Basic data
Standard ID: GB/T 38632-2020 (GB/T38632-2020)
Description (translated English): Information security technology - Security requirements for application of intelligent audio-video recording device
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 14,139
Date of Issue: 2020-04-28
Date of Implementation: 2020-11-01
Issuing agency(ies): State Administration for Market Regulation; China National Standardization Administration
ICS 35.040
L80
National Standard of the People's Republic of China
Information security technology - Security requirements for application of intelligent audio and video capture equipment
Issued 2020-04-28
Implemented 2020-11-01
Issued by the State Administration for Market Regulation and the National Standardization Administration
Table of contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview
6 Security technical requirements
6.1 Equipment security technical requirements
6.1.1 Equipment identification and authentication
6.1.2 Access control
6.1.3 Network connection and ports
6.1.4 Data security
6.1.5 Software installation
6.1.6 Pre-installed software security
6.1.7 Security audit
6.1.8 Supply chain security
6.1.9 Service assurance security
6.2 Server-side security technical requirements
6.2.1 Identification and authentication
6.2.2 Access control
6.2.3 Data security
6.2.4 Security audit
7 Security management requirements
7.1 Security management system
7.2 Procurement management
7.3 Installation and commissioning management
7.4 Operation and maintenance management
7.5 Retirement and decommissioning management
Appendix A (informative) System overview
Appendix B (informative) Typical information security threats
Bibliography
Information security technology - Security requirements for application of intelligent audio and video capture equipment
1 Scope
This standard specifies the security technical requirements and security management requirements for intelligent audio and video capture equipment.
This standard applies to users' security management of the application of intelligent audio and video capture equipment deployed in key locations. It may also guide equipment and service providers in the information security design and production of their products, and may serve as a basis for the relevant departments to supervise, inspect and guide the security of intelligent audio and video capture equipment.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 25069-2010 Information security technology - Terminology
3 Terms and definitions
The terms and definitions defined in GB/T 25069-2010 and the following apply to this document.
3.1
Intelligent audio and video capture equipment
Electronic equipment that can collect and process audio or video information and that realizes automatic or interactive functions through network linkage with a server.
Note 1: Mainly includes network cameras, audio and video conferencing equipment, smart TVs with audio and video capture functions, and smart speakers.
Note 2: Smart mobile terminals, personal computers, smart wearable devices and other devices with audio and video capture functions are not within the scope of this standard.
3.2
Intelligent audio and video capture equipment server
Software and hardware equipment or systems that connect to intelligent audio and video capture equipment over the network and provide service functions such as equipment management, user management, authority management, data storage and data forwarding.
Note: Usually includes application servers, web servers, streaming media servers, data storage servers and other components.
3.3
Malicious code
Code specially designed for malicious purposes, with features and capabilities that can directly or indirectly harm users and their computer systems.
Note: Mainly includes viruses, worms, Trojan horses, ransomware, logic bombs, rogue software, etc.
3.4
Pre-installed software
Software pre-installed on the device when it is delivered to the user.
Note 1: Mainly includes firmware, system software and application software.
Note 2: If the device software at the time of delivery differs from the original equipment manufacturer's version, the software on the terminal at the time of delivery is regarded as the pre-installed software.
3.5
Original equipment manufacturer
An enterprise that manufactures equipment according to certain technical specifications and sells it under a specific brand and model.
Note: When the equipment purchased by the user does not come directly from the original equipment manufacturer, its functions may have been changed in intermediate distribution links.
3.6
Supplier
An organization that provides intelligent audio and video products or services.
Note: Adapted from GB/T 36637-2018, definition 3.2.
3.7
User data
Data generated by the user or serving the user, including data generated locally by the user, data generated locally for the user, and data entered into the user data area from outside with the user's permission.
[GB/T 32927-2016, definition 3.1.12]
4 Abbreviations
The following abbreviations apply to this document.
5 Overview
This standard proposes security technical requirements and security management requirements for intelligent audio and video capture equipment deployed in key locations. Appendix A presents the system architecture formed by intelligent audio and video capture equipment and its server. Appendix B presents the typical information security threats faced by intelligent audio and video capture equipment, including the collection of and access to users' audio and video data without the user's consent, and attacks on public networks through implanted malicious code.
Where this standard involves the use of cryptographic techniques to meet confidentiality, integrity, authenticity and non-repudiation requirements, the relevant national and industry cryptographic standards should be followed.
6 Security technical requirements
6.1 Equipment security technical requirements
6.1.1 Equipment identification and authentication
Intelligent audio and video capture equipment should:
a) have a unique identification code as the identifier of the device, and protect the identification code against tampering;
b) have a mechanism for authenticating the identity of the device, protect the related authentication information, and prevent its leakage.
6.1.2 Access control
Intelligent audio and video capture equipment should:
a) support the configuration of access control policies for important resources such as the network, storage and files;
b) have mechanisms, such as prompt dialog boxes, status indicators or physical switches, to prevent unauthorized access to and use of sensors such as cameras and microphones;
c) define the conditions under which remote access is permitted, and have a secure remote access mechanism.
6.1.3 Network connection and ports
Intelligent audio and video capture equipment should:
a) have a mechanism to turn on, turn off, disable or monitor the device's wireless and wired interfaces, such as WLAN, Bluetooth, mobile communication, USB, SD and DVB-T;
b) have a mechanism to close, disable or restrict the use of ports, protocols and services on the device that are not needed by the actual application.
6.1.4 Data security
Intelligent audio and video capture equipment should:
a) protect, through data encryption and other technologies, the integrity and confidentiality of important user data (such as user accounts, passwords, location, documents, pictures, audio and video) during transmission;
b) protect the integrity and confidentiality of important user data stored on the device through data encryption and other technologies;
c) not collect or modify user data without the user's consent.
6.1.5 Software installation
Intelligent audio and video capture equipment should:
a) have a mechanism to allow or prohibit users from installing third-party software;
b) not install third-party software without the user's consent;
c) when the user installs third-party software, verify the source and integrity of the software, and remind the user to take action when software from an unknown source or with damaged integrity is identified.
6.1.6 Pre-installed software security
Intelligent audio and video capture equipment should:
a) contain no functions in the pre-installed software other than those in the function list;
b) have a secure upgrade mechanism for the pre-installed software, and obtain the user's consent when upgrading the software;
c) protect the integrity of the firmware, and prevent the firmware from being modified by anyone other than the supplier and authorized third parties.
6.1.7 Security audit
Intelligent audio and video capture equipment should:
a) be able to audit events such as power-on and power-off, user creation, configuration changes, software installation and uninstallation, software upgrades, password changes, login failures and privileged user logins; the audit record should include the event type, the time the event occurred, the subject that triggered the event, the result of handling the event, and other information;
b) protect audit information against unauthorized access, modification and deletion;
c) support retrieval of the relevant local audit information by the server.
6.1.8 Supply chain security
For intelligent audio and video capture equipment:
a) the key chips, key modules, operating system and other components used should have clear supply chain information on manufacturer, origin and supplier;
b) when the product is delivered to the user, it should contain no chips, modules, software or other components with publicly disclosed high-risk security defects or vulnerabilities.
6.1.9 Service assurance security
Intelligent audio and video capture equipment should:
a) undergo sufficient security testing before delivery to the user, with discovered security defects repaired as far as possible and high-risk defects repaired without exception; for security defects and vulnerabilities not repaired during the development stage, a security management process for emergency repair on the user side should be implemented;
b) after delivery to the user, be covered by a continuous security assurance mechanism that notifies users promptly when an information security defect occurs and provides a repair method or an emergency response plan.
6.2 Server-side security technical requirements
6.2.1 Identification and authentication
The intelligent audio and video capture equipment server should:
a) support the identification and authentication of different users, and user identifiers should be unique;
b) support the identification and authentication of intelligent audio and video capture equipment;
c) when a username/password authentication mechanism is used, ensure that the generation, management and use of passwords meet the requirements of the relevant national standards;
d) protect the confidentiality and integrity of user and device authentication information;
e) when security protocols are used for remote management, use authentication mechanisms such as digital certificates or multi-factor authentication.
6.2.2 Access control
The intelligent audio and video capture equipment server should:
a) authorize and control user access on the basis of user identification;
b) set a validity period for the use of special access rights;
c) control the access rights of other applications.
6.2.3 Data security
The intelligent audio and video capture equipment server:
a) should use data encryption and other technologies to protect the integrity and confidentiality of important user data during transmission;
b) should use data encryption and other technologies to protect the integrity and confidentiality of important user data during storage;
c) should have disaster recovery and backup functions to ensure the availability of the system;
d) should be able to back up important data such as application data, system data, configuration data and audit logs.
6.2.4 Security audit
The intelligent audio and video capture equipment server should:
a) have a security audit function that records important user behaviour and important security events;
b) include in each audit record the date of the event, the user, the event type, and whether the event succeeded;
c) take the time at which an audit record is generated from a clock uniquely determined by the server system;
d) protect audit records against unauthorized access, modification and deletion;
e) have the function of obtaining the relevant audit information of the intelligent audio and video capture equipment.
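As an added example (not part of the standard or of any product), a small Python checker that tests exported audit records against the field sets required by 6.1.7 a) for the device and 6.2.4 b) for the server, so an operator can see which records would fail a 7.4 j) security audit. The JSON-lines layout, the field names and the event-type names are assumptions, and the sample records are constructed.

```python
"""Audit-record completeness check against the fields GB/T 38632-2020 lists
in 6.1.7 a) (device side) and 6.2.4 b) (server side).
Example code written for this page, not part of the standard; the JSON-lines
record layout and the field/event-type names are assumptions."""
import json
from datetime import datetime

# 6.1.7 a): events a device should be able to audit (type names are assumed).
DEVICE_EVENT_TYPES = {
    "power_on", "power_off", "user_create", "config_change",
    "software_install", "software_uninstall", "software_upgrade",
    "password_change", "login_failure", "privileged_login",
}
# 6.1.7 a): event type, time of occurrence, triggering subject, result.
DEVICE_REQUIRED = ("event_type", "time", "subject", "result")
# 6.2.4 b): date, user, event type, success/failure flag.
SERVER_REQUIRED = ("time", "user", "event_type", "success")


def check_record(line, side):
    """Return the findings for one JSON-encoded audit record from the
    'device' or 'server' side; an empty list means the record is complete."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["record is not valid JSON"]
    if not isinstance(rec, dict):
        return ["record is not a JSON object"]
    findings = []
    required = DEVICE_REQUIRED if side == "device" else SERVER_REQUIRED
    for field in required:
        if rec.get(field) in ("", None):
            findings.append("missing field: " + field)
    # 6.1.7 a) / 6.2.4 c): the timestamp must be present and parseable.
    if rec.get("time") not in ("", None):
        try:
            datetime.fromisoformat(str(rec["time"]))
        except ValueError:
            findings.append("time is not an ISO-8601 timestamp")
    if side == "device" and rec.get("event_type") not in DEVICE_EVENT_TYPES:
        findings.append("unknown device event type: %r" % rec.get("event_type"))
    if side == "server" and not isinstance(rec.get("success"), bool):
        findings.append("success must be a boolean")
    return findings


def audit_log_findings(lines, side):
    """Map 1-based line number -> findings for every incomplete record."""
    out = {}
    for n, line in enumerate(lines, start=1):
        if line.strip():
            findings = check_record(line, side)
            if findings:
                out[n] = findings
    return out


# Constructed sample records, not output of any real product.
DEVICE_LOG = [
    '{"event_type": "login_failure", "time": "2020-11-01T08:00:00", '
    '"subject": "admin", "result": "denied"}',
    '{"event_type": "config_change", "time": "2020-11-01T08:05:00", '
    '"subject": "admin"}',
    '{"event_type": "reboot", "time": "not-a-time", "subject": "system", '
    '"result": "ok"}',
]
SERVER_LOG = [
    '{"time": "2020-11-01T08:06:00", "user": "operator1", '
    '"event_type": "privilege_grant", "success": true}',
    '{"time": "2020-11-01T08:07:00", "user": "", '
    '"event_type": "export_video", "success": "yes"}',
]

if __name__ == "__main__":
    for side, log in (("device", DEVICE_LOG), ("server", SERVER_LOG)):
        for n, findings in audit_log_findings(log, side).items():
            print("%s record %d: %s" % (side, n, "; ".join(findings)))
```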
7 Security management requirements
7.1 Security management system
In the course of applying intelligent audio and video capture equipment and server products, users should:
a) incorporate the relevant products into the daily information security management system;
b) formulate corresponding security policies and security management procedures governing procurement, delivery, operation and maintenance, and decommissioning;
c) identify the person responsible for the security of each product.
7.2 Procurement management
When procuring intelligent audio and video capture equipment and server products, users:
a) should select products that meet actual needs according to the principle of minimal functionality;
b) are advised to purchase products that have passed information security testing by a third-party testing agency authorized by the relevant state departments;
c) should require suppliers to provide the product function list and function description;
d) should require the supplier to explain the information security design of the product;
e) should require the supplier to explain the information security risks that may be encountered during use of the product and the corresponding avoidance methods;
f) should distinguish between equipment suppliers, original equipment manufacturers and service providers, and clarify their respective information security responsibilities and obligations.
7.3 Installation and commissioning management
When installing and commissioning intelligent audio and video capture equipment and server products, users should:
a) have the supplier arrange qualified professionals or authorized practitioners to carry out the work;
b) install and configure strictly in accordance with the security configuration manual provided by the supplier;
c) set a different password for each device, and not use weak passwords or default username/password combinations;
d) designate a person to supervise the entire installation and commissioning process;
e) designate a dedicated person for acceptance, record whether each indicator meets the requirements, produce an acceptance test report, and have it confirmed by the personnel involved in the installation;
f) require the supplier to explain the network deployment of the server.
7.4 Operation and maintenance management
When operating and maintaining intelligent audio and video capture equipment and server products, users should:
a) establish a secure-use guide in accordance with the operating specifications or instructions provided by the supplier, and operate and maintain the equipment according to that guide, avoiding excessive or incorrect use of the equipment;
b) provide necessary security training for operation and maintenance personnel;
c) close unnecessary ports, protocols and services according to the principle of minimal functionality, and close or disable unnecessary wireless and wired interfaces;
d) recheck and update the access control policy when the network environment, personnel, system configuration or other elements change;
e) monitor the operating status of the system and of terminal equipment;
f) deploy intrusion detection and protection systems at important nodes and on important equipment to detect and respond to network attacks in real time;
g) implement malicious code protection at network entry and exit points and on system hosts, and update malicious code protection software in a timely manner;
h) update products with the software upgrade versions provided by the supplier, backing up existing important files before updating;
i) establish an evaluation and review mechanism for third-party software installation;
j) regularly conduct security inspections, security audits and security assessments of the products;
k) establish an information security incident response mechanism, and assess the impact, analyze the cause and collect evidence in a timely manner;
l) include the equipment and its application environment within the scope of the organization's risk assessment.
7.5 Retirement and decommissioning management
When retiring or decommissioning intelligent audio and video capture equipment and server products, users should:
a) first archive the information stored in the equipment, then completely remove all user-related information;
b) if the intelligent audio and video capture equipment server is provided by a third party as a cloud service, require the cloud service provider to remove all user-related information.
Appendix A
(Informative)
System overview
The intelligent audio and video capture equipment, the user terminals and the intelligent audio and video capture equipment server are connected over a network to form an application system, as shown in Figure A.1.
Intelligent audio and video capture equipment is mainly responsible for collecting and processing audio or video information, and exchanges business data with the server over the network. Typical intelligent audio and video capture equipment includes network cameras, video conferencing terminals, smart TVs with audio and video capture functions, and smart speakers.
Users access the intelligent audio and video capture equipment and server resources through user terminals. Typical user terminals include PCs and smartphones; in smart TV and video conferencing applications, the intelligent audio and video capture devices themselves are also user terminals.
The intelligent audio and video capture equipment server comprises the software and hardware equipment and systems that provide service functions such as equipment management, user management, authority management, data storage and data forwarding for the application business of the intelligent audio and video capture equipment; it usually includes application servers, web servers, streaming media servers, database servers and other components.
Depending on the application scenario, the intelligent audio and video capture equipment server may be implemented as a single device (for example, in a small video security system a digital video recorder can act as the server managing multiple video capture devices), as multiple servers coexisting independently (for example, a smart TV can connect to several different servers for terrestrial broadcasting, Internet on-demand, motion-sensing games, online music and so on), as multiple servers coexisting in a cascaded structure (for example, in a large video security system the servers may be divided into two or three tiers, with different tiers granted different permissions according to their responsibilities), or as a cloud service.
Appendix B
(Informative)
Typical information security threats
B.1 Overview
Important user information collected, stored or processed during the application of intelligent audio and video capture equipment must be protected; otherwise its confidentiality, integrity and availability may be compromised. The information to be protected mainly includes: information obtained from pictures and recordings taken in the working environment; the identity, location, work content and other information of staff; information on surrounding personnel, vehicles, incidents and the like collected by the device; important user data transmitted over the communication network; and user information stored in lost or retired equipment.
The threats giving rise to these information security risks may come from technical sources such as malicious code, unauthorized access and denial of service attacks, or from users' day-to-day operations.
B.2 Malicious code
Intelligent audio and video capture devices may be infected with malicious code in various ways, including but not limited to:
a) malicious code present in the pre-installed software;
b) malicious code present in software installed by the user or by operation and maintenance personnel;
c) malicious code introduced by an insecure software upgrade process;
d) infection through access to external devices and networks over uncontrolled WLAN, Bluetooth, mobile communication and other links;
e) infection through receiving wireless broadcast signals such as DVB-T and DTMB.
B.3 Unauthorized access
Intelligent audio and video capture equipment and its server may face the following unauthorized access threats, including but not limited to:
a) unauthorized users accessing the intelligent audio and video capture equipment and server by physical or network means;
b) intelligent audio and video capture equipment accessing other networks or other equipment without authorization;
c) unauthorized intelligent audio and video capture equipment accessing the server.
B.4 Denial of service attack
Intelligent audio and video capture equipment and its server:
a) when subjected to a DoS attack, have the availability of their data and services threatened;
b) when maliciously exploited or illegally controlled, can be used to launch DoS attacks against the equipment of other systems.
B.5 User factors
In the use of intelligent audio and video capture equipment, the security threats arising from non-standard operation include but are not limited to:
a) no effective security management system has been established;
b) the information security risks brought by the intelligent audio and video capture equipment are not evaluated regularly;
c) the equipment and its server are not procured and installed in accordance with established regulations;
d) configuration management, change management, software updates, security audits and the like are not performed on the equipment and its server in accordance with established procedures;
e) the equipment and its server are not retired or decommissioned in accordance with established procedures.