Secretariat of National Information Security Standardization Technical Committee, 16 April 2019: Introduction of Cyber Security National Standards

Page 1

Secretariat of National Information Security Standardization Technical Committee

16 April 2019

Introduction of Cyber Security National Standards

Page 2

Contents

Panorama and key points of national cyber security standards

Participation in the international standardization of cyber security

China-EU cooperation and exchanges and suggestions on the following work

Page 3

Panorama and Key Points of National Cyber Security Standards

Page 4

Introduction to TC260

⚫ The National Information Security Standardization Technical Committee (No. SAC/TC260) was established in April 2002. It is directly subordinate to the National Standardization Administration and is under the supervision of the Office of the Central Cyberspace Affairs of China.

⚫ Scope of Work: standardization of information security technology, mechanisms, services, management, evaluation and other fields.

⚫ Duties: TC260 shall unify and organize the application, examination and approval of the national standards of cyber security (Several Opinions on Strengthening National Cybersecurity Standardization Work, No. 5 [2016] of the Office of the Central Leading Group for Cyberspace Affairs).

⚫ International Correspondence: ISO/IEC JTC1 SC27

National Information Security Standardization Technical Committee (SAC/TC260)

Page 5

Introduction to TC260

Chairman:

Honglie LIU, Deputy Director of Office of the Central Cyberspace Affairs of China

Vice Chairmen:

Zeliang ZHAO, Chief Engineer of Office of the Central Cyberspace Affairs of China / Director General of Cyber Security Coordination Wing

Jun HAN, Former Inspector of Science and Technology Division at Ministry of Industry and Information Technology

Lin ZHAO, Inspector / Deputy Director of Science and Technology Informatization Bureau at Ministry of Public Security

Shoupeng LI, Deputy Director of China Information Technology Security Evaluation Center

Page 6

Liangsheng HE, Deputy Director of State Cryptography Administration

Jingtao WANG, Chief Engineer of National Administration of State Secrets Protection

Weijun LIU, Director of Department of Certification Supervision and Management at State Administration for Market Regulation

Secretariat: held by China Electronics Standardization Institute

Commissioners: 81 people. Nearly 50% of the representatives come from domestic enterprises; 4 are representatives of foreign enterprises.

Page 7

Introduction to TC260

Up to now, TC260 has 710 members, among which there are 30 members of WG3, 204 members of WG5, 57 members of WG6, 157 members of WG7 and 168 members of SWG-BDS.

Page 8

Panorama of National Cyber Security Standards

Since its establishment, TC260 has developed nearly 400 national standards, including 268 issued standards on cyber security and 111 projects under research, mainly covering the fields of cryptography, authentication and authorization, security assessment, communication security, security management and big data security. These standards provide strong support for cyber security examination, classified protection of information security, testing and certification of information security products, information security risk assessment, information system incident recovery and other safeguarding work, as well as for the implementation of the Electronic Signatures Law and the Cybersecurity Law of the People's Republic of China.

Fields shown in the panorama diagram:

authentication & authorization

big data / cloud computing / personal information

security management

communication security

testing & assessment of products

cryptography management & application

Page 9

Key Work of 2018 - Standard Projects

In 2018, TC260 carried out its work in line with the national cyber security work deployment. After project solicitation and evaluation, it started a batch of standardization projects focused on key fields in need of standards, such as naming and classifying information security vulnerabilities, security of government affairs information sharing, security of industrial Internet platforms, application of cryptography in information systems, protection of biometric identification information and security of servers. Additionally, research work on AI, blockchain and IPv6 was launched at the same time.

Timeline of the 2018 project process (reconstructed from the slide diagram):

01 19 January: Guidelines for the application of national standards projects on cyber security in 2018 were issued.

02 13-28 March: Secretariat conducted formality examination.

03 Up to 28 March: 124 suggestions on project application were received.

04 14-18 April: Working groups conducted technology review.

05 15 May: Joint meeting between WG1 and the leaders of the working groups.

06 25 May - 4 June: The committee voted by ballot.

07 27 June: Deliberation of the director's office.

08 12 July: The project notice was issued.

Page 10

Key Work of 2018 - Standard Projects

8 Standard Amendment Projects

10 Standard Issuing Projects

Page 11

Key Work of 2018 - Standards Issuing

In total, TC260 issued 85 national standards on cyber security.

National Cyber Security Standards (centre of the slide diagram), grouped into four areas: cryptography; authentication & authorization; information security management; information security evaluation.

• Financial information service

• Security of ICT supply chain

• Internet-based e-government information

• Domain names of Chinese government organs and public institutions

• Security of industrial control systems

• Office information systems

• Security of Internet of Things

• Entity authentication

• Time stamp

• Digital signature

• eID

• Biometric authentication

• Application of cryptographic equipment

• Security requirements for cryptographic modules

• Technical requirements for cryptographic application for radio frequency identification systems

Page 12

Key Work of 2018 - Standards Issuing

No. Standard Number Standard Title Working Group

1 GB/T 36322-2018 Information security technology—Cryptographic device application interface specifications WG3

2 GB/T 37092-2018 Information security technology—Security requirements for cryptographic modules WG3

3 GB/T 25056-2018 Information security technology—Specifications of cryptography and related security technology for certificate authentication system WG3

4 Information security technology—Technical specification for IPSec VPN WG3

5 GB/T 37033.1-2018 Information security technology—Technical requirements for cryptographic application for radio frequency identification systems—Part 1: Cryptographic protection framework and security levels WG3

6 GB/T 37033.2-2018 Information security technology—Technical requirements for cryptographic application for radio frequency identification systems—Part 2: Technical requirements for cryptographic application for RF tag, reader and communication WG3

7 GB/T 37033.3-2018 Information security technology—Technical requirements for cryptographic application for radio frequency identification systems—Part 3: Technical requirements for key management WG3

8 GB/T 20518-2018 Information security technology—Public key infrastructure—Digital certificate format WG3

9 GB/T 15843.6-2018 Information technology—Security techniques—Entity authentication—Part 6: Mechanisms using manual data transfer WG4

10 Information technology—Security techniques—Anonymous entity authentication—Part 2: Mechanisms based on signatures using a group public key WG4

11 GB/T 36624-2018 Information technology—Security techniques—Authenticated encryption WG4

12 GB/T 36960-2018 Information security technology—Authentication and authorization—Access control middleware framework and interface WG4

13 GB/T 36644-2018 Information security technology—Methods for obtaining security attestations for digital signature applications WG4

14 GB/T 36632-2018 Information security technology—Format specifications for citizen cyber electronic identity WG4

15 GB/T 36629.1-2018 Information security technology—Security technique requirements for citizen cyber electronic identity—Part 1: Security technique requirements for reader WG4

16 GB/T 36629.2-2018 Information security technology—Security technique requirements for citizen cyber electronic identity—Part 2: Security technique requirements of carrier WG4

17 GB/T 36629.3-2018 Information security technology—Security technique requirements for citizen cyber electronic identity—Part 3: Verification service message and processing rules WG4

18 GB/T 36631-2018 Information security technology—Time stamp policy and time stamp practice rules WG4

19 GB/T 37076-2018 Information security technology—Technical requirements for fingerprint recognition system WG4

20 Information security techniques—Biometric authentication protocol framework based on trusted environment WG4

Page 13

Key Work of 2018 - Standards Issuing

No. Standard Number Standard Title Working Group

21 GB/T 15851.3-2018 Information technology—Security techniques—Digital signature schemes giving message recovery—Part 3: Discrete logarithm based mechanisms WG4

22 GB/T 36323-2018 Information security technology—Security management fundamental requirements for industrial control systems WG5

23 GB/T 36324-2018 Information security technology—Information security classification specifications of industrial control systems WG5

24 GB/T 36466-2018 Information security technology—Implementation guide to risk assessment of industrial control systems WG5

25 GB/T 36470-2018 Information security technology—Common security functional requirements for data acquisition and control field devices of industrial control systems WG5

26 GB/T 36633-2018 Information security technology—Technical guide for identity authentication over network WG5

27 GB/T 36635-2018 Information security technology—Basic requirements and implementation guide of network security monitoring WG5

28 GB/T 36627-2018 Information security technology—Testing and evaluation technical guide for classified cybersecurity protection WG5

29 GB/T 28449-2018 Information security technology—Testing and evaluation process guide for classified protection of cybersecurity WG5

30 GB/T 36958-2018 Information security technology—Technical requirements of security management center for classified protection of cybersecurity WG5

31 GB/T 36959-2018 Information security technology—Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity WG5

32 GB/T 36950-2018 Information security technology—Security technical requirements of smart card (EAL4+) WG5

33 GB/T 37002-2018 Information security technology—Security techniques requirement for electronic mail system WG5

34 GB/T 37090-2018 Information security technology—Security technical requirements, testing and evaluation methods for antivirus products WG5

35 GB/T 37027-2018 Information security technology—Specifications of definition and description for network attack WG5

36 GB/T 37091-2018 Information security technology—Security office USB disk technology requirement WG5

37 GB/T 37094-2018 Information security technology—Security management requirements for office information systems WG5

38 GB/T 37095-2018 Information security technology—Security basic technical requirements for office information systems WG5

39 GB/T 37096-2018 Information security technology—Security testing specification for office information systems WG5

40 GB/T 36951-2018 Information security technology—Security technical requirements for application of sensing terminals in internet of things WG5

Page 14

Key Work of 2018 - Standards Issuing

No. Standard Number Standard Title Working Group

41 GB/T 37024-2018 Information security technology—Security technical requirements of gateway in sensing layer of the internet of things WG5

42 GB/T 37025-2018 Information security technology—Security technical requirements of data transmission for internet of things WG5

43 GB/T 37044-2018 Information security technology—Security reference model and generic requirements for internet of things WG5

44 GB/T 37093-2018 Information security technology—Security requirements for IoT sensing layer access to communication network WG6

45 GB/Z 24294.1-2018 Information security technology—Guide of implementation for internet-based e-government information security—Part 1: General WG7

46 GB/T 36618-2018 Information security technology—Specification for financial information service security WG7

47 GB/T 36619-2018 Information security technology—Naming specification on domain names of Chinese government organs and public institutions WG7

48 GB/T 36626-2018 Information security technology—Management guide for secure operation and maintenance of information systems WG7

49 GB/T 36630.1-2018 Information security technology—Controllability evaluation index for security of information technology products—Part 1: General principles WG7

50 GB/T 36630.2-2018 Information security technology—Controllability evaluation index for security of information technology products—Part 2: Central processing unit WG7

51 GB/T 36630.3-2018 Information security technology—Controllability evaluation index for security of information technology products—Part 3: Operating system WG7

52 GB/T 36630.4-2018 Information security technology—Controllability evaluation index for security of information technology products—Part 4: Office suite WG7

53 GB/T 36630.5-2018 Information security technology—Controllability evaluation index for security of information technology products—Part 5: General purpose computer WG7

54 GB/T 36639-2018 Information security technology—Trusted computing specification—Trusted support platform for server WG7

55 GB/T 36637-2018 Information security technology—Guidelines for the information and communication technology supply chain risk management WG7

56 GB/T 36643-2018 Information security technology—Cyber security threat information format WG7

57 GB/T 36957-2018 Information security technology—Requirements for disaster recovery service WG7

58 GB/T 37046-2018 Information security techniques—Assessment criteria for disaster recovery service capability WG7

Page 15

Key Work of 2018 - White Papers and Practical Guidelines

3 Standardization White Papers

3 Practical Guidelines on Cyber Security

Page 16

Participation in the international standardization of cyber security

Page 17

Participation in the international standardization of cyber security

TC260 has participated as a team in more than 20 SC27 meetings, 15 years in a row since 2004.

Chinese standards proposals and technical contributions in the international standardization field were started from scratch and have resulted in more than 20 achievements so far.

The expert team for international standardization continues to grow; the number of registered experts has reached 119 so far.

In order to standardize international standardization activities on cyber security, TC260 officially released the Management Measures for International Standardization Activities on Information Security in early 2017.

October 2018, SC27 Norway

April 2018, SC27 Wuhan

Page 18

In April 2009, for the first time, the SC27 working group meetings and plenary meeting were held in Beijing.

In April 2018, after 9 years, the conference was held in Wuhan, Hubei province, and the International Cyber Security Standardization Forum was held at the same time. Members from more than 30 countries, over 280 foreign experts and 71 domestic technical experts from 11 international liaison organizations attended the conference. The conference was well organized and well prepared, and was highly praised by participants.

Page 19

◆ Participation in 2018 SC27 Conference

➢ 11 Proposals on: propulsion of symmetric encipherment algorithms; entity authentication; security of big data; biometrics used with mobile devices, etc.

➢ 8 Research Projects on: security of data; ZUC stream cipher algorithm; industrial internet; network virtualization security, etc.

◆ Participation in 2019 SC27 Conference

➢ 4 Research Projects have completed the study period and entered the NWIP voting phase: Measurement Guideline of ICT Trusted Framework, Guide for Realizing Big Data Security and Privacy Protection Management, Home IoT Security and Privacy Protection, and Reference Model for Industrial Internet Platform Security.

➢ SM9-IBE Algorithms and SM9-KA Protocol have been incorporated into ISO/IEC 18033-5:2015 and ISO/IEC 11770-3:2015.

➢ 2 Research Projects have been approved: Evaluation Criteria for the Information Security of Intelligent Connected Vehicle based on ISO/IEC 15408; Information Security Incident Management - Part 4: Guide on Incident Response Collaboration.

April 2019, SC27 Israel

October 2018, SC27 Norway

April 2018, SC27 Wuhan

Page 20

China-EU cooperation and exchanges and suggestions on the following work

Page 21

Cooperation between EU Enterprises and TC260

So far, 16 EU enterprises have joined the relevant working groups of TC260, including the working groups on identification and authorization standards (WG4), security evaluation standards (WG5), communication security standards (WG6), information security management standards (WG7) and the special working group on big data security (SWG-BDS).

As members of TC260, EU enterprises are able to fully understand and participate in national standards development work on cybersecurity. For instance, they can express their opinions and make suggestions in the approval, drafting, commenting and reviewing processes of new standardization projects, and actively put forward advice for the formulation of national standards on cyber security.

Since 2016, by taking part in conference week activities and seminars of the working groups, EU enterprises have presented a number of constructive suggestions on cyber security during standardization project initiation and public consultation, which are highly valued by TC260. TC260 attaches great importance to the feedback from EU enterprises, promptly organizes working groups and drafting units to work together on it, and has adopted many reasonable opinions.

Page 22

List of EU Enterprises Taking Part in TC260 Working Groups

No. Name of Enterprise Participated Working Groups

1 Ericsson (China) Communications Co. LTD WG4, WG5, WG6, WG7, SWG-BDS

2 Nokia Communication System Technology (Beijing) Co. LTD WG4, WG5, WG6, WG7, SWG-BDS

3 Philips (China) Investment Co. LTD WG5, WG7, SWG-BDS

4 Schneider Electric (China) Co., LTD WG5, WG7

5 Siemens (Shenzhen) Magnetic Resonance Co. LTD SWG-BDS

6 Siemens (China) Co. LTD WG5, WG7, SWG-BDS

7 Reed Elsevier Information Technology (Beijing) Co. LTD SWG-BDS

8 Infineon Integrated Circuit (Beijing) Co. LTD WG5, WG7

9 Infineon Technology (China) Co., LTD WG5

10 ARM Electronic Technology (Shanghai) Co., LTD WG5, WG6, WG7

11 T-Systems P.R. China WG5, WG7

12 Atsec (Beijing) Information Technology Co. LTD WG5

13 Nestle (China) Co., LTD SWG-BDS

14 Aspire Digital Technology (Shenzhen) Co. LTD WG5, WG6, WG7

15 Bosch (China) Investment Co. LTD WG5

16 SAP (China) Co., LTD WG5, WG7, SWG-BDS

Page 23

China-EU Cooperation and Exchanges

From 11 to 15 June 2018, Wei DU, deputy inspector of the Cyber Security Coordination Wing at the Office of the Central Cyberspace Affairs of China, led a delegation to France to participate in ETSI Security Conference Week. He delivered a keynote speech on China's cybersecurity development and policy at the "Latest Drive of Cybersecurity" forum, introducing President Jinping XI's strategic thought on cyber power and the achievements made on cybersecurity since the 18th National Congress of the Communist Party of China. Representatives of the TC260 Secretariat attended the conference.

From 19 to 23 June 2018, Jianjun YANG, Secretary General of TC260 and Vice President of China Electronics Standardization Institute, led a delegation to participate in the China-Germany workshop on cyber and information security and relevant technical seminars in Germany, and introduced the development and conformity assessment mechanism of China's cyber security standardization. This laid a good foundation for the follow-up implementation of the Cybersecurity Law of the P.R.C. in terms of compliance and certification on security issues, and for further cooperation on GDPR, personal information protection and cross-border data flow.

From 21 to 25 February 2019, Wei DU, deputy inspector of the Cyber Security Coordination Wing at the Office of the Central Cyberspace Affairs of China, led a delegation to Berlin, Germany for the first "Sino-German Technology Conference on Information Security Standardization, Certification and Assessment". Deputy Secretary General Xiangang LIU attended the conference and, on behalf of TC260, signed a memorandum of understanding on cooperation with DIN/NIA.

Page 24

Suggestions on the Following Work

TC260 welcomes EU enterprises and relevant institutions to take an active part in China's cybersecurity standardization work in accordance with the relevant regulations of TC260.

TC260 will organize thematic seminars on cybersecurity technology standards, for instance by holding workshops on topics of mutual interest and inviting each other to participate in various activities.

TC260 will work together with all stakeholders to contribute to international cyber security standardization, for example by advancing proposals for international standards on the themes of new technology security, new application security or other topics of mutual interest.

Page 25

Thank You for Listening!