What does classified protection (MLPS) require you to do?
Generally speaking, classified protection (等级保护, MLPS) consists of five stages: classification, filing, security construction, grade evaluation, and supervision and inspection. Below is a detailed walkthrough of the process for a Level 3 system under the MLPS 2.0 standard:
1. System classification
The first step in MLPS is to determine the security protection level of the enterprise's information system. According to the MLPS 2.0 classification guide, cloud computing platforms, Internet of Things systems, industrial control systems, systems using mobile Internet technology, communication network facilities and data resources fall into the category that must be classified and filed. Non-profit organizations, small and medium-sized private enterprises and other organizations should in principle also classify and file their systems.
At the same time, according to the relevant regulations, an object to be classified has the following three basic characteristics:
(1) it has a clearly identified entity bearing primary security responsibility;
(2) it carries a relatively independent business application;
(3) it contains several interrelated resources.
If an enterprise's system has the above characteristics, it must be classified and filed even if the system is small. In short, almost every system on the Internet should be classified and put on record.
So how is the MLPS level determined? According to the MLPS management documents, the security protection level of a protected object is divided into five levels, increasing from Level 1 to Level 5. The level is determined by two factors: (1) the object that would be harmed if the system were compromised; (2) the degree of harm to that object. For critical information infrastructure, "the level shall in principle not be lower than Level 3", and information systems at Level 3 and above must be evaluated once a year or once every six months.
Classification process: determine the object to be classified → preliminarily determine the level → expert review → examination and approval by the competent department → filing and review by the public security organ → final determination of the level.
2. System filing
According to the provisions of the Cybersecurity Law:
(1) For an information system at Level 2 or above that is already in operation, the operating unit shall file it with the local public security organ at or above the municipal level within 30 days after the security protection level is determined (under the relevant MLPS 2.0 standards, the filing deadline has been shortened to 10 days).
(2) For a newly built information system at Level 2 or above, the operating and using unit shall complete the filing formalities with the local public security organ at or above the municipal level within 30 days after it is put into operation (under the relevant MLPS 2.0 standards, the filing deadline has been shortened to 10 days).
(3) Information systems of central government units based in Beijing that operate on a unified network across provinces or nationwide and are managed by the competent department at different levels shall be filed with the Ministry of Public Security by the competent department.
(4) Subsystems of such inter-provincial or nationwide unified-network information systems that operate and are used in various localities shall be filed with the local public security organs at or above the municipal level.
Once the enterprise has finally determined the level of the protected object, it can file with the public security organ. The main filing material is the information security classified protection filing form; systems at different levels require different supporting materials. Information systems at Level 3 or above shall provide the following: (1) the system's topology and a description of it; (2) the system's security organization and management structure; (3) the design or transformation implementation plan for the system's security protection facilities; (4) a list of the information security products used by the system, with their certification and sales license certificates; (5) the technical inspection and evaluation report showing that the system meets its security protection level after evaluation; (6) expert review opinions on the system's security protection level; (7) the competent department's examination and approval opinions on the system's security protection level.
3. Security construction (rectification)
Rectification is one of the stages of MLPS construction. It refers to upgrading the network security of information and information systems according to the MLPS construction requirements, and includes both technical rectification and management rectification. Its ultimate goal is to improve the security protection capability of the enterprise's information system so that the enterprise passes the grade evaluation smoothly.
There is no qualification requirement for who performs MLPS rectification. As long as the company can carry out the related network security construction according to the MLPS requirements, anyone may implement it. However, because enterprises currently lack network security talent, they often need to engage a professional network security service company for rectification.
Rectification is divided mainly into management rectification and technical rectification. Management rectification mainly includes: identifying the responsible leaders and departments, establishing security positions and staffing them, analyzing the current state of security management, determining security management strategies and formulating security management systems. The security management strategies and systems cover personnel security management, incident handling, emergency response, daily equipment operation and maintenance, media management and security monitoring.
Technical rectification mainly refers to purchasing and deploying products that satisfy the MLPS security requirements, such as web page anti-tampering, traffic monitoring and network intrusion detection products.
4. Grade evaluation
Grade evaluation refers to the activity in which an evaluation institution qualified and certified by the Ministry of Public Security, entrusted by the relevant unit, tests and evaluates the status of an information system's security classified protection in accordance with the national information security classified protection standards and the relevant management norms and technical standards.
According to the regulations, testing of information system security classified protection covers two aspects. The first is security control evaluation, which mainly assesses the implementation and configuration in the information system of the basic security controls required by classified protection. The second is overall system evaluation, which evaluates and analyzes the overall security of the information system. Security control evaluation is the basis of the overall security evaluation of the information system.
Information systems at Level 2 and above must be evaluated; an evaluation score of 70 or above with no high-risk findings is deemed a pass. After the evaluation, the evaluation agency issues an evaluation report. The enterprise must submit the evaluation report to the public security organ to truly complete the MLPS work.
5. Supervision and inspection
Enterprises shall accept unscheduled supervision and inspection by public security organs and remediate the problems the public security organs raise.