GB/T 38660-2020_English: PDF (GB/T38660-2020)
Standard ID: GB/T 38660-2020 (GB/T38660-2020)
Description (Translated English): Identification system for internet of things -- Security mechanism for E-code identification system
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: A24
Classification of International Standard: 35.040
Word Count Estimation: 9,948
Date of Issue: 2020-03-31
Date of Implementation: 2020-10-01
Quoted Standards: GB/T 2887; GB/T 17963; GB/T 22239; GB/T 25064; GB/T 31866
Drafting Organizations: China Article Numbering Center, Beijing University of Posts and Telecommunications, Inner Mongolia Autonomous Region Standardization Institute, China Civil Aviation Information Network Co., Ltd., Beijing Oriental Jetma Technology Development Center, Shenzhen Institute of Standards and Technology, Beijing Jiaotong University
Administrative Organization: National Technical Committee on Standardization of Article Coding (SAC/TC 287)
Proposing Organization: National Technical Committee on Standardization of Article Coding (SAC/TC 287)
Issuing Agencies: State Administration for Market Regulation, National Standardization Administration
Summary: This standard specifies the general requirements, coded data security, authentication and authorization, access control, interaction security, security assessment and management requirements for the Ecode identification system in the IoT identification system. This standard is applicable to the information security assurance in the construction and application of the Ecode identification system in the IoT identification system.
GB/T 38660-2020
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
A 24
Identification System for Internet of Things - Security
Mechanism for Ecode Identification System
ISSUED ON: MARCH 31, 2020
IMPLEMENTED ON: OCTOBER 1, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of
China.
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Abbreviations
5 General Requirements for Security of Ecode Identification System
6 Security Requirements for Ecode Encoding Data
7 Identity Authentication and Authorization Requirements for Ecode Identification System
8 Access Control Requirements for Ecode Identification System
9 Interaction Security Requirements for Ecode Identification System
10 Security Assessment Requirements for Ecode Identification System
11 Management Requirements for Ecode Identification System
Bibliography
Identification System for Internet of Things - Security
Mechanism for Ecode Identification System
1 Scope
This Standard specifies the general requirements, encoding data security,
authentication and authorization, access control, interaction security, security
assessment and management requirements for Ecode identification system in the
identification system for Internet of Things.
This Standard is applicable to information security assurance in the construction and
application of Ecode identification system in the identification system for Internet of
Things.
2 Normative References
The following documents are indispensable to the application of this document. In
terms of references with a specified date, only versions with a specified date are
applicable to this document. In terms of references without a specified date, the latest
version (including all the modifications) is applicable to this document.
GB/T 2887 General Specification for Computer Field
GB/T 17963 Information Technology - Open Systems Interconnection - Network Layer
Security Protocol
GB/T 22239 Information Security Technology - Baseline for Classified Protection of
Cybersecurity
GB/T 25064 Information Security Technology - Public Key Infrastructure - Electronic
Signature Formats Specification
GB/T 31866 Identification System for Internet of Things - Entity Code
3 Terms and Definitions
The terms and definitions established in GB/T 31866, together with the following,
apply to this document.
3.1 Security Mechanism for Ecode Identification System
Security mechanism for Ecode identification system refers to a collection of
assessment or certification of a nationally approved third-party institution.
5.3 Disaster Recovery Center
The Ecode identification system disaster recovery center should select a location with
good geological conditions. The disaster recovery center shall adopt remote disaster
recovery and should not be in the same earthquake zone as the main center.
5.4 Security Audit
Security audit shall include functions, such as: automatic response, data generation,
audit analysis, review, event selection and event storage, etc. The audit log content
shall include the time, type, subject identity and result of security event.
6 Security Requirements for Ecode Encoding Data
6.1 Ecode Encoding Data Storage
The security of Ecode encoding data storage shall comply with the following
requirements:
a) The medium that stores Ecode encoding data shall be stable and reliable, and
shall not be significantly affected by the physical conditions of the external
environment;
b) Mobile medium shall not be used to store or transfer Ecode encoding data;
c) Technical processing shall be carried out on the medium, from which, Ecode
encoding data has been deleted, so that the deleted data cannot be recovered;
d) Authorization management shall be carried out on the storage medium entry
and exit process, and corresponding records shall be retained.
6.2 Ecode Encoding Data Transmission
The anti-interference, privacy, integrity and correctness of Ecode encoding data during
the transmission process shall be guaranteed. See the specific requirements below:
a) Necessary technical and management measures shall be taken to prevent
interference of Ecode encoding data during the transmission.
b) Necessary technical and management measures shall be taken to ensure the
privacy of Ecode encoding data during the transmission. The network
transmission of the Ecode identification system shall have the capability of
preventing eavesdropping; security protocols, for example, HTTPS, should be
adopted; digital certificates shall be installed. The security protection
mechanism of the transmission protocol shall comply with the requirements
established, which shall be respectively stored on media like disks, so as to
facilitate data recovery when necessary;
d) A regular transferred storage system of the Ecode database shall be
established. In accordance with the Ecode encoding data transaction volume,
the frequency of the transferred storage shall be determined. The strategy of
real-time transferred storage should be adopted.
6.5 Ecode Identification System Sensitive Information Protection
Necessary technical and management measures shall be taken to protect sensitive
information of the Ecode identification system. See the specific requirements below:
a) Sensitive information, such as: ID cards and business licenses, shall be
stored and calculated in the Ecode identification system; data shall not be
locally stored;
b) The application and transferring process of sensitive information storage
media shall be rigorously tracked and monitored, so as to prevent loss and
information leakage;
c) Without permission, the scope of data services must not be exceeded, and
data must not be altered or transmitted. In addition, it is prohibited to display
sensitive information in the Ecode identification system in plain text;
d) Unified medium destruction tools shall be provided, which include, but are not
limited to: physical destruction and degaussing equipment, so as to implement
effective destruction of various media.
6.6 Ecode Encoding Verification
Ecode encoding verification shall comply with the following requirements:
a) In the Ecode encoding structure, the MD encoding method shall be complete
and accurate; necessary verification mechanisms shall be adopted;
b) Ecode encoding resolution system shall establish an Ecode encoding
comparison and verification mechanism to compare and verify the resolved V,
NSI and MD information with the original codewords in the database, so as to
ensure the accuracy and consistency of the encoding.
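The comparison-and-verification step of 6.6 b), as an added example that is not part of the standard or of any Ecode implementation. It assumes a layout of V (1 digit) + NSI (4 digits) + MD (1 to 20 digits), which is an assumption to be checked against GB/T 31866, and uses a constructed in-memory registry in place of the Ecode database.

```python
"""Added example (not from GB/T 38660-2020 or GB/T 31866): resolve a code
into V, NSI and MD and compare the result with the original codeword held
in the database, as clause 6.6 b) requires.

Assumption (check GB/T 31866 for the normative layout): a decimal string of
V (1 digit) + NSI (4 digits) + MD (1 to 20 digits). REGISTRY is a constructed
stand-in for the Ecode database."""

from typing import Optional

# Constructed registry: original codeword -> fields recorded at registration.
REGISTRY = {
    "1000169012345678901": {"v": "1", "nsi": "0001", "md": "69012345678901", "active": True},
    "100021234567890":     {"v": "1", "nsi": "0002", "md": "1234567890",     "active": False},
    "100031111":           {"v": "1", "nsi": "0003", "md": "2222",           "active": True},  # corrupted record
}

def resolve(code: str) -> Optional[dict]:
    """Split a code into V/NSI/MD under the assumed layout; None if malformed."""
    if not code.isdigit() or not 6 <= len(code) <= 25:
        return None
    return {"v": code[0], "nsi": code[1:5], "md": code[5:]}

def verify_ecode(code: str) -> list:
    """Return the discrepancies found; an empty list means the resolved
    fields agree with the original codeword stored in the registry."""
    problems = []
    fields = resolve(code)
    if fields is None:
        return ["malformed code"]
    rec = REGISTRY.get(code)
    if rec is None:
        return ["no matching codeword in registry"]
    if not rec["active"]:
        problems.append("codeword not active")
    # field-by-field comparison of the resolved values with the stored ones
    for name in ("v", "nsi", "md"):
        if fields[name] != rec[name]:
            problems.append(f"{name} mismatch: resolved {fields[name]!r}, stored {rec[name]!r}")
    # the stored fields must also reassemble into the codeword itself
    if rec["v"] + rec["nsi"] + rec["md"] != code:
        problems.append("stored fields do not reassemble to the codeword")
    return problems
```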
7 Identity Authentication and Authorization Requirements for Ecode Identification System
7.1 Ecode Identification System Identity Authentication Management
9 Interaction Security Requirements for Ecode Identification System
The consistency, integrity and non-repudiation of information during the interaction
process shall be ensured. There shall be mechanisms to prevent attacks, such as:
fraud, replay and counterfeiting, and ensure the privacy of data between the
communicating parties.
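A receiver-side check for the interaction requirements above (integrity of the message, rejection of replayed messages), as an added example that is not part of the standard. It assumes each message carries a timestamp and a random nonce and is authenticated with HMAC-SHA256 over a canonical JSON encoding under a constructed shared key; HMAC gives integrity and origin authentication between the two parties, while non-repudiation toward a third party needs an asymmetric signature (GB/T 25064 is the referenced format specification).

```python
"""Added example (not from GB/T 38660-2020): a receiver that verifies message
integrity and rejects replays and stale messages, for the clause 9 requirements.
Assumptions: HMAC-SHA256 over canonical JSON with a constructed shared key,
an integer timestamp 'ts', a random 'nonce', and a 300 s acceptance window."""

import hashlib, hmac, json, secrets, time
from typing import Optional, Tuple

KEY = b"constructed-demo-key"  # constructed; real deployments provision keys per party

def canonical(msg: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC the same bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()

def sign(payload: dict, now: Optional[float] = None) -> dict:
    """Attach timestamp, fresh nonce and MAC to an outgoing message."""
    ts = int(now if now is not None else time.time())
    msg = dict(payload, ts=ts, nonce=secrets.token_hex(8))
    msg["mac"] = hmac.new(KEY, canonical(msg), hashlib.sha256).hexdigest()
    return msg

class Receiver:
    def __init__(self, window_s: int = 300):
        self.window = window_s
        self.seen = {}  # nonce -> ts, pruned as entries leave the window

    def accept(self, msg: dict, now: Optional[float] = None) -> Tuple[bool, str]:
        now = int(now if now is not None else time.time())
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(KEY, canonical(body), hashlib.sha256).hexdigest()
        # constant-time comparison; any altered field changes the MAC
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        if abs(now - body["ts"]) > self.window:
            return False, "stale"
        # drop nonces that are outside the window, then check for replay
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if body["nonce"] in self.seen:
            return False, "replay"
        self.seen[body["nonce"]] = body["ts"]
        return True, "ok"
```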
10 Security Assessment Requirements for Ecode Identification System
The security assessment of the Ecode identification system shall comply with the
following requirements:
a) A security assessment mechanism for the Ecode identification system shall
be established;
b) The security assessment mechanism shall be able to analyze the security
risks of the Ecode identification system. Reasonable security function
components shall be selected; a security profile of the Ecode identification
system shall be established;
c) An assessment method model library shall be established for the Ecode
identification system. Appropriate models and methods may be adopted for
the assessment, which include, but are not limited to: formalization, testing
and expert assessment, etc.;
d) In accordance with the security profile and corresponding assessment method
of the Ecode identification system, the Ecode identification system information
security protection and assessment specifications shall be formulated to guide
the development, construction and application of the Ecode identification
system;
e) It shall be ensured that the protection level of the Ecode identification system
complies with the requirements of GB/T 22239.
A security assessment reference model of the Ecode identification system is shown in
Figure 1, which includes the determination of security objectives, the formalization of
security protection profiles, the decomposition of security function components and
other assessment processes. The security objectives include four categories: the
confidentiality, identifiability, controllability and availability of the Ecode identification
system.
11 Management Requirements for Ecode Identification System
11.1 Registration Approval Mechanism
The Ecode identification system shall add a registration approval mechanism. When
users are applying for codes online, they shall submit corresponding materials to be
used in the internal approval process of the management institution.
11.2 Security Management
11.2.1 Daily security management
In the Ecode identification system, the daily security management shall comply with
the following requirements:
a) Establish a security management system for the daily management activities;
b) Designate or authorize specialized personnel to take charge of the formulation
and assessment of the security management system;
c) Publish the security management system to relevant personnel in various
forms, such as: paper documents and electronic documents, etc.
11.2.2 Software maintenance management
The software maintenance management of the Ecode identification system shall
comply with the following requirements:
a) Store source files of software products on the media, for example, disks;
compile detailed catalogs for the long-term preservation;
b) Make two copies of important software. One shall be archived as the master
copy, and the other shall be used as a backup;
c) It shall be ensured that the modification of relevant software of the Ecode
identification system will not impair the security of the system.
11.3 Personnel Management
The Ecode identification system shall establish necessary personnel recruitment,
assessment, security education and training, and external personnel access
management systems, so as to ensure that the system hardware, software and data
are not altered, leaked or destroyed due to accidental and malicious reasons.
......