Information Security Technology—Evaluation Requirement for Classified Protection of Cybersecurity(GB/T 28448-2019) Standard Interpretation

doi:10.3969/j.issn.1671-1122.2019.07.001

Abstract

Abstract:

Evaluation requirements for classified protection of cybersecurity(GB/T 28448-2019) will be formally implemented soon. This paper introduces the revision background and process of this standard, the main changes in comparison with GB/T 28448-2012, the main contents of security general requirements and security special requirements, etc., so that to the main contents can be understood better.

Key words: classified protection, classified protection object, evaluation for classified protection, security general requirements, security special requirements

CLC Number:

TP309

Guangyong CHEN, Guobang ZHU, Chunling FAN. Information Security Technology—Evaluation Requirement for Classified Protection of Cybersecurity(GB/T 28448-2019) Standard Interpretation[J]. Netinfo Security, 2019, 19(7): 1-8.

Figures/Tables 2

References 9

[1]	QU Jie, FAN Chunling, CHEN Guangyong, et al.Research on Establishment of Network Security Service Ability System for A New Era[J]. Netinfo Security, 2019, 19(1): 83-87.
	曲洁,范春玲,陈广勇,等.新时代下网络安全服务能力体系建设思路[J].信息网络安全,2019,19(1):83-87.
[2]	GB/T 22239-200822239-2008. Information Security Technology-Baseline for Classified Protection of Information System Security [S].Beijing: Standards Press of China, 2008.
	GB/T 22239-2008 22239-2008.信息安全技术信息系统安全等级保护基本要求[S].北京:中国标准出版社,2008.
[3]	GB/T 28448-2012B/T 28448-2012.Information Security Technology—Testing and Evaluation Requirement for Classified Protection of Information System[S]. Beijing: Standards Press of China, 2012.
	GB/T 28448-2012B/T 28448-2012.信息安全技术信息系统安全等级保护测评要求[S].北京:中国标准出版社,2012.
[4]	Cybersecurity Law of the People’s Republic of China[EB/OL]. , 2016-11-7.
	中华人民共和国网络安全法[EB/OL]. , 2016-11-7.
[5]	GUO Qiquan.Training Course on Cybersecurity Law and Classified Protection of Cybersecurity[M]. Beijing: Publishing House of Electronics Industry, 2018.
	郭启全. 网络安全法与网络安全等级保护制度培训教程[M].北京:电子工业出版社,2018.
[6]	MA Li, ZHU Guobang, LU Lei, et al.Baseline for Classified Protection of Cybersecurity(GB/T 22239-2019) Standard Interpretation[J]. Netinfo Security, 2019, 19(2): 77-84.
	马力,祝国邦,陆磊,等.《网络安全等级保护基本要求》(GB/T 22239-2019)标准解读[J].信息网络安全,2019,19(2):77-84.
[7]	GB/T 22239-2019B/T 22239-2019. Information Security Technology—Baseline for Classified Protection of Cybersecurity[S].Beijing: Standards Press of China, 2019.
	GB/T 22239-2019B/T 22239-2019.信息安全技术网络安全等级保护基本要求[S].北京:中国标准出版社,2019.
[8]	National Information Security Standardization Technical Committee.Information Security Technology—Baseline for Classified Protection of Cybersecurity(Draft)[EB/OL]., 2018-10-31.
	全国信息安全标准化技术委员会.信息安全技术网络安全等级保护基本要求(征求意见稿)[EB/OL]., 2018-10-31.
[9]	National Information Security Standardization Technical Committee.Information Security Technology—Evaluation Requirement for Classified Protection of Cybersecurity(Draft)[EB/OL]., 2018-10-31.
	全国信息安全标准化技术委员会.信息安全技术网络安全等级保护测评要求(征求意见稿)[EB/OL]., 2018-10-31.

测评力度	测评方法	第一级	第二级	第三级	第四级
广度	访谈	测评对象在种类和数量上抽样,种类和数量都较少	测评对象在种类和数量上抽样,种类和数量都较多	测评对象在数量上抽样,在种类上基本覆盖	测评对象在数量上抽样,在种类上全部覆盖
	核查
	测试
深度	访谈	简要	充分	较全面	全面
	核查	简要	充分	较全面	全面
	测试	功能测试	功能测试	功能测试和测试验证	功能测试和测试验证

安全类或层面	云计算平台测评对象	传统测评对象
安全物理环境	机房及基础设施	机房及基础设施
安全通信网络	网络结构、通信传输设备、可信验证设备、虚拟化网络结构	传统网络设备、传统安全设备、传统网络结构
安全区域边界	网络设备、安全设备、虚拟网络设备、虚拟安全设备	传统网络设备、传统安全设备、传统网络结构
安全计算环境	网络设备、安全设备、虚拟网络设备、虚拟安全设备、物理机、宿主机、虚拟机、虚拟机监视器、云管理平台、数据库管理系统、终端、应用系统、云应用开发平台、中间件、云业务管理系统、配置文件、镜像文件、快照、业务数据、用户隐私、鉴别信息等	传统主机、数据库管理系统、终端、应用系统、中间件、配置文件、业务数据、用户隐私、鉴别信息等

[1]	Li MA. Research on the Quantitative Calculation Method Resulting from the Conclusions in the Assessment of Classified Protection of Cybersecurity [J]. Netinfo Security, 2020, 20(3): 1-8.
[2]	Yuan TAO, Tao HUANG, Moyan LI, Wei HU. Research on Log Audit Analysis Model of Cyberspace Security Classified Protection Driven by Knowledge Map [J]. Netinfo Security, 2020, 20(1): 46-51.
[3]	ZHENG Guogang. Implementation Methods and Technical Measures for Security Inspection of Important Information Systems [J]. Netinfo Security, 2019, 19(9): 16-20.
[4]	Li MA, Guobang ZHU, Lei LU. Baseline for Classified Protection of Cybersecurity (GB/T 22239-2019) Standard Interpretation [J]. Netinfo Security, 2019, 19(2): 77-84.
[5]	Zhenfeng ZHANG, Zhiwen ZHANG, Ruichao WANG. Model of Cloud Computing Security and Compliance Capability for Classified Protection of Cybersecurity 2.0 [J]. Netinfo Security, 2019, 19(11): 1-7.
[6]	Jie QU, Chunling FAN, Guangyong CHEN, Jintao ZHAO. Research on Establishment of Network Security Service Ability System for A New Era [J]. Netinfo Security, 2019, 19(1): 83-87.
[7]	ZENG Yu, GUO Jinquan. Research of the Security Situation about Industrial Control Information System [J]. 信息网络安全, 2016, 16(9): 169-172.
[8]	LI Tao, ZHANG Chi. Research on Network Security Risk Model Based on the Information Security Level Protection Standards [J]. 信息网络安全, 2016, 16(9): 177-183.
[9]	WANG Qun. Research on Information Security Protection System Based on Security Domain [J]. 信息网络安全, 2015, 15(9): 206-210.
[10]	YUAN Hui-ping. Research and Practice of the Classified Protection System of the Bank Data Center [J]. 信息网络安全, 2015, 15(4): 86-89.
[11]	FENG Rui. Design of Auto-start Control System of Information System Contingency Plan [J]. 信息网络安全, 2014, 14(9): 223-225.
[12]	WEI Feng, JIANG Fan. Assets Recognition and Importance Assessment Based on Information Flow [J]. 信息网络安全, 2014, 14(12): 83-87.