use of user’s
personal information.
7.1.5 Security management center
7.1.5.1 System management
systems;
b) The security management system shall be released in a formal and
effective manner and the version shall be controlled.
7.1.6.4 Review and revision
It shall regularly review and evaluate the rationality and applicability of
the security management system, and revise the parts that are deficient or
need improvement.
7.1.7 Security management agency
7.1.7.1 Post settings
This requirement includes:
a) It shall establish a functional department for network security
management, with positions of security supervisors and responsible
persons in all aspects of security management, defining the
responsibilities of each responsible person;
b) It shall establish such posts as system administrator, audit administrator,
security administrator; define the responsibilities of the department and
each post.
7.1.7.2 Staffing
There shall be a certain number of system administrators, audit administrators,
security administrators.
7.1.7.3 Authorization and approval
This requirement includes:
a) It shall, based on the obligations of each department and post, clarify the
authorization items, departments and approvers;
b) It shall implement the approval process based on the matters such
as system changes, important operations, physical access, system
access.
7.1.7.4 Communication and cooperation
This requirement includes:
a) It shall enhance the cooperation and communication between
various management personnel, internal organizations and network
security management departments; regularly hold coordination
accesses the controlled network access system. After approval, a
special person will open an account, assign permissions, register for
reference;
c) It shall revoke all access rights of external personnel promptly after
they leave.
7.1.9 Security building management
7.1.9.1 Classification and filing
This requirement includes:
a) It shall describe the security protection level of the protected object and
the method and reason for determining the level in written form;
b) It shall organize the relevant departments and relevant security
technical experts to demonstrate and verify the rationality and
correctness of the classification results;
c) It shall be ensured that the classification results are approved by
relevant departments;
d) It shall report the filing materials to the competent authority and the
corresponding public security organs for archive.
7.1.9.2 Security scheme design
This requirement includes:
a) It shall select the basic security measures according to the security
protection level, and supplement and adjust the security measures according
to the results of the risk analysis;
b) It shall design the security scheme based on the security protection
level of the protected object;
c) It shall organize the relevant departments and relevant security
experts to demonstrate and verify the rationality and correctness of
the security scheme; it shall be formally implemented only after
approval.
7.1.9.3 Product procurement and use
This requirement includes:
a) It shall be ensured that the procurement and use of cybersecurity products
comply with relevant national regulations;
This requirement includes:
a) It shall establish a handover checklist; count all device, software, and
documentation as handed over according to the handover checklist;
b) It shall provide corresponding technical training to the technical personnel
responsible for operation and maintenance;
c) It shall provide the documents of construction process and operation &
maintenance.
7.1.9.9 Classified evaluation
This requirement includes:
a) It shall carry out classified evaluation regularly and promptly rectify any
failure to meet the requirements of the corresponding level of protection
standards;
b) It shall carry out classified evaluation when there is a major change or a
change of level;
c) It shall ensure that the selection of the evaluation agency conforms to the
relevant national regulations.
7.1.9.10 Selection of service provider
This requirement includes:
a) It shall be ensured that the selection of service providers conforms to the
relevant national regulations;
b) It shall sign related agreement with the selected service provider, to
clarify the cybersecurity-related obligations to be fulfilled by all
parties in the service supply chain.
7.1.10 Security operations management
7.1.10.1 Environmental management
This requirement includes:
a) It shall appoint a special department or person to be responsible for the
security of the computer room, to manage the access to the computer
room, to regularly maintain and manage t......