What is the MLPS Level 3 (等保三级) protection system?

MLPS Level 3 (Multi-Level Protection Scheme, 等保三级) is the level of security protection required under the Cybersecurity Law for information systems that relate to national security, social order and the public interest. Its requirements fall into three main areas: first, strict control and management of the information system's operating environment to ensure the physical security of the system; second, security configuration and management of the system, including the security settings and updates of operating systems, databases and applications, to prevent potential vulnerabilities; and third, security monitoring and logging of the system so that security incidents can be detected and handled in a timely manner.

What is MLPS Level 3, and what does it cover?

This article introduces the concept, content and scope of MLPS Level 3, and how to achieve Level 3 certification.

Concept of MLPS Level 3

MLPS Level 3 is the third level of China's Cybersecurity Multi-Level Protection Scheme and the highest protection certification available to non-banking organizations. The scheme is the guiding framework for China's national information security protection and is used to standardize network security protection. Based on the importance of an information system and the harm its compromise would cause, China divides network security protection into five levels, Level 1 to Level 5; the higher the level, the stricter the requirements. Levels 1 and 2 are autonomous protection levels, Level 3 is the supervisory protection level, and Levels 4 and 5 are mandatory protection levels.

Information systems graded as MLPS Level 3 are those determined to be Level 3 after grading and filing. Damage to such a system can harm national security; typical examples are the important systems of municipal units and the portal sites of provincial ministries and commissions. Passing Level 3 certification indicates that an enterprise's information security management capability meets the highest domestic standard.

Content of MLPS Level 3

The content of MLPS Level 3 consists mainly of technical requirements and management requirements.

Technical requirements are the security standards and specifications that the information system must meet at five layers: physical, network, host, application and data. Specifically:

Physical security: the server room should be divided into at least two areas, a host room and a monitoring area; it should be equipped with an electronic access control system, an anti-theft alarm system and a video monitoring system; it should have no windows and should be equipped with a dedicated gas fire-suppression system and a standby generator;

Network security: an up-to-date topology diagram of the running network should be maintained; the configuration of switches, firewalls and other devices should meet the requirements, for example VLAN division with logical isolation between VLANs, a QoS traffic control policy, access control policies, and IP/MAC binding for important network devices and servers; network audit equipment and intrusion detection or intrusion prevention equipment should be deployed; the identity authentication mechanisms of switches and firewalls should meet MLPS requirements, such as a user name and password complexity policy, a login failure handling mechanism (lockout after repeated failed attempts), and user roles with privilege control; and redundancy should be designed in for network links, core network devices and security devices.

Host security: the servers' own configuration should meet the requirements, including an identity authentication mechanism, an access control mechanism, a security auditing mechanism and anti-virus protection; third-party host and database audit equipment may be purchased if necessary; application and database servers should be redundant, for example through dual-machine hot standby or clustered deployment; servers and important network devices need vulnerability scanning and assessment before going live, with no medium- or high-severity vulnerabilities remaining (such as Windows system vulnerabilities, middleware vulnerabilities in software such as Apache, database software vulnerabilities, and vulnerabilities in other system software and exposed ports); and a dedicated log server should be deployed to retain host and database audit logs.

Application security: the application's own functions should meet MLPS requirements, such as an identity authentication mechanism, audit logs, and encryption of communications and stored data; deployment of web page anti-tampering equipment should be considered; an application security assessment (including application security scanning, penetration testing and risk assessment) should be performed, and no medium- or high-risk vulnerabilities should remain (such as SQL injection, cross-site scripting, website trojans, web page tampering, leakage of sensitive information, weak passwords and password guessing, and management backend vulnerabilities); and the logs generated by the application system should be saved to the dedicated log server.

Data security: a local backup mechanism should be provided, with daily backups kept locally and stored off-site; if the system holds core critical data, an off-site data backup function should also be provided, transferring the data over the network to an off-site location for backup.
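The network, host and application requirements above all name the same identity authentication controls: a password complexity policy, a login failure handling mechanism, and audit records of each attempt. The following is an added illustration of what those three controls look like in code; it is not from the article or any MLPS standard, and the thresholds (12 characters, 3 character classes, lockout after 5 failures for 15 minutes) are assumptions, since the page gives no numeric values.

```python
import hmac
import hashlib
import os
import time

MIN_LEN, MIN_CLASSES, MAX_FAILURES, LOCK_SECONDS = 12, 3, 5, 900  # assumed thresholds; the page gives none

def password_complexity_issues(username, password):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    issues = []
    if len(password) < MIN_LEN:
        issues.append(f"shorter than {MIN_LEN} characters")
    classes = sum([any(c.islower() for c in password), any(c.isupper() for c in password),
                   any(c.isdigit() for c in password), any(not c.isalnum() for c in password)])
    if classes < MIN_CLASSES:
        issues.append(f"uses {classes} character classes, need {MIN_CLASSES}")
    if username.lower() in password.lower():
        issues.append("contains the user name")
    return issues

class LoginService:
    """Per-user failure counter with lockout, plus an audit record for every attempt."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}     # username -> (salt, pbkdf2 hash)
        self.failures = {}  # username -> (consecutive failures, locked-until timestamp)
        self.audit = []     # (time, user, source ip, outcome); would be shipped to the dedicated log server

    def register(self, username, password):
        if password_complexity_issues(username, password):
            raise ValueError("password rejected by complexity policy")
        salt = os.urandom(16)
        self.users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def login(self, username, password, src_ip):
        now = self.clock()
        count, lock_until = self.failures.get(username, (0, 0))
        if now < lock_until:                      # locked: refuse even a correct password
            self.audit.append((now, username, src_ip, "REJECTED_LOCKED"))
            return False
        salt, expected = self.users.get(username, (b"\0" * 16, None))  # dummy salt for unknown users
        given = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if expected is not None and hmac.compare_digest(expected, given):
            self.failures.pop(username, None)     # success resets the counter
            self.audit.append((now, username, src_ip, "SUCCESS"))
            return True
        lock_until = now + LOCK_SECONDS if count + 1 >= MAX_FAILURES else 0
        self.failures[username] = (count + 1, lock_until)
        self.audit.append((now, username, src_ip, "LOCKED" if lock_until else "FAILED"))
        return False
```

The audit list holds the record an assessor would expect to find on the dedicated log server: one entry per attempt, with source address and outcome, including attempts refused during lockout.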

Management requirements are the security management specifications and measures that the information system should satisfy in five areas: the security management system, the security management organization, personnel security management, system construction management, and system operation and maintenance management. Specifically:

Security management system: a security management system should be formulated and implemented in accordance with MLPS requirements, including but not limited to information system security management regulations, information system security responsibilities, security incident handling regulations, security audit regulations and security inspection regulations;

Security management organization: a security management organization should be established and improved in accordance with MLPS requirements, including but not limited to an information system security committee, an information system security office and information system security administrators;

Personnel security management: personnel involved in information system operation and maintenance should undergo background checks, training and assessment, and sign confidentiality agreements; hierarchical authorization and the principle of least privilege should be implemented; regular business and skills training should be provided; and a hand-over procedure for departing personnel should be established;

System construction management: requirements analysis, design and development, testing and acceptance, and go-live of the information system should be carried out in accordance with MLPS requirements, so that the system meets the corresponding technical standards and specifications at every stage;

System operation and maintenance management: the day-to-day operation and maintenance of the information system should be carried out in accordance with MLPS requirements, including but not limited to regular vulnerability scanning and remediation, malicious code protection and removal, data backup and recovery, log auditing and analysis, and the handling and reporting of security incidents.

Scope of MLPS Level 3

The scope of MLPS Level 3 covers a wide range of areas, including national critical information infrastructure and the financial, electric power, transportation and healthcare industries. The details are as follows:

National critical information infrastructure: network facilities and information systems that support national political, economic and social activities, and whose damage or loss of function would seriously endanger national security, people's livelihoods or the public interest. Examples are telecommunications network infrastructure, radio and television network infrastructure, and Internet infrastructure.

Financial industry: all types of financial institutions and related units engaged in the management of currency issuance and circulation, financial supervision and services, and financial market trading and settlement. Examples are banking financial institutions (including policy banks), securities and futures institutions (including securities companies, futures companies, stock exchanges and futures exchanges), insurance institutions (including insurance companies, insurance asset management companies and insurance intermediaries), non-bank payment institutions and Internet finance institutions.

Electric power industry: all types of electric power enterprises and related units engaged in power generation, transmission and distribution, power dispatch, and power market trading. Examples are power generation enterprises, transmission and distribution enterprises, dispatch control centers and market operation centers.

Transportation industry: all types of transport enterprises and related units providing road, rail, waterway, aviation and other transport services. Examples are road, rail, water and air transport enterprises, port management units and airport management units.

Medical and health industry: all types of medical and health institutions and related units engaged in medical services, public health services, medical supervision and similar activities. Examples are hospitals, health centers, centers for disease control and prevention, and pharmacovigilance agencies.

If you need MLPS assessment services, you can contact us by private message.

LuLu Information Technology combines the technical advantages of its cloud security products with high-quality MLPS consulting and MLPS assessment partner resources to provide one-stop services for MLPS projects, covering grading, filing, construction and rectification as well as the assessment stage, so that MLPS assessment and the implementation of the Multi-Level Protection Scheme can be completed efficiently.