Level 2 classified protection (MLPS Level 2) requirements

The requirements of the national information security classified protection system at Level 2 fall into technical requirements and management requirements. The technical requirements cover physical security, network security, host security, application security, and data security and backup recovery. The management requirements cover the security management organization, the security management system, personnel security management, system construction management, and system operation and maintenance management.

I. Technical requirements

1. Physical security

1.1 Physical location selection

The computer room and office space should be located in buildings that are resistant to earthquake, wind and rain.

1.2 Physical access control

(1) The entrance and exit of the computer room should be attended by dedicated personnel who identify and register persons entering;

(2) Visitors entering the computer room should be approved, and their activities should be restricted and monitored.

1.3 Anti-theft and anti-vandalism

(1) Main equipment should be placed within a physically restricted area;

(2) Equipment and main components should be secured and marked with clear, indelible labels;

(3) Communication cables should be laid in concealed locations, such as underground or in conduits;

(4) Media should be classified, labelled and stored in a media library or archive room;

(5) Necessary anti-theft alarm facilities should be installed to prevent intrusion into the computer room for theft or damage.

1.4 Lightning protection

(1) The computer room building should be fitted with lightning protection devices;

(2) A grounding wire for the AC power supply should be installed.

1.5 Fire protection

Fire extinguishing equipment and an automatic fire alarm system should be installed and kept in good condition.

1.6 Waterproofing and moisture-proofing

(1) Water pipes should not be installed under the roof or under raised floors;

(2) Water pipes passing through walls and floors should be protected, for example with sleeves;

(3) Measures should be taken to prevent rainwater from penetrating the roof and walls;

(4) Measures should be taken to prevent indoor water vapour condensation and the migration and infiltration of groundwater.

1.7 Anti-static

Necessary anti-static measures, such as grounding, should be taken.

1.8 Temperature and humidity control

Automatic temperature and humidity regulation facilities should be installed so that the temperature and humidity in the computer room stay within the range permitted for equipment operation.

1.9 Power supply

(1) The power supply of the computer system should be separate from other power supplies;

(2) Voltage regulators and overvoltage protection equipment should be provided;

(3) Short-term backup power (such as UPS equipment) should be provided.

1.10 Electromagnetic protection

(1) Equipment should be grounded to prevent external electromagnetic interference and parasitic coupling interference;

(2) Power cables and communication cables should be separated to avoid mutual interference.

2. Network security

2.1 Structural security and network segmentation

(1) The processing capacity of network equipment should have redundant headroom to meet peak business demand;

(2) A network topology diagram consistent with current operation should be designed and drawn;

(3) Network bandwidth should be designed reasonably according to the organization's business characteristics, so that demand at business peak hours is met;

(4) Routing control should be carried out between business terminals and business servers to establish a secure access path;

(5) Subnets or network segments should be defined according to job functions, the importance of each department and the importance of the information handled, and address ranges should be allocated to each subnet or segment in a way that is easy to manage and control;

(6) For important network segments, network-layer addresses should be bound to data-link-layer addresses to prevent address spoofing.

2.2 Access control

(1) Explicit permit/deny decisions for data flows should be made from session state information (including source address, destination address, source port, destination port, protocol, ingress interface, session sequence number, host name of the sending host, etc.);

(2) Remote users should be allowed or denied access to the system's resources according to rules based on security attributes, and the control granularity should be the individual user;

(3) The number of users with dial-up access rights should be limited.
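As an added illustration of the session-attribute filtering and per-user granularity described in 2.2 (example code written for this page, not part of the requirements text), the Python first-match filter below decides permit/deny from source and destination address, port, protocol, ingress interface and remote user, defaults to deny, and lets replies of an already-permitted session through. The rule set, addresses, user names and interface names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """Session attributes of one packet, as listed in 2.2(1). All values constructed."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str                  # "tcp" or "udp"
    iface: str                  # interface the packet arrived on
    user: Optional[str] = None  # authenticated remote user, for per-user rules (2.2(2))


@dataclass(frozen=True)
class Rule:
    """A filter rule; None for a field means 'match any'. Addresses are CIDR prefixes."""
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    proto: Optional[str] = None
    iface: Optional[str] = None
    user: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        if ipaddress.ip_address(f.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(f.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.iface is not None and self.iface != f.iface:
            return False
        if self.user is not None and self.user != f.user:
            return False
        return True


# Constructed rule set: office segment may reach the server on HTTPS via eth1 only,
# never on SSH; remote user "alice" may reach the whole server segment.
RULES = [
    Rule("deny", src="10.0.2.0/24", dst="10.0.1.10/32", dport=22, proto="tcp"),
    Rule("permit", src="10.0.2.0/24", dst="10.0.1.10/32", dport=443, proto="tcp", iface="eth1"),
    Rule("permit", dst="10.0.1.0/24", user="alice"),
]


def decide(flow: Flow, rules=RULES) -> str:
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


class StatefulFilter:
    """Tracks permitted sessions so that reply traffic of an established session
    is accepted without needing a separate reverse rule."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.sessions = set()   # (src, sport, dst, dport, proto) of permitted sessions

    def process(self, f: Flow) -> str:
        reply_key = (f.dst, f.dport, f.src, f.sport, f.proto)
        if reply_key in self.sessions:
            return "permit"     # reply belonging to an established session
        action = decide(f, self.rules)
        if action == "permit":
            self.sessions.add((f.src, f.sport, f.dst, f.dport, f.proto))
        return action
```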

2.3 Security audit

(1) Events such as network equipment operation, network traffic and user behaviour in the network system should be recorded;

(2) For each event, the audit record should include the date and time of the event, the user, the event type, whether the event succeeded, and other audit-related information.

2.4 Boundary integrity check

It should be possible to detect unauthorized connections by internal users to external networks (so-called "illegal outreach", i.e. unauthorized outbound connections).

2.5 Intrusion prevention

The following attacks should be monitored at the network boundary: port scanning, brute-force attacks, Trojan backdoor attacks, denial-of-service attacks, buffer overflow attacks, IP fragmentation attacks, network worm attacks and other intrusion events.

2.6 Malicious code prevention

(1) Malicious code should be detected and removed at network boundaries and on core business segments;

(2) The malicious code signature base should be upgraded and the detection system updated;

(3) Unified management of malicious code prevention should be supported.

2.7 Network equipment protection

(1) Users logging in to network devices should be authenticated;

(2) The login addresses of network equipment administrators should be restricted;

(3) Identifiers of network equipment users should be unique;

(4) Identity authentication information should have properties that make it hard to forge or misuse, such as password length, complexity and periodic renewal;

(5) Login failure handling should be provided, such as ending the session, limiting the number of failed logins, and automatically terminating the network login connection after a timeout.

3. Host security

3.1 Identity authentication

(1) User identities in the operating system and database management system should be unique;

(2) Users logging in to the operating system and database management system should be identified and authenticated;

(3) Identity authentication information for the operating system and database management system should have properties that make it hard to forge or misuse, such as password length, complexity and periodic renewal;

(4) Login failure handling should be provided, such as ending the session, limiting the number of failed logins, and automatically terminating the login connection after a timeout.

3.2 Access control

(1) Subjects' access to objects should be controlled according to the security policy;

(2) Discretionary access control should cover the subjects and objects directly related to information security and its operation;

(3) The granularity of discretionary access control should reach the user level for subjects and the file and database table level for objects;

(4) Authorized subjects should set the access and operation rights to objects;

(5) Access rights of default users should be strictly restricted.

3.3 Security audit

(1) The security audit should cover every operating system user and database user on the server;

(2) The security audit should record important security-related events in the system, including important user behaviours and the use of important system commands;

(3) Records of security-related events should include the date and time, type, subject identifier, object identifier, event outcome, etc.;

(4) Audit records should be protected from accidental deletion, modification or overwriting.

3.4 Protection of residual information

(1) The storage space holding the authentication information of operating system and database management system users should be completely cleared before it is released or reallocated to other users, whether the information is held on disk or in memory;

(2) The storage space of files, directories, database records and other resources in the system should be completely cleared before it is released or reallocated to other users.

3.5 System protection

The system should be able to run in a management and maintenance state that can only be used by the system administrator.

3.6 Malicious code prevention

(1) Servers and important terminal devices (including mobile devices) should be equipped with software for real-time detection and removal of malicious code;

(2) The host anti-malware product should use a malicious code signature base different from that of the network anti-malware product.

3.7 Resource control

(1) The number of sessions for a single user should be limited;

(2) Terminal login should be restricted by conditions such as terminal access mode and network address range.

4. Application security

4.1 Identity authentication

(1) The identities of application system users should be unique;

(2) Users logging in should be identified and authenticated;

(3) The system's user authentication information should have properties that make it hard to forge or misuse, such as password length, complexity and periodic renewal.

4.2 Access control

(1) Users' access to objects should be controlled according to the security policy;

(4) Authorized subjects should set users' access to system functions and data;

(5) The privileges of privileged users of the application system should be separated; for example, management and auditing privileges should be assigned to different application users;

(6) The separation of privileges should follow the principle of least privilege: each user is given the minimum authority needed to complete their own tasks, so that users mutually constrain one another;

(7) Access rights of default users should be strictly restricted.

4.3 Security audit

(1) The security audit should cover every user of the application system;

(2) The security audit should record important security-related events of the application system, including important user behaviours and the execution of important system functions;

(4) Audit records should be protected from accidental deletion, modification or overwriting.
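To show what the audit-record requirements of 2.3, 3.3 and 4.3 look like in code (an added example, not text from the standard), the Python class below refuses records that lack a required field and chains each record to the previous one with SHA-256, so that modification or deletion of any earlier record is detected. The event values are constructed. A deleted tail record is only caught when the head (record count and latest hash) has been saved somewhere the log writer cannot change, which is why `head()` exists.

```python
import hashlib
import json
from datetime import datetime, timezone

# Fields every record must carry (3.3(3) and 2.3(2)): when, what, who, on what, outcome.
REQUIRED_FIELDS = ("time", "type", "subject", "object", "result")
GENESIS = "0" * 64  # "previous hash" of the very first record


class AuditLog:
    """Append-only, hash-chained audit log (constructed example, not a library API)."""

    def __init__(self):
        self.records = []
        self.head_hash = GENESIS

    @staticmethod
    def _digest(rec):
        # Hash the canonical JSON of everything except the record's own hash field.
        body = {k: v for k, v in rec.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event_type, subject, obj, result, when=None, **extra):
        rec = {
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "type": event_type,
            "subject": subject,
            "object": obj,
            "result": result,
        }
        rec.update(extra)
        missing = [k for k in REQUIRED_FIELDS if rec.get(k) in (None, "")]
        if missing:
            raise ValueError(f"audit record missing required fields: {missing}")
        rec["prev"] = self.head_hash          # link to the previous record
        rec["hash"] = self._digest(rec)
        self.records.append(rec)
        self.head_hash = rec["hash"]
        return rec

    def head(self):
        """(record count, latest hash): store this out of reach of the log writer."""
        return (len(self.records), self.head_hash)

    def verify(self, expected_head=None):
        """Return -1 if the chain is intact, else the index of the first bad record.
        If expected_head is given, a truncated log is reported at index len(records)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.get("prev") != prev or self._digest(rec) != rec.get("hash"):
                return i
            prev = rec["hash"]
        if expected_head is not None and expected_head != (len(self.records), prev):
            return len(self.records)
        return -1
```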

4.4 Protection of residual information

The storage space holding users' authentication information should be completely cleared before it is released or reallocated to other users, whether the information is held on disk or in memory.

4.5 Communication integrity

Both communicating parties should agree on a one-way check code (hash) algorithm with which to calculate check codes for communication data messages, and each party should judge the validity of the other's messages from the check code.

4.6 Communication confidentiality

(1) When one of the two communicating parties does not respond within a set period, the other party should be able to end the session automatically;

(2) Before the communicating parties establish a connection, session initialization should be verified using cryptographic techniques;

(3) Sensitive information fields should be encrypted during communication.

4.7 Software fault tolerance

(1) Data entered through the human-machine interface or a communication interface should be validated;

(2) Operations performed through the human-machine interface should have a "rollback" function, that is, operations can be undone in reverse order;

(3) In case of failure, some functions should continue to be provided so that necessary measures can still be carried out.

4.8 Resource control

(1) Multiple concurrent sessions by a single user should be restricted;

(2) The maximum number of concurrent session connections to the application system should be limited;

(3) The number of concurrent session connections that can be opened within a period of time should be limited.
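The following Python controller is an added example of the login-failure handling in 2.7(5)/3.1(4), the idle-session auto-termination in 4.6(1) and the three resource limits in 4.8; it is not code from the standard. The policy values (5 failures, 300-second lockout, 2 sessions per user, and so on) are constructed defaults, and the injectable clock exists only so the behaviour can be exercised without waiting.

```python
import secrets
import time
from collections import defaultdict, deque


class SessionController:
    """Login lockout, idle timeout and concurrency limits in one place (constructed example)."""

    def __init__(self, max_failed=5, lockout_seconds=300, idle_timeout=900,
                 per_user_limit=2, global_limit=100, window_limit=(20, 60),
                 clock=time.time):
        self.max_failed = max_failed              # failed logins before lockout
        self.lockout_seconds = lockout_seconds
        self.idle_timeout = idle_timeout          # 4.6(1): end session after no activity
        self.per_user_limit = per_user_limit      # 4.8(1)
        self.global_limit = global_limit          # 4.8(2)
        self.window_count, self.window_seconds = window_limit  # 4.8(3): N new sessions per window
        self.clock = clock
        self.failed = defaultdict(int)            # user -> consecutive failures
        self.locked_until = {}                    # user -> unlock time
        self.sessions = {}                        # session id -> [user, last activity]
        self.recent_logins = deque()              # timestamps of session creations

    def _expire(self, now):
        for sid, (_, last) in list(self.sessions.items()):
            if now - last > self.idle_timeout:
                del self.sessions[sid]            # automatic end of idle session

    def login(self, user, credentials_ok):
        """Return (session id, status). status is 'ok' or the reason for refusal."""
        now = self.clock()
        self._expire(now)
        if self.locked_until.get(user, 0) > now:
            return None, "locked"
        if not credentials_ok:
            self.failed[user] += 1
            if self.failed[user] >= self.max_failed:
                self.locked_until[user] = now + self.lockout_seconds
                self.failed[user] = 0
                return None, "locked"
            return None, "bad_credentials"
        while self.recent_logins and now - self.recent_logins[0] > self.window_seconds:
            self.recent_logins.popleft()
        if len(self.recent_logins) >= self.window_count:
            return None, "rate_limited"
        if len(self.sessions) >= self.global_limit:
            return None, "system_full"
        if sum(1 for u, _ in self.sessions.values() if u == user) >= self.per_user_limit:
            return None, "too_many_sessions"
        sid = secrets.token_hex(16)               # unpredictable session identifier
        self.sessions[sid] = [user, now]
        self.recent_logins.append(now)
        self.failed[user] = 0
        return sid, "ok"

    def touch(self, sid):
        """Record activity; False means the session is gone (ended or timed out)."""
        now = self.clock()
        self._expire(now)
        if sid not in self.sessions:
            return False
        self.sessions[sid][1] = now
        return True

    def end(self, sid):
        return self.sessions.pop(sid, None) is not None
```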

4.9 Code security

(1) Static analysis for malicious code should be performed on the application code;

(2) The application code should be analysed for security vulnerabilities.

5. Data security and backup recovery

5.1 Data integrity

(1) It should be possible to detect that the integrity of system management data, authentication information and user data has been compromised during transmission;

(2) It should be possible to detect that the integrity of system management data, authentication information and user data has been compromised during storage.
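As an added example for the check-code requirement of 4.5 and the transmission and storage integrity detection of 5.1 (not code from the standard), the Python functions below use HMAC-SHA256 as the agreed one-way check code. A keyed code is assumed rather than a bare hash, because an unkeyed digest can simply be recomputed by whoever alters the message; the sequence number rejects replayed or reordered frames, and the manifest functions apply the same check to stored objects. The key and sample data are constructed.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256 output size in bytes


def tag_message(key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = 4-byte sequence number | 4-byte payload length | payload | check code.
    The check code covers everything before it, so header tampering is detected too."""
    header = struct.pack(">II", seq, len(payload))
    mac = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + mac


def verify_message(key: bytes, frame: bytes, expected_seq: int):
    """Return the payload if the check code and sequence number are valid, else None."""
    if len(frame) < 8 + MAC_LEN:
        return None
    seq, length = struct.unpack(">II", frame[:8])
    if len(frame) != 8 + length + MAC_LEN:
        return None                                  # truncated or padded frame
    signed, mac = frame[:8 + length], frame[8 + length:]
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):       # constant-time comparison
        return None
    if seq != expected_seq:
        return None                                  # replayed or out-of-order frame
    return frame[8:8 + length]


def build_manifest(key: bytes, objects: dict) -> dict:
    """Keyed check code per stored object (name -> hex digest), taken at a known-good time."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in objects.items()}


def check_manifest(key: bytes, objects: dict, manifest: dict) -> list:
    """Names whose stored content no longer matches: modified, missing, or not in the manifest."""
    bad = []
    for name, expected in manifest.items():
        data = objects.get(name)
        if data is None:
            bad.append(name)
            continue
        actual = hmac.new(key, data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(actual, expected):
            bad.append(name)
    bad.extend(set(objects) - set(manifest))         # unlisted objects are reported too
    return sorted(bad)
```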

5.2 Data confidentiality

(1) The authentication information, sensitive system management data and sensitive user data of network equipment, operating systems, database management systems and application systems should be encrypted, or other effective measures taken, to achieve confidentiality in transmission;

(2) When portable and mobile devices are used, sensitive information should be encrypted or stored on removable disks.

5.3 Backup and recovery

(1) An automatic mechanism should be provided for selective backup of important information;

(2) A function for restoring important information should be provided;

(3) Hardware redundancy should be provided for important network equipment, communication lines and servers.

II. Management requirements

1. Security management organization

1.1 Position setup

(1) An information security management function should be established, with a security supervisor and staff responsible for each aspect of security management, and the responsibilities of each person in charge should be defined;

(2) The posts of system administrator, network administrator and security administrator should be established, and the responsibilities of each post defined;

(3) Documents should be drawn up that clarify the responsibilities, division of labour and skill requirements of each department and post in the security management organization.

1.2 Staffing

(1) A sufficient number of system administrators, network administrators and security administrators should be assigned;

(2) A security administrator may not also act as network administrator, system administrator, database administrator, etc.

1.3 Authorization and approval

(1) An approval department and approvers should be authorized to review and approve key activities;

(2) The items requiring approval, the approving departments and the approvers should be listed.

1.4 Communication and cooperation

(1) Cooperation and communication between the various managers and internal organizations should be strengthened, and coordination meetings held regularly or as needed to help deal with information security issues;

(2) The information security function should convene the relevant departments and personnel for security work meetings regularly or as needed, to coordinate the implementation of security work;

(3) Cooperation and communication with peer organizations, public security organs and telecommunications companies should be strengthened, so that timely support is available in case of a security incident.

1.5 Audit and inspection

Security managers should conduct regular security checks, covering user accounts, system vulnerabilities, system audits, etc.

2. Security management system

2.1 Management system

(1) General guidelines, policy documents and security strategies for information security work should be formulated, explaining the overall objectives, scope, guidelines, principles and responsibilities of the organization's security work;

(2) A security management system should be established for the important management activities of security management, to standardize those activities and constrain personnel behaviour;

(3) Operating procedures should be established for the important management operations performed by managers or operators, to standardize operational behaviour and prevent operating errors.

2.2 Formulation and release

(1) The information security function should take overall responsibility and organize the relevant personnel to formulate the system;

(2) The security management system should have a unified format and style and be under version control;

(3) The relevant personnel should be organized to review and validate the formulated security management system;

(4) The security management system should be issued by management in documentary form through a defined procedure.

2.3 Review and revision

The security management system should be reviewed regularly, and any part that is inadequate or needs improvement should be revised.

3. Personnel security management

3.1 Recruitment

(1) Ensure that hired personnel have the basic professional technical level and security management knowledge;

(2) Review the identity, background, professional qualifications and post qualifications of hired personnel;

(3) Assess the technical skills of hired personnel;

(4) Explain the roles and responsibilities of employees;

(5) Sign a confidentiality agreement.

3.2 Resignation and departure

(1) All access rights of employees who are leaving for any reason should be terminated immediately;

(2) Identification documents, keys, badges, etc., and the software and hardware equipment provided by the organization, should be recovered;

(3) Strict transfer procedures should be completed before personnel leave their posts, and departing personnel should commit to confidentiality obligations after the transfer.

3.3 Personnel evaluation

(1) The security skills and security awareness of personnel in each position should be assessed regularly;

(2) Personnel in key positions should undergo a comprehensive and strict security review;

(3) Those who violate security policies and regulations should be disciplined.

3.4 Security awareness education and training

(1) Security awareness education should be provided for all categories of personnel;

(2) Employees should be informed of their security responsibilities and of the disciplinary measures;

(3) A security education and training plan should be drawn up, covering basic information security knowledge and post operating procedures;

(4) The content and results of security education and training should be recorded and archived.

3.5 Access management for third-party personnel

(1) Third-party personnel should sign a security responsibility contract or confidentiality agreement with the organization before access;

(2) Access to important areas must be approved by the responsible person, accompanied or supervised by dedicated personnel, and recorded.

4. System construction management

4.1 System classification

(1) The method for delimiting the information system should be clear;

(2) The security level of the information system should be determined;

(3) The attributes of an information system with a defined security level should be described in writing, including tasks, services, network, hardware, software, data, boundaries, personnel, etc.;

(4) Ensure that the classification results of the information system are approved by the relevant departments.

4.2 Security scheme design

(1) Basic security measures should be selected according to the system's security level, and supplemented and adjusted according to the results of risk analysis;

(2) The security protection requirements, strategies and measures of the system should be described in writing to form the system's security scheme;

(3) The security scheme should be refined into a detailed design scheme to guide the construction of the security system and the procurement of security products;

(4) The relevant departments and security technical experts should be organized to validate and review the rationality and correctness of the security design scheme;

(5) The security design scheme must be approved before it is formally implemented.

4.3 Product procurement

(1) Ensure that the use of security products complies with the relevant national regulations;

(2) Ensure that the use of cryptographic products meets the requirements of the national cryptography authorities;

(3) A dedicated department should be designated or authorized to be responsible for product procurement.

4.4 Self-developed software

(1) Ensure that the development environment is physically separated from the production environment;

(2) Ensure that the relevant software design documents and descriptions are provided;

(3) Ensure that system development documents are kept by dedicated personnel and that their use is controlled.

4.5 Outsourced software development

(1) An agreement should be signed with the software development unit to clarify the ownership of intellectual property rights and the security requirements;

(2) Software quality should be tested according to the requirements of the agreement;

(3) The software package should be checked for possible malicious code before installation;

(4) Ensure that the relevant software design documents and descriptions are provided.

4.6 Project implementation

(1) A security-related agreement should be signed with the project implementation unit to constrain its behaviour;

(2) Dedicated personnel or a department should be designated or authorized to manage the project implementation process;

(3) A detailed project implementation plan should be drawn up to control the implementation process.

4.7 Test and acceptance

(1) Security testing and acceptance of the system should be carried out;

(2) Before acceptance testing, a test acceptance scheme should be formulated according to the design scheme or contract requirements, and the results should be recorded in detail during testing to form a test acceptance report;

(3) The relevant departments and personnel should be organized to review and approve the system test acceptance report, and both parties should sign it once it is confirmed.

4.8 System delivery

(1) The system handover procedure should be defined, and the handover completed according to it;

(2) The system builder should complete the training of the operation and maintenance technicians, as entrusted by the developer;

(3) The system builder should submit the documents produced during system construction and the documents guiding users in operating and maintaining the system;

(4) The system builder should make a service commitment and submit a service commitment letter to ensure support for system operation and maintenance.

4.9 Selection of security service providers

The selection of security service providers must comply with the relevant national regulations.

5. System operation and maintenance management

5.1 Environmental management

(1) Power supply and distribution, air conditioning, temperature and humidity control and other facilities in the computer room should be maintained and managed regularly by designated personnel or a dedicated department;

(2) Computer room security management personnel should be assigned to manage entry to and exit from the computer room, server start-up and shutdown, and similar work;

(3) A computer room security management system should be established to regulate physical access, the movement of goods and environmental security in the computer room;

(4) Visitors to the computer room should be registered and recorded, and their activities restricted;

(5) Confidentiality management of the office environment should be strengthened, including the immediate return of office keys when staff are transferred out of the office, and not receiving visitors in the office area.

5.2 Asset management

(1) An asset security management system should be established, specifying the person or department responsible for asset management of the information system;

(2) An asset inventory containing information related to the information system, such as asset ownership, security level and location, should be compiled and maintained;

(3) Assets should be classified and managed according to their importance, with management measures chosen according to their value.

5.3 Media management

(1) Media should be stored in a secure environment, and all types of media controlled and protected, to prevent information from being stolen, destroyed, modified without authorization or illegally disclosed;

(2) Records of media storage, archiving, registration and retrieval should be kept, and regular inventories taken against the catalogue of backup and archive media;

(3) Before media are repaired or destroyed, the sensitive data on them should be removed to prevent information leakage;

(4) Media should be classified and labelled according to the importance of the data and software they hold, and the storage environment managed by dedicated personnel.

5.4 Equipment management

(1) A dedicated person or department should be designated to regularly maintain and manage the facilities, equipment and lines related to the information system;

(2) A management system based on application and approval should be established, with dedicated personnel responsible for the selection, procurement, distribution or requisition of the information system's software and hardware;

(3) The operation and use of terminal computers, workstations, notebook computers, systems and networks should be standardized;

(4) Information processing equipment taken out of the computer room or office should be controlled;

(5) Operations such as starting/stopping and powering on/off equipment, and the management of server log files, should be carried out according to operating procedures; monitoring and management of server operation should be strengthened; and the network and equipment should be configured according to the security policy and checked regularly.

5.5 Monitoring and management

The CPU, memory, process and disk usage of servers should be known and monitored.

5.6 Network security management

(1) A dedicated person should be designated to manage the network, responsible for the daily maintenance of operation logs and network monitoring records and for the analysis and handling of alarm information;

(2) A network security management system should be established, specifying network security configuration and logging;

(3) Network equipment should be updated with the software upgrades provided by the manufacturer, and existing important files backed up before updating;

(4) The network system should be scanned for vulnerabilities, and discovered vulnerabilities repaired promptly;

(5) Ensure that all connections with external systems are authorized and approved;

(6) Specific requirements should be set for the security policy, authorized access, minimal services, upgrades and patches, and maintenance records and logs of network equipment;

(7) The retention period of network audit logs should be specified to support the investigation of possible security incidents.

5.7 System security management

(1) A dedicated person should be designated to manage the system, and unused system default accounts deleted or disabled;

(2) A system security management system should be established, specifying system security configuration, system accounts and audit logs;

(3) The latest system patches should be installed regularly, vulnerabilities reported by the manufacturer that could harm the computer repaired promptly, and existing important files backed up before patches are installed;

(4) The system access control strategy should be determined according to business requirements and system security analysis, and used to control the access rights to distributed information systems, files and services;

(5) System accounts should be managed by category, with permissions set according to the principle of least privilege;

(6) Specific requirements should be set for the security policy, authorized access, minimal services, upgrades and patches, and maintenance records and logs of the system;

(7) The retention period of system audit logs should be specified to support the investigation of possible security incidents;

(8) The system should be scanned for vulnerabilities, and discovered vulnerabilities repaired promptly.

5.8 Malicious code prevention management

(1) Users should improve their anti-virus awareness and be instructed to upgrade their anti-virus software promptly;

(2) Virus checks should be performed before reading data from removable storage devices (such as floppy disks, portable hard disks and CD-ROMs) and before receiving files or e-mail from the network, and also before external computers or storage devices are connected to the network system;

(3) A dedicated person should be designated to detect malicious code on the network and on hosts, and to keep the detection records;

(4) The authorized use of anti-malware software, upgrades of the malicious code signature base and regular reporting should be clearly specified.

5.9 Cryptography management

The use of cryptographic algorithms and keys should comply with the national cryptography management regulations.

5.10 Change management

(1) The changes needed in the system should be confirmed and a change plan made;

(2) A change management system should be established; before a major system change, an application should be submitted to the responsible leader, and the change implemented only after approval;

(3) All relevant personnel should be informed of system changes.

5.11 Backup and recovery management

(1) The important business information, system data and software systems that need regular backup should be identified;

(2) The backup method (such as incremental or full backup), backup frequency (such as daily or weekly), storage medium and retention period of backup information should be specified;

(3) Backup and recovery strategies for data should be formulated according to the importance of the data and its effect on system operation; the backup strategy should specify the location of backup data, file naming rules, media replacement frequency and the method of transmitting data to off-site locations;

(4) A responsible person should be appointed to regularly maintain and check the backup and redundant equipment, so that it operates normally when it is needed;

(5) According to the backup method, the installation, configuration and start-up procedures of the corresponding equipment should be specified.

5.12 Security incident handling

(1) All users are responsible for reporting the security weaknesses and suspicious events they discover, but under no circumstances should users attempt to verify the weaknesses themselves;

(2) A management system for security incident reporting and handling should be formulated, defining the management responsibilities for on-site handling of security incidents, incident reporting and subsequent recovery;

(3) The type of information system, the characteristics of its network connections and the characteristics of its users should be analysed, the security incidents that have occurred in this and similar systems understood, and the security incidents this system needs to guard against identified, whether they arise from attacks, errors, failures, accidents or disasters;

(4) Computer security incidents in this system should be classified according to the classification method of the relevant state administrative departments and the degree of impact of the incident on this system;

(5) All reported security weaknesses and suspicious events should be recorded and kept, their causes analysed, developments monitored, and measures taken to prevent security incidents from occurring.

5.13 Emergency plan management

(1) Emergency plans for different events should be formulated within a unified emergency plan framework, including the conditions for activating the plan, emergency handling procedures, system recovery procedures, post-incident education and training, etc.;

(2) The relevant system personnel should be trained to know how and when to use the control measures and recovery strategies in the emergency plan, and emergency plan training should be held at least once a year.

If you need a classified protection assessment service, you can send a private message. Lulu Information Technology combines the technical advantages of cloud security products with high-quality security consulting and security assessment partner resources to provide a one-stop service for classified protection projects, covering the classification, filing, construction and rectification, and assessment stages, so that the security assessment is passed efficiently and network security classified protection is implemented.