02. Grading and filing


This time we will go through the main steps of MLPS 2.0 (等保 2.0, Classified Protection of Cybersecurity):
overview, grading and filing, gap assessment, planning and design, security rectification, and testing and acceptance.
This section covers grading and filing: the process, and how to fill in the specific grading and filing forms.

Levels

Before grading a protected object, you first need to know how many levels there are. MLPS 2.0 keeps the same five levels as 1.0. In practice, Level 2 and Level 3 systems make up the bulk of the work; Level 4 and Level 5 are rarely encountered, and Level 1 objects are managed by the operator itself without filing, so doing MLPS work mostly means Level 2 and Level 3. The description of each level, based on GB 17859-1999, is summarised in the following table:

| MLPS level | Supervision intensity | Typical protected objects |
| --- | --- | --- |
| Level 1: user discretionary protection | Self-protection | SME non-business systems, e.g. a website |
| Level 2: system audit protection | Guided protection | Municipal non-core systems |
| Level 3: security-label protection | Supervised protection (in practice, spot checks) | Provincial systems, municipal core business systems, and industry-regulated systems such as securities and banking |
| Level 4: structured protection | Mandatory protection | National core systems: power grid, telecommunications, etc. |
| Level 5: access verification protection | Exclusive control protection | National defence and military systems |

For the specific grading, refer to the relevant regulations or standards of the industry or the higher-level department. For example, I once handled a photovoltaic power plant. Looking at the topology, it was all very complicated and I took it for a Level 3 system, but the industry regulates plants below a certain number of kW as Level 2, so Level 2 it was. In addition, if the responsible entity disagrees with the level given by the experts, the level can be re-determined. This is relatively rare, but it does happen.
The grading must assign the correct level according to the grading matrix. Many grading reports state Level 2 on the cover while the matrix inside corresponds to Level 3; that inconsistency means rework.
The grading matrix is easy to remember: it combines three infringed objects with three degrees of infringement into a 3×3 matrix.

Degree of infringement on the object:

| Infringed object | General damage | Serious damage | Particularly serious damage |
| --- | --- | --- | --- |
| Lawful rights and interests of citizens, legal persons and other organisations | 1 | 2 | 2 |
| Social order, public interest | 2 | 3 | 4 |
| National security | 3 | 4 | 5 |
The top-right cell of the matrix is Level 2. There were earlier reports circulating online that it would be changed to Level 3, but in the end it was not changed and is still Level 2 (the same as in 1.0). Memorise the row and column headings first, then fill in the cells row by row as 122, 234, 345. Read column by column, the same mnemonic becomes 123, 234, 245.

The following content comes from the intermediate assessor training course and concerns the infringed object and the degree of infringement. It is fairly subjective and not quantified; just understand it.
Infringed objects
According to the National Security Law of the People's Republic of China, matters that endanger national security mainly include the following:
affecting the stability of state power and territorial sovereignty, and the integrity of maritime rights and interests;
affecting national unity, ethnic unity and social stability; affecting the socialist market economic order and the cultural strength of the state;
other matters affecting national security.
According to the Public Security Administration Punishment Law of the People's Republic of China, matters that disrupt social order mainly include the following:
affecting the production, business, teaching and research, and medical and health order of state organs, enterprises, institutions and social organisations;
affecting the order of activities in public places and of public transport;
affecting the order of people's daily lives;
other matters affecting social order.
Public interest usually refers to long-term interests enjoyed by unspecified members of society and protected by laws and regulations. Matters that infringe on the public interest mainly include the following:
affecting members of society in their use of public facilities;
affecting members of society in their access to public information resources;
affecting members of society in receiving public services, etc.;
other matters affecting the public interest.
The lawful rights and interests of citizens, legal persons and other organisations refer to the social rights and benefits enjoyed by citizens, legal persons and other organisations and protected by law, such as property, corporate reputation and personal reputation.
Degree of infringement
The three degrees of infringement are described qualitatively as follows. Industry and local standards may refine and quantify them further according to their actual situation:
General damage: work functions are partially affected and business capability is reduced, but the performance of the main functions is not affected; minor legal issues; low property losses; limited adverse social impact; minor damage to other organisations and individuals.
Serious damage: work functions are severely affected, business capability is significantly reduced and the performance of the main functions is severely affected; serious legal problems; high property losses; wide adverse social impact; serious damage to other organisations and individuals.
Particularly serious damage: work functions are particularly severely affected or lost altogether, business capability is severely reduced or functions cannot be performed at all; extremely serious legal problems; extremely high property losses; very wide adverse social impact; very serious damage to other organisations and individuals.


Process

I drew the process earlier, so here it is directly:
[Figure: grading and filing process flowchart]
Two notes:
1. In the process above, if the expert review, the approval of the competent department or the filing review fails, the operator of the protected object should restart the grading work (shown by the dotted arrows in the figure).
2. For objects whose security protection level is preliminarily determined as Level 1, the operator determines the level by itself according to the standard. For every level other than Level 1, the full process in the figure applies.

Determine the rating object

I have written about this before, so I will not repeat it; ordinary grading objects are covered in that earlier post. Special systems such as industrial control systems, cloud platforms, the Internet of Things, systems using mobile internet technology, communication network facilities and big data have their own division principles, briefly summarised here:

| Object type | Grading principle | Exception |
| --- | --- | --- |
| Industrial control system | An industrial control system mainly comprises characteristic elements such as field acquisition/execution, field control, process control and production management. These elements are graded together as one object and not separately; production management elements may, however, be graded on their own. | A large industrial control system may be divided into several grading objects by factors such as system function, responsible entity, controlled object and manufacturer. |
| Cloud computing platform | In a cloud environment, the cloud service customer's protected objects and the cloud service provider's cloud platform/system are graded as separate objects, and the cloud platform/system is further divided into different grading objects by service model (SaaS, PaaS, IaaS). (Note: this is a frequent exam point in the intermediate assessor essay questions.) | For a large cloud platform, the cloud computing infrastructure and the related auxiliary service systems should be divided into different grading objects. |
| Internet of Things | An IoT system mainly comprises characteristic elements such as perception, network transmission and processing/application. These elements are graded together as one object and not separately. | - |
| System using mobile internet technology | Such a system mainly comprises characteristic elements such as mobile terminals, mobile applications and wireless networks. It may be graded on its own as a whole or together with the related business system; the elements are not graded separately. | - |
| Communication network facilities | Communication network facilities such as telecommunications networks and radio and television transmission networks are divided into different grading objects by factors such as security responsibility entity, service type and service region. | A dedicated communication network of a cross-provincial industry or unit may be graded as one object or divided into several grading objects by region. |
| Data resources | When the security responsibility entity is the same, the big data and the big data platform/system are graded as one object; when the entities differ, the big data is graded independently. | For big data and big data platforms, the security protection level is in principle not lower than Level 3. |

Preliminary level determination

Generally you can estimate the level of your own system from similar systems, but it must be reflected correctly in the grading report. Specifically, the level must map exactly onto the matrix above; in the grading report, however, the security of the protected object is split into business information security and system service security, so the matrix is decomposed into two:

Object infringed when business information security is breached, by degree of infringement:

| Infringed object | General damage | Serious damage | Particularly serious damage |
| --- | --- | --- | --- |
| Lawful rights and interests of citizens, legal persons and other organisations | 1 | 2 | 2 |
| Social order, public interest | 2 | 3 | 4 |
| National security | 3 | 4 | 5 |

Object infringed when system service security is breached, by degree of infringement:

| Infringed object | General damage | Serious damage | Particularly serious damage |
| --- | --- | --- | --- |
| Lawful rights and interests of citizens, legal persons and other organisations | 1 | 2 | 2 |
| Social order, public interest | 2 | 3 | 4 |
| National security | 3 | 4 | 5 |

Note that the two matrices may give different results; the final level of the object is the higher of the two. When mapping to the baseline requirements, however, the security requirements are applied according to the two sub-levels separately. I will leave that as a placeholder here and go into it when covering GB/T 22239 in detail.
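As an added worked example (my own code, not from the original post or from any standard), the following Python applies the two decomposed matrices, takes the higher of the two sub-levels as the object level, and checks a grading report cover against the matrix so that the "cover says Level 2, matrix says Level 3" rework case from above is caught before filing. The S/A letters are the GB/T 22239 shorthand for the business information security and system service security sub-levels (not introduced on this page); the report dictionary fields, the Level 3 floor for big data platforms, and the sample reports are constructed for the example.

```python
"""
Added example (not the post's own code): MLPS 2.0 grading from the two
decomposed matrices, plus a consistency check of a grading report cover.
S = business information security sub-level, A = system service security
sub-level (GB/T 22239 shorthand); the report dict layout is an assumption.
"""
from __future__ import annotations

OBJECTS = ("citizen_rights", "social_order", "national_security")
DEGREES = ("general", "serious", "particularly_serious")

# Grading matrix from the post: rows = infringed object, columns = degree.
# Row mnemonic 122 / 234 / 345; read column-wise it becomes 123 / 234 / 245.
MATRIX = {
    "citizen_rights":    (1, 2, 2),
    "social_order":      (2, 3, 4),
    "national_security": (3, 4, 5),
}

# Object types the post says carry a floor on the level
# (big data platforms: "in principle not lower than Level 3").
LEVEL_FLOOR = {"big_data_platform": 3}


def cell_level(obj: str, degree: str) -> int:
    """Look up one matrix cell, rejecting unknown row or column names."""
    if obj not in MATRIX:
        raise ValueError(f"unknown infringed object: {obj!r}")
    if degree not in DEGREES:
        raise ValueError(f"unknown degree of infringement: {degree!r}")
    return MATRIX[obj][DEGREES.index(degree)]


def grade(business: tuple[str, str], service: tuple[str, str],
          object_type: str | None = None) -> dict:
    """Apply both matrices; the object level is the higher sub-level,
    raised to the floor for special object types. S and A are kept
    separately because the baseline requirements are mapped per sub-level."""
    s = cell_level(*business)
    a = cell_level(*service)
    floor = LEVEL_FLOOR.get(object_type, 1)
    return {"S": s, "A": a, "level": max(s, a, floor)}


def check_report(report: dict) -> list[str]:
    """Findings an assessor would raise before filing; empty means consistent."""
    computed = grade(report["business"], report["service"],
                     report.get("object_type"))
    findings = []
    if report["cover_level"] != computed["level"]:
        findings.append(
            f"cover states Level {report['cover_level']} but the matrix gives "
            f"Level {computed['level']} (S{computed['S']}A{computed['A']}); "
            "rework required")
    if computed["level"] > max(computed["S"], computed["A"]):
        findings.append(
            f"level raised to {computed['level']} by the floor for "
            f"{report['object_type']}")
    return findings


def filing_requirement(level: int) -> str:
    """What the process in the post requires once the level is known."""
    if level == 1:
        return "operator determines the level itself; no filing"
    return ("organise expert review; report to the industry supervisory "
            "department for approval if there is one; file with public security")


def row_mnemonic() -> str:
    return " ".join("".join(str(v) for v in MATRIX[o]) for o in OBJECTS)


def column_mnemonic() -> str:
    return " ".join("".join(str(MATRIX[o][i]) for o in OBJECTS)
                    for i in range(len(DEGREES)))


if __name__ == "__main__":
    # Constructed sample: the inconsistent-cover case described in the post.
    sample = {
        "cover_level": 2,
        "business": ("social_order", "serious"),      # S3
        "service": ("citizen_rights", "general"),     # A1
    }
    for finding in check_report(sample):
        print("finding:", finding)
    print("next:", filing_requirement(grade(sample["business"],
                                            sample["service"])["level"]))
    print("row mnemonic:", row_mnemonic(), "| column mnemonic:", column_mnemonic())
```

The two mnemonic helpers only reproduce the memory aid from above (122 234 345 row-wise, 123 234 245 column-wise) so you can confirm you have the table entered the right way round before relying on the checker.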

Once the level is set, you can fill in two forms: the grading report and the filing form. The Level 2 and Level 3 versions differ (Level 3 has more content), and they can be downloaded from the website of the local public security bureau. In practice this is usually also handled by the assessment agency rather than by the operator itself.
The operator mainly needs to prepare the company profile, the business description of the system, the network topology diagram and the list of security equipment.

Expert review and rating approval

In this step, the expert review is a new requirement introduced by MLPS 2.0. Of course, experts were sometimes brought in for review under 1.0 as well, but it was not a prescribed action. According to the standard, the operator of an object preliminarily determined as Level 2 or above should organise network security classified protection experts to review the reasonableness of the preliminary grading result; if there is an industry supervisory (regulatory) department, the preliminary grading result should also be reported to that department for approval (this step cannot be skipped).
In plain terms, hiring experts usually costs extra money, and companies generally prefer to save it, so the matter of hiring experts is handed over to the municipal competent department (the Economic and Information Commission), which arranges the expert review.
For the review, obtain a copy of the materials that will be submitted to the public security organ and add an expert review opinion form. The form roughly contains:
date of filling in; name of the information system operating/using unit; address of the operating/using unit; project lead, contact phone number and e-mail address; name of the grading object (there may be more than one); preliminary security level (there may be more than one); level suggested by the expert review (there may be more than one); opinions and signatures of the expert review panel.

Record review

Finally, the operator of the protected object submits the preliminary grading result to the public security organ for filing and review in accordance with the relevant management regulations, and once it passes, the security protection level is finally determined. At this point you receive a filing certificate, which varies from place to place (there are paper and electronic versions). The most important thing on it is the filing number: the assessment report number is generated from this number.
Systems at Level 3 or above do not need to be filed again when they are re-assessed.

Origin blog.csdn.net/oldmao_2001/article/details/108936636