|
US$439.00 · In stock
Delivery: <= 4 days. True-PDF full-copy in English will be manually translated and delivered via email.
GB/T 37952-2019: Information security technology - Technical requirements of mobile terminal security management platform
Status: Valid
| Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Standard Title (Description) | Status | PDF |
| GB/T 37952-2019 | English | 439 |
Add to Cart
|
4 days [Need to translate]
|
Information security technology - Technical requirements of mobile terminal security management platform
| Valid |
GB/T 37952-2019
|
PDF similar to GB/T 37952-2019
Basic data | Standard ID | GB/T 37952-2019 (GB/T37952-2019) | | Description (Translated English) | Information security technology - Technical requirements of mobile terminal security management platform | | Sector / Industry | National Standard (Recommended) | | Classification of Chinese Standard | L80 | | Classification of International Standard | 35.040 | | Word Count Estimation | 22,284 | | Date of Issue | 2019-08-30 | | Date of Implementation | 2020-03-01 | | Issuing agency(ies) | State Administration for Market Regulation, China National Standardization Administration | GB/T 37952-2019: Information security technology - Technical requirements of mobile terminal security management platform
---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Information security technology - Technical requirements of mobile terminal security management platform
ICS 35.040
L80
National Standards of People's Republic of China
Information Security Technology
Technical requirements for mobile terminal security management platform
2019-08-30 released
2020-03-01 Implementation
State Administration for Market Regulation
Issued by China National Standardization Administration
Table of contents
Preface Ⅲ
1 Scope 1
2 Normative references 1
3 Terms and definitions 1
4 Abbreviations 1
5 Product description 1
6 Safety technical requirements 2
6.1 Basic level safety technical requirements 2
6.2 Enhanced safety technical requirements 7
Appendix A (informative appendix) Classification requirements 14
Appendix B (informative appendix) Typical application scenarios 16
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that certain contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed and managed by the National Information Security Standardization Technical Committee (SAC/TC260).
Drafting organizations of this standard. China Academy of Information Security Co., Ltd., the Third Research Institute of the Ministry of Public Security, China Electronics Standardization Institute,
National Industrial Information Security Development Research Center, National Information Technology Security Research Center, China Information Security Evaluation Center, China Cyber Security
Review Technology and Certification Center, National Information Center, National Computer Virus Emergency Response Center, Shanghai Ideal Information Industry (Group) Co., Ltd.
Company, Beijing Beixinyuan Software Co., Ltd., Shanghai Industrial Control Security Innovation Technology Co., Ltd., Beijing Zhongke Zhizi Data Technology Co., Ltd.
Company, East China Normal University, Beijing Times Xinwei Information Technology Co., Ltd., CLP Intelligent Information Technology (Shenzhen) Co., Ltd., Xi'an Electronics
University of Technology, Beijing University of Aeronautics and Astronautics, Communication University of China, Chongqing University of Posts and Telecommunications, Anhui University of Science and Technology, Beijing Ming Dynasty Wanda Technology Co., Ltd.
Company, Beijing Yangpu Weiye Technology Development Co., Ltd.
The main drafters of this standard. Yang Chen, Zhang Yan, Zhang Chi, Wang Huilai, Zuo Xiaodong, Zhang Ge, Lu Zhen, Gu Jian, Ru Zongguang, Liu Xiangang, Fan Kefeng,
Liang Lulu, Wei Fangfang, Wang Jiajie, Wang Shi, Wang Xinjie, Mao Jian, Ma Wenping, Xiao Rong, Zhong Li, Ding Fuqiang, Jia Xuefei, Du Zhenhua, Zhang Zheyu,
Cui Zhanhua, Wang Linjia, Huang Yibin, Zhou Yachao, Hu Yalan, Huang Yonghong, Liu Hong, Wu Qianhong, Jiang Zhengtao, Chen Xiaofeng, Di Xingben, Cao Hao, He Daojing,
Liu Yuheng, Lu Zuohua, Yu Bo, Cui Chunxia, Liu Mingjun, Bi Qiang.
Information Security Technology
Technical requirements for mobile terminal security management platform
1 Scope
This standard specifies the technical requirements for the mobile terminal security management platform, including security function requirements and security assurance requirements.
This standard applies to the design, development and testing of mobile terminal security management platform products. It is an organization or institution (hereinafter referred to as the "organization").
Provide a reference for the security protection of mobile internet applications.
2 Normative references
The following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this article
Pieces. For undated references, the latest version (including all amendments) applies to this document.
GB/T 18336.3-2015 Information Technology Security Technology Information Technology Security Assessment Criteria Part 3.Security Assurance Components
GB/T 25069-2010 Information Security Technical Terms
3 Terms and definitions
The following terms and definitions defined in GB/T 18336.3-2015 and GB/T 25069-2010 apply to this document.
3.1
Mobile terminal
A mobile communication terminal product that is connected to the public mobile communication network, has an operating system, and can be installed and uninstalled by users by themselves.
3.2
Mobile terminal security management platform
In order to enhance the security and controllability of mobile terminals, unified management and security of mobile terminal equipment and applications are carried out through customized security policies.
Full access control products.
4 Abbreviations
The following abbreviations apply to this document.
5 Product description
This standard is based on the principle of GB/T 18336.3-2015 security assurance requirement level division, based on the mobile terminal security management platform
According to the strength of safety function requirements and safety guarantee requirements, the safety level is divided into basic level and enhanced level. Basic level can correspond to support level protection
Requirements below level 3.The enhanced level corresponds to the requirements of support level protection level three (inclusive) and above. Refer to Appendix A for classification. Added in enhanced level
The requirements will be marked in bold.
This standard regulates the security technical requirements of the mobile terminal security management platform from two aspects. security function requirements and security assurance requirements.
Refer to Appendix B for typical application scenarios. Security function requirements include terminal management, application management, data security, terminal access control, and security management.
There are seven aspects including management, client protection, and security auditing. The security assurance requirements mainly include development, guidance documents, life cycle support, and testing.
Try and so on.
6 Safety technical requirements
6.1 Basic level safety technical requirements
6.1.1 Safety function requirements
6.1.1.1 Terminal management
6.1.1.1.1 Terminal registration
The registration function of the mobile terminal shall be provided. The registration information includes the registration date, hardware model, device serial number, system software version,
Department etc.
6.1.1.1.2 Remote management
The following remote management functions shall be supported.
a) Remotely lock the mobile terminal;
b) Remotely erase sensitive business data stored in mobile terminals;
c) Remotely back up sensitive business data stored in mobile terminals;
d) Authorized personnel remotely set function restriction policies, which should at least include disabling the camera, prohibiting screenshots, disabling WiFi, and restricting SD card reading
Write permissions, etc.
6.1.1.1.3 Storage media management
It should support functions such as the management and monitoring of external storage media of mobile terminals, and alert and block illegal use.
6.1.1.1.4 Safety monitoring
The following monitoring functions shall be supported.
a) Monitor the installation and operation of malicious program detection software in mobile terminals;
b) Monitor the location information of the mobile terminal, operating services, equipment performance, software version (including operating system, etc.) and other information.
6.1.1.1.5 Password or biometric authentication strategy
The following functions should be supported.
a) Remotely set the terminal power-on password strategy, block the access of the terminal without a password, and support the biometric authentication function;
b) Monitor whether a user account password is set, and block access to terminals without a user password;
c) Remotely set user password strategy, at least including password type, regular replacement strategy, limit on the number of failures, etc.
6.1.1.2 Application Management
Should support the function of authorized personnel to set application whitelist and blacklist, and be able to perform corresponding operations according to the whitelist and blacklist.
6.1.1.3 Data security
6.1.1.3.1 Data secure transmission
Security mechanisms such as encryption and data integrity protection should be adopted to ensure the safe and reliable transmission of terminal data.
6.1.1.3.2 Data security storage
The following secure storage functions shall be supported.
a) Encrypted storage and integrity protection of sensitive data in the server;
b) Realize authorization access control based on roles or attributes for sensitive data in the server;
c) The sensitive data stored in mobile terminals and external storage devices should be encrypted, and unencrypted sensitive data can be erased;
d) Integrity protection of sensitive data stored in mobile terminals and external storage devices.
6.1.1.3.3 Data leakage prevention
Should support sensitive data anti-leakage security policy configuration, real-time monitoring of business system data in the terminal, and support for scanning data content
Features such as scanning, filtering and blocking sensitive data transmission.
6.1.1.3.4 Personal information protection
Necessary measures should be taken to ensure the safety of personal information stored in mobile terminals and servers, and to prevent information leakage, damage, loss, etc.
6.1.1.4 Terminal access control
6.1.1.4.1 Access authentication
Should support the function of allowing only mobile terminals registered on the server to access the organization's business system.
6.1.1.4.2 Access Control Strategy
The following access control policy configuration functions shall be supported.
a) Develop different application resource access control strategies for different terminals.
b) Provide the following access restriction capabilities.
---Only allow authorized terminals to access application resources;
---The content of authorized terminals to access application resources cannot exceed the predefined scope;
---Operations that authorize the terminal to access application resources (such as reading, writing, copying, and downloading files and folders) do not
Can exceed the predefined range (if applicable);
---The time for authorized terminals to access application resources cannot exceed the predefined range (if applicable);
---When an authorized terminal accesses application resources through the network, the serial number/address of the mobile terminal used by the terminal cannot
Out of the predefined range (if applicable);
---The number of authorized terminals to access application resources cannot exceed the predefined range (if applicable).
c) The mobile terminal's access to application resources should be restricted by access control policies.
6.1.1.5 Security Management
6.1.1.5.1 Administrator attribute initialization
Should support the function of initializing attributes such as the account and password of the authorized administrator.
6.1.1.5.2 Administrator unique identification
Should support the unique identification function of authorized administrators, and associate the identification of authorized administrators with all auditable events.
6.1.1.5.3 Administrator attribute modification
Should support authorized administrator attributes (including at least the administrator password) to modify the function.
6.1.1.5.4 Administrator authentication
When logging in and performing important security functions, users who claim to perform the duties of an authorized administrator shall be authenticated, and the authentication shall be supported.
Don’t fail processing function, when the number of times of identity authentication failure reaches the specified threshold, it should be able to block the authentication request.
6.1.1.5.5 Configuration management capabilities
It should support authorized administrators to perform security configuration and management functions of the platform, including at least.
a) Add, delete and modify related policies such as access control;
b) View the current access control policy configuration;
c) View and manage audit records.
6.1.1.5.6 Management role
Mechanisms such as authorization management based on roles and attributes should be supported to realize the division of management roles such as system management, audit management, and security management.
6.1.1.5.7 Unified terminal management
Should support unified terminal management functions, including.
a) Unified installation of mobile terminal client software;
b) Unified distribution of the whitelist of mobile terminal applications;
c) Unified upgrade of mobile terminal operating system, application software, client software, etc.
6.1.1.6 Client protection
It should support the function of security protection for the client program installed on the mobile terminal, and prevent the following operations by unauthorized personnel.
Line monitoring and warning.
a) Forcibly terminate the operation of the client software;
b) Forcibly cancel the automatic loading of the client software when the system starts;
c) Forcibly uninstall, delete or modify the client software.
6.1.1.7 Security audit
6.1.1.7.1 Audit record generation
The audit record includes the date and time of the event, the identity of the event subject, the description of the event, and the signs of success or failure.
Event generation audit record.
a) Authorized administrator to identify success and failure;
b) Terminal authentication success and failure events;
c) The number of failed authentication attempts by the authorized administrator exceeds the set limit and the session connection is terminated;
d) The number of failed terminal authentication attempts exceeds the set limit and the session connection is terminated;
e) Authorize important operations of administrators, such as adding and deleting administrators, terminal user management, remote backup of mobile terminal business data,
Remotely lock mobile terminals and remotely erase business data of mobile terminals, etc.;
f) All requests from the terminal for application resource access, including successful and failed requests.
6.1.1.7.2 Audit record storage
The audit record should be stored in a non-volatile storage medium after power failure. When the storage space reaches the threshold, the authorized administrator should be automatically alerted.
6.1.1.7.3 Audit record management
The following audit record management functions shall be supported.
a) Only authorized administrators are allowed to access audit records;
b) Combined query of audit records by date, time, terminal identification, etc.;
c) Back up audit records.
6.1.2 Security requirements
6.1.2.1 Development
6.1.2.1.1 Security Architecture
The developer should provide the evaluator with a description of the security architecture of the product's security functions, and the description of the security architecture should meet the following requirements.
a) Consistent with the level of abstract description of the safety function implemented in the product design document;
b) Describe the safety domain of the product safety function consistent with the safety function requirements;
c) Describe why the product safety function initialization process is safe;
d) Verify that the product safety function can prevent damage;
e) Verify that the product safety function can prevent the safety feature from being bypassed.
6.1.2.1.2 Functional Specification
The developer shall provide a complete functional specification to the evaluator, and the functional specification shall meet the following requirements.
a) Fully describe the safety function of the product;
b) Describe the purpose and usage of all safety function interfaces;
c) Identify and describe all parameters related to each safety function interface;
d) Describe the safety function implementation behavior related to the safety function interface;
e) Describe the direct error messages caused by the behavioral processing of the security function;
f) Verify that the safety function requires traceability to the safety function interface.
6.1.2.1.3 Product design
The developer shall provide the product design document to the evaluator, and the product design document shall meet the following requirements.
a) Describe the product structure according to the subsystem;
b) Identify and describe all sub-systems of product safety functions;
c) Describe the interaction between all subsystems of the safety function;
d) The provided mapping relationship can verify that all behaviors described in the design can be mapped to the security function interface that calls it.
6.1.2.2 Guiding documents
6.1.2.2.1 Operation User Guide
The developer shall provide the evaluator with a clear and reasonable operating user guide, operating user guide and all other documents provided for evaluation
To be consistent, the description of each user role should meet the following requirements.
a) Describe the functions and privileges that are accessible to users controlled in the secure processing environment, including appropriate warning information;
b) Describe how to use the available interfaces provided by the product in a safe manner;
c) Describe the available functions and interfaces, especially all the safety parameters controlled by the user, and specify the safety values when appropriate;
d) Clearly state every security-related event related to the user-accessible function that needs to be performed, including changing the control of the security function
The security features of the control entity;
e) Identify all possible states of product operation (including failures or operational errors caused by operations), and their relationship with maintaining safety
Causality and connection between operations;
f) Contain a security strategy that fully achieves the security objectives;
g) Follow the principles of lawfulness, fairness and necessity, and not use the software to collect personal information irrelevant to the services it provides.
6.1.2.2.2 Preparation procedures
The developer should provide the product and its preparation procedure to the evaluator, and the preparation procedure description should meet the following requirements.
a) Describe all the steps necessary to safely receive the delivered product consistent with the developer's delivery procedure;
b) Describe all the steps necessary to safely install the product and its operating environment.
6.1.2.3 Life cycle support
6.1.2.3.1 Configuration management capabilities
The developer's configuration management capabilities should meet the following requirements.
a) Provide unique identification for different versions of the product;
b) Use the configuration management system to maintain all configuration items that make up the product, and uniquely identify the configuration items;
c) Provide configuration management documents, which describe the methods used to uniquely identify configuration items.
6.1.2.3.2 Configuration management scope
The developer shall provide the evaluator with a list of product configuration items that includes the product, safety assurance requirements evaluation evidence and product components, and say
Specifies the developer of the configuration item.
6.1.2.3.3 Delivery procedures
Developers should use certain delivery procedures to deliver products and document the delivery process. When delivering each version of the product to the user,
The delivery document should describe all procedures necessary to maintain safety.
6.1.2.4 Test
6.1.2.4.1 Overwrite
The developer should provide the evaluator with a test coverage document, indicating that the test identified in the test document and the product described in the functional specification
Correspondence between the safety functions.
6.1.2.4.2 Function test
Developers should test product safety functions, document the results and provide test documents to the evaluator. The test document should include the following.
a) Test plan, which identifies the tests to be performed, and describes the plan for executing each test. These plans include the results of other tests
Any order dependency of;
b) The expected test result, indicating the expected output after the test is successful;
c) The actual test results are consistent with the expected test results.
6.1.2.4.3 Independent test
The developer should provide the evaluator with a set of equivalent resources used in the self-testing of the safety function for the sampling test of the safety function.
6.1.2.4.4 Vulnerability assessment
Developers should identify potential vulnerabilities and conduct security tests. Based on the potential vulnerability of the logo, verify that the product can resist
Attack by an attacker with this attack potential.
6.2 Enhanced safety technical requirements
6.2.1 Safety function requirements
6.2.1.1 Terminal management
6.2.1.1.1 Terminal registration
The registration function of the mobile terminal should be provided, and the registration information includes the registration date, hardware model, equipment serial number, system software version, department, etc.
6.2.1.1.2 System access control status detection
Should support the function of detecting the authority control status of the mobile terminal system.
6.2.1.1.3 Remote management
The following remote management functions shall be supported.
a) Remotely lock the mobile terminal;
b) Remotely erase sensitive business data stored in mobile terminals;
c) Remotely back up sensitive business data stored in mobile terminals;
d) Authorized personnel remotely set function restriction policies, which should at least include disabling the camera, prohibiting screenshots, disabling WiFi, and restricting SD card read and write permissions, etc.;
e) Remotely uninstall the illegal application software installed on the mobile terminal.
Note. Violating application software refers to the illegal application software listed in the blacklist in 6.1.2.
6.2.1.1.4 Storage media management
It should support functions such as the management and monitoring of external storage media of mobile terminals, and alert and block illegal use.
6.2.1.1.5 Safety monitoring
The following monitoring functions shall be supported.
a) Monitor the installation and operation of malicious program detection software in mobile terminals;
b) Monitor the location information of the mobile terminal, operating services, equipment performance, software version (including operating system, etc.) and other information.
6.2.1.1.6 Password or biometric authentication strategy
The following functions should be supported.
a) Remotely set the terminal power-on password strategy, block the access of the terminal without a password, and support the biometric authentication function;
b) Monitor whether a user account password is set, and block access to terminals without a user password;
c) Remotely set user password strategy, at least including password type, regular replacement strategy, limit on the number of failures, etc.
6.2.1.2 Application Management
Should support authorized personnel to set the function of application whitelist and blacklist, and support the execution of corresponding operations based on the whitelist and blacklist.
6.2.1.3 Data Security
6.2.1.3.1 Data secure transmission
Security mechanisms such as encryption and data integrity protection should be adopted to ensure the safe and reliable transmission of terminal data.
6.2.1.3.2 Data security storage
The following secure storage functions shall be supported.
a) Encrypted storage and integrity protection of sensitive data in the server;
b) Realize authorization access control based on roles or attributes for sensitive data in the server;
c) The sensitive data stored in mobile terminals, external storage devices, etc. should be encrypted, and unencrypted sensitive data can be erased;
d) Integrity protection of sensitive data stored in mobile terminals and external storage devices.
6.2.1.3.3 Data leakage prevention
Should support sensitive data anti-leakage security policy configuration, real-time monitoring of business system data in the terminal, and support for scanning data content
Features such as scanning, filtering and blocking sensitive data transmission.
6.2.1.3.4 Personal information protection
Necessary measures should be taken to ensure the safety of personal information stored on the terminal and the server, and prevent information leakage, damage, loss, etc.
6.2.1.4 Terminal access control
6.2.1.4.1 End user authentication management
6.2.1.4.1.1 Access authentication
Should support the function of allowing only registered mobil...
Tips & Frequently Asked Questions:Question 1: How long will the true-PDF of GB/T 37952-2019_English be delivered?Answer: Upon your order, we will start to translate GB/T 37952-2019_English as soon as possible, and keep you informed of the progress. The lead time is typically 2 ~ 4 working days. The lengthier the document the longer the lead time. Question 2: Can I share the purchased PDF of GB/T 37952-2019_English with my colleagues?Answer: Yes. The purchased PDF of GB/T 37952-2019_English will be deemed to be sold to your employer/organization who actually pays for it, including your colleagues and your employer's intranet. Question 3: Does the price include tax/VAT?Answer: Yes. Our tax invoice, downloaded/delivered in 9 seconds, includes all tax/VAT and complies with 100+ countries' tax regulations (tax exempted in 100+ countries) -- See Avoidance of Double Taxation Agreements (DTAs): List of DTAs signed between Singapore and 100+ countriesQuestion 4: Do you accept my currency other than USD?Answer: Yes. If you need your currency to be printed on the invoice, please write an email to [email protected]. In 2 working-hours, we will create a special link for you to pay in any currencies. Otherwise, follow the normal steps: Add to Cart -- Checkout -- Select your currency to pay.
|