GB/T 22240-2008 (GBT22240-2008)

GB/T 22240-2008 (English version): Information security technology -- Classification guide for classified protection of information system security. Status: Obsolete.

BASIC DATA
Standard ID: GB/T 22240-2008 (GB/T22240-2008)
Description (Translated English): Information security technology. Classification guide for classified protection of information system security
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 11,162
Date of Issue: 2008-06-19
Date of Implementation: 2008-11-01
Quoted Standards: GB/T 5271.8; GB 17859
Drafting Organization: Ministry of Public Security Information Security Protection Evaluation Center
Administrative Organization: National Information Security Standardization Technical Committee
Regulation (derived from): Announcement of Newly Approved National Standards No. 10 of 2008 (total 123)
Proposing Organization: Ministry of Public Security and the National Information Security Standardization Technical Committee
Issuing Agencies: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of China
Summary: This standard specifies the classification method for classified protection of information system security and provides guidance for applying that classification.

GB/T 22240-2008
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information Security Technology - Classification Guide
for Classified Protection of Information System Security
ISSUED ON: JUNE 19, 2008
IMPLEMENTED ON: NOVEMBER 1, 2008
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Principle of Classification
5 Classification Method
6 Level Alternation
1 Scope
This Standard stipulates the classification method for classified protection of information system security. It applies to guiding the classification of information systems for classified security protection.
2 Normative References
Through reference in this Standard, the clauses of the following documents become clauses of this Standard. For dated references, subsequent amendments (excluding corrigenda) or revisions do not apply to this Standard; however, parties reaching agreements based on this Standard are encouraged to investigate whether the latest editions of these documents can be applied. For undated references, the latest edition applies to this Standard.
GB/T 5271.8 Information Technology - Vocabulary - Part 8: Security (GB/T 5271.8-2001, idt ISO/IEC 2382-8: 1998)
GB 17859 Classified Criteria for Security Protection of Computer Information System
3 Terms and Definitions
Terms and definitions in GB/T 5271.8 and GB 17859, and the following terms and
definitions are applicable to this Standard.
3.1 Target of Classified Security
The target of classified security is the specific information and information system on which the classified protection of information security directly acts.
3.2 Object
The object is the social relation protected by law that is violated when the target of classified security is damaged. Such social relations include national security, social order, public interest, and the legitimate interests of citizens, juridical persons or other organizations.
two aspects: business information security and system service security.
Classified protection of information system security, which is reflected from the
perspective of business information security, is known as classified protection of
business information security.
Classified protection of information system security, which is reflected from the
perspective of system service security, is known as classified protection of system
service security.
The general process of determining the classified protection level of information system security is as follows:
a) Determine information system, which is deemed as the target of classification;
b) Determine the object being violated when business information security is
destroyed;
c) In accordance with different objects being violated, from multiple aspects,
comprehensively evaluate the degree of violation of the object caused by the
destroyed business information security;
d) In accordance with Table 2, obtain classified protection of business information
security;
e) Determine the object being violated when system service security is destroyed;
f) In accordance with different objects being violated, from multiple aspects,
comprehensively evaluate the degree of violation of the object caused by the
destroyed system service security;
g) In accordance with Table 3, obtain classified protection of system service
security;
h) Take the higher of the classified protection level of business information security and the classified protection level of system service security as the classified security protection level of the target.
The above-mentioned steps and general process of determining classified protection
are shown in Figure 1.
b) Have essential elements of information system. The information system, which
is the target of classification, shall be a tangible entity constituted of relevant
and matching equipment and facilities in accordance with certain application
objectives and rules. Avoid considering a certain individual system component,
for example, server, terminal or network equipment, as the target of
classification.
c) Undertake an individual or relatively independent business application. An "individual" business application undertaken by the target of classification means that the business flow of the application is independent, that there is no data exchange with other business applications, and that the application has exclusive use of all the information processing equipment. A "relatively independent" business application undertaken by the target of classification means that the main business flow of the application is independent while a small amount of data is exchanged with other business applications; the target of classification might share some equipment with other business applications, especially network transmission equipment.
5.3 Determination of Violated Object
When the target of classification is destroyed, the object being violated includes
national security, social order, public interest, and legitimate interest of citizens,
juridical persons and other organizations.
Matters that violate national security include the following aspects:
---Affect the stability of state power and national defense capability;
---Affect national unity, ethnic solidarity and social stability;
---Affect the state’s political and economic interest in foreign activities;
---Affect the state’s important safety and security work;
---Affect national economic competitiveness and scientific and technological
strength;
---Other matters that affect national security.
Matters that violate social order include the following aspects:
---Affect national government offices’ working order in social management and
public services;
---Affect the order of various types of economic activities;
---Affect the order of scientific research and production in various industries;
---Lead to decreased business capability;
---Cause legal disputes;
---Cause financial loss;
---Cause adverse social influence;
---Cause loss on other organizations and individuals;
---Other influence.
5.4.2 Comprehensive determination of violation degree
The degree of violation is a comprehensive reflection of different outward manifestations in the objective aspect. Hence, first determine the degree of violation separately for each violated object and each consequence of violation. For different consequences, the method used to determine the violation degree and the perspective taken into consideration might differ. For example, the decrease in business capability caused by impaired system service security may be assessed through aspects such as the area covered by the information system's service, the number of users or the volume of business. The financial loss caused by impaired information security may be assessed through aspects such as direct capital loss and indirect information recovery cost.
When determining the violation degree of different violated objects, the following
different determination criteria may be used as a reference:
---If the violated object is legitimate interest of citizens, juridical persons or other
organizations, then, the overall interest of citizens and juridical persons
themselves, or organizations themselves, shall be considered as the criterion
of determining the violation degree;
---If the violated object is social order, public interest or national security, then, the
overall interest of the whole industry or nation shall be considered as the
criterion of determining the violation degree.
The three degrees of violation for the different consequences of violation are described below:
---General violation: job functions are partially affected, business capability is
decreased to a certain extent, but the execution of main functions is not affected.
There are slight legal problems, low financial loss, limited adverse influence on
the society, and relatively low violation of other organizations and individuals.
---Severe violation: job functions are severely affected, business capability is
significantly decreased, and the execution of main functions is severely affected.
There are relatively severe legal problems, high financial loss, a relatively wide
...