Interpretation and Implementation of the Bsaeline for Classified Protection of Cybersecurity

Part 1 General Security Requirement
Chapter 1 Basic Concepts of Cybersecurity Classified Protection3
1.1General Security Requirements3
1.2Objects of Classified Protection4
1.3Security Protection Level5
1.4Security Protection Capability6
1.5Security Control Points and Security Requirements6Chapter 2General Introduction of the Baseline for Classified Protection of Cybersecurity
82.1Frame Structure8
2.2General Security Requirements and Extended Security Requirements8
2.2.1General Security Requirements9
2.2.2Extended Security Requirements10
2.3Differences and Key Points of Each Level11
2.3.1Security Physical Environment11
2.3.2Security Communication Network14
2.3.3Security Area Boundary15
2.3.4Security Computing Environment 17
2.3.5Security Management Center20
2.3.6Security Management System21
2.3.7Security Management Organization22
2.3.8Security Management Personnel24
2.3.9Security Development Management25
2.3.10Security Operation and Maintenance Management28Chapter 3Interpretation on the Security General Requirement of LevelⅠand LevelⅡ
34
3.1Security Physical Environment34
3.1.1Physical Location Selection34
3.1.2Physical Access Control34
3.1.3Theft and Vandalism Protection35
3.1.4Lightning Protection35
3.1.5Fire Prevention36
3.1.6Water and Moisture Proof36
3.1.7Antistatic37
3.1.8Temperature and Moisture Control37
3.1.9Power Supply37
3.1.10Electromagnetic Protection38
3.2Security Communication Network38
3.2.1Network Architecture38
3.2.2Communication Transmission39
3.2.3Trusted Verification39
3.3Security Area Boundary40
3.3.1Border Protection40
3.3.2Access Control41
3.3.3Intrusion Prevention42
3.3.4Malicious Code Prevention42
3.3.5Security Audit42
3.3.6Trusted Verification43
3.4Security Computing Environment43
3.4.1Network Equipment43
3.4.2Security Equipment47
3.4.3Servers and Terminals50
3.4.4Business Application System54
3.4.5Data Security57
3.5Security Management Center60
3.5.1System Management60
3.5.2Audit Management60
3.6Security Management System61
3.6.1Security Policy61
3.6.2Management System62
3.6.3Development and Release62
3.6.4Review and Revision62
3.7Security Management Organization63
3.7.1Post Setting63
3.7.2Staffing64
3.7.3Authorization and Approval64
3.7.4Communication and Cooperation64
3.7.5Audit and Inspection65
3.8Security Management Personnel66
3.8.1Personnel Recruitment66
3.8.2Personnel Departure66
3.8.3Security Awareness Education and Training66
3.8.4External Access Management67
3.9Security Construction Management68
3.9.1Classification and Filing68
3.9.2Security Scheme Design68
3.9.3Procurement and Use of Products69
3.9.4Independent Software Development69
3.9.5Outsourcing Software Development70
3.9.6Project Implementation70
3.9.7Acceptance Testing71
3.9.8System Delivery71
3.9.9Level Evaluation72
3.9.10Service Provider Selection72
3.10Security Operation and Maintenance Management73
3.10.1Environmental Management73
3.10.2Asset Management73
3.10.3Media Management74
3.10.4Equipment Maintenance Management74
3.10.5Vulnerability and Risk Management75
3.10.6Network and System Security Management75
3.10.7Prevention and Management of Malicious Code76
3.10.8Configuration Management76
3.10.9Cryptography Management77
3.10.10Change Management77
3.10.11Backup and Recovery Management77
3.10.12Security Incident Handling78
3.10.13Emergency Plan Management78
3.10.14Outsourcing Operation and Maintenance Management79Chapter 4Interpretation on the Security General Requirements of Level Ⅲ and Level Ⅳ80
4.1Security Physical Environment80
4.1.1Physical Location Selection80
4.1.2Physical Access Control80
4.1.3Theft and Vandalism Protection81
4.1.4Lightning Protection81
4.1.5Fire Prevention82
4.1.6Waterproof and Moisture Proof83
4.1.7Antistatic83
4.1.8Temperature and Moisture Control83
4.1.9Power Supply84
4.1.10Electromagnetic Protection84
4.2Security Communication Network85
4.2.1Network Architecture85
4.2.2Communication Transmission87
4.2.3Trusted Verification88
4.3Security Area Boundary89
4.3.1Border Protection89
4.3.2Access Control91
4.3.3Intrusion Prevention92
4.3.4Malicious Code and Spam Prevention93
4.3.5Security Audit93
4.3.6Trusted Verification94
4.4Security Computing Environment95
4.4.1Network Equipment95
4.4.2Security Equipment99
4.4.3Servers and Terminals104
4.4.4Business Application System110
4.5Security Management Center117
4.5.1System Management117
4.5.2Audit Management118
4.5.3Security Management119
4.5.4Centralized Control120
4.6Security Management System121
4.6.1Security Policy121
4.6.2Management System122
4.6.3Development and Release122
4.6.4Review and Revision123
4.7Security Management Organization123
4.7.1Post Setting123
4.7.2Staffing124
4.7.3Authorization and Approval124
4.7.4Communication and Cooperation125
4.7.5Audit and Inspection126
4.8Security Management Personnel127
4.8.1Personnel Recruitment127
4.8.2Personnel Departure127
4.8.3Security Awareness Education and Training128
4.8.4External Access Management128
4.9Security Construction Management129
4.9.1Classification and Filing129
4.9.2Security Scheme Design130
4.9.3Procurement and Use of Products130
4.9.4Independent Software Development131
4.9.5Outsourcing Software Development132
4.9.6Project Implementation132
4.9.7Acceptance Testing133
4.9.8System Delivery133
4.9.9Level Evaluation134
4.9.10Service Provider Selection134
4.10Security Operation and Maintenance Management135
4.10.1Environmental Management135
4.10.2Asset Management135
4.10.3Media Management136
4.10.4Equipment Maintenance Management136
4.10.5Vulnerability and Risk Management137
4.10.6Network and System Security Management137
4.10.7Prevention and Management of Malicious Code139
4.10.8Configuration Management139
4.10.9Cryptography Management140
4.10.10Change Management140
4.10.11Backup and Recovery Management140
4.10.12Security Incident Handling141
4.10.13Emergency Plan Management142
4.10.14Outsourcing Operation and Maintenance Management142
Part 2Extended Security Requirement
Chapter 5Extended Requirements for Cloud Computing Security147
5.1Overview of Cloud Computing Security147
5.1.1Introduction of Cloud Computing147
5.1.2Objects of Cloud Computing Classified Protection152
5.1.3Extended Requirements for Cloud Computing Security153
5.1.4Cloud Computing Security Measures and Services156
5.2Interpretation of Security Requirements for Level Ⅰ and Level Ⅱ Cloud Computing Systems159
5.2.1Security Physical Environment160
5.2.2Security Communications Network160
5.2.3Security Area Boundary161
5.2.4Security Computing Environment164
5.2.5Security Development Management167
5.2.6Security Operations and Maintenance Management169
5.3Interpretation of Security Requirements for Level Ⅲ and Level Ⅳ Cloud Computing Systems169
5.3.1Security Physical Environment170
5.3.2Security Communication Network170
5.3.3Security Area Boundary172
5.3.4Security Computing Environment175
5.3.5Security Management Center180
5.3.6Security Development Management181
5.3.7Security Operations and Maintenance Management183
Chapter 6 Extended Requirements for Mobile Internet Security184
6.1Overview of Mobile Internet Security184
6.1.1Features of Mobile Internet Systems184
6.1.2Mobile Internet System Framework184
6.1.3Protection Objects of Mobile Internet System185
6.2Interpretation of Security Requirements for Level Ⅰ and Level Ⅱ Mobile Internet Systems186
6.2.1Security Physical Environment186
6.2.2Security Area Boundary187
6.2.3Security Computing Environment190
6.2.4Security Development Management191
6.3Interpretation of Security Requirements for Level Ⅲ and Level Ⅳ Mobile Internet Systems192
6.3.1Security Physical Environment192
6.3.2Security Area Boundary194
6.3.3Security Computing Environment198
6.3.4Security Development Management200
6.3.5Security Operations and Maintenance Management202
Chapter 7 Extended Requirements for Internet of Things Security203
7.1Overview of Internet of Things Security203
7.1.1Features of the Internet of Things System203
7.1.2Internet of Things Security Architecture203
7.1.3Key Technologies for Internet of Things Security205
7.1.4Standard Level Differences in General Security Requirements for Internet of Things 206
7.2Interpretation of Security Requirements for Level Ⅰ and Level Ⅱ Internet of Things Systems209
7.2.1Security Physical Environment209
7.2.2Security Area Boundary210
7.2.3Security Operations and Maintenance Management211
7.3Interpretation of Security Requirements for Level Ⅲ and Level Ⅳ Internet of Things Systems212
7.3.1Security Physical Environment212
7.3.2Security Area Boundary212
7.3.3Security Computing Environment213
7.3.4Security Operations and Maintenance Management215
Chapter 8 Extended Requirements for Industrial Control Systems Security217
8.1Overview of Industrial Control Systems Security217
8.1.1Features of Industrial Control Systems217
8.1.2Functional Hierarchical Model for Industrial Control Systems217
8.1.3Protection Objects of Functional Hierarchy in Industrial Control System219
8.1.4Overview of Extended Requirements for Industrial Control Systems Security220
8.2Interpretation of Security Requirements for Level Ⅰ and Level Ⅱ Industrial Control Systems221
8.2.1Security Physical Environment221
8.2.2Security Communications Network222
8.2.3Security Area Boundary223
8.2.4Security Computing Environment224
8.2.5Security Development Management225
8.3Interpretation of Security Requirements for Level Ⅲ and Level Ⅳ Industrial Control Systems226
8.3.1Security Physical Environment226
8.3.2Security Communications Network226
8.3.3Security Area Boundary228
8.3.4Security Computing Environment230
8.3.5Security Development Management231
Chapter 9 Extended Requirements for Big Data Security233
9.1O verview of Big Data Security233
9.1.1Big Data233
9.1.2Big Data Deployment Model233
9.1.3Big Data Processing Model234
9.1.4Big Data Related Security Capabilities234
9.1.5Big Data Security240
9.1.6Patterns of Big Data Related Classification Objects241
9.1.7Security Requirements at All Levels243
9.2Interpretation of Security Requirements for Level Ⅰ and Level Ⅱ Big Data Systems 247
9.2.1Security Physical Environment247
9.2.2Security Communications Network248
9.2.3Security Computing Environment248
9.2.4Security Management Center250
9.2.5Security Development Management251
9.2.6Security Operations Management251
9.3Interpretation of Security Requirements for Level Ⅲ and Level Ⅳ Big Data Systems252
9.3.1Security Physical Environment252
9.3.2Security Communication Network252
9.3.3Security Computing Environment254
9.3.4Security Management Center257
9.3.5Security Development Management259
9.3.6Security Operations and Maintenance Management260