市面仅有的全面解读中国网络安全等级保护标准体系及等级保护实施的读本;
业内专家对中国网络安全等级保护制度的深入阐释;
来自官方团队的中国网络安全等级保护标准体系全面解读;
切实指导中国网络安全等级保护落地实施的指南;
助力一带一路等国外组织和公司在中国做好信息安全合规,确保业务平顺
为配合《中华人民共和国网络安全法》的实施,指导网络运营者贯彻落实网络安全等级保护制度,国家市场监督管理总局、中国国家标准化管理委员会发布了国家标准:《信息安全技术 网络安全等级保护基本要求》(GB/T 22239-2019)(以下简称《基本要求》)。
《基本要求》是网络安全等级保护制度的重要组成部分,是开展网络安全等级保护建设、等级测评等工作的核心标准。正确理解和使用《基本要求》,是有效开展新网络安全等级保护工作的基础。
为便于读者循序渐进地学习、理解《基本要求》,本书首先对该标准所涉及的等级保护基本概念、应用场景等分别进行了介绍,使读者对《基本要求》的结构、适用范围等有一个总体的了解,在此基础上,对《基本要求》各条款进行了详细的解读、说明,便于读者更好地理解和掌握并应用于实际工作中。
Part 1 General Security Requirement
Chapter 1 Basic Concepts of Cybersecurity Classified Protection3
1.1General Security Requirements3
1.2Objects of Classified Protection4
1.3Security Protection Level5
1.4Security Protection Capability6
1.5Security Control Points and Security Requirements6Chapter 2General Introduction of the Baseline for Classified Protection of Cybersecurity
82.1Frame Structure8
2.2General Security Requirements and Extended Security Requirements8
2.2.1General Security Requirements9
2.2.2Extended Security Requirements10
2.3Differences and Key Points of Each Level11
2.3.1Security Physical Environment11
2.3.2Security Communication Network14
2.3.3Security Area Boundary15
2.3.4Security Computing Environment 17
2.3.5Security Management Center20
2.3.6Security Management System21
2.3.7Security Management Organization22
2.3.8Security Management Personnel24
2.3.9Security Development Management25
2.3.10Security Operation and Maintenance Management28Chapter 3Interpretation on the Security General Requirement of LevelⅠand LevelⅡ34
3.1Security Physical Environment34
3.1.1Physical Location Selection34
3.1.2Physical Access Control34
3.1.3Theft and Vandalism Protection35
3.1.4Lightning Protection35
3.1.5Fire Prevention36
3.1.6Water and Moisture Proof36
3.1.7Antistatic37
3.1.8Temperature and Moisture Control37
3.1.9Power Supply37
3.1.10Electromagnetic Protection38
3.2Security Communication Network38
3.2.1Network Architecture38
3.2.2Communication Transmission39
3.2.3Trusted Verification39
3.3Security Area Boundary40
3.3.1Border Protection40
3.3.2Access Control41
3.3.3Intrusion Prevention42
3.3.4Malicious Code Prevention42
3.3.5Security Audit42
3.3.6Trusted Verification43
3.4Security Computing Environment43
3.4.1Network Equipment43
3.4.2Security Equipment47
3.4.3Servers and Terminals50
3.4.4Business Application System54
3.4.5Data Security57
3.5Security Management Center60
3.5.1System Management60
3.5.2Audit Management60
3.6Security Management System61
3.6.1Security Policy61
3.6.2Management System62
3.6.3Development and Release62
3.6.4Review and Revision62
3.7Security Management Organization63
3.7.1Post Setting63
3.7.2Staffing64
3.7.3Authorization and Approval64
3.7.4Communication and Cooperation64
3.7.5Audit and Inspection65
3.8Security Management Personnel66
3.8.1Personnel Recruitment66
3.8.2Personnel Departure66
3.8.3Security Awareness Education and Training66
3.8.4External Access Management67
3.9Security Construction Management68
3.9.1Classification and Filing68
3.9.2Security Scheme Design68
3.9.3Procurement and Use of Products69
3.9.4Independent Software Development69
3.9.5Outsourcing Software Development70
3.9.6Project Implementation70
3.9.7Acceptance Testing71
3.9.8System Delivery71
3.9.9Level Evaluation72
3.9.10Service Provider Selection72
3.10Security Operation and Maintenance Management73
3.10.1Environmental Management73
3.10.2Asset Management73
3.10.3Media Management74
3.10.4Equipment Maintenance Management74
3.10.5Vulnerability and Risk Management75
3.10.6Network and System Security Management75
3.10.7Prevention and Management of Malicious Code76
3.10.8Configuration Management76
3.10.9Cryptography Management77
3.10.10Change Management77
3.10.11Backup and Recovery Management77
3.10.12Security Incident Handling78
3.10.13Emergency Plan Management78
3.10.14Outsourcing Operation and Maintenance Management79Chapter 4Interpretation on the Security General Requirements of Level Ⅲ and Level Ⅳ80
4.1Security Physical Environment80
4.1.1Physical Location Selection80
4.1.2Physical Access Control80
4.1.3Theft and Vandalism Protection81
4.1.4Lightning Protection81
4.1.5Fire Prevention82
4.1.6Waterproof and Moisture Proof83
4.1.7Antistatic83
4.1.8Temperature and Moisture Control83
4.1.9Power Supply84
4.1.10Electromagnetic Protection84
4.2Security Communication Network85
4.2.1Network Architecture85
4.2.2Communication Transmission87
4.2.3Trusted Verification88
4.3Security Area Boundary89
4.3.1Border Protection89
4.3.2Access Control91
4.3.3Intrusion Prevention92
4.3.4Malicious Code and Spam Prevention93
4.3.5Security Audit93
4.3.6Trusted Verification94
4.4Security Computing Environment95
4.4.1Network Equipment95
4.4.2Security Equipment99
4.4.3Servers and Terminals104
4.4.4Business Application System110
4.5Security Management Center117
4.5.1System Management117
4.5.2Audit Management118
4.5.3Security Management119
4.5.4Centralized Control120
4.6Security Management System121
4.6.1Security Policy121
4.6.2Management System122
4.6.3Development and Release122
4.6.4Review and Revision123
4.7Security Management Organization123
4.7.1Post Setting123
4.7.2Staffing124
4.7.3Authorization and Approval124
4.7.4Communication and Cooperation125
4.7.5Audit and Inspection126
4.8Security Management Personnel127
4.8.1Personnel Recruitment127
4.8.2Personnel Departure127
4.8.3Security Awareness Education and Training128
4.8.4External Access Management128
4.9Security Construction Management129
4.9.1Classification and Filing129
4.9.2Security Scheme Design130
4.9.3Procurement and Use of Products130
4.9.4Independent Software Development131
4.9.5Outsourcing Software Development132
4.9.6Project Implementation132
4.9.7Acceptance Testing133
4.9.8System Delivery133
4.9.9Level Evaluation134
4.9.10Service Provider Selection134
4.10Security Operation and Maintenance Management135
4.10.1Environmental Management135
4.10.2Asset Management135
4.10.3Media Management136
4.10.4Equipment Maintenance Management136
4.10.5Vulnerability and Risk Management137
4.10.6Network and System Security Management137
4.10.7Prevention and Management of Malicious Code139
4.10.8Configuration Management139
4.10.9Cryptography Management140
4.10.10Change Management140
4.10.11Backup and Recovery Management140
4.10.12Security Incident Handling141
4.10.13Emergency Plan Management142
4.10.14Outsourcing Operation and Maintenance Management142
Part 2Extended Security Requirement
Chapter 5Extended Requirements for Cloud Computing Security147
5.1Overview of Cloud Computing Security147
5.1.1Introduction of Cloud Computing147
5.1.2Objects of Cloud Computing Classified Protection152
5.1.3Extended Requirements for Cloud Computing Security153
5.1.4Cloud Computing Security Measures and Services156
......
9.1O verview of Big Data Security233
9.1.1Big Data233
9.1.2Big Data Deployment Model233
9.1.3Big Data Processing Model234
9.1.4Big Data Related Security Capabilities234
9.1.5Big Data Security240
9.1.6Patterns of Big Data Related Classification Objects241
9.1.7Security Requirements at All Levels243
9.2Interpretation of Security Requirements for Level Ⅰ and Level Ⅱ Big Data Systems 247
9.2.1Security Physical Environment247
9.2.2Security Communications Network248
9.2.3Security Computing Environment248
9.2.4Security Management Center250
9.2.5Security Development Management251
9.2.6Security Operations Management251
9.3Interpretation of Security Requirements for Level Ⅲ and Level Ⅳ Big Data Systems252
9.3.1Security Physical Environment252
9.3.2Security Communication Network252
9.3.3Security Computing Environment254
9.3.4Security Management Center257
9.3.5Security Development Management259
9.3.6Security Operations and Maintenance Management260
