GA/T 391-2002 Requirements for the management of security level protection of computer information systems
ICS 35.020
People's Republic of China Public Security Industry Standard
GA/T 391-2002
Management Requirements for Computer Information System Classified Security Protection
Issued on 2002-07-18
Implementation on 2002-07-18
Issued by the Ministry of Public Security of the People's Republic of China
1 Scope
2 Normative Reference Documents
3 Terms and Definitions
4 Overview of Information System Security Management
4.1 Connotation of Information System Security Management
4.2 Main Security Elements
4.3 Basic Principles of Information System Security Management
4.4 Process of Security Management
4.5 Security Management Organization
4.6 Personnel Security
4.7 Security Management System
5 Security Level Information System Management Requirements
5.1 First level (User autonomy protection level): Implement basic management
5.2 Second level (System audit protection level): Implement operating procedures management
5.3 Third level (Security label protection level): Implement label institutionalization management
5.4 Fourth level (Structured protection level): Implement standardized management
5.5 Fifth level (Access verification protection level): Implement security culture management
Appendix A Security management level elements
A.1 Management objectives and scope
A.2 Personnel and responsibility requirements
A.3 Physical security management requirements
A.4 System security requirements
A.5 Network security management requirements
A.6 Application system security management requirements
A.7 Operational security management requirements
A.7.1 Risk management requirements
A.7.2 Life cycle management requirements
A.7.3 Security awareness education and training requirements
A.7.4 Virus protection management requirements
A.7.5 Security management requirements for third-party access
A.7.6 Emergency plan and disaster recovery plan security management requirements
A.7.7 Change control management requirements
A.8 Personnel security management requirements
References
Figure 1 Main security elements and relationships
Figure 2 Computer information system security management process model
Figure 3 Security management organizational structure
Table 1 Security objectives and scope level requirements
Table 2 Personnel and responsibility level requirements
Table 3 Physical security management level requirements
Table 4 System security management level requirements
Table 5 Network security management level requirements
Table 6 Application system security management level requirements
Table 7 Operational security management level requirements
Table 8 Risk management level requirements
Table 9 Lifecycle management level requirements
Table 10 Security awareness education and training level requirements
Table 11 Virus protection management level requirements
Table 12 Security management level requirements for third-party access
Table 13 Security management level requirements for emergency plans and disaster recovery plans
Table 14 Change control management level requirements
Table 15 Personnel security management level requirements
Foreword
This standard is the management requirement of GB17859-1999 "Guidelines for the Classification of Security Protection Levels of Computer Information Systems" and is compiled in accordance with the provisions of the "Regulations of the People's Republic of China on the Security Protection of Computer Information Systems" (promulgated by Order No. 147 of the State Council of the People's Republic of China on February 18, 1994).
This standard is one of the important standards in the GB17859-1999 series of supporting standards. The general technical requirements, operating system requirements, network requirements, database requirements, engineering requirements, and evaluation requirements related to GB17859-1999 together constitute the security level protection system of computer information systems. The security level protection system of computer information systems implements protection for computer information system resources from the management level, physical level, system level, network level, application level, and operation level of computer information systems. As a supporting service for computer information system security protection, the management level runs through the other five levels and is the guarantee for the implementation of security level protection at the other five levels. This standard absorbs the management concept of ISO/IEC TR 13335 [1][2][3][4][5], and proposes more detailed process requirements than ISO/IEC TR 13335 in combination with the computer information system security process. It refines the relevant contents of ISO/IEC 17799 [6] and discusses the overall requirements of security process and security administration. This standard clearly puts forward the security management requirements for the management layer, physical layer, network layer, system layer, application layer and operation layer, and implements the management requirements to the five levels of GB17859-1999, which is more conducive to the inheritance, understanding, division of labor and implementation of security management, and more conducive to the evaluation and inspection of security management.
Since the division of protection levels in GB17859-1999 is formulated with full consideration of the relationship between security technology and security risk control, the higher the security level, the higher the cost of security technology and management costs, so as to resist greater security threats, effectively establish security confidence and reduce IT use risks.
In this standard, unless otherwise specified, information system refers to computer information system, and security management refers to computer information system security management.
This standard is proposed by the Public Information Network Security Supervision Bureau of the Ministry of Public Security.
This standard is under the jurisdiction of the Information System Security Standardization Technical Committee of the Ministry of Public Security.
Drafting unit of this standard: Beijing Jiangnan Keyou Technology Co., Ltd.
The main drafters of this standard are: Wang Zhiqiang, Yan Jiyi, Zhao Zhansheng, Huang Yunfei, Zhou Siyuan, Fu Jinsong, Wenfang m
Introduction
GB17859-1999 is an important standard for information security level management of computer information systems in China. It was issued on September 13, 1999. Its supporting related standards include:
a) Computer information system security level protection technical requirements series standards;
b) Computer information system security level protection evaluation criteria series standards;
c) Computer information system security level protection engineering requirements series standards;
d) Computer information system security level protection management requirements.
If this standard has any content that conflicts, is inconsistent or incompatible with relevant national laws and regulations, it shall be implemented in accordance with relevant national laws and regulations. Computer information systems involving state secrets shall be implemented in accordance with the regulations of relevant national departments. This standard proposes requirements for computer information system security management for computer information systems and provides a benchmark for selecting security protection levels. Each unit shall select the security protection level of the computer information system according to the security requirements for the computer information system, and establish a specific computer information system security management system and security standards based on the corresponding benchmarks of this standard, implement effective security management, and ensure the security of the computer information system.
Requirements for the management of computer information system security level protection
1 Scope
This standard specifies the management requirements for computer information system security level protection in accordance with GB17859-1999.
This standard applies to the security management of computer information system security level protection implemented by relevant departments in accordance with relevant national regulations.
2 Normative references
The clauses in the following documents become the clauses of this standard through reference in this standard. For all dated referenced documents, all subsequent amendments (excluding errata) or revisions are not applicable to this standard. However, the parties to the agreement based on this standard are encouraged to study whether the latest versions of these documents can be used. For all undated referenced documents, the latest versions shall apply to this standard.
GB17859-1999 Computer Information System Security Level Classification Criteria
GA/TXX1-XXXX Computer Information System Security Level Protection General Technical Requirements
GA/TXX2-XXXX Computer Information System Security Level Protection Operating System Requirements
GA/TXX3-XXXX Computer Information System Security Level Protection Database Requirements
GA/TXX4-XXXX Computer Information System Security Level Protection Network Requirements
GA/TXXX-XXXX Computer Information System Security Level Protection Engineering Requirements
GA/TXXX-XXXX Computer Information System Security Level Protection Assessment Requirements
Regulations of the People's Republic of China on Computer Information System Security Protection (Promulgated by Order No. 147 of the State Council of the People's Republic of China on February 18, 1994)
3 Terms and Definitions
The terms and definitions established in GB17859-1999 and the following apply to this standard.
Confidentiality
This property prevents information from being disclosed to unauthorized individuals, entities or processes, and from being used by them. [GB/T 9387.2-1995, 3.3.16]
Data integrity
This property indicates that data has not been tampered with or destroyed in an unauthorized manner. [GB/T 9387.2-1995, 3.3.21]
Availability
Can be accessed and used according to the request of the authorized entity. [GB/T 9387.2-1995, 3.3.11]
Accountability
A property that ensures that the role of an entity can be uniquely traced to that entity. [GB/T 9387.2-1995, 3.3.3]
Access control
Prevent unauthorized use of resources, including preventing the use of a resource in an unauthorized manner. [GB/T 9387.2-1995, 3.3.1]
Security audit
Independent observation and assessment of system records and activities to test the adequacy of system controls, to ensure compliance with established policies and operational procedures, to discover security gaps, and to recommend any specified changes in controls, policies, and procedures. [GB/T 9387.2-1995, 3.3.47]
Audit trail (security audit trail)
Data collected and used to facilitate security audits. [GB/T 9387.2-1995, 3.3.48]
Threat
A potential violation of security. [GB/T 9387.2-1995, 3.3.55]
Authentication information
Information used to establish the validity of an identity. [GB/T 9387.2-1995, 3.3.8]
Authorization
Granting authority, including allowing access based on access rights. [GB/T 9387.2-1995, 3.3.10]
Sensitivity
A characteristic of a resource, which means the value or importance of the resource, and may also include the vulnerability of the resource. [GB/T 9387.2-1995, 3.3.53]
Password
Confidential authentication information, usually consisting of a string of characters. [GB/T 9387.2-1995, 3.3.39]
Information system security management system (information system security management architecture)
A collection of a series of interrelated or interacting supporting service elements that achieve the security goals of an organization or institution's computer information system through planning, organization, leadership, control and other measures. These elements include computer information system security organizations or institutions, computer information system security management system documents, control measures, operating processes and procedures and other related resources.
Risk assessment
Asset value assessment of the possibility and consequences of risk factors such as threats to information, information processing facilities, information processing processes and information system management, and improper protection of system weaknesses.
Security policy
Regulations and implementation details for the management, protection, control and release of security-related resources in computer information systems, especially sensitive information. A computer information system can have one or more security policies.
4 Overview of information system security management
4.1 Connotation of information system security management
Information system security management is the scientific management of the entire life cycle of the information system in an organization or institution in accordance with the security level responsibility requirements. It includes:
a) Implement security organization and security management personnel, clarify roles and responsibilities, and formulate security plans;
b) Develop security strategies;
c) Implement risk management;
d) Formulate business continuity plans and disaster recovery plans;
e) Select and implement security measures;
f) Ensure the correctness and security of configuration and changes;
g) Conduct security audits;
h) Ensure maintenance support;
i) Monitor, inspect, and handle security incidents;
j) Security awareness and security education;
k) Personnel safety management, etc.
4.2 Main security elements
[Figure: Main security elements and relationships (diagram relating asset owner, protection measures, vulnerability and threat subject)]
1. Assets
Mainly include:
Support facilities (for example, buildings, power supply, water supply, air conditioning, etc.);
Hardware assets (e.g., computer equipment such as processors, monitors, laptops, modems; communication facilities such as routers, digital program-controlled switches, fax machines, answering machines; storage media such as disks, CDs, etc.);
Information assets (e.g., databases and data files, system files, user manuals, training materials, operating and support procedures, continuity plans, backup system arrangements, access information, etc.);
Software assets (e.g., application software, system software, development tools and utilities, etc.);
Production capacity or service capacity;
Personnel;
Intangible assets (e.g., reputation, image), etc.
2. Threats
Mainly include natural threats and man-made threats. Natural threats include earthquakes, lightning strikes, floods, fires, static electricity, rodent infestation, and power failures. Human threats are divided into:
a) Theft threats, such as stealing equipment, stealing data, misappropriating computing resources, etc.;
b) Destruction threats, such as destroying equipment, destroying data files, introducing malicious code, etc.;
c) Processing threats, such as inserting false inputs, concealing certain outputs, electronic deception, unauthorized changes to files, modifying programs, and changing equipment configuration, etc.;
d) Operational errors and negligence threats, such as accidental deletion, storage and modification of data files, disk misoperation, etc.;
e) Management threats, such as weak security awareness, incomplete security system, confusion of job responsibilities, poor auditing, improper equipment selection, personnel management loopholes, etc.;
f) and so on.
3. Vulnerability
Vulnerabilities related to assets include weaknesses in physical layout, organization, procedures, personnel, management, administration, hardware, software or information; system-related vulnerabilities include the vulnerable characteristics of distributed systems.
4. Impact of unexpected events
Events that affect asset security, whether intentional or sudden, may destroy assets, damage information systems, and affect confidentiality, integrity, availability and controllability. Possible indirect consequences include endangering national security, social stability, causing economic losses, and damaging the social image of environmental organizations or institutions.
5. Risk
Risk is the potential possibility that a threat will use the vulnerability of the exposed system to cause losses to the assets of an organization or institution. Risk is assessed by two indicators: the probability of an unexpected event and the possible impact after it occurs. Due to the limitations of protection measures, information systems will always face more or less residual risks, and organizations or institutions should consider the degree of acceptance of residual risks.
6. Safeguards
Safeguards are practices, procedures, and mechanisms implemented to counter threats, reduce vulnerabilities, limit the impact of incidents, detect incidents, and facilitate disaster recovery. Safeguards should be considered to achieve one or more of the following functions: prevention, delay, block, detection, limitation, correction, recovery, monitoring, and awareness or reinforcement. Areas of action for safeguards may include the physical environment, technical environment (such as hardware, software, and communications), personnel, and administration. Safeguards may include: access control mechanisms, anti-virus software, encryption, digital signatures, firewalls, monitoring and analysis tools, backup power, and information backup. When selecting safeguards, consider factors that affect security that are determined by the operating environment of the organization or institution, such as organizational, business, financial, environmental, personnel, time, legal, and technical boundary conditions, as well as cultural or social factors.
4.3 Basic principles of information system security management
1. General principles of information system security management
a) Principle of main leaders' responsibility
Information security protection is related to the overall situation and affects the overall situation of organizations and institutions. The main leaders of organizations and institutions should list information security as one of their most important tasks, and be responsible for improving and strengthening the security awareness of department personnel, organizing effective teams, mobilizing and optimizing the allocation of necessary resources and funds, coordinating the relationship between security management work and the work of various departments, and ensuring implementation and effectiveness.
b) Principle of standardization and classification
Organizations and institutions should determine the corresponding computer information system security protection level based on the importance and sensitivity of their computer information systems and applications and the objective conditions of their own resources. After completing the corresponding approval procedures, they should strictly comply with the normative requirements of the corresponding level, formulate corresponding security strategies, and implement them conscientiously.
c) Principle of administration according to law
Information security management is mainly reflected in administrative behavior. Therefore, it is necessary to ensure that the administrative subject of information system security is legal, the administrative behavior is legal, the administrative content is legal, and the administrative procedure is legal.
d) Principle of people-oriented
Threat and protection are the themes of security management work, and they are largely subject to human factors. Strengthening information security education, training and management, strengthening security awareness and legal concepts, improving professional ethics, mastering security technology, and ensuring the implementation of measures are important guarantees for good information security management.
e) Principle of moderate security
The continuous increase in security needs and the limitations of actual resources put security decisions in a dilemma. Properly balancing security investment and effect is the starting point for handling security management work from a global perspective.
f) Principle of comprehensive prevention and highlighting key points
Comprehensive prevention is the key to ensuring the security of computer information systems. It requires the use of multiple technologies in multiple links such as early warning, protection, detection, response, recovery and tracking from the perspectives of personnel, management and technology. At the same time, we should start from the actual situation of the organization and institution and highlight the focus of our own security management.
g) System and dynamic principle
The system characteristics of security management work should be highlighted. According to the requirements of system engineering, attention should be paid to the mutual coordination, matching and connection of various aspects, levels and periods, so as to reflect the system integration effect and the benefits of the initial investment. At the same time, security is also a state and dynamic feedback process. With the changes in the spatial and temporal distribution of security interests and system vulnerabilities, the increase in the degree of threat, the changes in the system environment and the deepening of personnel's understanding of system security, the existing security strategies, risk acceptance levels and protection measures should be reviewed, modified, adjusted and even the security management level should be upgraded in a timely manner.
h) Principle of controlling social impact
When security incidents are handled, accurate and consistent information should be disclosed and released promptly by the authorized person, to avoid adverse social impacts.
2. Main security management strategies
a) Separation of powers and checks and balances
The principle of separation of powers and checks and balances is adopted to reduce the chances of unauthorized modification or abuse of system resources, and the management execution functions of specific functions or areas of responsibility are separated and independently audited to avoid excessive concentration of operational power.
b) Least privileges
Any entity (such as user, administrator, process, application or system) only enjoys the privileges necessary for the entity to complete its tasks, and should not enjoy any unnecessary privileges.
c) Select mature technology
Mature technology provides reliability and stability guarantees. When adopting new technologies, its maturity should be emphasized. If new technologies are imperative, they should first be piloted locally and then gradually promoted to reduce or avoid possible losses.
d) Universal participation
Regardless of the security level of the information system, it is required that the personnel involved in the information system participate universally and cooperate and coordinate with relevant social parties to jointly ensure the security of the information system.
4.4 The process of security management
1. Security management process model
Figure 1 shows a computer information system security management process model. Security management is a process of continuous development and revision throughout the life cycle of information systems, involving security risk management at the information system management level, physical level, network level, operating system level, application system level and operation level. Security management of the above-mentioned levels of information systems is the basis for ensuring the correct, safe and effective security technology, security engineering and security operation of information systems. In the security management process model, the management work of each stage has different focuses and requirements.
[Figure: Computer information system security management process model. Elements shown: security goals; security goals, strategies, policies and tactics; risk analysis; influence of organization, environment and law; determine the security protection level; select and implement protection measures; monitoring, security awareness, configuration management, change management, business continuity plan.]
prevents the loss, leakage and theft of state secrets and sensitive information of units, prevents unauthorized modification, loss and destruction of data, prevents the loss and reduction of system capabilities, prevents deception, and ensures the credibility of information and systems and the security of assets.
Determination of security protection level
The supervisor of the unit using the computer information system shall determine the protection level of the computer information system in accordance with relevant national laws and regulations, the security requirements of the information processed by the computer information system and the operational security requirements, and implement the level of protection in accordance with GA/TXX1-XXXX (technical requirements), GA/TXXX-XXXX (engineering requirements) and the management requirements of this standard.
Security risk analysis and assessment
Identify risks that need to be controlled or that are acceptable, and form a risk analysis and assessment report.
Method
When conducting security risk analysis, we should adopt a multi-level and multi-angle system analysis method based on relevant information system security standards and regulations, formulate detailed analysis plans and analysis steps, avoid omissions, ensure the reliability and scientificity of the results, and form documents to ensure that they are traceable.
Content and scope
Information system security organization, system and personnel, information system architecture, strategy and technology application, security facility deployment and outsourcing service status, dynamic security operation status, etc.
Analysis process
Classification of information and information systems;
Identify assets and values to be protected;
Analyze the interdependence between information assets;
Identify existing vulnerabilities and threats;
Analyze the impact of possible intruders and intrusion activities;
Prepare security risk analysis reports.
Formulate security strategies
a) Purpose
Provides a framework to ensure the security of information systems, provides security management methods, stipulates the specifications to be followed and the responsibilities to be borne by each department, and provides a basis and foundation for the specific implementation of information system security. Mobilize, coordinate and organize resources from all aspects to jointly ensure the security of information systems.
b) Methods
Security policies should be formulated by the relevant departments of the computer information system user unit, which should be composed of the supervisors and professional security technicians of the user unit and relevant members from different departments of the unit. Departments with conditions can hire security experts. When formulating security policies, consideration should be given to the systematic nature of the structure, the comprehensibility of the content, the feasibility of the technology, and the enforceability of the management. Security policies should keep pace with the times and be adjusted and updated regularly.
Contents of security strategy
Content and objectives of protection: The security strategy should include all assets to be protected in the computer information system and the importance of each asset. The elements or assets in the computer information system should be classified. The classification should reflect the importance of each type of asset, the main threats faced, and specify their protection levels;
Clarify the responsibilities of personnel: Clarify the responsibilities and obligations of each person in information security protection so as to effectively organize the collaborative work of all personnel;
Implement protection methods: Determine the specific methods for protecting various types of assets in the computer information system, such as isolation and radiation protection and natural disaster prevention measures for entities, authorized access control technology for data information, and secure tunnel technology for network transmission;
Handling of accidents: In order to ensure the implementation of tasks and improve safety awareness and vigilance, relevant reward and punishment clauses should be stipulated, and a supervision mechanism should be established to ensure the strict implementation of various clauses.
Security requirements analysis
a) Purpose
Improve the effectiveness and pertinence of security measures such as computer information system security services and security mechanisms, and form a security requirements analysis report.
1) Combined with reality: security requirements are proposed for the actual environment and security goals of computer information systems;
2) Based on standards: in order to ensure quality and be traceable, security requirements analysis should comply with relevant standards;
3) Layered analysis: analyze from the various levels involved, such as strategy, architecture, technology, and management;
4) Dynamic feedback: security requirements analysis is an evolving process. With the system upgrade or functional expansion, changes in the internal and external environment, security requirements will change accordingly. Security requirements analysis should maintain the effectiveness and adaptability of the results, ensure the scientific and systematic nature of the analysis method, and the security requirements analysis process should be synchronized with the system development process.
Contents
Management level: According to the actual situation of the organization and institution, determine the form and scale of the management organization or department, and clarify its goals, principles, tasks, functions and staffing, etc.;
Physical level: According to the actual situation of the organization or institution, determine the security level of various types of physical assets, as well as the degree and method of protection required;
System level: Clarify the security level that the operating platform should have, and the operating system that should be selected to achieve the required level;
Network level: According to the business direction of the information system, analyze the system's network, especially the security requirements of the network boundary, and determine the protection system to be adopted;
Application level: Based on the diversity and complexity of network-based applications and application providers, the corresponding security protection systems and technical measures are not the same, and it is necessary to determine and select their security needs based on actual conditions.
Implementation of security measures