Industrial Internet Identifier Resolution Identification Service Organization Service Capability Maturity Level Evaluation Management Platform [requirements specification / user manual]

A record of the document I wrote; no one should read it.

Industrial Internet Identifier Resolution Identification Service Organization Service Capability Maturity Level Evaluation Management Platform (ISCA)


Table of contents

I. Overview
  1. Project background
  2. Project purpose
  3. Target users

II. Functional requirements of the front-end portal
  1. Registration and login
    1.1 Login
    1.2 Forgot password
    1.3 Registration
  2. Home page
    2.1 Online announcements
    2.2 Evaluation institution qualification query
    2.3 Identification service organization certificate query
    2.4 Friendly links
  3. Personal center
    3.1 Basic information
    3.2 Organization certification information
    3.3 Change password
  4. Evaluation report
    4.1 View the report list
    4.2 Evaluate now

III. Back-end administration system requirements
  1. Organization information review
  2. Evaluation report review
  3. Index item management
  4. Carousel management
  5. Announcement management
  6. Unified user management
    6.1 User management
    6.2 Role management
  7. Certificate management
    7.1 Identification service organization certificate management
    7.2 Evaluation institution certificate management

IV. Non-functional requirements
  1. User interface requirements
  2. Product quality requirements
  3. Security requirements
    3.1 Host security
    3.2 Application security and data security


I. Overview

1. Project background

To advance the construction of a verification index system and evaluation method for testing the service capability of Industrial Internet identifier resolution nodes, Beijing Software Center Co., Ltd. and related institutions carried out tests and trials on the national top-level nodes, second-level nodes and enterprise nodes of the Industrial Internet identifier resolution system, using index systems that cover service provision capability, business capability, operation capability, security capability and data application capability. The resulting test, verification and evaluation method for the service capability of identifier resolution nodes was released by the China Software Industry Association in May 2021 as six evaluation models and methods: "Industrial Internet Identifier Resolution Top-Level Node Service Capability Maturity Model", "Industrial Internet Identifier Resolution Top-Level Node Service Capability Maturity Evaluation Method", "Industrial Internet Identifier Resolution Second-Level Node Service Capability Maturity Model", "Industrial Internet Identifier Resolution Second-Level Node Service Capability Maturity Evaluation Method", "Industrial Internet Identifier Resolution Enterprise Node Service Capability Maturity Model" and "Industrial Internet Identifier Resolution Enterprise Node Service Capability Maturity Evaluation Method".

2. Project purpose

To implement the State Council's Regulations on the Security Protection of Critical Information Infrastructure, to ensure the secure and stable operation of national critical information infrastructure more effectively, to promote the healthy and orderly development of the Industrial Internet identifier resolution system, and to strengthen the security assurance and supervision of critical information infrastructure, the China Software Industry Association evaluates the service capability maturity of Industrial Internet identifier resolution nodes at every level against the corresponding node service capability maturity standards.

3. Target users

Users from organizations intending to apply for evaluation (applicant units), and system administrator users.

II. Functional requirements of the front-end portal

Front-end users are mainly registered enterprises. A user first lands on the home page. Without logging in, the user can view system announcements and query evaluation institutions and service organization certificates. A logged-in user can use the same functions and can also enter the personal center to modify basic information, submit organization information for certification, run evaluations and change the password.

1. Register and log in 

On entering the system, the login panel is shown in the upper right corner of the home page. It provides three functions: login, registration and forgot password.

1.1 Login

A front-end user logs in with the correct user name and password. After a successful login the page refreshes and opens the personal center. If the user name or password is wrong, a prompt is shown.

An administrator user logs in with the correct user name and password. After a successful login the page refreshes and opens the back-end administration pages. If the user name or password is wrong, a prompt is shown.

1.2 Forgot password

A user who has forgotten the password clicks the 'Forgot Password' button below the panel to open the 'Retrieve Password' page. The user enters the registered mobile phone number, requests and enters the SMS verification code, then enters the new password twice and submits the change. After returning to the home page, the user can log in with the new password. The verification code must be bound to the phone number it was sent to and must expire quickly; otherwise this flow becomes an account-takeover path.

1.3 Registration

A user without a system account clicks the 'Register' button, and the system opens the registration page. The registrant enters the following information: user name, gender, password, region, unit name, detailed unit address, unit unified social credit code, real name and mobile phone number.

The password must be 8-20 characters long and contain at least one digit, one lowercase letter and one uppercase letter. The unified social credit code must be 18 characters, each an Arabic digit or an uppercase letter, laid out as a 1-character registration management department code, a 1-character institution category code, a 6-character registration authority administrative division code, a 9-character entity identification code and a 1-character check code. The registrant only needs to enter the unit's own code.

After entering the mobile phone number, the user requests the SMS verification code, enters it, completes the registration and returns to the login panel.
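The registration rules above are easy to state and easy to get wrong server-side. The following is an added example, not part of the ISCA platform's code: it validates the password policy exactly as the page states it, and validates the unified social credit code against the 18-character layout the page gives plus the GB 32100-2015 alphabet and check-digit algorithm (which the page does not spell out). The mobile-number pattern (11 digits starting with 1) and the form field names are assumptions.

```python
# Added example, not the ISCA platform's code. Server-side validation of the
# registration fields. The USCC alphabet/weights/check digit follow GB 32100-2015;
# the mobile-number pattern and the field names are assumptions.
import re

# GB 32100-2015 alphabet: digits and uppercase letters except I, O, S, V, Z (31 symbols)
USCC_ALPHABET = "0123456789ABCDEFGHJKLMNPQRTUWXY"
# Weights for positions 1..17: 3**(i-1) mod 31
USCC_WEIGHTS = (1, 3, 9, 27, 19, 26, 16, 17, 20, 29, 25, 13, 8, 24, 10, 30, 28)
MOBILE_RE = re.compile(r"^1\d{10}$")   # assumption: mainland mobile number format


def password_policy_errors(password: str) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    errors = []
    if not 8 <= len(password) <= 20:
        errors.append("length must be 8-20 characters")
    if not re.search(r"[0-9]", password):
        errors.append("must contain a digit")
    if not re.search(r"[a-z]", password):
        errors.append("must contain a lowercase letter")
    if not re.search(r"[A-Z]", password):
        errors.append("must contain an uppercase letter")
    return errors


def uscc_check_digit(body: str) -> str:
    """Compute the 18th character for the first 17 characters of a credit code."""
    total = sum(USCC_ALPHABET.index(ch) * w for ch, w in zip(body, USCC_WEIGHTS))
    return USCC_ALPHABET[(31 - total % 31) % 31]


def uscc_is_valid(code: str) -> bool:
    """Check length, alphabet, the 6-digit administrative division field and the check digit."""
    if len(code) != 18 or any(ch not in USCC_ALPHABET for ch in code):
        return False
    # Layout: 1 dept + 1 category + 6 division (digits) + 9 entity id + 1 check
    if not code[2:8].isdigit():
        return False
    return uscc_check_digit(code[:17]) == code[17]


def validate_registration(form: dict) -> dict:
    """Validate the registration form; returns {field: [errors]} for the failing fields only."""
    problems = {}
    pw_errors = password_policy_errors(form.get("password", ""))
    if pw_errors:
        problems["password"] = pw_errors
    if not uscc_is_valid(form.get("credit_code", "")):
        problems["credit_code"] = ["not a valid 18-character unified social credit code"]
    if not MOBILE_RE.match(form.get("mobile", "")):
        problems["mobile"] = ["not an 11-digit mobile number"]
    return problems


if __name__ == "__main__":
    # Constructed sample form; the credit code is the worked example from GB 32100-2015
    sample = {"password": "Abcdef12", "credit_code": "91350100M000100Y43", "mobile": "13800138000"}
    print(validate_registration(sample))
```

The check digit is what turns the credit-code field from a free-text box into something the platform can reject before an administrator ever reviews it; a transposed pair of characters fails the check, so typos are caught at registration rather than at organization review.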

2. Home page

The home page shows the functions users use most often: online announcements, evaluation institution qualification query, identification service organization certificate query and friendly links. These four functions are available without logging in; logged-in users can also open them by clicking the corresponding title on the home page.

2.1 Online announcements

The online announcement function displays the announcements issued by the platform, in reverse order of release time.

Clicking an announcement opens its details page, which shows the full text of the announcement.

For announcements with attachments, the user can view the attachment online or download it.

2.2 Evaluation institution qualification query

Clicking 'Evaluation institution qualification query' on the home page opens the query page, which lists evaluation institution information: legal representative, contact name, contact email, contact phone number, number of evaluators and so on.

2.3 Identification service organization certificate query

Clicking 'Identification service organization certificate query' on the home page opens the certificate query page, which lists certificate number, certificate name, company name, node type, service capability and so on. The user enters the company name or project number to search for and clicks Query to display all matching records; the query supports fuzzy matching.
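A public, unauthenticated fuzzy search is the single most exposed query on this platform, and the "Prevent SQL injection" requirement in the security section is tested exactly here. The following is an added example, not the platform's code: the same company-name search built two ways against an in-memory SQLite table of constructed certificate rows (the table layout and rows are assumptions). The first splices the search term into the SQL text; the second binds it as a parameter and escapes LIKE wildcards so the user's text is matched literally.

```python
# Added example, not the ISCA platform's code. Fuzzy certificate query, vulnerable
# and hardened. Table layout and sample rows are constructed for illustration.
import sqlite3

# Constructed sample data: (certificate number, certificate name, company, node type, capability)
CONSTRUCTED_ROWS = [
    ("ISCA-2021-0001", "Node service capability certificate", "Alpha Industrial Co.", "enterprise node", "level 2"),
    ("ISCA-2021-0002", "Node service capability certificate", "Beta Manufacturing Ltd.", "second-level node", "level 3"),
    ("ISCA-2021-0003", "Node service capability certificate", "Alphabet Logistics", "enterprise node", "level 1"),
]


def build_db() -> sqlite3.Connection:
    """Create the in-memory certificate table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE certificate (cert_no TEXT, cert_name TEXT, company TEXT, "
        "node_type TEXT, capability TEXT)"
    )
    conn.executemany("INSERT INTO certificate VALUES (?, ?, ?, ?, ?)", CONSTRUCTED_ROWS)
    return conn


def query_vulnerable(conn: sqlite3.Connection, company: str) -> list:
    """The pattern to avoid: the search term is spliced into the SQL text, so a term
    such as  ' OR 1=1 --  rewrites the WHERE clause and returns every certificate."""
    sql = "SELECT cert_no FROM certificate WHERE company LIKE '%" + company + "%' ORDER BY cert_no"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term: str) -> str:
    """Escape LIKE metacharacters so that % and _ typed by the user match literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def query_safe(conn: sqlite3.Connection, company: str) -> list:
    """Bound parameter plus ESCAPE clause: the input is data only, so it can neither
    change the query structure nor widen the match with its own wildcards."""
    pattern = "%" + escape_like(company) + "%"
    sql = "SELECT cert_no FROM certificate WHERE company LIKE ? ESCAPE '\\' ORDER BY cert_no"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = build_db()
    print(query_safe(db, "Alpha"))               # legitimate fuzzy search
    print(query_vulnerable(db, "' OR 1=1 --"))   # injected term: every row comes back
    print(query_safe(db, "' OR 1=1 --"))         # same term bound as data: no match
```

Two things are worth noting. The parameter binding alone stops the structural injection, but without the `ESCAPE` handling a user who types `%` still turns a fuzzy search into a full table dump, which matters on a public page. And the certificate table holds only data the page already publishes, so the real damage of an injection here is the other tables reachable through the same database account, which is why the account-usage requirements below forbid connecting as sa or dba.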

2.4 Friendly links

The system links to three related platforms for quick access: the Industrial Internet Monitoring and Service Platform, the Industrial Internet Identifier Resolution Evaluation Expert platform, and the Military-Civilian Dual-Use Software Association.
3. Personal center

3.1 Basic information

The basic information page displays the information entered at registration: real name, user name, nickname, gender, birthday, email address, mobile phone number and job title. Fields left blank at registration can be completed here, and the other fields can be modified. Clicking 'Confirm Modification' submits the changes, after which the system prompts 'basic information modified successfully'.

3.2 Organization certification information

A newly registered enterprise user must fill in organization information to be certified. The required information includes: organization name, node prefix, organization code, business license, contact person, mobile phone number, address and so on.

After entering the information and clicking Submit, the application is shown as awaiting review by the back-end administrator. The page shows one of three review states: 'under review', 'review failed' and 'approved'.

  1. A user whose application is 'under review' cannot use the 'Evaluate Now' function until the back-end administrator has completed the review.
  2. A user whose application 'failed review' must resubmit the relevant documents and wait for a new review.
  3. Only 'approved' users can use the subsequent evaluation functions of the system.
3.3 Change password

On this page the user enters the user name and old password to confirm identity, then enters the new password twice to reset it. After the reset, the user must log in to the system again.

4. Evaluation report

This page is the core function of the system: submitting evaluations.

4.1 View the report list

This page lists the evaluations the user has submitted. The main columns are: node identifier prefix, node category, standard version number, applied evaluation level, submission date, self-assessment result, review status and report release status, together with the available operations.

The query bar above the list filters the user's evaluation reports by applied evaluation level, review status and release status.

Clicking the 'Publish' button updates the 'Report release status' column.

Clicking Modify opens the report for editing and allows the subsequent document submission step. Clicking View opens the report read-only.

4.2 Evaluate now

(1) Select the node type

If a user who has not completed organization certification clicks 'Evaluate Now', the system indicates that the organization review must be completed first; the function becomes available only after the review is approved.

A user whose organization is certified selects the node type: national top-level node, second-level node or enterprise node. After selecting, the user clicks 'Next'.

(2) Select the evaluation level

The evaluation levels offered depend on the node type chosen in the previous step: capability maturity level 1 (initial), level 2 (managed), level 3 (stable), level 4 (quantitatively managed) and level 5 (optimizing). After selecting one, the user clicks 'Next'.

 (3) Fill in the form

The user fills in a self-assessment report, mainly the self-assessment results, by scoring each evaluation indicator; the indicator items are configured in the back-end administration system. After filling in the form, the user clicks 'Save'.

The system returns the evaluation result. If the evaluation does not pass, the user must fill in and submit again; if it passes, the user can continue. 'Export Report' downloads the evaluation report locally, and 'Next' proceeds to the final step.
 (4) Submit for review

The user uploads the stamped PDF of the report to complete the submission.

III. Back-end administration system requirements

The back-end administrator logs in to maintain the system. The main functions are: organization information review, evaluation report review, index item management, carousel management, announcement management, unified user management and certificate management.

1. Organization information review

The organization information review page lists the organization information submitted by front-end users and supports search, review and view operations. Administrators can search by organization name, mobile phone number and review status.

The administrator clicks the 'Review' button to review and, where needed, modify the organization information. Once approved, the result is shown on the front-end and the user can proceed with other operations. A user whose application fails review must go back and modify it.

Clicking the View button shows the full details.

2. Evaluation report review

Evaluation report review covers reviewing and publishing the reports submitted by front-end users through 'Evaluate Now'. The review list shows company name, node identifier prefix, node category, applied evaluation level, submission time, report release time and review status. It can be filtered by company name, review status, node identifier prefix, node category and applied evaluation level.

Reports not yet reviewed can be reviewed; approved reports can be viewed directly.

Clicking the 'Review' button opens a dialog with the information the user submitted on the front-end: node information and review information. The node information includes the stamped version of the evaluation report uploaded by the user, which can be downloaded with a button, together with the evaluation results and other details.

The reviewer selects the review result, 'approved' or 'return for modification', to complete the report review.

Reports that have already been reviewed can be viewed.

3. Index item management

Index item management maintains the back-end indicator items used by the evaluation report in the front-end 'Evaluate Now' module. The administrator can view the index item list, including capability category, evaluation description and veto flag, and can view and delete items; modification is not provided.
To add an indicator item, the administrator clicks 'Add' and fills in the dialog: the capability (business capability, operation capability, security capability, service provision capability or data application capability), the evaluation item description and whether the item carries a veto. Clicking OK creates the item.

4. Carousel management

Carousel management maintains the carousel images on the front-end home page. The administrator can add and upload carousel images as needed and edit them. The list shows the carousel title, last modified by, modification time and status, and provides edit, delete, publish and unpublish operations, plus filtering by title and status.

The administrator clicks the 'Add' button, then edits the title and uploads the image in the dialog to create the item. Clicking Publish adds the carousel item to the front-end home page.
5. Announcement management

Announcement management maintains the announcements on the front-end home page. The list shows announcement title, summary and status. The status lets an administrator create an announcement in advance, publish it when needed and withdraw it when not: only published announcements are visible on the front-end; unpublished ones are not.

To add an announcement, the administrator clicks the 'Add' button and fills in the dialog: announcement title, summary, announcement date, content and attachments. The administrator can set any release date, and the announcement is released at that time. The content is rich text supporting bold, italic, color and similar formatting. Clicking 'OK' completes the addition. Because the rich-text content is rendered on the public front-end, it should be sanitized to an allow-list of tags and attributes before storage, so that a compromised administrator account cannot be used to inject script into every visitor's browser.

Clicking Modify re-opens an announcement for editing.

6. Unified user management

6.1 User Management

User management lists user information and supports search, add, edit and authorization operations. Administrators can search by name, status and role. Status is 'valid' or 'invalid'; roles are 'front-end user' and 'back-end technical service'.

The administrator clicks the 'Add' button and enters the following information in the dialog: user name, password, real name, gender, permission role, region, detailed address and mobile phone number. Clicking 'Save' creates the back-end administrator user.

Clicking View shows the user information read-only.

6.2 Role management

The system provides several roles, which the administrator manages. The role list shows role name, description and review result, and supports view and edit.

Clicking the 'Edit' button modifies the role information, including whether the role is valid; an invalid role cannot be used in the system.

Clicking the New button and entering the information creates a new role.

 7. Certificate Management

7.1 Identification service organization certificate management

Identification service organization certificate management backs the front-end 'Identification service organization certificate query' function: the back-end administrator maintains the certificates that front-end users query. The list shows certificate number, certificate name, company name, node type and service capability, and provides create, modify and delete operations.

Clicking the 'Add' button opens a dialog for: node type, service capability, certificate number, certificate name, company name, certification basis, certificate issue date, validity period, evaluation institution, certification institution and so on. Clicking 'OK' creates the record.

7.2 Evaluation institution certificate management

Evaluation institution certificate management backs the front-end 'Evaluation institution qualification query' function: the back-end administrator maintains the certificates that front-end users query. The list shows evaluation institution name, legal representative, contact name, contact email and so on, and provides create, modify and delete operations.

Clicking the Add button opens a form for: evaluation institution name, legal representative, contact name, contact email, contact phone number and number of evaluators. Clicking Save submits and saves the record.

IV. Non-functional requirements

1. User Interface Requirements

Interface interactivity: The system interface is simple and friendly, with intuitive graphics, so that it is convenient for users to operate.

2. Product quality requirements

Compatibility: Compatible with mainstream servers on the market (domestic servers from Inspur, Huawei, Sugon and others, and the existing ThinkServer RD450), databases (SQL Server, MySQL and other common databases), operating systems (Windows Server 2008/2012 on the server side, Windows 7/10 on the client side) and browsers (Google Chrome, Firefox, IE 9/10/11). Note that Windows Server 2008 left extended support in January 2020, so a deployment on it cannot satisfy the timely-patching requirement in the host security section.

Speed: Page queries and statistical report queries respond quickly: 1-3 seconds for page queries and 3-6 seconds for statistical reports.

Practicality: Supports combined routine and emergency (peacetime and wartime) operation and routine/disaster compatibility, improving day-to-day utilization.

Stability: The system runs stably and continuously without downtime; the average failure rate of the command system and application software is ≤0.03%.

 3. Security requirements

3.1 Host security

Security class and security functions:

Identification and authentication
- Users logging in to the operating system and database system shall be identified and authenticated.
- Operating system and database administrative user identifiers shall be hard to impersonate; passwords shall meet complexity requirements and be changed regularly.
- Login failure handling shall be enabled, with measures such as ending the session.
- Different users of the operating system and database system shall be assigned different user names, so that user names are unique.

Access control
- Access control shall be enabled to control user access to resources according to the security policy.
- Privileges of operating system and database system privileged users shall be separated.
- Default accounts shall be restricted: system default accounts renamed and their default passwords changed.
- Redundant and expired accounts shall be removed promptly, and shared accounts shall not exist.

Security audit records
- Records shall cover every operating system user and database user on the server.
- Recorded content shall include important security-related events, such as important user actions, abnormal use of system resources and use of important system commands.
- Each record shall include the date, time, type, subject identifier, object identifier and result of the event.
- Audit records shall be protected against unexpected deletion, modification or overwriting.

Intrusion prevention
- The operating system shall follow the principle of minimal installation, installing only the required components and applications, and shall be kept patched in a timely manner, for example through an upgrade server.

Malicious code prevention
- Anti-malware software shall be installed, and its version and signature database shall be updated in time.
- Unified management of anti-malware shall be supported.

Resource control
- Operation timeout locking of login terminals shall be configured according to the security policy.
- Maximum and minimum system resource usage for individual users shall be limited.

3.2 Application Security and Data Security

Security functions and remarks:

Application access control
- User- or role-based permission management.
- Administrators can grant different permissions by user or by role.
- Passwords are not displayed on screen while being entered.
- The user must log in again after the connection times out; the timeout is set according to the actual situation of the system.

System and database account usage
- The application must not connect to the database with administrator accounts such as sa or dba; separate database accounts are created for different applications.
- Database and similar account passwords used by the application must be complex: at least 8 characters, containing at least 3 of the 4 classes uppercase letters, lowercase letters, digits and symbols.
- Database and similar account passwords used by the application must be changeable, that is, they must not be hard-coded in the program.
- Remote login services such as rlogin must not be used between systems.

Data security
- User password information is stored in encrypted form (in practice as a salted one-way hash, so that no plaintext password can be recovered from the store).
- Transaction control is applied to related data writes to maintain data integrity.
- Important data is stored encrypted according to the actual situation of the system.
- SQL injection is prevented.
- Local data backup and recovery functions are provided.

Key activity log
- Account and permission management: account creation, password changes, account authorization, permission changes and so on.
- Successful system administrator logins.
- Failed system administrator logins.
- The web server access log is recorded and kept for at least 3 months.
- User operation log.
- Backup requirements for key activity logs are set according to the actual situation of the system, with a backup strategy that the operations department is required to meet.

Input and output validation
- Range validation of user input: according to the actual situation, input must fall within a specific range (for example length limits, or only digits, letters, email addresses and so on).
- Illegal-character validation of user input: special characters (<, >, %, &, ;, single quotes, double quotes and so on) are converted or filtered, or the program is guaranteed to treat all input strictly as text. Character filtering is a secondary defense only; parameterized queries and context-appropriate output encoding are what actually prevent injection.
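Three of the requirements above (hashed password storage, login-failure handling that ends the attempt, and a key-activity log entry for every administrator login success and failure) fit naturally in one component. The following is an added example, not the platform's code: a minimal authentication store that keeps only a salted scrypt hash per user, locks the account temporarily after repeated failures, and appends a log entry for every login outcome. The failure threshold (5) and lock duration (15 minutes) are assumptions; the page leaves both to the deployment.

```python
# Added example, not the ISCA platform's code. Salted password hashing, login
# failure lockout and key-activity logging in one store. MAX_FAILURES and
# LOCK_SECONDS are assumptions; the page does not fix their values.
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5          # assumption: consecutive failures before the lock
LOCK_SECONDS = 15 * 60    # assumption: lock duration
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1)   # about 16 MiB per hash; tune per host


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A fresh 16-byte random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


class AuthStore:
    def __init__(self):
        self.users = {}          # username -> {"salt", "hash", "failures", "locked_until"}
        self.activity_log = []   # key-activity log (in production: append-only storage)

    def _log(self, event: str, subject: str, result: str, now: float) -> None:
        self.activity_log.append({"ts": now, "event": event, "subject": subject, "result": result})

    def register(self, username: str, password: str, now: float = None) -> None:
        now = time.time() if now is None else now
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "failures": 0, "locked_until": 0.0}
        self._log("account_create", username, "ok", now)

    def login(self, username: str, password: str, now: float = None) -> bool:
        """True on success. Unknown users, wrong passwords and locked accounts all fail
        the same way to the caller; the distinction is kept only in the activity log."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            hash_password(password, salt=b"\0" * 16)   # equalize timing for unknown users
            self._log("login", username, "fail", now)
            return False
        if now < rec["locked_until"]:
            self._log("login", username, "locked", now)
            return False
        _, digest = hash_password(password, rec["salt"])
        if hmac.compare_digest(digest, rec["hash"]):
            rec["failures"] = 0
            self._log("login", username, "ok", now)
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCK_SECONDS
            rec["failures"] = 0
        self._log("login", username, "fail", now)
        return False


if __name__ == "__main__":
    store = AuthStore()
    store.register("admin", "Correct1Pw")
    print(store.login("admin", "wrong"), store.login("admin", "Correct1Pw"))
    for entry in store.activity_log:
        print(entry)
```

The lock is keyed on the account, not the source address, which is what the host-security requirement ("end the session after login failures") asks for; a production deployment would also rate-limit by source to keep an attacker from locking out legitimate users on purpose. The `hmac.compare_digest` call and the dummy hash for unknown users keep the success and failure paths close in timing, so the login endpoint does not leak which user names exist.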


Source: blog.csdn.net/Sabrina_cc/article/details/124734167