
GB/T 36958-2018: Information security technology -- Technical requirements of security management center for classified protection of cybersecurity

This standard specifies the technical requirements for the cybersecurity classified protection for security management center. This standard is applicable to guide security manufacturers and operating and using organizations to design, construct and operate security management centers in accordance with the requirements of this standard.
GB/T 36958-2018
GB
NATIONAL STANDARD OF THE
PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Technical requirements of security management center for classified protection of cybersecurity
ISSUED ON: DECEMBER 28, 2018
IMPLEMENTED ON: JULY 01, 2019
Issued by: State Administration for Market Regulation; Standardization Administration of PRC.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Overview of security management center
5.1 General description
5.2 Function description
6 Technical requirements for the second-level security management center
6.1 Functional requirements
6.2 Interface requirements
6.3 Self-security requirements
7 Technical requirements for the third-level security management center
7.1 Functional requirements
7.2 Interface requirements
7.3 Self-security requirements
8 Technical requirements for the fourth-level security management center
8.1 Functional requirements
8.2 Interface requirements
8.3 Self-security requirements
9 Technical requirements for the fifth-level security management center
10 Technical requirements for security management center of cross-grading system
Appendix A (Normative) Correspondence between security management center and cybersecurity classified protection object's level
Appendix B (Normative) Classification of technical requirements of security management center
Appendix C (Informative) Normalized security event attributes
Information security technology - Technical requirements of security management center for classified protection of cybersecurity
1 Scope
This standard specifies the technical requirements for the cybersecurity classified protection for security management center.
This standard is applicable to guide security manufacturers and operating and using organizations to design, construct and operate security management centers in accordance with the requirements of this standard.
2 Normative references
The following documents are essential to the application of this document. For the dated documents, only the versions with the dates indicated are applicable to this document; for the undated documents, only the latest version (including all the amendments) is applicable to this standard.
GB/T 5271.8 Information technology - Vocabulary - Part 8: Security
GB 17859-1999 Computer information system - Criteria for classifying security protection level
GB/T 25069 Information security technology - Glossary
GB/T 25070 Information security technology - Technical requirements of security design for information system classified protection
3 Terms and definitions
The terms and definitions as defined in GB 17859-1999, GB/T 5271.8, GB/T 25069, GB/T 25070 as well as the following terms and definitions apply to this document.
3.1
Data acquisition interface
corresponding types of security audit mechanisms to be turned on and off according to time periods; performing storage, management, inquiry, etc. of various types of audit records. The security auditor analyzes the audit records and processes them in a timely manner based on the analysis results.
6 Technical requirements for the second-level security management center
6.1 Functional requirements
6.1.1 System management requirements
6.1.1.1 User identity management
User identity management shall meet the following requirements:
a) Be able to authenticate the system administrator of the managed object; check the complexity of the identity and authentication information;
b) In the Internet of Things system, the system administrator of the managed object shall conduct unified identity management on the perception equipment, perception layer gateway, etc.
6.1.1.2 Data protection
6.1.1.2.1 Data confidentiality
Data confidentiality shall meet the following requirements:
a) Before establishing a connection between the security management center and the managed object, password technology can be used for session initialization verification;
b) Cryptographic technology can be used to protect the confidentiality of the entire message or session in the communication process between the security management center and the managed object;
c) Encryption or other protection measures can be used to realize the storage confidentiality of the authentication information and configuration management data of the managed object.
6.1.1.2.2 Data integrity
Data integrity shall meet the following requirements:
Security event alarms shall have an alarm function, which can generate alarms based on preset thresholds when abnormalities are found.
6.1.1.3.3 Security incident response
Security incident response shall meet the following requirements:
a) It can provide the function of work order management; support the circulation process of creating work orders based on alarm response actions;
b) It shall provide security notification function, which can create or import security risk notification, including the content of the notification, description information, CVE number, affected operating system, etc.;
c) Provide a list of affected protected assets based on the operating system affected by the security risk indicated in the notification.
6.1.1.3.4 Statistical analysis report
The statistical analysis report shall meet the following requirements:
a) Be able to query security events according to conditions such as time and event type;
b) Can provide statistical analysis and report generation functions.
6.1.1.4 Risk management
6.1.1.4.1 Asset management
Asset management shall meet the following requirements:
a) Realize the management of the assets of the managed objects; provide asset addition, modification, deletion, query and statistics functions;
b) Asset management information shall include asset attributes such as asset name, asset IP address, asset type, asset owner, asset business value, asset confidentiality, integrity, availability assignment;
c) Support the customization of asset attributes;
d) Support manual entry of asset records or batch asset import based on specified templates.
6.1.1.4.2 Threat management
Threat management shall meet the following requirements:
b) It can show the operating status of key equipment (including network equipment, security equipment, server host, etc.) and links in the current network environment, such as network traffic, network protocol statistical analysis and other indicators.
6.1.2 Audit management requirements
6.1.2.1 Centralized management of audit policy
Centralized management of audit policy shall be able to view the configuration of audit policy of host operating system, database system, network equipment, security equipment, including whether the policy is on, whether the parameter facility complies with the security policy, etc.
6.1.2.2 Centralized management of audit data
6.1.2.2.1 Audit data collection
Audit data collection shall meet the following requirements:
a) It can realize the normalization of audit data; the content shall cover date, time, subject identification, object identification, type, result, IP address, port and other information;
b) Support setting query conditions for audit data query;
c) Support filtering and processing various audit data according to rules;
d) Support the consolidation of data collection information according to specific rules.
6.1.2.2.2 Audit data collection objects
Audit data collection objects shall meet the following requirements:
a) Support audit data collection of network equipment (such as switches, routers, traffic management, load balancing and other network infrastructure equipment);
b) Support the collection of audit data on host devices (such as server operating systems and other application support platforms and desktop computers, laptops, handheld terminals and other terminal users used to access information systems);
c) Support the collection of audit data from the database;
d) Support the collection of audit data of security equipment (such as firewalls, intrusion monitoring systems, anti-denial of service attack equipment, anti-virus systems, application security audit systems, access
6.3 Self-security requirements
6.3.1 Identity authentication
The administrator identity authentication of the security management center console shall meet the following requirements:
a) Provide a dedicated login control module to identify and authenticate the administrator;
b) Provide complexity check functions for the unique identity and authentication information of administrator users, to ensure that there is no duplicate user identity and that the identity authentication information is not easy to fraudulently use;
c) Provide login failure processing functions, which can take measures such as ending the session, limiting the number of illegal logins and automatic logout.
6.3.2 Access control
The access control of the security management center console shall meet the following requirements:
a) Provide independent access control functions; control administrators' access to various functions according to security policies;
b) The coverage of autonomous access control shall include all administrators, functions and operations between them;
c) The authorized administrator configures the access control policy and prohibits the access of the default account.
6.3.3 Security audit
The security audit of the security management center console shall meet the following requirements:
a) Provide a security audit function covering each administrator; record the important operations and security events of all administrators for audit;
b) Ensure that the audit process cannot be interrupted alone; that audit records cannot be deleted, modified or overwritten;
c) The content of the audit record shall at least include the date, time, initiator information, type, description and results of the event;
a) It can detect that the integrity of management data and authentication information is damaged during transmission and storage;
b) Use cryptographic technology or other protection measures to realize the confidentiality of data transmission and storage of management data and authentication information.
7 Technical requirements for the third-level security management center
7.1 Functional requirements
7.1.1 System management requirements
7.1.1.1 User identity management
User identity management shall meet the following requirements:
a) Be able to identify the subject in the environment of the managed object;
b) Able to use two or more combinations of authentication technologies to authenticate users;
c) Be able to authenticate the system administrator of the managed object; check the complexity of the identity and authentication information;
d) In the Internet of Things system, the system administrator of the managed object shall manage the unified identity identification of the sensing device and the sensing layer gateway.
7.1.1.2 Data protection
7.1.1.2.1 Data confidentiality
Data confidentiality shall meet the following requirements:
a) Before establishing a connection between the security management center and the managed object, it shall use the cryptographic technology for verification of session initialization;
b) It shall use the cryptographic technology to protect the confidentiality of the entire message or session in the communication process between the security management center and the managed object;
Security event collection shall meet the following requirements:
a) Support security event monitoring and collection functions; timely discover and collect security events that occur;
b) Able to normalize security events; convert original events composed of different sources, different formats, different contents into a standard event format;
c) The content of the security event shall include date, time, subject identification, object identification, type, result, IP address, port and other information;
d) The scope of security event collection shall cover host equipment, network equipment, databases, security equipment, various middleware, computer room environmental control systems, etc.;
e) Able to centrally store the collected raw data of security events.
Note: Refer to Appendix C for the attributes of security events.
7.1.1.3.2 Security event alarm
Security event alarms shall meet the following requirements:
a) It has an alarm function, which can generate an alarm according to a preset threshold when an abnormality is found;
b) When an alarm is generated, it shall be able to trigger the pre-set event analysis rules and execute the predefined alarm response actions, such as: console dialog box alarm, console alarm sound, email alarm, mobile phone SMS alarm, creating work order, publish alarm events through Syslog or SNMP Trap, etc.;
c) It has the ability to combine alarms for the same security events that occur frequently to avoid alarm storms.
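As an added illustration of 7.1.1.3.1 b) and c) and of 7.1.1.3.2 a) and c) (it is not part of the standard), the following Python converts two constructed source formats into the required attribute set, raises an alarm once a preset threshold is reached, and merges repeated alarms for the same source so they do not become an alarm storm. The sshd and firewall line formats, the threshold and the per-(IP, type) merge key are assumptions made here.

```python
import re
from collections import defaultdict, namedtuple

# The attribute set the standard requires after normalization (7.1.1.3.1 c).
NormalizedEvent = namedtuple("NormalizedEvent", "date time subject obj type result ip port")
# Source format 1 (constructed): an sshd-style syslog line.
SSHD_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<res>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")

def normalize_sshd(line):
    m = SSHD_RE.match(line)
    if m is None:
        return None  # not this format; the caller tries the next parser
    return NormalizedEvent(m["date"], m["time"], m["user"], "sshd", "auth",
                           "success" if m["res"] == "Accepted" else "failure",
                           m["ip"], int(m["port"]))

# Source format 2 (constructed): a firewall key=value line.
def normalize_firewall(line):
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"date", "time", "src", "dst", "dport", "action"} <= set(kv):
        return None
    return NormalizedEvent(kv["date"], kv["time"], kv["src"], kv["dst"], "firewall",
                           "success" if kv["action"] == "allow" else "failure",
                           kv["src"], int(kv["dport"]))

def normalize_all(lines, parsers=(normalize_sshd, normalize_firewall)):
    """Convert raw lines of different sources and formats into one standard record (7.1.1.3.1 b)."""
    events = []
    for line in lines:
        for parse in parsers:
            ev = parse(line)
            if ev is not None:
                events.append(ev)
                break
    return events

def raise_alarms(events, threshold):
    """Preset-threshold alarm (7.1.1.3.2 a) with merging (7.1.1.3.2 c): failures are counted per
    (source IP, type); at the threshold ONE alarm record per key is created and later events only
    update its count and last-seen time, so repeats do not become an alarm storm."""
    counts, alarms = defaultdict(int), {}
    for ev in events:
        if ev.result != "failure":
            continue
        key = (ev.ip, ev.type)
        counts[key] += 1
        if counts[key] >= threshold:
            alarm = alarms.setdefault(key, {"ip": ev.ip, "type": ev.type, "first": ev.time})
            alarm["count"], alarm["last"] = counts[key], ev.time
    return list(alarms.values())

# Constructed sample input (not real log data): one unparseable line, five SSH failures and
# three firewall denies from one address, plus two successful events that must not alarm.
SAMPLE_LINES = ["garbage line"] + [
    f"2024-05-01T10:00:0{i} host1 sshd[100]: Failed password for root from 198.51.100.7 port 5000{i} ssh2"
    for i in range(1, 6)] + [
    "2024-05-01T10:01:00 host1 sshd[101]: Accepted password for alice from 192.0.2.10 port 50100 ssh2"] + [
    f"date=2024-05-01 time=10:02:0{i} src=198.51.100.7 dst=10.0.0.9 dport=22 action=deny" for i in range(3)] + [
    "date=2024-05-01 time=10:03:00 src=192.0.2.10 dst=10.0.0.9 dport=443 action=allow"]
```

Running `raise_alarms(normalize_all(SAMPLE_LINES), 3)` yields two merged alarm records (one for the SSH failures with count 5, one for the firewall denies with count 3) instead of one alarm per event.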
7.1.1.3.3 Security event response
Security event response shall meet the following requirements:
a) It can provide the function of work order management; support the circulation process of creating work orders based on alarm response actions;
b) It can provide the security notification function; create or import a security risk notification. The notification shall include the content of the notification, description information, CVE number, affected operating system, etc.;
damage, scope involved.
7.1.1.4.3 Threat management
Threat management shall meet the following requirements:
a) Have pre-defined security threat classification;
b) Support customized security threat classification, such as setting the threat corresponding to the security incident that has occurred as the threat to the asset.
7.1.1.4.4 Vulnerability management
Vulnerability management shall allow the creation and maintenance of asset vulnerability lists; support the merging and updating of vulnerability lists.
7.1.1.4.5 Risk analysis
Risk analysis shall meet the following requirements:
a) Able to calculate the security risk of the target asset based on the business value of the asset, the current vulnerability of the asset, the security threats the asset faces;
b) The calculation cycle and calculation formula of security risks can be adjusted accordingly by modifying the configuration according to the actual needs of the deployment environment;
c) The security management system can graphically display the current asset risk level, current risk ranking statistics, etc.
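Added example, not from the standard: a minimal risk-management model for 7.1.1.4.3 to 7.1.1.4.5 (using the asset attributes of 6.1.1.4.1 b)), in which the threat set on an asset comes from an incident that occurred, vulnerability lists are merged and updated, and the risk formula and level cut-offs are configuration rather than code. The 1-to-5 scales, the product and weighted formulas, the level cut-offs, the threat classes and the vulnerability ids are all assumed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    """Asset record with the attributes listed in 6.1.1.4.1 b)."""
    name: str
    ip: str
    kind: str
    owner: str
    business_value: int          # 1 (low) .. 5 (high), assumed scale
    cia: tuple                   # (confidentiality, integrity, availability) assignment, 1..5 each
    vulns: dict = field(default_factory=dict)    # vulnerability id -> severity 1..5 (7.1.1.4.4)
    threats: dict = field(default_factory=dict)  # threat class -> likelihood 1..5 (7.1.1.4.3)
THREAT_CLASSES = {"brute-force", "malware", "denial-of-service"}  # pre-defined classes, 7.1.1.4.3 a)

def merge_vulns(asset, new_vulns):
    """7.1.1.4.4: merge an updated list into the asset's list; on collision keep the higher severity."""
    for vid, sev in new_vulns.items():
        asset.vulns[vid] = max(sev, asset.vulns.get(vid, 0))

def record_incident(asset, threat_class, likelihood):
    """7.1.1.4.3 b): an incident that occurred sets that threat (at its likelihood) on the asset."""
    if threat_class not in THREAT_CLASSES:
        raise ValueError(f"unknown threat class: {threat_class}")
    asset.threats[threat_class] = max(likelihood, asset.threats.get(threat_class, 0))

# Configurable formula (7.1.1.4.5 b): any callable of (value, vulnerability, threat), each 0..5.
def product_formula(value, vuln, threat):
    return value * vuln * threat / 125 * 100          # scaled to 0..100
def weighted_formula(value, vuln, threat, w=(0.4, 0.3, 0.3)):
    return (w[0] * value + w[1] * vuln + w[2] * threat) / 5 * 100

@dataclass
class RiskConfig:
    formula: callable = product_formula
    cycle_hours: int = 24      # calculation cycle, adjustable per deployment (7.1.1.4.5 b)
    levels: tuple = ((60, "high"), (30, "medium"), (1, "low"), (0, "none"))  # assumed cut-offs

def risk_score(asset, cfg=RiskConfig()):
    """7.1.1.4.5 a): risk from business value, current worst vulnerability and most likely threat."""
    vuln = max(asset.vulns.values(), default=0)
    threat = max(asset.threats.values(), default=0)
    return round(cfg.formula(asset.business_value, vuln, threat), 1)

def risk_level(score, cfg=RiskConfig()):
    return next(name for floor, name in cfg.levels if score >= floor)

def risk_ranking(assets, cfg=RiskConfig()):
    """7.1.1.4.5 c): current risk ranking as (name, score, level), highest risk first."""
    rows = [(a.name, risk_score(a, cfg), risk_level(risk_score(a, cfg), cfg)) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)

def sample_assets():
    """Constructed records (placeholder assets and vulnerability ids) with two incidents applied."""
    web = Asset("web-01", "10.0.0.9", "server", "web team", 4, (3, 4, 5), {"VULN-PLACEHOLDER-1": 5})
    db = Asset("db-01", "10.0.0.20", "database", "dba", 5, (5, 5, 4), {"VULN-PLACEHOLDER-2": 3})
    kiosk = Asset("kiosk-03", "10.0.1.7", "terminal", "facilities", 2, (1, 2, 2))
    record_incident(web, "brute-force", 4)   # 7.1.1.4.3 b): incident becomes the asset's threat
    record_incident(db, "malware", 3)
    return [web, db, kiosk]
```

`risk_ranking(sample_assets())` ranks web-01 (64.0, high) above db-01 (36.0, medium) and kiosk-03 (0.0, none); swapping in `RiskConfig(formula=weighted_formula)` changes the scores without touching the ranking code.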
7.1.1.5 Resource monitoring
7.1.1.5.1 Availability monitoring
Availability monitoring shall meet the following requirements:
a) Support real-time understanding of its availability status by monitoring important performance indicators such as network equipment, security equipment, host operating systems, databases, middleware, application systems, etc.;
b) Support setting thresholds for key indicators (such as: CPU usage, memory usage, disk usage, process occupancy resources, swap partitions, network traffic, etc.); generate an alarm when the threshold is triggered;
c) On the IoT system platform, the system administrator shall monitor
7.1.2.2 Authorization management
Authorization management shall meet the following requirements:
a) Achieve unified management of the access range of each mark;
b) Realize the unified management of the subject's access authority to the object, including host access authority management, network access authority management, application access authority management;
c) Implement access control policies to control the subject's access to the object according to the different security levels of subject mark and object mark.
7.1.2.3 Device policy management
7.1.2.3.1 Security configuration policy
Equipment management shall realize the unified query of the security configuration policy of the host operating system, database system, network equipment, security equipment.
7.1.2.3.2 Intrusion prevention
Intrusion prevention shall meet the following requirements:
a) Provide a unified interface to achieve event collection, receiving, instructions issuing for network intrusion prevention and host intrusion prevention;
b) Provide a unified operating system and service component patch update service in the security domain;
c) In the cloud computing platform, cloud computing security management shall have the ability to retrospectively analyze attack behavior and predict and warn cybersecurity events; it shall have the ability to perceive, predict and judge the cybersecurity situation.
7.1.2.3.3 Malicious code prevention
Malicious code prevention shall meet the following requirements:
a) Monitor and manage the unified upgrade of malicious code prevention products;
b) Collect and report the data of malicious code prevention.
7.1.2.4 Password guarantee
computers, laptops, handheld terminals and other terminal users used to access information systems);
c) Support the collection of audit data from the database;
d) Support the collection of audit data of security equipment (such as firewalls, intrusion monitoring systems, anti-denial of service attack equipment, anti-virus systems, application security audit systems, access control systems, other systems and equipment related to information system security protection);
e) Support the collection of audit data of various middleware;
f) Support the collection of audit data for the computer room environmental control system (such as air conditioning, temperature, humidity control, firefighting equipment, access control system, etc.);
g) Support audit data collection of other application systems or related platforms;
h) In the cloud computing platform, it shall audit the creation and deletion of cloud services such as cloud servers, cloud databases, cloud storage; it shall use the operation and maintenance audit system to conduct security audits on the operation and maintenance behavior of the administrator; the tenant isolation mechanism shall be used to ensure the effectiveness of audit data isolation;
i) In the industrial control system, it shall carry out centralized management of cybersecurity monitoring and alarming and cybersecurity log information of industrial control field control equipment, cybersecurity equipment, network equipment, servers, operating stations and other equipment.
7.1.3.2.3 Audit data collection method
The audit data collection method shall meet the following requirements:
a) Support the collection of audit data on various systems or devices through protocols such as Syslog and SNMP;
b) Receive security audit data of managed objects through a unified interface.
7.1.3.2.4 Association analysis of aud...