GB/Z 41290-2022 Information security techniques—Guidelines for mobile internet security audit
1 Scope
This document provides guidance and recommendations on role responsibilities, audit scope, and audit content for mobile Internet security auditing activities, and gives information on the framework of security auditing activities, functional tasks, and their specific content.
This document applies to the activities related to mobile Internet security auditing.
2 Normative references
The following documents contain provisions which, through reference in this text, constitute provisions of this document. For dated references, only the edition cited applies; for undated references, the latest edition (including all amendments) applies.
GB/T 17143.6-1997 Information technology—Open Systems Interconnection—Systems management—Part 6: Log control function
GB 17859-1999 Classification criteria for security protection level of computer information systems
GB/T 18336.2-2015 Information technology—Security techniques—Evaluation criteria for IT security—Part 2: Security functional components
GB/T 25069 Information security technology—Glossary
GB/T 35281-2017 Information security technology—Security technical requirements for mobile Internet application servers
3 Terminology and definitions
The terms and definitions given in GB/T 17143.6-1997, GB 17859-1999, GB/T 18336.2-2015, GB/T 25069 and GB/T 35281-2017, together with the following, apply to this document.
3.1
mobile internet
The open basic telecommunication network where users use mobile terminals (including cell phones, Internet cards, tablet PCs, smartbooks, etc.) to obtain mobile communication network services and Internet services through the mobile network.
[Source: GB/T 35281-2017, 3.1.1]
3.2
mobile internet security audit
The recording and analysis of events, and the taking of corresponding comparison actions in response to specific events.
[Source: GB/T 20945-2013, 3.2]
3.3
security audit domain
In information systems and networks, the collection of entities that audit security audit subjects under a single security audit policy.
3.4
private data
Data that is owned exclusively by the security audit subject and needs to be protected.
Note: Improper use or unauthorized modification of this data can compromise the auditor's interests.
4 Abbreviations
The following abbreviations apply to this document.
FTP: File Transfer Protocol
ID: Identification
P2P: Peer to Peer
URL Scheme: Uniform Resource Locator Scheme
5 Audit activities
5.1 Overview
Mobile Internet security audit is an activity in which an enterprise audits the security-related behaviour of mobile terminals moving inside and outside the security audit domain, with the purpose of protecting private data and preventing violations. The scope of mobile Internet security audit activities covers the entire mobile Internet and is a comprehensive application of information security technologies at multiple levels, including terminal, network and application security, each divided into three layers: device/environment security, business application security and information security. The focus includes security audit of mobile terminal access to internal data within the domain, security audit of mobile terminal access to external networks within the domain, and security audit of private data output outside the domain.
The mobile Internet security audit architecture is based on the idea of "distributed collection, centralized management". It realizes in-process and after-the-fact audits inside and outside the security audit domain without changing the existing internal network structure or configuration and without affecting network operating efficiency.
Mobile Internet security audit services do not correspond to any single security service; other security services are needed to support security audit activities.
5.2 Security audit domain
The security audit domain lies outside the confidential domain, and its scope is less than or equal to that of the wireless LAN. On entering the security audit domain, mobile terminal users can choose whether or not to accept the audit. Only those who accept the audit and comply with the audit rules defined by the security audit policy can access the security audit domain. Audit inside the security audit domain includes general behaviour audit, private data online operation audit, private data local operation audit and after-the-fact recording of private data operations performed outside the domain; audit outside the security audit domain consists mainly of private data online operation audit and after-the-fact recording of private data local operations.
When the mobile terminal is inside the security audit domain, the following cases should be distinguished.
a) User behaviour within the scope of the audit rules can be submitted directly from the mobile application, through the audit trail and in real time, to the security audit center for in-process audit; the audit center returns the audit result to the audit trail: if it passes, execution continues; if not, execution is interrupted and an alarm is raised.
b) When the mobile terminal wants to download private data, the security audit agent must be installed first; otherwise the download is rejected.
c) When private data is operated on online, the operation is submitted in real time through the audit trail to the security audit center for in-process audit, and the security audit center judges whether the behaviour is legitimate.
d) When private data is operated on locally, the audit agent audits the operation and judges whether it is legitimate; if it is, the operation is allowed to continue, and if it is not, the local operation on private data is interrupted and reported to the security audit center.
e) Audit records relating to private data operations outside the security audit domain are uploaded through the audit trail to the security audit center for record as soon as the mobile terminal re-enters the security audit domain.
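The following is an added illustrative model of cases a) to e) above, written for this edit and not code from the standard. It represents the security audit center, the audit trail and the audit agent as plain Python classes, uses a constructed policy table as the "audit rules", and assumes (not stated in the text) that the agent receives a copy of the policy when installed, that the center raises an alarm for every failed verdict including those uploaded after the fact, and that unknown (role, action) combinations are denied by default.

```python
"""Toy model of GB/Z 41290-2022 5.2: distributed collection, centralized management.

Constructed illustration only. Policy rules, user names and data names are made up.
"""
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    PASS = "pass"
    FAIL = "fail"


@dataclass(frozen=True)
class AuditRecord:
    user: str
    action: str
    target: str
    verdict: Verdict
    origin: str  # "center", "agent" (reported in-domain) or "deferred" (recorded out-of-domain)


class SecurityAuditCenter:
    """Policy decision point and central record store (cases a and c, upload in case e)."""

    def __init__(self, policy):
        self.policy = policy  # {(role, action, target_class): allowed}; constructed rules
        self.records: list[AuditRecord] = []
        self.alarms: list[str] = []

    def report(self, record):
        """File a record; every failed verdict raises an alarm (assumption)."""
        self.records.append(record)
        if record.verdict is Verdict.FAIL:
            self.alarms.append(f"{record.user}:{record.action}:{record.target}")

    def judge(self, user, role, action, target, target_class):
        """Real-time in-process audit; unknown combinations are denied (assumption)."""
        allowed = self.policy.get((role, action, target_class), False)
        verdict = Verdict.PASS if allowed else Verdict.FAIL
        self.report(AuditRecord(user, action, target, verdict, "center"))
        return verdict

    def accept_upload(self, records):
        """Case e): after-the-fact records uploaded on re-entry to the domain."""
        for rec in records:
            self.report(rec)
        return len(records)


class SecurityAuditAgent:
    """On-terminal agent for local private-data operations (case d) and out-of-domain records."""

    def __init__(self, policy):
        self.policy = policy          # copy of the rules distributed at install (assumption)
        self.deferred: list[AuditRecord] = []  # records made outside the domain, not yet uploaded

    def judge_local(self, user, role, action, target, in_domain, center):
        allowed = self.policy.get((role, action, "private"), False)
        verdict = Verdict.PASS if allowed else Verdict.FAIL
        if in_domain:
            if verdict is Verdict.FAIL:  # interrupt and report to the center
                center.report(AuditRecord(user, action, target, verdict, "agent"))
        else:  # outside the domain: keep an after-the-fact record for later upload
            self.deferred.append(AuditRecord(user, action, target, verdict, "deferred"))
        return verdict


class MobileTerminal:
    def __init__(self, user, role, center, policy):
        self.user, self.role, self.center, self.policy = user, role, center, policy
        self.in_domain = False
        self.agent = None
        self.local_private_data = set()

    def enter_domain(self):
        """Returns the number of deferred records uploaded on entry (case e)."""
        self.in_domain = True
        if self.agent and self.agent.deferred:
            uploaded = self.center.accept_upload(self.agent.deferred)
            self.agent.deferred = []
            return uploaded
        return 0

    def leave_domain(self):
        self.in_domain = False

    def install_agent(self):
        self.agent = SecurityAuditAgent(self.policy)

    def perform_behavior(self, action, target):
        """Case a): general behaviour is audited in real time only inside the domain."""
        if not self.in_domain:
            return Verdict.PASS  # not subject to security audit outside the domain
        return self.center.judge(self.user, self.role, action, target, "general")

    def download_private_data(self, name):
        """Case b): rejected unless the audit agent is installed; then an online audit."""
        if self.agent is None:
            return Verdict.FAIL
        verdict = self.center.judge(self.user, self.role, "download", name, "private")
        if verdict is Verdict.PASS:
            self.local_private_data.add(name)
        return verdict

    def operate_private_data_online(self, action, name):
        """Case c): online private-data operations go to the center in real time."""
        return self.center.judge(self.user, self.role, action, name, "private")

    def operate_private_data_locally(self, action, name):
        """Case d) inside the domain; recorded for later upload outside it."""
        if self.agent is None or name not in self.local_private_data:
            return Verdict.FAIL
        return self.agent.judge_local(self.user, self.role, action, name,
                                      self.in_domain, self.center)


POLICY = {  # constructed audit rules: (role, action, target_class) -> allowed
    ("staff", "browse", "general"): True,
    ("staff", "ftp_upload", "general"): False,
    ("staff", "download", "private"): True,
    ("staff", "view", "private"): True,
    ("staff", "edit", "private"): True,
    ("staff", "share", "private"): False,
}


def run_scenario():
    """Walk one terminal through the five cases; returns a summary for inspection."""
    center = SecurityAuditCenter(POLICY)
    t = MobileTerminal("alice", "staff", center, POLICY)
    t.enter_domain()
    r = {}
    r["browse"] = t.perform_behavior("browse", "intranet-portal").value          # pass
    r["ftp_upload"] = t.perform_behavior("ftp_upload", "external-host").value    # fail + alarm
    r["download_no_agent"] = t.download_private_data("report.docx").value       # fail, rejected
    t.install_agent()
    r["download"] = t.download_private_data("report.docx").value                # pass
    r["share_online"] = t.operate_private_data_online("share", "report.docx").value  # fail
    r["edit_local"] = t.operate_private_data_locally("edit", "report.docx").value    # pass
    r["share_local"] = t.operate_private_data_locally("share", "report.docx").value  # fail, reported
    t.leave_domain()
    r["browse_outside"] = t.perform_behavior("browse", "news-site").value        # pass, unaudited
    r["view_outside"] = t.operate_private_data_locally("view", "report.docx").value   # deferred
    r["share_outside"] = t.operate_private_data_locally("share", "report.docx").value # deferred
    r["deferred_before"] = len(t.agent.deferred)
    r["uploaded"] = t.enter_domain()
    r["center_records"] = len(center.records)
    r["alarms"] = len(center.alarms)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:>18}: {value}")
```

The point the model makes visible is the split of responsibility: the center decides everything it can see in real time, the agent is the only component that can decide local operations, and anything that happens while the terminal is out of reach is still recorded and surfaces at the center on re-entry rather than being lost.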
When the mobile terminal is outside the security audit domain, the behavior of the mobile application is not subject to security audit, and only the private data related to the security audit subject