With the release and implementation of Level Protection 2.0 and the continued publicity around it, China's network security level protection system has entered a new era, and "passing level protection" has become a keyword in users' network security compliance work.
Network security level protection 2.0
I. What is level protection?
Level protection is short for network security level protection, and the level protection system is the basic system of network security in China. Level protection means classifying, by level, the security protection given to important national information, the proprietary information of legal persons, other organizations and citizens, and public information, together with the information systems that store, transmit and process that information; managing the information security products used in those systems by level; and responding to and handling the security incidents that occur in those systems by level.
II. Why do level protection?
1. National legal requirements: national laws, regulations and industry regulatory policies require level protection work. For example, the Network Security Law and the Information Security Level Protection Management Measures clearly stipulate that the operators and users of information systems must fulfil their security protection obligations in accordance with the requirements of the network security level protection system, and that those who refuse will be penalised accordingly.
2. Industry and customer service requirements: when providing business services to external customers, information system operators can demonstrate their commitment to information system security to customers and stakeholders through the level protection assessment, and strengthen the confidence of customers, partners and stakeholders.
3. The enterprise's own security requirements: through level protection work, the operators and users of information systems can find hidden security problems and deficiencies in their systems, and through security rectification improve the system's security protection capabilities and reduce the risk of attack.
III. Division of level protection levels
Network security level protection divides information systems into five security levels, from low to high, according to the importance of the information system to national security, economic construction and social life, and the degree of harm that damage to the information system would cause to national security, social order, public interests, and the legitimate rights and interests of citizens, legal persons and other organizations.
Reference for grading systems at each level:
The first level (autonomous protection level): general information systems of small private and individual enterprises, primary and secondary schools, and township and county-level units.
The second level (guided protection level): applies to important information systems of certain county-level units, and to general information systems within state organs, enterprises and institutions at or above the prefecture level, for example office systems and management systems that do not involve work secrets, commercial secrets or sensitive information.
The third level (supervisory protection level): generally applies to important information systems within state organs, enterprises and institutions at or above the prefecture and municipal level, such as office systems and management systems involving work secrets, commercial secrets and sensitive information; important information systems used for production, scheduling, management, command, operation and control that run on cross-provincial or national networks, together with the branch systems of such systems in provinces, prefectures and municipalities; the provincial and municipal branch systems of central ministries and commissions; portals and important websites of central ministries and commissions and of provinces (autonomous regions and municipalities); and network systems interconnected across provinces.
The fourth level (mandatory protection level): generally applies to core systems in important national fields and sectors that involve the national economy and people's livelihood, national interests and national security, and that affect social stability, for example electric power production control systems, banking core business systems, telecommunication core networks, railway passenger ticketing systems, and train command and dispatch systems.
The fifth level (special control protection level): generally applies to extremely important systems in important national fields and sectors.
IV. What is Level Protection 2.0?
"Level Protection 2.0", also called "Equal Protection 2.0", is a conventional term: a general name for the work carried out under the new level protection standards and specifications. It is usually considered to have been proposed after the promulgation and implementation of the Cybersecurity Law of the People's Republic of China, with the formal implementation of GB/T 22239-2019 "Information Security Technology: Basic Requirements for Network Security Level Protection" on December 1, 2019 as its symbolic starting point.
Compared with the standards of the 1.0 era, the Level Protection 2.0 standards place more emphasis on active defence, moving from passive defence to whole-process security and trustworthiness before, during and after an event, with dynamic awareness and comprehensive auditing. They cover not only level protection of traditional information systems and basic information networks, but also extend level protection to cloud computing, big data, Internet of Things, mobile Internet and industrial control information systems, achieving full coverage of protection objects.
V. Industries involved in Level Protection 2.0:
1. Finance, especially Internet finance (operation is not permitted without level protection; the most stringent regulation)
2. Healthcare (major hospitals must complete level protection; Internet healthcare must complete level protection in order to go online and obtain online diagnosis and treatment qualifications)
3. Education (211 and 985 universities must complete level protection; in Internet + education, important systems such as student management systems and school websites must complete level protection)
4. Energy (required by the higher authorities)
5. Communications (required by the higher authorities)
6. Transportation (required by the higher authorities)
7. Government agencies, enterprises, institutions and central enterprises (level protection is linked to the performance evaluation of the person in charge)
8. Credit industry (the industry requires level protection)
9. Software development (the industry or the client requires level protection)
10. Internet of Things (the industry or the client requires level protection)
11. Industrial data security (the industry or the client requires level protection)
12. Big data (the industry or the client requires level protection)
13. Cloud computing (Alibaba Cloud, Huawei Cloud, cloud phones, cloud video, cloud services, etc.)
14. Courier industry (a licence cannot be applied for without level protection)
15. Hotel industry (industry requirements)
VI. Level Protection 2.0 grading
Level Protection 2.0 keeps the traditional "five levels" of level protection. In terms of coverage, Level Protection 2.0 extends from information systems to network infrastructure, cloud computing platforms, big data platforms and the Internet of Things (IoT). In terms of the grading process, independent self-grading is a thing of the past: 2.0 requires that a system's grading be reviewed by experts and audited by the competent authorities before it can be filed with the public security authorities, making grading as a whole more stringent.
For the evaluation cycle, Level Protection 2.0 requires that systems at the third level and above be evaluated once a year, modifying the original requirement that systems at the fourth level and above be evaluated once every six months.
An assessment result of 75 points or more is required to be considered basically compliant.
Equal Protection 2.0 evaluation criteria
VII. What are the steps in the level protection process?
According to the standards related to information system level protection, level protection work is divided into five stages in total: system grading, system filing, security construction and rectification, level assessment, and regular supervision and inspection by the competent or supervisory unit.
If you need level protection assessment services, you can contact us by private message. Lulu Information Technology integrates the technical advantages of cloud security products with high-quality level protection consulting and assessment partner resources to provide one-stop services for level protection projects, covering grading, filing, construction and rectification, and the assessment stage, so that the level protection assessment is completed efficiently and network security level protection work is implemented.