本書針對《信息安全技術 網絡安全等級保護測評要求》(GB/T 28448-2019)中的每個測評單元,重點介紹了測評對象的確定、測評實施要點和方法,從而能夠更好的指導網絡安全等級測評機構、等級保護對象的運營使用單位及主管部門開展網絡安全等級保護測評工作。全書共分8章。第1章是基本概念,針對網絡安全等級保護測評相關的術語或概念進行了解讀,主要包括等級測評、測評對象及其選擇、測評指標及其選擇、測評對象和測評指標的映射關系、不適用測評指標、測評力度、測評方法、單項測評、整體測評和測評結論等。第2章是《測評要求》總體介紹
Foreword
The Cybersecurity Law of the People’s Republic of China was officially implemented on June 1, 2017. In this fundamental law in the field of cybersecurity, it is clearly stipulated that China implements the classified system of classified protection of cybersecurity. On December 1, 2019, Information Security Technology Network Security—Evaluation Requirements for Classified Protection of Cybersecurity GB/T 28448—2019 (hereinafter referred to as “Evaluation Requirements”), the National Standard of the People’s Republic of China, was implemented.
The Evaluation Requirements is the core standard that guides the test and evaluation agencies to carry out the evaluation for the classified protection of cybersecurity. The correct understanding and use of this standard is the prerequisite for the smooth implementation for the classified protection of cybersecurity.
In order to better understand and comprehend the “Evaluation Requirements” and further improve the evaluation capabilities of test and evaluation agencies, the Cybersecurity Bureau under the Ministry of Public Security, the Zhong guan cun Information Security Evaluation Alliance, and the Information Security Rating Center of the Ministry of Public Security jointly organized and compiled the “Guidelines for the Application of Evaluation Requirements for Classified Protection of Cybersecurity”.
For each evaluation unit in the Evaluation Requirements, this book focuses on the determination of evaluation targets, the key points and methods of evaluation implementation, so as to better guide the classified test and evaluation agencies, the operation and using organizations of classified protection objects and the competent authorities to carry out the evaluation work for classified cybersecurity protection.
This book is divided into 8 chapters. Chapter 1 is the basic concept, which explains the terms or concepts related to the evaluation of classified cybersecurity protection, mainly including classified test and evaluation, evaluation targets and selection, evaluation index and selection, the mapping relationship between evaluation targets and evaluation indicators, and non applicable evaluation index, evaluation intensity, evaluation method, singular evaluation, overall evaluation and evaluation conclusion, etc. Chapter 2 is the general introduction of the Evaluation Requirements, elaborating on the meaning of general requirements for security evaluation and extended requirements for security evaluation. Chapter 3 is the application interpretation of the general evaluation requirements at Level Ⅲ and Level Ⅳ. Chapter 4 is the application and interpretation of the extended requirements of cloud computing security evaluation. Chapter 5 is the application and interpretation of the extended security evaluation requirements of mobile Internet. Chapter 6 is the application and interpretation of the extended security evaluation requirements of Internet of Things. Chapter 7 is the application and interpretation of the extended security evaluation requirements of industrial control systems, and Chapter 8 is the application and interpretation of the extended security evaluation requirements of big data. The content of interpretation includes the evaluation targets, the main points and methods of the evaluation implementation, etc., and the security protection level of the evaluation metric is identified by the evaluation unit number.
The editor in chief of this book is Guo Qiquan, the associate editor in chief are Liu Jianwei and Wang Xinjie, and other main contributors are Zhu Guobang, Fan Chunling, Pan Wenbo, Wang Lianqiang, Yang Yuzhong.
Due to the limited knowledge of the authors, there are inevitably some inadequacies in this book. Please feel free to kindly provide your feedback and correction.
the Author
March,2022
郭啟權,公安部網絡安全保護局總工程師。
劉建偉,北京航空航天大學網絡空間安全學院 院長,主要研究領域包括:密碼學、5G網絡安全、移動通信網絡安全、天空地一體化網絡安全、電子健康網絡安全、智能移動終端安全、星地數(shù)據(jù)鏈安全等。
王新杰,北京時代新威信息技術有限公司總經理。 2003年開始從事網絡安全行業(yè),參與了“全國信息安全標準化”系列標準的研制。主要擔任:信息安全等級保護高級測評師 、全國信息安全標準化技術委員會(SAC/TC 260)委員、國際信息系統(tǒng)安全認證聯(lián)盟((ISC)2)中國顧問。