Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This document is developed in accordance with the rules given in GB/T 1.1-2020 Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents.
Attention is drawn to the possibility that some of the parts of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights. This standard was proposed by and is under the jurisdiction of National Technical Committee on Transportation Information Communication and Navigation of Standardization Administration of China.
Introduction
Transportation is an important part of the national economy and one of the key industries for implementing the classified protection of cybersecurity in China. The competent department of the industry shall therefore further strengthen the management and guidance of cybersecurity, standardize the development of related work and effectively ensure the cybersecurity of the industry.
Based on national standards such as GB 17859-1999 and GB/T 22239-2019, this document proposes the minimum protection requirements for targets of classified security with different security protection levels for transportation according to the technical development level of the transportation and cybersecurity protection requirements.
In order to facilitate the use of this document, many clauses of GB/T 22239-2019 are referenced and their sources are indicated. In the text of this document, bold type indicates requirements that are added to, or are stricter than, those of the national standards.
JT/T 1417—2022
Baseline for classified protection of cybersecurity of transportation
1 Scope
This document specifies the general principles for classified protection of cybersecurity of transportation, as well as the security requirements for the targets of classified security of Level 1 to Level 4.
This document is applicable to the planning and design, security construction, and supervision and management of the cybersecurity of transportation.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute indispensable provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 5271.8 Information technology - Vocabulary - Part 8: Databases
GB 17859 Classified criteria for security protection of computer information system
GB/T 20839 Intelligent transport systems - General terminology
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
JT/T 904 Classification guide for security classified protection of transportation information system
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 5271.8, GB 17859, GB/T 20839, GB/T 22239 and JT/T 904 as well as the following apply.
3.1
cyber security
capabilities to prevent the network from attack, intrusion, interference, damage, illegal use and unexpected accident, enable the network to operate stably and reliably and ensure the integrity, confidentiality and availability of network data by taking necessary measures
[Source: GB/T 22239-2019, 3.1]
3.2
cloud service provider
provider of cloud computing service
Note: The cloud service provider manages, operates and supports the infrastructure and software of cloud computing, and delivers the cloud computing resources through the Internet.
[Source: GB/T 31167-2014, 3.3]
3.3
cloud service customer
participant entering into business relationship with the cloud service provider by using cloud computing service
[Source: GB/T 31167-2014, 3.4, modified]
3.4
baseline verification
method for verifying the baseline configured based on minimum security requirements for network device, security device, host operating system, database management system and business application system
3.5
important data processing system
important communication devices and computing devices that perform routing and forwarding, access control, network switching, release for use and storage of data
Note: Important communication device and computing device include but are not limited to boundary routers, boundary firewalls, core switches, application servers and database servers.
3.6
data security protection system
system or tool for protecting data
Note: The systems or tools include but are not limited to database firewalls, data leakage prevention, desensitization system, database encryption system and file encryption system.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
AP: Wireless Access Point
CPU: Central Processing Unit
DDoS: Distributed Denial of Service
DNS: Domain Name System
FTP: File Transfer Protocol
HTTP: Hyper Text Transfer Protocol
HTTPS: Hyper Text Transfer Protocol over Secure Socket Layer
IP: Internet Protocol
IT: Information Technology
MAC: Message Authentication Code
POP3: Post Office Protocol-Version 3
SMTP: Simple Mail Transfer Protocol
SQL: Structured Query Language
SSH: Secure Shell
SSID: Service Set Identifier
VPN: Virtual Private Network
WEP: Wired Equivalent Privacy
5 General
5.1 Target of classified security and security protection level
The target of classified security refers to the target in classified protection of cybersecurity and those systems, formed by computer or other information terminals as well as relevant devices, for collection, storage, transmission, exchange and processing of information according to certain rules and programs, mainly including basic information network, information system (including the system adopting mobile communication technology), cloud computing platform/system, big data application/platform/resource, Internet of Things (IoT), and industrial control system, etc.
The targets of classified security for transportation are classified into five security protection levels, from low to high, according to their importance to national security, economic construction and social life, and according to the degree of harm to national security, the public interest and the legitimate rights and interests of citizens, legal persons and other organizations once they are damaged. The security protection level of a target of classified protection of cybersecurity of transportation shall be determined according to the requirements of JT/T 904.
5.2 Security protection ability
The basic security protection ability for different levels of targets of classified security of the transportation shall meet those specified in 5.2 of GB/T 22239-2019.
5.3 General security requirements and special security requirements
Because business objectives, adopted technologies and application scenarios differ, targets of classified security appear in different forms. Targets of different forms face different threats, so their security protection requirements also differ. To provide both common and individualized protection for targets of classified security of different levels and forms, the security requirements of targets of classified security are divided into general security requirements and special security requirements.
General security requirements address common protection needs: whatever form a target of classified security takes, it shall implement the general security requirements of the level corresponding to its security protection level. Special security requirements address individualized protection needs and shall be implemented selectively according to the security protection level and the specific technology adopted or the specific application scenario.
[Source: GB/T 22239-2019, 5.3]
The security requirements shall be selected in accordance with Annex A of GB/T 22239-2019.
6 Level 1 security requirements
6.1 General security requirements
6.1.1 Physical environment security
6.1.1.1 Physical access control
Special personnel shall be designated, or an electronic access control system shall be installed, at the entrance/exit of the machine room to control, identify and record the personnel entering the machine room.
[Source: GB/T 22239-2019, 6.1.1.1]
6.1.1.2 Prevention of burglary and damage
The network device, security device, server, storage device and other devices or main components shall be fixed and marked with obvious and indelible signs, which shall indicate asset number, person in charge of the device and other information.
6.1.1.3 Lightning protection
Various cabinets, facilities, devices and the like shall be safely earthed via the earthing system.
[Source: GB/T 22239-2019, 6.1.1.3]
6.1.1.4 Fire prevention
A portable gas fire extinguisher shall be provided in the machine room. The fire extinguisher shall have passed its annual inspection, be within its validity period and be in normal working order.
6.1.1.5 Waterproofing and dampproofing
Measures shall be taken to prevent the penetration of rainwater through the window, roof and wall of the machine room.
[Source: GB/T 22239-2019, 6.1.1.5]
6.1.1.6 Temperature and humidity control
The necessary temperature and humidity regulating facilities shall be installed so that the temperature and humidity changes in the machine room are within the allowable range for device operation.
[Source: GB/T 22239-2019, 6.1.1.6]
6.1.1.7 Power supply
The voltage regulator and overvoltage protection device shall be configured on the power supply line of the machine room.
[Source: GB/T 22239-2019, 6.1.1.7]
6.1.2 Communication network security
6.1.2.1 Communication transmission
Check technology shall be adopted to ensure the integrity of data in communication process.
[Source: GB/T 22239-2019, 6.1.2.1]
6.1.2.2 Trusted verification
Trusted verification shall be carried out, based on a trusted root, for the system boot program, system program and the like of the communication device, and an alarm shall be raised when their trustworthiness is detected to have been compromised.
[Source: GB/T 22239-2019, 6.1.2.2]
6.1.3 Area boundary security
6.1.3.1 Boundary protection
The boundary protection requirements shall include:
a) ensuring that access and data flows crossing the boundary communicate via the controlled interfaces provided by the boundary device;
b) being able to restrict unauthorized devices from connecting to the internal network without permission; measures such as IP/MAC address binding and disabling idle ports of network access devices should be taken to restrict network connections;
c) being able to restrict internal users from connecting to external networks without authorization; measures such as controlling physical interfaces should be taken to restrict connections to external networks.
6.1.3.2 Access control
The access control requirements shall include:
a) setting access control rules at the network boundary according to the access control policy; by default, the controlled interface denies all communication except that which is explicitly allowed;
b) deleting redundant or invalid access control rules, optimizing the access control list and keeping the number of access control rules to a minimum;
c) inspecting the source address, destination address, source port, destination port, protocol and the like in order to allow or deny data packets passing in and out.
[Source: GB/T 22239-2019, 6.1.3.2]
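The three items above describe a rule set that denies by default, is kept minimal, and matches on the five-tuple. The following Python is an added example written for this page; it is not code from JT/T 1417-2022 or GB/T 22239-2019, and the `Rule` format, the sample ACL and the sample packets are constructed for illustration (a real boundary device has its own rule syntax). It evaluates packets with first-match semantics and an implicit final deny, and it finds rules that an earlier rule already fully covers, which can never fire and are therefore candidates for deletion under item b).

```python
"""Boundary access-control evaluator for the rules in 6.1.3.2.

Added example, not taken from JT/T 1417-2022 or GB/T 22239-2019. The Rule
format, the sample ACL and the sample packets are constructed for
illustration; a real boundary device has its own rule syntax."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network in CIDR form, or "any"
    dst: str              # destination network in CIDR form, or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port; None matches every port


def _net(cidr: str):
    return None if cidr == "any" else ipaddress.ip_network(cidr, strict=False)


def _addr_in(cidr: str, addr: str) -> bool:
    net = _net(cidr)
    return net is None or ipaddress.ip_address(addr) in net


def _covers(outer: str, inner: str) -> bool:
    """True when the network given by `outer` contains every address of `inner`."""
    a, b = _net(outer), _net(inner)
    if a is None:
        return True          # "any" covers everything
    if b is None:
        return False         # a specific network never covers "any"
    return b.subnet_of(a)


def matches(rule: Rule, pkt: dict) -> bool:
    """Item c): check source/destination address, protocol and destination port."""
    return (_addr_in(rule.src, pkt["src"]) and _addr_in(rule.dst, pkt["dst"])
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt["dport"]))


def decide(rules: List[Rule], pkt: dict) -> str:
    """Item a): first matching rule wins; traffic that no rule allows is denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


def shadowed(rules: List[Rule]) -> List[int]:
    """Item b): indexes of rules fully covered by an earlier rule. Such a rule can
    never fire, so it only inflates the list and should be deleted."""
    result = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (_covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                result.append(j)
                break
    return result


# Constructed sample ACL: office network to a business server, telnet denied.
BOUNDARY_ACL = [
    Rule("allow", "10.0.0.0/8", "192.168.10.5/32", "tcp", 443),
    Rule("allow", "10.1.0.0/16", "192.168.10.5/32", "tcp", 443),  # already covered by rule 0
    Rule("deny", "any", "192.168.10.0/24", "tcp", 23),
]

if __name__ == "__main__":
    pkt = {"src": "172.16.0.9", "dst": "192.168.10.5", "proto": "tcp", "dport": 443}
    print(decide(BOUNDARY_ACL, pkt), shadowed(BOUNDARY_ACL))
```

The packet from 172.16.0.9 matches no rule and is denied by the implicit default, and `shadowed` reports index 1 because rule 0 already covers it entirely; that is the kind of rule item b) asks to remove.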
6.1.3.3 Security audit
Technical measures shall be taken to monitor and record the network operating status and cybersecurity incidents for security audit, and the relevant network logs shall be retained for at least six months.
6.1.3.4 Trusted verification
Trusted verification shall be carried out, based on a trusted root, for the system boot program, system program and the like of the boundary device, and an alarm shall be raised when their trustworthiness is detected to have been compromised.
[Source: GB/T 22239-2019, 6.1.4.5]
6.1.4 Computing environment security
6.1.4.1 Network device
6.1.4.1.1 Identity authentication
The identity authentication shall meet the following requirements:
a) The identity of the login user shall be identified and authenticated; the identity identifier shall be unique, and the identity authentication information shall meet complexity requirements and be replaced regularly. Specific requirements are as follows:
1) the static password shall be not less than 8 characters in length and shall contain at least three of the following four types of element: uppercase English letters, lowercase English letters, numerals and special symbols;
2) the replacement cycle of the user password shall not exceed one year;
3) the user shall change the initial default password at first login, and a new password identical to the old one shall not be permitted whenever the password is changed;
b) A login failure handling function shall be available, and related measures, such as ending the session, limiting the number of illegal login attempts to no more than five and automatic logout on login connection timeout, shall be configured and enabled.
6.1.4.1.2 Access control
The access control requirements shall include:
a) allocating account and authority for the login user;
b) renaming or deleting default account and modifying the default password of the default account;
c) deleting or disabling redundant and expired accounts in a timely manner, and avoiding shared accounts.
[Source: GB/T 22239-2019, 6.1.4.2]
6.1.4.1.3 Intrusion prevention
The intrusion prevention requirements shall include:
a) following the minimum installation principle and installing only the necessary components and application programs;
b) disabling unnecessary system services, default shares and high-risk ports.
[Source: GB/T 22239-2019, 6.1.4.3]
6.1.4.1.4 Data backup and recovery
The local data backup and recovery function shall be provided for important data.
[Source: GB/T 22239-2019, 6.1.4.7]
6.1.4.2 Safety device
6.1.4.2.1 Identity authentication
The identity authentication shall meet the following requirements:
a) The identity of the login user shall be identified and authenticated; the identity identifier shall be unique, and the identity authentication information shall meet complexity requirements and be replaced regularly. Specific requirements are as follows:
1) the static password shall be not less than 8 characters in length and shall contain at least three of the following four types of element: uppercase English letters, lowercase English letters, numerals and special symbols;
2) the replacement cycle of the user password shall not exceed one year;
3) the user shall change the initial default password at first login, and a new password identical to the old one shall not be permitted whenever the password is changed;
b) A login failure handling function shall be available, and related measures, such as ending the session, limiting the number of illegal login attempts to no more than five and automatic logout on login connection timeout, shall be configured and enabled.
6.1.4.2.2 Access control
The access control requirements shall include:
a) allocating account and authority for the login user;
b) renaming or deleting default account and modifying the default password of the default account;
c) deleting or disabling redundant and expired accounts in a timely manner, and avoiding shared accounts.
[Source: GB/T 22239-2019, 6.1.4.2]
6.1.4.2.3 Intrusion prevention
The intrusion prevention requirements shall include:
a) following the minimum installation principle and installing only the necessary components and application programs;
b) disabling unnecessary system services, default shares and high-risk ports.
[Source: GB/T 22239-2019, 6.1.4.3]
6.1.4.2.4 Data backup and recovery
The local data backup and recovery function shall be provided for important data.
[Source: GB/T 22239-2019, 6.1.4.7]
6.1.4.3 Host operating system
6.1.4.3.1 Identity authentication
The identity authentication shall meet the following requirements:
a) The identity of the login user shall be identified and authenticated; the identity identifier shall be unique, and the identity authentication information shall meet complexity requirements and be replaced regularly. Specific requirements are as follows:
1) the static password shall be not less than 8 characters in length and shall contain at least three of the following four types of element: uppercase English letters, lowercase English letters, numerals and special symbols;
2) the replacement cycle of the user password shall not exceed one year;
3) the user shall change the initial default password at first login, and a new password identical to the old one shall not be permitted whenever the password is changed;
b) A login failure handling function shall be available, and related measures, such as ending the session, limiting the number of illegal login attempts to no more than five and automatic logout on login connection timeout, shall be configured and enabled.
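The identity authentication clause is stated identically for network devices (6.1.4.1.1), security devices (6.1.4.2.1) and host operating systems (6.1.4.3.1). The Python below is one added example for all three; it is not code from the standard. The 8-character minimum, the three-of-four character classes, the one-year replacement cycle and the five-attempt limit are taken from the text; the lockout duration and the idle timeout are assumed values, because the text requires the measures but does not fix those numbers. The clock is injectable so the lockout and idle-logout behaviour can be exercised without waiting.

```python
"""Static-password policy and login-failure handling for item a) 1)-3) and
item b) of 6.1.4.1.1, 6.1.4.2.1 and 6.1.4.3.1 (one example for all three).

Added example, not code from the standard. Thresholds marked "assumed" are
not given by the text."""
import string
import time
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

MIN_LENGTH = 8
MIN_CLASSES = 3
MAX_AGE = timedelta(days=365)
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60       # assumed
IDLE_TIMEOUT_SECONDS = 10 * 60  # assumed


def password_violations(new: str, old: Optional[str] = None) -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = acceptable)."""
    classes = (
        any(c in string.ascii_uppercase for c in new),
        any(c in string.ascii_lowercase for c in new),
        any(c in string.digits for c in new),
        any(c in string.punctuation for c in new),
    )
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if sum(classes) < MIN_CLASSES:
        problems.append("fewer than three character classes")
    if old is not None and new == old:
        problems.append("same as the previous password")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """Rule 2): the replacement cycle must not exceed one year."""
    return today - last_changed > MAX_AGE


class LoginGuard:
    """Item b): count failures per user, lock the account after MAX_FAILURES,
    and log idle sessions out automatically."""

    def __init__(self, verify: Callable[[str, str], bool],
                 clock: Callable[[], float] = time.monotonic):
        self._verify, self._clock = verify, clock
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}
        self._sessions: Dict[str, float] = {}   # token -> last activity time

    def login(self, user: str, password: str) -> Tuple[str, Optional[str]]:
        now = self._clock()
        if self._locked_until.get(user, 0.0) > now:
            return "locked", None
        if not self._verify(user, password):
            count = self._failures[user] = self._failures.get(user, 0) + 1
            if count >= MAX_FAILURES:
                self._locked_until[user] = now + LOCKOUT_SECONDS
                self._failures[user] = 0
                return "locked", None
            return "failed", None
        self._failures[user] = 0
        token = f"{user}-{len(self._sessions) + 1}"
        self._sessions[token] = now
        return "ok", token

    def session_active(self, token: str) -> bool:
        """End (log out) a session that has been idle longer than the timeout."""
        now = self._clock()
        last = self._sessions.get(token)
        if last is None:
            return False
        if now - last > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return False
        self._sessions[token] = now
        return True


def demo() -> dict:
    """Exercise the policy on constructed data with a manual clock."""
    clock = [0.0]
    store = {"netadmin": "Tr4in-Ctrl!"}   # constructed credential store
    guard = LoginGuard(lambda u, p: store.get(u) == p, clock=lambda: clock[0])
    statuses = [guard.login("netadmin", "wrong")[0] for _ in range(MAX_FAILURES)]
    statuses.append(guard.login("netadmin", "Tr4in-Ctrl!")[0])   # correct, but locked
    clock[0] += LOCKOUT_SECONDS + 1
    status, token = guard.login("netadmin", "Tr4in-Ctrl!")
    statuses.append(status)
    alive_before = guard.session_active(token)
    clock[0] += IDLE_TIMEOUT_SECONDS + 1
    alive_after = guard.session_active(token)
    return {
        "statuses": statuses,
        "alive_before": alive_before,
        "alive_after": alive_after,
        "weak": password_violations("password"),
        "reused": password_violations("Tr4in-Ctrl!", "Tr4in-Ctrl!"),
        "good": password_violations("Tr4in-Ctrl!", "Tr4in-Ctrl?"),
        "expired": password_expired(date(2023, 1, 1), date(2024, 1, 3)),
    }
```

Note that the fifth failed attempt both ends the attempt and locks the account, and a correct password presented during the lockout is still refused; the lock releases only after the assumed lockout interval.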
6.1.4.3.2 Access control
The access control requirements shall include:
a) allocating account and authority for the login user;
b) renaming or deleting default account and modifying the default password of the default account;
c) deleting or disabling redundant and expired accounts in a timely manner, and avoiding shared accounts.
[Source: GB/T 22239-2019, 6.1.4.2]
6.1.4.3.3 Intrusion prevention
The intrusion prevention requirements shall include:
a) following the minimum installation principle and installing only the necessary components and application programs;
b) disabling unnecessary system services, default shares and high-risk ports;
c) being able to discover possible known vulnerabilities and repairing them in a timely manner.
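Items a) and b) are verified in practice by comparing a host against an approved baseline, in the sense of the baseline verification defined in 3.4. The Python below is an added example, not code from the standard: it parses a constructed listening-socket inventory and compares it, together with an installed-package list and a share list, against an assumed approved baseline. The high-risk port set, the baseline and the inventory are all sample data, since the standard does not enumerate them; a real deployment substitutes its own.

```python
"""Baseline verification (3.4) for items a) and b) of 6.1.4.3.3: compare a
host's listening sockets, installed packages and shares with an approved
minimal baseline and report what should be removed or disabled.

Added example, not from the standard. The approved baseline, the high-risk
port set and the host inventory below are constructed sample data."""
from typing import Dict, List, Set, Tuple

# Assumed set of ports treated as high-risk for this example.
HIGH_RISK_PORTS: Dict[int, str] = {
    21: "ftp", 23: "telnet", 135: "msrpc", 139: "netbios-ssn", 445: "smb", 3389: "rdp",
}
# Assumed approved baseline for one application server.
APPROVED_SERVICES: Dict[Tuple[str, int], str] = {("tcp", 22): "sshd", ("tcp", 443): "nginx"}
APPROVED_PACKAGES: Set[str] = {"openssh-server", "nginx", "chrony"}

# Constructed host inventory: "<proto> <local address>:<port> <process>" per line.
LISTENING = """\
tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:443 nginx
tcp 0.0.0.0:23 telnetd
udp 0.0.0.0:161 snmpd
"""
INSTALLED = ["openssh-server", "nginx", "chrony", "telnetd", "net-snmp"]
SHARES = ["C$", "ADMIN$", "IPC$", "exports"]   # Windows-style administrative shares end in "$"


def parse_sockets(text: str) -> List[Tuple[str, int, str]]:
    """Turn the inventory text into (proto, port, process) rows."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, local, process = line.split()
        rows.append((proto, int(local.rsplit(":", 1)[1]), process))
    return rows


def baseline_findings(sockets, installed, shares) -> List[str]:
    """Everything that deviates from the minimal-install / no-high-risk-port baseline."""
    findings = []
    for proto, port, process in sockets:
        if port in HIGH_RISK_PORTS:
            findings.append(f"high-risk port {proto}/{port} ({HIGH_RISK_PORTS[port]}) open by {process}")
        elif (proto, port) not in APPROVED_SERVICES:
            findings.append(f"unapproved service {process} listening on {proto}/{port}")
    for pkg in installed:
        if pkg not in APPROVED_PACKAGES:
            findings.append(f"package {pkg} not in the minimal-install baseline")
    for share in shares:
        if share.endswith("$"):
            findings.append(f"default share {share} enabled")
    return findings


def check_host() -> List[str]:
    return baseline_findings(parse_sockets(LISTENING), INSTALLED, SHARES)


if __name__ == "__main__":
    for finding in check_host():
        print(finding)
```

On the sample inventory the approved sshd and nginx listeners produce no finding, while the telnet listener, the unapproved SNMP daemon, their packages and the three administrative shares are reported as items to disable or remove.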
6.1.4.3.4 Malicious code prevention
Anti-malicious-code software shall be installed, or software with the corresponding function shall be configured, and the anti-malicious-code library shall be upgraded and updated at least once every three months.
6.1.4.3.5 Trusted verification
Trusted verification shall be carried out, based on a trusted root, for the system boot program, system program and the like of the computing device, and an alarm shall be raised when their trustworthiness is detected to have been compromised.
[Source: GB/T 22239-2019, 6.1.4.5]
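The trusted verification clause appears for communication devices (6.1.2.2), boundary devices (6.1.3.4) and computing devices (6.1.4.3.5) in the same form: measure the boot program and system program against references anchored in a trusted root, and alarm on any deviation. The Python below is one added example for all three, not code from the standard. It keeps a manifest of SHA-256 measurements sealed with an HMAC under `ROOT_KEY`, which is an assumed stand-in for the key a real trusted root (a TPM or comparable module) would hold, and the component blobs are constructed sample data. Verification checks the manifest's seal before trusting any reference in it, then checks each stage in boot order.

```python
"""Trusted verification of boot-stage components (6.1.2.2, 6.1.3.4 and
6.1.4.3.5; one example for all three).

Added example, not from the standard. ROOT_KEY stands in for the key held by
a real trusted root; the component images are constructed sample bytes."""
import hashlib
import hmac
import json
from typing import Dict, List

ROOT_KEY = b"constructed-trusted-root-key"   # assumption: stands in for the trusted root's key


def measure(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def _seal(refs: Dict[str, str]) -> str:
    body = json.dumps(refs, sort_keys=True).encode()
    return hmac.new(ROOT_KEY, body, "sha256").hexdigest()


def make_manifest(components: Dict[str, bytes]) -> dict:
    """Record the expected measurement of every stage, sealed under the trusted root."""
    refs = {name: measure(blob) for name, blob in components.items()}
    return {"refs": refs, "mac": _seal(refs)}


def verify_boot(manifest: dict, components: Dict[str, bytes]) -> List[str]:
    """Verify the manifest first, then each stage in boot order; return the alarms
    to raise (empty list = trustworthiness intact)."""
    if not hmac.compare_digest(_seal(manifest["refs"]), manifest["mac"]):
        return ["ALARM: reference manifest failed trusted-root authentication"]
    alarms = []
    for name, expected in manifest["refs"].items():
        actual = components.get(name)
        if actual is None:
            alarms.append(f"ALARM: {name} missing")
        elif not hmac.compare_digest(measure(actual), expected):
            alarms.append(f"ALARM: {name} measurement mismatch")
    return alarms


# Constructed sample images for a boot chain, listed in boot order.
GOOD_IMAGES = {
    "boot_program": b"stage1 bootloader v1 (sample bytes)",
    "system_program": b"kernel 5.x (sample bytes)",
    "system_config": b"console=ttyS0 quiet (sample bytes)",
}
MANIFEST = make_manifest(GOOD_IMAGES)


def demo_tampered() -> List[str]:
    """A modified system program is detected by its measurement."""
    images = dict(GOOD_IMAGES)
    images["system_program"] = b"kernel 5.x (sample bytes) + unexpected patch"
    return verify_boot(MANIFEST, images)


def demo_forged_manifest() -> List[str]:
    """References edited without the root key fail the seal check before use."""
    forged = {"refs": dict(MANIFEST["refs"]), "mac": MANIFEST["mac"]}
    forged["refs"]["system_program"] = measure(b"something else")
    return verify_boot(forged, GOOD_IMAGES)


if __name__ == "__main__":
    print(verify_boot(MANIFEST, GOOD_IMAGES), demo_tampered(), demo_forged_manifest())
```

The order matters: a forged manifest is rejected as a whole rather than being used to "verify" a modified image, and a missing stage is reported separately from a mismatched one so the alarm says which failure occurred.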
6.1.4.3.6 Data backup and recovery
The local data backup and recovery function shall be provided for important data.
[Source: GB/T 22239-2019, 6.1.4.7]
Foreword i
Introduction ii
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General
5.1 Target of classified security and security protection level
5.2 Security protection ability
5.3 General security requirements and special security requirements
6 Level 1 security requirements
6.1 General security requirements
6.2 Special security requirements for cloud computing
6.3 Special security requirements for mobile communication
6.4 Special security requirements for IoT
6.5 Special security requirements for industrial control system
6.6 Special security requirements for big data
7 Level 2 security requirements
7.1 General security requirements
7.2 Special security requirements for cloud computing
7.3 Special security requirements for mobile communication
7.4 Special security requirements for IoT
7.5 Special security requirements for industrial control system
7.6 Special security requirements for big data
8 Level 3 security requirements
8.1 General security requirements
8.2 Special security requirements for cloud computing
8.3 Special security requirements for mobile communication
8.4 Special security requirements for IoT
8.5 Special security requirements for industrial control system
8.6 Special security requirements for big data
9 Level 4 security requirements
Bibliography
6.1.4.4 Database management system
6.1.4.4.1 Identity authentication
The identity authentication shall meet the following requirements:
a) The identity of the login user shall be identified and authenticated; the identity identifier shall be unique, and the identity authentication information shall meet complexity requirements and be replaced regularly. Specific requirements are as follows:
1) the static password shall be not less than 8 characters in length and shall contain at least three of the following four types of element: uppercase English letters, lowercase English letters, numerals and special symbols;
2) the replacement cycle of the user password shall not exceed one year;
3) the user shall change the initial default password at first login, and a new password identical to the old one shall not be permitted whenever the password is changed;
b) A login failure handling function shall be available, and related measures, such as ending the session, limiting the number of illegal login attempts and automatic logout on login connection timeout, shall be configured and enabled.
6.1.4.4.2 Access control
The access control requirements shall include:
a) allocating account and authority for the login user;
b) renaming or deleting default account and modifying the default password of the default account;
c) deleting or disabling redundant and expired accounts in a timely manner, and avoiding shared accounts.
[Source: GB/T 22239-2019, 6.1.4.2]
6.1.4.4.3 Data integrity
Check technology shall be adopted to ensure the integrity of important data during transmission.
[Source: GB/T 22239-2019, 6.1.4.6]
6.1.4.4.4 Data backup and recovery
The local data backup and recovery function shall be provided for important data.
[Source: GB/T 22239-2019, 6.1.4.7]
6.1.4.4.5 Personal information protection
Unauthorized access to and illegal use of personal information shall be prohibited.
6.1.4.5 Business application system
6.1.4.5.1 Identity authentication
The identity authentication shall meet the following requirements:
a) The identity of the login user shall be identified and authenticated; the identity identifier shall be unique, and the identity authentication information shall meet complexity requirements and be replaced regularly. Specific requirements are as follows:
1) the static password shall be not less than 8 characters in length and shall contain at least three of the following four types of element: uppercase English letters, lowercase English letters, numerals and special symbols;
2) the replacement cycle of the user password shall not exceed one year;
3) the user shall change the initial default password at first login, and a new password identical to the old one shall not be permitted whenever the password is changed;
b) A login failure handling function shall be available, and related measures, such as ending the session, limiting the number of illegal login attempts and automatic logout on login connection timeout, shall be configured and enabled.
6.1.4.5.2 Access control
The access control requirements shall include:
a) allocating account and authority for the login user;
b) renaming or deleting default account and modifying the default password of the default account;
c) checking account usage at least once a year, deleting or disabling redundant and expired accounts in a timely manner, and avoiding shared accounts.
6.1.4.5.3 Intrusion prevention
A complete data validity verification mechanism shall be provided to avoid the existence of exploitable high-risk vulnerabilities such as SQL injection, cross-site scripting and file upload.
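The data validity verification that 6.1.4.5.3 requires means checking each input against the shape the business actually expects and never letting it become part of a query. The Python below is an added example, not code from the standard: it shows the string-concatenation pattern that makes SQL injection possible next to the hardened form, which first validates the value against an assumed allowlist pattern and then binds it as a query parameter. The vehicle table, the plate format and the sample inputs are constructed, and `sqlite3` from the standard library stands in for the business application's database.

```python
"""Data validity verification for 6.1.4.5.3: an allowlist check on the input
plus a parameterised query, shown beside the string-concatenation pattern
that makes SQL injection possible.

Added example, not from the standard. The vehicle table, the plate format
and the sample inputs are constructed."""
import re
import sqlite3
from typing import List, Tuple

PLATE_RE = re.compile(r"[A-Z0-9]{2,4}-[0-9]{3,5}")   # assumed format of the plate field

# Constructed input that is not a plate but is valid SQL syntax when concatenated.
TAMPERED_INPUT = "X' OR '1'='1"


def valid_plate(value: str) -> bool:
    """Allowlist validation: only the exact expected shape is accepted."""
    return PLATE_RE.fullmatch(value) is not None


def setup() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the business database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE vehicle (plate TEXT, owner TEXT)")
    db.executemany("INSERT INTO vehicle VALUES (?, ?)",
                   [("AB-1234", "depot-north"), ("CD-5678", "depot-south")])
    return db


def lookup_unsafe(db: sqlite3.Connection, plate: str) -> List[Tuple[str]]:
    """The vulnerable pattern: the input becomes part of the SQL text, so a
    crafted value changes the query instead of being compared as data."""
    return db.execute("SELECT owner FROM vehicle WHERE plate = '" + plate + "'").fetchall()


def lookup_safe(db: sqlite3.Connection, plate: str) -> List[Tuple[str]]:
    """Hardened form: reject anything outside the allowlist, then bind the value
    as a parameter so the database never parses it as SQL."""
    if not valid_plate(plate):
        raise ValueError("plate rejected by validity check")
    return db.execute("SELECT owner FROM vehicle WHERE plate = ?", (plate,)).fetchall()


def rejects(db: sqlite3.Connection, value: str) -> bool:
    """True when lookup_safe refuses the value."""
    try:
        lookup_safe(db, value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = setup()
    print(lookup_unsafe(conn, TAMPERED_INPUT))   # returns every row: the WHERE clause was rewritten
    print(rejects(conn, TAMPERED_INPUT))         # True: never reaches the database
```

The two layers are deliberate: the parameter binding alone already prevents the query from being rewritten, and the allowlist check on top of it keeps malformed values out of the application logic and the logs, which is what a "complete" validity mechanism in the clause's sense amounts to.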
6.1.4.5.4 Data integrity
Check technology shall be adopted to ensure the integrity of important data during transmission.
[Source: GB/T 22239-2019, 6.1.4.6]
6.1.4.5.5 Data backup and recovery
The local data backup and recovery function shall be provided for important data.
[Source: GB/T 22239-2019, 6.1.4.7]
6.1.4.5.6 Personal information protection
The personal information protection requirements shall include:
a) collecting and storing only the user personal information necessary for the business;
b) prohibiting unauthorized access to and illegal use of personal information.
6.1.4.6 Middleware and system management software
6.1.4.6.1 Identity authentication
The identity authentication shall meet the following requirements:
a) The identity of the login user shall be identified and authenticated; the identity identifier shall be unique, and the identity authentication information shall meet complexity requirements and be replaced regularly. Specific requirements are as follows:
1) the static password shall be not less than 8 characters in length and shall contain at least three of the following four types of element: uppercase English letters, lowercase English letters, numerals and special symbols;
2) the replacement cycle of the user password shall not exceed one year;
3) the user shall change the initial default password at first login, and a new password identical to the old one shall not be permitted whenever the password is changed;
b) A login failure handling function shall be available, and related measures, such as ending the session, limiting the number of illegal login attempts and automatic logout on login connection timeout, shall be configured and enabled.
6.1.4.6.2 Access control
The access control requirements shall include:
a) allocating account and authority for the login user;
b) renaming or deleting default account and modifying the default password of the default account;
c) deleting or disabling redundant and expired accounts in a timely manner, and avoiding shared accounts.
[Source: GB/T 22239-2019, 6.1.4.2]
6.1.4.6.3 Intrusion prevention
It shall be possible to discover possible known vulnerabilities and repair them in a timely manner, so as to avoid exploitable high-risk vulnerabilities in the environment, frameworks and components.
6.1.4.6.4 Data integrity
Check technology shall be adopted to ensure the integrity of important data during transmission.
[Source: GB/T 22239-2019, 6.1.4.6]
6.1.4.6.5 Data backup and recovery
The local data backup and recovery function shall be provided for important data.
[Source: GB/T 22239-2019, 6.1.4.7]
6.1.5 Security management system
The security management systems commonly used in daily management activities shall be established, including at least those for environment management, vulnerability and risk management, network and system security management, and malicious code prevention management.
6.1.6 Security management organization
6.1.6.1 Post setting
Posts such as system administrator shall be set up, and the responsibilities of each post shall be defined.
[Source: GB/T 22239-2019, 6.1.6.1]
6.1.6.2 Personnel staffing
A certain number of system administrators shall be provided.
[Source: GB/T 22239-2019, 6.1.6.2]
6.1.6.3 Authorization and approval
The authorization and approval matters, the approving departments and the approvers shall be specified according to the responsibilities of each department and post.
[Source: GB/T 22239-2019, 6.1.6.3]
6.1.7 Security management personnel
6.1.7.1 Personnel recruitment
A specific department or person shall be designated or authorized to be responsible for personnel recruitment.
[Source: GB/T 22239-2019, 6.1.7.1]
6.1.7.2 Personnel departure
All access rights of departing personnel shall be terminated in a timely manner, and all identity documents, keys, badges and the like, as well as the hardware and software devices provided by the organization, shall be recovered.
[Source: GB/T 22239-2019, 6.1.7.2]
6.1.7.3 Security awareness education and training
All categories of personnel shall receive security awareness education and post skill training, and shall be informed of the relevant security responsibilities and disciplinary measures.
[Source: GB/T 22239-2019, 6.1.7.3]
6.1.7.4 Access management for external personnel
It shall be ensured that external personnel obtain authorization or approval before accessing controlled areas.
[Source: GB/T 22239-2019, 6.1.7.4]
6.1.8 Security construction management
6.1.8.1 Classification and filing
The security protection level of the protected target, and the method and reasons for determining the level, shall be stated in writing.
[Source: GB/T 22239-2019, 6.1.8.1]
6.1.8.2 Security scheme design
Basic security measures shall be selected according to the security protection level, and security measures shall be supplemented and adjusted based on the results of risk analysis.
[Source: GB/T 22239-2019, 6.1.8.2]
6.1.8.3 Product procurement and use
Qualified cybersecurity products shall be procured and used.
6.1.8.4 Project implementation
A specific department or person shall be designated or authorized to be responsible for managing the project implementation process.
[Source: GB/T 22239-2019, 6.1.8.4]
6.1.8.5 Test and acceptance
Security test and acceptance shall be carried out.
[Source: GB/T 22239-2019, 6.1.8.5]
6.1.8.6 System delivery
The system delivery requirements shall include:
a) preparing a delivery list and checking the delivered devices, software, documents and the like against it;
b) providing corresponding skill training for the technical personnel responsible for operation and maintenance.
[Source: GB/T 22239-2019, 6.1.8.6]
6.1.8.7 Selection of service suppliers
The service supplier requirements shall include:
a) selecting qualified service suppliers;
b) signing security-related agreements with the selected service suppliers that clearly stipulate the relevant responsibilities.
6.1.9 Security operation and maintenance management
6.1.9.1 Environment management
The environment management requirements shall include:
a) designating a specific department or person to be responsible for machine room security, managing entry to and exit from the machine room, and maintaining the power distribution, air conditioning, temperature and humidity control, fire protection and other facilities of the machine room at least once a year;
b) making provisions for the security management of the machine room, covering physical access, movement of items in and out, environmental security and other aspects.
6.1.9.2 Media management
Media shall be stored in a secure environment; all kinds of media shall be controlled and protected; the storage environment shall be managed by designated personnel; and regular inventories shall be taken according to the catalogue of archived media.
6.1.9.3 Device maintenance management
A specific department or person shall be designated to carry out regular maintenance management of all devices (including backup and redundant devices), lines and the like.
[Source: GB/T 22239-2019, 6.1.9.3]
6.1.9.4 Vulnerability and risk management
Necessary measures shall be taken to identify security vulnerabilities and hidden dangers, and the security vulnerabilities and hidden dangers found shall be repaired in a timely manner, or repaired after their possible impact has been assessed.
[Source: GB/T 22239-2019, 6.1.9.4]
6.1.9.5 Network and system security management
The network and system security management requirements shall include:
a) dividing the operation and maintenance management of the network and systems among different administrator roles, and specifying the responsibilities and authority of each role;
b) designating a specific department or person to perform account management and to control account application, account creation, account deletion and the like.
[Source: GB/T 22239-2019, 6.1.9.5]
6.1.9.6 Malicious code prevention management
The malicious code prevention management requirements shall include:
a) raising the anti-malicious-code awareness of all users, and checking external computers or storage devices for malicious code before they are connected to the system;
b) making provisions for malicious code prevention requirements, including the authorized use of anti-malicious-code software, the upgrading of the malicious code library, and regular scanning for and removal of malicious code.
6.1.9.7 Backup and recovery management
The backup and recovery management requirements shall include:
a) identifying the important business information, system data, software systems and the like that need regular backup;
b) specifying the backup method, backup frequency, storage media, retention period and the like for backup information.
[Source: GB/T 22239-2019, 6.1.9.7]