www.ChineseStandard.us -- Field Test Asia Pte. Ltd.
GB/T 31168-2014: Information security technology -- Security capability requirements of cloud computing services
GB/T 20021-2017
GB
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
GB/T 31168-2014
Information Security Technology - Security Capability
Requirements of Cloud Computing Services
Issued on: September 3, 2014
Implemented on: April 1, 2015
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Overview
4.1 Responsibility for Implementing Cloud Computing Security Measures
4.2 Scope of Application of Cloud Computing Security Measures
4.3 Classification of Security Requirements
4.4 Form of Expression of Security Requirements
4.5 Tailoring of Security Requirements
4.6 Security Plan
4.7 Structure of This Standard
5 Security of System Development and Supply Chain
5.1 Policies and Procedures
5.2 Allocation of Resources
5.3 System Life Cycle
5.4 Procurement Process
5.5 System Documentation
5.6 Security Engineering Principles
5.7 Criticality Analysis
5.8 External Information System Services and Related Services
5.9 Developer Security Architecture
5.10 Development Process, Standards and Tools
5.11 Developer Configuration Management
5.12 Developer Security Testing and Assessment
5.13 Developer-Provided Training
5.14 Tamper Resistance
5.15 Component Authenticity
5.16 Unsupported System Components
5.17 Supply Chain Protection
6 Protection of System and Communication
6.1 Policies and Procedures
6.2 Boundary Protection
6.3 Transmission Security and Integrity
6.4 Network Disconnect
6.5 Trusted Path
6.6 Cryptographic Usage and Management
6.7 Collaborative Computing Devices
6.8 Mobile Code
6.9 Session Authenticity
6.10 Physical Connection of Mobile Devices
6.11 Malicious Code Protection
6.12 Memory Protection
6.13 System Virtualization Security
6.14 Network Virtualization Security
6.15 Storage Virtualization Security
7 Access Control
7.1 Policies and Procedures
7.2 User Identification and Authentication
7.3 Device Identification and Authentication
7.4 Identifier Management
7.5 Authenticator Management
7.6 Authenticator Feedback
7.7 Cryptographic Module Authentication
7.8 Account Management
7.9 Access Enforcement
7.10 Information Flow Control
7.11 Least Privilege
7.12 Unsuccessful Logon Attempts
7.13 System Use Notification
7.14 Previous Logon Notification
7.15 Concurrent Session Control
7.16 Session Lock
7.17 Permitted Actions without Identification or Authentication
7.18 Security Attributes
7.19 Remote Access
7.20 Wireless Access
7.21 Use of External Information Systems
7.22 Information Sharing
7.23 Publicly Accessible Content
7.24 Data Mining Protection
7.25 Media Access and Use
7.26 Service Termination and Data Migration
8 Configuration Management
8.1 Policies and Procedures
8.2 Configuration Management Plan
8.3 Baseline Configuration
8.4 Change Control
8.5 Configuration Parameter Settings
8.6 Least Functionality
8.7 Information System Component Inventory
9 Maintenance
9.1 Policies and Procedures
9.2 Controlled Maintenance
9.3 Maintenance Tools
9.4 Remote Maintenance
9.5 Maintenance Personnel
9.6 Timely Maintenance
9.7 Flaw Remediation
9.8 Security Function Verification
9.9 Software, Firmware and Information Integrity
10 Emergency Response and Disaster Preparedness
10.1 Policies and Procedures
10.2 Incident Handling Plan
10.3 Incident Handling
10.4 Incident Reporting
10.5 Incident Handling Support
10.6 Security Alerts
10.7 Error Handling
10.8 Emergency Response Plan
10.9 Emergency Training
10.10 Emergency Drills
10.11 Information System Backup
10.12 Supporting the Customer's Service Continuity Plan
10.13 Telecommunications Services
11 Audit
11.1 Policies and Procedures
11.2 Auditable Events
11.3 Content of Audit Records
11.4 Audit Record Storage Capacity
11.5 Response to Audit Processing Failures
11.6 Audit Review, Analysis and Reporting
11.7 Audit Reduction and Report Generation
11.8 Time Stamps
11.9 Protection of Audit Information
11.10 Non-repudiation
11.11 Audit Record Retention
12 Risk Assessment and Continuous Monitoring
12.1 Policies and Procedures
12.2 Risk Assessment
12.3 Vulnerability Scanning
12.4 Continuous Monitoring
12.5 Information System Monitoring
12.6 Spam Monitoring
13 Security Organization and Personnel
13.1 Policies and Procedures
13.2 Security Organization
13.3 Security Resources
13.4 Security Rules and Regulations
13.5 Position Risk and Responsibilities
13.6 Personnel Screening
13.7 Personnel Termination
13.8 Personnel Transfer
13.9 Access Agreements
13.10 Third-Party Personnel Security
13.11 Personnel Sanctions
13.12 Security Training
14 Physical and Environmental Security
14.1 Policies and Procedures
14.2 Site Selection for Physical Facilities and Equipment
14.3 Physical and Environmental Planning
14.4 Physical Access Authorization
14.5 Physical Access Control
14.6 Communication Capacity Protection
14.7 Output Device Access Control
14.8 Physical Access Monitoring
14.9 Visitor Access Records
14.10 Power Equipment and Cabling Security
14.11 Emergency Lighting
14.12 Fire Protection
14.13 Temperature and Humidity Control
14.14 Water Damage Protection
14.15 Equipment Transport and Removal
Appendix A (Informative) Template for System Security Plan
Bibliography
Information Security Technology - Security Capability
Requirements of Cloud Computing Services
1 Scope
This standard specifies the technical security capabilities that a cloud service provider shall possess when it provides cloud computing services to a specific customer on a commercial (socialized) basis.
This standard applies to the security management of cloud computing services used by government departments. It may also be used as a reference for cloud computing services used by key industries and by other enterprises and institutions, and to guide cloud service providers in building secure cloud computing platforms and delivering secure cloud computing services.
2 Normative References
The following referenced documents are indispensable for the application of this
document. For dated references, only the edition cited applies. For undated references, the
latest edition of the normative document (including any amendments) applies.
GB/T 9361-2011 Safety Requirements for Computation Center Field
GB/T 25069-2010 Information Security Technology - Glossary
GB 50174-2008 Code for Design of Electronic Information System Room
GB/T 31167-2014 Information Security Technology - Security Guide of Cloud
Computing Services
3 Terms and Definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2010 and the following apply.
3.1
Cloud computing
A mode of accessing a scalable, elastic pool of shareable physical or virtual resources over a network, in which resources can be provisioned and managed on demand through self-service.
Note: examples of resources include servers, operating systems, networks, software, applications and storage equipment.
3.2
Cloud computing service
One or more capabilities offered by means of cloud computing and invoked through a defined interface.
3.3
Cloud service provider
The party that provides cloud computing services.
Note: the cloud service provider manages, operates and supports the infrastructure and software of cloud computing, and
security requirements are classified into 10 categories, each of which contains several specific requirements.
These 10 categories are:
- Security of system development and supply chain. The cloud service provider shall adequately protect the cloud computing platform during development, impose corresponding requirements on the developers of information systems, components and services, allocate sufficient resources to the cloud computing platform and take security requirements fully into account. Besides ensuring that lower-tier suppliers take the necessary security measures, the cloud service provider shall provide the customer with documentation and information on the relevant security measures and shall manage the information system and the business jointly with the customer.
- Protection of system and communication. The cloud service provider shall monitor, control and protect network communications at the external boundary and at key internal boundaries of the cloud computing platform, and shall also protect the security of the platform through methods such as structured design, software development techniques and software engineering.
- Access control. The cloud service provider shall strictly protect customer data on the cloud computing platform. Personnel, processes and devices shall be identified before they access the cloud computing platform, and the operations they may perform and the functions available to them shall be restricted.
- Configuration management. The cloud service provider shall perform configuration management for the cloud computing platform, establish and maintain a baseline configuration and an inventory of the platform (including hardware, software and documentation) throughout the system life cycle, and define and enforce the security configuration parameters of the products in the platform.
- Maintenance. The cloud service provider shall maintain the facilities and software systems of the cloud computing platform, effectively control maintenance tools, techniques, mechanisms and maintenance personnel, and keep the related records.
- Emergency response and disaster preparedness. The cloud service provider shall develop an emergency response plan for the cloud computing platform and ensure, through periodic drills, that important information resources remain available in an emergency. It shall establish an incident handling plan covering prevention, detection, analysis, containment, system recovery and so on, and shall track and record incidents so that they can be reported to the relevant personnel. It shall also have disaster recovery capability and ensure the continuity of the customer's business by establishing the necessary backup and recovery facilities and mechanisms.
- Audit. The cloud service provider shall define a list of auditable events according to the security requirements and customer requirements, define the content of audit records, perform auditing and store the audit records properly. It shall also periodically analyze and review the audit records and protect them from unauthorized access, modification and deletion.
- Risk assessment and continuous monitoring. The cloud service provider shall assess the risk of the cloud computing platform periodically and whenever the threat environment changes, so as to keep the security risk of the platform at an acceptable level. It shall also establish a list of monitoring targets and continuously monitor their security, and
c) Require the developer of the information system, component or service to provide evidence that [assignment: the systems engineering methods, software development methods, testing techniques and quality control processes defined by the cloud service provider] are used throughout the system life cycle.
d) Require the developer of the information system, component or service to implement [assignment: the security configuration defined by the cloud service provider] in the delivered information system, component or service; this security configuration shall be the default configuration whenever the information system, component or service is reinstalled or upgraded.
e) Require the developer of the information system, component or service to produce a plan for continuously monitoring the effectiveness of the security measures, at [assignment: the level of detail defined by the cloud service provider].
f) Require the developer of the information system, component or service to identify the system's functions, ports, protocols and services early in the system life cycle; the cloud service provider shall disable any function, port, protocol or service that is unnecessary or high-risk.
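Requirements 5.4 d) and f) can be enforced mechanically at delivery and after every upgrade. The script below is an added example, not part of GB/T 31168-2014 and not any provider's tooling: the declared-service manifest, the high-risk service list, the required security settings, and the `ss -lntu` and `sshd -T` style observations are all constructed for illustration. It parses a captured listener table and flags undeclared, unnecessary and high-risk ports, protocols and services (5.4 f), and it checks that the provider-defined security configuration is still the effective default after an upgrade (5.4 d); either class of finding rejects the delivery.

```python
"""Delivery/upgrade gate for GB/T 31168-2014 clause 5.4 d) and f).

Added example, not from the standard. Every manifest entry, setting and
captured line below is constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# 5.4 f): ports/protocols/services declared by the developer early in the
# life cycle (assumed manifest). `required` marks what the system cannot
# run without; everything else is a candidate for disabling.
DECLARED_SERVICES = {
    ("tcp", 22):  {"name": "ssh",     "required": True},
    ("tcp", 443): {"name": "https",   "required": True},
    ("tcp", 23):  {"name": "telnet",  "required": False},   # legacy, cleartext
    ("udp", 111): {"name": "rpcbind", "required": False},
}

# Services the provider treats as high-risk regardless of declaration
# (assumed list; the standard leaves the definition to the provider).
HIGH_RISK_SERVICES: Set[str] = {"telnet", "ftp", "rsh", "rlogin", "tftp", "rpcbind"}

# 5.4 d): security configuration the provider requires as the delivered
# default (assumed sshd_config-style keys and values).
REQUIRED_DEFAULTS: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "LogLevel": "VERBOSE",
}

# Constructed `ss -lntu` output captured on the system after an upgrade.
SS_OUTPUT_AFTER_UPGRADE = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511    *:443               *:*
tcp   LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
tcp   LISTEN 0      128    [::]:8080           [::]:*
udp   UNCONN 0      0      0.0.0.0:111         0.0.0.0:*
"""

# Constructed effective configuration after the upgrade (as `sshd -T`
# would print it, lower-cased keys). The upgrade silently re-enabled
# password authentication and lowered the log level.
EFFECTIVE_CONFIG_AFTER_UPGRADE: Dict[str, str] = {
    "permitrootlogin": "no",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "loglevel": "INFO",
}


def parse_ss_listeners(ss_text: str) -> Set[Tuple[str, int]]:
    """Return {(proto, port)} for every bound socket in `ss -lntu` output."""
    listeners: Set[Tuple[str, int]] = set()
    for line in ss_text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        port = local.rsplit(":", 1)[1]              # 0.0.0.0:22, [::]:22, *:443
        if port.isdigit():
            listeners.add((proto, int(port)))
    return listeners


def check_exposed_services(listeners: Set[Tuple[str, int]]) -> List[str]:
    """5.4 f): flag undeclared listeners and declared ones that are high-risk or unnecessary."""
    findings: List[str] = []
    for proto, port in sorted(listeners):
        decl = DECLARED_SERVICES.get((proto, port))
        if decl is None:
            findings.append(f"UNDECLARED {proto}/{port}: not in developer manifest")
        elif decl["name"] in HIGH_RISK_SERVICES:
            findings.append(f"HIGH_RISK {proto}/{port} ({decl['name']}): must be disabled")
        elif not decl["required"]:
            findings.append(f"UNNECESSARY {proto}/{port} ({decl['name']}): disable")
    return findings


def check_default_config(effective: Dict[str, str]) -> List[str]:
    """5.4 d): every required setting must hold in the post-upgrade effective config."""
    findings: List[str] = []
    for key, wanted in REQUIRED_DEFAULTS.items():
        actual = effective.get(key.lower())
        if actual is None:
            findings.append(f"MISSING {key}: required {wanted!r}")
        elif actual.lower() != wanted.lower():
            findings.append(f"DRIFT {key}: required {wanted!r}, effective {actual!r}")
    return findings


def delivery_gate(ss_text: str, effective: Dict[str, str]) -> Dict[str, object]:
    """Run both checks; the delivery is accepted only when neither reports anything."""
    svc = check_exposed_services(parse_ss_listeners(ss_text))
    cfg = check_default_config(effective)
    return {"service_findings": svc, "config_findings": cfg, "accepted": not (svc or cfg)}


if __name__ == "__main__":
    report = delivery_gate(SS_OUTPUT_AFTER_UPGRADE, EFFECTIVE_CONFIG_AFTER_UPGRADE)
    for finding in report["service_findings"] + report["config_findings"]:
        print(finding)
    print("ACCEPTED" if report["accepted"] else "REJECTED: return to developer")
```

On the constructed sample the gate rejects the delivery: tcp/8080 is listening but was never declared, telnet and rpcbind are declared but high-risk, and two settings drifted from the required defaults during the upgrade. In practice the listener table and effective configuration would be captured from the delivered image rather than embedded, and the manifest would come from the developer's 5.4 f) description.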
5.5 System Documentation
5.5.1 General requirements
The cloud service provider shall:
a) Require the developer of the information system, component or service to produce administrator documentation covering the following:
1) The security configuration of the information system, component or servi...