GB/T 28448-2019 English PDF (GBT28448-2019)
Regular price: $2,405.00 USD
GB/T 28448-2019: Information security technology -- Evaluation requirement for classified protection of cybersecurity
GB/T 28448-2019
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 28448-2012
Information security technology - Evaluation
requirement for classified protection of cybersecurity
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of PRC.
Table of Contents
Foreword ... 4
Introduction ... 6
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 8
4 Abbreviations ... 10
5 Overview of testing-evaluation for classified cybersecurity protection ... 10
5.1 Method of testing-evaluation for classified cybersecurity protection ... 10
5.2 Single item testing-evaluation and overall testing-evaluation ... 12
6 Requirements for level 1 testing-evaluation ... 12
6.1 General requirements for security testing-evaluation ... 12
6.2 Extended requirements for testing-evaluation of cloud computing security .. 40
6.3 Extended requirements for testing-evaluation of mobile internet security ... 45
6.4 Extended requirements for testing-evaluation of IoT security ... 48
6.5 Extended requirements for testing-evaluation of industrial control system security ... 50
7 Requirements for level 2 testing-evaluation ... 55
7.1 General requirements for security testing-evaluation ... 55
7.2 Extended requirements for testing-evaluation of cloud computing security 122
7.3 Extended requirements for testing-evaluation of mobile internet security ... 137
7.4 Extended requirements for testing-evaluation of IoT security ... 143
7.5 Extended requirements for testing-evaluation of industrial control system security ... 147
8 Requirements for level 3 testing-evaluation ... 155
8.1 General requirements for security testing-evaluation ... 155
8.2 Extended requirements for testing-evaluation of cloud computing security 261
8.3 Extended requirements for testing-evaluation of mobile internet security ... 285
8.4 Extended requirements for testing-evaluation of IoT security ... 293
8.5 Extended requirements for testing-evaluation of industrial control system security ... 304
9 Requirements for level 4 testing-evaluation ... 315
9.1 General requirements for security testing-evaluation ... 315
9.2 Extended requirements for testing-evaluation of cloud computing security 428
9.3 Extended requirements for testing-evaluation of mobile internet security ... 454
9.4 Extended requirements for testing-evaluation of IoT security ... 463
9.5 Extended requirements for testing-evaluation of industrial control system security ... 475
10 Requirements for level 5 testing-evaluation ... 485
11 Overall testing-evaluation ... 486
11.1 Overview ... 486
11.2 Testing-evaluation of security control points ... 486
11.3 Testing-evaluation between security control points ... 486
11.4 Inter-area testing-evaluation ... 487
12 Testing-evaluation conclusion ... 487
12.1 Risk analysis and evaluation ... 487
12.2 Conclusion of testing-evaluation for classified cybersecurity protection ... 488
Appendix A (Informative) Testing-evaluation intensity ... 489
Appendix B (Informative) Security evaluation methods that can be referenced for big data ... 493
Appendix C (Normative) Descriptions on numbering of testing-evaluation units ... 531
References ... 533
Information security technology - Evaluation
requirement for classified protection of cybersecurity
1 Scope
This standard stipulates the general requirements and extended requirements for testing-evaluation of the security of classified protection targets.
This standard is applicable to security evaluation service agencies, to the operating and using units of classified protection targets and to competent departments when conducting security evaluation of, and providing guidance on, the security status of classified protection targets; it is also applicable to network security functional departments when conducting supervision and inspection of the classified protection of cybersecurity.
Note: Level-5 classified protection targets are important supervision and management targets with a special management mode and special security evaluation requirements, so they are not described in this standard.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, the latest version (including all amendments) applies.
GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 25069 Information security technology - Glossary
GB/T 25070-2019 Information security technology - Technical requirements of security design for classified protection of cybersecurity
GB/T 28449-2018 Information security technology - Testing-evaluation process guide for classified protection of cybersecurity
GB/T 31167-2014 Information security technology - Security guide of cloud
corresponds to the requirement item (testing-evaluation index) included under the security control point. The testing-evaluation of each requirement item may use all three testing-evaluation methods (interview, examine, test), or only one or two of them. The testing-evaluation implementation content fully covers the testing-evaluation requirements of all requirement items in GB/T 22239-2019 and GB/T 25070-2019. When using this standard, the user shall, from the single-item testing-evaluation implementation, select the testing-evaluation requirements of each requirement item in GB/T 22239-2019, and follow those testing-evaluation requirements to develop testing-evaluation guidance, so as to standardize and guide testing-evaluation activities for classified cybersecurity protection.
Based on the survey results, the business processes and data flows of the classified protection target are analyzed to determine the scope of the testing-evaluation work. Combined with the security level of the classified protection target, the functions and characteristics of each device and component in the system are analyzed comprehensively; the testing-evaluation targets at the technical level are determined from the importance, security, sharing, comprehensiveness and appropriateness of the components constituting the classified protection target; and the related personnel and management documents are determined as the testing-evaluation targets at the management level. Testing-evaluation targets can be described by category, including computer rooms, business application software, host operating systems, database management systems, network interconnection devices, security devices, personnel to be interviewed and security management documents.
Testing-evaluation activities for classified cybersecurity protection involve testing-evaluation intensity, which comprises testing-evaluation breadth (coverage) and testing-evaluation depth (intensity). When implementing testing-evaluation for a higher security protection level, wider coverage of testing-evaluation targets and stronger testing-evaluation methods shall be chosen, so as to obtain more credible testing-evaluation evidence. For a detailed description of the testing-evalua...