
GB/T 25058-2010 (GBT25058-2010)


BASIC DATA
Standard ID GB/T 25058-2010 (GB/T25058-2010)
Description (Translated English) Information security technology. Implementation guide for classified protection of information system
Sector / Industry National Standard (Recommended)
Classification of Chinese Standard L80
Classification of International Standard 35.040
Word Count Estimation 34,348
Date of Issue 2010-09-02
Date of Implementation 2011-02-01
Quoted Standard GB/T 5271.8; GB 17859-1999; GB/T 22240-2008
Drafting Organization Ministry of Public Security Information Security Protection Evaluation Center
Administrative Organization Standardization Technical Committee of the National Information Security
Regulation (derived from) Announcement of Newly Approved National Standards No. 4 of 2010 (total 159)
Proposing organization Ministry of Public Security and the National Information Security Standardization Technical Committee
Issuing agency(ies) Administration of Quality Supervision, Inspection and Quarantine of People's Republic of China; Standardization Administration of China
Summary This standard specifies the implementation process of classified security protection for information systems and is applicable to guiding the implementation of information system security protection,


GB/T 25058-2010
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Information Security Technology - Implementation
Guide for Classified Protection of Information System
ISSUED ON: SEPTEMBER 2, 2010
IMPLEMENTED ON: FEBRUARY 1, 2011
Issued by: General Administration of Quality Supervision, Inspection and Quarantine;
Standardization Administration of the People’s Republic of China.
Table of Contents
Foreword ... 4 
Introduction ... 5 
1 Scope ... 7 
2 Normative References ... 7 
3 Terms and Definitions ... 7 
4 An Overview of Classified Protection Implementation ... 8 
4.1 Fundamental Principle ... 8
4.2 Roles and Responsibilities ... 8
4.3 Basic Flow of Implementation ... 10
5 Classification of Information System ... 11 
5.1 Workflow of Classification of Information System ... 11
5.2 Information System Analysis ... 12
5.3 Determination of Classified Security Protection ... 15
6 Overall Security Planning ... 17 
6.1 Workflow of Overall Security Planning Stage ... 17
6.2 Analysis of Security Demands ... 18
6.3 Overall Security Design ... 22
6.4 Security Construction Project Planning ... 27
7 Security Design and Implementation ... 30 
7.1 Workflow of Security Design and Implementation Stage ... 30
7.2 Detailed Design of Security Plan ... 30
7.3 Management Measure Implementation ... 33
7.4 Implementation of Technical Measures ... 37
8 Security Operation and Maintenance ... 42 
8.1 Workflow of Security Operation and Maintenance Stage ... 42
8.2 Operation Management and Control ... 45
8.3 Alternation Management and Control ... 46
8.4 Security Status Monitoring ... 48
8.5 Security Incident Handling and Contingency Plan ... 50
8.6 Security Inspection and Continuous Improvement ... 52
8.7 Classification Evaluation ... 55
8.8 System Filing ... 55
8.9 Supervision and Inspection ... 56
9 Termination of Information System ... 57 
9.1 Work Flow of Information System Termination Stage ... 57
9.2 Information Transfer, Temporary Storage and Erasing ... 57
9.3 Equipment Transfer or Abandonment ... 58
9.4 Erasing or Destruction of Storage Medium ... 59
Appendix A (normative) Main Process and Activity Output ... 61 
Information Security Technology - Implementation
Guide for Classified Protection of Information System
1 Scope
This Standard stipulates the implementation process of classified protection of
information system security. It is applicable to the guidance for the implementation of
classified protection of information system security.
2 Normative References
The clauses of the following documents become clauses of this Standard through
reference in this Standard. For dated references, subsequent amendments (excluding
corrigenda) or revisions do not apply to this Standard; however, parties reaching
agreements based on this Standard are encouraged to adopt the latest editions of
these documents. For undated references, the latest edition applies to this Standard.
GB/T 5271.8 Information Technology - Vocabulary - Part 8: Security
GB 17859-1999 Classified Criteria for Security Protection of Computer Information
System
GB/T 22240-2008 Information Security Technology - Classification Guide for Classified
Protection of Information System Security
3 Terms and Definitions
Terms and definitions in GB/T 5271.8 and GB 17859-1999, and the following terms
and definitions are applicable to this Standard.
3.1 Classified Security Testing and Evaluation
Classified security testing and evaluation refers to the process of determining whether
the security protection capability of an information system reaches the basic
requirements of the corresponding level.
a) National administration department:
The public security organ is responsible for the supervision, inspection and guidance
of classified protection of information security. The national secrecy administrative
department is responsible for the supervision, inspection and guidance of
confidentiality-related work in classified protection. The national cipher administrative
department is responsible for the supervision, inspection and guidance of
cipher-related work in classified protection. Matters that fall within the jurisdiction of
other functional departments shall be administered by those departments in
accordance with national laws and regulations. The State Council’s Informatization
Office and the administrative bodies of local informatization leading groups are
responsible for coordinating classified protection work among departments.
b) Information system’s competent department
Information system’s competent department is responsible for the supervision,
inspection and guidance of information system operation and application
organizations in classified information security protection work in the industry,
the department, or the locality, in accordance with the national management
specifications and technical standards on classified protection of information
security.
c) Operation and application organization of information system
The operation and application organization of the information system is responsible
for determining the level of classified protection of the information system in
accordance with the national management specifications and technical standards on
classified protection of information security. Where there is a competent department,
the determination shall be submitted to that department for verification and approval.
In accordance with the determined security protection level, it shall complete filing
formalities with a public security organ. In accordance with the national management
specifications and technical standards on classified protection of information security,
it shall plan and design the classified security protection of the information system,
use information technology products and information security products that comply
with relevant national stipulations and satisfy the demands of classified protection of
the information system, and implement the construction or reconstruction of
information system security. It shall formulate and implement security management
systems; conduct regular self-inspection of the security status of the information
system and of the implementation of security protection systems and measures;
select level evaluation institutions that comply with relevant national stipulations; and
conduct regular level evaluation. It shall formulate response and treatment plans for
information security events of different levels and implement emergency response to
information security events of the information system
a) Identify essential information of information system
Investigate and understand the industrial characteristics, competent
organization, business scope, geographic location and basic condition of
information system; obtain the background information and contact mode of
information system.
b) Identify management framework of information system
Understand the organizational management structure, management strategy
and department setting of information system; department’s role and
responsibilities in business operation. Obtain information of management
characteristics and management framework, which supports the business
operation of information system. Thus, clarify the main body of security
responsibility of information system.
c) Identify network and equipment deployment of information system
Understand the physical environment and network topology of information
system, and deployment of hardware equipment. On this basis, clarify the
boundaries of information system. In other words, determine the target of
classification and its scope.
d) Identify business types and characteristics of information system
Understand the type and quantity of business in the institution that mainly relies on
the information system; for each business, understand its social attributes, business
content and business flow. Clarify the business characteristics of the information
system that supports the institution’s business operation. An information system that
carries a single business application, or a relatively independent business
application, shall be considered as an independent target of classification.
e) Identify information assets processed by business system
Understand the type of information assets processed by business system;
understand the degree of importance of these information assets in
confidentiality, integrity and availability, etc.
f) Identify the scope and the type of users
In accordance with the distribution scope of users or user groups, understand
the scope of services and the functions of business system, and the
requirements of business continuity, etc.
g) Description of information system
Organize and analyze the gathered information; form overall descriptive file of
b) Division of information system
In accordance with the selected principle of system division, divide the large-scale
information system possessed by an institutional framework into relatively
independent information systems, and consider these as the targets of classification.
It shall be guaranteed that each relatively independent information system possesses
the basic characteristics of a classification target. During the division of the
information system, elements of organizational management shall be considered
first, followed by business type and physical domain.
c) Detailed description of information system
After dividing information system and determining the target of classification,
on the basis of overall descriptive file of information system, further increase
description of information system division information; accurately describe the
number of classification targets included in a large-scale information system.
The further detailed descriptive file of information system shall include the following
content:
1) A list of relatively independent information systems;
2) An overview of each classification target;
3) Boundary of each classification target;
4) Equipment deployment of each classification target;
5) Business application supported by each classification target and the type of
information assets that it processes;
6) The scope of services and the type of users of each classification target;
7) Other content.
Activity output: detailed descriptive file of information system
5.3 Determination of Classified Security Protection
5.3.1 Classification, verification and approval
Activity objective:
The objective of this activity is to determine classified security protection of information
system in accordance with relevant national management specifications and GB/T
22240-2008; verify and approve the result of classification; guarantee the accuracy of
the classification result.
Organize the overall descriptive file of information system, the detailed descriptive file
of information system and the determination result of the level of classified protection
of information system security; form documented reports on the result of information
system classification.
The report of information system classification result may include the following content:
a) An overview of the current situation of informatization in the organization;
b) Management mode;
c) A list of information systems;
d) An overview of each information system;
e) Boundary of each information system;
f) Equipment deployment of each information system;
g) Business application supported by each information system;
h) A combination of a list of information systems, level of classified security
protection and protection requirements;
i) Other content.
Activity output: information system security protection classification report.
6 Overall Security Planning
6.1 Workflow of Overall Security Planning Stage
The objective of the overall security planning stage is, based on the division of the
information system, its classification and the business it undertakes, to analyze and
clarify the security demands of the information system, design a reasonable overall
security plan that satisfies the requirements of classified protection, and formulate a
security implementation plan that guides the subsequent implementation of
information system security construction. For an information system that is already in
operation, the demand analysis shall first analyze and judge the gap between the
current security protection status and the requirements of classified security
protection.
Please refer to Figure 3 for the workflow of the overall security planning stage.
Activity input: information system detailed descriptive file; information system security
protection classification report; other relevant files of information system; basic
requirements of information system classified security protection.
Activity description:
This activity mainly includes the following sub-activity content:
a) Determine the scope of system and the target of analysis
Clarify the scope and the boundary of different levels of information system.
Through the modes of survey and inquiry of documents, understand the
composition of information system, including network topology, business
application, business flow, equipment information and status of security
measures. Preliminarily determine the analysis target of each level of
information system. The target shall include overall target, such as computer
room, office environment and network; it shall also include specific target, such
as boundary equipment, gateway equipment, server equipment, workstation
and application system, etc.
b) Form evaluation indicators and plans
In accordance with the level of security protection of each information system,
select indicators of a corresponding level from the basic requirements of
information system classified security protection; form evaluation indicators. In
accordance with the evaluation indicators, combine the determined specific
target, formulate feasible evaluation plans. The evaluation plans may include
the following content:
1) Table of management status evaluation;
2) Table of network status evaluation;
3) Table of network equipment (including security equipment) evaluation;
4) Table of host computer equipment evaluation;
5) Security testing plan of main equipment;
6) Operation instruction of main operations.
c) Comparison of current situation and evaluation indicators
Through field observation, personnel interviews, document review, record
examination, configuration examination, technical testing and penetration testing,
evaluate security technology and security management. Judge the degree of
consistency between each aspect of security technology and security management
and the evaluation indicators; reach a
d) Comprehensive risk analysis
Analyze the possible consequences of the threats and the weaknesses; the
possibility or probability of these consequences; the degree of damage or
impact caused by these consequences; the possibility, necessity and economic
efficiency of avoiding the above-mentioned consequences. In accordance with
the sequence of important assets and the sequence of risks, determine the
requirements of security protection.
Activity output: special protection demands of important assets.
6.2.3 Formation of security demand analysis report
Activity objective:
The objective of this activity is to summarize the basic security demands and special
security demands; form a security demand analysis report.
Participating roles: information system operation and application organization;
information security service institution.
Activity input: information system detailed descriptive file; information system security
protection classification report; basic security demands; special protection demands of
important assets.
Activity description:
The main sub-activity of this activity is to complete the security demand analysis
report.
In accordance with the basic security demands and special security protection
demands, form a security demand analysis report.
The security demand analysis report may include the following content:
1) Information system description;
2) Security management status;
3) Security technology status;
4) Existing weaknesses and possible risks;
5) Security demand description.
Activity output: security demand analysis report.
information system.
Participating roles: information system operation and application organization;
information security service institution.
Activity input: information system detailed descriptive file; information system security
protection classification report; security demand analysis report; basic requirements of
information system classified security protection.
Activity description:
This activity mainly includes the following sub-activity content:
a) Stipulate security protection technical measures of backbone network or
metropolitan area network
In accordance with the institution’s overall security strategy file and the basic
requirements and security demands of classified protection, propose security
protection strategies and security technical measures for the backbone network or
metropolitan area network. When doing so, the sharing of network lines and network
equipment shall be considered. If sub-systems of different levels transmit data
through the same line and equipment of the backbone network or metropolitan area
network, the security protection strategies and security technical measures of that
line and equipment shall satisfy the basic requirements of classified protection of the
highest-level sub-system.
b) Stipulate security technical measures of interconnection among sub-systems
In accordance with the institution’s overall security strategy file and the basic
requirements and security demands of classified protection, propose the information
transmission protection requirements and the specific security technical measures
for trans-LAN interconnection among sub-systems, including strategies for
same-level interconnection and for different-level interconnection; propose the
information transmission protection strategy requirements and the specific security
technical measures for intra-LAN interconnection among sub-systems, including
strategies for same-level interconnection and for different-level interconnection.
c) Stipulate boundary protection technical measures of different levels of
sub-systems
In accordance with the institution’s overall security strategy file and the basic
requirements and security demands of classified protection, propose security
protection strategies and security technical measures for the boundaries of
sub-systems of different levels. When security protection strategies and security
technical
file, adjust the previous management mode and management strategies. In other
words, from an overall perspective, consider the formulation of uniform security
management strategies for each level of information system; start from the actual
demands of each information system, select and adjust specific security management
measures, and finally, form a uniform overall security management system structure.
Participating roles: information system operation and application organization;
information security service institution.
Activity input: information system detailed descriptive file; information system security
protection classification report; security demand analysis report; basic requirements of
information system classified security protection.
Activity description:
This activity mainly includes the following sub-activity content:
a) Stipulate information security’s organizational management system and
security management responsibility to each information system
In accordance with institution’s overall security strategy file, the basic
requirements and security demands of classified protection, propose
institution’s security organizational management framework; assign security
management responsibilities to each level of information system; stipulate the
security management strategies of each level of information system.
b) Stipulate personnel security management strategies of each level of information
system
In accordance with institution’s overall security strategy file, the basic
requirements and security demands of classified protection, propose
management personnel framework of the various different levels of information
systems; assign management personnel’s responsibilities of the various levels
of information systems; stipulate personnel security management strategies of
various levels of information systems.
c) Stipulate security management strategies of physical environment like
computer rooms and office areas of each level of information system
In accordance with institution’s overall security strategy file, the basic
requirements and security demands of classified protection, propose security
strategy of computer rooms and office environment of various different levels
of information systems.
d) Stipulate security management strategies of medium and equipment of each
level of information system
The overall security plan of information system includes the following content:
a) An overview of information system;
b) Overall security strategy;
c) Security technology system structure of information system;
d) Security management system structure of information system.
Activity output: overall security plan of information system.
6.4 Security Construction Project Planning
6.4.1 Determination of security construction objective
Activity objective:
The objective of this activity is to determine the objectives of security construction in
different stages, based on the overall security plan of the information system
(consisting of one or more files), the institution or organization’s medium-and-long
term development planning for informatization construction, and the institution’s
funding status for security construction.
Participating roles: information system operation and application organization;
information security service institution.
Activity input: overall security plan of information system; institution or organization’s
medium-and-long term development planning of informatization construction.
Activity description:
This activity mainly includes the following sub-activity content:
a) Medium-and-long term development planning and survey of security demands
of informatization construction
Understand and survey organization’s current situation of informatization
construction, objective of medium-and-long term informatization construction,
competent department’s input in informatization; compare the gap between
staged status and security strategy planning during the process of
informatization construction; analyze urgent and critical security issues;
consider the content of security construction that may be synchronously
implemented.
b) Propose staged objectives of information system security construction
Formulate the overall security objective that the system is expected to
implement within the planning period (generally speaking, security planning
projects; describe the main security issues solved by the projects and the
security objectives that the projects are expected to reach. Conduct correlation
analysis of projects, for example, support or dependency. Conduct urgency
analysis of projects. Conduct implementation complexity analysis of projects.
Conduct expected effect analysis of projects. Describe projects’ specific work
content and construction plans; form a list of security construction projects.
Activity output: a list of security construction projects (including security
construction content).
6.4.3 Form security construction project plans
Activity objective:
The objective of this activity is, based on the construction objective and content, to
comprehensively consider the list of security construction projects in terms of time
and expenditure, divide it into different periods and stages, design the construction
sequence, conduct investment estimation and form security construction project plans.
Participating roles: information system operation and application organization;
information security service institution.
Activity input: information system overall security plan; staged security construction
objective of information system; security construction content.
Activity description:
Organize staged security construction objective of information system, overall security
plan and security construction content; form a security construction project plan of
information system.
The security construction project plan may include the following content:
a) Plan construction’s basis and principle;
b) Plan construction’s objective and scope;
c) Information system’s current security status;
d) Medium-and-long term development planning of informatization;
e) Overall framework of information system security construction;
f) Security technology system construction planning;
g) Security management and security assurance system construction planning;
h) Investment estimation of security construction;
The objective of this activity is, based on the construction objective and content, to
implement the security strategies, security technology system structure, security
measures and requirements demanded by the overall security plan of the information
system in the form of product functions or physical forms; propose implementable
products or components and their specific specifications; and document the
products’ functional characteristics, thereby providing a basis for the stages of
information security product purchasing and security control development.
Participating roles: information system operation and application organization;
information security service institution; information security product supplier.
Activity input: overall security plan of information system; information system security
construction project plan, various description documents on information technology
products and information security product technology.
Activity description:
This activity mainly includes the following sub-activity content:
a) Structural frame design
In accordance with the construction content of this implementation project and
the practical condition of information system, provide a security implementation
technological framework, which is consistent with the security system structure
of the overall security planning stage. The content might include the hierarchy
of security protection, the utilization of information security products, division of
network sub-system and IP address planning, etc.
b) Functional requirement design
In terms of relevant information security products used in the security
implementation technological framework, such as firewall, VPN, gatekeeper,
authentication gateway, proxy server, network anti-virus and PKI, etc., propose
requirements of functional indicators. In terms of security control components
that need to be developed, propose requirements of functional indicators.
c) Performance requirement design
In terms of relevant information security products used in the security
implementation technological framework, such as firewall, VPN, gatekeeper,
authentication gateway, proxy server, network anti-virus and PKI, etc., propose
requirements of performance indicators. In terms of security control
components that need to be developed, propose requirements of performance
indicators.
d) Deployment plan design
The objective of this activity is to gather the technological measure implementation
plan and the management measure implementation plan, consider working hours
and cost, and form a guidance file that guides the security implementation.
Participating roles: information system operation and application organization;
information security service institution.
Activity input: technological measure implementation plan; management measure
implementation plan.
Activity description:
Organize technology implementation content in technological measure implementation
plan and management implementation content in management measure
implementation plan; form detailed design plan of information system security
construction.
Detailed design plan of security includes the following content:
a) This stage of construction objective and construction content;
b) Technology implementation framework;
c) Functions and performance of information security products or components;
d) Deployment of information security products or components;
e) Security strategy and allocation;
f) Matching security management construction content;
g) Project implementation plan;
h) Project investment estimation.
Activity output: detailed design plan of security.
7.3 Management Measure Implementation
7.3.1 Setting of management institution and personnel
Activity objective:
The objective of this activity is to establish matching security management functional
departments; through position setting, personnel’s work division and allocation of
various resources in management institution, provide organizational guarantee to
security management of information system.
Participating roles: information system operation and application organization;
b) Definition of personnel responsibility
In terms of the establishment of management system, ...
...