Such as insurance | level protection study notes
In the process of communicating with many customers, many customers will put forward a question: how to build network security is safe?This question is actually difficult to answer. Network security is dynamic. The means of attack change with each passing day and emerge in endlessly, and the protection measures are upgraded accordingly.So the question is, since there is no end to cyber security, what is the starting point?The answer was in sight.Level protection provides security construction guidance for network operators from two aspects of security technology and security management, and sets the lowest security baseline for customers of different scales.The starting point of safety construction is to wait for compliance.This paper mainly records the notes and thoughts in the learning process of grade protection.The protection requirements for different industry levels will be updated in the future. You can leave a message for the files mentioned in this document.Hierarchical protection was first proposed in the Regulations of the People’s Republic of China on Computer Information System Security Protection issued by The State Council in 1994 (Decree No. 147 of The State Council), in which “Article 9 computer information systems shall be protected by hierarchical security.The Ministry of Public Security shall, jointly with relevant departments, formulate standards for the classification of safety levels and specific measures for the protection of safety levels.””Chapter III Security Supervision” also points out that “computer information system security protection work” is supervised, inspected and guided by the public security department, and “Chapter IV legal responsibility” points out the law enforcement content of the public security organ.As there is no supporting implementation rules, no. 147 has not been well implemented after the promulgation.During the next few years developed a part of the file: in 1999, the Ministry of Public Security is put forward, and the north, the Chinese Academy of Sciences jointly compiled code of the computer information system safety protection hierarchy GB17859-1999 (refer to the trusted computer system evaluation criteria, trusted computer network system), the first level protection is divided into five level;In 2003, the General Office of the CPC Central Committee and The General Office of the State Council issued the Opinions of the National Informatization Leading Group on Strengthening the Work of Information Security (the General Office of the CPC Central Committee issued 27) clearly pointed out that “the implementation of information security level protection”;In 2006, the four ministries and commissions countersigned on the issuance of “information security level protection management Measures” (Public word 7);In 2007, four departments jointly issued the information safety protection measures for the administration of grade, specifies the level of protection system basic content, procedures and work requirement, information system level, for the record, safe construction rectification, level and its implementation and management, and information security products such as selection and evaluation institutions, provides specification for information security rank protection work safeguard;In 2007, the four departments jointly promulgated the “Notice on the Development of the National Important information System security grade protection grading work”;In 2008, the Ministry of Public Security information security level protection evaluation center drafted and released the “information security technology information system security level protection basic requirements (GB/T 22239-2008)” and supporting related standards, the implementation of level protection with technical support;In 2010, the Ministry of Public Security issued the Notice on Promoting the Construction of information Security Grade Protection Evaluation System and carrying out grade evaluation work, which proposed the phased goals of grade protection work.At this point, information security level protection in the domestic formally began to implement, promotion.With the continuous improvement of the level of information technology, new technologies such as cloud and object movement are springing up continuously, and the original equity-protection standards are not applicable in many technologies and scenarios.In October 10, 2016, the fifth Session of the National Information security level protection technology conference held, the Ministry of Public Security network security Protection Bureau Guo Qiquan chief engineer pointed out that “the state of network security level protection system put forward new requirements, level protection system has entered the 2.0 era”.In the same year, the Cyber Security Law of the People’s Republic of China was formally promulgated, “Article 21 The State implements the hierarchical network security protection system.Network operators shall, in accordance with the requirements of the network security hierarchy protection system, fulfill the following security protection obligations to protect the network from interference, destruction or unauthorized access and prevent network data leakage, theft or tampering “.The promulgation of the Network security Law marks a new era of hierarchical protection, and we often hear the slogan “do not wait for protection, is illegal.”In 2017, January-February security Standards Committee issued network security level protection technical requirements series standards and evaluation requirements series standards;In May, the Ministry of Public Security issued the Guidelines for Grading network Security Protection.June 1, the Cyber Security Law of the People’s Republic of China was formally implemented.After a number of internal modifications and adjustments, May 13, 2019 “Information security technology network security level protection basic requirements” (GB/T22239-2019) was officially released, the official implementation of December 1, 2019, supporting standards are also released in the same year.In 2021, the assessment standard of grade protection will change in June, which is mainly reflected in the calculation formula of comprehensive score.In November, the recommended catalogue of grade protection assessment institutions was no longer published, and the qualification certification of grade protection assessment institutions was incorporated into the national certification system.2. The level of protection the five processes of four departments jointly issued in 2007 “information security rank protection measures for the administration regulation level protection five standard action and have been in use today, such as confirmed on the basis of the five standard action 2.0 adds to the risk assessment action, such as the primary record I understand the content of the five standard action.2.1 Grading During the implementation of grading, two dimensions are mainly referred to: S business information security level and A system service security level.According to the degree of damage to different objects, it is divided into 1-5 levels.S and A are graded separately, adopting the principle of high not low (S3A2 and S2A3 are equal protection level three).There is also a parameter G: common security service level.In the actual operation process, it is difficult to define the degree of infringement on objects such as the state and society, so the classification is generally conducted in accordance with the requirements of the industry or the grading situation of customers of the same industry and scale.Such as secondary to spontaneous grading, such as insurance level 3 after a preliminary grading need organization expert evaluation, the department in charge of audit, including expert panels by the lowest is composed of three information security experts and business experts, senior evaluation division one of them should be level protection, information security experts generally choose from local it expert database.The general grading process is as follows: 2.2 Archival Filing According to the Implementation Rules for The Archival filing of Information Security Classification Protection (Gongxin ‘an  No. 1360) : 1) The public information network security supervision departments of prefecty-level or above public security organs accept the archival filing of the units within their jurisdiction.2) The information system of cross-local (city) network operation belonging to provincial filing units shall be accepted and filed by the public information network security supervision department of provincial public security organs.3) Information systems belonging to the central government in Beijing that operate in a unified network across provinces or across the country and are uniformly graded by the competent authorities shall be accepted and filed by the Public information network security Supervision Bureau of the Ministry of Public Security, and other information systems shall be accepted and filed by the public information network security supervision Department of the Beijing Municipal Public Security Bureau.4) The information system of non-Beijing units subordinate to the central government shall be accepted and put on record by the public information network security supervision department of the local provincial public security organ (or the designated prefecture-level public security organ public information network security supervision department).5) Branch systems (including information systems graded by superior competent authorities and applied locally) of information systems that operate and are uniformly networked across provinces or across the country and are uniformly graded by competent authorities shall be accepted for filing by the public information network security supervision departments of the local public security organs at or above the prefecture level.Filing process should prepare the following materials (reference) : 1) the attachment 1: XX system security rank protection for the record table (table 1, 2, 3, 4) 2) attachment 2: XX system network security rank protection grading report 3) attachment 3: XX system topology and 4) annex 4: XX system safety organization and management system of 5) annex 5:XX system reconstruction plan implementation of safety protection facilities design implementation plan or 6) annex 6: XX system using list of information security products and their certification, sales permit 7) annex 7: XX system security protection level expert evaluation opinions 8) annex 8: approval of the competent department in charge of the views of the information system security protection grade 9) annex 9:XX system security level assessment Report 10) Annex 10: XX unit network security level protection working group list after the completion of the overall process, the public security organ will issue a record certificate, some places will be issued after the guarantee assessment.2.3 Construction/Rectification Grade Protection construction can be carried out by referring to the suggestions of the safety manufacturer or the forecast evaluation and rectification report of the evaluation company.Level 2 recommended products: firewall, log audit, fortress machine, host antivirus and other level 3 recommended products:Firewall support (antivirus), Internet behavior management, log audit, fortress machine, database audit, host, antivirus, vulnerability scanning, situational awareness 2.4 assessment evaluation institutions may, according to the national level to protect network security work coordination group office recommended list, according to the information security rank protection assessment agencies record detailed rules for the implementation of a long distance,Grade protection assessment institutions shall carry out their work within the recommended areas. If grade assessment projects are carried out outside the recommended areas, they shall go through the filing procedures at the assessment places.According to the latest requirements of the national network security level protection coordination group, the recommendation list will no longer be published, and the qualification certification of grade protection evaluation institutions will be incorporated into the national certification system.The scoring method of the insurance evaluation will change from June 2021, with different implementation conditions in different regions, but it will be implemented in accordance with this standard one after another. The scoring calculation formula is as follows: Compared with the “shortest distance method” of the 2019 version, the formula of the 2021 version is changed to the defect deduction method.The proportion of technology and management is no longer equal to 50%. The management department of hierarchical protection can adjust the proportion of technology and management by giving the coefficient of concern (Y).Evaluation indicators are subdivided into general, important and critical. 3 times of benchmark points will be deducted if the key evaluation indicators do not meet the criteria, and 2 times of benchmark points will be deducted if the important evaluation indicators do not meet the criteria.From the point of view of network and information system operators, the main focus of this revision is on key evaluation indicators, important evaluation indicators and how to evaluate data resources.There are 211 indicators in the three-level general standard, of which 137 are key indicators, accounting for 65%.71 important indicators, accounting for 34%;There were 3 general indicators, accounting for 1%.Overall, if more than a third of the key indicators are not met, the assessment may score a “0”.From 137 identified key indicators combined with the actual situation of customers carrying out equal-protection construction work, this revision is to highlight the strengthening of the following aspects in the process of equal-protection construction: situation awareness, advanced threat detection, database security (database audit, database encryption, database desensitization, database firewall, etc.).2.5 Supervision and Inspection The public security department shall lead the inspection.3. Main differences between equal-guarantee 1.0 and 2.0 Compared with equal-guarantee 2.0, equal-guarantee 1.0 has five major changes: 3.1 Changes in the name The name is changed from “information system security level protection” to “network security level protection”.3.2 Different legal effects Article 21 of the Network Security Law stipulates that “the state implements the network security rating protection system, requiring network operators to fulfill security protection obligations in accordance with the requirements of the network security rating protection system”.It has become a legal obligation to implement the system of graded cybersecurity protection.3.3 Extended Protection for Protected Objects 1.0 Is mainly for information systems.The network infrastructure (broadcasting power grid, telecommunication network, private communication network, etc.), cloud computing platform/system, system using mobile Internet technology, Internet of things, industrial control system, etc., are included in the scope of classified protection.3.4 control measures classify different insurance 1.0 according to the requirements of technical and management of the five aspects of classification, technical requirements are divided into physical security, network security, host, security, application security, data security and backup recovery and management requirements are divided into safety management system, safety management organization, personnel, security management, system management and operations management system.Equal-insurance 2.0 is a big change.Technical requirements are divided into security physical environment, security communication network, security area boundary, security computing environment and security management center. Management requirements are divided into security management system, security management organization, security personnel management, security construction management and security operation and maintenance management.In addition, the framework of basic requirements, evaluation requirements and safety design technical requirements of Isobo 2.0 has maintained consistency, that is, “one center, three protection”.3.5 The content has been expanded and so on. 1.0 has five prescribed actions, including grading, filing, construction and rectification, grade evaluation and supervision and inspection.In addition to grading, filing, construction and rectification, grade evaluation and supervision and inspection, etc., etc. 2.0 includes risk assessment, safety monitoring, notification and early warning, case investigation, data protection, disaster backup, emergency response and so on.