Home Cart Quotation About-Us
www.ChineseStandard.net
SEARCH

GB/T 31168-2023 (GB/T 31168-2014) PDF English

US$145.00 · In stock · Download in 9 seconds
GB/T 31168-2014: Information security technology -- Security capability requirements of cloud computing services
Delivery: 9 seconds. True-PDF full-copy in English & invoice will be downloaded + auto-delivered via email. See step-by-step procedure
Status: Obsolete

GB/T 31168: Historical versions

Standard IDUSDBUY PDFDeliveryStandard Title (Description)Status
GB/T 31168-20231579 Add to Cart 9 days Information security technology - Security capability requirements for cloud computing services Valid
GB/T 31168-2014145 Add to Cart Auto, 9 seconds. Information security technology -- Security capability requirements of cloud computing services Obsolete

Similar standards

GB/T 31505   GB/T 31722   GB/T 31509   GB/T 19713   

GB/T 31168-2014: Information security technology -- Security capability requirements of cloud computing services


---This is an excerpt. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.), auto-downloaded/delivered in 9 seconds, can be purchased online: https://www.ChineseStandard.net/PDF.aspx/GBT31168-2014
GB NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA ICS 35.040 L 80 GB/T 31168-2014 Information Security Technology - Security Capability Requirements of Cloud Computing Services Issued on: SEPTEMBER 3, 2014 Implemented on: APRIL 1, 2015 Issued by. General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China.

Table of Contents

Foreword... 6 Introduction... 7 1 Scope... 8 2 Normative References... 8 3 Terms and Definitions... 8 4 Overview... 9 4.1 Implementation Responsibilities for the Security Measures of Cloud Computing... 9 4.2 Action Range for the Security Measures of Cloud Computing... 11 4.3 Classification of Security Requirements... 11 4.4 Expression Form of Security Requirements... 13 4.5 Adjustment of Security Requirements... 13 4.6 Security Plan... 14 4.7 Structure of This Standard... 15 5 Security of System Development and Supply Chain... 15 5.1 Strategies and Procedures... 15 5.2 Resource Distribution... 15 5.3 System Life Cycle... 16 5.4 Procurement Process... 16 5.5 System Documentation... 17 5.6 Security Engineering Principle... 17 5.7 Critical Analysis... 18 5.8 External Information System Service and Relevant Service... 18 5.9 Security System Framework of Developer... 19 5.10 Development Process, Standards and Tools... 19 5.11 Developer Configuration Management... 20 5.12 Security Test and Assessment of Developer... 21 5.13 Training Provided by the Developer... 22 5.14 Tamper Resistance... 22 5.15 Module Factuality... 22 5.16 Unsupported System Module... 23 5.17 Supply Chain Protection... 23 6 Protection of System and Communication... 25 6.1 Strategies and Procedures... 25 6.2 Boundary Protection... 25 6.3 Transmission Security and Integrity... 26 6.4 Network Interruption... 26 6.5 Trusted Path... 27 6.6 Password Usage and Management... 27 6.7 Coordinated Computing Device... 27 6.8 Mobile Code... 27 6.9 Session Certification... 27 6.10 Physical Connection of Mobile Device... 28 6.11 Malicious Code Protection... 28 6.12 Memory Protection... 28 6.13 System Virtualization Security... 28 6.14 Network Virtualization Security... 29 6.15 Storage Virtualization Security... 30 7 Access Control... 30 7.1 Strategies and Procedures... 30 7.2 User Identification and Authentication... 31 7.3 Device Identification and Authentication... 31 7.4 Identifier Management... 31 7.5 Authentication Certificate Management... 32 7.6 Feedback of Authentication Certificate... 33 7.7 Authentication of Cryptographic Module... 33 7.8 Account Management... 33 7.9 Implementation of Access Control... 34 7.10 Control of Information Flow... 34 7.11 Minimum Privilege... 35 7.12 Unsuccessful Log-in Try... 36 7.13 Notice on Use of System... 36 7.14 Notice on Last Visit... 36 7.15 Concurrent Session Control... 36 7.16 Session Lock-in... 37 7.17 Actions May be Taken in Case of Lacking Identification and Authentication... 37 7.18 Security Attribute... 37 7.19 Remote Access... 37 7.20 Wireless Access... 38 7.21 Use of External Information System... 38 7.22 Information Sharing... 39 7.23 Content accessible to the Public... 39 7.24 Data Excavation Protection... 39 7.25 Medium Access and Use... 39 7.26 Service Closure and Data Migration... 40 8 Configuration Management... 40 8.1 Strategies and Procedures... 40 8.2 Configuration Management Plan... 40 8.3 Base Line Configuration... 41 8.4 Change Control... 41 8.5 Setting of Configuration Parameters... 42 8.6 Minimum Functional Principle... 42 8.7 Information System Module List... 43 9 Maintenance... 44 9.1 Strategies and Procedures... 44 9.2 Controlled Maintenance... 44 9.3 Maintenance Tool... 44 9.4 Remote Maintenance... 45 9.5 Maintenance Personnel... 45 9.6 Timely Maintenance... 45 9.7 Defect Repair... 46 9.8 Security Function Verification... 46 9.9 Integrity of Software, Firmware and Information... 46 10 Emergency Response and Disaster Preparation... 47 10.1 Strategies and Procedures... 47 10.2 Event Handling Plan... 47 10.3 Event Handling... 47 10.4 Event Report... 48 10.5 Event Handling Support... 48 10.6 Security Alarm... 48 10.7 Error Handling... 49 10.8 Emergency Response Plan... 49 10.9 Emergency Training... 50 10.10 Emergency Drilling... 50 10.11 Information System Backup... 50 10.12 Supporting the Service Continuity Plan of the Customer... 51 10.13 Telecommunication Service... 51 11 Audit... 51 11.1 Strategies and Procedures... 51 11.2 Auditable Event... 52 11.3 Audit Record Contents... 52 11.4 Storage Capacity of Audit Record... 52 11.5 Response upon Audit Process Failure... 53 11.6 Examination, Analysis and Report of Audit... 53 11.7 Audit Treatment and Report Generation... 53 11.8 Time Stamp... 54 11.9 Audit Information Protection... 54 11.10 Non-repudiation... 54 11.11 Audit Record Retention... 54 12 Risk Assessment and Persistent Monitoring... 54 12.1 Strategies and Procedures... 54 12.2 Risk Assessment... 55 12.3 Vulnerability Scanning... 55 12.4 Persistent Monitoring... 56 12.5 Information System Monitoring... 56 12.6 Junk Information Monitoring... 57 13 Security Organization and Personnel... 57 13.1 Strategies and Procedures... 57 13.2 Security Organization... 58 13.3 Security Resource... 58 13.4 Security Regulations System... 58 13.5 Post Risks and Responsibilities... 59 13.6 Personnel Screening... 59 13.7 Personnel resignation... 59 13.8 Personnel Deployment... 60 13.9 Access Protocol... 60 13.10 Third Party Personnel Security... 60 13.11 Personnel Punishment... 61 13.12 Security Training... 61 14 Physical and Environmental Security... 61 14.1 Strategies and Procedures... 61 14.2 Physical Facilities and Devices Site Selection... 62 14.3 Physical and Environmental Planning... 62 14.4 Physical Environment Access Authorization... 62 14.5 Physical Environment Access Control... 63 14.6 Communication Capacity Protection... 63 14.7 Output Device Access Control... 63 14.8 Physical Access Monitoring... 63 14.9 Visitor Access Record... 64 14.10 Power Device and Cable Security Assurance... 64 14.11 Emergency Lighting Capability... 64 14.12 Fire-fighting Capability... 65 14.13 Temperature and Humidity Control Capabilities... 65 14.14 Water-proof Capability... 65 14.15 Device Transportation and Remove... 65 Appendix A (Informative) Template for System Security Plan... 67 Bibliography... 72 Information Security Technology - Security Capability Requirements of Cloud Computing Services

1 Scope

This standard specifies the security technology capability which the cloud service provider shall possess when providing cloud computing service for specific customer in a socialized method. This standard is applicable to the security management of cloud computing service used by government departments, and may also serve as reference for the cloud computing service used by key industries and other enterprises and institutions. It is also applicable to guide the cloud service provider to establish secure cloud computing platform and provide secure cloud computing service.

2 Normative References

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the normative document (including any amendments) applies. GB/T 9361-2011 Safety Requirements for Computation Center Field GB/T 25069-2010 Information Security Technology - Glossary GB 50174-2008 Code for Design of Electronic Information System Room GB/T 31167-2014 Information Security Technology - Security Guide of Cloud Computing Services

3 Terms and Definitions

For the purposes of this document, the terms and definitions specified in GB/T 25069-2010 as well as those listed below apply. 3.1 Cloud computing Access to extensible, flexible physical or virtual sharing resource pool through the Internet, which may also conform to the self-help acquisition and management resource modes. Note. resource examples include the server, operation system, network, software, application and storage device. 3.2 Cloud computing service The capability to provide one or more kind(s) of resource(s) by using the defined interface and cloud computing. 3.3 Cloud service provider The provider of cloud computing service. Note. the cloud service provider manages, operate and supports the infrastructure and software of cloud computing, and security requirements are classified into 10 categories and each category includes several specific requirements. These 10 categories are. - Security of system development and supply chain. Cloud service provider shall provide adequate protection to the cloud computing platform during development, propose corresponding requirements for the information system, module and service developer, provide enough resource for the cloud computing platform and take full consideration of security requirements. In addition to ensure that the lower-level supplier takes necessary security measures, cloud service provider shall also provide document and information on relevant security measures to the customer; completing the management of information system and business together with the customer. - Protection of system and communication. Cloud service provider shall monitor, control and protect the network communication on external boundary and critical internal boundary of cloud computing platform and shall also effectively protect the security of cloud computing platform through methods like structured design, software development technique and software engineering. - Access control. Cloud service provider shall strictly protect the customer data of cloud computing platform, the personnel, progress and equipment, before accessing the cloud computing platform, shall be identified and the performable operation and applicable function shall be restricted. - Configuration management. Cloud service provider shall provide configuration management for the cloud computing platform, establish and maintain the baseline configuration and detailed list of cloud computing platform (including hardware, software and document, etc.) within system life cycle, set and realize the parameters for security configuration of various products in cloud computing platform. - Maintenance. Cloud service provider shall maintain the cloud computing platform facility and software system, effectively control the maintenance tool, technology, mechanism and maintenance personnel and keep related record. - Emergency response and disaster preparation. Cloud service provider shall develop the emergency response plan for cloud computing platform and ensure the availability of important information resource in emergency circumstances through periodical drilling. It shall establish event handling plan including the prevention, inspection, analysis, control to the event, system reset, etc., and trace and record the event so as to report it to the relevant personnel. It shall also be provided with disaster recovery capability and ensure the sustainability of the customer business by establishing necessary backup copy and recovery facility and mechanism. - Audit. Cloud service provider shall develop an audit event list according to the security requirements and customer requirements to define the audit record content, put audit into force and properly store the audit records. It shall also periodically analyze and check the audit records and prevent the audit records from being unauthorizedly accessed, modified and deleted. - Risk assessment and persistent monitoring. Cloud service provider shall assess the risk of cloud computing platform periodically or in case of change of threat environment so as to ensure that the security risk of cloud computing platform is at a status of acceptable level. It shall also establish monitoring target list to persistently monitor the security of targets and c) Require the developer of information system, module or service to provide evidence that [assign. system engineering method, software development method, testing technology and quality control process defined by the cloud service provider] is used in the system life cycle. d) Require the developer of information system, module or service to realize [assign. security configuration defined by the cloud service provider] in delivering the information system, module or service; these security configuration shall be adopted as the default configuration during reinstallation or upgrade of information system, module or service. e) Require the developer of information system, module or service to make a continuously monitoring plan on the effectiveness of security measures, which shall meet the [assign. level of detail defined by the cloud service provider]. f) Require the developer of information system, module or service to describe the system functions, port, agreement and service in the early stage of system life cycle; the cloud service provider shall disable unnecessary or high-risk functions, port, agreement or service. 5.5 System Documentation 5.5.1 General requirements Cloud service provider shall. a) Require the developer of information system, module or service to develop administer document, which shall cover the following information. 1) The security configuration of information system, module or service as well as the description of installation and operation; 2) The application maintenance description of security features and functions; 3) Precautions on the application and configuration related to management function. b) Require the developer of information system, module or service to develop user documentation, which shall cover the following information. 1) Security functions or mechanisms accessible to the user as well as the description on how to use these security functions or mechanisms effectively; 2) Method or description which may help the user to use the information system, module or service more safely; 3) Description on user security responsibility and precautions. c) Protect the aforesaid documentations as required based on the risk management strategy; d) Distribute aforesaid documentations to [assign. personnel or role defined by the cloud service provider]. 5.5.2 Enhancement requirements None. 5.6 Security Engineering Principle 5.6.1 General requirements Cloud service provider shall apply the security engineering principle in the process of standardization, design, development, implementation and modification of information system; according to the actual situation, the following aspects may be considered. a) Carry out layered protection; b) Establish perfect security policy, framework and measure served as design basis; c) Delimit physical and logic security boundary; d) Ensure the system developers have accepted software development security training; frequency defined by the cloud service provider]. 5.16 Unsupported System Module 5.16.1 General requirements None. 5.16.2 Enhancement requirements Where the developer, supplier or manufacturer doesn't provide support to the system module any more, the cloud service provider shall. a) Replace this system module; b) Provide right reasons approved by the organizational leader where the unsupported system module is needed for further use due to business necessity, and provide [internal support; [assign. support from other external provider defined by the cloud service provider]]. 5.17 Supply Chain Protection 5.17.1 General requirements Cloud service provider shall. a) Indicate which outsourced service or purchased product has important influence on the security of cloud computing service; b) Ensure the security inspection of [assign. important device defined by the cloud service provider] through [assign. information security assessment or review mechanism established by relevant governmental departments]; c) Implement [assign. supply chain protection measures defined by the cloud service provider] for important information system, module or service; the supply chain protection measure according to actual situation may be. 1) Implement security control for the development environment and development device of products and external connection of development environment; 2) Carry out screening, examination and verification to the developer, personnel screening criteria include. no negligence, reliable or governmental certification of professional title, favorable background examination, citizen hood and nationality; the developer credibility also includes review and analysis of corporate ownership and its relationship with other entities; 3) Use tamper resistance package during transportation or storage. 5.17.2 Enhancement requirements Cloud service provider shall. a) Implement [assign. procurement strategy, contract tool and purchasing method defined by the cloud service provider]. The following factors may be considered during this process. 1) Give preference to suppliers meeting the following conditions. i) Protection measures meeting the security requirements of laws and regulations, policy, standard and cloud service provider; ii) Relative transparent enterprise operation process and security measures; iii) Further verification is provided to the security of lower-level supplier, critical module and service; iv) Declare not to use vicious code product or fake product in the Contract. 2) Shorten the time interval between purchasing determination and delivery; 3) Use credible or controllable distributing, delivery and storage measures; 4) Limit to purchase product or service from specific supplier or country. device. 6.2.2 Enhancement requirements Cloud service provider shall. a) Construct physically independent computing platform, storage platform, internal network environment and relevant maintenance and security facilities for the cloud computing service, and then connect them with the external network or information system through controlled boundary; b) Restrict the number of external access points of the information system so as to effectively monitor the ingoing and outgoing communication and network flow; c) Take the following measures. 1) Manage each external telecommunication service interface; 2) Prepare communication flow strategy for each interface; 3) Take relevant measures to carry out necessary confidentiality and integrity protection for the transmitted information flow; 4) Record the business demand and communication duration in the exception clauses of the communication flow strategy where exceptional case of communication flow strategy appears according to the business demand; 5) Examine the exception clauses in the network communication flow strategy according to the [assign. frequency defined by the cloud service provider], and delete the exception clause no longer required in the communication flow strategy. d) Ensure that the external communication interface of information system can only transmit data after being authorized; e) Avoid the remote management device from being directly connected to other network resources when carrying out remote maintenance and management for the cloud computing platform; f) Support the customer to use independent proxy server to realize the information introduction and export; g) Construct the physically independent management network, and connect the management tool and the managed device or resource to manage the cloud computing platform; h) Ensure that the operation of the [assign. affected part defined by the cloud service provider] on the cloud computing platform can be terminated safely where the [assign. boundary protection defined by the cloud service provider is ineffective]; i) Take relevant measures to satisfy the information system isolation requirements among different customers or different businesses of the same customer. 6.3 Transmission Security and Integrity 6.3.1 General requirements None. 6.3.2 Enhancement requirements Cloud service provider shall provide communication encryption and signature examination facilities which satisfy the national password administration laws and regulations. 6.4 Network Interruption 6.4.1 General requirements None. Cloud service provider shall. a) Carry out further identification for the [assign. personnel type defined by the cloud service provider], such as contractor or overseas citizen for the convenience of understanding the identity of the communication party (for example, the email receiver is identified as the contractor to be convenient for distinguishing it from the personnel of this organization); b) Ensure the coordination with relevant organizations when identifying the cross-organization or cross-platform user to satisfy the identifier management strategies of multiple organizations and platforms. 7.5 Authentication Certificate Management 7.5.1 General requirements Cloud service provider shall. a) Manage the authentication certificate according to the following procedures. 1) Verify the identity of the receiving object (individual, group, role or device) of authentication certificate; 2) Determine the initial content of authentication certificate; 3) Ensure that the authentication certificate can effectively avoid forging and tampering; d) Establish and implement management regulations in allusion to the initial distribution, losing disposal and withdraw of authentication certificate; 5) Forcibly require the user to change the default content of authentication certificate; 6) Define the minimum and maximum survival time limits and reuse condition of the authentication certificate; 7) Forcibly require updating the authentication certificate after the [assign. time quantum defined by the cloud service provider] for [assign. authentication certificate defined by the cloud service provider]; 8) Protect the content of authentication certificate and avoid divulging and tampering; 9) Take specific security precautions realized by the device to protect the authentication certificate; 10) Change the authentication certificate of the account of a group or role when the membership of this account is changed. b) For authentication based on password. 1) Establish relevant mechanism, and forcibly implement the minimum password complexity which meets the [assign. password complexity rule defined by the cloud service provider]; 2) Establish relevant mechanism to forcibly change the [assign. number defined by the cloud service provider] characters when the user updates the password so as to ensure the difference between the new and old passwords; 3) Encrypt the storage and transmission passwords; 4) Forcibly implement the minimum and maximum survival time limits to satisfy the [assign. minimum and maximum survival time defined by the cloud service provider]. c) For authentication based on hardware token, define the security quality requirements of the token and arrange relevant mechanism, such as the token based on PKI. 7.5.2 Enhancement requirements Cloud service provider shall. a) Authentication based on PKI. 1) Regard [assign. data attribute (like data content and data structure), source and destination object defined by the cloud service provider] as the basis of control strategy for information flow; 2) Control the dynamic information flow, such as being provided with the ability for dynamic adjustment of control strategy for information flow according to the change of condition or operation environment; 3) Implement [assign. restrictive measures defined by the cloud service provider] for other categorical data (e.g. executable file embedded in word processing document and polytype document contained in compressed files) embedded in [assign. data type defined by the cloud service provider]; 4) Control the information flow based on [assign. metadata for the description of data characteristic defined by the cloud service provider], e.g. data format, syntax, semantics, etc.; 5) Realize [assign. information uniflow defined by the cloud service provider] through hardware; 6) Regard [assign. security strategy filter defined by the cloud service provider] as the basis of control strategy for [assign. information flow defined by the cloud service provider] such as the maximum length of document and the type of document and data, etc. Provide ability of opening, forbidding and arranging [assign. security strategy filter defined by the cloud service provider] for privileged account. b) Implement manual examination to [assign. information flow defined by the cloud service provider] under [assign. condition defined by the cloud service provider]; c) Where the information is transmitted between different security fields, inspect whether [assign. forbidden information defined by the cloud service provider] exists in information and forbid the transmission of such information according to the [assign. security strategy defined by the cloud service provider]; d) Identify [select. organization; system; application and individual] as the source and destination address for implementation of information flow strategy, such as forbid the information to flow to destination address aboard; e) Bind the information and its security attribute through [assign. binding technology defined by the cloud service provider] for implementation of information flow strategy; f) Where the computing platform, application or data on multiple security fields are accessed through the same equipment, prevent the information between different security fields from flowing with a method of violating information flow strategy. 7.11 Minimum Privilege 7.11.1 General requirements The user's access authority provided by cloud service provider shall be essential for completing the assigned task and it shall meet the business requirements of this organization. 7.11.2 Enhancement requirements Cloud service provider shall. a) Definitely authorize the access of [assign. security function and security-related information defined by the cloud service provider]; b) Incorporate the implementation of privileged function into the event needed to be audited in information system; c) Ensure to be provided with privileged account or role user for accessing system security or security-related information. Where non-security f... ......

Source: Above contents are excerpted from the full-copy PDF -- translated/reviewed by: www.ChineseStandard.net / Wayne Zheng et al.
Image 1     Image 2     Image 3