US$439.00 · In stock. Delivery: <= 4 days. True-PDF full copy in English, manually translated and delivered via email. SF/T 0036-2019 (Notary information security technical specifications). Status: Valid
Basic data

| Field | Value |
|---|---|
| Standard ID | SF/T 0036-2019 (SF/T0036-2019) |
| Description (translated English) | Notary information security technical specifications |
| Sector / Industry | Chinese Industry Standard (Recommended) |
| Classification of Chinese Standard | A16 |
| Classification of International Standard | 35.240.01 |
| Word Count Estimation | 19,164 |
| Date of Issue | 2019 |
| Date of Implementation | 2019-05-20 |
| Issuing agency(ies) | Ministry of Justice of the People's Republic of China |

SF/T 0036-2019 (Notary information security technical specifications). The text below is a DRAFT translation for illustration, not the final translation. The full true-PDF in English (including equations, symbols, images, flow charts, tables and figures) is manually translated upon order.
Technical specification for notarization information security
The People's Republic of China Judicial Administration Industry Standard
Notarization Information Security Technical Specifications
Issued 2019-05-05
Implemented 2019-05-20
Issued by the Ministry of Justice of the People's Republic of China
1 Scope
2 Normative references
3 Terms, definitions and abbreviations
4 Notarization information security objects and content
5 Notarization information security construction
6 Physical security
7 Network security
8 System security
9 Application security
10 Data security and backup and recovery
11 Security protection requirements for the notarization PKI system
References
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
Please note that some of the contents of this document may involve patents. The issuing agency of this document is not responsible for identifying these patents.
This standard was proposed by the Public Legal Service Administration of the Ministry of Justice and the Chinese Notary Association.
This standard is under the jurisdiction of the Information Center of the Ministry of Justice.
Drafting organization of this standard: China Notary Association.
Notarization Information Security Technical Specifications
1 Scope
This standard specifies the objects and content of notarization information security, information security construction, physical security, network security, system security, application security, data security and backup and recovery, and the security protection requirements for the notarization PKI system.
This standard applies to the planning, design, construction and management of notarization information security by judicial administrative notarization management departments, notary associations and notary institutions of all kinds.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 17859 Computer Information System Security Protection Classification Criteria
GB/T 19713 Information Technology Security Technology Public Key Infrastructure Online Certificate Status Protocol
GB/T 20269 Information Security Technology Information System Security Management Requirements
GB/T 20271-2006 Information Security Technology Information System General Security Technical Requirements
GB/T 20518 Information Security Technology Public Key Infrastructure Digital Certificate Format
GB/T 22239-2008 Information Security Technology Information System Security Level Protection Basic Requirements
GB/T 22240-2008 Information Security Technology Information System Security Level Protection Rating Guidelines
GB/T 50052 Code for Design of Power Supply and Distribution System
SF/T 0034-2019 Notarized data requirements and specifications
3 Terms, definitions and abbreviations
3.1 Terms and definitions
The following terms and definitions apply to this document.
3.1.1
Notarization
The activity by which a notary institution, upon the application of a natural person, legal person or other organization, certifies in accordance with legal procedures the authenticity and legality of civil legal acts, facts of legal significance and documents.
3.1.2
Notarial institutions
A certification agency established in accordance with the law, not for profit, that independently performs notarization functions in accordance with the law and bears civil liability.
3.1.3
Notarized matters
The detailed classification, by object of certification, of the notarization business conducted by a notary institution, as provided in Article 11 of the "Notarization Law of the People's Republic of China".
3.1.4
Notarial affairs
Non-certification business handled by a notary institution, as provided in Article 12 of the "Notarization Law of the People's Republic of China".
3.1.5
Notarization information security
The security of notarized data and information facilities.
3.1.6
Data confidentiality
The property that unauthorized users, entities or processes have no access to the information, so that confidential information cannot be stolen or misused.
3.1.7
Message-digest algorithm
A cryptographic process that requires no key and whose output cannot be decrypted back to the input; only the same plaintext, put through the same algorithm, yields the same output.
3.1.8
Block chain
In a peer-to-peer network environment, a transaction processing model that is constructed, implemented and managed through transparent and trustworthy rules on a blockchain data structure that cannot be forged or tampered with and that is traceable.
Note: Transaction processing includes, but is not limited to, the generation, access and use of trusted data.
[GB/T 37043-2018, definition 2.5.8]
3.1.9
Digital signature
Data appended to a data unit, or a cryptographic transformation of the data unit (see "cryptography"), that allows the recipient of the data unit to confirm the source and integrity of the data unit and protects the data against forgery by others (for example, the recipient).
[GB/T 9387.2-1995, definition 3.3.26]
3.1.10
Asymmetric cryptographic technique
A cryptographic technique that uses two related transformations.
Note: One is the public transformation defined by the public key; the other is the private transformation defined by the private key.
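The three definitions above (3.1.7, 3.1.9 and 3.1.10) describe the primitives the rest of the standard builds on. The following Go program is an added example written for this page, not code from the standard or from the Chinese Notary Association, and it illustrates those definitions with concrete calls: a keyless digest that is the same for the same input and unrecoverable from its output, and a key pair whose private transformation produces a signature that only the matching public transformation accepts, so a recipient can confirm both source and integrity. SHA-256 and ECDSA over P-256 are assumptions chosen for the example; the standard text here names no particular algorithm, and the sample "notarial certificate" is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest computes the SHA-256 message digest of data and returns it as hex.
// No key is involved and the digest cannot be reversed to recover the input;
// identical input to the same algorithm always yields the same digest (3.1.7).
// SHA-256 is an assumption for this example; the standard names no algorithm here.
func Digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Signer holds an asymmetric key pair (3.1.10). ECDSA over P-256 is an
// assumption for illustration, not a requirement stated by the standard.
type Signer struct {
	priv *ecdsa.PrivateKey
}

// NewSigner generates a fresh key pair; the private half never leaves the Signer.
func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public returns the public key, which is all a recipient needs to verify.
func (s *Signer) Public() *ecdsa.PublicKey {
	return &s.priv.PublicKey
}

// Sign applies the private transformation to the digest of the data unit and
// returns the signature: the "data appended to the data unit" of 3.1.9.
func (s *Signer) Sign(dataUnit []byte) ([]byte, error) {
	sum := sha256.Sum256(dataUnit)
	return ecdsa.SignASN1(rand.Reader, s.priv, sum[:])
}

// Verify applies the public transformation. It returns true only if the
// signature was produced with the private key matching pub over exactly this
// data unit, which is how the recipient confirms source and integrity (3.1.9).
func Verify(pub *ecdsa.PublicKey, dataUnit, sig []byte) bool {
	sum := sha256.Sum256(dataUnit)
	return ecdsa.VerifyASN1(pub, sum[:], sig)
}

func main() {
	// Constructed sample data unit; not a real notarial record.
	doc := []byte("Notarial certificate no. EXAMPLE-0001: the attached copy is true.")
	fmt.Println("digest:", Digest(doc))

	notary, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig, err := notary.Sign(doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine document verifies:", Verify(notary.Public(), doc, sig))

	// Integrity: changing one byte of the data unit invalidates the signature.
	tampered := append([]byte{}, doc...)
	tampered[len(tampered)-1] = '?'
	fmt.Println("tampered document verifies:", Verify(notary.Public(), tampered, sig))

	// Source: a signature does not verify under anyone else's public key.
	impostor, _ := NewSigner()
	fmt.Println("verifies under another key:", Verify(impostor.Public(), doc, sig))
}
```

Running the program prints the digest followed by true, false, false. Note that Sign hashes the data unit first and signs the digest, which is why the digest definition (3.1.7) matters to the signature definition (3.1.9): the signature covers a fixed-size value that changes whenever the data unit changes.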
3.2 Abbreviations
The following abbreviations apply to this document.
CA Certificate Authority
CRL Certificate Revocation List
IDS Intrusion Detection System
IPSec Internet Protocol Security
OCSP Online Certificate Status Protocol
PKI Public Key Infrastructure
RA Registration Authority
SSL Secure Sockets Layer
4 Notarized information security objects and content
4.1 Information Security Object
Information security objects include notarization matters, notarization affairs, notarization data and notarization information facilities.
4.2 Information security content
Information security includes technical security and management security, as follows.
a) Technical security includes physical security, network security, system security, application security, data security, PKI security, etc., as follows.
1) Physical security: protection of notarization data centers and electronic notarization information facilities, including computer rooms, servers, network equipment, storage devices, protective equipment, PCs, mobile devices, etc., from illegal physical access, natural disasters and environmental disasters;
2) Network security: identity authentication, confidentiality, integrity, availability, controllability, authenticity and auditability of data in the communication process, etc.;
3) System security: operating system, database, middleware, etc.;
4) Application security: systems, platforms, tools and applications related to notarization information, such as the notarization business certification system, notarization business management system, notarization electronic file management system, notarization online acceptance system, notarization electronic data preservation tool, screen recording tool, etc.;
5) Data security: storage security, communication security and authority security of notarization data (see SF/T 0034-2019 for details), and the staff data, user data and other data stored in electronic notarization;
6) PKI security: security and security management of the PKI system in the notarization industry.
b) Management security should follow GB/T 20269; the specific content is as follows.
1) The formulation of safety rules and regulations;
2) Organization and personnel management content;
3) Risk and emergency management content;
4) Operation and maintenance management content;
5) Supervise and inspect management content;
6) Safety education and training content.
5 Notarization information security construction
5.1 Basic requirements for information security construction
Information security construction requirements are as follows.
a) It shall follow the relevant provisions of GB/T 17859, GB/T 22240, GB/T 22239 and Gongtongzi [2007] No. 43, and comply with other requirements of the notarization industry;
b) Different protection measures should be adopted according to the importance and type of the information, implementing classified protection;
c) According to the importance of the information system and data, storage shall be separated into different domains, and domain protection and secure exchange between domains shall be implemented and controlled.
5.2 Implementation methods of information security construction
Information security construction should follow the following implementation methods.
a) Determine the security level of electronic notarization information in accordance with the grading rules of information security level protection;
b) According to the information security level protection requirements, determine the basic security requirements corresponding to the electronic notarization information security level;
c) Based on the basic security requirements of the information system, combined with the electronic notarization information security technical requirements, the risks faced by the information system and the cost of implementing security protection measures, formulate and determine the security protection measures applicable to electronic notarization information, and complete planning, design, implementation, acceptance and operation in accordance with the relevant requirements of this standard.
5.3 Information security protection level
The information security protection level shall be planned and constructed in accordance with the third level requirements in GB/T 22239-2008.
6 Physical security
6.1 Basic requirements for physical security
It shall follow the relevant provisions of 7.1.1 of GB/T 22240-2008 and meet other requirements of the notarization industry.
6.2 Environmental safety
Environmental safety mainly sets the following requirements for the computer room environment.
a) It should meet the requirements for fire prevention, pollution prevention, moisture prevention, lightning protection, vibration prevention, protection against strong electric and magnetic fields, earthquake resistance, flood prevention and protection against public interference;
b) There should be only one entrance and exit; unauthorized personnel are not allowed to enter the computer room, and magnets, personal computers or electrical equipment, food and other irrelevant items may not be brought in. The computer room should be equipped with access control equipment, and everyone entering or leaving the computer room should be identified by the access control system;
c) Air-conditioning equipment should be provided so that the temperature of the computer room stays within the range allowed for computer operation;
d) The security of communication lines shall be ensured, and necessary measures shall be taken to prevent line interception incidents;
e) A reliable power supply should be provided. The power supply should meet the requirements of GB/T 50052, use multiple supply methods, and be maintained and inspected regularly. If a planned power outage is scheduled, the relevant departments should be notified of the outage plan in advance.
6.3 Equipment safety
The equipment safety requirements are as follows.
a) Computer and network infrastructure should be properly placed. The computer room should be equipped with video surveillance and staffed by dedicated personnel to strengthen protection, reduce the risk of damage and prevent illegal intrusion;
b) Reliable operating support should be provided for the equipment, and uninterrupted operation of the information system should be supported through measures such as fault tolerance and failure recovery;
c) Strict protection measures should be taken for the storage of all recording media holding core data, to prevent theft, destruction and damage. Core data should be retained for a long period, and effective measures should be taken to prevent illegal copying.
7 Cybersecurity
7.1 Basic requirements for network security
It shall follow the relevant provisions of 7.1.2 of GB/T 22240-2008 and meet other requirements of the notarization industry.
7.2 Network access control
The network access control requirements are as follows.
a) Only authorized network services should be used, to prevent insecure network connections from affecting the security of electronic notarization;
b) Policies for the use of networks and network services should be formulated, consistent with the access control policy. The policy should specify the following.
1) The networks and network services users are allowed to access should be clearly stated;
2) Procedures for authorizing users to access the networks and network services should be specified;
3) Management controls and procedures to protect network connections and access to network services should be in place;
4) A log of access to network services should be kept, with the specific content of the log determined by the sensitivity of the information.
c) Based on the access control policy and access requirements, and according to the different businesses and applications and the sensitivity and importance of the information processed, the network and information system should be divided into different logical security areas in accordance with the national information security level protection requirements. Key-point protection and border isolation should be adopted, focusing on strengthening the security protection and monitoring of the key borders of each security domain, while inter-domain services are filtered and inter-domain communications controlled through isolation measures;
d) Effective port protection measures should be formulated and implemented to protect the ports used for remote operation and management of networks and information systems, preventing unauthorized or illegal access to those ports, and access logs should be kept for each port.
7.3 Network transmission security
The network transmission security requirements are as follows.
a) Encryption controls such as SSL and IPSec should be adopted to ensure the confidentiality and integrity of data transmitted over public networks;
b) The security status of the network should be continuously monitored, and relevant errors, failures and remedial measures should be recorded.
7.4 Network security audit and monitoring
The network security audit and monitoring requirements are as follows.
a) Network access and usage should be audited and monitored to detect activities that violate the access control policy;
b) Relevant evidence should be recorded.
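Clauses 7.2 b-4, 7.2 c, 7.2 d and 7.4 together describe one control loop: define which flows between logical security areas are permitted, log access to network services and management ports, and audit those logs against the policy while keeping the evidence. The following Go program is an added example written for this page, not code from the standard or from any notarization system, showing that loop over a constructed log. The log format, the zone names (office, app, core, ops-bastion, guest-wifi) and the sample policy are all assumptions made for the example; real equipment logs and real zone designs will differ. The example also goes slightly beyond the text in one respect: a log line the auditor cannot parse is reported as a finding, since an unreadable access record cannot serve as evidence under 7.4 b.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Flow is one explicitly permitted path between logical security areas (7.2 c):
// source zone, destination zone and destination port.
type Flow struct {
	SrcZone string
	DstZone string
	Port    int
}

// Policy is an allowlist. Anything absent from it is prohibited, applying the
// "clearly permitted, otherwise prohibited" rule of 7.5 a to inter-domain traffic.
type Policy map[Flow]bool

// Event is one parsed network service access record (7.2 b-4).
type Event struct {
	Time string
	User string
	Flow Flow
}

// Finding is an audit result: the original log line kept as evidence (7.4 b)
// plus the reason it was flagged.
type Finding struct {
	Line   string
	Reason string
}

// ParseLine parses the constructed log format assumed for this example:
//   <time> user=<name> src=<zone> dst=<zone> port=<n>
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) != 5 {
		return Event{}, errors.New("expected 5 fields")
	}
	ev := Event{Time: fields[0]}
	for _, f := range fields[1:] {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return Event{}, fmt.Errorf("bad field %q", f)
		}
		switch k {
		case "user":
			ev.User = v
		case "src":
			ev.Flow.SrcZone = v
		case "dst":
			ev.Flow.DstZone = v
		case "port":
			p, err := strconv.Atoi(v)
			if err != nil || p < 1 || p > 65535 {
				return Event{}, fmt.Errorf("bad port %q", v)
			}
			ev.Flow.Port = p
		default:
			return Event{}, fmt.Errorf("unknown key %q", k)
		}
	}
	if ev.User == "" || ev.Flow.SrcZone == "" || ev.Flow.DstZone == "" || ev.Flow.Port == 0 {
		return Event{}, errors.New("missing field")
	}
	return ev, nil
}

// Audit checks every log line against the policy (7.4 a). Lines that cannot be
// parsed are reported too: a record the auditor cannot read is itself a finding.
func Audit(p Policy, lines []string) []Finding {
	var out []Finding
	for _, line := range lines {
		ev, err := ParseLine(line)
		if err != nil {
			out = append(out, Finding{Line: line, Reason: "unparseable: " + err.Error()})
			continue
		}
		if !p[ev.Flow] {
			out = append(out, Finding{Line: line, Reason: fmt.Sprintf(
				"user %s: %s -> %s:%d is not a permitted flow",
				ev.User, ev.Flow.SrcZone, ev.Flow.DstZone, ev.Flow.Port)})
		}
	}
	return out
}

// SamplePolicy and SampleLog are constructed for this example.
var SamplePolicy = Policy{
	{"office", "app", 443}:      true, // clerks reach the business system over HTTPS
	{"ops-bastion", "core", 22}: true, // remote management only from the bastion (7.2 d)
	{"app", "core", 5432}:       true, // application tier to database tier
}

var SampleLog = []string{
	"2019-05-20T09:01:02Z user=clerk01 src=office dst=app port=443",
	"2019-05-20T09:03:10Z user=admin02 src=ops-bastion dst=core port=22",
	"2019-05-20T09:05:44Z user=clerk07 src=office dst=core port=22",
	"2019-05-20T09:06:01Z user=guest src=guest-wifi dst=app port=443",
	"2019-05-20T09:07:30Z user=admin02 src=ops-bastion dst=core",
}

func main() {
	for _, f := range Audit(SamplePolicy, SampleLog) {
		fmt.Printf("%s\n    %s\n", f.Line, f.Reason)
	}
}
```

On the sample log the audit reports three findings: a clerk reaching a management port in the core zone from the office zone, a guest-network client reaching the application zone, and a truncated record. The policy is keyed on the full (source, destination, port) triple so that permitting HTTPS from the office zone says nothing about SSH from the same zone, which is the point of 7.2 d's separate treatment of management ports.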
7.5 Security Management of Network Equipment
The security management requirements for network equipment are as follows.
a) Equipment management authority should be clearly permitted; anything not permitted should be prohibited;
b) The change of equipment management authority should be clearly defined...