GB/T 31168-2023: Information security technology - Security capability requirements for cloud computing services
Status: Valid

GB/T 31168: Evolution and historical versions

| Standard ID | Standard Title (Description) | Status |
| GB/T 31168-2023 | Information security technology - Security capability requirements for cloud computing services | Valid |
| GB/T 31168-2014 | Information security technology - Security capability requirements of cloud computing services | Obsolete (superseded by GB/T 31168-2023) |
Basic data

| Field | Value |
| Standard ID | GB/T 31168-2023 (GB/T31168-2023) |
| Description (Translated English) | Information security technology - Security capability requirements for cloud computing services |
| Sector / Industry | National Standard (Recommended) |
| Classification of Chinese Standard | L80 |
| Classification of International Standard | 35.030 |
| Word Count Estimation | 78,771 |
| Date of Issue | 2023-05-23 |
| Date of Implementation | 2023-12-01 |
| Older Standard (superseded by this standard) | GB/T 31168-2014 |
| Issuing agency(ies) | State Administration for Market Regulation; China National Standardization Administration |
GB/T 31168-2023: Information security technology - Security capability requirements for cloud computing services
This is a DRAFT translation for illustration, not a final translation.
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replacing GB/T 31168-2014
Information Security Technology
Cloud Computing Service Security Capability Requirements
Issued on 2023-05-23
Implemented on 2023-12-01
Issued by the State Administration for Market Regulation and the National Standardization Management Committee
Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Expression and implementation of cloud computing security requirements
5.1 Responsibilities for implementing cloud computing security measures
5.2 Scope of cloud computing security measures
5.3 Classification of security requirements
5.4 Expression form of security requirements
5.5 Adjustment of security requirements
5.6 Security plan
6 System development and supply chain security
6.1 Resource allocation
6.2 System life cycle
6.3 Purchasing process
6.4 System documentation
6.5 Criticality analysis
6.6 External services
6.7 Developer security architecture
6.8 Development process, standards and tools
6.9 Development process configuration management
6.10 Developer security testing and evaluation
6.11 Training provided by the developer
6.12 Component authenticity
6.13 Unsupported system components
6.14 Supply chain protection
7 System and communication protection
7.1 Boundary protection
7.2 Confidentiality and integrity protection of transmissions
7.3 Network interruption
7.4 Trusted path
7.5 Password usage and management
7.6 Device access protection
7.7 Mobile code
7.8 Session authentication
7.9 Malicious code protection
7.10 Memory protection
7.11 System virtualization security
7.12 Network virtualization security
7.13 Storage virtualization security
7.14 Communication protection for security management functions
8 Access control
8.1 User identification and authentication
8.2 Identifier management
8.3 Authentication credential management
8.4 Authentication credential feedback
8.5 Cryptographic module authentication
8.6 Account management
8.7 Implementation of access control
8.8 Information flow control
8.9 Least privilege
8.10 Unsuccessful login attempts
8.11 System usage notice
8.12 Notification of previous access
8.13 Concurrent session control
8.14 Session locking
8.15 Actions to be taken on failure of identification and authentication
8.16 Security properties
8.17 Remote access
8.18 Wireless access
8.19 Use of external information systems
8.20 Publicly accessible content
8.21 WEB access security
8.22 API access security
9 Data protection
9.1 General data security
9.2 Media access and use
9.3 Protection of residual information
9.4 Data usage protection
9.5 Data sharing protection
9.6 Data migration protection
10 Configuration management
10.1 Configuration management plan
10.2 Baseline configuration
10.3 Change control
10.4 Setting of configuration parameters
10.5 Principle of least functionality
10.6 List of information system components
11 Maintenance management
11.1 Controlled maintenance
11.2 Maintenance tools
11.3 Remote maintenance
11.4 Maintenance personnel
11.5 Timely maintenance
11.6 Bug fixes
11.7 Security function verification
11.8 Software and firmware integrity
12 Emergency response
12.1 Incident handling plan
12.2 Incident handling
12.3 Incident reporting
12.4 Incident handling support
12.5 Security alerts
12.6 Error handling
12.7 Emergency response plan
12.8 Emergency response training
12.9 Emergency drills
12.10 Information system backup
12.11 Supporting the customer's business continuity plan
12.12 Telecommunications services
13 Audit
13.1 Auditable events
13.2 Audit record content
13.3 Audit record storage capacity
13.4 Response when the audit process fails
13.5 Audit review, analysis and reporting
13.6 Audit processing and report generation
13.7 Timestamp
13.8 Audit information protection
13.9 Non-repudiation
13.10 Audit record retention
14 Risk assessment and ongoing monitoring
14.1 Risk assessment
14.2 Vulnerability scanning
14.3 Continuous monitoring
14.4 Information system monitoring
14.5 Spam monitoring
15 Security organization and personnel
15.1 Security policies and procedures
15.2 Security organization
15.3 Job risks and responsibilities
15.4 Personnel screening
15.5 Personnel turnover
15.6 Staff transfer
15.7 Security of third-party personnel
15.8 Personnel sanctions
15.9 Security training
16 Physical and environmental security
16.1 Physical facilities and equipment siting
16.2 Physical and environmental planning
16.3 Physical environment access authorization
16.4 Physical environment access control
16.5 Output device access control
16.6 Physical access monitoring
16.7 Visitor access records
16.8 Equipment delivery and removal
Appendix A (informative) Summary of security capability requirements
Appendix B (informative) Description of the implementation of this document
References
Foreword
This document is drafted in accordance with the provisions of GB/T 1.1-2020 "Guidelines for Standardization Work Part 1: Structure and Drafting Rules for Standardization Documents".
This document replaces GB/T 31168-2014 "Information Security Technology Cloud Computing Service Security Capability Requirements". Compared with GB/T 31168-2014, apart from structural adjustments and editorial changes, the main technical changes are as follows:
a) The scope of application of this document has been changed (see Chapter 1; Chapter 1 of the 2014 edition);
b) Added normative references to GB/T 32400-2015 and GB/T 35273-2020 (see Chapter 3, 9.1.1);
c) Changed some terms and definitions (see Chapter 3; Chapter 3 of the 2014 edition);
d) Added the chapter "Abbreviations" (see Chapter 4);
e) Changed "cloud service model" to "cloud capability type" (see 5.1);
f) Added advanced requirements, so that each type of security requirement corresponds to general requirements, enhanced requirements and advanced requirements (see 5.4);
g) Deleted "Structure of this document" (see 4.7 of the 2014 edition);
h) Deleted the policies and procedures attached to each of the original requirement types and integrated them into "Policies and Procedures" in Chapter 14 (see 14.1; 5.1, 6.1, 7.1, 8.1, 9.1, 10.1, 11.1, 12.1, 13.1 and 14.1 of the 2014 edition);
i) Added "Communication protection for security management functions" (see 7.14);
j) Added "WEB access security" and "API access security" (see 8.21, 8.22);
k) Added the chapter "Data Protection", which puts forward data security requirements to ensure business continuity and data integrity during customer data migration (see Chapter 9);
l) Changed the chapter title "Maintenance" to "Maintenance Management" (see Chapter 11; Chapter 9 of the 2014 edition);
m) Changed the content of "Computer room design" (see Chapter 16; Chapter 14 of the 2014 edition).
Please note that some contents of this document may be subject to patents. The issuing agency of this document assumes no responsibility for identifying patents.
This document was proposed by, and is under the jurisdiction of, the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this document: China Electronics Data Service Co., Ltd., Sichuan University, Hangzhou Anheng Information Technology Co., Ltd., University of Science and Technology of China, China Institute of Electronic Technology Standardization, China Network Security Review Technology and Certification Center, National Information Technology Security Research Center, China Information Security Evaluation Center, China Academy of Information and Communications Technology, Beijing Information Security Evaluation Center, National Industrial Information Security Development Research Center, China Software Evaluation Center, China Mobile Communications Group Co., Ltd., China Power Great Wall Internet System Application Co., Ltd., Shenzhou Netcom Technology Co., Ltd., Shenzhen Sinfu Technology Co., Ltd., Ningxia Xiyun Data Technology Co., Ltd., 360 Digital Security Technology Group Co., Ltd., Ant Technology Group Co., Ltd., Hefei Gaowei Data Technology Co., Ltd., Shanghai Fangda (Beijing) Law Firm, Beijing Zhongce Anhua Technology Co., Ltd., China Power Herui Technology Co., Ltd., Alibaba Cloud Computing Co., Ltd., Wuhan University of Technology, Sichuan Development Big Data Industry Investment Co., Ltd., Southern Grid Digital Media Technology Co., Ltd., Shanghai Guanan Information Technology Co., Ltd., Zhongke Ruiyan (Tianjin) Technology Co., Ltd.
Main drafters of this document: Zhou Yachao, Luo Yonggang, Zuo Xiaodong, Chen Xingshu, Li Shifeng, Zhang Jianjun, Min Jinghua, Yang Jianjun, Li Bin, Wu Yang, Wang Huili, Zhang Chi, Shan Boshen, Xu Wanxiu, Cui Zhanhua, Wang Qixu, Yang Miaomiao, Zhang Mingming, Liu Jialiang, Hu Huaming, Ding Xiao, Shi Dawei, Lu Xia, Li Yuan, He Yanzhe, Liu Junhe, Wang Qiang, Chen Xuehong, Yang Shuaifeng, Liu Caiyun, Hu Zhenquan, Geng Guining, Shao Jiangning, Wei Tao, Guo Liang, Jia Yizhen, Ye Runguo, Tian Hui, Yin Yunxia, Du Yuge, An Zhaobin, Wu Fuwei, Zhang Bin, Jiang Weiqiang, Liu Yuheng, Yang Ting, Li Anlun, Xiao Guangdi, Cheng Junjun, Wang Kun, Zhang Feng, Qiu Qin, Ai Qingsong, Long Yihong, Zhang Dajiang, Huang Shaoqing, Guo Jing, Zheng Kexue, Chen Qingming, Wang Yongji, Zheng Jiu, Yang Bo, Wang Chaodong, Zhang Zhaolong, Jiang Tao, Zhao Hongyu.
The release status of previous versions of this document and of the documents it replaces is as follows:
--- GB/T 31168-2014 was first released in 2014;
--- This is the first revision.
Introduction
This document and GB/T 31167-2023 "Information Security Technology Cloud Computing Service Security Guidelines" together constitute the basic documents for cloud computing service security management. GB/T 31167-2023 proposes the basic principles of security management for customers using cloud computing services and provides the security management and technical measures for each stage of the cloud computing service life cycle; this document is aimed at cloud service providers and describes the security technical capabilities they should possess.
With reference to GB/T 31167-2023, this document divides requirements into general requirements, enhanced requirements and advanced requirements. Depending on the sensitivity and business importance of the data on the cloud computing platform, cloud service providers are required to have different security capabilities.
Information Security Technology
Cloud Computing Service Security Capability Requirements
1 Scope
This document specifies the security capabilities that cloud service providers should possess when providing cloud computing services.
This document is applicable to the construction, supervision, management and evaluation of cloud computing service capabilities.
2 Normative references
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 25069-2022 Information security technology - Terminology
GB/T 31167-2023 Information security technology - Security guidelines for cloud computing services
GB/T 32400-2015 Information technology - Cloud computing - Overview and vocabulary
GB/T 35273-2020 Information security technology - Personal information security specification
GB 50174 Code for design of data centers
3 Terms and definitions
The terms and definitions defined in GB/T 25069-2022, GB/T 31167-2023 and GB/T 32400-2015, together with the following, apply to this document.
3.1
cloud computing
Access through a network to a scalable and elastic pool of shared physical or virtual resources, with self-service acquisition and management of resources on demand.
Note: Examples of resources include servers, operating systems, networks, software, applications and storage devices.
3.2
cloud computing service
Capability to provide one or more resources by means of cloud computing (3.1) using defined interfaces.
3.3
cloud service provider
Party providing cloud computing services (3.2).
3.4
cloud service customer
Party in a business relationship for the purpose of using cloud computing services.
Note 1: A business relationship does not necessarily contain economic terms.
Note 2: Cloud service customers are referred to as customers in this document.