JR/T 0071-2012 English PDF (JR/T0071-2012)


JR/T 0071-2012: Implementation guide for classified protection of information system of financial industry
JR/T 0071-2012
JR
FINANCIAL INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 03.060
A 11
Implementation guide for classified protection of
information system of financial industry
ISSUED ON: JULY 6, 2012
IMPLEMENTED ON: JULY 6, 2012
Issued by: The People's Bank of China
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
3.1 Sensitive data
3.2 Risk
3.3 Security policy
3.4 Security requirement
3.5 Integrity
3.6 Availability
3.7 Weak password
4 Guide Preparation Policy
4.1 National requirements of classified protection
4.1.1 Basic requirements
4.1.2 Design requirements
4.2 Guidelines
4.2.1 Necessity of defense-in-depth design
4.2.2 Significance of the combination between basic requirements and defense-in-depth design
5 Information Security Assurance Framework
5.1 General
5.2 Technical system
5.2.1 Computing environment
5.2.2 Zone boundary
5.2.3 Communication network
5.2.4 Supporting facilities
5.3 Management system
6 Protection Requirements
6.1 Level II requirements
6.1.1 Technical requirements
6.1.2 Management requirements
6.2 Level III requirements
6.2.1 Technical requirements
6.2.2 Management requirements
6.3 Level IV requirements
6.3.1 Technical requirements
6.3.2 Management requirements
Appendix A (Informative) Implementation Measures for Classified Protection
A.1 Network security
A.1.1 Level II requirements and measures
A.1.2 Level III requirements and measures
A.1.3 Level IV requirements and measures
A.2 Host security
A.2.1 Level II requirements and measures
A.2.2 Level III requirements and measures
A.2.3 Level IV requirements and measures
A.3 Application security
A.3.1 Level II requirements and measures
A.3.2 Level III requirements and measures
A.3.3 Level IV requirements and measures
A.4 Data security
A.4.1 Level II requirements and measures
A.4.2 Level III requirements and measures
A.4.3 Level IV requirements and measures
Appendix B (Informative) Selection of Security Requirements of Financial Industry and the Use Instructions
Bibliography
Foreword
This Standard is the first standard of the series "Classified Protection of
Information System for Financial Industry". The structure and names of this
series of standards are as follows:
Implementation Guide for Classified Protection of Information System of
Financial Industry;
Guidance on Assessment of Classified Protection of Information System for
Financial Industry;
Guide for Assessment Service Security of Classified Information Security
Protection of Financial Industry.
This Standard was drafted according to the rules given in GB/T 1.1-2009.
This Standard was proposed by the People's Bank of China.
This Standard shall be under the jurisdiction of the National Technical
Committee on Finance of Standardization Administration of China.
Main drafting organization of this Standard: The Science and Technology
Department of the People's Bank of China.
Drafting organization of this Standard: China Financial Computerization Corp.
Main drafters of this Standard: Wang Yonghong, Wang Xiaoqing, Zhang Yongfu,
Wang Xiaoyan, Wang Haitao, Yang Jian, Bai Zhiyong, Shen Like, Xu Ming, Xu
Ziqiang, Qiu Ningning, Li Fan, Zheng Kaiyi, Chen Guanghui, Zhao Yibin, Yang
Ying, Zhou Qingbin.
This Standard is issued for the first time.
Introduction
Important information systems of the financial industry bear on national
welfare and people's livelihood, and are the principal objects of national
information security protection. National functions for supervising information
security are required to guide and supervise the information security protection
work for their important information and information systems.
Classified protection of information security is a basic system for information
security assurance work, and the financial industry, as one of the important
information system industries, shall implement it. Advancing classified
protection of financial information security requires the support of a series of
standard systems appropriate to the classified protection of the financial
industry, so as to regulate and supervise the operation of the classified
protection. In this regard, the Science and Technology Department of the People's
Bank of China has organized experts and technical personnel in classified
security protection, taking into account the national systems and standards on
classified protection of information security, to develop industry standards and
implementation guidelines for classified protection that are practicable and
appropriate to the characteristics of the financial industry. According to the
information system rating in the financial industry, there is no Level V system;
Level I systems are exempted from registration with the public security authority
and are not regarded as key assessment objects. This Standard has deleted the
specific content requirements of organization assessment for Level I and Level V
information systems.
In this document, requirements in bold type and marked as Class F are security
requirements added according to the service characteristics of the financial
industry, and requirements in bold type but not marked as Class F are
requirements enhanced relative to those in "Baseline for Classified Protection
of Information System Security" (GB/T 22239-2008).
Implementation...
