網路安全等級保護測評要求套用指南

為了更好地理解《信息安全技術網路安全等級保護評估要求》GB/T 28448-2019的相關內容，進一步提高測試評估機構的評估能力，國家相關部門和主要機構聯合編寫了本書。

對於評估要求中的每個評估單元，本書重點介紹了評估目標的確定、評估實施的要點和方法，以便更好地指導分類測試和評估機構，涉密保護對象的運行使用單位和主管部門開展網路安全涉密保護評估工作。

這本書分為八章。第一章是基本概念，闡述了網路安全保密評估的相關術語或概念，主要包括保密測試與評估、評估目標與選擇、評估指標與選擇、評估目標與評估指標的映射關係、非適用的評價指標、評價強度、評價方法、單項評價、整體評價和評價結論等。第二章是評價要求的總體介紹，闡述了安全評價一般要求和安全評價擴展要求的含義。第三章是三級和四級通用評估要求的套用解釋。第四章是雲計算安全評估擴展需求的套用和解釋。第五章是移動網際網路擴展安全評估要求的套用和解釋。第六章是物聯網擴展安全評估要求的套用和解釋。第7章是工控系統擴展安全評估要求的套用和解釋，第8章是大數據擴展安全評估要求的套用和解釋。解釋的內容包括評價目標、評價實施要點和方法等，評價指標的安全防護等級由評價單元編號確定。

Chapter 1Basic Concepts 1

1.1Classified Evaluation1

1.2Evaluation Targets Selection1

1.3Evaluation Index Selection2

1.4The Mapping Relationship Between Evaluation Targets and Evaluation Index

3

1.5NonApplicable Evaluation Index4

1.6Evaluation Strength5

1.7Evaluation Method6

1.8Singular Evaluation6

1.9Overall Evaluation7

1.10Evaluation Conclusion7

Chapter 2General Introduction of the Evaluation Requirements9

2.1Relevant Description of the Evaluation Requirements9

2.2Text Structure of the Evaluation Requirements11

2.3General Requirements and Extended Requirements of Security Evaluation12

Chapter 3Application and Interpretation of the General Security Evaluation

Requirements at Level Ⅲ and Level Ⅳ13

3.1Security Physical Environment13

3.1.1Selection of Physical Location13

3.1.2Physical Access Control 14

3.1.3AntiTheft and AntiVandal15

3.1.4Lightning Prevention 16

3.1.5Fire Protection17

3.1.6Water Resistance and Moisture Resistance19

3.1.7Static Electricity Prevention20

3.1.8Temperature and Humidity Control20

3.1.9Power Supply21

3.1.10Electromagnetic Protection23

3.2Security Communication Network24

3.2.1Network Architecture24

3.2.2Communication Transmission27

3.2.3Trusted Verification29

3.3Security Area Boundary31

3.3.1Boundary Protection31

3.3.2Access Control34

3.3.3Intrusion Prevention37

3.3.4Malicious Code and Spam Prevention39

3.3.5Security Audit40

3.3.6Trusted Verification43

3.4Security Computing Environment44

3.4.1Network Device and Security Device 44

3.4.2Server and Terminal55

3.4.3Application System67

3.4.4Data Security79

3.5Security Management Center87

3.5.1System Management87

3.5.2Audit Management88

3.5.3Security Management89

3.5.4Centralized Management and Control90

3.6Security Management Systems94

3.6.1Security Strategy94

3.6.2Management Systems95

3.6.3Development and Release96

3.6.4Review and Revision97

3.7Security Management Organization98

3.7.1Post Setting98

3.7.2Staffing99

3.7.3Authorization and Approval101

3.7.4Communication and Cooperation102

3.7.5Review and Inspection104

3.8Security Management Personnel106

3.8.1Staff Recruitment106

3.8.2Staff Dismissal108

3.8.3Security Awareness Education and Training109

3.8.4External Visitor Access Management110

3.9Security Development Management113

3.9.1Grading and Filing113

3.9.2Security Scheme Design114

3.9.3Product Procurement and Usage116

3.9.4Software SelfDevelopment118

3.9.5Outsourcing Software Development122

3.9.6Security Engineering Implementation123

3.9.7Test and Acceptance125

3.9.8System Delivery126

3.9.9Classified Security Evaluation127

3.9.10Service Provider Management128

3.10Security Operation and Maintenance Management130

3.10.1Environment Management130

3.10.2Asset Management132

3.10.3Media Management133

3.10.4Device Maintenance Management134

3.10.5Vulnerability and Risk Management136

3.10.6Network and System Security Management137

3.10.7Malicious Code Prevention Management142

3.10.8Configuration Management143

3.10.9Password Management144

3.10.10Change Management145

3.10.11Backup and Recovery146

3.10.12Security Incident Handling148

3.10.13Contingency Plan Management150

3.10.14Outsourcing Operation and Maintenance Management152

Chapter 4Application and Interpretation of the Extended Security Evaluation

Requirements of Cloud Computing155

4.1Overview of Cloud Computing155

4.1.1Basic Concepts155

4.1.2Characteristics of Cloud Computing System156

4.1.3Deployment Model of Cloud Computing157

4.1.4Service Model of Cloud Computing157

4.1.5Cloud Computing Evaluation158

4.2Application and Interpretation of the Extended Security Evaluation

Requirements of Cloud Computing at Level Ⅲ and Level Ⅳ162

4.2.1Security Physical Environment162

4.2.2Security Communication Network163

4.2.3Security Area Boundary168

4.2.4Security Computing Environment175

4.2.5Security Management Center186

4.2.6Security Management System190

4.2.7Security Management Organization190

4.2.8Security Management Personnel190

4.2.9Security Development Management190

4.2.10Security Operation and Maintenance Management194

Chapter 5Application and Interpretation of the Extended Security Evaluation

Requirements of Mobile Internet196

5.1Basic Concepts196

5.1.1Mobile Interconnection196

5.1.2Mobile Terminals196

5.1.3Wireless Access Gateway196

5.1.4Mobile Application Software196

5.1.5Mobile Terminal Management System197

5.2Application Interpretation of Extended Security Evaluation

Requirements of Mobile Internet at Level Ⅲ and Level Ⅳ197

5.2.1Security Physical Environment197

5.2.2Security Communication Network198

5.2.3Security Area Boundary199

5.2.4Security Computing Environment206

5.2.5Security Management Center230

5.2.6Security Management System230

5.2.7Security Management Organization231

5.2.8Security Management Personnel231

5.2.9Security Development Management231

5.2.10Security Operation and Maintenance Management233

Chapter 6Application and Interpretation of the Extended Security Evaluation

Requirements of IoT235

6.1Overview of IoT System235

6.1.1Characteristics of IoT System235

6.1.2Composition of IoT System235

6.1.3Overview of Extended Requirements for IoT Security237

6.1.4Basic Concepts238

6.2Application and Interpretation of the Extended Security Evaluation

Requirements of IoT at Level Ⅲ and Level Ⅳ 239

6.2.1Security Physical Environment239

6.2.2Security Communication Network241

6.2.3Security Area Boundary245

6.2.4Security Computing Environment253

6.2.5Security Management Center268

6.2.6Security Management System277

6.2.7Security Management Organization277

6.2.8Security Management Personnel277

6.2.9Security Development Management277

6.2.10Security Operation and Maintenance Management277

Chapter 7Application and Interpretation of the Extended Security Evaluation

Requirements of Industrial Control System280

7.1Overview of Industrial Control System280

7.1.1Characteristics of Industrial Control System280

7.1.2Functional Hierarchy Model of Industrial Control System282

7.1.3Evaluation Target and Index of Industrial Control System284

7.1.4Typical Industrial Control System287

7.2Application and Interpretation of the Extended Security Evaluation

Requirements of Industrial Control System at Level Ⅲ and Level Ⅳ290

7.2.1Security Physical Environment290

7.2.2Security Communication Network291

7.2.3Security Area Boundary300

7.2.4Security Computing Environment317

7.2.5Security Management Center343

7.2.6Security Management System343

7.2.7Security Management Organization343

7.2.8Security Management Personnel344

7.2.9Security Development Management344

7.2.10Security Operation and Maintenance Management345

Chapter 8Application and Interpretation of the Extended Security Evaluation

Requirement of Big Data346

8.1Basic Concepts346

8.1.1Big Data346

8.1.2Targets of Big Data Classification Protection347

8.2Extended Security Requirements and Best Practices348

8.3Application and Interpretation of the Extended Security Evaluation

Requirements of Big Data at Level Ⅲ and Level Ⅳ358

8.3.1Security Physical Environment358

8.3.2Security Communication Network358

8.3.3Security Area Boundary363

8.3.4Security Computing Environment364

8.3.5Security Management Center382

8.3.6Security Management System385

8.3.7Security Management Organization387

8.3.8Security Management Personnel390

8.3.9Security Development Management392

8.3.10Security Operation and Maintenance Management396