Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GB/T 25058-2010 Information security technology — Implementation guide for classified protection of information system and has the following main changes with respect to GB/T 25058-2010:
——The standard name is changed to Information security technology — Implementation guide for classified protection of cybersecurity.
——In the full text, "information system" has been adjusted to "classified protection object" or "classified object", and in the national standard, "basic requirements for classified protection of information system" has been adjusted to "basic requirements for classified protection of cybersecurity".
——Considering the special treatment of new technologies and applications such as cloud computing in the implementation process, cloud computing, mobile internet, big data and other related content have been added to relevant clauses as needed (see 5.3.2, 6.3.2, 7.2.1 and 7.3.2).
——The existing content of each part has been further refined so as to guide the classified protection of the newly-built classified protection objects for units (see 6.3.2 and 7.4.3).
——In the classification stage of classified protection objects, the working process of industry/field competent units has been added (see 5.2); special concerns in the classification of cloud computing, mobile internet, Internet of Things, industrial control and big data objects have been added (see 5.3; 5.2 in 2010 edition).
——In the overall security planning stage, the relevant content of industry classified protection management norms and technical standards has been added, that is, the basic security requirements are defined to include both the requirements put forward by national classified protection management norms and technical standards and the requirements put forward by industry classified protection management norms and technical standards (see 6.2.1; 6.2.1 in 2010 edition).
——In the overall security planning stage, the content of "design of the security technology architecture of classified protection objects" has been added, and it is required that the security technology architecture shall be designed according to the overall security policy file of the organization, GB/T 22239 and the security requirements of the organization, with the security technology architecture diagram provided. In addition, technical measures for security protection of new technologies such as cloud computing and mobile internet have been added (see 6.3.2; 6.3.2 in 2010 edition).
——In the overall security planning stage, the content of "design of the security management system framework for classified protection objects" has been added, and it is required that the security management system framework shall be designed according to GB/T 22239, security requirement analysis report, etc., with the security management system framework provided (see 6.3.3; 6.3.3 in 2010 edition).
——In the stage of security design and implementation, the order of "technical measures realization" and "management measures realization" has been switched (see 7.3 and 7.4; 7.3 and 7.4 in 2010 edition); "personnel security skills training" has been merged into "security management organization and personnel setting" (see 7.4.2; 7.3.1 and 7.3.3 in 2010 edition); and the order of "construction and revision of security management system" and "setting of security management organizations and personnel" has been switched (see 7.4.1 and 7.4.2; 7.4.1 and 7.4.2 in 2010 edition).
——In the stage of security design and implementation, the requirements for risk analysis of new technologies such as cloud computing and mobile internet, as well as for the realization of their technical protection measures, have been added to the realization of technical measures (see 7.2.1; 7.2.1 in 2010 edition); in the testing process, more emphasis has been placed on security testing content such as security vulnerability scanning and penetration testing (see 7.3.2; 7.3.2 in 2010 edition).
——In the stage of security design and implementation, on the basis of the original information security product suppliers, the evaluation and selection requirements for cybersecurity service organizations have been added (see 7.3.1); in the integration of security control, the integration of security measures such as security situational awareness, monitoring, notification and early warning, and emergency response tracing has been added (see 7.3.3); in the requirements for the construction and revision of the security management system, the consistency of the four-tier system files (overall security policy, security management system, security operation procedures, and security operation and maintenance records and forms) has been added (see 7.4.1); and in the security implementation process management, the activity content description of the overall management process has been added (see 7.4.3).
——In the security operation and maintenance stage, "service provider management and monitoring" has been added (see 8.6); "security incident handling and emergency plan" has been deleted (8.5 of 2010 edition); "system filing" has been deleted (8.8 of 2010 edition); the content of "supervision and inspection" has been revised (see 8.8; 8.9 in 2012 edition); and "emergency response and assurance" has been added (see 8.9).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This standard was proposed by and is under the jurisdiction of the National Technical Committee on Information Security of Standardization Administration of China (SAC/TC 260).
The previous edition of this standard is as follows:
——GB/T 25058-2010.
Information security technology — Implementation guide for classified protection of cybersecurity
1 Scope
This standard specifies the process of implementing classified protection of cybersecurity for classified protection objects.
This standard is applicable to guide the implementation of classified protection of cybersecurity.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB 17859 Classified criteria for security protection of computer information system
GB/T 22239 Information security technology — Baseline for classified protection of information system security
GB/T 22240 Information security technology — Classification guide for classified protection of information system security
GB/T 25069 Information security technology — Glossary
GB/T 28448 Information security technology — Evaluation requirement for classified protection of cybersecurity
3 Terms and definitions
For the purpose of this document, the terms and definitions given in GB 17859, GB/T 22239, GB/T 25069 and GB/T 28448 apply.
4 Overview on classified protection implementation
4.1 Basic principles
The core of security classified protection is to classify the classified protection objects, and to carry out construction, management and supervision according to standards. The following basic principles shall be followed in the implementation of security classified protection:
a) Autonomous protection
The operation and use units of classified protection objects and their competent departments shall independently determine the security protection level of classified protection objects and organize the implementation of security protection by themselves in accordance with relevant national laws and standards.
b) Priority protection
According to the importance and business characteristics of classified protection objects, different security protection intensities are realized by dividing classified protection objects with different security protection levels, and resources are centralized to give priority to protecting classified protection objects involving core business or key information assets.
c) Simultaneous construction
For classified protection objects in new construction, reconstruction and expansion, security schemes shall be simultaneously planned and designed, and a certain proportion of funds shall be invested to build cybersecurity facilities, so as to ensure that cybersecurity is compatible with informatization construction.
d) Dynamic adjustment
The security protection measures shall be adjusted by tracking the changes of classified objects. If the security protection level is required to be changed due to changes in the application type, scope and other conditions of the classified object, or for other reasons, the security protection level of the classified object shall be re-determined according to the requirements of the management specifications and technical standards for information security protection, and the security protection shall be re-implemented according to the adjusted security protection level of the classified object.
4.2 Participants and their responsibilities
The various participants and their responsibilities involved in the implementation of classified protection of cybersecurity for classified protection objects are as follows:
a) Classified protection management departments
The classified protection management departments shall be responsible for cybersecurity protection, supervision and management within the scope of their respective duties in accordance with the provisions of relevant laws and administrative regulations on classified protection.
b) Competent departments
They shall be responsible for supervising, inspecting and guiding the classified protection of cybersecurity of the industry, department or local classified protection object operation and use units in accordance with the management norms and technical standards for national classified protection of cybersecurity.
c) Operation and use units
They shall be responsible for 1) determining the security protection level of their classified protection objects in accordance with the national classified protection of cybersecurity management norms and technical standards, and, if a competent department exists for a given operation and use unit, reporting the security protection level to this competent department for examination and approval; 2) going through the filing formalities with the public security organ according to the determined security protection level; 3) planning and designing the security protection of classified protection objects according to the national classified protection of cybersecurity management norms and technical standards; 4) using information technology products and cybersecurity products that meet the relevant provisions of the state and the security protection level requirements of classified protection objects to carry out security construction or reconstruction work; 5) formulating and implementing various security management systems, regularly conducting self-examination of the security status of classified protection objects and of the implementation of security protection systems and measures, selecting level evaluation organizations that meet relevant national regulations, and conducting regular level evaluation; and 6) formulating response and disposal schemes for different levels of cybersecurity incidents, and carrying out emergency disposal for cybersecurity incidents at different levels.
d) Cybersecurity services
According to the entrustment of the operation and use units and in accordance with the national classified protection of cybersecurity management norms and technical standards, they shall be responsible for assisting operation and use units to complete the related work of classified protection, including determining the security level of their classified protection objects, conducting security requirement analysis and overall security planning, implementing security construction and security transformation, and providing a service support platform.
e) Evaluation organization of classified cybersecurity protection
They shall be responsible for assisting the operation and use units or the classified protection management departments according to the entrustment of the operation and use units or the authorization of the classified protection management departments, and evaluating the classified protection objects that have completed the classified protection construction according to the national classified protection of cybersecurity management norms and technical standards; and evaluating the security of cybersecurity products provided by cybersecurity product suppliers.
f) Cybersecurity product suppliers
They shall be responsible for developing cybersecurity products that meet the relevant requirements of classified protection in accordance with the management norms and technical standards of national classified protection of cybersecurity, and accepting security evaluation; and selling cybersecurity products and providing related services according to the relevant requirements of classified protection.
4.3 Basic implementation process
The basic process of implementing classified protection for classified protection objects includes classification and filing stage for classified protection objects, overall security planning stage, security design and implementation stage, security operation and maintenance stage and classified object closure stage, as shown in Figure 1.
Figure 1 Basic flow of implementing security classified protection
If, in the stage of security operation and maintenance, the classified protection object is partially adjusted due to changes in demand or other reasons without changing its security protection level, it shall enter the stage of security design and implementation from the stage of security operation and maintenance, and the security measures shall be redesigned and adjusted to ensure that the requirements of classified protection are met; if there is a major change in the classified protection object which leads to a change of the security protection level, it is necessary to enter the classification and filing stage for classified protection objects from the stage of security operation and maintenance, and the implementation process of classified protection of cybersecurity shall be restarted. In the process of operation and maintenance of the classified protection objects, a security incident may trigger emergency response and assurance.
The main processes, activities, inputs and outputs of each stage in the basic process of implementing classified protection for classified protection objects are shown in Annex A.
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Overview on classified protection implementation
4.1 Basic principles
4.2 Participants and their responsibilities
4.3 Basic implementation process
5 Classification and filing for classified protection objects
5.1 Workflow in classification and filing stage
5.2 Industry/field classification
5.3 Analysis of classified protection objects
5.3.1 Importance analysis for objects
5.3.2 Determination of classified objects
5.4 Determination of security protection level
5.4.1 Classification, audit and approval
5.4.2 Formation of classification report
5.5 Filing of classification results
6 Overall security planning
6.1 Workflow in overall security planning stage
6.2 Analysis on security requirements
6.2.1 Identification of basic security requirements
6.2.2 Determination of special security requirements
6.2.3 Forming of security requirements analysis report
6.3 Overall security design
6.3.1 Overall security policy design
6.3.2 Design of security technology architecture
6.3.3 Design of overall security management system architecture
6.3.4 Documentation of design results
6.4 Security construction project planning
6.4.1 Determination of security construction objectives
6.4.2 Security construction content planning
6.4.3 Forming of security construction project planning
7 Security design and implementation
7.1 Workflow in the stage of security design and implementation
7.2 Detailed design of security scheme
7.2.1 Design of technical measure implementations
7.2.2 Design of management measure implementation content
7.2.3 Documentation of design results
7.3 Implementation of technical measures
7.3.1 Procurement of cybersecurity products or services
7.3.2 Development of security control
7.3.3 Security control integration
7.3.4 System acceptance
7.4 Implementation of management measures
7.4.1 Establishment and revision of security management system
7.4.2 Setting of security management organization and personnel
7.4.3 Management during security implementation
8 Security operation and maintenance
8.1 Workflow in the stage of security operation and maintenance
8.2 Operation management and control
8.2.1 Determination of operation management responsibility
8.2.2 Operation management process control
8.3 Change management and control
8.3.1 Change demands and impact analysis
8.3.2 Change process control
8.4 Secure state monitoring
8.4.1 Determination of monitored object
8.4.2 Monitored object state collection
8.4.3 Monitoring state analysis and report
8.5 Security self-inspection and continuous improvement
8.5.1 Secure state self-inspection
8.5.2 Development of improvement scheme
8.5.3 Security improvement implementation
8.6 Service provider management and monitoring
8.6.1 Selection of service provider
8.6.2 Service provider management
8.6.3 Service provider monitoring
8.7 Testing and evaluation for classified cybersecurity protection
8.8 Supervision and inspection
8.9 Emergency response and assurance
8.9.1 Emergency preparation
8.9.2 Emergency monitoring and response
8.9.3 Post-evaluation and improvement
8.9.4 Emergency assurance
9 Closure of classified object
9.1 Workflow in the closure stage of classified object
9.2 Information transfer, temporary storage and clearing
9.3 Equipment migration or abandonment
9.4 Storage media removal or destruction
Annex A (Normative) Main process and its activities, input and output