
GB/T 22239-2019 English PDF


BASIC DATA
Standard ID GB/T 22239-2019 (GB/T22239-2019)
Description (Translated English) Information security technology -- Baseline for classified protection of cybersecurity
Sector / Industry National Standard (Recommended)
Classification of Chinese Standard L80
Classification of International Standard 35.040
Word Count Estimation 90,933
Date of Issue 2019-05-10
Date of Implementation 2019-12-01
Older Standard (superseded by this standard) GB/T 22239-2008
Quoted Standard GB 17859; GB/T 22240; GB/T 25069; GB/T 31167-2014; GB/T 31168-2014; GB/T 32919-2016
Drafting Organization The Third Research Institute of the Ministry of Public Security (Information Security Level Protection Evaluation Center of the Ministry of Public Security), Information Center of the National Energy Administration, Alibaba Cloud Computing Co., Ltd., Institute of Information Engineering, Chinese Academy of Sciences (State Key Laboratory of Information Security), Xinhua Three Technology Co., Ltd., Huawei Technologies Co., Ltd., Venus Star Information Technology Group Co., Ltd., Beijing Dingpu Technology Co., Ltd., China Electronics Information Industry Group Co., Ltd. Sixth Research Institute, Ministry of Public Security First Research Institute, State Information Center, Shandong Differential Electronic Technology Co., Ltd., the 15th Research Institute of China Electronics Technology Group Corporation (Information Industry Information Security Evaluation Center), Zhejiang University, the Computer and Microelectronics Development Research Center of the Ministry of Industry and Information Technology (China Software Evaluation Center), Zhejiang Guoli Xinan Technology Co., Ltd., Mechanical industry instrument
Administrative Organization National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing organization National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies) State Administration for Market Regulation, China National Standardization Administration
Summary This standard specifies the general security requirements and security extension requirements for the first-level to fourth-level protection objects of network security level protection. This standard is applicable to guide the security construction and supervision and management of classified non-confidential objects.

GB/T 22239-2019
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 22239-2008

Information security technology - Baseline for classified protection of cybersecurity

ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: State Market Regulatory Administration; Standardization Administration of PRC.

Table of Contents
Foreword ... 4
Introduction ... 6
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 8
4 Abbreviations ... 11
5 Overview of classified protection of cybersecurity ... 12
5.1 Object under classified protection ... 12
5.2 Different classes of security protection ability ... 12
5.3 General security requirements and security extension requirements ... 13
6 Level 1 security requirements ... 14
6.1 General security requirements ... 14
6.2 Security extension requirements of cloud computing ... 20
6.3 Security extension requirements of mobile internet ... 22
6.4 Security extension requirements for IoT ... 22
6.5 Security extension requirements for industrial control systems ... 23
7 Level 2 security requirements ... 25
7.1 General security requirements ... 25
7.2 Extension requirements for cloud computing security ... 40
7.3 Extension requirements for mobile Internet security ... 43
7.4 Extension requirements for IoT security ... 45
7.5 Security extension requirements for industrial control systems ... 46
8 Level 3 security requirements ... 48
8.1 General security requirements ... 48
8.2 Extension requirements for cloud computing security ... 71
8.3 Extension requirements for mobile Internet security ... 76
8.4 Extension requirements for IoT security ... 78
8.5 Security extension requirements for industrial control systems ... 80
9 Level 4 security requirements ... 83
9.1 General security requirements ... 83
9.2 Extension requirements for cloud computing security ... 106
9.3 Extension requirements for mobile internet security ... 111
9.4 Extension requirements for IoT security ... 113
9.5 Extension requirements for security of industrial control systems ... 116
10 Level 5 security requirements ... 119
Appendix A (Normative) Selection and use of general security requirements and security extension requirements ... 120
Appendix B (Normative) Requirements on overall security protection ability of the object under classified protection ... 124
Appendix C (Normative) Security framework of classified protection and requirements for key technology use ... 126
Appendix D (Informative) Description of cloud computing application scenarios ... 129
Appendix E (Informative) Description of mobile internet application scenarios ... 130
Appendix F (Informative) Description of IoT application scenario ... 131
Appendix G (Informative) Description of application scenarios of industrial control systems ... 133
Appendix H (Informative) Descriptions on big data application scenarios ... 137
References ... 145

Information security technology - Baseline for classified protection of cybersecurity

1 Scope
This standard specifies the general security requirements and security extension requirements for the object under classified protection from level 1 to level 4 of the classified protection of cybersecurity. This standard is applicable to guide the security construction and supervision administration of non-confidential objects in different classes.
Note: The class-5 protection object is a very important supervision and management object. It has special management modes and security requirements, so it is not described in this standard.

2 Normative references
The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) is applicable to this standard.
GB 17859 Classified criteria for security protection of computer information system
GB/T 22240 Information security technology - Classification guide for classified protection of information system security
GB/T 25069 Information security technology glossary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 31168-2014 Information security technology - Security ability requirements of cloud computing services
GB/T 32919-2016 Information security technology - Application guide to industrial control system security control

3.5 Cloud service customer
Participants who use cloud computing services to establish business relationships with cloud service providers. [GB/T 31168-2014, definition 3.4]

3.6 Cloud computing platform / system
A collection of cloud computing infrastructure and service software provided by a cloud service provider.

3.7 Hypervisor
An intermediate software layer that runs between the underlying physical server and the operating system, allowing multiple operating systems and applications to share hardware.

3.8 Host machine
The physical server running the hypervisor.

3.9 Mobile communication
The process of using a wireless communication technology to connect a mobile device to a wired network.

3.10 Mobile device
Terminal device used in mobile business, including general-purpose terminals and special-purpose terminal device such as smart phones, tablets, personal computers.

3.11 Wireless access device
A communication device that uses wireless communication technology to

WEP: Wired Equivalent Privacy
WPS: WiFi Protected Setup

5 Overview of classified protection of cybersecurity

5.1 Object under classified protection
The object under classified protection refers to the objects in the classified protection of cybersecurity. It usually refers to a system consisting of computers or other information terminals and related device that collects, stores, transmits, exchanges, processes information in accordance with certain rules and procedures. It mainly includes basic information networks, cloud computing platforms / systems, big data applications / platforms / resources, Internet of Things (IoT), industrial control systems, systems using mobile internet technologies.
The object under classified protection is, based on the degree of harm to national security, economic construction, and social life, and the degree of harm to national security, social order, public interests, the legitimate rights and interests of citizens, legal persons, and other organizations after damage, divided into five protection classes from low to high. See GB/T 22240 for the method of determining the security protection level of the protected object.

5.2 Different classes of security protection ability
The basic security protection abilities that different classes of protected objects shall possess are as follows:
Level 1 security protection ability: It shall be able to protect against critical resource damage caused by malicious attacks from individuals, threat sources with few resources, general natural disasters, other threats of a considerable degree of harm. After the damage, it may restore some functions.
Level 2 security protection ability: It shall be able to protect against important resource damage caused by malicious attacks from small external sources, threat sources with a small amount of resources, general natural disasters, other threats of considerable harm. It may find important security loopholes and handle security incidents, restore some functions within a period of time after they are damaged.
Level 3 security protection ability: It shall be able to protect against important resource damage caused by malicious attacks from externally organized groups, threat sources with richer resources, more severe natural disasters,

scenarios of cloud computing are as shown in Appendix D; the application scenarios of mobile Internet are as shown in Appendix E; the IoT application scenarios are as shown in Appendix F; the application scenarios of industrial control system are as shown in Appendix G; the application scenarios of big data are as shown in Appendix H. For the objects under classified protection that use other special technologies or in special application scenarios, it shall take special security measures as a supplement to security risks on the basis of security risk assessment.

6 Level 1 security requirements

6.1 General security requirements

6.1.1 Security physical environment

6.1.1.1 Physical access control
At the entrance and exit of the computer room, it shall assign a special person on duty or equip with an electronic access control system to control, identify and record the entering personnel.

6.1.1.2 Protection against theft and vandalism
Device or main components shall be fixed and identified with obvious signs that are not easy to remove.

6.1.1.3 Lightning protection
All kinds of cabinets, facilities and device shall be safely grounded through the grounding system.

6.1.1.4 Fire prevention
The computer room shall be equipped with fire extinguishing device.

6.1.1.5 Waterproof and moisture-proof
It shall take measures to prevent rainwater from penetrating through the windows, roof and walls of the computer room.

6.1.1.6 Temperature and humidity control
It shall set necessary temperature and humidity adjustment facilities, so that the temperature and humidity changes in the computer room are within the range allowed by the device operation.

This requirement includes:
a) It shall identify and authenticate the identity of the logged-in user.
The identity is unique; the identity authentication information has complexity requirements and is replaced regularly;
b) It shall have the function of handling the login failure; it shall be configured and enabled to end the session, limit the number of illegal logins, automatically log out when the login connection times out.

6.1.4.2 Access control
This requirement includes:
a) It shall assign accounts and permissions to logged-in users;
b) It shall rename or delete the default account; modify the default password of the default account;
c) It shall delete or deactivate the redundant and expired accounts in time, to avoid the existence of shared accounts.

6.1.4.3 Intrusion prevention
This requirement includes:
a) It shall follow the principle of minimum installation, to install only the required components and applications;
b) It shall close the unnecessary system services, default shares and high-risk ports.

6.1.4.4 Prevention of malicious code
It shall install anti-malware software or configure software with corresponding functions; regularly upgrade and update the anti-malware code library.

6.1.4.5 Trusted authentication
It may, based on the trusted root, carry out the trusted authentication of the system boot program, system program, etc. of the boundary device; issue an alarm when detecting the damage of the credibility of the device.

6.1.4.6 Data integrity
It shall use the checking techniques to ensure integrity of important data during transmission.

6.1.4.7 Data backup and recovery

6.1.8 Security building management

6.1.8.1 Grading and filing
It shall state the security protection level of the protected object and the method and reason for grading in a written form.

6.1.8.2 Security scheme design
It shall select the basic security measures according to the security protection level; it shall supplement and adjust the security measures according to the results of the risk analysis.

6.1.8.3 Product procurement and use
It shall be ensured that the procurement and use of cyber security products comply with relevant national regulations.

6.1.8.4 Project implementation
It shall designate or authorize a special department or person to manage the project implementation process.

6.1.8.5 Testing and acceptance
It shall perform a security testing and acceptance.

6.1.8.6 System handover
This requirement includes:
a) It shall establish a handover checklist; it shall count the device, software, and documentation as handed over according to the handover checklist;
b) It shall train the technical personnel responsible for operation and maintenance accordingly.

6.1.8.7 Selection of service provider
This requirement includes:
a) It shall be ensured that the selection of service providers conforms to the relevant national regulations;
b) It shall sign a security-related agreement with the selected service provider, clearly stipulating the relevant responsibilities.

6.1.9 Security operation and maintenance management

a) It shall enhance all users' awareness of anti-malicious code; it shall perform malicious code inspection before external computers or storage devices are connected to the system;
b) It shall make provisions for requirements of malicious code prevention, including the authorized use of anti-malware software, the upgrade of malicious code libraries, regular killing of malicious code.

6.1.9.7 Management of backup and recovery
This requirement includes:
a) It shall identify the important business information, system data and software systems that need to be regularly backed up;
b) It shall specify the backup method, backup frequency, storage medium, storage period, etc. of backup information.

6.1.9.8 Handling of security incident
This requirement includes:
a) It shall report the security weaknesses and suspicious incidents discovered to the security management department in a timely manner;
b) It shall clearly define the process of reporting and handling security incidents; specify the management responsibilities for on-site handling of security incidents, incident reporting and subsequent recovery.

6.2 Security extension requirements of cloud computing

6.2.1 Security physical environment

6.2.1.1 Infrastructure location
It shall be ensured that the cloud computing infrastructure is located in China.

6.2.2 Security communication network

6.2.2.1 Network architecture
This requirement includes:
a) It shall be ensured that the cloud computing platform does not carry business application systems higher than its security protection level;
b) It shall achieve the isolation of virtual networks of different cloud service customers.

6.3 Security extension requirements of mobile internet

6.3.1 Security physical environment

6.3.1.1 Physical location of wireless access point
It shall choose a reasonable location for the installation of wireless access device, to avoid excessive coverage and electromagnetic interference.

6.3.2 Security area border

6.3.2.1 Border protection
It shall ensure that the access and data flow between the wired and wireless network boundaries are connected into the security gateway device through wireless access.

6.3.2.2 Access control
The wireless access device shall enable the access authentication function; prohibit the use of WEP for authentication; in case of use of passwords, the length is not less than 8 characters.

6.3.3 Security computing environment

6.3.3.1 Mobile application control
It shall have the function of selecting the application software to install and run.
6.3.4 Security building management

6.3.4.1 Procurement of mobile application software
It shall be ensured that the application software installed and running on the mobile device comes from a reliable distribution channel or is signed with a reliable certificate.

6.4 Security extension requirements for IoT

6.4.1 Security physical environment

6.4.1.1 Physical protection of sensor node device
This requirement includes:
a) The physical environment of the sensor node device shall not cause physical damage to the sensor node device, such as squeezing and

divided into two regions; it shall take technical isolation means between the regions;
b) The interior of the industrial control system shall be divided into different security domains according to business characteristics; it shall take technical isolation methods between security domains.

6.5.3 Security area border

6.5.3.1 Access control
It shall deploy the access control device between the industrial control system and other systems of the enterprise; configure access control policies; prohibit any universal network services such as E-Mail, Web, Telnet, Rlogin, FTP, etc. that cross the area border.

6.5.3.2 Wireless usage control
This requirement includes:
a) It shall provide all users (personnel, software processes or device) involved in wireless communication with unique identification and authentication;
b) It shall restrict the authorization, monitoring, enforcement of wireless connections.

6.5.4 Security computing environment

6.5.4.1 Control device security
This requirement includes:
a) The control device itself shall implement the security requirements such as identity authentication, access control, security auditing, as required by the general requirements of the corresponding level of security. If the control device cannot achieve the above requirements due to condition restrictions, it shall be controlled by its superior level or the management equipment shall achieve the equivalent function or it is controlled by management means;
b) After sufficient testing and evaluation, it shall update the patch and hardware of the control device without affecting the safe and stable operation of the system.

7.1.1.6 Waterproof and moisture-proof
This requirement includes:
a) It shall take measures to prevent rainwater from penetrating through the windows, roof and walls of the computer room;
b) It shall take measures to prevent condensation of water vapor in the computer room and the transfer and penetration of underground water.

7.1.1.7 Anti-static
It shall use antistatic floor slab or floor; take the necessary grounded antistatic measures.

7.1.1.8 Temperature and humidity control
It shall provide temperature and humidity automatic adjustment facilities, so that the temperature and humidity changes in the computer room are within the allowable range of device operation.

7.1.1.9 Power supply
This requirement includes:
a) It shall configure the voltage stabilizers and overvoltage protection device along the power supply lines of the computer room;
b) It shall provide a short-term backup power supply, to at least meet the normal operating requirements of the device in the event of a power outage.

7.1.1.10 Electromagnetic protection
Power lines and communication cables shall be laid separately to avoid mutual interference.

7.1.2 Security communication network

7.1.2.1 Network architecture
This requirement includes:
a) It shall divide different network areas; allocate addresses to each network area in accordance with the principles of convenient management and control;
b) It shall avoid deploying important network areas at the borders; it

It shall detect and remove the malicious code at key network nodes; maintain the upgrade and update of malicious code protection mechanisms.

7.1.3.5 Security audit
This requirement includes:
a) It shall carry out security audits at network boundaries and important network nodes. The audit covers each user and audits important user behaviors and important security events;
b) The audit records shall include the date and time of the event, the user, the type of event, the success or not of the event, other audit-related information;
c) It shall protect the audit records and carry out backup regularly, to avoid them from being deleted, modified or overwritten unexpectedly.

7.1.3.6 Trusted authentication
It may, based on the trusted root, carry out trusted authentication of the system boot program, system program, important configuration parameters, boundary protection applications of the boundary device; issue an alarm when detecting a damage of credibility; form the verification results into audit record and send it to the security management center.

7.1.4 Security computing environment

7.1.4.1 Identity
This requirement includes:
a) It shall identify and authenticate the identity of the logged-in user. The identity is unique; the identity authentication information has complexity requirements and is replaced regularly;
b) It shall have the function of handling login failure; it shall be configured and enabled to end the session, limit the number of illegal logins, automatically log out when the login connection times out;
c) When remote management is performed, it shall take necessary measures to prevent eavesdropping of authentication information during network transmission.

7.1.4.2 Access control

7.1.4.5 Protection of malicious code
It shall install anti-malware software or configure software with corresponding functions; regularly upgrade and update the anti-malware code library.

7.1.4.6 Trusted authentication
It may, based on the trusted root, carry out trusted authentication of the system boot program, system program, important configuration parameters, boundary protection applications of the boundary device; issue an alarm when detecting a damage of credibility; form the verification results into audit record and send it to the security management center.

7.1.4.7 Data integrity
It shall use the checking technology to ensure the integrity of important data during transmission.

7.1.4.8 Data backup and recovery
This requirement includes:
a) It shall provide the local data backup and recovery functions for important data;
b) It shall provide the offsite data backup function; use the communication network to transmit the important data to the standby site in batches regularly.

7.1.4.9 Protection of residual information
It shall be ensured that the storage space where the authentication information is located is completely cleared before it is released or reallocated.

7.1.4.10 Personal information protection
This requirement includes:
a) It shall collect and store only user personal information necessary for business;
b) It shall prohibit the unauthorized access and illegal use of user's personal information.
7.1.5 Security management center

7.1.5.1 System management

systems;
b) The security management system shall be released in a formal and effective manner and the version shall be controlled.

7.1.6.4 Review and revision
It shall regularly demonstrate and audit the rationality and applicability of the security management system; revise the security management system that has deficiencies or needs improvement.

7.1.7 Security management agency

7.1.7.1 Post settings
This requirement includes:
a) It shall establish a functional department for network security management, with positions of security supervisors and responsible persons in all aspects of security management, defining the responsibilities of each responsible person;
b) It shall establish such posts as system administrator, audit administrator, security administrator; define the responsibilities of the department and each post.

7.1.7.2 Staffing
There shall be a certain number of system administrators, audit administrators, security administrators.

7.1.7.3 Authorization and approval
This requirement includes:
a) It shall, based on the obligations of each department and post, clarify the authorization items, departments and approvers;
b) It shall implement the approval process based on the matters such as system changes, important operations, physical access, system access.

7.1.7.4 Communication and cooperation
This requirement includes:
a) It shall enhance the cooperation and communication between various management personnel, internal organizations and network security management departments; regularly hold coordination

accesses the controlled network access system. After approval, a special person will open an account, assign permissions, register for reference;
c) It shall clear all the access rights of external personnel in a timely manner after leaving.

7.1.9 Security building management

7.1.9.1 Classification and filing
This requirement includes:
a) It shall describe the security protection level of the protected object and the method and reason for determining the level in written form;
b) It shall organize the relevant departments and relevant security technical experts to demonstrate and verify the rationality and correctness of the classification results;
c) It shall be ensured that the classification results are approved by relevant departments;
d) It shall report the filing materials to the competent authority and the corresponding public security organs for archive.

7.1.9.2 Security scheme design
This requirement includes:
a) It shall be based on the security protection level to select the basic security measures; be based on the results of the risk analysis to supplement and adjust the security measures;
b) It shall design the security scheme based on the security protection level of the protected object;
c) It shall organize the relevant departments and relevant security experts to demonstrate and verify the rationality and correctness of the security scheme; it shall be formally implemented only after approval.

7.1.9.3 Product procurement and use
This requirement includes:
a) It shall be ensured that the procurement and use of cybersecurity products comply with relevant national regulations;

This requirement includes:
a) It shall establish a handover checklist; count all device, software, and documentation as handed over according to the handover checklist;
b) It shall provide corresponding technical training to the technical personnel responsible for operation and maintenance;
c) It shall provide the documents of construction process and operation & maintenance.

7.1.9.9 Evaluation of leveling
This requirement includes:
a) It shall carry out level assessments regularly and timely make rectifications if finding failure to meet the requirements of the corresponding level protection standards;
b) It shall carry out level evaluation when there is a major change or a level change;
c) It shall be ensured that the selection of the evaluation agency conforms to the relevant national regulations.

7.1.9.10 Selection of service provider
This requirement includes:
a) It shall be ensured that the selection of service providers conforms to the relevant national regulations;
b) It shall sign related agreement with the selected service provider, to clarify the cybersecurity-related obligations to be fulfilled by all parties in the service supply chain.

7.1.10 Security operations management

7.1.10.1 Environmental management
This requirement includes:
a) It shall appoint a special department or person to be responsible for the security of the computer room, to manage the access to the computer room, to regularly maintain and manage t...... ...