GM/T 0132-2023 Implementation guide for information system cryptography application (信息系统密码应用实施指南)
Basic information
Publication history
- December 2023
Drafting information
- Drafting organizations:
- 兴唐通信科技有限公司、国家密码管理局商用密码检测中心、中国科学院信息工程研究所、中国科学院数据与通信保护研究教育中心、北京信安世纪科技有限公司、北京数盾信息科技有限公司、三未信安科技股份有限公司、阿里云计算有限公司、中电科网络安全科技股份有限公司、公安部第三研究所、蚂蚁科技集团股份有限公司、鼎铉商用密码测评技术(深圳)有限公司、北京天融信网络安全技术有限公司、中金金融认证中心有限公司、阿里巴巴(中国)网络技术有限公司、上海市数字证书认证中心有限公司、中互金认证有限公司、国家信息技术安全研究中心、深圳市腾讯计算机系统有限公司、中国电子科技集团公司第十五研究所、中国国家铁路集团有限公司、暨南大学、启明星辰信息安全技术有限公司
- Drafters:
- 王彦力、刘尚焱、许长伟、王兵、马原、郑昉昱、肖秋林、吴星宇、贾世杰、田爱军、孙丽伟、姚长远、胡伟、何济尘、梅秋丽、汪宗斌、秦体红、吴冬宇、刘健、张立花、杨辰、陈天宇、吕娜、袁静、乐宏彦、陈萧宇、许涛、张大江、周君平、张宇翔、宋铮、陈磊、万志宇、马春旺、朱红儒、谭武征、李增局、姬生利、杨龙、田涛、于航、高志权、鹿淑煜、吴波、华珊、李升、方海峰、肖飞、安高峰、贺磊、司华峰、彭晋、黄天宁、李冰、谢灿、蒋增增、苏继海、孙欣、刘志刚、史汝辉、朱凌
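- Publication information:
- Pages: 32 | Word count: 54 thousand characters | Format: large 16mo
Content description
ICS 35.030
CCS L 80
Cryptography Industry Standard of the People's Republic of China
GM/T 0132—2023
Implementation guide for information system cryptography application
Issued 2023-12-04; effective 2024-06-01
Issued by the State Cryptography Administration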
Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Overview of information system cryptography application implementation
4.1 Roles and responsibilities
4.2 Basic process
5 Information system cryptography application planning
5.1 Workflow of the planning phase
5.2 Cryptography application requirements analysis
5.2.1 Analysis of the information system's current state
5.2.2 Cryptography application security risk analysis
5.2.3 Determination of basic cryptography application requirements
5.2.4 Determination of special cryptography application requirements
5.2.5 Documentation of requirements analysis results
5.3 Cryptography application scheme design
5.3.1 Overall strategy design
5.3.2 Cryptography application technical scheme design
5.3.3 Cryptography application security management scheme design
5.3.4 Compliance self-check
5.3.5 Implementation assurance scheme design
5.3.6 Documentation of design results
5.4 Scheme cryptography assessment
6 Information system cryptography application construction
6.1 Workflow of the construction phase
6.2 Cryptography construction scheme design
6.2.1 Design of the implementation content of cryptography application technical measures
6.2.2 Design of the implementation content of cryptography application security management measures
6.2.3 Documentation of design results
6.3 Implementation of cryptography application technical measures
6.3.1 Procurement of cryptographic products and cryptographic services
6.3.2 Cryptography application integration
6.4 Implementation of cryptography application security management measures
6.4.1 Establishment of supporting security management policies for cryptography application
6.4.2 Establishment of cryptography management posts and personnel
6.4.3 Construction process management
6.5 System cryptography assessment
7 Information system cryptography application operation
7.1 Workflow of the operation phase
7.2 Operation management and control
7.2.1 Operation management process control
7.2.2 Operation management personnel control
7.3 Change management and control
7.3.1 Change requirements and impact analysis
7.3.2 Change process control
7.4 Cryptography application security status monitoring
7.4.1 Determination of monitored objects
7.4.2 Collection of status information on monitored objects
7.4.3 Monitoring status analysis and reporting
7.5 Security self-check and continuous improvement
7.5.1 Self-check of cryptography application security status
7.5.2 Cryptography application remediation
7.6 System cryptography assessment
7.7 Emergency response and assurance
7.7.1 Emergency preparation
7.7.2 Emergency monitoring and response
7.7.3 Post-incident evaluation and improvement
7.7.4 Emergency assurance
8 Information system cryptography application termination
8.1 Workflow of the termination phase
8.2 Transfer, temporary storage and clearing of cryptography application information
8.3 Migration or decommissioning of cryptography application equipment
8.4 Clearing or destruction of cryptography application storage media
Annex A (normative) Main processes and their activities, inputs and outputs
Bibliography
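Foreword
This document is drafted in accordance with the rules of GB/T 1.1—2020 "Directives for standardization, Part 1: Rules for the structure and drafting of standardizing documents".
Please note that some content of this document may involve patents. The issuing body of this document assumes no responsibility for identifying patents.
This document was proposed by, and is under the jurisdiction of, the Cryptography Industry Standardization Technical Committee.
Drafting organizations of this document: 兴唐通信科技有限公司、国家密码管理局商用密码检测中心、中国科学院信息工程研究所、中国科学院数据与通信保护研究教育中心、北京信安世纪科技有限公司、北京数盾信息科技有限公司、三未信安科技股份有限公司、阿里云计算有限公司、中电科网络安全科技股份有限公司、公安部第三研究所、蚂蚁科技集团股份有限公司、鼎铉商用密码测评技术(深圳)有限公司、北京天融信网络安全技术有限公司、中金金融认证中心有限公司、阿里巴巴(中国)网络技术有限公司、上海市数字证书认证中心有限公司、中互金认证有限公司、国家信息技术安全研究中心、深圳市腾讯计算机系统有限公司、中国电子科技集团公司第十五研究所、中国国家铁路集团有限公司、暨南大学、启明星辰信息安全技术有限公司.
Main drafters of this document: 王彦力、刘尚焱、许长伟、王兵、马原、郑昉昱、肖秋林、吴星宇、贾世杰、田爱军、孙丽伟、姚长远、胡伟、何济尘、梅秋丽、汪宗斌、秦体红、吴冬宇、刘健、张立花、杨辰、陈天宇、吕娜、袁静、乐宏彦、陈萧宇、许涛、张大江、周君平、张宇翔、宋铮、陈磊、万志宇、马春旺、朱红儒、谭武征、李增局、姬生利、杨龙、田涛、于航、高志权、鹿淑煜、吴波、华珊、李升、方海峰、肖飞、安高峰、贺磊、司华峰、彭晋、黄天宁、李冰、谢灿、蒋增增、苏继海、孙欣、刘志刚、史汝辉、朱凌.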
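Implementation guide for information system cryptography application
1 Scope
This document gives process guidance and recommendations for information system cryptography application, and describes the implementation processes and main activities of the planning, construction, operation and termination phases.
This document applies to guiding the implementation of information system cryptography application.
2 Normative references
The contents of the following documents constitute, through normative reference in the text, indispensable provisions of this document. For dated references, only the edition corresponding to that date applies to this document; for undated references, the latest edition (including all amendments) applies to this document.
GB/T 20984 Information security technology: Risk assessment method for information security
GB/T 39786 Information security technology: Basic requirements for information system cryptography application
GM/T 0115 Testing and evaluation requirements for information system cryptography application
GM/T 0116 Testing and evaluation process guide for information system cryptography application
GM/Z 4001 Cryptographic terms
3 Terms and definitions
The terms and definitions defined in GB/T 39786 and GM/Z 4001 apply to this document.
4 Overview of information system cryptography application implementation
4.1 Roles and responsibilities
The roles involved in information system cryptography application and their responsibilities are as follows.
a) Cryptography administration department
Responsible for administering cryptography work in accordance with the law.
b) Information system responsible organization
Usually includes the project construction organization and the organizations that operate and use the information system. It is responsible for: designing the cryptography application scheme in accordance with the management specifications and technical standards for information system cryptography application; using cryptographic algorithms, cryptographic technologies, cryptographic products and cryptographic services that comply with national regulations and meet the basic cryptography application requirements for the information system's corresponding level to carry out information system cryptography application construction or remediation; establishing and implementing the supporting security management policies for cryptography application, and regularly self-checking the security status of the information system's cryptography application and the implementation of the supporting security management policies and measures; carrying out, by itself or by entrusting a commercial cryptography application security assessment institution, the commercial cryptography application security assessment (abbreviated "密评", cryptography assessment), including the cryptography application scheme assessment (abbreviated "方案密评", scheme cryptography assessment) and the information system assessment (abbreviated "系统密评", system cryptography assessment); and carrying out emergency handling of cryptography application security incidents.
c) Cryptography application integration service provider
Responsible, as entrusted by the information system responsible organization and in accordance with the management specifications and technical standards for information system cryptography application, for assisting the information system responsible organization in completing the work of the planning, construction, operation and termination phases of information system cryptography application (including but not limited to cryptography application …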