Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This document is developed in accordance with the rules given in GB/T 1.1-2020 Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents.
Attention is drawn to the possibility that some of the parts of this document may be the subject of patent rights. The issuing body of this document shall not be held responsible for identifying any or all such patent rights. This standard was proposed by and is under the jurisdiction of National Technical Committee on Transportation Information Communication and Navigation of Standardization Administration of China.
Introduction
Transportation is an important part of the national economy and one of the key industries in which China implements classified protection of cybersecurity. The competent department of the industry shall therefore further strengthen the management and guidance of cybersecurity, standardize the related work, and effectively ensure the cybersecurity of the industry.
Based on national standards such as GB 17859-1999 and GB/T 22239-2019, this document proposes the minimum protection requirements for targets of classified security with different security protection levels for transportation according to the technical development level of the transportation and cybersecurity protection requirements.
To facilitate the use of this document, many clauses of GB/T 22239-2019 are quoted and their sources are indicated. In this document, text in bold represents requirements that are added to, or strengthened beyond, those of the national standards.
Baseline for classified protection of cybersecurity of transportation
1 Scope
This document specifies the general principles for classified protection of cybersecurity of transportation, as well as the security requirements for the targets of classified security of Level 1 to Level 4.
This document is applicable to the planning design, security construction, supervision and management of cybersecurity of transportation.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute indispensable provisions of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 5271.8 Information technology - Vocabulary - Part 8: Security
GB 17859 Classified criteria for security protection of computer information system
GB/T 20839 Intelligent transport systems - General terminology
GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity
JT/T 904 Classification guide for security classified protection of transportation information system
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 5271.8, GB 17859, GB/T 20839, GB/T 22239 and JT/T 904 as well as the following apply.
3.1
cyber security
capabilities to prevent the network from attack, intrusion, interference, damage, illegal use and unexpected accident, enable the network to operate stably and reliably and ensure the integrity, confidentiality and availability of network data by taking necessary measures
[Source: GB/T 22239-2019, 3.1]
3.2
cloud service provider
provider of cloud computing service
Note: The cloud service provider manages, operates and supports the infrastructure and software of cloud computing, and delivers the cloud computing resources through the Internet.
[Source: GB/T 31167-2014, 3.3]
3.3
cloud service customer
participant entering into business relationship with the cloud service provider by using cloud computing service
[Source: GB/T 31167-2014, 3.4, modified]
3.4
baseline verification
method for verifying the baseline configured based on minimum security requirements for network device, security device, host operating system, database management system and business application system
3.5
important data processing system
important communication device and computing device for routing and forwarding, access control, network switching, release for use and storage of data
Note: Important communication device and computing device include but are not limited to boundary routers, boundary firewalls, core switches, application servers and database servers.
3.6
data security protection system
system or tool for protecting data
Note: The systems or tools include but are not limited to database firewalls, data leakage prevention, desensitization system, database encryption system and file encryption system.
4 Abbreviations
For the purposes of this document, the following abbreviations apply.
AP: Wireless Access Point
CPU: Central Processing Unit
DDoS: Distributed Denial of Service
DNS: Domain Name System
FTP: File Transfer Protocol
HTTP: Hyper Text Transfer Protocol
HTTPS: Hyper Text Transfer Protocol over Secure Socket Layer
IP: Internet Protocol
IT: Information Technology
MAC: Message Authentication Code
POP3: Post Office Protocol-Version 3
SMTP: Simple Mail Transfer Protocol
SQL: Structured Query Language
SSH: Secure Shell
SSID: Service Set Identifier
VPN: Virtual Private Network
WEP: Wired Equivalent Privacy
5 General
5.1 Target of classified security and security protection level
The target of classified security is the object of classified protection of cybersecurity: a system, composed of computers or other information terminals and related devices, that collects, stores, transmits, exchanges and processes information according to certain rules and programs. It mainly includes basic information networks, information systems (including systems adopting mobile communication technology), cloud computing platforms/systems, big data applications/platforms/resources, the Internet of Things (IoT) and industrial control systems.
The targets of classified security for transportation are classified into five security protection levels, from low to high, according to their importance to national security, economic construction and social life, and to the degree of harm that their damage would cause to national security, public interest and the legitimate rights and interests of citizens, legal persons and other organizations. The security protection level of a target of classified protection of cybersecurity of transportation shall be determined according to the requirements of JT/T 904.
5.2 Security protection ability
The basic security protection ability for different levels of targets of classified security of the transportation shall meet those specified in 5.2 of GB/T 22239-2019.
5.3 General security requirements and special security requirements
Due to different business objectives, adopted technologies, and application scenarios, target of classified security will appear in different forms. Targets of classified security in different forms will face different threats, so their security protection requirements are also different. For implementing the general and individualized protection for different levels and different forms of targets of classified security, security requirements of targets of classified security are divided into general security requirements and special security requirements.
The general security requirements address the protection needs common to all targets: a target of classified security, regardless of the form it takes, shall implement the general security requirements of the level corresponding to its security protection level. The special security requirements address individualized protection needs and shall be implemented selectively according to the security protection level and the specific technology or application scenario adopted.
[Source: GB/T 22239-2019, 5.3]
The security requirements shall be selected in accordance with Annex A of GB/T 22239-2019.
6 Level 1 security requirements
6.1 General security requirements
6.1.1 Physical environment security
6.1.1.1 Physical access control
Special personnel shall be designated or electronic access control system shall be set at the entrance/exit of machine room to control, identify and record the personnel entering the machine room.
[Source: GB/T 22239-2019, 6.1.1.1]
6.1.1.2 Prevention of burglary and damage
The network device, security device, server, storage device and other devices or main components shall be fixed and marked with obvious and indelible signs, which shall indicate asset number, person in charge of the device and other information.
6.1.1.3 Lightning protection
Various cabinets, facilities, devices and the like shall be safely earthed via the earthing system.
[Source: GB/T 22239-2019, 6.1.1.3]
6.1.1.4 Fire prevention
A portable gas fire extinguisher shall be provided in the machine room. The fire extinguisher shall have passed its annual inspection, be within its validity period and be in normal working order.
6.1.1.5 Waterproofing and dampproofing
Measures shall be taken to prevent the penetration of rainwater through the window, roof and wall of the machine room.
[Source: GB/T 22239-2019, 6.1.1.5]
6.1.1.6 Temperature and humidity control
The necessary temperature and humidity regulating facilities shall be installed so that the temperature and humidity changes in the machine room are within the allowable range for device operation.
[Source: GB/T 22239-2019, 6.1.1.6]
6.1.1.7 Power supply
The voltage regulator and overvoltage protection device shall be configured on the power supply line of the machine room.
[Source: GB/T 22239-2019, 6.1.1.7]
6.1.2 Communication network security
6.1.2.1 Communication transmission
Check technology shall be adopted to ensure the integrity of data in communication process.
[Source: GB/T 22239-2019, 6.1.2.1]
6.1.2.2 Trusted verification
The trusted verification shall be carried out for the system boot program, system program and the like of the communication device based on the trusted root, and an alarm is given after the credibility is detected as being damaged.
[Source: GB/T 22239-2019, 6.1.2.2]
6.1.3 Area boundary security
6.1.3.1 Boundary protection
The boundary protection requirements shall include:
a) ensuring that the access and data flow which cross over the boundary carry out communication via the controlled interface provided by boundary device;
b) being able to restrict the behavior of unauthorized device from connecting to the internal network privately; measures such as IP/MAC address binding and disabling the idle port of the network access device should be taken to restrict the networking;
c) being able to restrict the behavior of unauthorized connection of internal user to the external network; measures such as controlling the physical interface should be taken to restrict the behavior of connection of external network.
6.1.3.2 Access control
The access control requirements shall include:
a) setting access control rules at the network boundary according to the access control policy; by default, the controlled interface shall deny all communication except that which is allowed;
b) deleting redundant or invalid access control rules, optimizing the access control list and keeping the number of access control rules to a minimum;
c) inspecting the source address, destination address, source port, destination port, protocol, etc. to allow or deny data packets passing in and out.
[Source: GB/T 22239-2019, 6.1.3.2]
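The three items of 6.1.3.2 expressed as a baseline check, as an added example that is not part of the standard: it tests whether the catch-all rule of an access control list is a deny (item a), lists rules already covered by an earlier rule and therefore removable (item b), and evaluates packets by first match on the five-tuple (item c). The rule format, the function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = (0, 65535)


def net(cidr):
    return ipaddress.ip_network(cidr)


def within(inner, outer):
    """True if port range `inner` lies inside port range `outer`."""
    return outer[0] <= inner[0] and inner[1] <= outer[1]


@dataclass(frozen=True)
class Rule:
    # Hypothetical rule format (IPv4 only), not any vendor's syntax.
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    dport: tuple = ANY_PORT  # inclusive (low, high) destination ports
    sport: tuple = ANY_PORT  # inclusive (low, high) source ports

    def covers(self, other):
        """True if every packet that matches `other` also matches this rule."""
        return (self.proto in ("any", other.proto)
                and net(other.src).subnet_of(net(self.src))
                and net(other.dst).subnet_of(net(self.dst))
                and within(other.sport, self.sport)
                and within(other.dport, self.dport))

    def matches(self, proto, src, sport, dst, dport):
        """Item c): compare the packet's five-tuple with this rule."""
        return (self.proto in ("any", proto)
                and ipaddress.ip_address(src) in net(self.src)
                and ipaddress.ip_address(dst) in net(self.dst)
                and self.sport[0] <= sport <= self.sport[1]
                and self.dport[0] <= dport <= self.dport[1])


ANY_TRAFFIC = Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0")


def is_default_deny(rules):
    """Item a): the first rule that catches all traffic must be a deny.

    An ACL with no explicit catch-all is reported as non-compliant, because
    the implicit behaviour differs between devices (assumption).
    """
    for rule in rules:
        if rule.covers(ANY_TRAFFIC):
            return rule.action == "deny"
    return False


def shadowed_rules(rules):
    """Item b): indices of rules that can never match (an earlier rule covers them)."""
    return [i for i, rule in enumerate(rules)
            if any(earlier.covers(rule) for earlier in rules[:i])]


def decide(rules, proto, src, sport, dst, dport):
    """First-match evaluation; traffic matching no rule is denied (fail closed)."""
    for rule in rules:
        if rule.matches(proto, src, sport, dst, dport):
            return rule.action
    return "deny"


# Constructed sample ACL for a boundary device (documentation address ranges).
SAMPLE_ACL = [
    Rule("allow", "tcp", "10.1.0.0/16", "192.0.2.10/32", dport=(443, 443)),
    Rule("allow", "tcp", "10.1.5.0/24", "192.0.2.10/32", dport=(443, 443)),  # covered by rule 0
    Rule("allow", "udp", "10.1.0.0/16", "192.0.2.53/32", dport=(53, 53)),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("default deny:", is_default_deny(SAMPLE_ACL))
    print("removable rules:", shadowed_rules(SAMPLE_ACL))
    print("tcp/22 to server:",
          decide(SAMPLE_ACL, "tcp", "10.1.5.7", 40000, "192.0.2.10", 22))
```

A rule reported by `shadowed_rules` with a different action from the rule that covers it is a policy conflict rather than mere redundancy and should be reviewed before deletion.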
6.1.3.3 Security audit
Technical measures shall be taken to monitor and record network operating status and cybersecurity incidents for security audit, and relevant network logs shall be kept for at least six months.
6.1.3.4 Trusted verification
The trusted verification shall be carried out for the system boot program, system program and the like of the boundary device based on the trusted root, and an alarm is given after the credibility is detected as being damaged.
[Source: GB/T 22239-2019, 6.1.4.5]
6.1.4 Computing environment security
6.1.4.1 Network device
6.1.4.1.1 Identity authentication
The identity authentication shall meet the following requirements:
a) The identity of the login user shall be identified and authenticated; the identity identification shall be unique, and the identity authentication information shall meet complexity requirements and be replaced regularly. Specific requirements are as follows:
1) the static password shall not be less than 8 characters in length and shall include at least three of the following types: uppercase English letters, lowercase English letters, numerals and special symbols;
2) the replacement cycle of the user password shall not exceed one year;
3) the user shall change the initial default password when logging in for the first time, and each time the password is changed the new password shall not be the same as the old one;
b) The login failure handling function shall be available, and related measures, such as ending the session, limiting illegal logins to no more than five times and automatic logout in case of login connection timeout, shall be configured and enabled.
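A baseline check for the identity authentication items above, as an added example that is not part of the standard: it validates a new password against items a) 1) and a) 3) and audits account records against items a) 2), a) 3) and b). The account fields, the function names, the sample accounts, counting password length in characters and reading "one year" as 365 days are assumptions.

```python
import string
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MIN_LENGTH = 8                 # item a) 1): minimum length, counted in characters
MIN_CLASSES = 3                # item a) 1): at least three of the four classes
MAX_AGE = timedelta(days=365)  # item a) 2): one year, read as 365 days (assumption)
MAX_FAILED_LOGINS = 5          # item b): illegal logins limited to five

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),  # assumption: ASCII punctuation only
}


def char_classes(password):
    """Return the names of the character classes that occur in the password."""
    present = set(password)
    return {name for name, chars in CLASSES.items() if chars & present}


def check_new_password(new, old=None):
    """Findings for a password change; `old` is the password being replaced."""
    findings = []
    if len(new) < MIN_LENGTH:
        findings.append("too-short")
    if len(char_classes(new)) < MIN_CLASSES:
        findings.append("too-few-classes")
    if old is not None and new == old:
        findings.append("same-as-old")       # item a) 3)
    return findings


@dataclass
class Account:
    # Hypothetical inventory record exported from a device or host.
    name: str
    password_changed: date
    has_default_password: bool
    lockout_threshold: Optional[int]  # failed logins allowed; None = unlimited
    idle_timeout_s: Optional[int]     # None = sessions never time out


def audit_account(acct, today):
    findings = []
    if acct.has_default_password:
        findings.append("default-password")  # item a) 3)
    if today - acct.password_changed > MAX_AGE:
        findings.append("password-expired")  # item a) 2)
    if acct.lockout_threshold is None or acct.lockout_threshold > MAX_FAILED_LOGINS:
        findings.append("no-login-limit")    # item b)
    if acct.idle_timeout_s is None:
        findings.append("no-timeout")        # item b)
    return findings


def audit_all(accounts, today):
    """Map each non-compliant account name to its findings."""
    report = {}
    for acct in accounts:
        findings = audit_account(acct, today)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample data.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("netadmin", date(2024, 1, 15), False, 5, 600),
    Account("admin", date(2022, 3, 1), True, None, None),
    Account("backup", date(2024, 3, 1), False, 10, 300),
]

if __name__ == "__main__":
    print(check_new_password("abc12345"))
    print(audit_all(SAMPLE_ACCOUNTS, TODAY))
```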
6.1.4.1.2 Access control
The access control requirements shall include:
a) allocating account and authority for the login user;
b) renaming or deleting default account and modifying the default password of the default account;
c) deleting or disabling redundant and expired accounts in a timely manner and avoiding the existence of shared accounts.
[Source: GB/T 22239-2019, 6.1.4.2]
6.1.4.1.3 Intrusion prevention
The intrusion prevention requirements shall include:
a) following the minimum installation principle and only installing the necessary component and application program;
b) disabling the unnecessary system service, default-sharing and high-risk ports.
[Source: GB/T 22239-2019, 6.1.4.3]
6.1.4.1.4 Data backup and recovery
The local data backup and recovery function shall be provided for important data.
[Source: GB/T 22239-2019, 6.1.4.7]
6.1.4.2 Security device
6.1.4.2.1 Identity authentication
The identity authentication shall meet the following requirements:
a) The identity of the login user shall be identified and authenticated; the identity identification shall be unique, and the identity authentication information shall meet complexity requirements and be replaced regularly. Specific requirements are as follows:
1) the static password shall not be less than 8 characters in length and shall include at least three of the following types: uppercase English letters, lowercase English letters, numerals and special symbols;
2) the replacement cycle of the user password shall not exceed one year;
3) the user shall change the initial default password when logging in for the first time, and each time the password is changed the new password shall not be the same as the old one;
b) The login failure handling function shall be available, and related measures, such as ending the session, limiting illegal logins to no more than five times and automatic logout in case of login connection timeout, shall be configured and enabled.
6.1.4.2.2 Access control
The access control requirements shall include:
a) allocating account and authority for the login user;
b) renaming or deleting default account and modifying the default password of the default account;
c) deleting or disabling redundant and expired accounts in a timely manner and avoiding the existence of shared accounts.
[Source: GB/T 22239-2019, 6.1.4.2]
6.1.4.2.3 Intrusion prevention
The intrusion prevention requirements shall include:
a) following the minimum installation principle and only installing the necessary component and application program;
b) disabling the unnecessary system service, default-sharing and high-risk ports.
[Source: GB/T 22239-2019, 6.1.4.3]
6.1.4.2.4 Data backup and recovery
The local data backup and recovery function shall be provided for important data.
[Source: GB/T 22239-2019, 6.1.4.7]
6.1.4.3 Host operating system
6.1.4.3.1 Identity authentication
The identity authentication shall meet the following requirements:
a) The identity of the login user shall be identified and authenticated; the identity identification shall be unique, and the identity authentication information shall meet complexity requirements and be replaced regularly. Specific requirements are as follows:
1) the static password shall not be less than 8 characters in length and shall include at least three of the following types: uppercase English letters, lowercase English letters, numerals and special symbols;
2) the replacement cycle of the user password shall not exceed one year;
3) the user shall change the initial default password when logging in for the first time, and each time the password is changed the new password shall not be the same as the old one;
b) The login failure handling function shall be available, and related measures, such as ending the session, limiting illegal logins to no more than five times and automatic logout in case of login connection timeout, shall be configured and enabled.
6.1.4.3.2 Access control
The access control requirements shall include:
a) allocating account and authority for the login user;
b) renaming or deleting default account and modifying the default password of the default account;
c) deleting or disabling redundant and expired accounts in a timely manner and avoiding the existence of shared accounts.
[Source: GB/T 22239-2019, 6.1.4.2]
6.1.4.3.3 Intrusion prevention
The intrusion prevention requirements shall include:
a) following the minimum installation principle and only installing the necessary component and application program;
b) disabling the unnecessary system service, default-sharing and high-risk ports;
c) being able to find possible known vulnerabilities and repairing them in a timely manner.
6.1.4.3.4 Malicious code prevention
Anti-malicious code software shall be installed or software with corresponding function shall be configured, and anti-malicious code library shall be upgraded and updated once every three months.
6.1.4.3.5 Trusted verification
The trusted verification shall be carried out for the system boot program, system program and the like of the computing device based on the trusted root, and an alarm is given after the credibility is detected as being damaged.
[Source: GB/T 22239-2019, 6.1.4.5]
6.1.4.3.6 Data backup and recovery
The local data backup and recovery function shall be provided for important data.
[Source: GB/T 22239-2019, 6.1.4.7]
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 General
5.1 Target of classified security and security protection level
5.2 Security protection ability
5.3 General security requirements and special security requirements
6 Level 1 security requirements
6.1 General security requirements
6.2 Special security requirements for cloud computing
6.3 Special security requirements for mobile communication
6.4 Special security requirements for IoT
6.5 Special security requirements for industrial control system
6.6 Special security requirements for big data
7 Level 2 security requirements
7.1 General security requirements
7.2 Special security requirements for cloud computing
7.3 Special security requirements for mobile communication
7.4 Special security requirements for IoT
7.5 Special security requirements for industrial control system
7.6 Special security requirements for big data
8 Level 3 security requirements
8.1 General security requirements
8.2 Special security requirements for cloud computing
8.3 Special security requirements for mobile communication
8.4 Special security requirements for IoT
8.5 Special security requirements for industrial control system
8.6 Special security requirements for big data
9 Level 4 security requirements
Bibliography
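6.1.4.4 Database management system
6.1.4.4.1 Identity authentication
The identity authentication shall meet the following requirements:
a) The identity of the login user shall be identified and authenticated; the identity identification shall be unique, and the identity authentication information shall meet complexity requirements and be replaced regularly. Specific requirements are as follows:
1) the static password shall not be less than 8 characters in length and shall include at least three of the following types: uppercase English letters, lowercase English letters, numerals and special symbols;
2) the replacement cycle of the user password shall not exceed one year;
3) the user shall change the initial default password when logging in for the first time, and each time the password is changed the new password shall not be the same as the old one;
b) The login failure handling function shall be available, and related measures, such as ending the session, limiting the number of illegal logins and automatic logout in case of login connection timeout, shall be configured and enabled.
6.1.4.4.2 Access control
The access control requirements shall include:
a) allocating account and authority for the login user;
b) renaming or deleting default account and modifying the default password of the default account;
c) deleting or disabling redundant and expired accounts in a timely manner and avoiding the existence of shared accounts.
[Source: GB/T 22239-2019, 6.1.4.2]
6.1.4.4.3 Data integrity
Check technology shall be adopted to ensure the integrity of important data during transmission.
[Source: GB/T 22239-2019, 6.1.4.6]
6.1.4.4.4 Data backup and recovery
The local data backup and recovery function shall be provided for important data.
[Source: GB/T 22239-2019, 6.1.4.7]
6.1.4.4.5 Personal information protection
Unauthorized access to and illegal use of personal information shall be prohibited.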
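6.1.4.5 Business application system
6.1.4.5.1 Identity authentication
The identity authentication shall meet the following requirements:
a) The identity of the login user shall be identified and authenticated; the identity identification shall be unique, and the identity authentication information shall meet complexity requirements and be replaced regularly. Specific requirements are as follows:
1) the static password shall not be less than 8 characters in length and shall include at least three of the following types: uppercase English letters, lowercase English letters, numerals and special symbols;
2) the replacement cycle of the user password shall not exceed one year;
3) the user shall change the initial default password when logging in for the first time, and each time the password is changed the new password shall not be the same as the old one;
b) The login failure handling function shall be available, and related measures, such as ending the session, limiting the number of illegal logins and automatic logout in case of login connection timeout, shall be configured and enabled.
6.1.4.5.2 Access control
The access control requirements shall include:
a) allocating account and authority for the login user;
b) renaming or deleting default account and modifying the default password of the default account;
c) checking account usage at least once a year, deleting or disabling redundant and expired accounts in a timely manner and avoiding the existence of shared accounts.
6.1.4.5.3 Intrusion prevention
A complete data validity verification mechanism shall be provided to avoid the existence of exploitable high-risk vulnerabilities such as SQL injection, cross-site scripting and file upload.
6.1.4.5.4 Data integrity
Check technology shall be adopted to ensure the integrity of important data during transmission.
[Source: GB/T 22239-2019, 6.1.4.6]
6.1.4.5.5 Data backup and recovery
The local data backup and recovery function shall be provided for important data.
[Source: GB/T 22239-2019, 6.1.4.7]
6.1.4.5.6 Personal information protection
The personal information protection requirements shall include:
a) collecting and storing only the user personal information necessary for the business;
b) prohibiting unauthorized access to and illegal use of personal information.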
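6.1.4.6 Middleware and system management software
6.1.4.6.1 Identity authentication
The identity authentication shall meet the following requirements:
a) The identity of the login user shall be identified and authenticated; the identity identification shall be unique, and the identity authentication information shall meet complexity requirements and be replaced regularly. Specific requirements are as follows:
1) the static password shall not be less than 8 characters in length and shall include at least three of the following types: uppercase English letters, lowercase English letters, numerals and special symbols;
2) the replacement cycle of the user password shall not exceed one year;
3) the user shall change the initial default password when logging in for the first time, and each time the password is changed the new password shall not be the same as the old one;
b) The login failure handling function shall be available, and related measures, such as ending the session, limiting the number of illegal logins and automatic logout in case of login connection timeout, shall be configured and enabled.
6.1.4.6.2 Access control
The access control requirements shall include:
a) allocating account and authority for the login user;
b) renaming or deleting default account and modifying the default password of the default account;
c) deleting or disabling redundant and expired accounts in a timely manner and avoiding the existence of shared accounts.
[Source: GB/T 22239-2019, 6.1.4.2]
6.1.4.6.3 Intrusion prevention
Possible known vulnerabilities shall be found and repaired in a timely manner to avoid the existence of exploitable high-risk vulnerabilities in the environment, frameworks and components.
6.1.4.6.4 Data integrity
Check technology shall be adopted to ensure the integrity of important data during transmission.
[Source: GB/T 22239-2019, 6.1.4.6]
6.1.4.6.5 Data backup and recovery
The local data backup and recovery function shall be provided for important data.
[Source: GB/T 22239-2019, 6.1.4.7]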
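6.1.5 Security management system
The security management systems commonly used in daily management activities shall be established, including at least those for environment management, vulnerability and risk management, network and system security management, and malicious code prevention management.
6.1.6 Security management organization
6.1.6.1 Post setting
Posts such as system administrator shall be set up, and the responsibilities of each post shall be defined.
[Source: GB/T 22239-2019, 6.1.6.1]
6.1.6.2 Staffing
A certain number of system administrators shall be provided.
[Source: GB/T 22239-2019, 6.1.6.2]
6.1.6.3 Authorization and approval
The matters subject to authorization and approval, the approving departments, the approvers and the like shall be specified according to the responsibilities of each department and post.
[Source: GB/T 22239-2019, 6.1.6.3]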
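6.1.7 Security management personnel
6.1.7.1 Personnel recruitment
A special department or person shall be designated or authorized to be responsible for personnel recruitment.
[Source: GB/T 22239-2019, 6.1.7.1]
6.1.7.2 Personnel leaving post
All access rights of personnel leaving their posts shall be terminated in a timely manner, and identity documents, keys, badges and the like, as well as the software and hardware devices provided by the organization, shall be taken back.
[Source: GB/T 22239-2019, 6.1.7.2]
6.1.7.3 Security awareness education and training
Security awareness education and post skill training shall be provided for all types of personnel, who shall be informed of the relevant security responsibilities and disciplinary measures.
[Source: GB/T 22239-2019, 6.1.7.3]
6.1.7.4 Management of access by external personnel
It shall be ensured that external personnel are authorized or approved before accessing the controlled area.
[Source: GB/T 22239-2019, 6.1.7.4]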
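6.1.8 Security construction management
6.1.8.1 Classification and filing
The security protection level of the protected target, and the method and reasons for determining the level, shall be stated in writing.
[Source: GB/T 22239-2019, 6.1.8.1]
6.1.8.2 Security scheme design
Basic security measures shall be selected according to the security protection level, and the security measures shall be supplemented and adjusted according to the results of risk analysis.
[Source: GB/T 22239-2019, 6.1.8.2]
6.1.8.3 Product procurement and use
Qualified cybersecurity products shall be procured and used.
6.1.8.4 Project implementation
A special department or person shall be designated or authorized to be responsible for managing the project implementation process.
[Source: GB/T 22239-2019, 6.1.8.4]
6.1.8.5 Test and acceptance
Security test and acceptance shall be carried out.
[Source: GB/T 22239-2019, 6.1.8.5]
6.1.8.6 System delivery
The system delivery requirements shall include:
a) developing a delivery list and checking the devices, software, documents and the like that are handed over against the delivery list;
b) providing corresponding skill training for the technical personnel responsible for operation and maintenance.
[Source: GB/T 22239-2019, 6.1.8.6]
6.1.8.7 Selection of service supplier
The service supplier requirements shall include:
a) selecting a qualified service supplier;
b) signing a security-related agreement with the selected service supplier that clearly specifies the relevant responsibilities.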
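6.1.9 Security operation and maintenance management
6.1.9.1 Environment management
The environment management requirements shall include:
a) designating a special department or person to be responsible for the security of the machine room, managing entry to and exit from the machine room, and maintaining and managing the power distribution, air conditioning, temperature and humidity control, fire protection and other facilities of the machine room at least once a year;
b) specifying the security management of the machine room, including physical access, the movement of articles in and out, and environmental security.
6.1.9.2 Media management
Media shall be stored in a secure environment, all types of media shall be controlled and protected, the storage environment shall be managed by designated personnel, and an inventory shall be taken regularly against the catalogue list of archived media.
6.1.9.3 Device maintenance management
A special department or person shall be designated to regularly maintain and manage all devices (including backup and redundant devices), lines and the like.
[Source: GB/T 22239-2019, 6.1.9.3]
6.1.9.4 Vulnerability and risk management
Necessary measures shall be taken to identify security vulnerabilities and hidden dangers; those found shall be repaired in a timely manner, or repaired after their possible impact has been assessed.
[Source: GB/T 22239-2019, 6.1.9.4]
6.1.9.5 Network and system security management
The network and system security management requirements shall include:
a) dividing the operation and maintenance management of networks and systems among different administrator roles, and specifying the responsibilities and authority of each role;
b) designating a special department or person for account management, and controlling the application for, creation of and deletion of accounts.
[Source: GB/T 22239-2019, 6.1.9.5]
6.1.9.6 Malicious code prevention management
The malicious code prevention management requirements shall include:
a) raising all users' awareness of malicious code prevention, and checking external computers or storage devices for malicious code before they are connected to the system;
b) specifying the malicious code prevention requirements, including the authorized use of anti-malicious code software, the upgrading of the malicious code library and the regular scanning for and removal of malicious code.
6.1.9.7 Backup and recovery management
The backup and recovery management requirements shall include:
a) identifying the important business information, system data, software systems and the like that need to be backed up regularly;
b) specifying the backup mode, backup frequency, storage media, retention period and the like for the backup information.
[Source: GB/T 22239-2019, 6.1.9.7]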