GB/T 25058-2010 English PDF (GBT25058-2010)

GB/T 25058-2010: Information security technology -- Implementation guide for classified protection of information system

This Standard stipulates the implementation process of classified protection of information system security. It is applicable to the guidance for the implementation of classified protection of information system security.
GB/T 25058-2010
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information Security Technology - Implementation
Guide for Classified Protection of Information System
ISSUED ON: SEPTEMBER 2, 2010
IMPLEMENTED ON: FEBRUARY 1, 2011
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword ... 4
Introduction ... 5
1 Scope ... 7
2 Normative References ... 7
3 Terms and Definitions ... 7
4 An Overview of Classified Protection Implementation ... 8
4.1 Fundamental Principle ... 8
4.2 Roles and Responsibilities ... 8
4.3 Basic Flow of Implementation ... 10
5 Classification of Information System ... 11
5.1 Workflow of Classification of Information System ... 11
5.2 Information System Analysis ... 12
5.3 Determination of Classified Security Protection ... 15
6 Overall Security Planning ... 17
6.1 Workflow of Overall Security Planning Stage ... 17
6.2 Analysis of Security Demands ... 18
6.3 Overall Security Design ... 22
6.4 Security Construction Project Planning ... 27
7 Security Design and Implementation ... 30
7.1 Workflow of Security Design and Implementation Stage ... 30
7.2 Detailed Design of Security Plan ... 30
7.3 Management Measure Implementation ... 33
7.4 Implementation of Technical Measures ... 37
8 Security Operation and Maintenance ... 42
8.1 Workflow of Security Operation and Maintenance Stage ... 42
8.2 Operation Management and Control ... 45
8.3 Alteration Management and Control ... 46
8.4 Security Status Monitoring ... 48
8.5 Security Incident Handling and Contingency Plan ... 50
8.6 Security Inspection and Continuous Improvement ... 52
8.7 Classification Evaluation ... 55
8.8 System Filing ... 55
8.9 Supervision and Inspection ... 56
9 Termination of Information System ... 57
9.1 Work Flow of Information System Termination Stage ... 57
9.2 Information Transfer, Temporary Storage and Erasing ... 57
9.3 Equipment Transfer or Abandonment ... 58
9.4 Erasing or Destruction of Storage Medium ... 59
Appendix A (normative) Main Process and Activity Output ... 61
Information Security Technology - Implementation
Guide for Classified Protection of Information System
1 Scope
This Standard stipulates the implementation process of classified protection of information system security. It is applicable to the guidance for the implementation of classified protection of information system security.
2 Normative References
Through reference in this Standard, the clauses of the following documents become clauses of this Standard. For dated references, subsequent amendments (excluding corrigenda) or revisions do not apply to this Standard; however, parties that reach agreements in accordance with this Standard are encouraged to adopt the latest versions of these documents. For undated references, the latest version applies to this Standard.
GB/T 5271.8 Information Technology - Vocabulary - Part 8: Security
GB 17859-1999 Classified Criteria for Security Protection of Computer Information System
GB/T 22240-2008 Information Security Technology - Classification Guide for Classified Protection of Information System Security
3 Terms and Definitions
Terms and definitions in GB/T 5271.8 and GB 17859-1999, and the following terms and definitions are applicable to this Standard.
3.1 Classified Security Testing and Evaluation
Classified security testing and evaluation refers to the process of determining whether the capability of information system security protection reaches the fundamental requirements of corresponding level.
a) National administration department:
Public security organ is responsible for the supervision, inspection and guidance of classified protection of information security. National secrecy administrative department is responsible for the supervision, inspection and guidance of relevant confidentiality work in classified protection. National cipher administrative department is responsible for the supervision, inspection and guidance of relevant cipher work in classified protection. Matters that involve the jurisdictional limits of other functional departments shall be under the administration of relevant functional departments in accordance with the stipulations in national laws and regulations. The State Council's Informatization Office and the administrative body of local informatization leading groups are responsible for the coordination among departments on classified protection work.
b) Information system's competent department
Information system's competent department is responsible for the supervision, inspection and guidance of information system operation and application organizations in classified information security protection work in the industry, the department, or the locality, in accordance with the national management specifications and technical standards on classified protection of information security.
c) Operation and application organization of information system
Operation and application organization of information system is responsible for the determination of the level of classified protection of information system in accordance with national management specifications and technical standards on classified protection of information security. When there is a competent department, the determination shall be submitted to the competent department for verification and approval. In accordance with the previously determined security protection level, go through filing formalities in a public security organ. In accordance with the national management specifications and technical standards on classified protection of information security, plan and design classified protection of information system security. Utilize information technology products and information security products that comply with relevant national stipulations and satisfy the demands of classified protection of information system; implement the construction or re-construction work of information system security. Formulate and implement various security management systems, conduct regular self-inspection of the security status of information system, and the implementation of security protection systems and measures; select level evaluation institutions that comply with relevant national stipulations; conduct regular level evaluation. Formulate response and treatment plans to different levels of information security events; implement emergency response to information security events of the information system
a) Identify essential information of information system
Investigate and understand the industrial characteristics, competent organization, business scope, geographic location and basic condition of information system; obtain the background information and contact mode of information system.
b) Identify management framework of information system
Understand the organizational management structure, management strategy and department setting of information system, and each department's role and responsibilities in business operation. Obtain information on the management characteristics and management framework that support the business operation of information system. Thus, clarify the main body of security responsibility of information system.
c) Identify network and equipment deployment of information system
Understand the physical environment and network topology of information system, and deployment of hardware equipment. On this basis, clarify the boundaries of information system. In other words, determine the target of classification and its scope.
d) Identify business types and characteristics of information system
Understand the type and quantity of business that mainly relies on information system in the institution. Respectively understand the social attribute, business content and business flow of the business. Clarify business characteristics of information system that supports the institution's business operation. Consider an information system whose business application bearing is relatively single, or whose business application bearing is relatively independent, as an independent target of classification.
e) Identify information assets processed by business system
Understand the type of information assets processed by business system; understand the degree of importance of these information assets in confidentiality, integrity and availability, etc.
f) Identify the scope and the type of users
In accordance with the distribution scope of users or user groups, understand the scope of services and the functions of business system, and the requirements of business continuity, etc.
g) Description of information system
Organize and analyze the gathered information; form overall descriptive file of
b) Division of information system
In accordance with the selected principle of system division, divide the large-scale information system that an institutional framework possesses. Divide it into relatively independent information systems and consider them as the target of classification. It shall be guaranteed that each relatively independent information system possesses the basic characteristics of the classification target. During the process of information system division, elements of organizational management shall be considered first; then, business type and physical domain shall be considered.
c) Detailed description of information system
After dividing information system and determining the target of classification, on the basis of overall descriptive file of information system, further increase description of information system division information; accurately describe the number of classification targets included in a large-scale information system. The further detailed descriptive file of information system shall include the following content:
1) A list of relatively independent information systems;
2) An overview of each classification target;
3) Boundary of each classification target;
4) Equipment deployment of each classification target;
5) Business application supported by each classification target and the type of information assets that it processes;
6) The scope of services and the type of users of each classification target;
7) Other content.
Activity output: detailed descriptive file of information system
5.3 Determination of Classified Security Protection
5.3.1 Classification, verification and approval
Activity objective:
The objective of this activity is to determine classified security protection of information system in accordance with relevant national management specifications and GB/T 22240-2008; verify and approve the result of classification; guarantee the accuracy of the classification result.
Organize the overall descriptive file of information system, the detailed descriptive file of information system and the determination result of the level of classified protection of information system security; form documented reports on the result of information system classification.
The report of information system classification result may include the following content:
a) An overview of the current situation of informatization in the organization;
b) Management mode;
c) A list of information systems;
d) An overview of each information system;
e) Boundary of each information system;
f) Equipment deployment of each information system;
g) Business application supported by each information system;
h) A combination of a list of information systems, level of classified security protection and protection requirements;
i) Other content.
Activity output: information system security protection classification report.
6 Overall Security Planning
6.1 Workflow of Overall Security Planning Stage
In the stage of overall security planning, the objective is, based on the division of information system, the classification of information system and the business undertaken by information system, and through the analysis and clarification of the security demands of information system, to design reasonable overall security plans that satisfy the requirements of classified protection and to formulate security implementation plans, so as to guide the subsequent implementation of information system security construction. For an information system that is already in operation, the demand analysis shall first analyze and judge the gap between the current situation of security protection and the requirements of classified security protection.
Please refer to Figure 3 for the workflow of the overall security planning stage.
Activity input: information system detailed descriptive file; information system security protection classification report; other relevant files of information system; basic requirements of information system classified security protection.
Activity description:
This activity mainly includes the following sub-activity content:
a) Determine the scope of system and the target of analysis
Clarify the scope and the boundary of different levels of information system. Through survey and inquiry of documents, understand the composition of information system, including network topology, business application, business flow, equipment information and status of security measures. Preliminarily determine the analysis target of each level of information system. The target shall include overall targets, such as computer room, office environment and network; it shall also include specific targets, such as boundary equipment, gateway equipment, server equipment, workstations and application systems, etc.
b) Form evaluation indicators and plans
In accordance with the level of security protection of each information system, select indicators of a corresponding level from the basic requirements of information system classified security protection; form evaluation indicators. In accordance with the evaluation indicators, combine the determined specific target, formulate feasible evaluation plans. The evaluation plans may include the following content:
1) Table of management status evaluation;
2) Table of network status evaluation;
3) Table of network equipment (including security equipment) evaluation;
4) Table of host computer equipment evaluation;
5) Security testing plan of main equipment;
6) Operation instruction of main operations.
c) Comparison of current situation and evaluation indicators
Through the modes of field observation, personnel inquiry, document inquiry, record examination, allocation examination, technical test and penetration attack, conduct evaluation of security technology and security management. Judge the degree of consistency between the various aspects of security technology and security management, and the evaluation indicators; reach a
d) Comprehensive risk analysis
Analyze the possible consequences of the threats and the weaknesses; the possibility or probability of these consequences; the degree of damage or impact caused by these consequences; the possibility, necessity and economic efficiency of avoiding the above-mentioned consequences. In accordance with the sequence of important assets and the sequence of risks, determine the requirements of security protection.
Activity output: special protection demands of important assets.
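The two sub-activities above, c) comparing the current situation with the evaluation indicators and d) comprehensive risk analysis, can be carried through as a small worked model. The following is an added example and not text or code from GB/T 25058-2010; the indicator ids, findings, assets, threat probabilities, damage grades and the scoring formula (asset importance × probability × damage, and score per unit of avoidance cost as the "economic efficiency") are this example's own constructed assumptions, chosen to show how gaps and a ranked list of special protection demands fall out of the inputs the standard names.

```python
# Added example, not part of GB/T 25058-2010. Models sub-activity c) (gap between
# current situation and evaluation indicators) and d) (comprehensive risk analysis).
# Indicator ids, findings, assets, scores and weights are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Indicator:
    ident: str          # constructed indicator id, e.g. "T-NET-01"
    area: str           # "technology" or "management"
    description: str


@dataclass
class Finding:
    indicator: str      # id of the indicator that was assessed
    method: str         # field observation, document inquiry, technical test, ...
    conformance: float  # 0.0 = requirement absent, 1.0 = fully consistent
    weakness: str = ""  # description of the gap when conformance < 1.0


@dataclass
class RiskItem:
    asset: str
    asset_importance: int  # position in the sequence of important assets, 1..5
    threat: str
    weakness: str
    probability: float     # likelihood that the consequence occurs, 0..1
    damage: int            # degree of damage if it occurs, 1..5
    avoid_cost: int        # relative cost of avoiding the consequence, 1..5


def gap_analysis(indicators, findings):
    """Sub-activity c): every indicator the current situation does not fully
    satisfy, in indicator order. An indicator with no finding is a gap too."""
    by_id = {f.indicator: f for f in findings}
    gaps = []
    for ind in indicators:
        f = by_id.get(ind.ident)
        if f is None:
            gaps.append((ind.ident, ind.area, "not assessed"))
        elif f.conformance < 1.0:
            gaps.append((ind.ident, ind.area, f.weakness or "partially implemented"))
    return gaps


def consistency_by_area(indicators, findings):
    """Degree of consistency per area: mean conformance over the area's
    indicators, counting an unassessed indicator as 0.0."""
    by_id = {f.indicator: f for f in findings}
    totals = {}
    for ind in indicators:
        score = by_id[ind.ident].conformance if ind.ident in by_id else 0.0
        count, total = totals.get(ind.area, (0, 0.0))
        totals[ind.area] = (count + 1, total + score)
    return {area: round(total / count, 3) for area, (count, total) in totals.items()}


def risk_score(item):
    """Sub-activity d): expected damage, weighted by asset importance (assumed formula)."""
    return item.asset_importance * item.probability * item.damage


def rank_risks(items):
    """Order risks by score; ties follow the sequence of important assets."""
    return sorted(items, key=lambda r: (-risk_score(r), -r.asset_importance))


def protection_requirements(items, score_floor):
    """Turn ranked risks into special protection demands. A risk below the floor
    is accepted; otherwise the demand records the weakness to remove and the
    economic efficiency of doing so (score per unit of avoidance cost)."""
    demands = []
    for r in rank_risks(items):
        score = risk_score(r)
        if score < score_floor:
            continue
        demands.append({"asset": r.asset, "weakness": r.weakness,
                        "score": round(score, 2),
                        "efficiency": round(score / r.avoid_cost, 2)})
    return demands


# Constructed sample input: three indicators, two findings (one indicator never assessed).
INDICATORS = [
    Indicator("T-NET-01", "technology", "Access control at the network boundary"),
    Indicator("T-HOST-01", "technology", "Identity authentication on host equipment"),
    Indicator("M-ORG-01", "management", "Security management organization established"),
]
FINDINGS = [
    Finding("T-NET-01", "allocation examination", 1.0),
    Finding("T-HOST-01", "technical test", 0.5, "weak password policy on application server"),
]
RISKS = [
    RiskItem("customer database", 5, "unauthorized access", "weak password policy", 0.6, 5, 2),
    RiskItem("office workstation", 2, "malware infection", "no endpoint protection", 0.8, 2, 1),
    RiskItem("public web server", 4, "denial of service", "single network uplink", 0.3, 4, 4),
]

if __name__ == "__main__":
    for gap in gap_analysis(INDICATORS, FINDINGS):
        print("gap:", gap)
    print("consistency:", consistency_by_area(INDICATORS, FINDINGS))
    for demand in protection_requirements(RISKS, score_floor=4.0):
        print("demand:", demand)
```

On the sample data the unassessed management indicator shows up as a gap in its own right, which is the practical reason to keep the indicator list and the findings as separate inputs: an indicator that nobody checked must not silently count as satisfied. The score floor is a policy knob; the ranking itself does not depend on it.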
6.2.3 Formation of security demand analysis report
Activity objective:
The objective of this activity is to summarize the basic security demands and special security demands; form a security demand analysis report.
Participating roles: information system operation and application organization; information security service institution.
Activity input: information system detailed descriptive file; information system security protection classification report; basic security demands; special protection demands of important assets.
Activity description:
The main sub-activity of this activity is to complete the security demand analysis report.
In accordance with the basic security demands and special security protection demands, form a security demand analysis report.
The security demand analysis report may include the following content:
1) Information system description;
2) Security management status;
3) Security technology status;
4) Existing weaknesses and possible risks;
5) Security demand description.
Activity output: security demand analysis report.
information system.
Participating roles: information system operation and application organization; information security service institution.
Activity input: information system detailed descriptive file; information system security protection classification report; security demand analysis report; basic requirements of information system classified security protection.
Activity description:
This activity mainly includes the following sub-activity content:
a) Stipulate security protection Technical Measures of backbone network or metropolitan area network
In accordance with the institution's overall security strategy file, the basic requirements and security demands of classified protection, propose security protection strategies and security Technical Measures of backbone network or metropolitan area network. When security protection strategies and security Technical Measures of backbone network or metropolitan area network are proposed, the sharing of network lines and network equipment shall be considered. If different levels of sub-systems transmit data through the same line and equipment of backbone network or metropolitan area network, the security protection strategies and security Technical Measures of the line and equipment shall satisfy the basic requirements of classified protection of the highest level of sub-system.
b) Stipulate security Technical Measures of interconnection among sub-systems
In accordance with the institution's overall security strategy file, the basic requirements and security demands of classified protection, propose the requirements of information transmission protection and the specific security Technical Measures for trans-LAN interconnection among sub-systems, including strategies of same-level interconnection and strategies of different-level interconnection; propose the requirements of information transmission protection strategies and the specific security Technical Measures for intra-LAN interconnection among sub-systems, including strategies of same-level interconnection and strategies of different-level interconnection.
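Sub-activities a) and b) above contain two checks that are easy to get wrong on a large system: a shared backbone or metropolitan-area line must meet the basic requirements of the highest-level sub-system that transmits through it, and every sub-system interconnection must be placed in the right cell of intra-LAN/trans-LAN versus same-level/different-level so that the matching strategy applies. The following added example (not code from the standard) does both over a constructed topology; the sub-system names, levels, LAN names and line names are invented, and the "design_level" value it attaches to each interconnection (the higher of the two levels, by analogy with the shared-line rule) is this example's own assumption, not something the excerpt above states.

```python
# Added example, not part of GB/T 25058-2010. Applies the shared-line rule of
# sub-activity a) and the interconnection classification of sub-activity b) to a
# constructed topology. Names, levels and LANs are invented; "design_level" is
# an assumption of this example (higher of the two levels), not the standard's rule.
from dataclasses import dataclass


@dataclass(frozen=True)
class SubSystem:
    name: str
    level: int   # classified security protection level, 1..5
    lan: str     # LAN in which the sub-system is deployed


@dataclass(frozen=True)
class SharedLine:
    name: str        # backbone or metropolitan-area line / equipment
    carries: tuple   # names of the sub-systems whose data it transmits


def required_line_level(line, subsystems):
    """Highest level among the sub-systems that transmit through the line;
    the line's measures must satisfy that level's basic requirements."""
    levels = [s.level for s in subsystems if s.name in line.carries]
    if not levels:
        raise ValueError(f"{line.name}: no known sub-system transmits through it")
    return max(levels)


def line_levels(lines, subsystems):
    """Required level for every shared line, keyed by line name."""
    return {line.name: required_line_level(line, subsystems) for line in lines}


def classify_interconnection(a, b):
    """(scope, relation): intra-LAN or trans-LAN, same-level or different-level."""
    scope = "intra-LAN" if a.lan == b.lan else "trans-LAN"
    relation = "same-level" if a.level == b.level else "different-level"
    return scope, relation


def interconnection_plan(subsystems, links):
    """links: pairs of sub-system names that exchange data. Returns, per pair,
    its classification and the level the strategy is designed for (assumption:
    the higher of the two, by analogy with the shared-line rule)."""
    by_name = {s.name: s for s in subsystems}
    plan = {}
    for na, nb in links:
        a, b = by_name[na], by_name[nb]
        scope, relation = classify_interconnection(a, b)
        plan[(na, nb)] = {"scope": scope, "relation": relation,
                          "design_level": max(a.level, b.level)}
    return plan


# Constructed sample topology: two level-3 and two level-2 sub-systems on three LANs.
SUBSYSTEMS = [
    SubSystem("OA", 2, "HQ-LAN"),
    SubSystem("ERP", 3, "HQ-LAN"),
    SubSystem("Billing", 3, "Branch-LAN"),
    SubSystem("Portal", 2, "DMZ-LAN"),
]
SHARED_LINES = [
    SharedLine("MAN-1", ("OA", "ERP", "Billing")),   # mixed levels on one line
    SharedLine("MAN-2", ("Portal",)),
]
LINKS = [("OA", "ERP"), ("ERP", "Billing"), ("OA", "Portal")]

if __name__ == "__main__":
    print("shared line levels:", line_levels(SHARED_LINES, SUBSYSTEMS))
    for pair, info in interconnection_plan(SUBSYSTEMS, LINKS).items():
        print(pair, info)
```

The line MAN-1 carries a level-2 office system together with two level-3 systems, so its protection measures are planned at level 3 even though most of its traffic is level 2; a line referenced by no known sub-system is rejected rather than given a default level, because an unaccounted-for line is exactly the kind of gap the planning stage is meant to surface.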
c) Stipulate boundary protection Technical Measures of different levels of sub-systems
In accordance with the institution's overall security strategy file, the basic requirements and security demands of classified protection, propose security protection strategies and security Technical Measures of different levels of sub-system boundaries. When security protection strategies and security Technical file, adjust the previous management mode and management strategies. In other words, from an overall perspective, consider the formulation of uniform security management strategies for each level of information system; start from the actua...
