Basic data

| Field | Value |
| --- | --- |
| Standard ID | JR/T 0072-2020 (JR/T0072-2020) |
| Description (Translated English) | Testing and evaluation guidelines for classified protection of cybersecurity of financial industry |
| Sector / Industry | Finance Industry Standard (Recommended) |
| Classification of Chinese Standard | A11 |
| Word Count Estimation | 335,336 |
| Date of Issue | 2020-11-11 |
| Date of Implementation | 2020-11-11 |
| Older Standard (superseded by this standard) | JR/T 0072-2012 |
| Regulation (derived from) | Bank Announcement (2020) No. 275 |
| Issuing agency(ies) | People's Bank of China |

JR/T 0072-2020: Testing and evaluation guidelines for classified protection of cybersecurity of financial industry
Testing and evaluation guidelines for classified protection of cybersecurity of financial industry
People's Republic of China Financial Industry Standards
Replaces JR/T 0072-2012
Guidelines for the Evaluation of Cybersecurity Classified Protection in the Financial Industry
Issued 2020-11-11
Implemented 2020-11-11
Issued by the People's Bank of China
1 Scope...1
2 Normative references...1
3 Terms and definitions...1
4 Abbreviations...5
5 Overview of level evaluation...5
5.1 Level evaluation method...5
5.2 Individual evaluation and overall evaluation...5
6 Level 2 evaluation requirements...6
6.1 General requirements for security evaluation...6
6.2 Cloud computing security evaluation extension requirements...54
6.3 Mobile internet security evaluation extension requirements...61
6.4 IoT security evaluation extension requirements...64
7 Level 3 evaluation requirements...70
7.1 General requirements for security evaluation...70
7.2 Cloud computing security evaluation extension requirements...149
7.3 Mobile internet security evaluation extension requirements...165
7.4 IoT security evaluation extension requirements...171
8 Level 4 evaluation requirements...181
8.1 General requirements for security evaluation...181
8.2 Cloud computing security evaluation extension requirements...267
8.3 Mobile internet security evaluation extension requirements...288
8.4 IoT security evaluation extension requirements...295
9 Overall evaluation...305
9.1 Overview...305
9.2 Evaluation of security control points...305
9.3 Evaluation between security control points...305
9.4 Inter-area evaluation...305
10 Evaluation conclusion...305
10.1 Risk analysis and evaluation...305
10.2 Level evaluation conclusion...306
Appendix A (Informative Appendix) Evaluation strength...307
Appendix B (Informative Appendix) Reference security evaluation methods for big data...309
Appendix C (Normative Appendix) Description of evaluation unit numbers...330
References...331
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces JR/T 0072-2012 "Guidelines for the Evaluation of Information Security Level Protection of Information Systems in the Financial Industry". Compared with JR/T 0072-2012, the main technical changes are as follows:
- Revised the "Overview of level evaluation" (see Chapter 5; Chapter 3 of the 2012 edition);
- Deleted the "Level evaluation process" (see Chapter 4 of the 2012 edition);
- Deleted the "Evaluation preparation" (see Chapter 5 of the 2012 edition);
- Deleted the "Evaluation plan" (see Chapter 6 of the 2012 edition);
- Modified the requirements on "Secure physical environment", "Secure communication network", "Secure area boundary", "Secure computing environment", "Security management center", "Security management system", "Security management organization", "Security management personnel", "Security construction management" and "Security operation and maintenance management" in the "General requirements for security evaluation" of the "Level 2 evaluation requirements" (see 6.1; 7.1.1 of the 2012 edition);
- Added "Cloud computing security evaluation extension requirements", "Mobile internet security evaluation extension requirements" and "IoT security evaluation extension requirements" to the "Level 2 evaluation requirements" (see Chapter 6);
- Modified the requirements on "Secure physical environment", "Secure communication network", "Secure area boundary", "Secure computing environment", "Security management center", "Security management system", "Security management organization", "Security management personnel", "Security construction management" and "Security operation and maintenance management" in the "General requirements for security evaluation" of the "Level 3 evaluation requirements" (see 7.1; 7.1.2 of the 2012 edition);
- Added "Cloud computing security evaluation extension requirements", "Mobile internet security evaluation extension requirements" and "IoT security evaluation extension requirements" to the "Level 3 evaluation requirements" (see Chapter 7);
- Modified the requirements on "Secure physical environment", "Secure communication network", "Secure area boundary", "Secure computing environment", "Security management center", "Security management system", "Security management organization", "Security management personnel", "Security construction management" and "Security operation and maintenance management" in the "General requirements for security evaluation" of the "Level 4 evaluation requirements" (see 8.1; 7.1.3 of the 2012 edition);
- Added "Cloud computing security evaluation extension requirements", "Mobile internet security evaluation extension requirements" and "IoT security evaluation extension requirements" to the "Level 4 evaluation requirements" (see Chapter 8);
- Deleted "Analysis and report preparation" (see Chapter 8 of the 2012 edition);
- Deleted the "On-site unit evaluation checklist" (see Appendix A of the 2012 edition);
- Added "Evaluation strength" (see Appendix A);
- Added "Reference security evaluation methods for big data", which puts forward classified protection requirements for big data platforms in the financial industry (see Appendix B);
- Added "Description of evaluation unit numbers" (see Appendix C).
This standard was proposed by the People's Bank of China.
This standard is under the jurisdiction of the National Financial Standardization Technical Committee (SAC/TC 180).
Drafting organizations of this standard: the Science and Technology Department of the People's Bank of China, the Statistical Information and Risk Monitoring Department of the China Banking and Insurance Regulatory Commission, China Financial Electronics Corporation, Beijing Zhongjin Guosheng Certification Co., Ltd., Bank Card Testing Center, China Ping An Insurance (Group) Co., Ltd., Beijing Tianrongxin Network Security Technology Co., Ltd., and Huawei Technologies Co., Ltd.
The main drafters of this standard: Li Wei, Chen Liwu, Shen Xiaoyan, Che Zhen, Zan Xin, Xia Lei, Fang Yi, Zhang Haiyan, Tang Hui, Li Fan, Wang Haitao, Zhang Lu, Pan Liyang, Deng Hao, Hou Manli, Sun Guodong, Liu Wenjuan, Zhao Fangmeng, Ma Chenglong, Du Wei, Cui Ying, Chen Xuefeng, Qu Shaoguang, Gao Qiangyi, Li Bowen, Li Jinhua, Jin Dynasty, Ren Yongqiang, Yue Yuan, Zhu Jingcheng, Zhao Jiang, Yu Jingtao, Hu Shan, Xie Hong, Yang Jian, Li Jianbin, Yu Guoqiang, Xiao Song, Bai Yang, Zhang Yu, Zhao Hua.
The previous editions of the standard replaced by this standard are as follows:
- JR/T 0072-2012.
Introduction
Cybersecurity classified protection is a basic institution of national cybersecurity assurance work. Important systems in the financial industry concern the national economy and the people's livelihood and are key protection objects of national cybersecurity, so a series of classified protection standards suited to the financial industry is needed to standardize and guide the implementation of classified protection in the financial industry. With the widespread application of new technologies such as cloud computing, mobile internet, the Internet of Things and big data, financial institutions are continuing to transform their IT architectures in accordance with their own development needs. To adapt cybersecurity classified protection in the financial industry to these new technologies, applications and architectures, JR/T 0071 was revised, and the revision of JR/T 0072, which cites JR/T 0071 as its evaluation index, was initiated at the same time. The revised JR/T 0072 is adjusted in accordance with the basic requirements of JR/T 0071: it develops general security evaluation requirements for the common security protection requirements, and proposes security evaluation extension requirements for the individual security protection requirements of new technologies and applications such as cloud computing, mobile internet and the Internet of Things.
Guidelines for the Evaluation of Cybersecurity Classified Protection in the Financial Industry
1 Scope
This standard specifies the general requirements and the extension requirements for the security evaluation of level 2, level 3 and level 4 protection objects in the financial industry.
This standard is applicable to guiding financial institutions, evaluation institutions and the financial industry's cybersecurity classified protection authorities in conducting security evaluation of the security status of classified protection objects.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest version (including all amendments) applies to this document.
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 28448-2019 Information security technology - Evaluation requirements for classified protection of cybersecurity
GB/T 28449-2018 Information security technology - Evaluation process guide for classified protection of cybersecurity
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 31168-2014 Information security technology - Security capability requirements of cloud computing services
GB/T 32400-2015 Cloud computing - Overview and vocabulary
GM/T 0054-2018 Basic requirements for cryptographic applications in information systems
JR/T 0071.2-2020 Implementation guidelines for classified protection of cybersecurity in the financial industry - Part 2: Basic requirements
JR/T 0171-2020 Personal financial information protection technical specification
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
Interview
The process in which the evaluator, through purposeful (targeted) communication with relevant personnel of the classified protection object, helps the evaluator understand, clarify or obtain evidence.
[GB/T 28448-2019, definition 3.1]
3.2
Check
The process in which the evaluator observes, inspects and analyzes evaluation objects (such as system documents, various devices and their security configurations) to help the evaluator understand, clarify or obtain evidence.
[GB/T 28448-2019, definition 3.2]
3.3
Test
The process in which the evaluator uses predetermined methods/tools to make the evaluation object (various devices or security configurations) produce specific results, and compares the running results with the expected results.
[GB/T 28448-2019, definition 3.3]
3.4
Evaluate
The process of comprehensively judging and predicting the possible threats to the evaluation object and their possible consequences.
[GB/T 28448-2019, definition 3.4]
3.5
Target of testing and evaluation
The objects to which the different evaluation methods are applied in the level evaluation process; they mainly involve the relevant supporting system documents, devices and facilities, and personnel.
[GB/T 28448-2019, definition 3.5]
3.6
Testing and evaluation for classified cybersecurity protection
The activity in which an evaluation agency, in accordance with the provisions of the national cybersecurity classified protection system and with the relevant management norms and technical standards, tests and evaluates the cybersecurity classified protection status of a protection object.
[GB/T 28448-2019, definition 3.6]
3.7
Cloud computing
A mode of accessing a scalable and flexible pool of shared physical or virtual resources through the network, and of acquiring and managing those resources on demand in a self-service manner.
Note: Examples of resources include servers, operating systems, networks, software, applications and storage devices.
[GB/T 31167-2014, definition 3.1]
3.8
Cloud service
One or more capabilities provided through the defined interfaces of cloud computing.
[GB/T 32400-2015, definition 3.2.8]
3.9
Cloud service provider
The provider of cloud computing services.
Note: Cloud service providers manage, operate and support the computing infrastructure and software of cloud computing, and deliver cloud computing resources through the network.
[GB/T 31167-2014, definition 3.3]
3.10
Cloud service customer
Participants who establish business relationships with cloud service providers for the use of cloud computing services.
[GB/T 31168-2014, definition 3.4]
3.11
Cloud computing platform/system
A collection of cloud computing infrastructure and service software provided by cloud service providers.
[GB/T 22239-2019, definition 3.6]
3.12
Community cloud
A cloud deployment and cloud service model in which cloud services are used and shared by a specific group of cloud service customers, with the resources controlled by the cloud service provider or by the customers.
3.13
Virtual machine
An operating system and application running environment, identical to that of a physical server, provided to users through various virtualization technologies.
Note: A virtual machine usually uses part of the resources of a physical server. From the user's point of view, it is used in exactly the same way as a physical server.
3.14
Hypervisor
The intermediate software layer running between the underlying physical server and the operating system that allows multiple operating systems and applications to share the hardware.
[GB/T 22239-2019, definition 3.7]
3.15
Resource pool
A collection of physical or virtual resources from which resources can be acquired, released or reclaimed according to certain rules.
Note: Resources include physical machines, virtual machines, physical storage resources, virtual storage resources, physical network resources and virtual network resources.
3.16
Host machine
The physical server on which the hypervisor (virtual machine monitor) runs.
[GB/T 22239-2019, definition 3.8]
3.17
Sensitive data...