What are information security classified protection, risk assessment and security assessment?

First, the concepts and background of classified protection, risk assessment and security assessment.

1. Classified protection

Classified protection of information security means applying security protection by level to state secret information, the proprietary information of legal persons, other organizations and citizens, public information, and the information systems that store, transmit and process that information; managing the security products used in information systems by level; and responding to and handling information security incidents in information systems by level.

Note: An information system here means a system or network consisting of computers and their related and supporting equipment and facilities that stores, transmits and processes information according to certain application objectives and rules. Information means the digital information stored, transmitted and processed in the information system.

Background:

The Regulations on Security Protection of Computer Information Systems of the People's Republic of China, promulgated in February 1994, stipulate that computer information systems shall be protected by security level, and that the standards for classifying security levels and the specific measures for security level protection shall be formulated by the Ministry of Public Security jointly with the relevant departments.

In 1999, the Ministry of Public Security organized the drafting of the Classification Criteria for Security Protection Levels of Computer Information Systems (GB 17859-1999), which defines five levels of security protection capability for computer information systems: Level 1, user self-protection level; Level 2, system audit protection level; Level 3, security label protection level; Level 4, structured protection level; Level 5, access verification protection level. The classification in GB 17859 is a technical classification, that is, a classification by the level of security protection technical capability that the system objectively possesses.

On July 8, 2002, the Ministry of Public Security issued and implemented five new GA standards based on GB 17859, among them: GA/T 387-2002 Computer Information System Security Level Protection Network Technical Requirements, GA 388-2002 Computer Information System Security Level Protection Operating System Technical Requirements, GA/T 389-2002 Computer Information System Security Level Protection Database Management System Technical Requirements, and GA/T 390-2002 Computer Information System Security Level Protection General Technical Requirements. These standards form part of China's series of standards on computer information system security protection levels.

In 2004, the Notice on the Implementation Opinions of Information Security Classified Protection (referred to as Document No. 66) divided the security protection levels of information and information systems into five levels: Level 1, self-protection level; Level 2, guided protection level; Level 3, supervised protection level; Level 4, mandatory protection level; Level 5, specially controlled protection level. It is particularly emphasized that the classification in Document No. 66 is based mainly on the business importance of the information and information systems and the harm caused if they are damaged; it is the security business level that the system must meet, derived from application requirements, rather than the security technology level the system possesses as defined in GB 17859.

2. Risk assessment

Information security risk assessment is the process of analyzing the asset value, potential threats, weaknesses and protective measures of an information system with reference to risk assessment standards and management norms, judging the probability of security incidents and the losses they may cause, and proposing risk management measures.

Background:

Risk assessment is not a new concept; risks, and the need to assess them, exist in many fields such as finance and e-commerce. Applying risk assessment to the IT field gives information security risk assessment. In recent years, research on information security risk assessment in China has progressed rapidly, and the specific assessment methods are continually improving. Risk assessment has gradually evolved from simple vulnerability scanning, manual auditing and penetration testing to widely used methods such as BS 7799, OCTAVE, NIST SP 800-26, NIST SP 800-30, AS/NZS 4360 and SSE-CMM, which fully embody the approach of taking assets as the starting point, threats as the trigger, and technology, management and operation as the means.

In 2004, the State Council Information Office organized the drafting of the draft standards Information Security Risk Assessment Guide and Information Security Risk Management Guide, which stipulate the workflow, assessment content, assessment methods and risk judgment criteria of information security risk assessment and provide useful guidance for standardizing the practice of information security risk assessment in China.

3. System security assessment

System security assessment means that an authoritative organization with testing technical capability and government authorization conducts scientific and impartial comprehensive testing and evaluation of an information system's security assurance capability according to national standards, industry standards, local standards or relevant technical specifications, in order to help the system operating unit analyze the current security status of the system, identify existing security problems, and put forward security improvement suggestions that minimize the system's security risks.

Note: Accreditation confirms whether assessment activities meet the requirements of standardization and quality management; certification is based on standards and assessment results.

Background:

Although system certification in China started relatively early, the number of certified systems is still very small for various reasons, such as the length of the certification cycle and differences in how systems are built. In China, the China Information Security Product Evaluation and Certification Center (CNITSEC) is an influential institution that carried out system security evaluation and certification early on.

The Notice on Establishing the National Information Security Product Certification and Accreditation System (Order No. 57 for short), jointly issued by CNCA and eight other ministries and commissions, clearly stipulates that information security products shall meet the "four unifications" certification requirements: unified standards, technical specifications and conformity assessment procedures; a unified certification catalogue; a unified certification mark; and unified fee standards. Until CNCA issues specific opinions on information system security certification, the results of system security assessment can in most cases be used directly as the basis on which the competent authorities determine system security.

Second, the relationship and differences among the three.

Classified protection is the basic management system guiding the construction of China's information security system, while risk assessment and system assessment are two specific, different but related research and analysis methods for evaluating the security of information and information systems under the classified protection system. In this sense, classified protection sits above risk assessment and system assessment.

By analogy, if classified protection is the constitution guiding information security construction, then risk assessment and security assessment are the specific laws for system security evaluation or qualification determination.