Update on the IT Security Standards in China
Published 11 July 2022 (last modified 24 July 2024). Source: https://webdev.atsec.us/update-on-the-it-security-standards-in-china/
(Figure: “Information Security and Cryptography” in Chinese calligraphy)

In this article, we give an up-to-date overview of IT security standards in China and of the current state of IT security testing and certification there. It also covers topics related to security assessment and compliance in the financial industry.

Security standards are established to support organizations in improving their information security baseline and mitigating potential risks. As shown in the figure below, an organization may establish its own information security policy, including appropriate security controls, by considering the compliance requirements of regulators and partners as well as its own business and technical requirements. These controls can be defined based on best practice, such as industry standards, national standards, international standards, or regulations.

Figure 1: Standards viewed from an organization perspective

The situation is likely similar for every organization in the world, although the standardization processes and methods vary between countries and regions. The focus of this discussion is on the situation in China.

First, the high-level structure of national security standards in China is given.

Overview of information security national standards in China
In China, the National Information Security Standardization Technical Committee (“TC260”) is responsible for organizing the technical work of information security standardization. Currently, the following working groups focus on different areas of information security:

WG1 – Information security standard system and coordination
WG3 – Cryptographic technology
WG4 – Authentication and authorization
WG5 – Information security evaluation
WG6 – Communication security standard
WG7 – Information security management
WG8 – Big data security standard

According to the official TC260 website, 339 national security standards had been issued as of 7 June 2022. The high-level classification and structure of information security national standards are as follows:

1. Basic standards
   • Glossary: GB/T 25069 “Information security technology – Glossary”
   • Framework and model: e.g., GB/Z 29830 “A framework for IT security assurance,” which is identical to ISO/IEC 15443
2. Technology and mechanism standards
   • Cryptographic algorithms and technology: e.g., GB/T 32905 “Information security techniques – SM3 cryptographic hash algorithm”; GB/T 32907 “Information security technology – SM4 block cipher algorithm”; GB/T 32918 “Information security technology – SM2 based on elliptic curves”
   • Security identification: e.g., GB/T 36629 “Information security technology – Security technique requirements for citizen cyber electronic identity”
   • Authentication and authorization: e.g., GB/T 15843 “Information technology – Security techniques – Entity authentication,” which is identical to ISO/IEC 9798
   • Trusted computing: e.g., GB/T 36639 “Information security technology – Trusted computing specification – Trusted support platform for server”
   • Biometric recognition: e.g., GB/T 36651 “Information security techniques – Biometric authentication protocol framework based on trusted environment”
   • Identification management: e.g., GB/T 31504 “Information security technology – Authentication and authorization – Digital identity information service framework specification”
3. Security management standards
   • Information security management system: e.g., GB/T 22080 “Information technology – Security techniques – Information security management systems – Requirements,” which is identical to ISO/IEC 27001; GB/T 22081, which is identical to ISO/IEC 27002; GB/T 25067, which is identical to ISO/IEC 27006, etc.
   • Risk management: e.g., GB/T 31509 “Information security risk assessment implementation guide”
   • Operation management: e.g., GB/T 36626 “Information system security operation and management guide”
   • Incident management: e.g., GB/T 20985 “Information security incident management,” which is identical to ISO/IEC 27035
4. Security testing standards
   • Testing criteria: e.g., GB/T 18336, which is identical to ISO/IEC 15408; GB/Z 20283 “Guide for the production of Protection Profiles and Security Targets,” which is identical to ISO/IEC 15446
   • Testing methodology: e.g., GB/T 30270 “Information technology – Security technology – Methodology for IT security evaluation,” which is identical to ISO/IEC 18045
5. Products and services standards
   • Components: e.g., GB/T 37092 “Information security technology – Security requirements for cryptographic modules”
   • Security products: e.g., GB/T 33131 “Information security technology – Specification for IP storage network security based on IPSec”
   • IT products: e.g., GB/T 36950 “Information security technology – Security technical requirements of smart card (EAL4+)”
   • Network critical equipment: e.g., GB/T 25063 “Information security technology – Testing and evaluation requirement for server security”
   • Network security dedicated products: e.g., GB/T 36635-2018 “Information security technology – Basic requirements and implementation guide of network security monitoring”
   • Network services: e.g., GB/T 32914 “Information security technology – Information security service provider management requirements”
6. Network and system standards
   • Information system: e.g., GB 17859 “Classified criteria for security protection of computer information system”; GB/T 20274 “Information security technology – Evaluation framework for information systems security assurance”; GB/T 22239 “Information security technology – Baseline for classified protection of cybersecurity”; GB/T 36959 “Information security technology – Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity”
   • Office system: e.g., GB/T 35282 “Information security technology – Security technology specifications of mobile e-government system”
   • Communication network: e.g., GB/T 33562 “Information security technology – Secure domain name system deployment guide”
   • Industrial control system: e.g., GB/T 32919 “Information security technology – Application guide to industrial control system security control”
7. Data security standards
   • Personal information: e.g., GB/Z 28828 “Information security technology – Guideline for personal information protection within information system for public and commercial services”; GB/T 35273 “Information security technology – Personal information security specification”
8. Organization management standards
   • Organization: e.g., GB/T 35289 “Information security technology – Specification on the service quality of certification authority”
   • Personnel: e.g., GB/T 35288 “Information security technology – Specification on the job skills of certificate authority employees”
   • Supervision: e.g., GB/T 32926 “Information security technology – Information security management specification for government information technology service outsourcing”
   • Supply chain: e.g., GB/T 36637 “Information security technology – Guidelines for the information and communication technology supply chain risk management”
9. New technology and application security standards
   • Cloud computing: e.g., GB/T 34942 “Information security technology – The assessment method for security capability of cloud computing service”; GB/T 35279 “Information security technology – Security reference architecture of cloud computing”
   • Big data: e.g., GB/T 35274-2017 “Information security technology – Security capability requirements for big data services”
   • Internet of things: e.g., GB/T 36951 “Information security technology – Security technical requirements for application of sensing terminals in internet of things”; GB/T 37025 “Information security technology – Security technical requirements of data transmission for internet of things”
   • Mobile: e.g., GB/T 33565 “Information security technology – Security technology requirements for wireless local area network (WLAN) access system (EAL2+)”
   • Critical information infrastructure:
     ◦ Information sharing: e.g., GB/T 36643 “Information security technology – Cyber security threat information format”
     ◦ Monitoring and early warning: e.g., GB/T 32924 “Information security technology – Guideline for cyber security warning”
     ◦ Incident emergency response: e.g., GB/T 24363 “Information security technology – Specifications of emergency response plan for information security”

For these Chinese national standards, a series number follows the prefix “GB,” “GB/T,” or “GB/Z.” Mandatory national standards are prefixed with “GB.” Based on the current index information (as of 7 June 2022) published by TC260, GB 17859-1999 is the only mandatory standard. GB standards are the basis for the product testing that products must undergo during China Compulsory Certificate (CCC or 3C) certification. If there is no corresponding GB standard, CCC is not required.

Recommended national standards are prefixed with “GB/T,” and related organizations are encouraged to implement these standards voluntarily. As the list above shows, most Chinese standards in the information security area are recommended standards.

“GB/Z” means the standard is for guidance only.

                        A few organizations in China related to IT security testing, evaluation, and\/or certification are introduced in the next section.

Organizations related to IT security testing, evaluation, and/or certification
The Chinese national standards can be used to perform IT security testing, evaluation, and/or certification of products, services, management systems, etc.

Figure 2: Organizations related to IT security testing, evaluation, and/or certification

As shown in the above figure, there are two high-level dimensions to consider for cyber security testing and/or certification: one is certification and accreditation, and the other is cyber security itself.

In the dimension of certification and accreditation, the China National Accreditation Service for Conformity Assessment (“CNAS” for short) is the national accreditation body of China, responsible for accrediting certification bodies, laboratories, and inspection bodies. It was established under the approval of the Certification and Accreditation Administration of the People’s Republic of China (CNCA) and is authorized by CNCA in accordance with the regulations. For instance, atsec is one of the global IT security evaluation facilities and has had an office in China since February 2006; atsec China was first accredited by CNAS on 24 December 2010 in accordance with ISO/IEC 17025, General Requirements for the Competence of Testing and Calibration Laboratories (CNAS-CL01).

As shown in the above figure, the China Cybersecurity Review Technology and Certification Center (“CCRC” for short), formerly named ISCCC (Information Security Certification Center of China), is one of the important certification bodies in China. It carries out security certification of products, management systems, services, etc., in order to better address the regulation defined in the national cyber security law issued in 2016 and enforced in 2017. ISCCC was established in 2006 with the approval of the China central government and is authorized by eight government authorities and ministries, including CNCA.

In China, commercial cryptography is regulated by the State Cryptography Administration. I will not introduce the Chinese commercial cryptographic scheme in this article; another article on this topic may be published by atsec at a later time.

In addition to these national standards, industry standards are adopted and implemented in different industry areas, e.g., the financial industry, the telecommunication industry, etc. I will say a little more about industry security standards and programs in the financial industry in the next section.

Security standards and programs in the financial industry
In China, more and more financial organizations, including banks, payment service providers, and merchants who implement financial payment systems, have turned their attention to, or become compliant with, global standards and/or related validation programs, for instance ISO/IEC 27001, the PCI standards, the security controls defined in the SWIFT Customer Security Programme (CSP), etc. Although compliance with these is not mandated by local regulators, in some cases it is requested by global and/or local business partners. In addition, since more and more organizations have realized the importance of security implementation and compliance, they are voluntarily investing in and putting effort into improving their information security. A compliance result also provides more confidence during business cooperation and is valuable for brand reputation and marketing activities as well.

1. PCI standards
In the payment industry, various standards and programs (as shown in the figure below) are developed and maintained by the PCI SSC (Payment Card Industry Security Standards Council). They cover the security of the cardholder data environment (PCI DSS: Data Security Standard), software security (PCI SSF: Secure Software Framework), security scanning and testing (ASV: Approved Scanning Vendor program), card production (physical and logical security), P2PE (Point-to-Point Encryption), PCI 3DS, PIN Security, PFI (PCI Forensic Investigator), and so on. atsec offers a full range of services to support organizations in achieving PCI compliance.

Figure 3: Overview of PCI security standards and programs

As shown in the above figure, PCI DSS is the most important (and also the first) standard within the PCI standards family. PCI DSS version 4.0, the next evolution of the standard, was released in the first quarter of 2022. Industry organizations have two years to become familiar with the new version and to plan for and implement the changes needed. On 31 March 2024, the old version of PCI DSS (v3.2.1) will be formally retired.

Figure 4: PCI DSS v4.0 (source: PCI SSC website [3])

2. SWIFT CSP program
Similar to the PCI standards in the payment industry, the Customer Security Programme (CSP) was launched in 2016 by SWIFT (Society for Worldwide Interbank Financial Telecommunication, a global provider of secure financial messaging services) and is designed to reinforce the security of the SWIFT community. Whether directly or indirectly connected, each user complies with the SWIFT Customer Security Controls Framework (CSCF), which enhances the security of each financial organization’s local environment and helps protect the whole community. Financial institutions (e.g., banks) are required to comply with at least the mandatory controls in order to build a SWIFT infrastructure. The security controls are applicable to all users and are recommended for the whole transaction chain, beyond the in-scope environment; they are mapped against recognized international standards, e.g., NIST, PCI DSS, and ISO/IEC 27002.

As one of the independent security assessment providers, atsec has worked with quite a few banks in China to meet the security controls defined by SWIFT CSP.

3. Technical Certification of Payment Business Facilities of Non-Bank Payment Institutions
In addition to the global security standards and assessment programs, the local requirements in the financial industry in China are mainly proposed and regulated by the PBOC (People’s Bank of China). One example is the “Technical Certification of Payment Business Facilities of Non-Bank Payment Institutions,” which was initially launched in 2010. Currently, the certification activities can be performed by CCRC as one of the certification bodies in China, and the PBOC issues and maintains the “Payment Business Licenses” of these payment institutions based on the testing and certification results.

This testing and certification focuses on functional testing, performance testing, risk monitoring and anti-money-laundering detection, as well as security testing.

Global industry communication
Global communication and collaboration in the technical and industry communities between China and the rest of the world has never stopped, not even during the pandemic of recent years. I will mention some observations from my work at atsec: