This standard specifies the general security requirements and special security requirements for the targets of classified security of Level 1 to Level 4 under the classified protection of cybersecurity.
It applies to guiding the security construction and the supervision and management of targets of classified security that do not involve secrets.
Note: Targets of classified security of Level 5 are very important objects of supervision and management, for which a special management mode and special security requirements are proposed; they are not described herein.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB 17859 Classified criteria for security protection of computer information system
GB/T 22240 Information security technology - Classification guide for classified protection of information systems security
GB/T 25069 Information security technology - Glossary
GB/T 31167-2014 Information security technology - Security guide of cloud computing services
GB/T 31168-2014 Information security technology - Security capability requirements of cloud computing services
GB/T 32919-2016 Information security technology - Application guide to industrial control system security control
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB 17859, GB/T 22240, GB/T 25069, GB/T 31167-2014, GB/T 31168-2014 and GB/T 32919-2016 as well as the following ones apply. For the convenience of application, some terms and definitions in GB/T 31167-2014, GB/T 31168-2014 and GB/T 32919-2016 are re-listed as follows.
3.1
cybersecurity
capability, achieved by taking necessary measures, to protect the network against attack, intrusion, interference, damage, illegal use and unexpected accidents, to keep the network operating stably and reliably, and to ensure the integrity, confidentiality and availability of network data
3.2
security protection ability
extent to which it is possible to defend against threats, detect security events, restore the previous state after any damage, etc.
3.3
cloud computing
a mode of accessing an extensible and flexible pool of shared physical or virtual resources through the internet, with resources obtained and managed on a self-service basis as required
Note: Examples of resources include servers, operating systems, networks, software, applications, storage devices, etc.
[GB/T 31167-2014, definition 3.1]
3.4
cloud service provider
a provider of cloud computing service
Note: The cloud service provider manages, operates and supports the computing infrastructure and software of cloud computing, and delivers the cloud computing resources through the internet.
[GB/T 31167-2014, definition 3.3]
3.5
cloud service customer
a participant that enters into a business relationship with the cloud service provider in order to use the cloud computing service
[GB/T 31168-2014, definition 3.4]
3.6
cloud computing platform/system
collection of cloud computing infrastructure and its service software provided by the cloud service provider
3.7
hypervisor
an intermediate software layer running between the underlying physical server and the operating system, which may allow multiple operating systems and applications to share the hardware
3.8
host machine
physical server that operates the hypervisor
3.9
mobile communication
the process of connecting a mobile device to a wired network by using radio communication technology
GB/T 22239-2019 The following standards are cited: