What is the full name of level protection?

The full name of level protection is information security level protection. It is important work that must be carried out under the cyber security law to protect the interests of citizens, society and the state.

Official definition: Grade protection is the work of protecting information and information carriers according to their importance. It refers to graded security protection for important national information, for proprietary information and public information of legal persons, other organizations and citizens, and for the information systems that store, transmit and process this information; graded management of the information security products used in information systems; and graded response to and disposal of information security incidents in information systems.

To put it simply, it means classifying Internet-related systems according to certain technical standards, and comprehensively inspecting and rectifying them according to the requirements of the corresponding grade, so as to reduce system risk as much as possible, strengthen protection and self-rescue capabilities against overseas network viruses, hacker organizations and hostile countries, and keep Internet systems secure and stable.

Generally speaking, companies or units need to use the Internet, but there are many bad people on the Internet. To avoid being cheated, poisoned, stolen from, robbed and attacked, we need to check the courtyard wall of our home (equipment and hardware) for gaps, and we need to check and evaluate our bodyguards (system software) to see whether they can fight and whether there are spies or traitors among them.

Why do you want to do level protection?

1. From a legal standpoint, network security level protection is the basic system, strategy and method of national information security. The Network Security Law of the People's Republic of China clearly stipulates that information system operators and users should fulfill their security protection obligations in accordance with the requirements of the network security level protection system, and those who refuse to do so will be punished accordingly.

In other words, if you don't carry out level protection work, it's illegal.

2. In terms of industry requirements, level protection has become a necessity in many industries. Many industry authorities, in finance, electric power, radio and television, medical care, education and other industries, explicitly require the information systems of their institutions to carry out this work.

3. From the perspective of security requirements, information system operators and users can find hidden dangers and deficiencies in the system through maintenance work, and can improve the security protection ability of the system through security rectification and reduce the risk of being attacked.

Grade protection is divided into five steps.

Step 1: System classification. Investigate business, assets, security technology and security management, determine the grading system, prepare grading reports, provide grading assistance services, assist users in completing grading reports, and organize expert review.

Step 2: System archiving. Take the grading report and filing form to the local public security network supervisor for filing. Quanyun Online provides filing guidance services to help users prepare materials and complete filing.

Step 3: Construction and rectification. The information system is rectified and strengthened according to the classification requirements and standards. Quanyun Online can help users strengthen the security of the system, help users build a security management system, and provide security products that meet compliance requirements.

Step 4: Grade evaluation. The evaluation institution evaluates the information system level and forms an evaluation report. Quanyun Online provides a level protection evaluation service, provides the Alibaba Cloud platform compliance qualification certificate, and guides users through evaluation and rectification. After the rectification, the evaluation institution will evaluate compliance at the system level and issue an evaluation report.

Step 5: Compliance supervision and inspection. Submit the evaluation report to the local public security network supervisor, and the user will cooperate to complete the inspection. Quanyun Online will assist customers in inspection and rectification. Finally, the public security organs will supervise and inspect the level protection work.

Among them, "system classification" is divided into five levels, namely: autonomous protection (level 1), guiding protection (level 2), supervision protection (level 3), compulsory protection (level 4) and special control protection (level 5).

Grading factor: the degree of infringement on the infringed object.

The objects of infringement are divided into three categories: citizens, legal persons and other organizations; Public order and public interest; National security.

The degree of infringement on the infringed object:

At the first level (autonomous protection level), damage to the information system will harm the legitimate rights and interests of citizens, legal persons and other organizations, but will not harm national security, social order and public interests.

At the second level (guiding protection level), it will cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or damage to social order and public interests, but will not endanger national security.

At the third level (supervision protection level), it will cause serious damage to social order and public interests, or damage to national security.

At the fourth level (compulsory protection level), it will cause particularly serious damage to social order and public interests, or serious damage to national security.

At the fifth level (special control protection level), it will cause particularly serious damage to national security.

Classification of infringement degree:

General damage: part of the work function is affected, and the business ability is reduced, but the implementation of the main functions is not affected, and minor legal problems occur, with low property losses and limited social adverse effects, and the damage caused to other organizations and individuals is low.

Serious damage: the work function is seriously affected, the business ability is obviously reduced, and the implementation of main functions is seriously affected, resulting in serious legal problems, high property losses, wide social adverse effects, and serious damage to other organizations and individuals.

Particularly serious damage: the work function is seriously affected or the exercise ability is lost, the business ability is seriously reduced or the function cannot be performed, extremely serious legal problems appear, the property loss is extremely high, and the social adverse effects are widespread, causing very serious damage to other organizations and individuals.

The process of grading:

1. Determine grading objects

2. Preliminary determination of grading objects

3. Expert review

4. Approval by the competent department

5. Filing audit

As a grading object, the information system should have the following basic characteristics:

It has a clear subject of security responsibility; it carries relatively independent business applications; it contains multiple interrelated resources.

An industrial control system mainly includes characteristic elements such as field acquisition/execution, field control, process control and production management.

Among them, field acquisition/execution, field control, process control and other elements should be graded as a whole, and each element should not be graded separately; the production management element can be graded separately.

A large-scale industrial control system can be divided into several grading objects according to system function, responsible subject, control object and manufacturer.

Grade protection is like a physical examination.

Some people have a physical examination once in a while, others once a year, once every two years, once every three years or even once every five years. You can't say that the more frequently you do it, the more likely it is to go wrong. It must be that the higher the frequency, the less likely it is to go wrong. This involves different people's requirements for good health.

Correspondingly, a level 3 business system is evaluated once a year, and a level 2 business system is evaluated once every two years.

This is the same as network security requirements, which may be extremely high, high, average or poor. With frequent physical examinations, problems are found in time and solved as soon as possible.

The physical examination will of course check the items that correspond, in level protection, to the physical, application, data, host and network aspects. You can't say that these are not important, so the importance can be imagined.

Why do level protection? For the same reason you want a physical examination.

You are worried about your health, so you spend money and take the initiative to have a physical examination. What about level protection? Level protection means that the state expressly stipulates that you should have a physical examination. It's illegal not to have the examination. If you break the law, you will be punished. After the punishment, you still need the examination.

Workflow:

Make an appointment for registration (pre-evaluation) - See a doctor and describe the symptoms clearly (arranged by information system) - The doctor judges the symptoms from the description (expert evaluation link) - Check where there is a problem (the evaluation agency can see where the problem is) - Establish a medical record (issue the evaluation report) - Decide whether to be hospitalized for observation (gap rectification stage).

After passing level protection, there will be an annual review record to prove it.

From a certain day of a certain month to a certain day of a certain month, an annual grade evaluation is made of the level 2 or level 3 information system of a certain unit.

The filing certificate and the annual filing certificate are sealed by the Ministry of Public Security, and individuals cannot check their filing and evaluation online. Only the appraisal company can be entrusted for inquiry.

If you need a level protection assessment service, you can send us a private message. Lulu Technology integrates the technical advantages of cloud security products and combines them with high-quality level protection consulting and level protection evaluation partner resources to provide a one-stop service for level protection projects, covering the grading, filing, construction and rectification, and evaluation stages in an all-round way, so that customers effectively pass the level protection evaluation and implement network security level protection work.