
Interpretation of basic requirements for classified protection of network security (GBT 22239-2019)

2022-06-22 11:35:00 CNRio

Interpretation of the standard GB/T 22239-2019, Basic requirements for classified protection of network security

0 Introduction

GB/T 22239-2008, Information security technology: Basic requirements for information system security classified protection, played a very important role in the implementation of China's information security classified protection system. It was widely used across industries and fields and guided users in the construction and rectification of information systems under classified protection, in grade evaluation and in related work [1]. With the development of information technology, the timeliness, usability and operability of GB/T 22239-2008, by then ten years old, needed further improvement. The Cybersecurity Law of the People's Republic of China [2] took effect in 2017, and GB/T 22239-2008 also needed to be revised to support the state's implementation of the network security classified protection system [3].

In 2014 the National Information Security Standardization Technical Committee (hereinafter the Committee) issued the task of revising GB/T 22239-2008. The Third Research Institute of the Ministry of Public Security (the Ministry of Public Security Evaluation Center for Classified Protection of Information Security) took primary responsibility for the revision, and more than 20 enterprises and institutions sent personnel to take part. The standard drafting group, established in 2014, surveyed the international and domestic use of new technologies and applications such as cloud computing platforms, big data applications, mobile internet access, the Internet of Things and industrial control systems, analysed and summarised the security concerns and security control elements in these technologies and applications, and completed the first draft of the basic requirements.

From February 2015 to July 2016 the drafting group, starting from the first draft, widely solicited opinions from industry users, security service organisations and experts in various industries and fields, adjusted and improved the draft according to those opinions, and produced seven successive drafts of the standard. In September 2016 the drafting group attended the standard promotion meeting of the Committee's WG5 working group; following the suggestions of experts and member units, the draft was revised and the draft for comments was formed. In April 2017 the drafting group again attended the WG5 standard promotion meeting; the draft for comments was revised according to the suggestions collected on it, and the draft for review was formed. In October 2017 the drafting group attended the WG5 standard promotion meeting once more, presented the contents of the draft for review, solicited the opinions of member units, revised and improved the draft for review according to the suggestions collected, and formed the draft for approval.

GB/T 22239-2019, Information security technology: Basic requirements for classified protection of network security, came into force in 2019. This paper compares GB/T 22239-2019 with GB/T 22239-2008 to show where the major changes lie, and interprets the main content of its general security requirements and security extension requirements, so that readers can better understand and master GB/T 22239-2019.

1 Changes in the overall structure

1.1 Main changes

Compared with GB/T 22239-2008, GB/T 22239-2019 has changed in both overall structure and detail [4]. The main changes in the overall structure are:

1) To align with the Cybersecurity Law and support the implementation of the network security classified protection system, the name of the standard was changed from "Basic requirements for information system security classified protection" to "Basic requirements for classified protection of network security".

2) The objects of classified protection were extended from information systems alone to basic information networks, information systems (including systems using mobile internet technology), cloud computing platforms/systems, big data applications/platforms/resources, the Internet of Things and industrial control systems.

3) The security requirements at each level were split into general security requirements and security extension requirements. The security extension requirements comprise cloud computing security extension requirements, mobile internet security extension requirements, Internet of Things security extension requirements and industrial control system security extension requirements. The general security requirements must be met whatever form the protected object takes; the particular requirements put forward for cloud computing, mobile internet, the Internet of Things and industrial control systems are called security extension requirements.

4) The technical requirements at each level in the original standard, "physical security", "network security", "host security", "application security" and "data backup and recovery", were revised to "secure physical environment", "secure communication network", "security zone boundary", "secure computing environment" and "security management center"; the management requirements at each level, "security management system", "security management organization", "personnel security management", "system construction management" and "system operation and maintenance management", were revised to "security management system", "security management organization", "security management personnel", "security construction management" and "security operation and maintenance management" [5].

5) Cloud computing security extension requirements were proposed according to the characteristics of cloud computing environments. The main contents include "infrastructure location", "virtualization security", "image and snapshot protection", "cloud computing environment management" and "cloud service provider selection".

6) Mobile internet security extension requirements were proposed according to the characteristics of the mobile internet. The main contents include "physical location of wireless access points", "mobile terminal control", "mobile application control", "mobile application software procurement" and "mobile application software development".

7) Internet of Things security extension requirements were proposed according to the characteristics of the Internet of Things. The main contents include "physical protection of sensing nodes", "sensing node device security", "gateway node device security", "sensing node management" and "data fusion processing".

8) Industrial control system security extension requirements were proposed according to the characteristics of industrial control systems. The main contents include "protection of outdoor control equipment", "industrial control system network architecture security", "dial-up usage control", "wireless usage control" and "control equipment security".

9) The original S, A and G marks on security control points were removed, and Appendix A, "Selection and use of general security requirements and security extension requirements", was added. It describes the relationship between the grading result of a classified protection object and the security requirements, explains how to select the relevant security requirement clauses according to the S and A grading results, and simplifies the main body of the standard.

10) Appendix C, describing the security framework and key technologies of classified protection, was added, together with Appendix D on cloud computing application scenarios, Appendix E on mobile internet application scenarios, Appendix F on Internet of Things application scenarios, Appendix G on industrial control system application scenarios and Appendix H on big data application scenarios [6, 7].

1.2 Meaning and effect of the changes

The division of GB/T 22239-2019 into general security requirements and security extension requirements makes the standard more flexible and targeted to use. Because different classified protection objects adopt different information technologies, the protection measures they adopt also differ. For example, the protection measures of a traditional information system differ from those of a cloud computing platform, and those of a cloud computing platform differ from those of an industrial control system. To reflect these differences between objects, GB/T 22239-2019 divides the security requirements into general security requirements and security extension requirements.

The general security requirements are put forward for common protection needs: whatever form a protected object takes, it must implement the general security requirements of the level corresponding to its security protection level. The security extension requirements are put forward for individual protection needs: a classified protection object that uses a specific technology or operates in a specific application scenario must, according to its security protection level, also implement the corresponding security extension requirements. The security protection measures for a classified protection object therefore need to implement both the general security requirements and the security extension requirements, so that objects of different kinds are protected more effectively. For example, a traditional information system may only need the protection measures proposed by the general security requirements; a cloud computing platform needs the measures proposed by the general security requirements and, according to its technical characteristics, those proposed by the cloud computing security extension requirements; an industrial control system needs the measures proposed by the general security requirements and, according to its technical characteristics, those proposed by the industrial control system security extension requirements.

2 Contents of the general security requirements

2.1 Basic classification of the general security requirements

GB/T 22239-2019 specifies security requirements for protected objects from Level 1 to Level 4, and the security requirements of each level consist of general security requirements and security extension requirements. For example, the basic structure of the Level 3 security requirements in GB/T 22239-2019 is:

8 Level 3 security requirements

8.1 General security requirements

8.2 Cloud computing security extension requirements

8.3 Mobile internet security extension requirements

8.4 Internet of Things security extension requirements

8.5 Industrial control system security extension requirements

The general security requirements are subdivided into technical requirements and management requirements. The technical requirements comprise "secure physical environment", "secure communication network", "security zone boundary", "secure computing environment" and "security management center"; the management requirements comprise "security management system", "security management organization", "security management personnel", "security construction management" and "security operation and maintenance management". Together these make 10 categories, as shown in Figure 1.

Figure 1 Basic classification of the general security requirements

2.2 Technical requirements

The classification of the technical requirements reflects a defense-in-depth idea, from the outside inward. The security protection of a classified protection object should be considered as overall protection from the outside in: from the communication network, to the zone boundary, and then to the computing environment, while also considering the security protection of the physical environment in which it sits. For higher-level protection objects, centralized technical management of the security functions or security components distributed throughout the system must also be considered.

1) Secure physical environment

The secure physical environment part of the general security requirements sets security controls for the physical machine room. Its main objects are the physical environment, physical equipment and facilities; the security control points involved are physical location selection, physical access control, anti-theft and anti-vandalism, lightning protection, fire prevention, water and moisture protection, anti-static, temperature and humidity control, power supply and electromagnetic protection.

Table 1 gives the control points of the secure physical environment and how the requirements change from level to level. Each number is the count of required items under that control point at that level; the higher the level, the more items are required. The numbers in the following tables have the same meaning.

Table 1 Secure physical environment: control points and requirement counts by level

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Physical location selection | 0 | 2 | 2 | 2 |
| 2 | Physical access control | 1 | 1 | 1 | 2 |
| 3 | Anti-theft and anti-vandalism | 1 | 2 | 3 | 3 |
| 4 | Lightning protection | 1 | 1 | 2 | 2 |
| 5 | Fire prevention | 1 | 2 | 3 | 3 |
| 6 | Water and moisture protection | 1 | 2 | 3 | 3 |
| 7 | Anti-static | 0 | 1 | 2 | 2 |
| 8 | Temperature and humidity control | 1 | 1 | 1 | 1 |
| 9 | Power supply | 1 | 2 | 3 | 4 |
| 10 | Electromagnetic protection | 0 | 1 | 2 | 2 |

The machine room hosting a higher-level system strengthens the physical access control, power supply and electromagnetic protection requirements compared with one hosting a lower-level system. For example, compared with Level 3, Level 4 adds requirements such as "important areas shall be equipped with a second electronic access control system", "emergency power supply facilities shall be provided" and "electromagnetic shielding shall be applied to key areas".

2) Secure communication network

The secure communication network part of the general security requirements sets security controls for the communication network. Its main objects are wide area networks, metropolitan area networks, local area networks and the like; the security control points involved are network architecture, communication transmission and trusted verification.

Table 2 gives the control points of the secure communication network and how the requirements change from level to level.

Table 2 Secure communication network: control points and requirement counts by level

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Network architecture | 0 | 2 | 5 | 6 |
| 2 | Communication transmission | 1 | 1 | 2 | 4 |
| 3 | Trusted verification | 1 | 1 | 1 | 1 |

The communication network of a higher-level system strengthens the requirements on priority bandwidth allocation, device access authentication and communication device authentication compared with that of a lower-level system. For example, compared with Level 3, Level 4 adds requirements such as "it shall be possible to allocate bandwidth according to the importance of business services, giving priority to important business", "a trusted verification mechanism shall be adopted to verify devices joining the network, ensuring that the devices connected to the network are authentic" and "both parties to a communication shall be verified or authenticated based on cryptographic technology before communicating".

3) Security zone boundary

The security zone boundary part of the general security requirements sets security controls for the network boundary. Its main objects are system boundaries and zone boundaries; the security control points involved are boundary protection, access control, intrusion prevention, malicious code prevention, security audit and trusted verification.

Table 3 gives the control points of the security zone boundary and how the requirements change from level to level.

Table 3 Security zone boundary: control points and requirement counts by level

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Boundary protection | 1 | 1 | 4 | 6 |
| 2 | Access control | 3 | 4 | 5 | 5 |
| 3 | Intrusion prevention | 0 | 1 | 4 | 4 |
| 4 | Malicious code prevention | 0 | 1 | 2 | 2 |
| 5 | Security audit | 0 | 3 | 4 | 3 |
| 6 | Trusted verification | 1 | 1 | 1 | 1 |

The network boundary of a higher-level system strengthens the requirements on high-strength isolation and blocking of illegal access compared with that of a lower-level system. For example, compared with Level 3, Level 4 adds requirements such as "data exchange at the network boundary shall be carried out by means of communication protocol conversion or communication protocol isolation" and "it shall be possible to detect unauthorized devices connecting to the internal network without permission, or internal users connecting to external networks without permission, and to block them effectively".

4) Secure computing environment

The secure computing environment part of the general security requirements sets security controls for everything inside the boundary. Its objects are all objects inside the boundary, including network devices, security devices, servers, terminals, application systems and data objects; the security control points involved are identity authentication, access control, security audit, intrusion prevention, malicious code prevention, trusted verification, data integrity, data confidentiality, data backup and recovery, residual information protection and personal information protection.

Table 4 gives the control points of the secure computing environment and how the requirements change from level to level.

Table 4 Secure computing environment: control points and requirement counts by level

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Identity authentication | 2 | 3 | 4 | 4 |
| 2 | Access control | 3 | 4 | 7 | 7 |
| 3 | Security audit | 0 | 3 | 4 | 4 |
| 4 | Intrusion prevention | 2 | 5 | 6 | 6 |
| 5 | Malicious code prevention | 1 | 1 | 1 | 1 |
| 6 | Trusted verification | 1 | 1 | 1 | 1 |
| 7 | Data integrity | 1 | 1 | 2 | 3 |
| 8 | Data confidentiality | 0 | 0 | 2 | 2 |
| 9 | Data backup and recovery | 1 | 2 | 3 | 4 |
| 10 | Residual information protection | 0 | 1 | 2 | 2 |
| 11 | Personal information protection | 0 | 2 | 2 | 2 |
The computing environment of a higher-level system strengthens the requirements on identity authentication, access control and program integrity compared with that of a lower-level system. For example, compared with Level 3, Level 4 adds requirements such as "two or more authentication techniques combined from passwords, cryptography, biometrics and the like shall be used to authenticate users, and at least one of them shall be implemented using cryptography", "security labels shall be set on subjects and objects, and a subject's access to an object shall be decided according to the security labels and mandatory access control rules" and "an active-immunity trusted verification mechanism shall be adopted to identify intrusion and virus behaviour in time and block it effectively".
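The security-label requirement quoted above is easier to reason about with a concrete decision function. The following Python is an added example written for this interpretation; it is not text or code from GB/T 22239-2019 or from any product. It assumes a label model of a classification level plus a set of categories, and the Bell-LaPadula "no read up, no write down" rules as the mandatory rules; the level names and the sample labels are constructed. It also shows the usual ordering in which a mandatory decision is combined with a discretionary one (an ACL check, represented here as a boolean), so that the discretionary check can only narrow what the labels permit.

```python
"""Mandatory access control (MAC) decisions from security labels.

Added example for the Level 4 requirement that subjects and objects carry
security labels and that access is decided from the labels plus mandatory
rules. Example code written for this page, not code from GB/T 22239-2019 or
any product. Assumptions: a label is (classification level, categories); the
mandatory rules are the Bell-LaPadula simple-security and *-properties.
Level names and sample labels below are constructed.
"""
from dataclasses import dataclass, field

# Assumed ordering of classification levels, lowest to highest.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: classification level plus need-to-know categories."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown classification level: {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """self >= other in the label lattice: a level at least as high and a
        superset of the other's categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def mac_allows(subject: Label, obj: Label, op: str) -> bool:
    """Mandatory rule. Reading requires the subject to dominate the object
    (no read up); writing requires the object to dominate the subject (no
    write down); read-write requires both, which means equal labels."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    if op == "readwrite":
        return subject.dominates(obj) and obj.dominates(subject)
    raise ValueError(f"unknown operation: {op!r}")


def decide(subject: Label, obj: Label, op: str, dac_allows: bool = True) -> dict:
    """Combine the mandatory decision with a discretionary one (for example an
    ACL lookup, passed in as a boolean). MAC is evaluated first and DAC can
    only narrow access: the request is allowed only if both permit it. The
    record carries both outcomes so it can be written to the audit log."""
    mac = mac_allows(subject, obj, op)
    return {
        "op": op,
        "subject": (subject.level, sorted(subject.categories)),
        "object": (obj.level, sorted(obj.categories)),
        "mac": mac,
        "dac": dac_allows,
        "allowed": mac and dac_allows,
    }


if __name__ == "__main__":
    # Constructed sample labels.
    analyst = Label("secret", frozenset({"finance"}))
    hr_officer = Label("secret", frozenset({"hr"}))
    clerk = Label("internal")
    ledger = Label("confidential", frozenset({"finance"}))
    editor = Label("confidential", frozenset({"finance"}))

    print(decide(analyst, ledger, "read"))     # allowed: analyst dominates ledger
    print(decide(analyst, ledger, "write"))    # denied: writing down would leak secret data
    print(decide(hr_officer, ledger, "read"))  # denied: level suffices, category "finance" missing
    print(decide(clerk, ledger, "write"))      # MAC permits a blind write up; DAC decides in practice
    print(decide(editor, ledger, "readwrite", dac_allows=False))  # labels equal, denied by DAC
```

The point of the `hr_officer` case is that a high classification level alone does not grant access: the categories of the object must also be covered by the subject's label, which is what makes labels usable for need-to-know separation inside one level.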

5) Security management center

The security management center part of the general security requirements sets technical controls for security management across the whole system, achieving centralized management through technical means. The security control points involved are system management, audit management, security management and centralized control.

Table 5 gives the control points of the security management center and how the requirements change from level to level.

Table 5 Security management center: control points and requirement counts by level

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | System management | 2 | 2 | 2 | 2 |
| 2 | Audit management | 2 | 2 | 2 | 2 |
| 3 | Security management | 0 | 2 | 2 | 2 |
| 4 | Centralized control | 0 | 0 | 6 | 7 |
The security management of a higher-level system strengthens the requirements on centralized control by technical means compared with that of a lower-level system. For example, compared with Level 2, Level 3 adds requirements such as "a specific management zone shall be allocated to control the security devices or security components distributed throughout the network", "network links, security devices, network devices and servers shall be monitored centrally", "the audit data scattered across the various devices shall be collected, aggregated and analysed centrally, and the retention period of audit records shall meet the requirements of laws and regulations" and "security policies, malicious code, patch upgrades and other security-related matters shall be managed centrally".
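The centralized-audit requirement quoted above has two practical halves: records from heterogeneous devices have to be normalised into one store, and the store has to be checked against the required retention period. The following Python is an added example written for this interpretation, not code from GB/T 22239-2019 or from any product. The three record formats, the device names and every log line are constructed samples, and `MIN_RETENTION_DAYS` is a placeholder to be set from whatever regulation applies to the system.

```python
"""Centralized collection of audit records with a retention check.

Added example for the Level 3 security management center requirement to
collect, aggregate and analyse scattered audit data centrally and keep audit
records for the legally required period. Example code written for this page,
not code from GB/T 22239-2019 or any product. The formats, device names and
log lines are constructed; MIN_RETENTION_DAYS is a placeholder.
"""
import re
from datetime import datetime, timezone

MIN_RETENTION_DAYS = 180  # placeholder: set from the applicable regulation

# Constructed sample records from three device types with different timestamp
# formats: ISO 8601 with Z, "YYYY-MM-DD HH:MM:SS", and Unix epoch seconds.
SAMPLE_LINES = [
    "fw01 2024-01-01T00:00:00Z deny src=10.0.0.5 dst=10.0.1.9 dport=445",
    "fw01 2024-06-30T23:59:00Z allow src=10.0.0.7 dst=10.0.1.9 dport=443",
    "srv-db 2024-05-01 00:00:00 LOGIN user=dba result=success",
    "srv-db 2024-06-30 12:00:00 LOGIN user=dba result=failure",
    "switch7 1717200000 link-up port=Gi1/0/3",
    "garbage line that matches no known format",
]

# One regex per device format (named groups device, ts, event) together with
# a parser for its timestamp. Every timestamp is normalised to UTC.
FORMATS = [
    (re.compile(r"^(?P<device>\S+) (?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<event>.+)$"),
     lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)),
    (re.compile(r"^(?P<device>\S+) (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<event>.+)$"),
     lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)),
    (re.compile(r"^(?P<device>\S+) (?P<ts>\d{9,10}) (?P<event>.+)$"),
     lambda s: datetime.fromtimestamp(int(s), tz=timezone.utc)),
]


def parse_line(line: str):
    """Return a normalised record {device, ts, event}, or None if no format matches."""
    for pattern, to_datetime in FORMATS:
        m = pattern.match(line.strip())
        if m:
            return {"device": m["device"], "ts": to_datetime(m["ts"]), "event": m["event"]}
    return None


def collect(lines):
    """Central store: parsed records from all devices, ordered by time.
    Lines that match no format are counted, not silently dropped, because a
    collector that loses records defeats the purpose of central audit."""
    records, rejected = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records, rejected


def retention_report(records, now: datetime, min_days: int = MIN_RETENTION_DAYS):
    """Per device: the oldest record held, how many days of history that
    covers, and whether the coverage reaches the required retention period."""
    oldest = {}
    for rec in records:
        dev = rec["device"]
        if dev not in oldest or rec["ts"] < oldest[dev]:
            oldest[dev] = rec["ts"]
    report = {}
    for dev, ts in oldest.items():
        covered = (now - ts).days
        report[dev] = {"oldest": ts.isoformat(), "covered_days": covered,
                       "ok": covered >= min_days}
    return report


def run_report(lines, now_iso: str, min_days: int = MIN_RETENTION_DAYS):
    """Convenience entry point: collect the lines and report retention as of
    the given ISO 8601 evaluation time; returns (report, rejected_count)."""
    now = datetime.fromisoformat(now_iso)
    records, rejected = collect(lines)
    return retention_report(records, now, min_days), rejected


if __name__ == "__main__":
    report, rejected = run_report(SAMPLE_LINES, "2024-07-01T00:00:00+00:00")
    print(f"{rejected} line(s) rejected")
    for dev, info in report.items():
        print(dev, info)
```

With the constructed evaluation time of 1 July 2024, only `fw01` holds enough history to satisfy the placeholder period; a real collector would additionally verify that the oldest record on each device was not purged early, which requires comparing against the device's own first-boot or log-rotation timestamps rather than against the oldest line that happened to arrive.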

2.3 Management requirements

The classification of the management requirements reflects the idea of comprehensive management, from elements to activities. Security management requires all three elements, "organization", "system" and "personnel", none of which can be dispensed with; at the same time, the important activities in system construction and rectification and in operation and maintenance must be controlled and managed. For higher-level protection objects a complete security management system must be built.

1) Security management system

The security management system part of the general security requirements sets security controls for the management system as a whole; the security control points involved are security policy, management system, formulation and release, and review and revision.

Table 6 gives the control points of the security management system and how the requirements change from level to level.

Table 6 Security management system: control points and requirement counts by level

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Security policy | 0 | 1 | 1 | 1 |
| 2 | Management system | 1 | 2 | 3 | 3 |
| 3 | Formulation and release | 0 | 2 | 2 | 2 |
| 4 | Review and revision | 0 | 1 | 1 | 1 |

2) Security management organization

The security management organization part of the general security requirements sets security controls for the entire management organization structure; the security control points involved are post setting, staffing, authorization and approval, communication and cooperation, and audit and inspection.

Table 7 gives the control points of the security management organization and how the requirements change from level to level.

Table 7 Security management organization: control points and requirement counts by level

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Post setting | 1 | 2 | 3 | 3 |
| 2 | Staffing | 1 | 1 | 2 | 3 |
| 3 | Authorization and approval | 1 | 2 | 3 | 3 |
| 4 | Communication and cooperation | 0 | 3 | 3 | 3 |
| 5 | Audit and inspection | 0 | 1 | 3 | 3 |

3) Security management personnel

The security management personnel part of the general security requirements sets security controls for the way personnel are managed; the security control points involved are personnel recruitment, personnel departure, security awareness education and training, and access management of external personnel.

Table 8 gives the control points of security management personnel and how the requirements change from level to level.

Table 8 Security management personnel: control points and requirement counts by level

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Personnel recruitment | 1 | 2 | 3 | 4 |
| 2 | Personnel departure | 1 | 1 | 2 | 2 |
| 3 | Security awareness education and training | 1 | 1 | 3 | 3 |
| 4 | Access management of external personnel | 1 | 3 | 4 | 5 |

4) Security construction management

The security construction management part of the general security requirements sets security controls for the security construction process; the security control points involved are grading and filing, security scheme design, procurement and use of security products, in-house software development, outsourced software development, project implementation, test and acceptance, system delivery, grade evaluation and service provider management.

Table 9 gives the control points of security construction management and how the requirements change from level to level.

Table 9 Security construction management: control points and requirement counts by level

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Grading and filing | 1 | 4 | 4 | 4 |
| 2 | Security scheme design | 1 | 3 | 3 | 3 |
| 3 | Procurement and use of security products | 1 | 2 | 3 | 4 |
| 4 | In-house software development | 0 | 2 | 7 | 7 |
| 5 | Outsourced software development | 0 | 2 | 3 | 3 |
| 6 | Project implementation | 1 | 2 | 3 | 3 |
| 7 | Test and acceptance | 1 | 2 | 2 | 2 |
| 8 | System delivery | 2 | 3 | 3 | 3 |
| 9 | Grade evaluation | 0 | 3 | 3 | 3 |
| 10 | Service provider management | 2 | 2 | 3 | 3 |

5) Security operation and maintenance management

The security operation and maintenance management part of the general security requirements sets security controls for the security operation and maintenance process; the security control points involved are environmental management, asset management, media management, equipment maintenance management, vulnerability and risk management, network and system security management, malicious code prevention management, configuration management, password management, change management, backup and recovery management, security incident handling, emergency plan management and outsourced operation and maintenance management.

Table 10 gives the control points of security operation and maintenance management and how the requirements change from level to level.

Table 10 Security operation and maintenance management: control points and requirement counts by level

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Environmental management | 2 | 3 | 3 | 4 |
| 2 | Asset management | 0 | 1 | 3 | 3 |
| 3 | Media management | 1 | 2 | 2 | 2 |
| 4 | Equipment maintenance management | 1 | 2 | 4 | 4 |
| 5 | Vulnerability and risk management | 1 | 1 | 2 | 2 |
| 6 | Network and system security management | 2 | 5 | 10 | 10 |
| 7 | Malicious code prevention management | 2 | 3 | 2 | 2 |
| 8 | Configuration management | 0 | 1 | 2 | 2 |
| 9 | Password management | 0 | 2 | 2 | 3 |
| 10 | Change management | 0 | 1 | 3 | 3 |
| 11 | Backup and recovery management | 2 | 3 | 3 | 3 |
| 12 | Security incident handling | 2 | 3 | 4 | 5 |
| 13 | Emergency plan management | 0 | 2 | 4 | 5 |
| 14 | Outsourced operation and maintenance management | 0 | 2 | 4 | 4 |

3 Security extension requirements

Security extension requirements are the security requirements that must be added for a classified protection object that uses a specific technology or operates in a specific application scenario. The security extension requirements proposed in GB/T 22239-2019 comprise cloud computing security extension requirements, mobile internet security extension requirements, Internet of Things security extension requirements and industrial control system security extension requirements.

3.1 Cloud computing security extension requirements

An information system that adopts cloud computing technology is usually called a cloud computing platform. A cloud computing platform consists of facilities, hardware, a resource abstraction and control layer, virtualized computing resources, software platforms and application software. A cloud computing platform usually has two roles, the cloud service provider and the cloud service customer (cloud tenant). According to the type of service the cloud service provider offers, there are three basic cloud service models: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). In the different service models, the cloud service provider and the cloud service customer control different ranges of resources, and the scope of control determines the boundary of security responsibility.

The cloud computing security extension requirements are the additional security requirements that a cloud computing platform must implement beyond the general security requirements. The control points involved are infrastructure location, network boundary access control, network boundary intrusion prevention, network boundary security audit, centralized control, computing environment identity authentication, computing environment access control, computing environment intrusion prevention, image and snapshot protection, data security, data backup and recovery, residual information protection, cloud service provider selection, supply chain management and cloud computing environment management, together with network architecture.

Table 11 gives the control points of the cloud computing security extension requirements and how the requirements change from level to level.

Table 11 Cloud computing security extension requirements: control points and requirement counts by level

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Infrastructure location | 1 | 1 | 1 | 1 |
| 2 | Network architecture | 2 | 3 | 5 | 8 |
| 3 | Access control (network boundary) | 1 | 2 | 2 | 2 |
| 4 | Intrusion prevention (network boundary) | 0 | 3 | 4 | 4 |
| 5 | Security audit (network boundary) | 0 | 2 | 2 | 2 |
| 6 | Centralized control | 0 | 0 | 4 | 4 |
| 7 | Identity authentication (computing environment) | 0 | 0 | 1 | 1 |
| 8 | Access control (computing environment) | 2 | 2 | 2 | 2 |
| 9 | Intrusion prevention (computing environment) | 0 | 0 | 3 | 3 |
| 10 | Image and snapshot protection | 0 | 2 | 3 | 3 |
| 11 | Data security | 1 | 3 | 4 | 4 |
| 12 | Data backup and recovery | 0 | 2 | 4 | 4 |
| 13 | Residual information protection | 0 | 2 | 2 | 2 |
| 14 | Cloud service provider selection | 3 | 4 | 5 | 5 |
| 15 | Supply chain management | 1 | 2 | 3 | 3 |
| 16 | Cloud computing environment management | 0 | 1 | 1 | 1 |

3.2 Mobile internet security extension requirements

In a classified protection object that adopts mobile internet technology, the mobile internet part usually consists of three components: mobile terminals, mobile applications and the wireless network. Mobile terminals connect to the wireless access device over a wireless channel and thereby to the wired network; the wireless access gateway restricts the access behaviour of mobile terminals through access control policies; a back-end mobile terminal management system (if deployed) is responsible for managing the mobile terminals, including issuing mobile device management, mobile application management and mobile content management policies to the client software.

The mobile internet security extension requirements are special security requirements for mobile terminals, mobile applications and wireless networks; together with the general security requirements they form the complete security requirements for classified protection objects that use mobile internet technology. The control points involved are the physical location of wireless access points, boundary protection between wireless and wired networks, access control between wireless and wired networks, intrusion prevention between wireless and wired networks, mobile terminal control, mobile application control, mobile application software procurement, mobile application software development and configuration management.

surface 12 The control points of mobile internet security extension requirements are given / Step by step change of requirements .

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Physical location of wireless access points | 1 | 1 | 1 | 1 |
| 2 | Border protection between wireless and wired networks | 1 | 1 | 1 | 1 |
| 3 | Access control between wireless and wired networks | 1 | 1 | 1 | 1 |
| 4 | Intrusion prevention between wireless and wired networks | 0 | 5 | 6 | 6 |
| 5 | Mobile terminal control | 0 | 0 | 2 | 3 |
| 6 | Mobile application control | 1 | 2 | 3 | 4 |
| 7 | Mobile application software procurement | 1 | 2 | 2 | 2 |
| 8 | Mobile application software development | 0 | 2 | 2 | 2 |
| 9 | Configuration management | 0 | 0 | 1 | 1 |

Table 12 Control points of the mobile internet security extension requirements and change in the number of requirement items by level

3.3 Internet of things security extension requirements

The Internet of Things can generally be divided into three logical layers: the perception layer, the network transport layer and the processing application layer. The perception layer includes sensor nodes, sensor network gateway nodes, RFID tags and RFID readers, together with the communication between sensing devices and the sensor network gateway and the short-range (usually wireless) communication between RFID tags and RFID readers; the network transport layer includes the network that carries sensing data over long distances to the processing centre, such as the Internet, a mobile network or a convergence of several different networks; the processing application layer includes the platform that stores and intelligently processes the perception data and provides services to business application terminals. In a large Internet of Things deployment, the processing application layer generally consists of a cloud computing platform and business application terminals.

Security protection of the Internet of Things must cover the perception layer, the network transport layer and the processing application layer. Because the network transport layer and the processing application layer are usually made up of computer equipment, these two parts are protected according to the general security requirements. The Internet of Things security extension requirements are the special security requirements for the perception layer; together with the general security requirements they form the complete set of security requirements for the Internet of Things.

The control points covered by the Internet of Things security extension requirements are: physical protection of sensing nodes, intrusion prevention of the perception network, access control of the perception network, sensing node device security, gateway node device security, anti data replay, data fusion processing, and management of sensing nodes.

Table 13 lists the control points of the Internet of Things security extension requirements and how the number of requirement items changes from level to level.

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Physical protection of sensing nodes | 2 | 2 | 4 | 4 |
| 2 | Intrusion prevention of the perception network | 0 | 2 | 2 | 2 |
| 3 | Access control of the perception network | 1 | 1 | 1 | 1 |
| 4 | Sensing node device security | 0 | 0 | 3 | 3 |
| 5 | Gateway node device security | 0 | 0 | 4 | 4 |
| 6 | Anti data replay | 0 | 0 | 2 | 2 |
| 7 | Data fusion processing | 0 | 0 | 1 | 2 |
| 8 | Sensing node management | 1 | 2 | 3 | 3 |

Table 13 Control points of the Internet of Things security extension requirements and change in the number of requirement items by level

3.4 Security extension requirements for industrial control systems

Industrial control systems are usually classified protection objects with high availability requirements. "Industrial control system" is a collective term for several kinds of control systems, typically supervisory control and data acquisition (SCADA) systems and distributed control systems (DCS). Industrial control systems are commonly used in electric power, water and wastewater treatment, oil and gas, chemicals, transportation, pharmaceuticals, pulp and paper, food and beverage, and discrete manufacturing (such as automotive, aerospace and durable goods).

An industrial control system is generally divided, from top to bottom, into five layers: the enterprise resource layer, the production management layer, the process monitoring layer, the field control layer and the field device layer. The real-time requirements differ between layers, and security protection of an industrial control system must cover all of them. Because the enterprise resource layer, the production management layer and the process monitoring layer are usually made up of computer equipment, these layers are protected according to the general security requirements.

The industrial control system security extension requirements are the special security requirements for the field control layer and the field device layer; together with the general security requirements they form the complete set of security requirements for industrial control systems. The control points covered by the industrial control system security extension requirements are: protection of outdoor control equipment, network architecture, communication transmission, access control, dial-up usage control, wireless usage control, control equipment security, product procurement and use, and outsourced software development.

Table 14 lists the control points of the industrial control system security extension requirements and how the number of requirement items changes from level to level.

| No. | Control point | Level 1 | Level 2 | Level 3 | Level 4 |
|---|---|---|---|---|---|
| 1 | Protection of outdoor control equipment | 2 | 2 | 2 | 2 |
| 2 | Network architecture | 2 | 3 | 3 | 3 |
| 3 | Communication transmission | 0 | 1 | 1 | 1 |
| 4 | Access control | 1 | 2 | 2 | 2 |
| 5 | Dial-up usage control | 0 | 1 | 2 | 3 |
| 6 | Wireless usage control | 2 | 2 | 4 | 4 |
| 7 | Control equipment security | 2 | 2 | 5 | 5 |
| 8 | Product procurement and use | 0 | 1 | 1 | 1 |
| 9 | Outsourced software development | 0 | 1 | 1 | 1 |

Table 14 Control points of the industrial control system security extension requirements and change in the number of requirement items by level
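Tables 12, 13 and 14 above all have the same shape: a control point either has no requirement items at a given level or a count that never decreases as the level rises. A practitioner scoping an evaluation usually wants two derived views of that data: which extension control points are in scope at the target's level, and what is added when a target is re-graded upwards. The following script is an added example, not code from the article or from the standard; the per-level counts are transcribed from the three tables as the article reproduces them, while the function names and the `mobile`/`iot`/`ics` keys are this example's own labels.

```python
"""Scoping helper for the extension requirements of GB/T 22239-2019 (added example).

The item counts below are transcribed from Tables 12, 13 and 14 as reproduced in
the article. The data model and function names are the example's own, not
terminology from the standard.
"""
from typing import Dict, List, Tuple

Counts = Tuple[int, int, int, int]  # items required at Level 1, 2, 3, 4

# Hypothetical keys "mobile", "iot", "ics" label the three extension tables.
EXTENSION_TABLES: Dict[str, Dict[str, Counts]] = {
    "mobile": {  # Table 12: mobile internet security extension requirements
        "Physical location of wireless access points": (1, 1, 1, 1),
        "Border protection between wireless and wired networks": (1, 1, 1, 1),
        "Access control between wireless and wired networks": (1, 1, 1, 1),
        "Intrusion prevention between wireless and wired networks": (0, 5, 6, 6),
        "Mobile terminal control": (0, 0, 2, 3),
        "Mobile application control": (1, 2, 3, 4),
        "Mobile application software procurement": (1, 2, 2, 2),
        "Mobile application software development": (0, 2, 2, 2),
        "Configuration management": (0, 0, 1, 1),
    },
    "iot": {  # Table 13: Internet of Things security extension requirements
        "Physical protection of sensing nodes": (2, 2, 4, 4),
        "Intrusion prevention of the perception network": (0, 2, 2, 2),
        "Access control of the perception network": (1, 1, 1, 1),
        "Sensing node device security": (0, 0, 3, 3),
        "Gateway node device security": (0, 0, 4, 4),
        "Anti data replay": (0, 0, 2, 2),
        "Data fusion processing": (0, 0, 1, 2),
        "Sensing node management": (1, 2, 3, 3),
    },
    "ics": {  # Table 14: industrial control system security extension requirements
        "Protection of outdoor control equipment": (2, 2, 2, 2),
        "Network architecture": (2, 3, 3, 3),
        "Communication transmission": (0, 1, 1, 1),
        "Access control": (1, 2, 2, 2),
        "Dial-up usage control": (0, 1, 2, 3),
        "Wireless usage control": (2, 2, 4, 4),
        "Control equipment security": (2, 2, 5, 5),
        "Product procurement and use": (0, 1, 1, 1),
        "Outsourced software development": (0, 1, 1, 1),
    },
}


def is_valid_level(level: int) -> bool:
    """The standard defines protection levels 1 to 4 for these tables."""
    return level in (1, 2, 3, 4)


def in_scope(level: int, extensions: List[str]) -> Dict[str, int]:
    """Extension control points with at least one requirement item at `level`.

    Keys are "<extension>:<control point>" so that same-named points in
    different tables (e.g. "Access control") stay distinguishable.
    """
    if not is_valid_level(level):
        raise ValueError(f"protection level must be 1..4, got {level}")
    result: Dict[str, int] = {}
    for ext in extensions:
        if ext not in EXTENSION_TABLES:
            raise ValueError(f"unknown extension table: {ext}")
        for point, counts in EXTENSION_TABLES[ext].items():
            items = counts[level - 1]
            if items > 0:
                result[f"{ext}:{point}"] = items
    return result


def total_items(level: int, extensions: List[str]) -> int:
    """Total number of extension requirement items in scope at `level`."""
    return sum(in_scope(level, extensions).values())


def items_by_level(extension: str) -> List[int]:
    """Totals for Level 1..4 of one table, i.e. the table's column sums."""
    return [total_items(level, [extension]) for level in (1, 2, 3, 4)]


def upgrade_delta(from_level: int, to_level: int,
                  extensions: List[str]) -> Tuple[List[str], int]:
    """What re-grading from `from_level` to `to_level` adds.

    Returns the control points that first become applicable and the number
    of additional requirement items across all in-scope points.
    """
    before = in_scope(from_level, extensions)
    after = in_scope(to_level, extensions)
    new_points = sorted(p for p in after if p not in before)
    return new_points, sum(after.values()) - sum(before.values())


if __name__ == "__main__":
    # Scoping a Level 3 industrial IoT target that uses both extensions.
    for point, items in sorted(in_scope(3, ["iot", "ics"]).items()):
        print(f"{items:2d}  {point}")
    new, extra = upgrade_delta(2, 3, ["iot", "ics"])
    print(f"Level 2 -> 3 adds {len(new)} control points and {extra} items")
```

Because `in_scope` drops control points whose count is zero, the level-to-level diff reflects exactly what the "change by level" columns in the tables encode: at Level 1 a mobile internet target has only five extension control points in scope, and re-grading it to Level 3 brings in mobile terminal control and configuration management for the first time.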

4 Conclusion

《GB/T 22239-2019》 differs substantially from 《GB/T 22239-2008》 in both structure and content, and these changes have a definite impact on the construction and rectification of network security classified protection, on classified evaluation and on related work. How to build security solutions on the basis of the new standard, and how to carry out classified protection evaluation on that basis, require careful study of the new standard, so that new ideas and new methods for network security classified protection can be found.

Copyright notice
This article was written by [CNRio]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/173/202206220930296756.html