Security operation and maintenance management for classified protection evaluation

Security operation and maintenance management

Environmental management

a) A dedicated department or person should be designated to be responsible for the security of the computer room, to manage access to the computer room, and to regularly maintain and manage its power supply and distribution, air conditioning, temperature and humidity control, and fire protection facilities;

b) A computer room security management system should be established, with regulations covering physical access, the entry and exit of items, and environmental safety;

c) Visitors should not be received in important areas, and paper files and removable media containing sensitive information should not be left lying around.

Asset management

a) A list of assets related to the protected objects should be compiled and kept, including the department responsible for each asset, its importance, its location, etc.;

b) Assets should be identified and managed according to the importance of the assets, and corresponding management measures should be selected according to the value of the assets;

c) Provisions should be made for information classification and identification methods, and standardized management of the use, transmission and storage of information should be carried out.

Media management

a) Media should be stored in a safe environment, all types of media should be controlled and protected, storage media should be managed by a dedicated person, and regular inventory checks should be carried out against the catalogue of archived media;

b) The selection of personnel, packaging, and delivery of media during physical transport should be controlled, and the archiving and retrieval of media should be registered and recorded.

Equipment maintenance and management

a) A dedicated department or person should be designated to regularly maintain and manage all kinds of equipment (including backup and redundant equipment), lines, etc.;

b) A management system for supporting facilities, hardware and software maintenance should be established to effectively manage their maintenance, including clarifying the responsibilities of maintenance personnel, the approval of maintenance and services, and the supervision and control of the maintenance process;

c) Information processing equipment must be approved before it can be taken out of the computer room or office. When equipment containing storage media is taken out of the work environment, important data must be encrypted;

d) Before equipment containing storage media is scrapped or reused, its contents should be completely erased or securely overwritten to ensure that the sensitive data and authorized software on the equipment cannot be recovered or reused.

Vulnerability and risk management

a) Necessary measures shall be taken to identify security vulnerabilities and hidden dangers, and those discovered shall be remediated promptly, or remediated after their possible impact has been evaluated;

b) Security assessments should be carried out regularly, a security assessment report should be produced, and measures should be taken to deal with the security problems found.

Network and system security management

a) Separate administrator roles should be defined for network and system operation and maintenance management, and the responsibilities and permissions of each role should be clarified;

b) A dedicated department or person should be designated for account management, to control account application, account creation, account deletion, etc.;

c) A network and system security management system should be established, and regulations should be made on security strategies, account management, configuration management, log management, daily operations, upgrades and patches, password update cycles, etc.;

d) The configuration and operation manuals of important equipment should be formulated, and the equipment should be safely configured and optimized according to the manuals;

e) Operation and maintenance operation logs shall be recorded in detail, including daily inspection work, operation and maintenance records, parameter setting and modification, etc.;

f) A dedicated department or person should be designated to analyze and compile statistics on log, monitoring and alarm data, etc., and to detect suspicious behavior in time;

g) Changes made during operation and maintenance should be strictly controlled. Connections may be changed, system components installed, or configuration parameters adjusted only after approval; tamper-proof audit logs should be kept during the operation, and the configuration information database should be updated synchronously after the operation is completed;

h) The use of operation and maintenance tools should be strictly controlled, and the tools may be connected for operation only after approval. Tamper-proof audit logs should be kept during the operation, and sensitive data in the tools should be deleted after the operation is completed;

i) The opening of remote operation and maintenance should be strictly controlled. A remote operation and maintenance interface or channel may be opened only after approval, tamper-proof audit logs should be kept during the operation, and the interface or channel should be closed immediately after the operation is completed;

j) It should be ensured that all external connections are authorized and approved, and regular checks should be carried out for unauthorized wireless Internet access and other violations of network security policies.

Malicious code prevention and management

a) All users' awareness of malicious code prevention should be improved, and malicious code checks should be carried out before external computers or storage devices are connected to the system;

b) The effectiveness of technical measures to prevent malicious code attacks should be verified regularly.

Configuration management

a) Basic configuration information should be recorded and saved, including network topology, software components installed in each device, software component version and patch information, configuration parameters of each device or software component, etc.;

b) Changes to basic configuration information should be included in the scope of change management, changes to configuration information should be controlled, and the basic configuration information database should be updated in time.

Cryptography management

a) National standards and industry standards related to cryptography shall be followed;

b) The cryptographic technology and products certified and approved by the national cryptographic management authority shall be used.

Change management

a) The change requirements should be clarified, a change plan should be formulated according to those requirements before the change, and the plan may be implemented only after review and approval;

b) Change reporting and approval control procedures should be established, all changes should be controlled according to the procedures, and the implementation process of changes should be recorded;

c) Procedures for suspending changes and recovering from failed changes should be established, process control methods and personnel responsibilities should be clarified, and the recovery process should be drilled if necessary.

Backup and recovery management

a) Important business information, system data and software systems that need to be backed up regularly should be identified;

b) The backup method, frequency, storage medium, storage period, etc. of the backup information shall be specified;

c) According to the importance of the data and the impact of the data on the operation of the system, the data backup strategy and recovery strategy, backup procedures and recovery procedures should be formulated.

Security incident handling

a) The discovered security weaknesses and suspicious incidents should be reported to the security management department in a timely manner;

b) A security incident reporting and handling management system shall be formulated, clarifying the reporting, handling and response processes of different security incidents, and stipulating the management responsibilities of on-site handling of security incidents, incident reports and subsequent recovery, etc.;

c) During security incident reporting and response, the cause of the incident should be analyzed and identified, evidence should be collected, the handling process should be recorded, and the experience and lessons learned should be summarized;

d) Different handling procedures and reporting procedures should be adopted for major security incidents that cause system interruption and information leakage.

Emergency plan management

a) A unified emergency plan framework should be specified, including the conditions for starting the plan, emergency organization composition, emergency resource guarantee, post-event education and training, etc.;

b) Emergency plans for important events should be formulated, including emergency handling procedures, system recovery procedures, etc.;

c) The personnel involved in the system shall be trained on emergency plans on a regular basis, and emergency plan drills shall be carried out;

d) The original emergency plan should be re-evaluated and revised regularly.

Outsourcing operation and maintenance management

a) It should be ensured that the selection of outsourcing operation and maintenance service providers conforms to relevant national regulations;

b) Relevant agreements should be signed with selected outsourcing operation and maintenance service providers to clearly stipulate the scope and work content of outsourcing operation and maintenance;

c) It shall be ensured that the selected outsourcing operation and maintenance service provider has the technical and management capability to carry out secure operation and maintenance work in accordance with the requirements of level protection, and the capability requirements shall be specified in the signed agreement;

d) All relevant security requirements should be specified in the agreement signed with the outsourcing operation and maintenance service provider, such as the requirements for access to, processing of, and storage of sensitive information, and emergency support requirements for interruption of IT infrastructure services.

Origin blog.csdn.net/weixin_45380284/article/details/113918410