Classified protection 2.0 grading guide: what you need to understand!

The official implementation of the national standard for network security classified protection 2.0 on December 1, 2019 marked a brand new era for China's network security classified protection system. As one of the core standards of the national classified protection standard system, GB/T 22240-2020 "Information Security Technology - Classification Guide for Classified Protection of Cybersecurity" (hereinafter referred to as the "grading guide") was released on April 28, 2020 and officially implemented on November 1, 2020.

The grading guide stipulates the grading method and process for classified protection objects that do not involve state secrets, and guides network operators in reasonably dividing graded objects and accurately determining their security protection level, laying a sound foundation for the subsequent security construction, rectification and level assessment work.

The new version of the grading guide builds on the classified protection 1.0 grading guide: it redefines the classified protection objects, adds descriptions of scenarios such as cloud computing, big data, the Internet of Things, mobile internet and industrial control, and revises the grading process to meet the needs of classified protection work under the new situation, vigorously promoting the development of that work. So what points do we need to pay attention to now that the 2.0 grading guide is officially in force?

New definition of hierarchical protection objects

The classified protection objects mainly include information systems, communication network facilities and data resources.

Information systems are the classification objects we already had in the 1.0 era and refer to all kinds of information systems;

Communication network facilities refer to the network equipment and facilities that provide basic support for information flow and network operation, including telecommunication networks, broadcasting and television transmission networks, and the dedicated communication networks of an industry or unit. Note that a unit's own dedicated network must also be graded, in particular larger dedicated networks that carry important information systems;

Data resources refer to a collection of data that has, or is expected to have, value. Data resources are mainly large volumes of valuable data of various types; the units holding such data need to protect them, so the data resources naturally need to be graded. We can imagine that this kind of data includes social data, health insurance data, provident fund data, personal property data (banking, real estate, insurance, etc.) and other information.

New relationship between rating elements and security protection level

According to the definition of security protection level, grading should take into account "the importance of the classified protection object to national security, economic construction and social life, as well as, once it is damaged, loses functionality, or its data is tampered with, leaked, lost or destroyed, the degree of infringement on national security, social order, public interests and the legitimate rights and interests of citizens, legal persons and other organizations, and other factors". Therefore, this standard specifies two grading elements for classified protection objects: "the infringed object" and "the degree of infringement on the object".

The relationship between the grading elements and the level of security protection is as follows.

What are the manifestations of the infringed object

The objects infringed upon when the graded object is damaged include national security, social order, public interest, and the legitimate rights and interests of citizens, legal persons and other organizations.

Matters that infringe on national security include the following:

1. affect the stability of state power and the integrity of territorial sovereignty and maritime rights and interests;

2. affect national unity, ethnic unity and social stability;

3. affect the order of the state's socialist market economy and its cultural strength;

4. other matters affecting national security.

Matters affecting social order include the following:

1. Affecting the order of production, operation, teaching and research, and medical and health care of state organs, enterprises, institutions and social organizations; affecting the order of activities in public places and public traffic order;

2. Affect the people's living order;

3. Other matters affecting social order.

Matters that infringe on public interests include the following:

1. affecting the use of public facilities by members of the community;

2. affecting members of the community's access to open data resources;

3. affecting members of the community's receipt of public services, and other aspects;

4. other matters affecting public interests.

When business information security and system service security are damaged, the following consequences of infringement may arise:

1. affect the exercise of work functions;

2. lead to a decline in business capability;

3. cause legal disputes;

4. lead to property damage;

5. result in adverse social impact;

6. Damage to other organizations and individuals;

7. Other effects.

Infringement of the legitimate rights and interests of citizens, legal persons and other organizations refers to damage to the social rights and interests that citizens, legal persons and other organizations enjoy under the protection of the law.

When determining the infringed object, first determine whether national security is infringed, then determine whether social order or public interest is infringed, and finally determine whether the legitimate rights and interests of citizens, legal persons and other organizations are infringed.

New characteristics of classified protection objects

Networks that are classified protection objects should have the following basic characteristics:

Have a defined entity that bears primary security responsibility;

Carry relatively independent business applications;

Contain multiple interrelated resources.

When determining the graded object, cloud computing platforms/systems, Internet of Things, industrial control systems, and systems using mobile internet technology need to meet the following requirements in addition to the basic characteristics above.

New process of grading

For a new network, the operator should determine its security protection level at the planning and design stage, in accordance with the relevant laws and regulations on classified protection and this standard; for networks operated in a unified manner across provinces or nationwide, the grading work may be organized uniformly by the industry competent (regulatory) department. For protection objects whose security protection level is initially determined as level two or above, the operator should, in accordance with the standard's requirements, carry out expert review, obtain approval from the competent authority and undergo filing review by the public security organ before the security protection level is finally determined.

Expert review: the operating or using unit of the graded object should organize information security experts and business experts to review the reasonableness of the preliminary grading result and issue expert review opinions.

Approval by the competent authority: the operating or using unit of the graded object should report the grading result to the industry competent (regulatory) department for approval, which issues an approval opinion.

Review by the public security organ: the operating or using unit of the graded object should submit the preliminary grading result to the public security organ for filing review in accordance with the relevant management provisions. If the review is not passed, the operating or using unit should organize re-grading; if the review is passed, the security protection level of the graded object is finally determined.