Frequently asked questions and answers on classified protection (MLPS)

A: Classified protection (等级保护, often shortened to "等保") is the information security standard and specification led by the Third Research Institute of the Ministry of Public Security in response to State Council Order No. 147; its full name is "classified protection of information security". So far there are two versions, classified protection 1.0 and classified protection 2.0, whose basic requirements are GB/T 22239-2008 and GB/T 22239-2019 respectively. Classified protection 1.0 has therefore been in force since 2008 and classified protection 2.0 since 2019.

Since classified protection 2.0, the assigned level is reviewed by experts: when the local public security network supervision department accepts a filing, it carries out an expert review of the classification. The following principles generally apply:

Answer: Refer to the basic requirements (GB/T 22239) and the assessment requirements (GB/T 28448); these are the indicators against which classified protection is measured. In principle, requirements and assessment items that can be met through configuration and adjustment of existing systems do not need to be compensated for by purchasing additional software or hardware. Where meeting them with internal resources is too costly, the fastest and most common route is to buy third-party software, hardware and services.

A: The scope of classified protection covers all non-state-secret systems in China; every such system needs to be protected, whether it sits on an intranet or on the Internet.

Answer: Classified protection is applied per information system, not per company or department.

For example, if a company has 10 information systems and five of them matter (the rest being unimportant):

A. If there is substantial data interaction between the systems, they can be filed and assessed as a whole;

B. If there is little or no data interaction, it is recommended to classify and assess them separately.

A: A second-level system is assessed every two years. There is no explicit standard for this, but every two years is the general recommendation.

A third-level system must be assessed once a year. See Article 14 of the Administrative Measures for Information Security Classified Protection (G.T.Z. [2007] No. 43), also known as Document No. 43.

/ztk/hlwxx/02/09/document/533639/533639.htm

The state implements a network security level protection system. Network operators shall, in accordance with the requirements of the network security level protection system, fulfill the obligations of network security protection, protect the network from interference, destruction or unauthorized access, and prevent network data from being leaked, stolen or tampered with.

If your information system has not undergone classified protection and is then attacked, there will be consequences: first, you have failed to fulfil your network security obligations, and second, the attacker has broken the law; both will be severely punished.

Key information infrastructure protection, abbreviated "关保" ("Guan Bao"), refers to the important network facilities and information systems in industries and fields such as public communication and information services, energy, transportation, water conservancy, finance, public services, e-government and the national defense science and technology industry, and other facilities and systems that, once destroyed, disabled or subject to data leakage, may seriously endanger national security, the national economy, people's livelihood or the public interest.

The difference between classified protection and key information infrastructure protection is that key information infrastructure protection adds focused protection on top of the classified protection system. Section 2 of Chapter III of the Cybersecurity Law of the People's Republic of China governs the operational security of key information infrastructure, including its scope and the main contents of protection.

At present, the basic requirements, assessment guidelines and high-risk cases for key information infrastructure protection have been completed, and related work has started. Classified protection applies to a far wider set of operators than key information infrastructure protection: every operator subject to classified protection has to carry it out, but not every such operator falls under key information infrastructure protection. Key information infrastructure protection targets important industries and fields and builds on classified protection.

Article 21 of the Cybersecurity Law of the People's Republic of China stipulates that network operators shall perform their security protection obligations in accordance with the requirements of the network security classified protection system. Article 76 defines network operators as network owners, managers and network service providers.

Classified protection is the basic measure for ensuring China's network security. At present, all units need to carry out classified protection according to the importance of their industry and protected objects, the requirements of the Cybersecurity Law and relevant departments, and the principle of "synchronous planning, synchronous construction and synchronous use".

The whole process for a second- or third-level system takes about 1-2 months.

The on-site assessment generally takes around 1 week; the exact time rises or falls with the number and scale of the information systems and with how well the assessor and the assessed party cooperate.

Small-scale security rectification (management system documentation and policy/configuration hardening) takes 2-3 weeks, and issuing the report takes 1-2 weeks.

At present, individual provinces and cities still have their own rules on the assessment timeline. In general, the assessment report must be issued within 3-6 months of signing the assessment contract.

Classified protection is managed territorially, so the assessment fee is not uniform across the country. Each province has a reference quotation for assessment fees, and the overall cost also varies with the size of the business system and whether extended functional testing is involved.

For example, one province's reference quotation is 50,000 for a second-level system assessment and 90,000 for a third-level system assessment.

Classified protection uses a filing-and-assessment mechanism, not a certification mechanism, so there is no such thing as "outsourcing" it. Blindly buying the product and service bundles packaged by vendors is often not the most cost-effective option. Network operators can consult a professional third-party security consulting service to plan construction work around their actual security needs and the score they expect in the classified protection assessment.

There is no certificate after the assessment. Classified protection uses a filing-and-assessment mechanism, not a certification mechanism. After filing with the local public security network supervision department you receive the filing certificate for information system security classified protection, and after the assessment is completed you receive the legally effective Assessment Report (stamped at least with the official seal of the assessment agency and its special assessment seal).

Network police practice differs between provinces. Generally, once the filing is submitted and the information is complete, the filing certificate can be obtained within 15 working days of the review being passed.

Classified protection 2.0 assessment results consist of a score and a conclusion. The score is out of 100 with a passing line of 70; the conclusion is one of four grades: excellent, good, fair and poor.

Different companies are independent legal entities, so each must be its own filing subject and they cannot be treated as one system. Business systems belonging to the same company can be counted as one system, provided that after consolidation their entry points, back ends, business relationships and importance meet the requirements of GB/T 22240-2020 (the classification guide for classified protection of cybersecurity).

Choose an assessment company that holds assessment qualifications, giving priority to local ones. You can consult the "Recommended Catalogue of National Network Security Classified Protection Assessment Institutions" published by the China Network Security Classified Protection Network (djbh.net) to pick several companies to bid, and at the same time check whether any of them appears in the rectification announcements of the Office of the National Network Security Classified Protection Coordination Group published on the same site.

Classified protection covers a wide range, and many related security standards, specifications and guidelines are still being drafted or revised. The general specifications and standards include, but are not limited to, the following:

No. A classified protection assessment conclusion of "poor" means the information system carries high risk or its overall security is weak, and it does not meet the requirements of the corresponding standard. That does not mean the classified protection work was done in vain. Even with a non-conforming assessment report, the competent authority recognises that your unit has carried out classified protection work this year; the system currently has many problems that fall short of the standard and must be rectified quickly.

Generally speaking, the deliverables are the filing certificate and the assessment report, and the assessment report should be stamped with the official seal of the assessment institution and its special assessment seal.

Yes, it must be done. There are many kinds of business cloud (public cloud, private cloud and others) using different service models such as IaaS, PaaS, SaaS and IDC hosting. Although the boundary of security responsibility changes, the network operator's security responsibility does not shift. Under the principle of "whoever operates is responsible, whoever uses is responsible, and whoever is in charge is responsible", the operator must assume network security responsibility under classified protection.

Many people think that everything is fine once the classified protection assessment is complete. It is not. The classified protection assessment standard is only a baseline requirement. Most security risks can be avoided by carrying out assessment, rectification and implementation of the classified protection system, but security is a dynamic rather than static process, and a single assessment does not settle it once and for all.

By implementing the classified protection requirements and strictly enforcing its security management rules and regulations, an enterprise can largely achieve safe and stable operation of its systems, but this still cannot guarantee security 100%. Classified protection assessment is therefore necessary, and "one center, three protections" and "three transformations and six defenses" should guide the continuous improvement of network attack and defense capabilities.

First, classified protection assessment is recurring, not a one-off: even if an opportunistic approach passes this year, the system will be assessed again next year and the year after.

Second, you do not have to buy the equipment yourself; relevant service certificates can be provided, and a lease contract is also acceptable.

First, there is no explicit requirement to purchase third-party software and hardware; they serve only as compensating measures. Where the application system itself cannot meet the classified protection requirements, compensating measures can be adopted to make up for its deficiencies so that it satisfies the relevant items of the classified protection assessment.

Vulnerability scanning: recommended for essentially all classified protection levels.

Penetration testing: mandatory for third-level systems; not mandatory for second-level systems, but recommended for a first assessment.

Baseline verification: not required by classified protection, but it makes rectification easier; if baseline verification is done well before the assessment, rectification is much more convenient.

At the fastest, about a week, depending on the review progress of the local network supervision department.