GB/T 28448-2019 English PDF (GBT28448-2019)

Regular price $2,405.00 USD

GB/T 28448-2019: Information security technology -- Evaluation requirement for classified protection of cybersecurity

This standard stipulates the general requirements and extended requirements for testing-evaluation of security of classified protection targets. This standard is applicable to security evaluation service agencies, operation and use units of classified protection targets, for competent departments to conduct security evaluation and provide guidance on the security status of classified protection targets; it is also applicable to network security functional departments when conducting supervision and inspection of the classified protection of cybersecurity.
GB/T 28448-2019
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 28448-2012
Information security technology - Evaluation requirement for classified protection of cybersecurity
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview of testing-evaluation for classified cybersecurity protection
5.1 Method of testing-evaluation for classified cybersecurity protection
5.2 Single item testing-evaluation and overall testing-evaluation
6 Requirements for level 1 testing-evaluation
6.1 General requirements for security testing-evaluation
6.2 Extended requirements for testing-evaluation of cloud computing security
6.3 Extended requirements for testing-evaluation of mobile internet security
6.4 Extended requirements for testing-evaluation of IoT security
6.5 Extended requirements for testing-evaluation of industrial control system security
7 Requirements for level 2 testing-evaluation
7.1 General requirements for security testing-evaluation
7.2 Extended requirements for testing-evaluation of cloud computing security
7.3 Extended requirements for testing-evaluation of mobile internet security
7.4 Extended requirements for testing-evaluation of IoT security
7.5 Extended requirements for testing-evaluation of industrial control system security
8 Requirements for level 3 testing-evaluation
8.1 General requirements for security testing-evaluation
8.2 Extended requirements for testing-evaluation of cloud computing security
8.3 Extended requirements for testing-evaluation of mobile internet security
8.4 Extended requirements for testing-evaluation of IoT security
8.5 Extended requirements for testing-evaluation of industrial control system security
9 Requirements for level 4 testing-evaluation
9.1 General requirements for security testing-evaluation
9.2 Extended requirements for testing-evaluation of cloud computing security
9.3 Extended requirements for testing-evaluation of mobile internet security
9.4 Extended requirements for testing-evaluation of IoT security
9.5 Extended requirements for testing-evaluation of industrial control system security
10 Requirements for level 5 testing-evaluation
11 Overall testing-evaluation
11.1 Overview
11.2 Testing-evaluation of security control points
11.3 Testing-evaluation between security control points
11.4 Inter-area testing-evaluation
12 Testing-evaluation conclusion
12.1 Risk analysis and evaluation
12.2 Conclusion of testing-evaluation for classified cybersecurity protection
Appendix A (Informative) Testing-evaluation intensity
Appendix B (Informative) Security evaluation methods that may be referred to for big data
Appendix C (Normative) Descriptions on numbering of testing-evaluation unit
References
Information security technology - Evaluation requirement for classified protection of cybersecurity
1 Scope
This standard stipulates the general requirements and extended requirements for testing-evaluation of security of classified protection targets.
This standard is applicable to security evaluation service agencies, operation and use units of classified protection targets, for competent departments to conduct security evaluation and provide guidance on the security status of classified protection targets; it is also applicable to network security functional departments when conducting supervision and inspection of the classified protection of cybersecurity.
Note: The level-5 classified protection target is an important supervision and management target, which has a special management mode and security evaluation requirements, so it is not described in this standard.
2 Normative references
The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) is applicable to this standard.
GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 25069 Information security technology - Glossary
GB/T 25070-2019 Information security technology - Technical requirements of security design for classified protection of cybersecurity
GB/T 28449-2018 Information security technology - Testing-evaluation process guide for classified protection of cybersecurity
GB/T 31167-2014 Information security technology - Security guide of cloud

corresponds to the requirement item (testing-evaluation index) included under the security control point. In the testing-evaluation of each requirement, it may use three testing-evaluation methods: interview, examine, test; it may also use one or two of them. The content of the testing-evaluation implementation fully covers the testing-evaluation requirements of all the requirement items in GB/T 22239-2019 and GB/T 25070-2019. When used, it shall, from the implementation of the testing-evaluation of single item, choose the testing-evaluation requirements of each requirement item in GB/T 22239-2019; meanwhile follow these testing-evaluation requirements to develop the testing-evaluation guidance, so as to standardize and guide testing-evaluation for classified cybersecurity protection activities.
According to the survey results, the business process and data flow of the classified protection targets are analyzed to determine the scope of the testing-evaluation work. Combined with the security level of the classified protection target, comprehensively analyze the functions and characteristics of each device and component in the system; determine the testing-evaluation target at technical level from the attributes of the importance, security, sharing, comprehensiveness, appropriateness of the components constituting the classified protection target; determine the personnel and management documents related to it as the testing-evaluation target of the management level. The testing-evaluation targets can be described according to categories, including computer rooms, business application software, host operating systems, database management systems, network interconnection device, security device, interviewees, security management documents.
The testing-evaluation activities for classified cybersecurity protection involve testing-evaluation intensity, including testing-evaluation breadth (coverage) and testing-evaluation depth (intensity). For the implementation of testing-evaluations with a higher level of security protection, it shall choose a wider coverage of testing-evaluation targets and stronger testing-evaluation methods, to obtain more credible testing-evaluation evidence. For a detailed description of the testing-evaluation intensity, see Appendix A.
Each level of testing-evaluation requirements includes 5 parts: general requirements for security testing-evaluation, extended requirements for cloud computing security testing-evaluation, extended requirements for mobile internet security testing-evaluation, extended requirements for IoT security testing-evaluation, extended requirements for industrial control system security testing-evaluation. For big data, please refer to Appendix B for the security testing-evaluation method.
does not meet the index requirements of the testing-evaluation unit.
6.1.1.2 Anti-theft and anti-vandalism
6.1.1.2.1 Testing-evaluation unit (L1-PES1-02)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: The device or main components shall be fixed and marked with signs that are not easily removed.
b) Testing-evaluation target: Computer room's device or main components.
c) The implementation of the testing-evaluation includes the following:
1) It shall check whether the device or main components in the computer room are fixed;
2) It shall check whether the device or main components in the computer room are provided with obvious signs that are difficult to remove.
d) Unit judgment: If both 1) and 2) are positive, it meets the index requirements of this testing-evaluation unit; otherwise, it does not meet or partially meets the index requirements of this testing-evaluation unit.
6.1.1.3 Lightning protection
6.1.1.3.1 Testing-evaluation unit (L1-PES1-03)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: Various cabinets, facilities and device shall be securely grounded through the grounding system.
b) Testing-evaluation target: Computer room.
c) Testing-evaluation's implementation: It shall check whether the cabinets, facilities and device in the computer room are grounded.
d) Unit judgment: If the content of the above testing-evaluation is positive, it meets the index requirements of the testing-evaluation unit; otherwise, it does not meet the index requirements of the testing-evaluation unit.
6.1.1.4 Fire protection
6.1.1.4.1 Testing-evaluation unit (L1-PES1-04)
The testing-evaluation unit includes the following requirements:
2) It shall check whether the temperature and humidity are within the allowable range of device operation.
d) Unit judgment: If both 1) and 2) are positive, it meets the index requirements of the testing-evaluation unit; otherwise, it does not meet or partially meets the index requirements of the testing-evaluation unit.
6.1.1.7 Electricity supply
6.1.1.7.1 Testing-evaluation unit (L1-PES1-07)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: It shall configure voltage stabilizer and overvoltage protection device on the power supply line of the computer room.
b) Testing-evaluation target: Power supply facilities in the computer room.
c) Testing-evaluation's implementation: It shall check whether the power supply line is equipped with a voltage regulator and overvoltage protection device.
d) Unit judgment: If the content of the above testing-evaluation is positive, it meets the index requirements of the testing-evaluation unit; otherwise, it does not meet the index requirements of the testing-evaluation unit.
6.1.2 Communication network security
6.1.2.1 Communication transmission
6.1.2.1.1 Testing-evaluation unit (L1-CNS1-01)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: It shall use verification technology to ensure the integrity of data during the communication process.
b) Testing-evaluation target: Device or components that provide verification technical functions.
c) Testing-evaluation's implementation: It shall check whether the verification technology is used to protect its integrity during data transmission.
d) Unit judgment: If the content of the above testing-evaluation is positive, it meets the index requirements of the testing-evaluation unit; otherwise, it does not meet the index requirements of the testing-evaluation unit.
b) Testing-evaluation targets: Device or components that provide trusted verification.
c) The implementation of the testing-evaluation includes the following:
1) It shall check whether the system boot program, system program, etc. of the boundary device are subject to trusted verification based on the root of trust;
2) It shall check whether an alarm is issued when the credibility of the boundary device is detected to be compromised.
d) Unit judgment: If both 1) and 2) are positive, it meets the index requirements of this testing-evaluation unit; otherwise, it does not meet or partially meets the index requirements of this testing-evaluation unit.
6.1.4 Computing environment security
6.1.4.1 Identity authentication
6.1.4.1.1 Testing-evaluation unit (L1-CES1-01)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: It shall identify and authenticate the identity of the logged-in user. The identification is unique; the identity authentication information has complexity requirements and is replaced regularly.
b) Testing-evaluation targets: The operating systems (including host and virtual machine operating systems), network devices (including virtual network devices), security devices (including virtual security devices), mobile terminals, mobile terminal management, mobile terminal management client, sensor node device, gateway node device, control device, business application system, database management system, middleware and system management software and system design documents, etc., in devices such as terminals and servers.
c) The implementation of the testing-evaluation includes the following:
1) It shall check whether the user has adopted identity authentication measures when logging in;
2) It shall check the user list to confirm whether the user identity is unique;
3) It shall check whether there is no empty password user in the user configuration information;
4) It shall check the user's authentication information for complexity and

b) Testing-evaluation targets: The operating systems (including host and virtual machine operating systems), network devices (including virtual network devices), security devices (including virtual security devices), mobile terminals, mobile terminal management, mobile terminal management client, sensor node device, gateway node device, control device, business application system, database management system, middleware and system management software and system design documents, etc. in devices such as terminals and servers.
c) The implementation of the testing-evaluation includes the following:
1) It shall check the settings of user account and permission;
2) It shall check whether the access rights of anonymous and default accounts have been disabled or restricted.
d) Unit judgment: If both 1) and 2) are positive, it meets the index requirements of this testing-evaluation unit; otherwise, it does not meet or partially meets the index requirements of this testing-evaluation unit.
6.1.4.2.2 Testing-evaluation unit (L1-CES1-04)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: It shall rename or delete the default account; modify the default password of the default account.
b) Testing-evaluation targets: The operating systems (including host and virtual machine operating systems), network devices (including virtual network devices), security devices (including virtual security devices), mobile terminals, mobile terminal management, mobile terminal management client, sensor node device, gateway node device, control device, business application system, database management system, middleware and system management software and system design documents, etc. in devices such as terminals and servers.
c) The implementation of the testing-evaluation includes the following:
1) It shall check whether the default account has been renamed or the default account has been deleted;
2) It shall check whether the default password of the default account has been modified.
d) Unit judgment: If 1) or 2) is positive, it meets the index requirements of this testing-evaluation unit; otherwise, it does not meet or partially meets the index requirements of this testing-evaluation unit.
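The three computing-environment units above (L1-CES1-01 identity authentication, L1-CES1-03 account and permission settings, L1-CES1-04 default accounts) each reduce to a few host-level checks followed by the d) judgment rule. The Python below is an added example, not tooling from GB/T 28448-2019 or its publisher: it applies those checks to constructed account records and returns the judgment in the standard's own wording. The `Account` fields, the vendor default names `admin` and `guest`, the provisioning day, and the sshd-style login settings used as the stand-in for "authentication measures at login" are all assumptions for a hypothetical host.

```python
"""Account checks modelled on units L1-CES1-01, L1-CES1-03 and L1-CES1-04.
Added example over constructed data; not part of the standard."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    """One local account, with the fields an evaluator reads from
    /etc/passwd and /etc/shadow (constructed, not a real host)."""
    name: str
    uid: int
    shell: str
    password_hash: str    # "" = empty password; "!" or "*" prefix = locked
    last_change_day: int  # shadow field 3: day of last password change


NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Assumptions for this hypothetical host: vendor default account names and
# the day the image was provisioned (an unchanged default password keeps it).
DEFAULT_ACCOUNT_NAMES = {"admin", "guest"}
PROVISIONED_DAY = 19650


def is_locked(acct):
    return acct.password_hash.startswith(("!", "*")) or acct.shell in NOLOGIN_SHELLS


def unit_judgment(checks, rule="all"):
    """The d) rule: all items positive -> meets; none -> does not meet;
    a mix -> partially meets. L1-CES1-04 uses rule="any" (item 1) or 2))."""
    positives = sum(1 for ok in checks.values() if ok)
    if positives == len(checks) or (rule == "any" and positives > 0):
        return "meets"
    return "does not meet" if positives == 0 else "partially meets"


def evaluate_l1_ces1_01(accounts, login_config):
    """1) authentication enforced at login, 2) unique identity,
    3) no empty-password user. Item 4) (complexity) is not modelled."""
    checks = {
        "1) authentication enforced at login":
            login_config.get("PermitEmptyPasswords", "no") == "no"
            and any(login_config.get(k) == "yes"
                    for k in ("PasswordAuthentication", "PubkeyAuthentication")),
        "2) user identity unique":
            len({a.name for a in accounts}) == len(accounts)
            and len({a.uid for a in accounts}) == len(accounts),
        "3) no empty-password user": all(a.password_hash != "" for a in accounts),
    }
    return checks, unit_judgment(checks)


def evaluate_l1_ces1_03(accounts):
    """1) account/permission settings (read here as: only root holds UID 0),
    2) anonymous and default accounts disabled or restricted."""
    defaults_present = [a for a in accounts if a.name in DEFAULT_ACCOUNT_NAMES]
    checks = {
        "1) account and permission settings sound":
            all(a.name == "root" for a in accounts if a.uid == 0),
        "2) anonymous/default accounts disabled or restricted":
            all(is_locked(a) for a in defaults_present),
    }
    return checks, unit_judgment(checks)


def evaluate_l1_ces1_04(accounts):
    """1) default account renamed or deleted, or 2) its default password
    changed after provisioning; either positive item satisfies the unit."""
    defaults_present = [a for a in accounts if a.name in DEFAULT_ACCOUNT_NAMES]
    checks = {
        "1) default account renamed or deleted": not defaults_present,
        "2) default password modified":
            all(a.last_change_day > PROVISIONED_DAY for a in defaults_present),
    }
    return checks, unit_judgment(checks, rule="any")


def run_all(accounts, login_config):
    """Unit id -> judgment, as the evaluator would record it."""
    return {"L1-CES1-01": evaluate_l1_ces1_01(accounts, login_config)[1],
            "L1-CES1-03": evaluate_l1_ces1_03(accounts)[1],
            "L1-CES1-04": evaluate_l1_ces1_04(accounts)[1]}


# Constructed sample: a freshly imaged host that has not been hardened.
SAMPLE_ACCOUNTS = [
    Account("root", 0, "/bin/bash", "$6$constructed$root", 19700),
    Account("ops", 1000, "/bin/bash", "$6$constructed$ops", 19800),
    Account("toor", 0, "/bin/bash", "$6$constructed$toor", 19650),       # second UID 0
    Account("guest", 1001, "/bin/bash", "", 19650),                      # empty password
    Account("admin", 1002, "/bin/bash", "$6$constructed$admin", 19650),  # default, unchanged
    Account("nobody", 65534, "/usr/sbin/nologin", "*", 19650),
]
SAMPLE_LOGIN_CONFIG = {"PasswordAuthentication": "yes",
                       "PubkeyAuthentication": "yes", "PermitEmptyPasswords": "no"}
# Same host after remediation: toor and guest deleted, admin renamed and
# its password changed after provisioning.
HARDENED_ACCOUNTS = [
    Account("root", 0, "/bin/bash", "$6$constructed$root", 19700),
    Account("ops", 1000, "/bin/bash", "$6$constructed$ops", 19800),
    Account("svc_admin", 1002, "/bin/bash", "$6$constructed$svc", 19710),
    Account("nobody", 65534, "/usr/sbin/nologin", "*", 19650),
]

if __name__ == "__main__":
    for label, accts in (("sample", SAMPLE_ACCOUNTS), ("hardened", HARDENED_ACCOUNTS)):
        print(label, run_all(accts, SAMPLE_LOGIN_CONFIG))
```

The unhardened sample comes out "partially meets" for L1-CES1-01 (authentication is enforced, but UID 0 is duplicated and `guest` has an empty password) and "does not meet" for the other two units; the remediated list meets all three. The `rule="any"` path exists only because L1-CES1-04 is the one unit on this page whose d) clause accepts either item.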
1) It shall check whether the minimum installation principle is followed;
2) It shall confirm that unnecessary components and applications are not installed.
d) Unit judgment: If both 1) and 2) are positive, it meets the index requirements of this testing-evaluation unit; otherwise, it does not meet or partially meets the index requirements of this testing-evaluation unit.
6.1.4.3.2 Testing-evaluation unit (L1-CES1-07)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: It shall close the unneeded system services, default sharing and high-risk ports.
b) Testing-evaluation targets: The operating systems (including host and virtual machine operating systems), network devices (including virtual network devices), security devices (including virtual security devices), mobile terminals, mobile terminal management systems, mobile terminal management client, sensor node device, gateway node device and control device, etc. in devices such as terminals and servers.
c) The implementation of the testing-evaluation includes the following:
1) It shall check whether non-essential system services and default sharing are turned off;
2) It shall check whether there are no unnecessary high-risk ports.
d) Unit judgment: If both 1) and 2) are positive, it meets the index requirements of this testing-evaluation unit; otherwise, it does not meet or partially meets the index requirements of this testing-evaluation unit.
6.1.4.4 Malicious code prevention
6.1.4.4.1 Testing-evaluation unit (L1-CES1-08)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: It shall install the anti-malware code software or the software with corresponding functions; regularly upgrade and update the anti-malicious code library.
b) Testing-evaluation targets: Operating systems (including host and virtual machine operating systems) and mobile terminals in devices such as terminals and servers.
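Unit L1-CES1-07 above (close unneeded system services, default sharing and high-risk ports) is the item on this page that an evaluator most often scripts. The Python below is an added example, not part of the standard: it parses constructed `ss -tlnp`-style listener lines together with constructed lists of enabled services and exported shares, compares them against a per-host baseline, and returns both the findings and the unit judgment. The required-service set, the approved ports, the high-risk port list and the default share names are assumptions for a hypothetical host; the standard enumerates none of them.

```python
"""Checks modelled on testing-evaluation unit L1-CES1-07 (unneeded services,
default shares, high-risk ports). Added example over constructed host data;
not tooling from the standard."""
import re

# Constructed stand-ins for what an evaluator collects on the host:
# `ss -tlnp`-style listening sockets, enabled units, and exported shares.
SAMPLE_LISTENERS = """\
LISTEN 0 128   0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128   0.0.0.0:23      0.0.0.0:* users:(("telnetd",pid=901,fd=4))
LISTEN 0 511   *:445           *:*       users:(("smbd",pid=1033,fd=30))
LISTEN 0 128   127.0.0.1:5432  0.0.0.0:* users:(("postgres",pid=1200,fd=5))
LISTEN 0 4096  0.0.0.0:443     0.0.0.0:* users:(("nginx",pid=1300,fd=6))
"""
SAMPLE_ENABLED_SERVICES = ["sshd", "nginx", "postgresql", "telnet.socket", "smbd", "cups"]
SAMPLE_SHARES = ["data", "homes", "print$"]

# Baseline for this hypothetical host: what its business function needs.
REQUIRED_SERVICES = {"sshd", "nginx", "postgresql"}
APPROVED_PORTS = {22, 443}
# Assumption: the standard does not enumerate "high-risk ports"; this is a
# typical evaluator's list, not the standard's.
HIGH_RISK_PORTS = {21: "ftp", 23: "telnet", 135: "msrpc", 139: "netbios-ssn",
                   445: "smb", 3389: "rdp"}
DEFAULT_SHARES = {"homes", "print$", "C$", "ADMIN$", "IPC$"}

LISTENER_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"')


def parse_listeners(text):
    """(local address, port, process name) for each LISTEN line."""
    out = []
    for line in text.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            out.append((m["addr"], int(m["port"]), m["proc"]))
    return out


def find_high_risk_ports(listeners, approved=APPROVED_PORTS, high_risk=HIGH_RISK_PORTS):
    """High-risk ports reachable from the network (loopback-only sockets are
    not counted) that are not on the approved list."""
    hits = []
    for addr, port, proc in listeners:
        loopback = addr.startswith("127.") or addr in ("::1", "[::1]")
        if port in high_risk and port not in approved and not loopback:
            hits.append((port, high_risk[port], proc))
    return hits


def unit_judgment(checks):
    """The d) rule: both positive -> meets; neither -> does not meet."""
    positives = sum(1 for ok in checks.values() if ok)
    if positives == len(checks):
        return "meets"
    return "does not meet" if positives == 0 else "partially meets"


def evaluate_l1_ces1_07(listener_text, enabled_services, shares):
    """Findings behind each item, the item results, and the unit judgment."""
    findings = {
        "unneeded_services": sorted(set(enabled_services) - REQUIRED_SERVICES),
        "default_shares": sorted(set(shares) & DEFAULT_SHARES),
        "high_risk_ports": find_high_risk_ports(parse_listeners(listener_text)),
    }
    checks = {
        "1) non-essential services and default sharing turned off":
            not findings["unneeded_services"] and not findings["default_shares"],
        "2) no unnecessary high-risk ports": not findings["high_risk_ports"],
    }
    return findings, checks, unit_judgment(checks)


if __name__ == "__main__":
    findings, checks, verdict = evaluate_l1_ces1_07(
        SAMPLE_LISTENERS, SAMPLE_ENABLED_SERVICES, SAMPLE_SHARES)
    for item, ok in checks.items():
        print(("PASS " if ok else "FAIL ") + item)
    print("findings:", findings)
    print("L1-CES1-07:", verdict)
```

On the constructed sample both items fail (telnet, smbd and cups are enabled beyond the baseline, `homes` and `print$` are exported, and telnet and SMB listen on all interfaces), so the unit "does not meet"; the loopback-only PostgreSQL socket is deliberately not counted, which is the judgement call an evaluator has to make explicit in the baseline rather than in the script.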
b) Testing-evaluation targets: The information / network security supervisors and record form documents.
c) The implementation of the testing-evaluation includes the following:
1) It shall interview the information / network security supervisor on whether a certain number of system administrators have been assigned;
2) It shall check whether the staffing documents have the staffing status of each position.
d) Unit judgment: If both 1) and 2) are positive, it meets the index requirements of this testing-evaluation unit; otherwise, it does not meet or partially meets the index requirements of this testing-evaluation unit.
6.1.6.3 Authorization and approval
6.1.6.3.1 Testing-evaluation unit (L1-ORS1-03)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: It shall, according to the responsibilities of various departments and positions, clearly define the authorization items, approval departments and approvers.
b) Testing-evaluation targets: The management system documents and record form documents.
c) The implementation of the testing-evaluation includes the following:
1) It shall check whether the department's responsibilities documents clarify the approval items of each department;
2) It shall check whether the job responsibilities document specifies the approval items of each job.
d) Unit judgment: If both 1) and 2) are positive, it meets the index requirements of this testing-evaluat...