www.ChineseStandard.us -- Field Test Asia Pte. Ltd.

GB/T 28448-2019 English PDF (GB/T28448-2019)


Regular price $2,405.00
GB/T 28448-2019: Information security technology - Evaluation requirement for classified protection of cybersecurity

GB/T 28448-2019
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 28448-2012
Information security technology - Evaluation requirement for classified protection of cybersecurity
ISSUED ON: MAY 10, 2019
IMPLEMENTED ON: DECEMBER 01, 2019
Issued by: General Administration of Quality Supervision, Inspection and Quarantine; Standardization Administration of PRC.
Table of Contents
Foreword ... 4
Introduction ... 6
1 Scope ... 7
2 Normative references ... 7
3 Terms and definitions ... 8
4 Abbreviations ... 10
5 Overview of testing-evaluation for classified cybersecurity protection ... 10
5.1 Method of testing-evaluation for classified cybersecurity protection ... 10
5.2 Single item testing-evaluation and overall testing-evaluation ... 12
6 Requirements for level 1 testing-evaluation ... 12
6.1 General requirements for security testing-evaluation ... 12
6.2 Extended requirements for testing-evaluation of cloud computing security ... 40
6.3 Extended requirements for testing-evaluation of mobile internet security ... 45
6.4 Extended requirements for testing-evaluation of IoT security ... 48
6.5 Extended requirements for testing-evaluation of industrial control system security ... 50
7 Requirements for level 2 testing-evaluation ... 55
7.1 General requirements for security testing-evaluation ... 55
7.2 Extended requirements for testing-evaluation of cloud computing security ... 122
7.3 Extended requirements for testing-evaluation of mobile internet security ... 137
7.4 Extended requirements for testing-evaluation of IoT security ... 143
7.5 Extended requirements for testing-evaluation of industrial control system security ... 147
8 Requirements for level 3 testing-evaluation ... 155
8.1 General requirements for security testing-evaluation ... 155
8.2 Extended requirements for testing-evaluation of cloud computing security ... 261
8.3 Extended requirements for testing-evaluation of mobile internet security ... 285
8.4 Extended requirements for testing-evaluation of IoT security ... 293
8.5 Extended requirements for testing-evaluation of industrial control system security ... 304
9 Requirements for level 4 testing-evaluation ... 315
9.1 General requirements for security testing-evaluation ... 315
9.2 Extended requirements for testing-evaluation of cloud computing security ... 428
9.3 Extended requirements for testing-evaluation of mobile internet security ... 454
9.4 Extended requirements for testing-evaluation of IoT security ... 463
9.5 Extended requirements for testing-evaluation of industrial control system security ... 475
10 Requirements for level 5 testing-evaluation ... 485
11 Overall testing-evaluation ... 486
11.1 Overview ... 486
11.2 Testing-evaluation of security control points ... 486
11.3 Testing-evaluation between security control points ... 486
11.4 Inter-area testing-evaluation ... 487
12 Testing-evaluation conclusion ... 487
12.1 Risk analysis and evaluation ... 487
12.2 Conclusion of testing-evaluation for classified cybersecurity protection ... 488
Appendix A (Informative) Testing-evaluation intensity ... 489
Appendix B (Informative) Security evaluation methods that can be referred to for big data ... 493
Appendix C (Normative) Descriptions on numbering of testing-evaluation units ... 531
References ... 533
Information security technology - Evaluation requirement for classified protection of cybersecurity
1 Scope
This standard stipulates the general requirements and extended requirements for the security testing-evaluation of classified protection targets.
This standard is applicable to security evaluation service agencies, to the operation and use units of classified protection targets, and to competent departments that conduct security evaluation of, and provide guidance on, the security status of classified protection targets; it is also applicable to network security functional departments when they supervise and inspect the classified protection of cybersecurity.
Note: A level-5 classified protection target is an important supervision and management target with a special management mode and special security evaluation requirements, so it is not described in this standard.
2 Normative references
The following documents are essential to the application of this document. For dated references, only the version with the indicated date applies to this document; for undated references, the latest version (including all amendments) applies to this standard.
GB 17859-1999 Classified criteria for security protection of computer information system
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
GB/T 25069 Information security technology - Glossary
GB/T 25070-2019 Information security technology - Technical requirements of security design for classified protection of cybersecurity
GB/T 28449-2018 Information security technology - Testing-evaluation process guide for classified protection of cybersecurity
GB/T 31167-2014 Information security technology - Security guide of cloud
corresponds to the requirement item (testing-evaluation index) included under the security control point. The testing-evaluation of each requirement item may use all three testing-evaluation methods (interview, examine, test) or only one or two of them. The testing-evaluation implementation content fully covers the testing-evaluation requirements of all requirement items in GB/T 22239-2019 and GB/T 25070-2019. When this standard is used, the testing-evaluation requirements of each requirement item in GB/T 22239-2019 shall be selected from the single-item testing-evaluation implementation; at the same time, testing-evaluation guidance shall be developed following these testing-evaluation requirements, so as to standardize and guide testing-evaluation activities for classified cybersecurity protection.
According to the survey results, the business process and data flow of the classified protection target are analyzed to determine the scope of the testing-evaluation work. Combined with the security level of the classified protection target, the functions and characteristics of each device and component in the system are comprehensively analyzed; the testing-evaluation targets at the technical level are determined from the importance, security, sharing, comprehensiveness and appropriateness attributes of the components that make up the classified protection target; the related personnel and management documents are determined as the testing-evaluation targets at the management level. The testing-evaluation targets can be described by category, including computer rooms, business application software, host operating systems, database management systems, network interconnection devices, security devices, interviewees and security management documents.
Testing-evaluation activities for classified cybersecurity protection involve testing-evaluation intensity, which covers testing-evaluation breadth (coverage) and testing-evaluation depth (strength). When implementing the testing-evaluation of a target with a higher security protection level, a wider coverage of testing-evaluation targets and stronger testing-evaluation methods shall be chosen, so as to obtain more credible testing-evaluation evidence. For a detailed description of testing-evaluation intensity, see Appendix A.
The testing-evaluation requirements of each level include 5 parts: general requirements for security testing-evaluation, extended requirements for cloud computing security testing-evaluation, extended requirements for mobile internet security testing-evaluation, extended requirements for IoT security testing-evaluation, and extended requirements for industrial control system security testing-evaluation. For big data, refer to Appendix B for the security testing-evaluation method.
does not meet the index requirements of the testing-evaluation unit.
6.1.1.2 Anti-theft and anti-vandalism
6.1.1.2.1 Testing-evaluation unit (L1-PES1-02)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: The device or main components shall be fixed
and marked with signs that are not easily removed.
b) Testing-evaluation target: Computer room’s device or main components.
c) The implementation of the testing-evaluation includes the following:
1) It shall check whether the device or main components in the computer
room are fixed;
2) It shall check whether the device or main components in the computer
room are provided with obvious signs that are difficult to remove.
d) Unit judgment: If both 1) and 2) are positive, it meets the index
requirements of this testing-evaluation unit; otherwise, it does not meet or
partially meets the index requirements of this testing-evaluation unit.
6.1.1.3 Lightning protection
6.1.1.3.1 Testing-evaluation unit (L1-PES1-03)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: All cabinets, facilities and devices shall be securely grounded through the grounding system.
b) Testing-evaluation target: Computer room.
c) Testing-evaluation’s implementation: It shall check whether the cabinets, facilities and devices in the computer room are grounded.
d) Unit judgment: If the content of the above testing-evaluation is positive, it
meets the index requirements of the testing-evaluation unit; otherwise, it
does not meet the index requirements of the testing-evaluation unit.
6.1.1.4 Fire protection
6.1.1.4.1 Testing-evaluation unit (L1-PES1-04)
The testing-evaluation unit includes the following requirements:
2) It shall check whether the temperature and humidity are within the
allowable range of device operation.
d) Unit judgment: If both 1) and 2) are positive, it meets the index requirements of the testing-evaluation unit; otherwise, it does not meet or partially meets the index requirements of the testing-evaluation unit.
6.1.1.7 Electricity supply
6.1.1.7.1 Testing-evaluation unit (L1-PES1-07)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: A voltage stabilizer and an overvoltage protection device shall be configured on the power supply line of the computer room.
b) Testing-evaluation target: Power supply facilities in the computer room.
c) Testing-evaluation’s implementation: It shall check whether the power supply line is equipped with a voltage stabilizer and an overvoltage protection device.
d) Unit judgment: If the content of the above testing-evaluation is positive, it
meets the index requirements of the testing-evaluation unit; otherwise, it
does not meet the index requirements of the testing-evaluation unit.
6.1.2 Communication network security
6.1.2.1 Communication transmission
6.1.2.1.1 Testing-evaluation unit (L1-CNS1-01)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: It shall use verification technology to ensure the
integrity of data during the communication process.
b) Testing-evaluation target: Device or components that provide verification
technical functions.
c) Testing-evaluation’s implementation: It shall check whether verification technology is used to protect the integrity of data during transmission.
d) Unit judgment: If the content of the above testing-evaluation is positive, it
meets the index requirements of the testing-evaluation unit; otherwise, it
does not meet the index requirements of the testing-evaluation unit.
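The index in unit L1-CNS1-01 asks for "verification technology" that protects data integrity in transit; an evaluator checking item c) wants to see that the receiver actually rejects modified data rather than merely computing a checksum. The following example is added here to illustrate that check and is not part of the standard: it uses a keyed HMAC-SHA256 tag appended to each message, with a constructed shared key and constructed message, and shows that both a bit-flipped frame and a frame tagged under a different key are rejected. The function names `protect` and `verify` and the frame layout (message followed by a 32-byte tag) are assumptions of this example.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def protect(key: bytes, message: bytes) -> bytes:
    """Sender side: append an HMAC-SHA256 tag so the receiver can verify integrity.

    Frame layout (an assumption of this example): message || tag.
    """
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message + tag


def verify(key: bytes, frame: bytes):
    """Receiver side: return the message if its tag verifies, otherwise None.

    A modified message, a modified tag, or a tag produced under a different key
    all fail verification. compare_digest avoids leaking the mismatch position
    through timing.
    """
    if len(frame) < TAG_LEN:
        return None  # too short to carry a tag at all
    message, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return message


def integrity_check_demo() -> dict:
    """Walk through the cases an evaluator would want evidence for."""
    key = b"constructed-demo-key-not-for-real-use"  # constructed sample key
    frame = protect(key, b"sensor=42")              # constructed sample message

    tampered = bytearray(frame)
    tampered[0] ^= 0x01                              # flip one bit in the message

    return {
        "intact_accepted": verify(key, frame) == b"sensor=42",
        "bitflip_rejected": verify(key, bytes(tampered)) is None,
        "wrong_key_rejected": verify(b"some-other-key", frame) is None,
        "truncated_rejected": verify(key, b"short") is None,
    }


if __name__ == "__main__":
    for case, ok in integrity_check_demo().items():
        print(f"{case}: {'positive' if ok else 'NEGATIVE'}")
```

A plain CRC or unkeyed hash would pass the first case but not the second in any meaningful sense, since anyone who can alter the data can recompute an unkeyed value; the key is what makes the tag evidence of integrity rather than of accidental corruption.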
b) Testing-evaluation targets: Device or components that provide trusted
verification.
c) The implementation of the testing-evaluation includes the following:
1) It shall check whether the system boot program, system program, etc. of the boundary device are subject to trusted verification based on the root of trust;
2) It shall check whether an alarm is issued when the trustworthiness of the boundary device is detected to be compromised.
d) Unit judgment: If both 1) and 2) are positive, it meets the index
requirements of this testing-evaluation unit; otherwise, it does not meet or
partially meets the index requirements of this testing-evaluation unit.
6.1.4 Computing environment security
6.1.4.1 Identity authentication
6.1.4.1.1 Testing-evaluation unit (L1-CES1-01)
The testing-evaluation unit includes the following requirements:
a) Testing-evaluation index: It shall identify and authenticate the identity of
the logged-in user. The identification is unique; the identity authentication
information has complexity requirements and is replaced regularly.
b) Testing-evaluation targets: The operating systems (including host and
virtual machine operating systems), network devices (including virtual
network devices), security devices (including virtual security devices),
mobile terminals, mobile terminal management, mobile terminal
management client, sensor node device, gateway node device, control
device, business application system, database management system,
middleware and system management software and system design
documents, etc., in devices such as terminals and servers.
c) The implementation of the testing-evaluation includes the following:
1) It shall check whether the user has adopted identity authentication
measures when logging in;
2) It shall check the user list to confirm whether the user identity is unique;
3) It shall check whether there are no users with an empty password in the user configuration information;
4) It shall check the user's authentication information for complexity and
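Items 2) and 3) of unit L1-CES1-01, together with the index's requirement that authentication information be replaced regularly, can be evidenced on a host operating system by examining its user configuration. The following example is added here as an illustration and is not part of the standard or of any tool it references: it parses constructed `/etc/passwd`- and `/etc/shadow`-style snapshots (sample data, not from a real system), checks that every UID is unique, that no account has an empty password field, and that every active account has a password maximum age within an assumed 90-day policy, and then maps the findings onto the unit's "meets / partially meets / does not meet" judgment. The policy value, the function names and the verdict mapping for the intermediate case are assumptions of this example; item 1) (whether authentication is enforced at login) is a behavioural check that cannot be read from these files and is not covered.

```python
from typing import Dict, List, Tuple

# Constructed sample snapshots (not from a real system). Field order follows
# the /etc/passwd and /etc/shadow layouts; hashes are placeholders.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
backup:x:1000:1000::/var/backup:/bin/sh
nobody:x:65534:65534::/nonexistent:/usr/sbin/nologin
"""

SHADOW_SAMPLE = """\
root:$6$saltsalt$placeholderhash:19600:0:90:7:::
alice:$6$saltsalt$placeholderhash:19600:0:90:7:::
bob::19600:0:90:7:::
backup:$6$saltsalt$placeholderhash:19600:0:90:7:::
nobody:*:19600:0:99999:7:::
"""

LOCKED_PREFIXES = ("*", "!")  # locked / no-login accounts have no password to rotate
CHECKS = ("unique_identity", "empty_password", "password_age")


def parse_passwd(text: str) -> Dict[str, int]:
    """Return {username: uid} from passwd-style lines."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, *_rest = line.split(":")
        users[name] = int(uid)
    return users


def parse_shadow(text: str) -> Dict[str, dict]:
    """Return {username: {"hash": str, "max_days": int|None}} from shadow-style lines."""
    entries: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        max_days = int(f[4]) if len(f) > 4 and f[4] else None
        entries[f[0]] = {"hash": f[1], "max_days": max_days}
    return entries


def audit_identity(passwd_text: str, shadow_text: str, max_age_days: int = 90) -> dict:
    """Evaluate the file-based parts of L1-CES1-01 and return findings plus a verdict."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings: List[Tuple[str, str]] = []

    # Item 2): identity is unique -> no two accounts may share a UID.
    by_uid: Dict[int, List[str]] = {}
    for name, uid in users.items():
        by_uid.setdefault(uid, []).append(name)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(("unique_identity", f"uid {uid} shared by {', '.join(names)}"))

    # Item 3): no account may have an empty password field.
    for name, entry in shadow.items():
        if entry["hash"] == "":
            findings.append(("empty_password", f"{name} has an empty password field"))

    # "Replaced regularly": active accounts need a maximum age within policy.
    for name, entry in shadow.items():
        h = entry["hash"]
        if h == "" or h.startswith(LOCKED_PREFIXES):
            continue  # empty already reported; locked accounts are out of scope
        if entry["max_days"] is None or entry["max_days"] > max_age_days:
            findings.append(("password_age",
                             f"{name}: max age {entry['max_days']} exceeds {max_age_days} days"))

    failed = sorted({kind for kind, _ in findings})
    if not failed:
        verdict = "meets"
    elif len(failed) < len(CHECKS):
        verdict = "partially meets"  # assumed mapping for a partial failure
    else:
        verdict = "does not meet"
    return {"verdict": verdict, "failed_checks": failed, "findings": findings}


if __name__ == "__main__":
    result = audit_identity(PASSWD_SAMPLE, SHADOW_SAMPLE)
    for kind, detail in result["findings"]:
        print(f"[{kind}] {detail}")
    print("verdict:", result["verdict"])
```

On the sample data the shared UID 1000 (alice and backup) and bob's empty password field are reported, the age check passes, and the unit is judged "partially meets"; correcting both findings yields "meets".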