1 Scope
Based on the national standards "Baseline for Classified Protection of Information System Security" and "Technical Requirements of Security Design for Information System Classified Protection", and taking into account the characteristics of the financial industry and the security requirements of its information systems, this standard defines a layered information security architecture and specifies the requirements for application systems according to their security level. Its purpose is to make the national requirements for classified protection industry-specific and concrete, and to raise the level of information security protection for the important networks and information systems of the financial industry.
This standard applies to the departments of financial institutions (including their affiliates) involved in system planning and development (business and technology), application development, system operation, security management, system use, and internal supervision and audit. It may also serve as a basis for the supervision, inspection and guidance of information security functions. As its contents are supplemented and enriched, this standard provides guidance for the practice of classified protection.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 22239-2008 Baseline for Classified Protection of Information System Security
GB/T 25069 Information Security Technology - Glossary
JR/T 0003-2001 Security Specification for the Interoperable Services of Bank Card
JR/T 0013-2004 Specification on the Interconnection Security between Star Networks of Financial Industry
JR/T 0011-2004 Systematic Specification of Centralized Bank Data Center
JR/T 0023-2004 Specification on Information Technology Management of Securities Company
JR/T 0026-2006 Specification for Protection against Lightning of Banking Computer Information System
JR/T 0044-2008 Management Specification of Information System Disaster Recovery for Banks
JR/T 0055.4-2009 Technical Specifications on Bankcard Interoperability – Part 4: Data Secure Transmission Control
PBC Doc. [2002] No. 260 Guidance of the People's Bank of China on Reinforcing Bank Data Concentration Security
YIN KE JI [2006] No. 73 Guidance of the People's Bank of China on the Secure Configuration of Information System
YIN BAN Doc. [2006] No. 154 Guidance of the People's Bank of China on IT Emergency Plan
YIN BAN Doc. [2006] No. 9 Guidance of the People's Bank of China on the Normalization of Computer Room
PBC Doc. [2010] No. 276 Administrative Rules of the People's Bank of China on Computer System Information Security
CBRC Doc. [2008] No. 50 Administrative Regulations on the Commissioning and Modification of Important Information Systems of Banking Financial Institutions
CBRC [2009] No. 19 Guidance on the Information Technology Risk Management for Commercial Banks
YIN JIAN BAN Doc. [2009] No. 437 Guidance on Emergency Handling for Cross-industry Information System of Banking and Securities
YIN JIAN BAN Doc. [2010] No. 112 Guidance on the Supervision of Commercial Bank Data Center
SAC Doc. [2006] Guidance on the Security Management Technology of Centralized Transaction for Securities Companies
CFA Doc. [2009] Guidance on the Online Futures Information System Technology for Futures Companies
SAC Doc. [2009] No. 154 Guidance on the Information Technology for Securities Business Departments
CIRC Decree [2003] No. 3 Regulations on Major Emergency Handling for Insurance Industry
3 Terms and Definitions
For the purpose of this standard, the terms and definitions specified in GB/T 25069 and those given below apply.
3.1 Sensitive data
Data which, if disclosed, could cause damage to the user or to the financial institution, including but not limited to:
a) sensitive user data, e.g. user passwords and secret keys;
b) sensitive system data, e.g. system secret keys and key system management data;
c) other sensitive business data that is required to be kept secret.
Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Guide Preparation Policy
5 Information Security Assurance Framework
6 Protection Requirements
Appendix A (Informative) Implementation Measures for Classified Protection
Appendix B (Informative) Selection of Security Requirements of Financial Industry and the Use Instructions
Bibliography