GB/T 22239-2019 English PDF (GBT22239-2019)
Regular price $485.00 USD

GB/T 22239-2019: Information security technology -- Baseline for classified protection of cybersecurity

This standard specifies the general security requirements and security extension requirements for objects under classified protection from level 1 to level 4 of the classified protection of cybersecurity.
GB/T 22239-2019
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 22239-2008
Information security technology -
Baseline for classified protection of cybersecurity
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: State Market Regulatory Administration;
Standardization Administration of PRC.
Table of Contents
Foreword ... 4
Introduction ... 6
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 8
4 Abbreviations ... 11
5 Overview of Classified protection of cybersecurity ... 12
5.1 Object under classified protection ... 12
5.2 Different classes of security protection ability ... 12
5.3 General security requirements and security extension requirements ... 13
6 Level 1 security requirements ... 14
6.1 General security requirements ... 14
6.2 Security extension requirements of cloud computing ... 20
6.3 Security extension requirements of mobile internet ... 22
6.4 Security extension requirements for IoT ... 22
6.5 Security extension requirements for industrial control systems ... 23
7 Level 2 security requirements ... 25
7.1 General security requirements ... 25
7.2 Extension requirements for cloud computing security ... 40
7.3 Extension requirements for mobile Internet security ... 43
7.4 Extension requirements for IoT security ... 45
7.5 Security extension requirements for industrial control systems ... 46
8 Level 3 security requirements ... 48
8.1 General security requirements ... 48
8.2 Extension requirements for cloud computing security ... 71
8.3 Extension requirements for mobile Internet security ... 76
8.4 Extension requirements for IoT security ... 78
8.5 Security extension requirements for industrial control systems ... 80
9 Level 4 security requirements ... 83
9.1 General security requirements ... 83
9.2 Extension requirements for cloud computing security ... 106
9.3 Extension requirements for mobile internet security ... 111
9.4 Extension requirements for IoT security ... 113
9.5 Extension requirements for security of industrial control systems ... 116
10 Level 5 security requirements ... 119
Appendix A (Normative) Selection and use of general security requirements and security extension requirements ... 120
Appendix B (Normative) Requirements on overall security protection ability of the object under classified protection ... 124
Appendix C (Normative) Security framework of classified protection and requirements for key technology use ... 126
Appendix D (Informative) Description of cloud computing application scenarios ... 129
Appendix E (Informative) Description of mobile internet application scenarios ... 130
Appendix F (Informative) Description of IoT application scenario ... 131
Appendix G (Informative) Description of application scenarios of industrial control systems ... 133
Appendix H (Informative) Descriptions on big data application scenarios ... 137
References ... 145
Information security technology -
Baseline for classified protection of cybersecurity
1 Scope
This standard specifies the general security requirements and security extension requirements for objects under classified protection from level 1 to level 4 of the classified protection of cybersecurity.
This standard applies to guiding the security construction and supervisory administration of non-secret-related objects under classified protection of each class.
Note: Level 5 objects under classified protection are extremely important supervision and management objects with special management modes and security requirements; they are therefore not described in this standard.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the edition with the indicated date applies to this document; for undated references, the latest edition (including all amendments) applies to this standard.
GB 17859 Classified criteria for security protection of computer information system
GB/T 22240 Information security technology - Classification guide for classified protection of information system security
GB/T 25069 Information security technology glossary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 31168-2014 Information security technology - Security ability requirements of cloud computing services
GB/T 32919-2016 Information security technology - Application guide to industrial control system security control
3.5
Cloud service customer
Participants who use cloud computing services to establish business relationships with cloud service providers.
[GB/T 31168-2014, definition 3.4]
3.6
Cloud computing platform / system
A collection of cloud computing infrastructure and service software provided by a cloud service provider.
3.7
Hypervisor
An intermediate software layer that runs between the underlying physical server and the operating system, allowing multiple operating systems and applications to share hardware.
3.8
Host machine
The physical server running the hypervisor.
3.9
Mobile communication
The process of using a wireless communication technology to connect a mobile device to a wired network.
3.10
Mobile device
Terminal devices used in mobile business, including general-purpose terminals and special-purpose terminal devices, such as smartphones, tablets and personal computers.
3.11
Wireless access device
A communication device that uses wireless communication technology to
WEP: Wired Equivalent Privacy
WPS: WiFi Protected Setup
5 Overview of Classified protection of cybersecurity
5.1 Object under classified protection
The object under classified protection refers to the object of the classified protection of cybersecurity. It usually refers to a system consisting of computers or other information terminals and related devices that collects, stores, transmits, exchanges and processes information in accordance with certain rules and procedures. It mainly includes basic information networks, cloud computing platforms / systems, big data applications / platforms / resources, Internet of Things (IoT), industrial control systems and systems using mobile internet technologies. Objects under classified protection are divided into five security protection levels, from low to high, according to their importance to national security, economic construction and social life, and to the degree of harm to national security, social order, public interests and the legitimate rights and interests of citizens, legal persons and other organizations once they are damaged.
See GB/T 22240 for the method of determining the security protection level of the protected object.
5.2 Different classes of security protection ability
The basic security protection abilities that different classes of protected objects shall possess are as follows:
Level 1 security protection ability: It shall be able to protect against damage to critical resources caused by malicious attacks from individuals, threat sources with few resources, general natural disasters and other threats of a comparable degree of harm. After being damaged, it may restore some functions.
Level 2 security protection ability: It shall be able to protect against damage to important resources caused by malicious attacks from small external organizations, threat sources with a small amount of resources, general natural disasters and other threats of a comparable degree of harm. It is able to discover important security vulnerabilities and handle security incidents, and to restore some functions within a period of time after being damaged.
Level 3 security protection ability: It shall be able to protect against damage to important resources caused by malicious attacks from externally organized groups, threat sources with richer resources, more severe natural disasters,
The application scenarios of cloud computing are as shown in Appendix D; the application scenarios of mobile Internet are as shown in Appendix E; the IoT application scenarios are as shown in Appendix F; the application scenarios of industrial control systems are as shown in Appendix G; the application scenarios of big data are as shown in Appendix H. For objects under classified protection that use other special technologies or are in special application scenarios, special security measures shall be taken as a supplement, on the basis of a security risk assessment.
6 Level 1 security requirements
6.1 General security requirements
6.1.1 Security physical environment
6.1.1.1 Physical access control
At the entrance and exit of the computer room, a dedicated person shall be on duty or an electronic access control system shall be installed, to control, identify and record entering personnel.
6.1.1.2 Protection against theft and vandalism
Devices or main components shall be fixed in place and marked with obvious signs that are not easy to remove.
6.1.1.3 Lightning protection
All kinds of cabinets, facilities and devices shall be safely grounded through the grounding system.
6.1.1.4 Fire prevention
The computer room shall be equipped with fire extinguishing equipment.
6.1.1.5 Waterproof and moisture-proof
Measures shall be taken to prevent rainwater from penetrating through the windows, roof and walls of the computer room.
6.1.1.6 Temperature and humidity control
Necessary temperature and humidity adjustment facilities shall be installed, so that temperature and humidity changes in the computer room stay within the range allowed for device operation.
This requirement includes:
a) It shall identify and authenticate the identity of the logged-in user. The identity is unique; the identity authentication information has complexity requirements and is replaced regularly;
b) It shall have the function of handling login failures; it shall be configured and enabled to end the session, limit the number of illegal logins and automatically log out when the login connection times out.
6.1.4.2 Access control
This requirement includes:
a) It shall assign accounts and permissions to logged-in users;
b) It shall rename or delete the default account; modify the default password of the default account;
c) It shall delete or deactivate the redundant and expired accounts in time, to avoid the existence of shared accounts.
6.1.4.3 Intrusion prevention
This requirement includes:
a) It shall follow the principle of minimum installation, to install only the required components and applications;
b) It shall close unnecessary system services, default shares and high-risk ports.
6.1.4.4 Prevention of malicious code
It shall install anti-malware software or configure software with corresponding functions; regularly upgrade and update the anti-malware code library.
6.1.4.5 Trusted authentication
It may, based on a trusted root, carry out trusted verification of the system boot program, system programs, etc. of the boundary device, and issue an alarm when damage to the trustworthiness of the device is detected.
6.1.4.6 Data integrity
It shall use the checking techniques to ensure integrity of important data during transmission.
6.1.4.7 Data backup and recovery
6.1.8 Security building management
6.1.8.1 Grading and filing
It shall state the security protection level of the protected object and the method and reason for grading in a written form.
6.1.8.2 Security scheme design
It shall select the basic security measures according to the security protection level; it shall supplement and adjust the security measures according to the results of the risk analysis.
6.1.8.3 Product procurement and use
It shall be ensured that the procurement and use of cyber security products comply with relevant national regulations.
6.1.8.4 Project implementation
It shall designate or authorize a special department or person to manage the project implementation process.
6.1.8.5 Testing and acceptance
It shall perform a security testing and acceptance.
6.1.8.6 System handover
This requirement includes:
a) It shall establish a handover checklist; the handed-over devices, software and documentation shall be counted against the handover checklist;
b) It shall train the technical personnel responsible for operation and maintenance accordingly.
6.1.8.7 Selection of service provider
This requirement includes:
a) It shall be ensured that the selection of service providers conforms to the relevant national regulations;
b) It shall sign a security-related agreement with the selected service provider, clearly stipulating the relevant responsibilities.
6.1.9 Security operation and maintenance management
a) It shall enhance all users' awareness of malicious code prevention; it shall perform malicious code inspection before external computers or storage devices are connected to the system;
b) It shall make provisions for the requirements of malicious code prevention, including the authorized use of anti-malware software, the upgrade of malicious code libraries and regular scanning for and removal of malicious code.
6.1.9.7 Management of backup and recovery
This requirement includes:
a) It shall identify the important business information, system data and software systems that need to be regularly backed up;
b) It shall specify the backup method, backup frequency, storage medium, storage period, etc. of backup information.
6.1.9.8 Handling of security incident
This requirement includes:
a) It shall report discovered security weaknesses and suspicious incidents to the security management department in a timely manner;
b) It shall clearly define the process of reporting and handling security incidents; specify the management responsibilities for on-site handling of security incidents, incident reporting and subsequent recovery.
6.2 Security extension requirements of cloud computing
6.2.1 Security physical environment
6.2.1.1 Infrastructure location
It shall be ensured that the cloud computing infrastructure is located in China.
6.2.2 Security communication network
6.2.2.1 Network architecture
This requirement includes:
a) It shall be ensured that the cloud computing platform does not carry business application systems of a higher security protection level than its own;
b) It shall achieve the isolation of the virtual networks of different cloud service customers.
6.3 Security extension requirements of mobile internet
6.3.1 Security physical environment
6.3.1.1 Physical location of wireless access point
It shall choose a reasonable location for the installation of wireless access device, to avoid excessive coverage and electromagnetic interference.
6.3.2 Security area border
6.3.2.1 Border protection
It shall be ensured that access and data flows across the boundary between the wired network and the wireless network pass through a wireless access security gateway device.
6.3.2.2 Access control
The wireless access device shall enable the access authentication function; the use of WEP for authentication is prohibited; where passwords are used, their length shall be not less than 8 characters.
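The three conditions of 6.3.2.2 (authentication enabled, WEP prohibited, passphrase of at least 8 characters) as an automated configuration check, added here as an example and not part of the standard. Key names follow hostapd.conf conventions (wpa, wpa_passphrase, wep_key0, wep_default_key, auth_algs); the two sample configurations are constructed.

```python
"""Audit a wireless access-point configuration against GB/T 22239-2019
clause 6.3.2.2 (Level 1, mobile internet extension, access control).

Key names are modelled on hostapd.conf; the configs below are constructed
samples, not captured from a real device.
"""
import re
from typing import Dict, List

MIN_PASSPHRASE_LEN = 8  # 6.3.2.2: "length is not less than 8 characters"
WEP_KEY_RE = re.compile(r"wep_key[0-3]|wep_default_key")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; skip blank lines and '#' comment lines."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_6_3_2_2(text: str) -> List[str]:
    """Return one finding per violated condition; an empty list means compliant."""
    conf = parse_conf(text)
    findings: List[str] = []
    # Condition 1: access authentication must be enabled. In hostapd, wpa=0
    # (or no wpa line at all) is an open network with no authentication.
    if conf.get("wpa", "0") == "0":
        findings.append("no access authentication (wpa=0 or unset)")
    # Condition 2: WEP is prohibited, whether as static keys or as
    # shared-key authentication (auth_algs bit value 2).
    wep_keys = sorted(k for k in conf if WEP_KEY_RE.fullmatch(k))
    if wep_keys:
        findings.append("WEP configured via " + ", ".join(wep_keys))
    try:
        if int(conf.get("auth_algs", "1")) & 2:
            findings.append("WEP shared-key authentication allowed (auth_algs bit 2)")
    except ValueError:
        findings.append("auth_algs is not an integer: " + conf["auth_algs"])
    # Condition 3: a password, where used, must have at least 8 characters.
    if "wpa_passphrase" in conf and len(conf["wpa_passphrase"]) < MIN_PASSPHRASE_LEN:
        findings.append(f"passphrase shorter than {MIN_PASSPHRASE_LEN} characters")
    return findings


# Constructed samples: a legacy WEP access point and a WPA2-PSK one.
WEAK_CONF = """
interface=wlan0
ssid=branch-office
auth_algs=3
wep_default_key=0
wep_key0=0102030405
"""

STRONG_CONF = """
interface=wlan0
ssid=branch-office
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("strong", STRONG_CONF)):
        print(name, check_6_3_2_2(conf) or ["compliant with 6.3.2.2"])
```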
6.3.3 Security computing environment
6.3.3.1 Mobile application control
It shall have the function of selecting the application software to install and run.
6.3.4 Security building management
6.3.4.1 Procurement of mobile application software
It shall be ensured that the application software installed and running on the mobile device comes from a reliable distribution channel or is signed with a reliable certificate.
6.4 Security extension requirements for IoT
6.4.1 Security physical environment
6.4.1.1 Physical protection of sensor node device
This requirement includes:
a) The physical environment of the sensor node device shall not cause physical damage to the sensor node device, such as squeezing and
divided into two regions; it shall take technical isolation means between the regions;
b) The interior of the industrial control system shall be divided into different security domains according to business characteristics; it shall take technical isolation methods between security domains.
6.5.3 Security area border
6.5.3.1 Access control
Access control devices shall be deployed between the industrial control system and other systems of the enterprise, and access control policies configured; general-purpose network services such as E-Mail, Web, Telnet, Rlogin and FTP shall be prohibited from crossing the area border.
6.5.3.2 Wireless usage control
This requirement includes:
a) It shall provide all users (personnel, software processes or devices) involved in wireless communication with unique identification and authentication;
b) It shall restrict the authorization, monitoring, enforcement of wireless connections.
6.5.4 Security computing environment
6.5.4.1 Control device security
This requirement includes:
a) The control device itself shall implement security requirements such as identity authentication, access control and security auditing, as required by the general requirements of the corresponding security level. If the control device cannot meet the above requirements due to constraints, its superior control or management equipment shall achieve the equivalent function, or it shall be controlled by management means;
b) After sufficient testing and evaluation, patches and hardware of the control device shall be updated without affecting the safe and stable operation of the system.
7.1.1.6 Waterproof and moisture-proof
This requirement includes:
a) It shall take measures to prevent rainwater from penetrating through the windows, roof and walls of the computer room;
b) It shall take measures to prevent condensation of water vapor in the computer room and the transfer and penetration of underground water.
7.1.1.7 Anti-static
It shall use antistatic floor slab or floor; take the necessary grounded antistatic measures.
7.1.1.8 Temperature and humidity control
It shall provide temperature and humidity automatic adjustment facilities, so that the temperature and humidity changes in the computer room are within the allowable range of device operation.
7.1.1.9 Power supply
This requirement includes:
a) It shall configure the voltage stabilizers and overvoltage protection device along the power supply lines of the computer room;
b) It shall provide a short-term backup power supply, to at least meet the normal operating requirements of the devices in the event of a power outage.
7.1.1.10 Electromagnetic protection
Power lines and communication cables shall be laid separately to avoid mutual interference.
7.1.2 Security communication network
7.1.2.1 Network architecture
This requirement includes:
a) It shall divide the network into different areas; it shall allocate addresses to each network area in accordance with the principles of convenient management and control;
b) It shall avoid deploying important network areas at the borders; it
It shall detect and remove the malicious code at key network nodes; maintain the upgrade and update of malicious code protection mechanisms.
7.1.3.5 Security au...