For each evaluation unit in Information Security Technology - Evaluation Requirements for Classified Protection of Cybersecurity (GB/T 28448-2019), this book focuses on the determination of evaluation targets and the key points and methods of evaluation implementation, so as to better guide cybersecurity classified evaluation agencies, the operating and using organizations of classified protection objects, and the competent authorities in carrying out classified cybersecurity protection evaluation work. The book consists of 8 chapters. Chapter 1 covers basic concepts, interpreting the terms and concepts related to classified cybersecurity protection evaluation, mainly including classified evaluation, evaluation targets and their selection, evaluation indicators and their selection, the mapping relationship between evaluation targets and evaluation indicators, non-applicable evaluation indicators, evaluation intensity, evaluation methods, single-item evaluation, overall evaluation, and evaluation conclusions. Chapter 2 is a general introduction to the Evaluation Requirements
Foreword
The Cybersecurity Law of the People's Republic of China came into force on June 1, 2017. This fundamental law in the field of cybersecurity clearly stipulates that China implements a system of classified protection of cybersecurity. On December 1, 2019, the National Standard of the People's Republic of China Information Security Technology - Evaluation Requirements for Classified Protection of Cybersecurity (GB/T 28448-2019, hereinafter referred to as the "Evaluation Requirements") came into force.
The Evaluation Requirements is the core standard guiding test and evaluation agencies in carrying out evaluations for the classified protection of cybersecurity. Correctly understanding and applying this standard is a prerequisite for the smooth implementation of classified protection of cybersecurity.
In order to better understand the "Evaluation Requirements" and further improve the evaluation capabilities of test and evaluation agencies, the Cybersecurity Bureau of the Ministry of Public Security, the Zhongguancun Information Security Evaluation Alliance, and the Information Security Rating Center of the Ministry of Public Security jointly organized and compiled the "Guidelines for the Application of Evaluation Requirements for Classified Protection of Cybersecurity".
For each evaluation unit in the Evaluation Requirements, this book focuses on the determination of evaluation targets and the key points and methods of evaluation implementation, so as to better guide classified test and evaluation agencies, the operating and using organizations of classified protection objects, and the competent authorities in carrying out evaluation work for classified cybersecurity protection.
This book is divided into 8 chapters. Chapter 1 covers basic concepts, explaining the terms and concepts related to the evaluation of classified cybersecurity protection, mainly including classified test and evaluation, evaluation targets and their selection, evaluation indicators and their selection, the mapping relationship between evaluation targets and evaluation indicators, non-applicable evaluation indicators, evaluation intensity, evaluation methods, single-item evaluation, overall evaluation, and evaluation conclusions. Chapter 2 is a general introduction to the Evaluation Requirements, elaborating on the meaning of the general requirements and the extended requirements for security evaluation. Chapter 3 is the application interpretation of the general evaluation requirements at Level III and Level IV. Chapter 4 is the application interpretation of the extended requirements for cloud computing security evaluation. Chapter 5 is the application interpretation of the extended security evaluation requirements for the mobile Internet. Chapter 6 is the application interpretation of the extended security evaluation requirements for the Internet of Things. Chapter 7 is the application interpretation of the extended security evaluation requirements for industrial control systems, and Chapter 8 is the application interpretation of the extended security evaluation requirements for big data. Each interpretation covers the evaluation targets and the main points and methods of evaluation implementation, and the security protection level of each evaluation metric is identified by its evaluation unit number.
The editor-in-chief of this book is Guo Qiquan, the associate editors-in-chief are Liu Jianwei and Wang Xinjie, and the other main contributors are Zhu Guobang, Fan Chunling, Pan Wenbo, Wang Lianqiang, and Yang Yuzhong.
Given the limited knowledge of the authors, this book inevitably has some shortcomings. Readers are kindly invited to provide feedback and corrections.
The Authors
March 2022
Guo Qiquan is Chief Engineer of the Cybersecurity Protection Bureau of the Ministry of Public Security.
Liu Jianwei is Dean of the School of Cyber Science and Technology at Beihang University. His main research areas include cryptography, 5G network security, mobile communication network security, integrated space-air-ground network security, e-health network security, smart mobile terminal security, and satellite-ground data link security.
Wang Xinjie is General Manager of Beijing Shidai Xinwei Information Technology Co., Ltd. (北京时代新威信息技术有限公司). He has worked in the cybersecurity industry since 2003 and participated in the development of the national information security standardization series of standards. His main roles include Senior Evaluator for Information Security Classified Protection, member of the National Information Security Standardization Technical Committee (SAC/TC 260), and China advisor to the International Information System Security Certification Consortium ((ISC)2).