
GB/T 22240-2020 English PDF (GBT22240-2020)

Price: $195.00 USD

GB/T 22240-2020: Information security technology -- Classification guide for classified protection of cybersecurity

This standard gives a method and procedure for rating the security protection level of classified protection objects that do not involve state secrets. It is applicable in guiding network operators in the rating of classified protection objects that do not involve state secrets.
GB/T 22240-2020
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 22240-2008
Information security technology - Classification guide for classified protection of cybersecurity
ISSUED ON: APRIL 28, 2020
IMPLEMENTED ON: NOVEMBER 01, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of PRC.
Table of Contents
Foreword ... 3
Introduction ... 4
1 Scope ... 5
2 Normative references ... 5
3 Terms and definitions ... 5
4 Rating principle and process ... 7
4.1 Security protection level ... 7
4.2 Rating elements ... 8
4.3 Relationship between rating elements and security protection level ... 9
4.4 Rating process ... 9
5 Determine the rating object ... 10
5.1 Information system ... 10
5.2 Network infrastructure ... 12
5.3 Data resources ... 12
6 Preliminary determination of the level ... 12
6.1 Overview of rating methods ... 12
6.2 Determine the infringed object ... 14
6.3 Determine the degree of infringement on the object ... 15
6.4 Preliminary determining level ... 17
7 Determine the security protection level ... 17
8 Change of level ... 18
References ... 19
Information security technology - Classification guide for classified protection of cybersecurity
1 Scope
This standard gives a method and procedure for rating the security protection level of classified protection objects that do not involve state secrets. It is applicable in guiding network operators in the rating of classified protection objects that do not involve state secrets.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the edition cited applies to this document; for undated references, the latest edition (including all amendments) applies.
GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 25069 Information security technology - Glossary
GB/T 29246-2017 Information technology - Security techniques - Information security management systems - Overview and vocabulary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 32919-2016 Information security - Industrial control systems - Guidelines for the application of security controls
GB/T 35295-2017 Information technology - Big data - Terminology
3 Terms and definitions
The terms and definitions as defined in GB 17859-1999, GB/T 22239-2019, GB/T 25069, GB/T 29246-2017, GB/T 31167-2014, GB/T 32919-2016, GB/T
serious damage or particularly serious damage to the legitimate rights and interests of the relevant citizens, legal persons and other organizations, or cause harm to social order and public interests, but does not endanger national security;
c) Level 3: After the classified protection object is damaged, it will cause serious damage to social order and public interests, or endanger national security;
d) Level 4: After the classified protection object is damaged, it will cause particularly serious damage to social order and public interests, or seriously endanger national security;
e) Level 5: After the classified protection object is damaged, it will cause particularly serious damage to national security.
4.2 Rating elements
4.2.1 Overview of rating elements
The rating elements of the classified protection objects include:
a) Infringed objects;
b) The degree of infringement on the object.
4.2.2 Infringed objects
The infringed objects when the classified protection object is damaged include the following three aspects:
a) The legitimate rights and interests of citizens, legal persons and other organizations;
b) Social order and public interest;
c) National security.
4.2.3 Degree of infringement on the object
The degree of infringement on the object is determined comprehensively from the different external manifestations of the objective aspect. Since infringement on the object is achieved by damaging the classified protection object, the external manifestation of the infringement is the damage to the classified protection object, which is described by the method of infringement, the consequences of the infringement and the degree of infringement.
Note 1: The main subjects of security responsibility include but are not limited to legal persons such as enterprises, agencies and public institutions, as well as other social organizations and other organizations that do not have legal person qualifications.
Note 2: Avoid using a single system component, such as a server, terminal or network device, as a rating object.
When determining the rating objects, cloud computing platforms/systems, Internet of Things, industrial control systems and systems using mobile internet technology shall, in addition to meeting the above basic characteristics, follow the relevant requirements of 5.1.2, 5.1.3, 5.1.4 and 5.1.5 respectively.
5.1.2 Cloud computing platform/system
In a cloud computing environment, the classified protection objects on the cloud service client side and the cloud computing platform/system on the cloud service provider side shall be rated as separate rating objects; the cloud computing platform/system is further divided into different rating objects according to the service model.
For large-scale cloud computing platforms, the cloud computing infrastructure and the related auxiliary service systems should be divided into different rating objects.
5.1.3 Internet of Things
The Internet of Things mainly includes characteristic elements such as perception, network transmission and processing applications. The above elements shall be rated as a whole object; each element is not rated individually.
5.1.4 Industrial control system
The industrial control system mainly includes characteristic elements such as field acquisition/execution, field control, process control and production management. Among them, the field acquisition/execution, field control and process control elements shall be rated as a whole object and are not rated separately; the production management element should be rated separately.
For large industrial control systems, they can be divided into multiple rating objects based on factors such as system functions, responsible subjects, control objects, manufacturers.
5.1.5 System using mobile internet technology
The system adopting mobile internet technology mainly includes mobile terminals, mobile applications, wireless networks and other characteristic
6.2 Determine the infringed object
The infringed objects when the rating object is damaged include national security, social order, public interest, as well as the legitimate rights and interests of citizens, legal persons and other organizations.
Matters that infringe national security include the following:
- Affect the stability of state power and territorial sovereignty, as well as the integrity of marine rights and interests;
- Affect national unity, ethnic unity and social stability;
- Affect the national socialist market economic order and cultural strength;
- Other matters affecting national security.
Matters infringing the social order include the following:
- Affect the production order, operation order, teaching and scientific research order, medical and health order of state organs, enterprises, institutions, social organizations;
- Affect the order of activities and public transportation in public places;
- Affect the daily life order of the people;
- Other matters affecting social order.
Matters infringing public interests include the following:
- Affect the use of public facilities by members of society;
- Affect the acquisition of public data resources by members of society;
- Affect the reception of public services by members of society, and so on;
- Other matters affecting the public interest.
Infringement on the legitimate rights and interests of citizens, legal persons and other organizations refers to damage to the social rights and interests enjoyed by citizens, legal persons and other organizations and protected by law.
When determining the infringed object, first determine whether national security is infringed, then determine whether social order or the public interest is infringed, and finally determine whether the legitimate rights and interests of citizens, legal persons and other organizations are infringed.
When judging the degree of infringement on different infringed objects, refer to the following different criteria:
- If the infringed object is the legitimate rights and interests of a citizen, legal person or other organization, the overall interests of that person or organization shall be used as the basis for judging the degree of infringement;
- If the infringed object is social order, public interest, or national security, the overall interest of the entire industry or country is used as the basis for judging the degree of infringement.
The three degrees of infringement, distinguished by the consequences of the infringement, are described as follows:
- General damage: work functions are partially affected; business capability is reduced but the execution of main functions is not affected; minor legal problems arise; property losses are low; adverse social effects are limited; damage to other organizations and individuals is low;
- Serious damage: work functions are severely affected; business capability is significantly reduced and the execution of main functions is seriously affected; more serious legal problems arise; property losses are higher; adverse social effects are wider in scope; damage to other organizations and individuals is higher;
- Particularly serious damage: work functions are particularly severely affected or lost entirely; business capability is severely reduced or functions cannot be performed; extremely serious legal problems arise; property losses are extremely high; adverse social effects are widespread; damage to other organizations and individuals is very high.
The degree of infringement on the object is obtained by a comprehensive evaluation of the degrees of infringement across the different infringement consequences. Because the types of information handled and the characteristics of the system services provided by the rating objects of different industries differ, the infringement consequences and degrees of infringement that are emphasized when business information security and system service security are damaged may differ, and so may the method of calculating them. Each industry may therefore, based on the characteristics of its own business information and system services, establish its own comprehensive evaluation method for the degree of infringement and give specific definitions of general damage, serious damage and particularly serious damage.