
GB/T 25070-2019 English PDF

GB/T 25070-2019 (GB/T25070-2019, GBT 25070-2019, GBT25070-2019)
Standard ID GB/T 25070-2019
Contents [version] English
USD 1005
PDF delivery 0--9 seconds, auto-delivery
Standard Title (Description) Information security technology -- Technical requirements of security design for classified protection of cybersecurity
Status Valid

BASIC DATA
Standard ID GB/T 25070-2019 (GB/T25070-2019)
Description (Translated English) Information security technology -- Technical requirements of security design for classified protection of cybersecurity
Sector / Industry National Standard (Recommended)
Classification of Chinese Standard L80
Classification of International Standard 35.040
Word Count Estimation 50,530
Date of Issue 2019-05-10
Date of Implementation 2019-12-01
Drafting Organization The First Research Institute of the Ministry of Public Security, Beijing University of Technology, Beijing Chinasoft Huatai Information Technology Co., Ltd., the Sixth Research Institute of China Electronics Information Industry Group Co., Ltd., China Academy of Information and Communications Technology, Alibaba Cloud Computing Technology Co., Ltd., Bank of China Co., Ltd. Software Center, The Third Research Institute of the Ministry of Public Security, Information Center of the National Energy Administration, China Electric Power Research Institute Co., Ltd., Software Research Institute of the Chinese Academy of Sciences, Computer and Microelectronics Development Research Center of the Ministry of Industry and Information Technology (China Software Evaluation Center), China Institute of Information Engineering, Academy of Sciences, Venus Star Information Technology Group Co., Ltd., Zhejiang China Tobacco Industry Co., Ltd., CCTV, Beijing Jiangnan Tianan Technology Co., Ltd., Huawei Technologies Co., Ltd., Beijing University of Aeronautics and Astronautics, Beijing Institute of Technology, Beijing Tianan
Administrative Organization National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing organization National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies) State Administration for Market Regulation, China National Standardization Administration

GB/T 25070-2019
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 25070-2010
Information security technology - Technical requirements of security design for classified protection of cybersecurity
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: State Administration for Market Regulation; Standardization Administration of PRC.

Table of Contents
Foreword ... 4
Introduction ... 6
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 8
4 Abbreviations ... 11
5 Design overview of classified protection security technology of cybersecurity ... 12
5.1 Design framework of security technology of general classified protection ... 12
5.2 Design framework of security technology of classified protection for cloud computing ... 13
5.3 Design framework of security technology of classified protection for mobile interconnection ... 15
5.4 Design framework of security technology of classified protection for Internet of Things ... 17
5.5 Design framework of security technology of classified protection of industrial control ... 18
6 Design of the first-level system security protection environment ... 20
6.1 Design targets ... 20
6.2 Design strategy ... 21
6.3 Design technical requirements ... 21
7 Design of second-level system security protection environment ... 26
7.1 Design targets ... 26
7.2 Design strategy ... 26
7.3 Design technical requirements ... 27
8 Design of third-level system security protection environment ... 36
8.1 Design targets ... 36
8.2 Design strategy ... 36
8.3 Design technical requirements ... 37
9 Design of fourth-level system security protection environment ... 53
9.1 Design targets ... 53
9.2 Design strategy ... 53
9.3 Design technical requirements ... 54
10 Design of fifth-level system security protection environment ... 72
11 Interconnection design of classified system ... 72
11.1 Design targets ... 72
11.2 Design strategy ... 72
11.3 Design technical requirements ... 72
Appendix A (Informative) Design of access control mechanism ... 75
Appendix B (Informative) Design example of third-level system security protection environment ... 78
Appendix C (Informative) Technical requirements for big data design ... 85
References ... 90

Information security technology - Technical requirements of security design for classified protection of cybersecurity

1 Scope
This standard specifies the technical requirements for the security design of the first to fourth levels of classified protection of cybersecurity. It applies to the design and implementation of security technology solutions for classified protection of cybersecurity by operating and using organizations, cybersecurity enterprises and cybersecurity service agencies, and may also serve as the basis on which cybersecurity functional departments conduct supervision, inspection and guidance.
Note: Fifth-level classified protection objects are especially important objects of supervision and management. They have their own management modes and security design technical requirements, so they are not described in this standard.

2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the edition cited applies; for undated references, the latest edition (including all amendments) applies.
GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 22240-2008 Information security technology - Classification guide for classified protection of information systems security
GB/T 25069-2010 Information security technology - Glossary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 31168-2014 Information security technology - Security capability requirements of cloud computing services
GB/T 32919-2016 Information security - Industrial control systems -
......
network layer and the application layer, etc.
c) Security communication network
Include the components that carry information between the security computing environments and security area boundaries of the Internet of Things system and that implement the security policies on that path, such as the communication network at the network layer and the communication network between the internal security computing environments of the sensor layer and the application layer.
d) Security management center
Include the platform for unified management of the security policies and of the security mechanisms of the security computing environments, security area boundaries and security communication networks of the Internet of Things system. It comprises three parts: system management, security management and audit management. Only security protection environments of the second level and above are designed with a security management center.
5.5 Design framework of security technology of classified protection of industrial control
The industrial control system is zoned according to the business nature of the protected object, and the classified protection of cybersecurity design is implemented according to the technical characteristics of each functional level; the design framework of security technology of classified protection for industrial control systems is shown in Figure 5.
The triple protection system of computing environment, area boundary and communication network that makes up the security technology design of classified protection for industrial control systems, supported by the security management center, adopts a layered and partitioned architecture. The design takes into account the characteristics of industrial control systems, namely complex and diverse bus protocols, strong real-time requirements, limited node computing resources, high device reliability requirements, short fault-recovery times, and security mechanisms that must not affect real-time performance, so as to realize reliable, controllable and manageable secure system interconnection, area boundary security protection and computing environment security. The industrial control system is divided into layers; layers 0 to 3 are the scope of classified protection of the industrial control system and the area covered by the design framework. The security zones of the industrial control system are divided horizontally according to the importance of the business, its timeliness, business relevance, degree of impact on field controlled devices, functional scope, asset attributes, etc., forming
......
so that system users have the ability to protect the objects that belong to them.
6.2 Design strategy
The design strategy of the first-level system security protection environment is to follow the relevant requirements in 4.1 of GB 17859-1999: on the basis of identity authentication, provide users and/or user groups with discretionary (autonomous) access control over files and database tables, so as to achieve isolation between the user and the data and give the user the ability of autonomous security protection; provide area boundary protection by means of packet filtering; and provide data and system integrity protection by means of data verification and prevention of malicious code.
The design of the first-level system security protection environment is realized through the design of the first-level security computing environment, security area boundary and security communication network. Computing nodes shall perform trusted verification based on a root of trust, from power-on through operating system startup.
6.3 Design technical requirements
6.3.1 Design technical requirements for security computing environment
6.3.1.1 Technical requirements for the design of general security computing environment
This requirement includes:
a) Authentication of user identity
It shall support user identification and user authentication. When a user registers with the system, the user name and user identifier are used to identify the user; each time the user logs in, a password authentication mechanism is used to authenticate the user's identity, and the password data shall be protected.
b) Autonomous access control
Within the scope of security policy control, users and user groups have the corresponding access permissions on the objects they create and may grant some or all of these permissions to other users or user groups. The granularity of the access control subject is the user or user group; the granularity of the object is the file or database table. Access operations include creating, reading, writing, modifying and deleting objects.
......
b) Application control
It shall provide an application signature authentication mechanism that refuses the installation and execution of application software that has not been authenticated and signed.
6.3.1.4 Technical requirements for design of security computing environment for Internet of Things systems
This requirement includes:
a) Authentication of sensor layer device
It shall use conventional authentication mechanisms to identify the sensor device, to ensure that data originates from the correct sensor device.
b) Access control of sensor layer device
It shall implement access control on sensor devices by formulating security policies such as access control lists.
6.3.1.5 Technical requirements for design of security computing environment for industrial control systems
This requirement includes:
a) Authentication of industrial control
Field control layer devices and process monitoring layer devices shall be uniquely marked, authenticated and certified, so that their authentication status and functional integrity can be verified and confirmed at any time. Programs and the corresponding data sets running on control devices and monitoring devices shall be managed by unique identifier.
b) Access control of field device
It shall implement role-based access control policies for users who have passed identity authentication. After receiving an operation command, the field device shall check whether the role bound to the user is authorized to perform the operation. A user with the authority is granted permission; if the user is not granted permission, an alarm message shall be sent to the upper layer.
c) Protection of control process integrity
It shall complete the specified tasks within the specified time; data shall be processed in an authorized manner, to ensure that the data is not illegally
......
7.3 Design technical requirements
7.3.1 Technical requirements for design of security computing environment
7.3.1.1 Technical requirements for design of general security computing environment
This requirement includes:
a) Authentication of user identity
It shall support user identification and user authentication.
When a user registers with the system, the user name and user identifier are used to identify the user, and the uniqueness of the user identifier shall be ensured throughout the life cycle of the system; each time the user logs in, a controlled password or another mechanism of corresponding security strength is used to authenticate the user's identity; cryptographic technology shall be used for confidentiality and integrity protection of the authentication data.
b) Autonomous access control
Within the scope of security policy control, users shall be allowed to access the objects they create and to grant some or all of these permissions to other users. The granularity of the access control subject is the user; the granularity of the object is the file or database table. Access operations include creating, reading, writing, modifying and deleting objects.
c) System security audit
It shall provide a security audit mechanism that records system-related security events. An audit record includes the subject, object, time, type and result of the security event. The mechanism shall provide audit record query, classification and storage protection, and shall be manageable by the security management center.
d) Protection of user data integrity
It may use a conventional check mechanism to check the integrity of stored user data, to find out whether its integrity has been compromised.
e) Protection of user data confidentiality
It may use confidentiality protection mechanisms supported by technologies such as cryptography to protect the confidentiality of user data as stored and processed in the security computing environment.
......
It shall be able to detect abnormal access by a virtual machine to the host's physical resources.
e) Data backup and recovery
It shall adopt a redundant or distributed architecture; it shall support multi-copy storage of data; it shall support common interfaces so that cloud tenants can migrate business systems and data to other cloud computing platforms or to local systems, ensuring portability.
f) Virtualization security
It shall achieve security isolation of the CPU, memory and storage space of virtual machines; it shall prohibit virtual machines from directly accessing the host's physical resources; it shall support security isolation between the virtualized networks of different cloud tenants.
g) Prevention of malicious code
Physical machines and host machines shall run a security-hardened operating system or implement host malicious code prevention; virtual machines shall run a security-hardened operating system or implement host malicious code prevention; the platform shall support detection of and protection against malicious code in Web applications.
h) Image and snapshot security
It shall support images and snapshots and provide integrity protection for virtual machine image and snapshot files; prevent unauthorized access to sensitive resources that may exist in virtual machine images and snapshots; and provide security-hardened operating system images for important business systems, or support self-hardening of operating system images.
7.3.1.3 Technical requirements for design of security computing environment for mobile internet
This requirement includes:
a) Authentication of user identity
It shall use passwords, unlock patterns or other mechanisms of appropriate security strength to authenticate the user's identity.
b) Application control
It shall provide an application signature authentication mechanism that refuses the installation and execution of application software that has not been authenticated and
......
Field control layer devices and process monitoring layer devices shall be uniquely marked, authenticated and certified, so that their authentication and certification status and functional integrity can be verified and confirmed at any time. Programs and the corresponding data sets running on control devices and monitoring devices shall be managed by unique identifier.
b) Access control of field device
It shall implement role-based access control policies for users who have passed identity authentication. After receiving an operation command, the field device shall check whether the role bound to the user is authorized to perform the operation. A user with the authority is granted authorization; if the user is not granted authorization, alarm information shall be sent to the upper layer.
c) Data confidentiality protection of field device
It may use a confidentiality protection mechanism supported by cryptographic technology, or a physical protection mechanism, to protect the confidentiality of data, programs, configuration information, etc. that have confidentiality requirements and are stored in field control layer devices and in fieldbus devices connected to the field control layer.
d) Protection of control process integrity
It shall complete the specified tasks within the specified time; data shall be processed in an authorized manner, to ensure that the data is not illegally tampered with, lost or delayed, so that incidents are responded to and handled in time; it shall protect the system's synchronization mechanism and time correction mechanism, thereby maintaining the stability of the control cycle and of the fieldbus rolling cycle.
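The field device check of 6.3.1.5 b) and 7.3.1.5 b) (role bound to the authenticated user, permission checked after the command is received, alarm to the upper layer on refusal), combined with the audit record fields required by 7.3.1.1 c), as an added Python example. This is illustrative code, not part of the standard; the roles, operations, user names and the device identifier are constructed.

```python
"""Field device command authorization with role-based access control.

Added example (not text or code from GB/T 25070-2019): the roles, operations,
user names and device identifier below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Constructed policy: role -> operations the role may perform on a field device.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"read_status"}),
    "operator": frozenset({"read_status", "start", "stop"}),
    "engineer": frozenset({"read_status", "start", "stop", "write_setpoint", "download_program"}),
}


@dataclass
class AuditRecord:
    """The five fields an audit record shall carry: subject, object, time, type, result."""
    subject: str
    obj: str
    time: str
    event_type: str
    result: str


@dataclass
class FieldDevice:
    device_id: str                      # unique identifier of the device
    user_roles: Dict[str, str]          # authenticated user -> role bound to that user
    audit_log: List[AuditRecord] = field(default_factory=list)
    alarms: List[str] = field(default_factory=list)   # alarm messages for the upper layer

    def _audit(self, user: str, operation: str, result: str, now: datetime) -> None:
        self.audit_log.append(AuditRecord(user, self.device_id, now.isoformat(), operation, result))

    def handle_command(self, user: str, operation: str, now: Optional[datetime] = None) -> bool:
        """Check the command after receipt; return True if authorized, False if refused.

        A refusal is audited and raises an alarm to the upper layer, as the
        standard requires for users who do not obtain the permission.
        """
        now = now or datetime.now(timezone.utc)
        role = self.user_roles.get(user)
        if role is None:
            # No authenticated role bound to this user: refuse and alarm.
            self._audit(user, operation, "denied:unknown_user", now)
            self.alarms.append(f"{self.device_id}: unknown user {user!r} attempted {operation}")
            return False
        if operation not in ROLE_PERMISSIONS.get(role, frozenset()):
            self._audit(user, operation, f"denied:role={role}", now)
            self.alarms.append(f"{self.device_id}: user {user!r} (role {role}) not authorized for {operation}")
            return False
        self._audit(user, operation, "allowed", now)
        return True

    def query_audit(self, result_prefix: str = "") -> List[AuditRecord]:
        """Audit record query by result class, e.g. "denied" for every refusal."""
        return [r for r in self.audit_log if r.result.startswith(result_prefix)]


if __name__ == "__main__":
    plc = FieldDevice("PLC-01", {"alice": "operator", "bob": "engineer"})
    for user, op in [("alice", "start"), ("alice", "write_setpoint"), ("mallory", "stop"), ("bob", "write_setpoint")]:
        print(user, op, "->", "allowed" if plc.handle_command(user, op) else "refused")
    print("alarms:", plc.alarms)
```

The check is deliberately placed on the device itself rather than only at the HMI: a command that reaches the controller through another path is still refused, and the refusal leaves both an audit record and an alarm for the upper layer.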
7.3.2 Technical requirements for design of security area boundary
7.3.2.1 Technical requirements for design of general security area boundary
This requirement includes:
a) Packet filtering of area boundary
It shall, according to the area boundary security control strategy, decide whether a data packet is allowed through the area boundary by checking its source address, destination address, transport layer protocol and requested service.
b) Security audit of area boundary
......
It may use an integrity check mechanism supported by short-message, short-latency cryptographic technology adapted to the characteristics of the fieldbus, or a physical protection mechanism, to protect the integrity of data transmitted over the fieldbus network.
b) Protection of data transmission integrity of wireless network
It may use an integrity check mechanism supported by cryptographic technology to protect the integrity of data transmitted over the wireless network.
7.3.4 Technical requirements for design of security management center
7.3.4.1 System management
System administrators may configure, control and perform trusted management of the system's resources and operations, including user identities, trusted certificates, the trusted reference library, system resource configuration, system loading and startup, exception handling during system operation, data and device backup and recovery, and protection against malicious code. The identity of system administrators shall be authenticated; they shall be allowed to perform system management operations only through specific commands or operation interfaces, and these operations shall be audited. When performing the security design of a cloud computing platform, system management shall provide a way to query the storage locations of cloud tenant data and backups.
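The packet-filtering decision of 7.3.2.1 a), as an added Python example that is not part of the standard: ordered rules over source address, destination address, transport protocol and requested service, first match wins, default deny, and every decision is recorded so that it can feed the area boundary audit of item b). The network addresses, rule set and sample packets are constructed.

```python
"""Area boundary packet filter: first-match rules over source address, destination
address, transport protocol and requested service, with default deny.

Added example, not part of GB/T 25070-2019. The addresses, rules and packets are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp", ...
    service: Optional[int]     # requested service = destination port; None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    src: str                   # CIDR prefix, or "any"
    dst: str
    proto: str                 # transport protocol, or "any"
    service: Optional[int]     # destination port, or None for any service

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.src == "any" or ip_address(pkt.src) in ip_network(self.src))
            and (self.dst == "any" or ip_address(pkt.dst) in ip_network(self.dst))
            and (self.proto == "any" or self.proto == pkt.proto)
            and (self.service is None or self.service == pkt.service)
        )


@dataclass
class BoundaryFilter:
    rules: List[Rule]
    # Decision log feeding the boundary security audit: (packet, rule index or -1, action).
    decisions: List[Tuple[Packet, int, str]] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        """First matching rule wins; a packet matching no rule is denied (default deny)."""
        for index, rule in enumerate(self.rules):
            if rule.matches(pkt):
                self.decisions.append((pkt, index, rule.action))
                return rule.action
        self.decisions.append((pkt, -1, "deny"))
        return "deny"


def example_policy() -> BoundaryFilter:
    """Constructed policy: office LAN 10.1.0.0/16, DMZ web server 10.2.0.10, and a
    control network 10.3.0.0/24 reachable only from engineering workstation 10.1.5.7 on Modbus/TCP."""
    return BoundaryFilter([
        Rule("allow", "10.1.5.7/32", "10.3.0.0/24", "tcp", 502),   # specific allow first
        Rule("deny", "any", "10.3.0.0/24", "any", None),           # then block everything else into the control network
        Rule("allow", "10.1.0.0/16", "10.2.0.10/32", "tcp", 443),
        # anything not listed falls through to default deny
    ])


if __name__ == "__main__":
    f = example_policy()
    for p in [Packet("10.1.5.7", "10.3.0.20", "tcp", 502), Packet("10.1.9.9", "10.3.0.20", "tcp", 502),
              Packet("10.1.9.9", "10.2.0.10", "tcp", 443), Packet("10.1.9.9", "10.2.0.10", "tcp", 22),
              Packet("203.0.113.5", "10.2.0.10", "icmp", None)]:
        print(p, "->", f.decide(p))
```

Rule order is part of the policy: the specific allow for the engineering workstation has to precede the broad deny into the control network, and anything that matches no rule is denied rather than passed.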
When performing the security design of an Internet of Things system, the system administrator shall perform unified identity management of sensor devices, sensor layer gateways, etc.
7.3.4.2 Audit management
Security auditors may centrally manage the security audit mechanisms distributed among the components of the system, including classifying audit records according to the security audit policy; turning the corresponding types of security audit mechanism on and off by time period; and storing, managing and querying the various types of audit records. The identity of security auditors shall be authenticated; they shall be allowed to perform security audit operations only through specific commands or operation interfaces. When performing the security design of a cloud computing platform, the cloud
......
detecting that trustworthiness has been compromised; form the verification results into audit records and send them to the security management center.
i) Inspection of configuration credibility
The security configuration information of the system shall be formed into a reference library; modifications to the configuration information shall be monitored in real time and inspected regularly, and configuration information that is inconsistent with the contents of the reference library shall be repaired in time.
j) Intrusion detection and malicious code prevention
It shall use the active-immunity trusted computing check mechanism to identify intrusion and virus behaviour in time and to block it effectively.
8.3.1.2 Technical requirements for design of cloud security computing environment
This requirement includes:
a) Authentication of user identity
It shall support cloud tenants registered with the cloud computing service in establishing master and sub-accounts; the user name and user identifier are used to identify the user identity of master and sub-accounts.
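The configuration reference library of item i), as an added Python example that is not the standard's own text or code: approved configuration content is baselined by digest, the live set is inspected for modified, missing and unexpected items, and drift is repaired from the approved copy. The file paths and contents are constructed and kept in an in-memory dict standing in for the file system.

```python
"""Configuration credibility inspection: a reference library of approved
configuration content, drift detection and repair.

Added example, not text or code from GB/T 25070-2019. The file paths and contents
are constructed and kept in an in-memory dict standing in for the file system.
"""
import hashlib
from typing import Dict, List


def digest(content: str) -> str:
    """SHA-256 of the configuration text, used as the reference library entry."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


class ReferenceLibrary:
    def __init__(self, approved: Dict[str, str]):
        # Approved content is kept so that drift can be repaired, not just detected.
        self._content = dict(approved)
        self._digests = {path: digest(text) for path, text in approved.items()}

    def inspect(self, live: Dict[str, str]) -> Dict[str, List[str]]:
        """Compare the live configuration set with the reference library.

        Returns modified (digest differs), missing (in library, absent live)
        and unexpected (present live, not in library) paths.
        """
        modified = [p for p, text in live.items() if p in self._digests and digest(text) != self._digests[p]]
        missing = [p for p in self._digests if p not in live]
        unexpected = [p for p in live if p not in self._digests]
        return {"modified": sorted(modified), "missing": sorted(missing), "unexpected": sorted(unexpected)}

    def repair(self, live: Dict[str, str]) -> List[str]:
        """Restore every modified or missing item from the approved copy, in place.

        Unexpected items are only reported by inspect(); removing them is an
        operator decision rather than something to do automatically.
        """
        report = self.inspect(live)
        repaired = report["modified"] + report["missing"]
        for path in repaired:
            live[path] = self._content[path]
        return sorted(repaired)


if __name__ == "__main__":
    library = ReferenceLibrary({
        "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
        "/etc/sysctl.d/99-hardening.conf": "kernel.kptr_restrict = 2\n",
    })
    # Constructed live state: root login re-enabled, hardening file removed, stray file added.
    live_config = {
        "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
        "/etc/motd": "welcome\n",
    }
    print("drift:", library.inspect(live_config))
    print("repaired:", library.repair(live_config))
    print("after repair:", library.inspect(live_config))
```

In a deployment the reference library itself is what needs protecting: it should live in the security management center and be integrity-protected, since an attacker who can rewrite the baseline defeats the inspection.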
b) Protection of user account
It shall support the establishment of a cloud tenant account system, to implement the subject's access authorization to objects such as virtual machines, cloud databases, cloud networks and cloud storage.
c) Security audit
It shall support auditing of privileged commands executed by cloud service providers and cloud tenants during remote management. It shall support the tenant in collecting and viewing audit information related to the tenant's own resources, so that access by the cloud service provider to cloud tenant systems and data can be audited by the tenant.
d) Intrusion prevention
It shall be able to detect abnormal access by a virtual machine to the host's physical resources. It shall support behaviour monitoring of cloud tenants, and detect and alert on malicious attacks or malicious external
......
a) Authentication of user identity
It shall authenticate the identity of the mobile terminal user by combining two or more of passwords or unlock patterns, digital certificates or dynamic passwords, biometrics, etc.
b) Marking and mandatory access control
It shall ensure that users and processes are granted only the minimum permissions needed to use the mobile terminal's system resources. It shall control the mobile terminal's access to peripherals according to the security policy; the types of peripheral covered shall at least include expansion memory cards, GPS and other positioning devices, and Bluetooth, NFC and other communication peripherals; such access shall be logged.
c) Application control
It shall provide a software whitelist function that controls the installation and operation of application software according to the whitelist; it shall provide an application signature authentication mechanism that refuses the installation and execution of application software that has not been authenticated and signed.
d) Isolation of security domain
It shall be able to provide container-based, virtualized or other system-level isolated operating environments for important applications, to ensure that application input, output and stored information cannot be obtained illegally.
e) Control of mobile device
It shall, based on mobile device management software, control the entire life cycle of mobile devices, so that after a mobile device is lost or stolen its location can be searched over the network, the device can be remotely locked, the data on the device can be remotely erased and the device can be made to emit an alarm tone, protecting the data to the greatest extent while allowing the device to be located and recovered.
f) Protection of data confidentiality
It shall use measures such as encryption and obfuscation to protect the confidentiality of mobile applications and prevent decompilation; it shall provide encryption of extended storage devices, to ensure the security of stored data.
g) Trusted verification
......
It shall ensure that a virtual machine can only receive messages whose destination address includes its own address, or broadcast messages required by the business, while limiting broadcast attacks; it shall isolate the virtual network resources of different tenants and prevent excessive occupation of network resources. It shall ensure that the cloud computing platform's management traffic is separated from cloud tenants' business traffic. It shall be able to identify and monitor network traffic between virtual machines and between virtual machines and physical machines; provide open interfaces or open security services; and allow cloud tenants to connect third-party security products or select third-party security services on the cloud platform.
b) Access control of area boundary
It shall ensure that when a virtual machine is migrated, its access control policies are migrated with it.
It shall allow cloud tenants to set access control policies between different virtual machines. It shall establish tenant private networks to achieve security isolation between different tenants. It shall deploy a monitoring mechanism at the network boundary, to effectively monitor traffic entering and leaving the network.
c) Prevention of area boundary intrusion
When a virtual machine is migrated, the intrusion prevention mechanism shall apply to the new boundary; the intrusion prevention mechanism at the area boundary shall be brought under the unified management of the security management center. It shall provide cloud tenants with Internet content security monitoring functions, to detect and alert on harmful information in real time.
d) Requirements for area boundary audit
According to the division of responsibilities between cloud service providers and cloud tenants, each collects audit data for the parts under its own control, and each achieves centralized audit of the parts under its own control. When virtual machine migration or virtual resource changes occur, the security audit mechanism shall apply to the new boundaries. An interface shall be provided for the collection of security audit data, so that audit can also be carried out by third parties.
8.3.2.3 Technical requirements for design of security area boundaries of industrial control systems
This requirement includes:
a) Communication protocol data filtering of industrial control
For industrial control communication protocols that cross the security area boundary, it shall be able to identify whether the data they carry would attack or damage the industrial control system.
It shall keep the communication traffic, the frequency of frame numbers and the frequency of variable reads stable and within the normal range; protect the working rhythm of the controller; and identify and filter out data whose variable parameters lie outside the normal range. The control filtering component may be configured on the network device at the area boundary, on the endpoint device of the industrial control communication protocol within the security area, or on the sole communication link device.
b) Information leakage protection of industrial control communication protocol
It shall prevent the user name and login password of the industrial control communication protocol endpoint device in the area from being exposed, using filtering and transformation technology to hide key information such as the user name and login password. The endpoint device shall be separately partitioned and filtered; protection is implemented by combining one or more of the corresponding protection functions.
c) Security audit of industrial area boundary
......
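The filtering of 8.3.2.3 a), as an added Python example that is not part of the standard: a sliding-window check of per-source frame rate and per-variable read frequency (protecting the controller's working rhythm), plus range checking of written parameter values. The frame structure is assumed to be already decoded from the industrial protocol, and the station names, variable names and limits are constructed.

```python
"""Industrial control protocol filter for an area boundary: keep per-source frame
rate and per-variable read frequency within a normal range, and drop writes whose
parameter values are outside the configured range.

Added example, not text or code from GB/T 25070-2019. The abstract frame layout
(already parsed: source, operation, variable, value) and the limits are constructed;
a real deployment would decode the specific fieldbus or industrial protocol first.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, Tuple


@dataclass(frozen=True)
class Frame:
    t: float            # arrival time in seconds
    src: str            # sending station
    op: str             # "read" or "write"
    var: str            # addressed process variable
    value: float = 0.0  # written value (ignored for reads)


@dataclass
class IcsProtocolFilter:
    window: float                                   # sliding window in seconds
    max_frames_per_source: int                      # frame-rate ceiling per source in the window
    max_reads_per_variable: int                     # read-frequency ceiling per (source, variable)
    value_limits: Dict[str, Tuple[float, float]]    # normal range of each writable variable
    _frames: Dict[str, Deque[float]] = field(default_factory=dict)
    _reads: Dict[Tuple[str, str], Deque[float]] = field(default_factory=dict)

    def _count_in_window(self, table, key, t) -> int:
        """Record an event at time t and return how many events the key has in the window."""
        q = table.setdefault(key, deque())
        while q and t - q[0] > self.window:
            q.popleft()
        q.append(t)
        return len(q)

    def decide(self, f: Frame) -> str:
        """Return "pass" or a "drop:<reason>" verdict for one frame."""
        # 1. Protect the controller's working rhythm: bound the frame rate per source.
        if self._count_in_window(self._frames, f.src, f.t) > self.max_frames_per_source:
            return "drop:rate"
        if f.op == "read":
            # 2. Bound how often any one variable is polled by a source.
            if self._count_in_window(self._reads, (f.src, f.var), f.t) > self.max_reads_per_variable:
                return "drop:read-frequency"
            return "pass"
        if f.op == "write":
            # 3. Only known variables may be written, and only with in-range values.
            limits = self.value_limits.get(f.var)
            if limits is None:
                return "drop:unknown-variable"
            low, high = limits
            if not low <= f.value <= high:
                return "drop:out-of-range"
            return "pass"
        return "drop:unknown-operation"


if __name__ == "__main__":
    flt = IcsProtocolFilter(window=1.0, max_frames_per_source=5, max_reads_per_variable=2,
                            value_limits={"setpoint_temp": (0.0, 120.0)})
    # Constructed traffic: a setpoint write, an absurd setpoint, a write to an unknown variable,
    # then a burst of reads that trips the rate ceiling.
    traffic = [Frame(0.0, "hmi", "write", "setpoint_temp", 80.0), Frame(0.1, "hmi", "write", "setpoint_temp", 500.0),
               Frame(0.2, "hmi", "write", "pump_speed", 1.0), Frame(0.3, "hmi", "read", "setpoint_temp"),
               Frame(0.4, "hmi", "read", "setpoint_temp"), Frame(0.5, "hmi", "read", "setpoint_temp"),
               Frame(1.6, "hmi", "read", "setpoint_temp")]
    for fr in traffic:
        print(fr.t, fr.src, fr.op, fr.var, "->", flt.decide(fr))
```

Dropped frames still count toward the source's rate, so a station that floods the boundary stays blocked until its window empties; the limits themselves have to come from the process engineers, since a "normal range" is a property of the plant, not of the protocol.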