(“Information Security and Cryptography” in Chinese calligraphy)
This article provides an up-to-date overview of IT security standards and of the current situation of IT security testing and certification in China. It also covers security assessment and compliance in the financial industry.
Security standards are established to support organizations in improving their information security baseline and mitigating potential risks. As shown in the figure below, an organization may establish its own information security policy, including appropriate security controls, by considering the compliance requirements of regulators and partners as well as its own business and technical requirements. These controls can be defined based on best practice, such as industry standards, national standards, international standards, or regulations.
Figure 1: Standards viewed from an organization perspective
The situation is similar for organizations everywhere in the world, although standardization processes and methods vary between countries and regions. The focus of this discussion is on the situation in China.
First, the high-level structure of national security standards in China is given.
Overview of information security national standards in China
In China, the National Information Security Standardization Technical Committee (“TC260”) is responsible for organizing technical work engaged in information security standardization. Currently, the following working groups are focusing on different areas of information security:
WG1 – Information security standard system and coordination
WG3 – Cryptographic technology
WG4 – Authentication and authorization
WG5 – Information security evaluation
WG6 – Communication security standard
WG7 – Information security management
WG8 – Big data security standard
According to the official TC260 website, there are 339 national security standards issued as of 7 June 2022. The high-level classification and structure of information security national standards are as follows:
- Basic standards
  - Glossary: GB/T 25069 “Information security technology – Glossary”
  - Framework and model: e.g., GB/Z 29830 “A framework for IT security assurance,” which is identical to ISO/IEC 15443
- Technology and mechanism standards
  - Cryptographic algorithms and technology: e.g., GB/T 32905 “Information security techniques – SM3 cryptographic hash algorithm”; GB/T 32907 “Information security technology – SM4 block cipher algorithm”; GB/T 32918 “Information security technology – SM2 based on elliptic curves”
  - Security identification: e.g., GB/T 36629 “Information security technology – Security technique requirements for citizen cyber electronic identity”
  - Authentication and authorization: e.g., GB/T 15843 “Information technology – Security techniques – Entity authentication,” which is identical to ISO/IEC 9798
  - Trusted computing: e.g., GB/T 36639 “Information security technology – Trusted computing specification – Trusted support platform for server”
  - Biometric recognition: e.g., GB/T 36651 “Information security techniques – Biometric authentication protocol framework based on trusted environment”
  - Identification management: e.g., GB/T 31504 “Information security technology – Authentication and authorization – Digital identity information service framework specification”
- Security management standards
  - Information security management system: e.g., GB/T 22080 “Information technology – Security techniques – Information security management systems – Requirements,” which is identical to ISO/IEC 27001; GB/T 22081, which is identical to ISO/IEC 27002; GB/T 25067, which is identical to ISO/IEC 27006, etc.
  - Risk management: e.g., GB/T 31509 “Information security risk assessment implementation guide”
  - Operation management: e.g., GB/T 36626 “Information system security operation and management guide”
  - Incident management: e.g., GB/T 20985 “Information security incident management,” which is identical to ISO/IEC 27035
- Security testing standards
  - Testing criteria: e.g., GB/T 18336, which is identical to ISO/IEC 15408; GB/Z 20283 “Guide for the production of Protection Profiles and Security Targets,” which is identical to ISO/IEC 15446
  - Testing methodology: e.g., GB/T 30270 “Information technology – Security technology – Methodology for IT security evaluation,” which is identical to ISO/IEC 18045
- Products and services standards
  - Components: e.g., GB/T 37092 “Information security technology – Security requirements for cryptographic modules”
  - Security products: e.g., GB/T 33131 “Information security technology – Specification for IP storage network security based on IPSec”
  - IT products: e.g., GB/T 36950 “Information security technology – Security technical requirements of smart card (EAL4+)”
  - Network critical equipment: e.g., GB/T 25063 “Information security technology – Testing and evaluation requirement for server security”
  - Network security dedicated products: e.g., GB/T 36635-2018 “Information security technology – Basic requirements and implementation guide of network security monitoring”
  - Network services: e.g., GB/T 32914 “Information security technology – Information security service provider management requirements”
- Network and system standards
  - Information system: e.g., GB 17859 “Classified criteria for security protection of computer information system”; GB/T 20274 “Information security technology – Evaluation framework for information systems security assurance”; GB/T 22239 “Information security technology – Baseline for classified protection of cybersecurity”; GB/T 36959 “Information security technology – Capability requirements and evaluation specification for assessment organization of classified protection of cybersecurity”
  - Office system: e.g., GB/T 35282 “Information security technology – Security technology specifications of mobile e-government system”
  - Communication network: e.g., GB/T 33562 “Information security technology – Secure domain name system deployment guide”
  - Industrial control system: e.g., GB/T 32919 “Information security technology – Application guide to industrial control system security control”
- Data security standards
  - Personal information: e.g., GB/Z 28828 “Information security technology – Guideline for personal information protection within information system for public and commercial services”; GB/T 35273 “Information security technology – Personal information security specification”
- Organization management standards
  - Organization: e.g., GB/T 35289 “Information security technology – Specification on the service quality of certification authority”
  - Personnel: e.g., GB/T 35288 “Information security technology – Specification on the job skills of certificate authority employees”
  - Supervision: e.g., GB/T 32926 “Information security technology – Information security management specification for government information technology service outsourcing”
  - Supply chain: e.g., GB/T 36637 “Information security technology – Guidelines for the information and communication technology supply chain risk management”
- New technology and application security standards
  - Cloud computing: e.g., GB/T 34942 “Information security technology – The assessment method for security capability of cloud computing service”; GB/T 35279 “Information security technology – Security reference architecture of cloud computing”
  - Big data: e.g., GB/T 35274-2017 “Information security technology – Security capability requirements for big data services”
  - Internet of things: e.g., GB/T 36951 “Information security technology – Security technical requirements for application of sensing terminals in internet of things”; GB/T 37025 “Information security technology – Security technical requirements of data transmission for internet of things”
  - Mobile: e.g., GB/T 33565 “Information security technology – Security technology requirements for wireless local area network (WLAN) access system (EAL2+)”
  - Critical information infrastructure:
    - Information sharing: e.g., GB/T 36643 “Information security technology – Cyber security threat information format”
    - Monitoring and early warning: e.g., GB/T 32924 “Information security technology – Guideline for cyber security warning”
    - Incident emergency response: e.g., GB/T 24363 “Information security technology – Specifications of emergency response plan for information security”
For these Chinese national standards, a series number follows the prefix “GB,” “GB/T,” or “GB/Z.” Mandatory national standards are prefixed with “GB.” Based on the current index information (as of 7 June 2022) published by TC260, GB 17859-1999 is the only mandatory standard. GB standards are the basis for the product testing that products must undergo during China Compulsory Certificate (CCC or 3C) certification. If there is no corresponding GB standard, CCC is not required.
Recommended national standards are prefixed with “GB/T,” and related organizations are encouraged to implement them voluntarily. As the list above shows, most Chinese standards in the information security area are recommended standards.
“GB/Z” means the standard is for guidance only.
A few organizations in China related to IT security testing, evaluation, and/or certification are introduced in the next section.
Organizations related to IT security testing, evaluation, and/or certification
The Chinese national standards could be used to perform IT security testing, evaluation, and/or certification related to products, services, management systems, etc.
Figure 2: Organizations related to IT security testing, evaluation, and/or certification
As shown in the above figure, there are two high-level dimensions to cyber security testing and/or certification: one is certification and accreditation, and the other is cyber security itself.
From the dimension of certification and accreditation, the China National Accreditation Service for Conformity Assessment (“CNAS” for short) is the national accreditation body of China responsible for the accreditation of certification bodies, laboratories, and inspection bodies. It was established with the approval of the Certification and Accreditation Administration of the People’s Republic of China (CNCA) and is authorized by CNCA in accordance with the regulations. For instance, atsec is one of the global IT security evaluation facilities, with an office in China since February 2006, and atsec China was initially accredited by CNAS on 24 December 2010 in accordance with ISO/IEC 17025, General requirements for the competence of testing and calibration laboratories (CNAS-CL01).
As shown in the above figure, the China Cybersecurity Review Technology and Certification Center (“CCRC” for short), formerly named ISCCC (Information Security Certification Center of China), is one of the important certification bodies in China carrying out security certification of products, management systems, services, etc., in order to better address the regulation defined in the national cyber security law issued in 2016 and in force since 2017. ISCCC was established in 2006 with the approval of the Chinese central government and was authorized by eight government authorities and ministries, including CNCA.
In China, commercial cryptography is regulated by the State Cryptography Administration. I will not introduce the Chinese commercial cryptographic scheme in this article; another atsec article on this topic may be published at a later time.
In addition to these national standards, industry standards are adopted and implemented in different industry sectors, e.g., the financial industry, the telecommunication industry, etc. The next section looks more closely at industry security standards and programs in the financial industry.
Security standards and programs in the financial industry
In China, more and more financial organizations, including banks, payment service providers, and merchants who implement financial payment systems, have turned their attention to, or achieved compliance with, global standards and/or related validation programs, for instance ISO/IEC 27001, the PCI standards, the security controls defined in the SWIFT Customer Security Programme (CSP), etc. Although this compliance is not mandated by local regulators, in some cases it is requested by global and/or local business partners. In addition, since more and more organizations have realized the importance of security implementation and compliance, they are voluntarily investing in and putting effort into improving their information security. The compliance result also provides more confidence in business cooperation and is valuable for brand reputation and marketing activities as well.
1. PCI standards
In the payment industry, various standards and programs (as shown in the figure below) are developed and maintained by the PCI SSC (Payment Card Industry Security Standards Council), covering the security of the data environment (PCI DSS: Data Security Standard), software security (PCI SSF: Secure Software Framework), security scanning and testing (ASV: Approved Scanning Vendor program), card production (physical and logical security), P2PE (Point-to-Point Encryption), PCI 3DS, PIN Security, PFI (PCI Forensic Investigator), and so on. atsec offers a full range of services to support organizations in achieving PCI compliance.
Figure 3: Overview of PCI security standards and programs
As shown in the above figure, PCI DSS is the most important (and also the first) standard within the PCI standards family. PCI DSS version 4.0, the next evolution of the standard, was released in the first quarter of 2022. Industry organizations have two years to become familiar with the new version and to plan for and implement the changes needed. On 31 March 2024, the old version of PCI DSS (v3.2.1) will be formally retired.
Figure 4: PCI DSS v4.0 (source from PCI SSC website [3])
2. SWIFT CSP program
Similar to the PCI industry, the Customer Security Programme (CSP) was launched in 2016 by SWIFT (Society for Worldwide Interbank Financial Telecommunication, a global provider of secure financial messaging services) and is designed to reinforce the security of the SWIFT community. Every SWIFT user, whether directly or indirectly connected, complies with the SWIFT Customer Security Controls Framework (CSCF), which enhances the security of each financial organization’s local environment and helps protect the whole community. Financial institutions (e.g., banks) are required to comply with at least the mandatory controls when building a SWIFT infrastructure. The security controls are applicable to all users and are recommended for the whole transaction chain, beyond the in-scope environment; they are mapped against recognized international standards, e.g., NIST, PCI DSS, and ISO/IEC 27002.
As one of the independent security assessment providers, atsec has worked with quite a few banks in China to meet the security controls defined by SWIFT CSP.
3. Technical Certification of Payment Business Facilities of Non-Bank Payment Institutions
In addition to the global security standards and assessment programs, local requirements in the financial industry in China are mainly proposed and regulated by the PBOC (People’s Bank of China). One example is the “Technical Certification of Payment Business Facilities of Non-Bank Payment Institutions,” which was initially launched in 2010. Currently, the certification activities can be performed by CCRC as one of the certification bodies in China, and PBOC issues and maintains the “Payment Business Licenses” of these payment institutions based on the testing and certification results.
This testing and certification focuses on functional testing, performance testing, risk monitoring and anti-money-laundering detection, as well as security testing.
Global industry communication
Global communication and collaboration in the technical and industry communities between China and the rest of the world has never stopped, not even during the pandemic in recent years. I will mention some observations from my work at atsec:
- China UnionPay joined the PCI industry as one of the PCI SSC Strategic Members in 2020; as one of the six leading payment card brands in the world, UnionPay will communicate more with the payment industry and better adopt the PCI standards.
- More Chinese vendors have obtained certificates based on global security standards, for instance:
  - Oppo Find X5 Pro obtained the Common Criteria certificate (issued by CSEC) in March 2022
  - Huawei Mate 40 Pro obtained the Common Criteria certificate (issued by OCSI) in January 2022
  - Huawei Mobile Devices (P40 series) obtained the Common Criteria certificate (issued by OCSI) in October 2021
  - OPPO Find X3 Pro obtained the Common Criteria certificate (issued by CSEC) in October 2021
  - Cryptographic Server HSM (produced by Beijing Lianshi Networks Technology Co., Ltd.) obtained the FIPS 140-2 certificate in February 2022
  - Sansec HSM Cryptographic Module (produced by Sansec Technology Co., Ltd.) obtained the FIPS 140-2 certificate in September 2021
  - TASS Crypto Engine (produced by Beijing JN TASS Technology Co., Ltd.) obtained the FIPS 140-2 certificate in April 2021
  - Inspur Power Commercial Systems Co., Ltd. obtained the O-TTPS (ISO/IEC 20243) certificate in October 2021
  - The AxKMS Certification Authority and AxKMS Key Injection Facilities (provided by Fujian Landi Commercial Equipment Co., Ltd.) passed PCI P2PE validation in January 2021
  - MoreFun KIF (provided by Fujian Morefun Electronic Technology Co., Ltd.) passed PCI P2PE validation in June 2020
  - (All above-mentioned evaluations and assessments were performed by atsec, and the information is based on the public information released by the related certification/validation bodies)
- We have also seen more involvement and more voices from Chinese vendors in global standards technical communities, e.g., PCI, CCUF, EUCC, etc.
- More and more organizations, such as payment service providers, have started to develop business globally, and compliance with the global standards is one of their important tasks. Some of these organizations (e.g., 99bill) have joined the PCI SSC as Participating Organizations and contribute to the industry.
- TC260 delegations and experts actively participate in the standardization work organized by ISO/IEC JTC 1/SC 27. A few ISO standards (e.g., ISO/IEC 27071, ISO/IEC 27565) proposed by Chinese delegations have been drafted in the working group.
- On the other hand, as shown in the first section, many international standards have been adopted as national standards in the information security area, and more will follow.
This article briefly introduces the current situation of security standards and their certification schemes in China, and how security standards (global or local) are adopted by industry organizations to enhance security worldwide. The importance of global involvement and cooperation in the technical community is evident, and I believe more collaboration will happen in the future.
References
[1] TC260: https://www.tc260.org.cn/
[2] CCRC: www.isccc.gov.cn
[3] PCI SSC: www.pcisecuritystandards.org
[4] SWIFT: https://www.swift.com/myswift/customer-security-programme-csp
[5] atsec: www.atsec.com