www.ChineseStandard.net Database: 189760 (24 Feb 2024)

GB/T 22239-2019 (GB/T22239-2019)

Chinese standards (related to): 'GB/T 22239-2019'

Standard ID      | Contents | USD | PDF delivery               | Standard Title (Description)                                                                          | Status
GB/T 22239-2019  | English  | 485 | 0-9 seconds, auto delivery | Information security technology -- Baseline for classified protection of cybersecurity                | Valid
GB/T 22239-2008  | English  | 150 | 0-9 seconds, auto delivery | Information security technology -- Baseline for classified protection of information system security  | Obsolete


   
BASIC DATA
Standard ID: GB/T 22239-2019 (GB/T22239-2019)
Description (Translated English): Information security technology -- Baseline for classified protection of cybersecurity
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 90,933
Date of Issue: 2019-05-10
Date of Implementation: 2019-12-01
Older Standard (superseded by this standard): GB/T 22239-2008
Quoted Standards: GB 17859; GB/T 22240; GB/T 25069; GB/T 31167-2014; GB/T 31168-2014; GB/T 32919-2016
Drafting Organizations: The Third Research Institute of the Ministry of Public Security (Information Security Level Protection Evaluation Center of the Ministry of Public Security), Information Center of the National Energy Administration, Alibaba Cloud Computing Co., Ltd., Institute of Information Engineering, Chinese Academy of Sciences (State Key Laboratory of Information Security), Xinhua Three Technology Co., Ltd., Huawei Technologies Co., Ltd., Venus Star Information Technology Group Co., Ltd., Beijing Dingpu Technology Co., Ltd., China Electronics Information Industry Group Co., Ltd. Sixth Research Institute, Ministry of Public Security First Research Institute, State Information Center, Shandong Differential Electronic Technology Co., Ltd., the 15th Research Institute of China Electronics Technology Group Corporation (Information Industry Information Security Evaluation Center), Zhejiang University, the Computer and Microelectronics Development Research Center of the Ministry of Industry and Information Technology (China Software Evaluation Center), Zhejiang Guoli Xinan Technology Co., Ltd., Mechanical industry instrument
Administrative Organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing Organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing Agencies: State Administration for Market Regulation, China National Standardization Administration
Summary: This standard specifies the general security requirements and security extension requirements for the first-level to fourth-level protection objects of network security level protection. This standard is applicable to guide the security construction and supervision and management of classified non-confidential objects.


GB/T 22239-2019: PDF in English (GBT 22239-2019)
GB/T 22239-2019
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 22239-2008
Information security technology -
Baseline for classified protection of cybersecurity
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: State Market Regulatory Administration;
Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview of classified protection of cybersecurity
5.1 Object under classified protection
5.2 Different classes of security protection ability
5.3 General security requirements and security extension requirements
6 Level 1 security requirements
6.1 General security requirements
6.2 Security extension requirements of cloud computing
6.3 Security extension requirements of mobile internet
6.4 Security extension requirements for IoT
6.5 Security extension requirements for industrial control systems
7 Level 2 security requirements
7.1 General security requirements
7.2 Extension requirements for cloud computing security
7.3 Extension requirements for mobile Internet security
7.4 Extension requirements for IoT security
7.5 Security extension requirements for industrial control systems
8 Level 3 security requirements
8.1 General security requirements
8.2 Extension requirements for cloud computing security
8.3 Extension requirements for mobile Internet security
8.4 Extension requirements for IoT security
8.5 Security extension requirements for industrial control systems
9 Level 4 security requirements
9.1 General security requirements
9.2 Extension requirements for cloud computing security
9.3 Extension requirements for mobile internet security
9.4 Extension requirements for IoT security
9.5 Extension requirements for security of industrial control systems
10 Level 5 security requirements
Appendix A (Normative) Selection and use of general security requirements and security extension requirements
Appendix B (Normative) Requirements on overall security protection ability of the object under classified protection
Appendix C (Normative) Security framework of classified protection and requirements for key technology use
Appendix D (Informative) Description of cloud computing application scenarios
Appendix E (Informative) Description of mobile internet application scenarios
Appendix F (Informative) Description of IoT application scenario
Appendix G (Informative) Description of application scenarios of industrial control systems
Appendix H (Informative) Descriptions on big data application scenarios
References
Information security technology -
Baseline for classified protection of cybersecurity
1 Scope
This standard specifies the general security requirements and security
extension requirements for objects under classified protection at level 1 to
level 4 of the classified protection of cybersecurity.
This standard is applicable as guidance for the security construction and the
supervision and administration of non-confidential objects of the different classes.
Note: A level-5 protection object is a very important object of supervision and
management. It has special management modes and security requirements, so it
is not described in this standard.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the edition with the date indicated applies to this
document; for undated references, the latest edition (including all
amendments) applies.
GB 17859 Classified criteria for security protection of computer information
system
GB/T 22240 Information security technology - Classification guide for
classified protection of information system security
GB/T 25069 Information security technology glossary
GB/T 31167-2014 Information security technology - Security guide of cloud
computing services
GB/T 31168-2014 Information security technology - Security ability
requirements of cloud computing services
GB/T 32919-2016 Information security technology - Application guide to
industrial control system security control
3.5
Cloud service customer
Participants who use cloud computing services to establish business
relationships with cloud service providers.
[GB/T 31168-2014, definition 3.4]
3.6
Cloud computing platform / system
A collection of cloud computing infrastructure and service software provided
by a cloud service provider.
3.7
Hypervisor
An intermediate software layer that runs between the underlying physical
server and the operating system, allowing multiple operating systems and
applications to share hardware.
3.8
Host machine
The physical server running the hypervisor.
3.9
Mobile communication
The process of using a wireless communication technology to connect a
mobile device to a wired network.
3.10
Mobile device
Terminal device used in mobile business, including general-purpose terminals
and special-purpose terminal devices, such as smart phones, tablets and
personal computers.
3.11
Wireless access device
A communication device that uses wireless communication technology to
WEP: Wired Equivalent Privacy
WPS: WiFi Protected Setup
5 Overview of Classified protection of cybersecurity
5.1 Object under classified protection
The object under classified protection refers to the objects of the classified
protection of cybersecurity. It usually refers to a system consisting of computers
or other information terminals and related devices that collects, stores, transmits,
exchanges and processes information in accordance with certain rules and
procedures. It mainly includes basic information networks, cloud computing
platforms / systems, big data applications / platforms / resources, the Internet of
Things (IoT), industrial control systems and systems using mobile internet
technologies. The object under classified protection is divided into five
protection classes, from low to high, according to its importance to national
security, economic construction and social life, and to the degree of harm that
its damage would cause to national security, social order, public interests and
the legitimate rights and interests of citizens, legal persons and other
organizations.
See GB/T 22240 for the method of determining the security protection level of
the protected object.
5.2 Different classes of security protection ability
The basic security protection abilities that protected objects of the different
classes shall possess are as follows:
Level 1 security protection ability: It shall be able to protect against damage to
critical resources caused by malicious attacks from individuals, threat sources
with few resources, general natural disasters and other threats of a comparable
degree of harm. After damage, it may restore some functions.
Level 2 security protection ability: It shall be able to protect against damage to
important resources caused by malicious attacks from small external groups,
threat sources with a small amount of resources, general natural disasters and
other threats of a comparable degree of harm. It shall be able to discover
important security vulnerabilities and security incidents, and to restore some
functions within a period of time after damage.
Level 3 security protection ability: It shall be able to protect against damage to
important resources caused by malicious attacks from externally organized
groups, threat sources with richer resources, more severe natural disasters,
scenarios of cloud computing are described in Appendix D; the application
scenarios of mobile Internet are described in Appendix E; the IoT application
scenarios are described in Appendix F; the application scenarios of industrial
control systems are described in Appendix G; the application scenarios of big
data are described in Appendix H. For objects under classified protection that
use other special technologies or operate in special application scenarios,
supplementary special security measures shall be taken on the basis of a
security risk assessment.
6 Level 1 security requirements
6.1 General security requirements
6.1.1 Security physical environment
6.1.1.1 Physical access control
At the entrance and exit of the computer room, a dedicated person shall be
assigned on duty or an electronic access control system shall be installed, to
control, identify and record the entering personnel.
6.1.1.2 Protection against theft and vandalism
Device or main components shall be fixed and identified with obvious signs that
are not easy to remove.
6.1.1.3 Lightning protection
All kinds of cabinets, facilities and device shall be safely grounded through the
grounding system.
6.1.1.4 Fire prevention
The computer room shall be equipped with fire extinguishing device.
6.1.1.5 Waterproof and moisture-proof
It shall take measures to prevent rainwater from penetrating through the
windows, roof and walls of the computer room.
6.1.1.6 Temperature and humidity control
It shall set necessary temperature and humidity adjustment facilities, so that the
temperature and humidity changes in the computer room are within the range
allowed by the device operation.
This requirement includes:
a) It shall identify and authenticate the identity of the logged-in user. The
identity shall be unique; the identity authentication information shall have
complexity requirements and shall be replaced regularly;
b) It shall have a login-failure handling function; it shall configure and enable
relevant measures, such as ending the session, limiting the number of illegal
login attempts and automatically logging out when the login connection times out.
6.1.4.2 Access control
This requirement includes:
a) It shall assign accounts and permissions to logged-in users;
b) It shall rename or delete the default account; modify the default password
of the default account;
c) It shall delete or deactivate the redundant and expired accounts in time,
to avoid the existence of shared accounts.
6.1.4.3 Intrusion prevention
This requirement includes:
a) It shall follow the principle of minimum installation, to install only the
required components and applications;
b) It shall close the unnecessary system services, default shares and high-
risk ports.
6.1.4.4 Prevention of malicious code
It shall install anti-malware software or configure software with corresponding
functions; regularly upgrade and update the anti-malware code library.
6.1.4.5 Trusted authentication
It may, based on a trusted root, carry out trusted verification of the system boot
program, system program, etc. of the boundary device, and issue an alarm when
it detects that the trustworthiness of the device has been compromised.
6.1.4.6 Data integrity
It shall use the checking techniques to ensure integrity of important data during
transmission.
6.1.4.7 Data backup and recovery
6.1.8 Security building management
6.1.8.1 Grading and filing
It shall state the security protection level of the protected object and the method
and reason for grading in a written form.
6.1.8.2 Security scheme design
It shall select the basic security measures according to the security protection
level; it shall supplement and adjust the security measures according to the
results of the risk analysis.
6.1.8.3 Product procurement and use
It shall be ensured that the procurement and use of cyber security products
comply with relevant national regulations.
6.1.8.4 Project implementation
It shall designate or authorize a special department or person to manage the
project implementation process.
6.1.8.5 Testing and acceptance
It shall perform a security testing and acceptance.
6.1.8.6 System handover
This requirement includes:
a) It shall establish a handover checklist; the handed-over device, software
and documentation shall be checked against the handover checklist;
b) It shall give the technical personnel responsible for operation and
maintenance the corresponding training.
6.1.8.7 Selection of service provider
This requirement includes:
a) It shall be ensured that the selection of service providers conforms to the
relevant national regulations;
b) It shall sign a security-related agreement with the selected service provider,
clearly stipulating the relevant responsibilities.
6.1.9 Security operation and maintenance management
a) It shall raise all users' awareness of malicious code prevention; it shall
perform a malicious code check before external computers or storage
devices are connected to the system;
b) It shall make provisions for the requirements of malicious code prevention,
including the authorized use of anti-malware software, the upgrade of
malicious code libraries, and regular scanning for and removal of malicious code.
6.1.9.7 Management of backup and recovery
This requirement includes:
a) It shall identify the important business information, system data and
software systems that need to be regularly backed up;
b) It shall specify the backup method, backup frequency, storage medium,
storage period, etc. of backup information.
6.1.9.8 Handling of security incident
This requirement includes:
a) It shall report the security weaknesses and suspicious incidents
discovered to the security management department in a timely manner;
b) It shall clearly define the process of reporting and handling security
incidents; specify the management responsibilities for on-site handling of
security incidents, incident reporting and subsequent recovery.
6.2 Security extension requirements of cloud computing
6.2.1 Security physical environment
6.2.1.1 Infrastructure location
It shall be ensured that the cloud computing infrastructure is located in China.
6.2.2 Security communication network
6.2.2.1 Network architecture
This requirement includes:
a) It shall be ensured that the cloud computing platform does not carry
business application systems higher than its security protection level;
b) It shall achieve the isolation of virtual networks of different cloud service
customers.
6.3 Security extension requirements of mobile internet
6.3.1 Security physical environment
6.3.1.1 Physical location of wireless access point
It shall choose a reasonable location for the installation of wireless access
device, to avoid excessive coverage and electromagnetic interference.
6.3.2 Security area border
6.3.2.1 Border protection
It shall ensure that the access and data flows crossing the boundary between
the wired network and the wireless network pass through a wireless access
gateway device.
6.3.2.2 Access control
The wireless access device shall enable the access authentication function;
the use of WEP for authentication is prohibited; where passwords are used,
their length shall be not less than 8 characters.
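An added example, not text from the standard and not an assessment tool of any of its drafting organizations: a checker that reads a hostapd-style access-point configuration (an assumed format; the option names are hostapd's) and reports each point of 6.3.2.2 that is not met, using constructed sample configurations.

```python
from dataclasses import dataclass
from typing import Dict, List

MIN_PASSWORD_LEN = 8  # 6.3.2.2: password length not less than 8 characters


@dataclass
class Finding:
    clause: str
    message: str


def parse_hostapd(text: str) -> Dict[str, str]:
    """Parse hostapd-style 'key=value' lines; blank lines and '#' comments are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def check_6_3_2_2(conf: Dict[str, str]) -> List[Finding]:
    """Return one Finding per point of clause 6.3.2.2 that the configuration violates."""
    findings: List[Finding] = []
    # WEP is in use when static WEP keys or a default WEP key index are configured.
    has_wep = "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf)
    # hostapd 'wpa': bit 1 = WPA, bit 2 = WPA2/RSN; 0 or absent without WEP keys is an open network.
    wpa_enabled = conf.get("wpa", "0") != "0"
    # Point 1: the access authentication function must be enabled.
    if not wpa_enabled and not has_wep:
        findings.append(Finding("6.3.2.2", "access authentication is not enabled (open network)"))
    # Point 2: WEP must not be used; shared-key authentication (auth_algs 2 or 3) is WEP-only.
    if has_wep:
        findings.append(Finding("6.3.2.2", "WEP keys are configured; WEP is prohibited"))
    if conf.get("auth_algs") in ("2", "3"):
        findings.append(Finding("6.3.2.2", "shared-key (WEP) authentication algorithm is permitted"))
    # Point 3: where a password (PSK passphrase) is used, it must be at least 8 characters.
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSWORD_LEN:
        findings.append(Finding("6.3.2.2", f"wpa_passphrase has {len(passphrase)} characters; minimum is {MIN_PASSWORD_LEN}"))
    return findings


def audit(config_text: str) -> List[str]:
    """Parse a configuration text and return the findings as readable strings."""
    return [f"{f.clause}: {f.message}" for f in check_6_3_2_2(parse_hostapd(config_text))]


# Constructed sample configurations (hypothetical, not from any real deployment).
WEP_CONF = "interface=wlan0\nssid=plant-office\nauth_algs=3\nwep_default_key=0\nwep_key0=0123456789\n"
SHORT_PSK_CONF = "ssid=plant-office\nwpa=2\nwpa_key_mgmt=WPA-PSK\nwpa_passphrase=abc123\n"
COMPLIANT_CONF = "ssid=plant-office\nwpa=2\nwpa_key_mgmt=WPA-PSK\nrsn_pairwise=CCMP\nwpa_passphrase=office-2019-wifi!\n"

if __name__ == "__main__":
    for name, conf in (("WEP", WEP_CONF), ("short PSK", SHORT_PSK_CONF), ("compliant", COMPLIANT_CONF)):
        print(name, audit(conf) or ["no findings"])
```

hostapd itself refuses a passphrase shorter than 8 characters, so the length check mainly matters when the same rules are applied to exported configurations of other access devices.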
6.3.3 Security computing environment
6.3.3.1 Mobile application control
It shall have the function of selecting the application software to install and run.
6.3.4 Security building management
6.3.4.1 Procurement of mobile application software
It shall be ensured that the application software installed and running on the
mobile device comes from a reliable distribution channel or is signed with a
reliable certificate.
6.4 Security extension requirements for IoT
6.4.1 Security physical environment
6.4.1.1 Physical protection of sensor node device
This requirement includes:
a) The physical environment of the sensor node device shall not cause
physical damage to the sensor node device, such as squeezing and
divided into two regions; it shall take technical isolation means between
the regions;
b) The interior of the industrial control system shall be divided into different
security domains according to business characteristics; it shall take
technical isolation methods between security domains.
6.5.3 Security area border
6.5.3.1 Access control
It shall deploy access control devices between the industrial control system
and other systems of the enterprise and configure access control policies;
general-purpose network services such as E-Mail, Web, Telnet, Rlogin and FTP
shall be prohibited from crossing the area border.
6.5.3.2 Wireless usage control
This requirement includes:
a) It shall provide all users (personnel, software processes or device)
involved in wireless communication with unique identification and
authentication;
b) It shall restrict the authorization, monitoring, enforcement of wireless
connections.
6.5.4 Security computing environment
6.5.4.1 Control device security
This requirement includes:
a) The control device itself shall implement the security requirements such
as identity authentication, access control and security auditing, as required by
the general requirements of the corresponding security level. If the
control device cannot meet the above requirements due to its constraints, its
superior control or management device shall provide the equivalent function,
or it shall be controlled by management means;
b) After sufficient testing and evaluation, the patches and hardware of the
control device shall be updated without affecting the safe and stable
operation of the system.
7.1.1.6 Waterproof and moisture-proof
This requirement includes:
a) It shall take measures to prevent rainwater from penetrating through the
windows, roof and walls of the computer room;
b) It shall take measures to prevent condensation of water vapor in the
computer room and the transfer and penetration of underground
water.
7.1.1.7 Anti-static
It shall use anti-static flooring or floor surfaces and take the necessary
grounded anti-static measures.
7.1.1.8 Temperature and humidity control
It shall provide temperature and humidity automatic adjustment facilities,
so that the temperature and humidity changes in the computer room are within
the allowable range of device operation.
7.1.1.9 Power supply
This requirement includes......