DB11/T 145-2002 政务公开网站通用安全技术要求
DB11/T 145-2002 Common security technical requirements for government openness websites
基本信息
发布历史
-
2002年01月
研制信息
- 起草单位:
- 起草人:
- 出版信息:
- 页数:41页 | 字数:- | 开本: -
内容描述
����������
���
备案号�������������
北京市地方标准
���������������
政务公开网站�
通用安全技术要求
����一��一��发布����一�����实施
北京市质量技术监督局发布
���������������
目次
前言··,··················································································································。·····⋯⋯�
引言···························································································································⋯⋯�
�范围························································································。·······⋯⋯‘·················⋯⋯�
�术语和定义···············································································································⋯⋯�
�系统概述··················································································································⋯⋯�
�安全环境··················································································································⋯⋯�
���资产····················。································································································⋯⋯�
�����系统内的数据······································································································⋯⋯�
�����系统软件··············································。·····························································⋯⋯�
�����系统硬件············································································································⋯⋯�
���系统具备的前提条件································································································⋯⋯�
�����系统设备维护����������������··············································································⋯⋯�
�����系统软件安装维护���������������������·······························································⋯⋯�
�����系统管理员能力�������������������··································································⋯⋯�
�����系统管理员不会滥用权限���������������������···················································⋯⋯�
�����系统数据毁坏�����������������������··································································⋯⋯�
�����远程用户�����������������·················································································⋯⋯�
�����可信用户����������������····················································································⋯⋯�
�����物理访问�����������������������········································································⋯⋯�
�����掉电保护�����������������������···········································································⋯⋯�
���对系统的威胁······································································································⋯⋯�
�����管理错误��������������������···········································································⋯⋯�
�����管理疏忽������������������··············································································⋯⋯�
�����威胁主体的能力����������������···········································································⋯⋯�
�����未授权的访问��������������··············································································⋯⋯�
�����攻击者尝试使资源拒绝服务���������������������··················································⋯⋯’�
�����传输错误�������������·······················································································⋯⋯�
�����关键系统组件失效���������������������·······························································⋯⋯�
�����恶意代码������������������·················································································⋯⋯�
���系统组织安全策略···································································································⋯⋯�
�����安全设备选型或采购控制��������������··································································⋯⋯�
�����网络隔离����������������····················································································⋯⋯�
�����站点监控与审计���������������������··································································⋯⋯�
�����漏洞扫描��������·····························································································⋯⋯�
�����入侵检测���������������������···························。···············································⋯⋯�
���������������
���������页面监测与自动修复������������������������················································⋯⋯�
�����系统备份����������··························································································⋯⋯�
�安全目的············································································································⋯⋯�
���系统安全目的······································································································⋯⋯�
�����安全角色������������������·················································································⋯⋯�
�����安全功能管理行为���������������������·······························································⋯⋯�
�����安全相关配置管理������������������������····························································⋯⋯�
�����管理安全属性���������������������·····································································⋯⋯�
�����管理安全关键数据��������������������·······························································⋯⋯�
�����远程可信系统的可信通道������������������������················································⋯⋯�
�����用户标识和鉴别�������·················。··································································⋯⋯�
�����系统访问控制��������····················································································⋯⋯�
�����保护系统安全功能�����������������������···················,········································⋯⋯�
������采用补丁程序修改代码��������������������·······································。··············⋯⋯�
������限定用户和服务的资源�������������������·························································⋯⋯�
������保护和维护安全的系统状态����������������·························································⋯⋯�
������系统功能运行的完整性测试����������������������···················································⋯⋯�
������对已发现的攻击的响应�����������������������···················································⋯⋯�
������主页的完整性监视与恢复������������������������················································⋯⋯�
������控制系统数据的输入��������������������···················································,·········,·⋯�
������系统数据内部传递的完整性����������������������················································⋯⋯�
������识别对接收信息的修改�����������������·························································⋯⋯�
������恢复对接收信息的修改�������������������······················································⋯⋯�
������识别对发布信息的修改�����������������····························································⋯⋯�
������支持在发布信息被修改后的恢复������������������··········································⋯⋯�
������关键组件失效时保持安全状态���������������·························································⋯⋯�
������关键组件运行错误容限�������������������····························································⋯⋯�
������出现恶意代码时能恢复对象和数据���������������������·······································⋯⋯�
������审计管理角色��������������������··································································⋯⋯�
������标识审计记录�������������������·····································································⋯⋯�
������对可能丢失所保存的审计记录作出响应����������������������·············。···················⋯⋯�
������保护存储的审计记录�����������������··································································⋯⋯�
������确保可用的审计存储空间�����������������������················································⋯⋯�
������审计系统访问减少误用����������������������······················································⋯⋯�
������系统备份��������������������···········································································⋯⋯�
������检测备份硬件、固件、软件的修改���������������������·······································⋯⋯�
������网络隔离����������������·············,················。··················································⋯⋯�
���环境安全目的·····························································································。········⋯⋯�
�����安装与操作控制������������·············································································,···⋯⋯�
�����物理控制��������������····················································································⋯⋯�
�����授权管理员培训����������·················································································⋯⋯�
���������������
�����防自然灾害���������������������········································································⋯⋯�
�����电磁兼容��������··························································································⋯⋯�
�安全功能要求····························································�·················�··�··��·��·���������������⋯⋯�
���用户数据保护······································································································⋯⋯�
�����访问控制策略���������··············································································�··⋯⋯�
�����访问控制功能���������·················································································⋯⋯��
�����向安全功能控制之外输出���������·····································································⋯⋯��
�����信息流控制策略���������·······························································,·············,···⋯⋯��
�����信息流控制功能���������······。··。·······································································⋯⋯��
�����从安全功能控制之外输入���������·····································································⋯⋯��
�����存储数据的完整性���������··············································································⋯⋯��
�����安全功能间用户数据传输完整性保护���������······················································⋯⋯��
���标识和鉴别······················································。··。··········································�··��⋯⋯��
�����用户标识���������··························································································⋯⋯��
�����用户属性定义���������····················································································⋯⋯��
�����秘密的规范��������·······················································································⋯⋯��
�����用户鉴别���������············。··································································,··,····⋯⋯��
�����鉴别失败���������··························································································⋯⋯��
�����用户一主体绑定���������·················································································⋯⋯��
���安全功能保护···················································································,····,····,········⋯⋯��
�����失效保护���������·······················································································⋯⋯��
�����安全功能数据输出的保密性���������··································································⋯⋯��
�����系统内部安全功能数据传输���������··································································⋯⋯��
�����可信恢复���������···············································································�··��·��⋯⋯��
�����参照仲裁���������·······················································································⋯⋯��
�����安全功能域分离���������···············································,······························⋯⋯��
�����安全功能自检���������·················································································⋯⋯��
���系统访问·······································································································�⋯⋯��
�����多重并发会话限定���������···········································································⋯⋯��
���安全审计·········································································································⋯⋯��
�����安全审计自动响应���������···········································································⋯⋯��
�����安全审计数据产生��������·················,·········,·······,·······································⋯⋯��
�����安全审计分析��������·················································································⋯⋯��
�����安全审计查阅��������·················································································⋯⋯��
�����安全审计事件存储��������·,·········································································⋯⋯��
���安全管理类·········································································································⋯⋯��
�����系统中功能的管理���������········································································。··⋯⋯��
�����安全属性的管理���������·········································································,····⋯⋯��
�����系统数据的管理���������··············································································⋯⋯��
�����安全管理角色���������·················································································�⋯⋯��
���可信路径�通道····················,········,··································································⋯⋯��
���������������
�����系统间可信信道���������··············································································⋯⋯��
���资源利用············································································································⋯⋯��
�����容错���������·····························································································⋯⋯��
�����资源分配��������最高配额···········································································⋯⋯��
�安全保证要求······························································,··········································⋯⋯��
���配置管理············································································································⋯⋯��
���。�配置项�����������····,··················································································⋯⋯��
���交付和操作·········································································································⋯⋯��
�����交付程序�����������···················。································································⋯⋯��
�����安装、生成和启动程序�����������·····································································⋯⋯��
���开发··················································································································⋯⋯��
�����非形式化功能规范�����������···········································································⋯⋯��
�����描述性高层设计�����������···········································································⋯⋯��
�����非形式化相关性阐明�����������·····································································⋯⋯��
���指导性文档·······················································································�·····�·····�··���⋯⋯��
�����管理员指南�����������·················································································⋯⋯��
�����用户指南�����������···················。································································⋯⋯��
���测试··················································································································⋯⋯��
�����范��证据�����������··········································,·········································⋯⋯��
�����功能测试������··········································,·························,···············⋯⋯��
�����独立性测试—抽样�����������·······································································一��
���脆弱性评定·········································································································⋯⋯��
�����系统安全功能强度评估����������···············································。··················⋯⋯��
�����开发者脆弱性分析�����������········································································⋯⋯��
�环境安全要求·········································································································⋯⋯��
���备份和恢复·········································································································⋯⋯��
���操作系统安全···································································································⋯⋯��
���数据库安全···································。·····································································⋯⋯��
���病毒防范·。·······································································································⋯⋯��
�基本原理·························································,··················································⋯⋯��
���安全目的基本原理······················,·······················································,·················⋯⋯��
���安全要求基本原理································································································⋯⋯��
���满足依赖关系基本原理·······················································································⋯⋯��
���������������
日
定制服务
推荐标准
- SY 5158-1991 石油勘探数字测井仪技术条件 1991-07-19
- QB 1433.6-1992 饼干 夹心饼干 1992-02-21
- SY 5288-1991 钻井提升设备主要连接尺寸 1991-07-19
- HG 2192-1991 喷砂橡胶软管 1991-12-23
- QB/T 1475-1992 渔线轮 1992-04-14
- JC 463-1992 水泥工业用提升泵 1992-02-26
- JB 5610-1991 双频激光干涉仪 1991-07-16
- SH/T 0422-1992 石油沥青灰分测定法 2025-07-11
- JC 460.2-1992 水泥工业用胶带斗式提升机技术条件 1992-02-26
- JB 1757-1991 卡套 1991-07-22