GB/T 25058-2019: Information security technology -- Implementation guide for classified protection of cybersecurity

This Standard stipulates the process that classified protection object implements cybersecurity protection work. This Standard is applicable to the guidance of the implementation of cybersecurity classified protection work.
GB/T 25058-2019
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 25058-2010
Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 1, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
1 Scope
2 Normative References
3 Terms and Definitions
4 Overview of Implementation of Classified Protection
4.1 Fundamental Principles
4.2 Roles and Responsibilities
4.3 Basic Procedure of Implementation
5 Rating and Filing of Classified Protection Object
5.1 Workflow of Rating and Filing Stage
5.2 Industry / Domain Rating Work
5.3 Analysis of Classified Protection Object
5.3.1 Analysis of object importance
5.3.2 Determination of rating object
5.4 Determination of Security Protection Level
5.4.1 Rating, review and approval
5.4.2 Form rating report
5.5 Filing of Rating Result
6 Overall Security Planning
6.1 Workflow of Overall Security Planning Stage
6.2 Analysis of Security Demands
6.2.1 Determination of basic security demands
6.2.2 Determination of special security demands
6.2.3 Form security demand analysis report
6.3 Overall Security Design
6.3.1 Overall security policy design
6.3.2 Security technology architecture design
6.3.3 Overall security management architecture design
6.3.4 Documentation of design result
6.4 Security Construction Project Planning
6.4.1 Determination of security construction objective
6.4.2 Security construction content planning
6.4.3 Form security construction project planning
7 Security Design and Implementation
7.1 Workflow of Security Design and Implementation Stage
7.2 Detailed Design of Security Scheme
7.2.1 Design of technological measure implementation content
7.2.2 Design of management measure implementation content
7.2.3 Documentation of design result
7.3 Implementation of Technological Measures
7.3.1 Procurement of cybersecurity products or services
7.3.2 Development of security control
7.3.3 Security control integration
7.3.4 Acceptance inspection of system
7.4 Implementation of Management Measures
7.4.1 Construction and revision of security management system
7.4.2 Security management institution and personnel setting
7.4.3 Security implementation process management
8 Security Operation and Maintenance
8.1 Workflow of Security Operation and Maintenance Stage
8.2 Operation Management and Control
8.2.1 Determination of operation management responsibilities
8.2.2 Operation management process control
8.3 Alteration Management and Control
8.3.1 Alteration demand and influence analysis
8.3.2 Alteration process control
8.4 Security Status Monitoring
8.4.1 Determination of monitoring objects
8.4.2 Collection of monitoring object status information
8.4.3 Monitoring status analysis and report
8.5 Security Self-inspection and Continuous Improvement
8.5.1 Self-inspection of security status
8.5.2 Formulation of improvement scheme
8.5.3 Implementation of security improvement
8.6 Management and Monitoring of Service Provider
8.6.1 Selection of service provider
8.6.2 Management of service provider
8.6.3 Monitoring of service provider
8.7 Level Evaluation
8.8 Supervision and Inspection
8.9 Emergency Response and Guarantee
8.9.1 Emergency preparation
8.9.2 Emergency monitoring and response
8.9.3 Post-mortem evaluation and improvement
8.9.4 Emergency guarantee
9 Termination of Rating Objects
9.1 Workflow of Rating Object Termination Stage
9.2 Information Transfer, Temporary Storage and Removal
9.3 Equipment Migration or Abolishment
9.4 Removal or Destruction of Storage Media
Appendix A (normative) Main Processes and the Activities, Input and Output
Information Security Technology - Implementation Guide for Classified Protection of Cybersecurity
1 Scope
This Standard stipulates the process that classified protection object implements cybersecurity protection work.
This Standard is applicable to the guidance of the implementation of cybersecurity classified protection work.
2 Normative References
The following documents are indispensable to the application of this document. In terms of references with a specified date, only versions with a specified date are applicable to this document. In terms of references without a specified date, the latest version (including all the modifications) is applicable to this document.
GB 17859 Classified Criteria for Security Protection of Computer Information System
GB/T 22239 Information Security Technology - Baseline for Classified Protection of Cybersecurity
GB/T 22240 Information Security Technology - Classification Guide for Classified Protection of Information System Security
GB/T 25069 Information Security Technology - Glossary
GB/T 28448 Information Security Technology - Evaluation Requirement for Classified Protection of Cybersecurity
3 Terms and Definitions
Terms and definitions defined in GB 17859, GB/T 22239, GB/T 25069 and GB/T 28448 are applicable to this document.
4 Overview of Implementation of Classified Protection
4.1 Fundamental Principles
The core of classified security protection is to classify classified protection objects, and carry out construction, management and supervision in accordance with the standards.
protection, take charge of cybersecurity protection and supervision, management work within the scope of their respective duties.
b) Competent department
Competent department shall, in accordance with national management specifications and technological standards on classified cybersecurity protection, take charge of the supervision, inspection and guidance of classified cybersecurity protection work of the operating and using organizations of classified protection objects of the industry, the department or the locality.
c) Operating and using organization
Operating and using organization shall, in accordance with national management specifications and technological standards on classified cybersecurity protection, determine the security protection level of its classified protection objects. If there is a competent department, operating and using organization shall report to its competent department for review and approval. In accordance with the security protection level that is already determined, go through filing procedures at the public security. In accordance with national management specifications and technological standards on classified cybersecurity protection, conduct planning and design of security protection for the classified protection objects. Adopt information technology products and cybersecurity products that comply with relevant national regulations and classified protection objects' demands for classified security protection. Carry out security construction or re-construction work; formulate and implement various security management systems. Conduct regular self-inspection of the security status, and the implementation of security protection systems and measures of classified protection objects. Select level evaluation institutions that comply with relevant national regulations to conduct level evaluation. Formulate response and disposal schemes for cybersecurity incidents at different levels. Conduct emergency response to cybersecurity incidents at different levels.
d) Cybersecurity service institution
Cybersecurity service institution shall, in accordance with national management specifications and technological standards on classified cybersecurity protection, under the entrustment of the operating and using organization, assist the operating and using organization to complete classified protection-related work, including determination of the security protection level of the classified protection objects, analysis of security demands, overall planning of security, implementation of security construction and transformation, and provision of service supporting platforms, etc.
5.2 Industry / Domain Rating Work
Activity objective:
If necessary, industry / domain competent department may organize the sorting of main social functions / functions and roles of industry / domain; analyze the main operations and service scope, on which, the main social functions / functions are performed; finally, in accordance with the analyzed and sorted content, form overall descriptive documents of operations in the industry / domain.
Participating roles: competent department; cybersecurity service institution.
Activity input: industry introduction documents, GB/T 22240.
Activity description:
This activity mainly includes the following sub-activity content:
a) Identify, analyze the importance of industry / domain
The competent department may organize the sorting of industrial characteristics, scope of operations, main social functions / functions and production output of the industry / domain; analyze the important role that the main social functions / functions play in guaranteeing national security, economic development, social order and public services, etc.
b) Identify main operations of industry / domain
The competent department may organize the sorting of operations that mainly depend on informatization processing in the industry / domain; in accordance with the importance of the social functions / functions undertaken by the operations, other industries' dependency level, determine the main operations in the industry / domain.
c) Rating guidance
The competent department may organize the analysis of the main operations in the industry / domain; in accordance with the importance of operational information and services, analyze the security protection requirements of various main operations; combine the condition of the industry / domain, form industry / domain rating instructions for the main operations. The security protection level of classified protection object of inter-provincial or nationally unified network operation may be uniformly determined by the competent department.
d) Deployment of rating work
The competent department may formulate rating instructions for the industry object.
c) Identify the management framework of classified protection object
Understand the organizational management structure, management policy, department setting of classified protection object, and department's roles and position responsibilities in the operation; obtain information regarding management characteristics and management framework that support the operation of the classified protection object. Thus, the subject of security responsibility of the classified protection object can be clarified.
d) Identify the network and equipment deployment of classified protection object
Understand the physical environment, and the deployment of network topology and hardware equipment of classified protection object. On this basis, clarify the boundaries of classified protection object, which means the determination of the object and scope of classified protection.
e) Identify operational characteristics of classified protection object
Understand the various operations and operational processes that mainly depend on informatization processing in the organization, from which, clearly identify the operational characteristics of classified protection object that support the operation of the organization.
f) Identify information assets processed by classified protection object
Understand the type of information assets processed by classified protection object, and the importance of these information assets in confidentiality, integrity and availability, etc.
g) Identify the scope and type of users
In accordance with the distribution scope of users or user groups, understand the requirements of the service scope, roles and operational continuity of the classified protection object.
h) Describe classified protection object
Organize and analyze the collected information; form overall descriptive files of the classified protection object. The overall descriptive files of a typical classified protection object include the following content:
1) Overview of classified protection object;
2) Importance analysis of classified protection object;
3) Border description of classified protection object;
classified protection objects into relatively independent objects as the rating objects; ensure that each relatively independent object has the basic characteristics of rating object. During the classification of classified protection objects, firstly, consider elements of organizational management, then, consider factors like the type of operations and physical regions, etc. Objects that carry relatively single operational application or relatively independent operations shall be considered as independent rating objects. In terms of communication network facilities, such as: telecommunication network, radio and television transmission network, respectively classify them into different rating objects in accordance with security responsibility body, service type or service area. Exclusive communication networks of industries or organizations across provinces may be rated as a whole, or, be classified into several rating objects in accordance with the regions.
In the environment of cloud computing, classified protection object on the cloud service customer side, and cloud computing platform / system on the cloud service provider side shall respectively be considered as independent rating objects. Furthermore, in accordance with different service modes, cloud computing platform / system shall be classified into different rating objects. In terms of large-scale cloud computing platform, cloud computing infrastructure and relevant auxiliary service system should be classified into different rating objects.
The Internet of Things mainly includes characteristic elements like perception, network transmission and processing application. The above elements shall be rated as a whole, and the various elements shall not be individually rated. In terms of industrial control system, it generally includes characteristic elements like on-site acquisition / execution, on-site control, process control and production management. Specifically speaking, elements like on-site acquisition / execution, on-site control and process control shall be rated as a whole, and the various elements shall not be individually rated. The element of production management should be individually rated. In terms of large-scale industrial control system, multiple rating objects may be classified in accordance with system functions, responsibility body, control object and manufacturer, etc.
Classified protection objects that adopt mobile internet technology mainly include characteristic elements like mobile terminal, mobile application and wireless network, which may be rated as a whole, or, be rated together with associated operation systems, and the various elements shall not be individually rated.
c) Detailed description of rating objects
for industry / domain rating (if possible) and rating method, the operating and using organization shall determine the preliminary security protection level for each rating object.
b) Review of rating result
After preliminarily determining the security protection level, if necessary, the operating and using organization may organize cybersecurity experts and operation experts to review the reasonability of the preliminary rating result and issue experts' review comments.
c) Examination and approval of rating result
After preliminarily determining the security protection level, the operating and using organization shall (if there is an explicit competent department) report the preliminary rating result to the competent department or the higher competent department of the industry / domain for review and approval. The competent department or the higher competent department of the industry / domain shall reasonably review the preliminary rating result and issue review comments.
The operating and using organization shall regularly conduct self-inspection of changes in the level of the classified security objects and the rating of newly established systems; report to the competent department for review and approval in time.
Activity output: rating result; competent department's review comments.
5.4.2 Form rating report
Activity objective:
Organize documents generated during the rating process; form a report of rating result of classified protection object.
Participating roles: competent department; operating and using organization.
Activity input: detailed descriptive files of rating objects; rating result.
Activity description:
Organize the content: overall descriptive documents of classified protection objects, detailed descriptive files, rating result, etc.; form documented report of rating result. The report of rating result may include the following content:
a) Overview of current situation of organization informatization;
Activity description:
This activity mainly includes the following sub-activity content:
a) Determine the scope and analysis object of classified protection objects
Clarify the scope and border of classified protection objects at different levels. Through the mode of survey or information consulting, understand the operational application and operational procedure of classified protection objects.
b) Form basic security demands
In accordance with the security protection level of classified protection objects of different levels, select requirements of corresponding levels from GB/T 22239 and basic industrial requirements; form basic security demands. In terms of protection objects with an already established level, in accordance with the level evaluation result, analyze the rectification demands; form basic security demands.
Activity output: basic security demands.
6.2.2 Determination of special security demands
Activity objective:
Through the analysis of special protection demands of important assets, adopt the method of demand analysis or risk analysis, determine possible security risks; judge the necessity of implementing special security measures; put forward special security protection demands for classified protection objects.
Participating roles: operating and using organization; cybersecurity service institution.
Activity input: detailed descriptive files of classified protection objects; security protection level rating report; other relevant documents of classified protection objects.
Activity description:
The determination of special security demands may adopt c...