關(guān)于我們
書單推薦
新書推薦
|
Interpretation and Implementation of the Bsaeline for Classified Protection of Cybersecurity
本書為針對(duì)國(guó)家市場(chǎng)監(jiān)督管理總局、中國(guó)國(guó)家標(biāo)準(zhǔn)化管理委員會(huì)發(fā)布的國(guó)家標(biāo)準(zhǔn):《信息安全技術(shù) 網(wǎng)絡(luò)安全等級(jí)保護(hù)基本要求》的應(yīng)用指南,為便于讀者循序漸進(jìn)地學(xué)習(xí)、理解該基本要求,本書首先對(duì)該基本要求所涉及的等級(jí)保護(hù)基本概念、應(yīng)用場(chǎng)景等分別進(jìn)行了介紹,使讀者對(duì)其結(jié)構(gòu)、適用范圍等有一個(gè)總體的了解。在此基礎(chǔ)上,本書還對(duì)該基本要求的條款進(jìn)行了詳細(xì)的解讀、說(shuō)明,以幫助讀者更好地理解和掌握并應(yīng)用于實(shí)際工作中。
本書適合計(jì)算機(jī)及相關(guān)專業(yè)人員閱讀。
市面僅有的全面解讀中國(guó)網(wǎng)絡(luò)安全等級(jí)保護(hù)標(biāo)準(zhǔn)體系及等級(jí)保護(hù)實(shí)施的讀本; 業(yè)內(nèi)專家對(duì)中國(guó)網(wǎng)絡(luò)安全等級(jí)保護(hù)制度的深入闡釋; 來(lái)自官方團(tuán)隊(duì)的中國(guó)網(wǎng)絡(luò)安全等級(jí)保護(hù)標(biāo)準(zhǔn)體系全面解讀; 切實(shí)指導(dǎo)中國(guó)網(wǎng)絡(luò)安全等級(jí)保護(hù)落地實(shí)施的指南; 助力一帶一路等國(guó)外組織和公司在中國(guó)做好信息安全合規(guī),確保業(yè)務(wù)平順 Foreword On June 1, 2017, the Cybersecurity Law of the People’s Republic of China was officially implemented. Serving as the basic law in cybersecurity field, it is clearly stipulated that the state should implement the system of classified protection of cybersecurity, and that the critical information infrastructure should be protected on the basis of the system. It is legally established that the system of classified protection of network security is the basic system in the field of network security in China. At present, cybersecurity protection has entered the era of 2.0. In May 2019, the National Standardization Committee officially issued GB/T 22239—2019 the Baseline for Cybersecurity Classified Protection (hereinafter referred to as the Baseline). The Baseline is the core standard to guide operators to carry out cybersecurity classified protection construction rectification, level evaluation and other practices. The correct understanding and application of this standard is the basis for the deep implementation of the national cybersecurity classified protection system. In order to cooperate with the implementation and application of cybersecurity classified protection system in 2.0 Era under the new situation, combined with the cybersecurity practices in recent years, we developed this book for users reference. This book interprets the standard content of general security requirements in basic requirements in detail. We hope that readers can better understand and master the new standard of cybersecurity classified protection system in 2.0 Era through this book. Please refer to other related books for the interpretation of the standard content of the extended security requirements in the basic requirements. The chief editor of this book is Guo Qiquan, the associate editors in chief are Liu Jianwei and Wang Xinjie, and other main contributors are Guo Qiquan, Liu Jianwei, Wang Xinjie, Zhu Guobang, Fan Chunling, Pan Wenbo, Wang Lianqiang, and Yang Yuzhong.
the Author July 10, 2021
Introduction The Cybersecurity Law of the People’s Republic of China was formally implemented on June 1, 2017, which clearly stipulated that the State shall implement the system of classified protection of cybersecurity, and proposed that the critical information infrastructure shall be specifically protected on the basis of the cybersecurity classified protection system. For further promotion of the implementation of the cybersecurity classified protection system, the Cybersecurity Bureau under the Ministry of Public Security has organized the technical support units of cybersecurity classified protection to upgrade and revise the standard system of the multilevel security protection and issued a series of muchneeded national standards related to classified protection of cybersecurity, such as Information Security Technology—Baseline for Classified Protection of Cybersecurity (GB/T 22239—2019) . Among them, GB/T 22239—2019 is the core standard to guide users to carry out security development rectification, classified evaluation of classified protection of cybersecurity. The correct understanding and use of this standard is the basis for the smooth deployment of cybersecurity classified protection work under the new situation. The Cybersecurity Bureau under the Ministry of Public Security organized and formed an application guide drafting group consists of several excellent evaluation agencies and cybersecurity product and solution providers. This set of application guide series is compiled for users reference from standard terms interpretation, related products and services, and application scenarios. This book interprets in detail the content of the extended security requirements in the GB/T 22239—2019 in the hope that readers can better understand and comprehend the new standard content of cybersecurity classified protection 2.0, and carry out the development and rectification work of cybersecurity classified protection. For a detailed interpretation of the general security requirements section in the GB/T 22239—2019, please refer to other relevant books. Due to the limited knowledge of the authors, there are inevitably some inadequacies in this book, please feel free to kindly provide your feedback and correction.
郭啟權(quán),公安部網(wǎng)絡(luò)安全保護(hù)局總工程師。 Part 1 General Security Requirement Chapter 1 Basic Concepts of Cybersecurity Classified Protection3 1.1General Security Requirements3 1.2Objects of Classified Protection4 1.3Security Protection Level5 1.4Security Protection Capability6 1.5Security Control Points and Security Requirements6Chapter 2General Introduction of the Baseline for Classified Protection of Cybersecurity 82.1Frame Structure8 2.2General Security Requirements and Extended Security Requirements8 2.2.1General Security Requirements9 2.2.2Extended Security Requirements10 2.3Differences and Key Points of Each Level11 2.3.1Security Physical Environment11 2.3.2Security Communication Network14 2.3.3Security Area Boundary15 2.3.4Security Computing Environment 17 2.3.5Security Management Center20 2.3.6Security Management System21 2.3.7Security Management Organization22 2.3.8Security Management Personnel24 2.3.9Security Development Management25 2.3.10Security Operation and Maintenance Management28Chapter 3Interpretation on the Security General Requirement of LevelⅠand LevelⅡ34 3.1Security Physical Environment34 3.1.1Physical Location Selection34 3.1.2Physical Access Control34 3.1.3Theft and Vandalism Protection35 3.1.4Lightning Protection35 3.1.5Fire Prevention36 3.1.6Water and Moisture Proof36 3.1.7Antistatic37 3.1.8Temperature and Moisture Control37 3.1.9Power Supply37 3.1.10Electromagnetic Protection38 3.2Security Communication Network38 3.2.1Network Architecture38 3.2.2Communication Transmission39 3.2.3Trusted Verification39 3.3Security Area Boundary40 3.3.1Border Protection40 3.3.2Access Control41 3.3.3Intrusion Prevention42 3.3.4Malicious Code Prevention42 3.3.5Security Audit42 3.3.6Trusted Verification43 3.4Security Computing Environment43 3.4.1Network Equipment43 3.4.2Security Equipment47 3.4.3Servers and Terminals50 3.4.4Business Application System54 3.4.5Data Security57 3.5Security Management Center60 3.5.1System Management60 3.5.2Audit Management60 3.6Security Management System61 3.6.1Security Policy61 3.6.2Management System62 3.6.3Development and Release62 3.6.4Review and Revision62 3.7Security Management Organization63 3.7.1Post Setting63 3.7.2Staffing64 3.7.3Authorization and Approval64 3.7.4Communication and Cooperation64 3.7.5Audit and Inspection65 3.8Security Management Personnel66 3.8.1Personnel Recruitment66 3.8.2Personnel Departure66 3.8.3Security Awareness Education and Training66 3.8.4External Access Management67 3.9Security Construction Management68 3.9.1Classification and Filing68 3.9.2Security Scheme Design68 3.9.3Procurement and Use of Products69 3.9.4Independent Software Development69 3.9.5Outsourcing Software Development70 3.9.6Project Implementation70 3.9.7Acceptance Testing71 3.9.8System Delivery71 3.9.9Level Evaluation72 3.9.10Service Provider Selection72 3.10Security Operation and Maintenance Management73 3.10.1Environmental Management73 3.10.2Asset Management73 3.10.3Media Management74 3.10.4Equipment Maintenance Management74 3.10.5Vulnerability and Risk Management75 3.10.6Network and System Security Management75 3.10.7Prevention and Management of Malicious Code76 3.10.8Configuration Management76 3.10.9Cryptography Management77 3.10.10Change Management77 3.10.11Backup and Recovery Management77 3.10.12Security Incident Handling78 3.10.13Emergency Plan Management78 3.10.14Outsourcing Operation and Maintenance Management79Chapter 4Interpretation on the Security General Requirements of Level Ⅲ and Level Ⅳ80 4.1Security Physical Environment80 4.1.1Physical Location Selection80 4.1.2Physical Access Control80 4.1.3Theft and Vandalism Protection81 4.1.4Lightning Protection81 4.1.5Fire Prevention82 4.1.6Waterproof and Moisture Proof83 4.1.7Antistatic83 4.1.8Temperature and Moisture Control83 4.1.9Power Supply84 4.1.10Electromagnetic Protection84 4.2Security Communication Network85 4.2.1Network Architecture85 4.2.2Communication Transmission87 4.2.3Trusted Verification88 4.3Security Area Boundary89 4.3.1Border Protection89 4.3.2Access Control91 4.3.3Intrusion Prevention92 4.3.4Malicious Code and Spam Prevention93 4.3.5Security Audit93 4.3.6Trusted Verification94 4.4Security Computing Environment95 4.4.1Network Equipment95 4.4.2Security Equipment99 4.4.3Servers and Terminals104 4.4.4Business Application System110 4.5Security Management Center117 4.5.1System Management117 4.5.2Audit Management118 4.5.3Security Management119 4.5.4Centralized Control120 4.6Security Management System121 4.6.1Security Policy121 4.6.2Management System122 4.6.3Development and Release122 4.6.4Review and Revision123 4.7Security Management Organization123 4.7.1Post Setting123 4.7.2Staffing124 4.7.3Authorization and Approval124 4.7.4Communication and Cooperation125 4.7.5Audit and Inspection126 4.8Security Management Personnel127 4.8.1Personnel Recruitment127 4.8.2Personnel Departure127 4.8.3Security Awareness Education and Training128 4.8.4External Access Management128 4.9Security Construction Management129 4.9.1Classification and Filing129 4.9.2Security Scheme Design130 4.9.3Procurement and Use of Products130 4.9.4Independent Software Development131 4.9.5Outsourcing Software Development132 4.9.6Project Implementation132 4.9.7Acceptance Testing133 4.9.8System Delivery133 4.9.9Level Evaluation134 4.9.10Service Provider Selection134 4.10Security Operation and Maintenance Management135 4.10.1Environmental Management135 4.10.2Asset Management135 4.10.3Media Management136 4.10.4Equipment Maintenance Management136 4.10.5Vulnerability and Risk Management137 4.10.6Network and System Security Management137 4.10.7Prevention and Management of Malicious Code139 4.10.8Configuration Management139 4.10.9Cryptography Management140 4.10.10Change Management140 4.10.11Backup and Recovery Management140 4.10.12Security Incident Handling141 4.10.13Emergency Plan Management142 4.10.14Outsourcing Operation and Maintenance Management142 Part 2Extended Security Requirement Chapter 5Extended Requirements for Cloud Computing Security147 5.1Overview of Cloud Computing Security147 5.1.1Introduction of Cloud Computing147 5.1.2Objects of Cloud Computing Classified Protection152 5.1.3Extended Requirements for Cloud Computing Security153 5.1.4Cloud Computing Security Measures and Services156 ...... 9.1O verview of Big Data Security233 9.1.1Big Data233 9.1.2Big Data Deployment Model233 9.1.3Big Data Processing Model234 9.1.4Big Data Related Security Capabilities234 9.1.5Big Data Security240 9.1.6Patterns of Big Data Related Classification Objects241 9.1.7Security Requirements at All Levels243 9.2Interpretation of Security Requirements for Level Ⅰ and Level Ⅱ Big Data Systems 247 9.2.1Security Physical Environment247 9.2.2Security Communications Network248 9.2.3Security Computing Environment248 9.2.4Security Management Center250 9.2.5Security Development Management251 9.2.6Security Operations Management251 9.3Interpretation of Security Requirements for Level Ⅲ and Level Ⅳ Big Data Systems252 9.3.1Security Physical Environment252 9.3.2Security Communication Network252 9.3.3Security Computing Environment254 9.3.4Security Management Center257 9.3.5Security Development Management259 9.3.6Security Operations and Maintenance Management260
你還可能感興趣
我要評(píng)論
|