
JR/T 0071.1-2020 English PDF

JR/T 0071.1-2020: Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 1: Fundamentals and vocabulary
Status: Valid

JR/T 0071.1: Evolution and historical versions

Standard ID | Contents [version] | USD | [PDF] delivered in | Standard Title (Description) | Status
JR/T 0071.1-2020 | English | 479 | 4 days [Need to translate] | Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 1: Fundamentals and vocabulary | Valid
JR/T 0071-2012 | English | 160 | 0--9 seconds. Auto-delivery | Implementation guide for classified protection of information system of financial industry | Obsolete

Standard similar to JR/T 0071.1-2020

GB/T 19584   GB/T 12406   JR/T 0071.3   JR/T 0071.4   JR/T 0071.2   

Basic data

Standard ID: JR/T 0071.1-2020 (JR/T0071.1-2020)
Description (Translated English): Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 1: Fundamentals and vocabulary
Sector / Industry: Finance Industry Standard (Recommended)
Classification of Chinese Standard: A11
Classification of International Standard: 03.060
Word Count Estimation: 20,252
Date of Issue: 2020
Date of Implementation: 2020-11-11
Issuing agency(ies): People's Bank of China

JR/T 0071.1-2020: Implementation guidelines for classified protection of cybersecurity of the financial industry - Part 1: Fundamentals and vocabulary


---This is a DRAFT version for illustration, not a final translation. Full copy of true-PDF in English version (including equations, symbols, images, flow-chart, tables, and figures etc.) will be manually/carefully translated upon your order.
Implementation guidelines for classified protection of cybersecurity of financial industry - Part 1: Fundamentals and vocabulary

People's Republic of China Financial Industry Standards
Guidelines for the Implementation of Levels of Cybersecurity Protection in the Financial Industry
2020-11-11 release; 2020-11-11 implementation
Issued by the People's Bank of China

1 Scope
2 Normative references
3 Terms and definitions
4 Fundamentals of Cyber Security Level Protection in the Financial Industry

Foreword

JR/T 0071 "Implementation Guidelines for Cyber Security Graded Protection in the Financial Industry" consists of the following 6 parts.
--Part 1. Basics and terminology;
--Part 2. Basic requirements;
--Part 3. Job ability requirements and evaluation guidelines;
--Part 4. Training Guidelines;
--Part 5. Audit requirements;
--Part 6. Audit Guidelines.

This part is part 1 of JR/T 0071.

This part was drafted in accordance with the rules given in GB/T 1.1-2009.

This part was proposed by the People's Bank of China.

This part is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC 180).

Drafting organizations of this part: the Department of Science and Technology of the People's Bank of China, the Statistical Information and Risk Monitoring Department of China Banking and Insurance Regulatory Commission, China Financial Electronics Corporation, Beijing Zhongjin Guosheng Certification Co., Ltd.

The main drafters of this part: Li Wei, Chen Liwu, Shen Xiaoyan, Che Zhen, Zan Xin, Xia Lei, Fang Yi, Zhang Haiyan, Tang Hui, Li Fan, Wang Haitao, Zhang Lu, Pan Liyang, Deng Hao, Hou Manli, Sun Guodong, Liu Wenjuan, Zhao Fangmeng, Qiao Yuan, Cui Ying, Chen Xuefeng, Ma Chenglong, Du Wei, Li Ruifeng.

Introduction

Cybersecurity level protection is a basic system for national cybersecurity assurance work. Important systems in the financial industry bear on the national economy and the people's livelihood and are key protection objects of national network security, so a series of level protection standards suited to the financial industry is needed as support to standardize and guide the implementation of level protection in the financial industry.

With the widespread application of new technologies such as cloud computing, mobile internet, Internet of Things, and big data, financial institutions are continuing to promote the transformation of IT architecture in accordance with their own development needs. In order to adapt the financial industry's cybersecurity level protection to new technologies, new applications and new architectures, JR/T 0071 is now revised. The revised JR/T 0071 is based on the relevant national cybersecurity level protection requirements. It provides methodology, specific construction measures and technical guidance for the financial industry's network security construction, and improves the financial industry's cybersecurity level protection system so that it is better adapted to the application of new technologies in the financial industry.

Guidelines for the Implementation of Levels of Cybersecurity Protection in the Financial Industry
Part 1. Basics and Terminology

1 Scope

This part specifies the basic framework and terminology definitions for the financial industry's cybersecurity level protection work. This part is applicable to guide financial institutions, evaluation institutions, and financial industry authorities to implement cybersecurity level protection.

2 Normative references

The following documents are indispensable for the application of this document. For dated reference documents, only the dated version applies to this document. For undated reference documents, the latest version (including all amendments) is applicable to this document.

GB 17859-1999 Classification criteria for security protection grades of computer information systems
GB/T 20269-2006 Information Security Technology Information System Security Management Requirements
GB/T 20271-2006 Information Security Technology Information System Security General Technical Requirements
GB/T 20272-2019 Information Security Technology Operating System Security Technical Requirements
GB/T 20279-2015 Information Security Technology Network and Terminal Isolation Product Security Technical Requirements
GB/T 20282-2006 Information Security Technology Information System Security Engineering Management Requirements
GB/T 20984-2007 Information Security Technology Information Security Risk Assessment Specification
GB/T 20988-2007 Information Security Technology Information System Disaster Recovery Specification
GB/T 21052-2007 Information Security Technology Information System Physical Security Technical Requirements
GB/T 22239-2019 Information Security Technology Network Security Level Protection Basic Requirements
GB/T 22240-2020 Information Security Technology Network Security Level Protection Rating Guidelines
GB/T 25070-2019 Information Security Technology, Cyber Security Level Protection Security Design Technical Requirements
GB/T 28448-2019 Information Security Technology Network Security Level Protection Evaluation Requirements
GB/T 31167-2014 Information Security Technology Cloud Computing Service Security Guidelines
JR/T 0071.2-2020 Implementation Guidelines for Graded Cyber Security Protection in the Financial Industry Part 2. Basic Requirements
JR/T 0071.3-2020 Implementation Guidelines for the Level of Cybersecurity Protection in the Financial Industry Part 3. Job Ability Requirements and Evaluation Guidelines
JR/T 0071.4-2020 Implementation Guidelines for Graded Cyber Security Protection in the Financial Industry Part 4. Training Guidelines
JR/T 0071.5-2020 Financial Industry Cybersecurity Graded Protection Implementation Guidelines Part 5. Audit Requirements
JR/T 0071.6-2020 Implementation Guidelines for Graded Cybersecurity Protection in the Financial Industry Part 6. Audit Guidelines
JR/T 0072-2020 Financial Industry Cyber Security Level Protection Evaluation Guide
JR/T 0073-2012 Financial Industry Information Security Level Protection Evaluation Service Security Guidelines

3 Terms and definitions

The following terms and definitions apply to this document.

3.1 Specific level of protection

3.1.1 Target of classified security
The objects directly affected by the network security level protection work.
Note. It mainly includes information systems, communication network facilities and data resources.
[GB/T 22240-2020, definition 3.2]

3.1.2 Testing and evaluation for classified cybersecurity protection
In accordance with the provisions of the national cybersecurity grading protection system, the evaluation agency, in accordance with relevant management norms and technical standards, tests and evaluates the network security level protection status.
[GB/T 28448-2019, definition 3.6]

3.1.3 Testing and evaluation intensity
A representation of the actual effort invested in the evaluation work, which can be described by the breadth and depth of the evaluation.

3.2 General technology

3.2.1 Security of information system
The characterization of the confidentiality, integrity, and availability of information stored, transmitted, and processed by an information system.

3.2.2 Security assurance
The methods and measures taken to ensure that the security functions of the security elements meet the required security goals.

3.2.3 User authentication
Use specific information to confirm the authenticity of the user's identity. The information used for authentication is generally non-public and difficult to imitate.
[GB/T 20271-2006, definition 3.1.12]

3.2.4 Object
Information carrier.
[GB 17859-1999, definition 3.3]

3.2.5 Subject
The person, process, or device that causes information to flow between objects.
[GB 17859-1999, definition 3.4]

3.2.6 Sensitivity label
A group of information that represents the security level of the object and describes the sensitivity of the object data. The sensitivity label is used in the trusted computing base as the basis for mandatory access control decisions.
[GB 17859-1999, definition 3.5]

3.2.7 Label of subject and object
Designate sensitivity labels for subject and object. These sensitivity labels are a combination of hierarchical and non-hierarchical categories, which serve as the basis for implementing mandatory access control.
[GB/T 20271-2006, definition 3.1.14]

3.2.8 Access control
A security mechanism that controls access activities between entities according to certain rules and can prevent unauthorized use of resources.
[GB/T 20269-2006, definition 3.3]

3.2.9 Security attribute
Information related to the subject and object when the security policy is implemented.
Note 1. For autonomous access control, security attributes include relevant information to determine the access relationship between subject and object.
Note 2. For mandatory access control using a multi-level security policy model, the security attributes include the identification information of the subject and the object and the sensitivity label information.

3.2.10 Discrete access control
The method by which the subject that owns an object autonomously stipulates the access rights to the objects it owns. Subjects with access rights can access designated objects in the authorized manner and can transfer access rights based on authorization.
[GB/T 20271-2006, definition 3.1.16]

3.2.11 Mandatory access control
The method by which the system determines the subject's access rights to the object according to the sensitivity labels of the subject and the object and in accordance with the determined rules. A subject with access rights can access the designated object in the authorized manner. Sensitivity labels are set and maintained by the system security officer, or automatically by the system in accordance with the rules.
[GB/T 20271-2006, definition 3.1.17]

3.2.12 Weak password
Passwords that are too simple or very easy to crack.

3.2.13 Trusted path
A communication path established and maintained between the SSF and the user, in order to realize trusted communication between the user and the SSF, that protects communication data from modification and leakage.
[GB/T 20271-2006, definition 3.1.20]

3.2.14 Published user data
Data that needs to be disclosed to all users in the information system. This type of data needs to be integrity protected.
[GB/T 20271-2006, definition 3.1.21]

3.2.15 Internal user data
User data that has general use value or degree of confidentiality in the information system and requires certain protection. Leakage or destruction of such data will bring a certain loss.
[GB/T 20271-2006, definition 3.1.22]

3.2.16 Important user data
User data that has important use value or confidentiality in the information system and requires key protection. The leakage or destruction of this type of data will bring greater losses.
[GB/T 20271-2006, definition 3.1.23]

3.2.17 Key user data
User data that has high use value or confidentiality in the information system and needs special protection. The leakage or destruction of this type of data will bring heavy losses.
[GB/T 20271-2006, definition 3.1.24]

3.2.18 Nuclear user data
The user data that has the highest use value or degree of confidentiality in the information system and requires absolute protection. The leakage or destruction of this type of data will bring catastrophic losses.
[GB/T 20271-2006, definition 3.1.25]

3.2.19 Facility physical security
Appropriate security measures taken for hardware equipment and components in order to ensure the safe and reliable operation of the information system and to reduce or prevent the security risks that man-made or natural factors pose to the safe and reliable operation of hardware equipment.
[GB/T 21052-2007, definition 3.3]

3.2.20 Environment physical security
The safe operating environment provided to ensure the safe and reliable operation of the information system, which enables the information system to be tightly protected physically, thereby reducing or avoiding various security risks.
[GB/T 21052-2007, definition 3.4]

3.2.21 System physical security
Appropriate security measures taken from the perspective of the system in order to ensure the safe and reliable operation of the information system and to reduce or prevent the security threats that man-made or natural factors pose, at the physical level, to the confidentiality, integrity and availability of the information system.
[GB/T 21052-2007, definition 3.5]

3.2.22 Fault tolerance
Through a series of internal measures...