Basic concepts of information security classified protection (MLPS)
Classified protection of information security is the foundational system of national information security assurance.
Network security classified protection means applying protection and supervision measures to networks (including information systems and data) according to the security level assigned to them.
Classified security evaluation of an information system is the assessment process that verifies whether the system meets the protection requirements of its assigned level. Classified protection requires that information systems at different security levels have correspondingly different security protection capabilities.
Security protection levels
At present, networks, information systems, and the data and information on them are assigned one of five security protection levels according to their importance, from Level 1 to Level 5, with the protection requirements increasing at each level. Networks, information systems, and data at different levels must be given correspondingly different security protection measures.
Level 1
If the information system is damaged, the legitimate rights and interests of citizens, legal persons, and other organizations are harmed, but national security, social order, and the public interest are not.
Level 2
If the information system is damaged, the legitimate rights and interests of citizens, legal persons, and other organizations are seriously harmed, or social order and the public interest are harmed, but national security is not.
Level 3
If the information system is damaged, social order and the public interest are seriously harmed, or national security is harmed.
Level 4
If the information system is damaged, social order and the public interest are particularly seriously harmed, or national security is seriously harmed.
Level 5
If the information system is damaged, national security is particularly seriously harmed.
Why is a classified protection evaluation required?
Own security
By carrying out classified protection work, information system operators and users can discover hidden security risks and deficiencies in the system, remediate them through security rectification, raise the system's protection capability, and reduce the risk of a successful attack.
Competitive advantage
When an operating unit provides business services to external customers, passing an MLPS evaluation demonstrates the system's security commitment to customers and stakeholders and strengthens the confidence of customers, partners, and other stakeholders.
Legal obligation
The "Network Security Law" and the "Measures for the Administration of Leveled Protection of Information Security" clearly stipulate that information system operators and users must fulfill their security protection obligations in accordance with the requirements of the network security classified protection system; those that fail to do so are subject to penalties.
Classified protection implementation process
1. System rating
Following the requirements of the competent higher-level authority, the actual situation of the industry, and the unit's own business conditions, and in accordance with the relevant laws and policies, determine the system's level, prepare a grading report, and fill in the grading filing form.
2. System filing
After the grading filing form is completed, submit the grading materials to the public security organ for filing review.
3. Construction and rectification
Survey the system, carry out a gap assessment, design the security solution in accordance with the relevant national standards, complete the corresponding equipment procurement and deployment, policy configuration and debugging, and improve the management system.
4. System evaluation
Engage a local evaluation agency to conduct a comprehensive evaluation of the system; once the system passes the evaluation and scoring, obtain the passing evaluation report and, finally, the classified protection filing certificate.
5. Supervision and inspection
Continuously improve and optimize the system, and undergo periodic evaluation and inspection as required (Level 2 systems are evaluated and inspected every two years, Level 3 systems once a year).
Materials required for a classified protection evaluation
01. Filing form and grading report;
02. Emergency contact registration form for network security classified protection;
03. "Information Security Work Management System";
04. List of security products used in the system, with their certifications and sales licenses;
05. Network topology diagram of the unit and its description;
06. Expert review opinions.