GB 42250-2022 (English version): Information security technology - Security technical requirements of specialized cybersecurity products
Foreword
This document is developed in accordance with the rules given in GB/T 1.1-2020 Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights.
This document was proposed by and is under the jurisdiction of the Ministry of Public Security of the People's Republic of China.
Introduction
This document is formulated to implement Article 23 of the Cybersecurity Law of the People's Republic of China. The research and development, production, service and testing of specialized cybersecurity products shall be carried out in accordance with the security technical requirements of this document and other technical specifications stipulated by the relevant national competent authorities.
This document gives the baseline requirements that all specialized cybersecurity products and their providers need to meet.
Information security technology -
Security technical requirements of specialized cybersecurity products
1 Scope
This document specifies the security function requirements, self-security requirements and security assurance requirements for the specialized cybersecurity products.
This document is applicable to the research, development, production, service and testing of specialized cybersecurity products to be sold or provided.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition (including any amendments) applies.
GB/T 25069 Information security techniques - Terminology
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 25069 and the following apply.
3.1
specialized cybersecurity products
specialized hardware and software products used to protect cybersecurity
Note: including products that provide security protection capabilities in the form of services.
3.2
specialized cybersecurity products provider
developer or producer of specialized cybersecurity products or maintenance service provider for such products
3.3
security domain
collection of assets and resources that comply with common security policies
[Source: GB/T 25069-2022, 3.36]
3.4
personal information
all kinds of information related to an identified or identifiable natural person, recorded by electronic means, excluding information that has been anonymized
3.5
user information
electronically recorded information that is generated, collected, stored, transmitted or processed while an individual, legal person or other organization installs and uses specialized cybersecurity products
Note: user information includes network traffic information, security status information, security configuration data, operation process logs, as well as personal information.
3.6
malicious program
program with cyber-attack functions such as destroying networks and information systems, interfering with the normal use of networks and information systems, stealing or maliciously encrypting network and system data
Note: malicious programs mainly include viruses, worms, Trojans, and other programs that affect the safe and stable operation of hosts, networks or systems.
3.7
security flaw
weakness introduced by errors in design, development, configuration, production, operation and maintenance, etc., which may affect the security of specialized cybersecurity products
3.8
vulnerability
weakness in specialized cybersecurity products that can be exploited by a threat
4 Security function requirements
4.1 Access control
Specialized cybersecurity products with access control functions shall have the following functions:
a) Supporting the configuration of access control policies;
Note: different types of specialized cybersecurity products have different access control policies. For example, for network-based firewalls, access control policies are set based on source addresses, destination addresses, source ports, destination ports and network communication protocols; for virtual private network (VPN) products, access control policies are set based on user security attributes; for security isolation and information exchange products, access control policies are set based on application layer protocols.
b) Supporting the control of access to a security domain based on the access control policies.

