For each evaluation unit in Information Security Technology: Evaluation Requirements for Classified Protection of Cybersecurity (GB/T 28448-2019), this book focuses on the determination of evaluation targets and on the key points and methods of evaluation implementation, so as to better guide cybersecurity classified test and evaluation agencies, the operating and using organizations of classified protection objects, and the competent authorities in carrying out classified protection evaluation work. The book is divided into 8 chapters. Chapter 1 covers basic concepts and interprets the terms and concepts related to classified protection evaluation, mainly including classified evaluation, evaluation targets and their selection, evaluation indicators and their selection, the mapping relationship between evaluation targets and evaluation indicators, non-applicable evaluation indicators, evaluation intensity, evaluation methods, single-item evaluation, overall evaluation and evaluation conclusions. Chapter 2 is a general introduction to the Evaluation Requirements
Foreword
The Cybersecurity Law of the People's Republic of China came into force on June 1, 2017. This fundamental law in the field of cybersecurity clearly stipulates that China implements a system of classified protection of cybersecurity. On December 1, 2019, the national standard Information Security Technology: Evaluation Requirements for Classified Protection of Cybersecurity (GB/T 28448-2019, hereinafter referred to as the "Evaluation Requirements") came into force.
The Evaluation Requirements is the core standard that guides test and evaluation agencies in carrying out evaluations for the classified protection of cybersecurity. Correctly understanding and using this standard is a prerequisite for the smooth implementation of classified protection of cybersecurity.
In order to better understand the Evaluation Requirements and further improve the evaluation capabilities of test and evaluation agencies, the Cybersecurity Bureau of the Ministry of Public Security, the Zhongguancun Information Security Evaluation Alliance, and the Information Security Rating Center of the Ministry of Public Security jointly organized and compiled the "Guidelines for the Application of Evaluation Requirements for Classified Protection of Cybersecurity".
For each evaluation unit in the Evaluation Requirements, this book focuses on the determination of evaluation targets, the key points and methods of evaluation implementation, so as to better guide the classified test and evaluation agencies, the operation and using organizations of classified protection objects and the competent authorities to carry out the evaluation work for classified cybersecurity protection.
This book is divided into 8 chapters. Chapter 1 covers basic concepts and explains the terms and concepts related to the evaluation of classified cybersecurity protection, mainly including classified test and evaluation, evaluation targets and their selection, evaluation indicators and their selection, the mapping relationship between evaluation targets and evaluation indicators, non-applicable evaluation indicators, evaluation intensity, evaluation methods, single-item evaluation, overall evaluation and evaluation conclusions. Chapter 2 is a general introduction to the Evaluation Requirements, elaborating on the meaning of the general security evaluation requirements and the extended security evaluation requirements. Chapter 3 is the application interpretation of the general evaluation requirements at Level III and Level IV. Chapter 4 is the application interpretation of the extended security evaluation requirements for cloud computing. Chapter 5 is the application interpretation of the extended security evaluation requirements for mobile Internet. Chapter 6 is the application interpretation of the extended security evaluation requirements for the Internet of Things. Chapter 7 is the application interpretation of the extended security evaluation requirements for industrial control systems, and Chapter 8 is the application interpretation of the extended security evaluation requirements for big data. Each interpretation covers the evaluation targets and the main points and methods of evaluation implementation, and the security protection level of each evaluation indicator is identified by its evaluation unit number.
The editor in chief of this book is Guo Qiquan, the associate editors in chief are Liu Jianwei and Wang Xinjie, and the other main contributors are Zhu Guobang, Fan Chunling, Pan Wenbo, Wang Lianqiang and Yang Yuzhong.
Due to the limited knowledge of the authors, there are inevitably some inadequacies in this book. Please feel free to provide your feedback and corrections.
The Authors
March 2022
Guo Qiquan is Chief Engineer of the Cybersecurity Protection Bureau of the Ministry of Public Security.
Liu Jianwei is Dean of the School of Cyber Science and Technology, Beihang University. His main research areas include cryptography, 5G network security, mobile communication network security, space-air-ground integrated network security, e-health network security, smart mobile terminal security and satellite-ground data link security.
Wang Xinjie is General Manager of Beijing Shidai Xinwei Information Technology Co., Ltd. (北京时代新威信息技术有限公司). He has worked in the cybersecurity industry since 2003 and took part in developing the national information security standardization series of standards. His main positions are: senior evaluator for classified protection of information security, member of the National Information Security Standardization Technical Committee (SAC/TC 260), and China advisor to the International Information System Security Certification Consortium ((ISC)2).