GB/T 25070-2019 English PDF (GBT25070-2019)

GB/T 25070-2019: Information security technology -- Technical requirements of security design for classified protection of cybersecurity

This standard specifies the technical requirements for the security design of the first to fourth-levels of classified protection of cybersecurity. This standard is applicable to the design and implementation of classified protection of cybersecurity and security technology solutions by operating and using organizations, network security enterprises, network security service agencies. It can also be used as the basis for cybersecurity functional departments to conduct supervision, inspection and guidance.
GB/T 25070-2019
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 25070-2010
Information security technology - Technical
requirements of security design for classified
protection of cybersecurity
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: State Administration for Market Regulation;
Standardization Administration of PRC.
Table of Contents
Foreword ... 4
Introduction ... 6
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 8
4 Abbreviations ... 11
5 Design overview of classified protection security technology of cybersecurity ... 12
5.1 Design framework of security technology of general classified protection ... 12
5.2 Design framework of security technology of classified protection for cloud computing ... 13
5.3 Design framework of security technology of classified protection for mobile interconnection ... 15
5.4 Design framework of security technology of classified protection for Internet of Things ... 17
5.5 Design framework of security technology of classified protection of industrial control ... 18
6 Design of the first-level system security protection environment ... 20
6.1 Design targets ... 20
6.2 Design strategy ... 21
6.3 Design technical requirements ... 21
7 Design of second-level system security protection environment ... 26
7.1 Design targets ... 26
7.2 Design strategy ... 26
7.3 Design technical requirements ... 27
8 Design of third-level system security protection environment ... 36
8.1 Design targets ... 36
8.2 Design strategy ... 36
8.3 Design technical requirements ... 37
9 Design of fourth-level system security protection environment ... 53
9.1 Design targets ... 53
9.2 Design strategy ... 53
9.3 Design technical requirements ... 54
10 Design of fifth-level system security protection environment ... 72
11 Interconnection design of classified system ... 72
11.1 Design targets ... 72
11.2 Design strategy ... 72
11.3 Design technical requirements ... 72
Appendix A (Informative) Design of access control mechanism ... 75
Appendix B (Informative) Design example of third-level system security
protection environment ... 78
Appendix C (Informative) Technical requirements for big data design ... 85
References ... 90
Information security technology - Technical
requirements of security design for classified
protection of cybersecurity
1 Scope
This standard specifies the technical requirements for the security design of the first to fourth-levels of classified protection of cybersecurity.
This standard is applicable to the design and implementation of classified protection of cybersecurity and security technology solutions by operating and using organizations, network security enterprises, network security service agencies. It can also be used as the basis for cybersecurity functional departments to conduct supervision, inspection and guidance.
Note: The fifth-level classified protection object is a very important supervision and management object. It has special management modes and security design technical requirements, so it is not described in this standard.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, the latest version (including all amendments) applies to this standard.
GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 22240-2008 Information security technology - Classification guide for classified protection of information systems security
GB/T 25069-2010 Information security technology - Glossary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 31168-2014 Information security technology - Security capability requirements of cloud computing services
GB/T 32919-2016 Information security - Industrial control systems -
network layer and the application layer, etc.
c) Security communication network
Include the relevant components of the Internet of Things system's security computing environment and security area for information transmission and implementation of security policies, such as the communication network at the network layer and the communication network between the internal security computing environment at the sensor layer and the application layer.
d) Security management center
Include a platform for the unified management of security policies and security mechanisms on the security computing environments, security area boundaries and security communication networks of Internet of Things systems. It includes three parts: system management, security management, audit management. Only the second-level and above security protection environment is designed with a security management center.
5.5 Design framework of security technology of classified
protection of industrial control
The industrial control system is zoned based on the business nature of the object being protected, and the classified protection design is implemented according to the technical characteristics of each functional level; the design framework of security technology of classified protection of the industrial control system is shown in Figure 5. The security technology design of classified protection of the industrial control system builds a triple protection system of computing environment, area boundary and communication network which, supported by the security management center, adopts a layered and partitioned architecture. The design takes into account the characteristics of industrial control systems: complex and diverse bus protocols, strong real-time requirements, limited node computing resources, high device reliability requirements, short fault recovery time, and security mechanisms that must not affect real-time performance, so as to realize reliable, controllable and manageable system security interconnection, area boundary security protection and computing environment security.
The industrial control system is divided into 4 layers; layers 0 ~ 3 are the scope of the industrial control system's classified protection and the area covered by the design framework. The security zones of the industrial control system are divided horizontally; according to the importance of the business in the industrial control system, its timeliness, business relevance, degree of impact on field controlled devices, functional scope, asset attributes, etc., zones are formed so that system users have the ability to protect the objects that belong to them.
6.2 Design strategy
The design strategy of the first-level system security protection environment is to follow the relevant requirements in 4.1 of GB 17859-1999: based on identity authentication, provide users and / or user groups with autonomous access control of files and database tables, so as to achieve isolation between the user and the data and thereby give the user the ability of autonomous security protection; provide area boundary protection by means of packet filtering; provide data and system integrity protection by means of data verification and prevention of malicious code.
The design of the first-level system security protection environment is realized through the design of the first-level security computing environment, the security area boundary, the security communication network. Computing nodes shall be based on trusted roots for trusted verification from startup to operating system startup.
6.3 Design technical requirements
6.3.1 Design technical requirements for security computing environment
6.3.1.1 Technical requirements for the design of general security
computing environment
This requirement includes:
a) Authentication of user identity
It shall support user identification and user authentication. When each user registers with the system, use the user name and user identifier to identify the user's identity; each time a user logs in to the system, use a password authentication mechanism to authenticate the user's identity and protect the password data.
b) Autonomous access control
Within the scope of security policy control, make the users / user groups have the corresponding access operation permissions on the objects they create; meanwhile allow them to grant some or all of these permissions to other users / user groups. The granularity of the access control subject is the user / user group level; the granularity of the object is the file or database table level. Access operations include creating, reading, writing, modifying, deleting objects.
b) Application control
It shall provide an application signature authentication mechanism, to refuse installation and execution of application software that has not been authenticated and signed.
6.3.1.4 Technical requirements for design of security computing
environment for Internet of Things systems
This requirement includes:
a) Authentication of sensor layer device
It shall use the conventional authentication mechanisms to identify the identity of the sensor device, to ensure that the data originates from the correct sensor device.
b) Access control of sensor layer device
It is necessary to implement access control on sensor devices by formulating security policies such as access control lists.
6.3.1.5 Technical requirements for design of security computing
environment for industrial control systems
This requirement includes:
a) Authentication of industrial control
Field control layer device and process monitoring layer device shall implement unique marking, authentication and certification, to ensure that the status of authentication and functional integrity can be verified and confirmed at any time. Programs and corresponding data sets running on control device and monitoring device shall be managed by unique identifier.
b) Access control of field device
It shall implement the role-based access control policies for users who pass the identity authentication. After receiving the operation command, the field device shall check whether the role bound to the user has the authority to perform the operation. The user with authority obtains the permission. If the user does not obtain the permission, it shall issue an alarm message to the upper layer.
c) Protection of control process integrity
It shall complete the specified tasks within the specified time; the data shall be processed in an authorized manner, to ensure that the data is not illegally
7.3 Design technical requirements
7.3.1 Technical requirements for design of security computing environment
7.3.1.1 Technical requirements for design of general security computing environment
This requirement includes:
a) Authentication of user identity
It shall support the user identification and user authentication. When each user registers with the system, use the user name and user identifier to identify the user, meanwhile ensure the uniqueness of the user identifier throughout the life cycle of the system; each time a user logs in to the system, use a controlled password or other mechanisms of corresponding security strength for authentication of user identity; use cryptographic technology for confidentiality and integrity protection of authentication data.
b) Autonomous access control
Within the scope of security policy control, users shall be allowed to access the objects they create, and some or all of these permissions can be granted to other users. The granularity of the access control subject is the user level; the granularity of the object is the file or database table level. Access operations include creating, reading, writing, modifying, deleting objects.
c) System security audit
It shall provide a security audit mechanism, to record system-related security events. The audit record includes the subject, object, time, type and result of the security incident. The mechanism shall provide audit record query, classification and storage protection, which can be managed by the security management center.
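The audit requirement above lists the fields every record must carry (subject, object, time, type, result) and asks for query, classification and storage protection. The following is an added example, not code from the standard or from any vendor product, of one way to meet those points in a single component; the hash-chain used for storage protection is this example's own design choice (the standard does not prescribe a mechanism), and all record contents are constructed sample data.

```python
"""Security audit record mechanism modelled on the requirement in 7.3.1.1 c).
Each record carries subject, object, time, type and result; records can be
queried and classified; storage protection is provided by a SHA-256 hash chain
(an assumption of this example, not a mechanism the standard specifies)."""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain anchor for the first record


@dataclass(frozen=True)
class AuditRecord:
    subject: str      # who acted: user or process identifier
    obj: str          # what was acted on: file, table, device
    time: str         # ISO-8601 timestamp supplied by the caller
    event_type: str   # e.g. "login", "access", "config"
    result: str       # "success" or "failure"
    prev_hash: str    # digest of the preceding record (chain link)
    digest: str       # SHA-256 over this record's fields plus prev_hash


def _fields(subject, obj, time, event_type, result) -> Dict[str, str]:
    return {"subject": subject, "obj": obj, "time": time,
            "event_type": event_type, "result": result}


def _digest(fields: Dict[str, str], prev_hash: str) -> str:
    payload = json.dumps({**fields, "prev_hash": prev_hash}, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def record(self, subject, obj, time, event_type, result) -> AuditRecord:
        """Append a record linked to the previous one."""
        fields = _fields(subject, obj, time, event_type, result)
        prev = self.records[-1].digest if self.records else GENESIS
        rec = AuditRecord(**fields, prev_hash=prev, digest=_digest(fields, prev))
        self.records.append(rec)
        return rec

    def query(self, subject=None, event_type=None, result=None) -> List[AuditRecord]:
        """Filter records; every argument left as None matches anything."""
        return [r for r in self.records
                if (subject is None or r.subject == subject)
                and (event_type is None or r.event_type == event_type)
                and (result is None or r.result == result)]

    def classify(self) -> Dict[str, List[AuditRecord]]:
        """Group records by event type, as the audit policy would classify them."""
        groups: Dict[str, List[AuditRecord]] = {}
        for r in self.records:
            groups.setdefault(r.event_type, []).append(r)
        return groups

    def verify(self) -> Optional[int]:
        """Return the index of the first record whose chain link or digest is
        inconsistent, or None if the stored log is intact."""
        prev = GENESIS
        for i, r in enumerate(self.records):
            fields = _fields(r.subject, r.obj, r.time, r.event_type, r.result)
            if r.prev_hash != prev or _digest(fields, prev) != r.digest:
                return i
            prev = r.digest
        return None


def build_sample_log() -> AuditLog:
    """Constructed sample events (not real data)."""
    log = AuditLog()
    log.record("alice", "system", "2019-12-01T08:00:00Z", "login", "success")
    log.record("alice", "db.customers", "2019-12-01T08:01:10Z", "access", "success")
    log.record("bob", "system", "2019-12-01T08:02:30Z", "login", "failure")
    log.record("alice", "/etc/app.conf", "2019-12-01T08:05:00Z", "config", "success")
    return log


def demo_tamper_detection():
    """Show that editing a stored record in place is detected: returns
    (verify result before, verify result after), i.e. (None, 2)."""
    log = build_sample_log()
    before = log.verify()
    log.records[2] = replace(log.records[2], result="success")  # simulated tampering
    after = log.verify()
    return before, after
```

In a deployment the chain head would be held by the security management center so that truncation of the log (deleting the newest records) is detectable too; the in-memory list here stands in for the protected store.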
d) Protection of user data integrity
It may use a conventional check mechanism, to check the integrity of the stored user data, to find out whether its integrity has been compromised.
e) Protection of user data confidentiality
It may use the confidentiality protection mechanisms supported by technologies such as passwords to protect the confidentiality of user data as stored and processed in a security computing environment.
It shall be able to detect the abnormal access of the virtual machine to the host's physical resources.
e) Data backup and recovery
It shall adopt redundant architecture or distributed architecture design; it shall support data multi-copy storage; it shall support common interfaces to ensure that cloud tenants can migrate business systems and data to other cloud computing platforms and local systems, to ensure portability.
f) Virtualization security
It shall achieve the security isolation of CPU, memory, storage space of virtual machines; it shall prohibit the direct access of virtual machines to the host's physical resources; it shall support the security isolation between virtualized networks of different cloud tenants.
g) Prevention of malicious code
Physical machines and host machines shall install a security-hardened operating system or perform host malicious code prevention; virtual machines shall install a security-hardened operating system or perform the host malicious code prevention; they shall support the ability to detect and protect Web application malicious code.
h) Mirror and snapshot security
It shall support images and snapshots, to provide integrity protection for virtual machine images and snapshot files; prevent unauthorized access to sensitive resources that may exist in virtual machine images and snapshots; provide security-hardened operating system images for important business systems or support self-hardening of the operating system images.
7.3.1.3 Technical requirements for design of security computing environment for mobile internet
This requirement includes:
a) Authentication of user identity
It shall use passwords, unlock patterns, and other mechanisms with appropriate security strengths for authentication of user identity.
b) Application control
It shall provide an application signature authentication, to refuse installation and execution of application software that has not been authenticated and
Field control layer device and process monitoring layer device shall implement unique marking, authentication and certification, to ensure that the status of authentication, certification and functional integrity can be verified and confirmed at any time. Programs and corresponding data sets running on control device and monitoring device shall be managed by unique identification.
b) Access control of field device
It shall implement the role-based access control policies for users who pass the identity authentication. After receiving the operation command, the field device shall check whether the role bound to the user has the authority to perform the operation. The user who has permission obtains the authorization. If the user does not obtain the authorization, it shall issue the alarm information to the upper layer.
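The field-device access control requirement appears twice above (under 6.3.1.5 b) and under the second-level requirements just before this point) with the same three steps: only authenticated users are considered, the role bound to the user is checked against the requested operation, and a refused command produces an alarm to the upper layer. The following added example, which is not code from the standard or from any controller vendor, implements those three steps for a simplified field controller; the role names, operations, users and role bindings are constructed for illustration.

```python
"""Role-based access control on a field device, modelled on the requirement
in 6.3.1.5 b) / 7.3.1.5 b): authenticate first, check the user's role against
the operation, execute if authorized, otherwise alarm the upper layer.
Roles, operations, users and bindings are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Role -> operations that role may perform on the device (constructed)
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer":   {"read_status"},
    "operator": {"read_status", "start", "stop"},
    "engineer": {"read_status", "start", "stop", "set_setpoint", "download_program"},
}

# User -> role binding (constructed)
USER_ROLE: Dict[str, str] = {"alice": "engineer", "bob": "operator", "carol": "viewer"}


@dataclass(frozen=True)
class Alarm:
    """Alarm message sent to the upper (process monitoring) layer."""
    user: str
    operation: str
    reason: str


@dataclass
class FieldDevice:
    authenticated: Set[str] = field(default_factory=set)
    upper_layer_alarms: List[Alarm] = field(default_factory=list)
    executed: List[Tuple[str, str]] = field(default_factory=list)

    def authenticate(self, user: str, credential_ok: bool) -> bool:
        """Record the user as authenticated when the credential check passed.
        The credential check itself is outside this example (credential_ok
        stands in for its result)."""
        if credential_ok:
            self.authenticated.add(user)
        return credential_ok

    def handle_command(self, user: str, operation: str) -> bool:
        """Return True if the operation was executed, False if it was refused
        (in which case an alarm has been raised to the upper layer)."""
        if user not in self.authenticated:
            self._alarm(user, operation, "user not authenticated")
            return False
        role = USER_ROLE.get(user)
        if role is None or operation not in ROLE_PERMISSIONS.get(role, set()):
            self._alarm(user, operation, f"role {role!r} lacks permission for {operation}")
            return False
        self.executed.append((user, operation))
        return True

    def _alarm(self, user: str, operation: str, reason: str) -> None:
        self.upper_layer_alarms.append(Alarm(user, operation, reason))


def run_scenario() -> FieldDevice:
    """Constructed sequence of commands against one device."""
    dev = FieldDevice()
    dev.authenticate("bob", True)
    dev.authenticate("carol", False)           # failed login: carol stays unauthenticated
    dev.handle_command("bob", "stop")          # operator may stop: executed
    dev.handle_command("bob", "download_program")  # operator may not: alarm
    dev.handle_command("carol", "read_status")     # not authenticated: alarm
    dev.handle_command("dave", "start")        # unknown user, never authenticated: alarm
    return dev
```

The permission check is done by the device on every command rather than once at login, which is what lets a role change or revocation take effect immediately and keeps the alarm path close to the decision that triggers it.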
c) Data confidentiality protection of field device
It may use the confidentiality protection mechanism supported by cryptographic technology or the physical protection mechanism, to protect the confidentiality of data, programs, configuration information, etc. which has confidentiality requirements as stored in field device layer devices and fieldbus devices connected to the field control layer.
d) Protection of control process integrity
It shall finish the specified tasks within the specified time; the data shall be processed in an authorized manner, to ensure that the data is not illegally tampered with, lost, or delayed, to ensure timely response and processing of incidents, to protect the system's synchronization mechanism and time correction mechanism, thereby maintaining the stability of the control cycle and the stability of the rolling cycle of fieldbus.
7.3.2 Technical requirements for design of security area boundary
7.3.2.1 Technical requirements for design of general security area boundary
This requirement includes:
a) Packet filtering of area boundary
It shall, according to the area boundary security control strategy, determine whether to allow the data packet to pass through the area boundary by checking the source address, destination address, transport layer protocol and requested service of the data packet.
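The packet-filtering requirement names exactly four match fields: source address, destination address, transport layer protocol and requested service. The following added example (not code from the standard or from any firewall product) evaluates an ordered rule set over those four fields with first-match semantics and an implicit final deny; the networks, ports and rules are constructed to illustrate one area boundary between two zones.

```python
"""Area-boundary packet filter modelled on 7.3.2.1 a): each rule matches on
source address, destination address, transport protocol and requested service
(destination port). First matching rule wins; no match means deny.
Addresses, networks and rules below are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str       # source IP address
    dst: str       # destination IP address
    proto: str     # transport layer protocol: "tcp" or "udp"
    service: int   # requested service, represented by destination port


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # source network in CIDR notation
    dst: str                 # destination network in CIDR notation
    proto: Optional[str]     # None matches any protocol
    service: Optional[int]   # None matches any service

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.service is None or self.service == p.service))


# Constructed boundary policy: office zone 10.1.0.0/16 -> server zone 10.2.0.0/16.
POLICY: List[Rule] = [
    Rule("allow", "10.1.0.0/16", "10.2.0.10/32", "tcp", 443),   # HTTPS to one server only
    Rule("deny",  "10.1.0.0/16", "10.2.0.0/16",  "tcp", 23),    # explicit telnet block
    Rule("allow", "10.1.0.0/16", "10.2.0.0/16",  "udp", 123),   # NTP to the server zone
    Rule("allow", "10.2.0.0/16", "10.1.0.0/16",  None, None),   # server zone may reach office zone
]


def decide(policy: List[Rule], p: Packet) -> str:
    """Return "allow" or "deny" for the packet under the ordered policy.
    The implicit last rule is deny, so anything unmatched is dropped."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


def decide_all(policy: List[Rule], packets: List[Packet]) -> List[str]:
    return [decide(policy, p) for p in packets]


# Constructed sample traffic crossing the boundary.
SAMPLE_PACKETS: List[Packet] = [
    Packet("10.1.5.7",    "10.2.0.10", "tcp", 443),  # allowed by rule 1
    Packet("10.1.5.7",    "10.2.0.11", "tcp", 443),  # no rule: default deny
    Packet("10.1.5.7",    "10.2.0.10", "tcp", 23),   # explicit deny
    Packet("10.1.9.1",    "10.2.3.4",  "udp", 123),  # allowed by rule 3
    Packet("10.1.9.1",    "10.2.3.4",  "tcp", 123),  # wrong protocol: default deny
    Packet("192.168.1.1", "10.2.0.10", "tcp", 443),  # source outside office zone: deny
    Packet("10.2.0.10",   "10.1.5.7",  "tcp", 5000), # return direction: allowed by rule 4
]
```

Because the last rule is an implicit deny, the policy is positive: only listed services cross the boundary, which matches how a boundary strategy is normally written, and the explicit deny for port 23 exists to document the intent rather than to change the outcome.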
b) Security audit of area boundary
It may use the integrity check mechanism supported by the short-message and short-latency cryptographic technology adapted to the characteristics of the fieldbus, or the physical protection mechanism, to achieve the integrity protection of the data transmission of the fieldbus network.
b) Protection of data transmission integrity of wireless network
It may use the integrity check mechanism supported by cryptographic technology, to achieve integrity protection of data transmission of wireless network.
7.3.4 Technical requirements for design of security management center
7.3.4.1 System management
System administrators can perform configuration, control and trusted management of the resources and operations of the system, including user identity, trusted certificates, trusted reference library, system resource configuration, system loading and startup, exception handling of system operations, data and device backup and recovery, protection against malicious code.
It shall authenticate the identity of the system administrators; they are only allowed to perform system management operations through specific commands or operation interfaces, and these operations shall be audited.
When performing the security design of a cloud computing platform, the security management shall provide a way to query cloud tenant data and backup storage locations.
When designing the security of the Internet of Things system, the system administrator shall perform the unified identity management of the sensor devices, sensor layer gateways, etc.
7.3.4.2 Audit management
Security auditors can centrally manage the security audit mechanisms distributed in various components of the system, including classifying audit records according to security audit policies; providing the corresponding types of security audit mechanisms to be turned on and off by time period; storing, managing, querying various types of audit records.
It shall perform identity authentication of the security auditor; the auditor is only allowed to perform security audit operations through specific commands or operation interfaces.
When performing the security design of a cloud computing platform, the cloud detecting that the credibility is compromised; form the verification results into audit record; send it to the management center.
i) Inspection of configuration credibility
The security configuration information of th...