Information security technology - Cybersecurity requirements for critical information infrastructure protection
1 Scope
This document specifies the cybersecurity requirements for critical information infrastructure protection in terms of such aspects as analysis and identification, security protection, detection and evaluation, monitoring and warning, active defense and incident treatment.
This document is applicable to guiding operators to provide full life cycle security protection for critical information infrastructure, and can also be used as a reference for other parties involved in the security protection of critical information infrastructure.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB/T 20984 Information security technology - Risk assessment method for information security
GB/T 25069 Information security techniques - Terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069 and the following apply.
3.1
critical information infrastructure
important industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public service, e-government, defense technology and industry, as well as other important network facilities and information systems that may seriously endanger national security, national economy, people's livelihood, and public interests in case of damaged, lost or data leaked
3.2
supply chain
organization series that links multiple resources and processes together and establishes a continuous supply relationship based on service agreements or other procurement agreements
Note: An organization serves as the demander, supplier or both.
3.3
critical business chain
critical business process composed of one or more interrelated businesses of an organization
4 Basic principles of security protection
The security protection of critical information infrastructure shall be based on the classified protection system of cybersecurity, and key protection shall be provided based on the following basic principles.
——Overall prevention and control centered on critical business. The security protection of critical information infrastructure aims to protect critical businesses, and provides systematical security designs for one or more network(s) and information system(s) involved in the businesses, in order to build an overall security prevention and control system.
——Dynamic protection guided by risk management. Continuously monitor and dynamically adjust security control measures based on the security threat situation faced by critical information infrastructure, form a dynamic security protection mechanism to timely and effectively prevent and respond to security risks.
——Coordinated defense based on information sharing. Actively build a joint protection mechanism for information sharing and collaborative collaboration with extensive participation from relevant parties, and enhance the ability of critical information infrastructure to respond to large-scale network attacks.
5 Main contents and activities
The security protection of critical information infrastructure covers six aspects: analysis and identification, security protection, detection and evaluation, monitoring and warning, active defense and incident treatment.
a) Analysis and identification: carry out activities such as business dependency identification, critical asset identification and risk identification around the critical businesses of critical information infrastructure. This activity is the basis for security protection, detection and evaluation, monitoring and warning, active defense and incident treatment.
Foreword i
Introduction ii
1 Scope
2 Normative references
3 Terms and definitions
4 Basic principles of security protection
5 Main contents and activities
6 Analysis and identification
6.1 Business identification
6.2 Asset identification
6.3 Risk identification
6.4 Significant changes
7 Security protection
7.1 Classified protection of cybersecurity
7.2 Security management system
7.3 Security management organization
7.4 Security management personnel
7.5 Communication network security
7.6 Computing environment security
7.7 Construction management security
7.8 Maintenance management security
7.9 Supply chain security protection
7.10 Data security protection
8 Detection and assessment
8.1 System
8.2 Methods and contents
9 Monitoring and warning
9.1 System
9.2 Monitoring
9.3 Warning
10 Active defense
10.1 Converging exposure
10.2 Attack discovery and blocking
10.3 Attack and defense drills
10.4 Threat intelligence
11 Incident treatment
11.1 System
11.2 Emergency plan and drill
11.3 Response and treatment
11.4 Re-identification
Bibliography