MLPS (等保) Evaluation 2.0 explained in detail: one article worth bookmarking

1. Introduction to level protection

1.1 What is level protection

Network security level protection (MLPS) means implementing security protection, by level, for important national information, the proprietary information of legal persons, other organizations and citizens, and the information and information systems that store, transmit and process such information; managing the information security products used in those information systems by level; and responding to and handling the information security incidents that occur in those systems by level.

1.2 Development history of graded protection

The first stage (1994-2007, the initiation and exploration of network security level protection):

  • February 18, 1994 "Regulations of the People's Republic of China on the Protection of Computer Information System Security" (Decree No. 147 of the State Council)
  • September 7, 2003 "Opinions of the National Informatization Leading Group on Strengthening Information Security Work" (Zhong Ban Fa [2003] No. 27)
  • September 15, 2004 "Implementation Opinions on Information Security Classified Protection Work"
  • June 22, 2007 "Information Security Level Protection Management Measures" (Gongtongzi [2007] No. 43)
  • July 16, 2007 "Notice on Carrying out the Grading Work of National Important Information System Security Level Protection" (Gongxinan [2007] No. 861)

The second stage (2007-2016, standardization and development of network security level protection):

  • GB/T 22239—2008 basic requirements; 22240, 25070, 28448, 28449 and other national standard series standards.

The third stage (2016-2019, deep industry cultivation and implementation of network security level protection):

  • June 1, 2017 "Network Security Law of the People's Republic of China"
  • June 27, 2018 "Network Security Level Protection Management Regulations (Draft for Comment)"

The fourth stage (2019 onwards, entering the era of network security level protection 2.0):

  • May 13, 2019 "Basic Requirements for Information Security Technology Network Security Level Protection"
  • July 22, 2020 "Guiding Opinions on Implementing the Network Security Guarantee System and Customs Security System" (Ministry of Public Security No. 1960)
  • On November 1, 2020, the "Information Security Technology Network Security Level Protection Grading Guide GB/T22240-2020" was officially implemented

1.3 Background of MLPS 2.0

Since Decree No. 147 in 1994, China has implemented level-based protection of information systems, and for more than ten years it has been applied in depth across industries such as finance, energy, telecommunications and healthcare. With the development of new technologies such as cloud computing, big data, the Internet of Things, mobile Internet and artificial intelligence, however, level protection 1.0 could no longer effectively address the information security risks they bring. To meet these new technical challenges, effectively prevent and manage the various information technology risks, and raise the security level nationally, level protection 2.0 was born at the right time. Network security has entered a new stage of development, and many industry regulators require the enterprises they oversee to carry out level protection work in order to manage risk reasonably. According to the data, network security companies include Beijing Times Xinwei, Venus, Blue Shield and others; among them, Times Xinwei is an evaluation institution recommended by the National Security Office (Certificate No.: DJCP2019110192). As a pioneer of the network security level protection industry, network security companies such as Times Xinwei need to contribute their strength to ensuring information security!


2. Changes in Equal Guarantee 2.0

2.1 Legal status confirmed

Article 21 of the "Network Security Law of the People's Republic of China" stipulates that "the state implements a network security level protection system" and requires that "network operators shall perform security protection obligations in accordance with the requirements of the network security level protection system"; for critical information infrastructure, key protection is implemented "on the basis of the network security level protection system".

2.2 Levels of protection objects continue to expand

With the continuous emergence of new technologies such as cloud computing, mobile Internet, big data, the Internet of Things and artificial intelligence, the concept of "computer information system" can no longer cover everything, especially the value of big data brought about by the rapid development of the Internet; the range of protection objects will therefore keep expanding.

2.3 Strengthen trusted computing

Network security level protection 2.0 builds a core technology system for level protection based on trusted computing technology, which strengthens the important idea of a trusted system.

2.4 Changes in general requirements

The general requirements include the general security requirements plus the security extension requirements for cloud computing, mobile Internet, the Internet of Things and industrial control systems. The core of the general requirements in MLPS 2.0 is optimization.

Newly added key content: protection against network attacks from inside as well as outside, emphasis on operation and maintenance auditing, the security management center, independent security areas, email security protection, operating status monitoring, time requirements for security audits, centralized log auditing, trusted computing requirements, security event identification and analysis, and personal information protection.

2.5 Changes in Extension Requirements

Level protection 2.0 is split into 1 general requirement and 4 extension requirements: the common security protection requirements are listed as the general security requirements, and security extension requirements are put forward for fields such as cloud computing, big data, industrial control systems and mobile Internet technology. MLPS 2.0 still retains the two dimensions of technology and management. The number of Level 2 requirements changed from 175 to 135, and Level 3 from 290 to 211. On the technical side, physical security, network security, host security, application security and data security became secure physical environment, secure communication network, secure area boundary, secure computing environment and security management center. On the management side the structure changed little: security management system, security management organization, personnel security management, system construction management and system operation and maintenance management were adjusted to security management system, security management organization, security management personnel, security construction management and security operation and maintenance management.

(1) Cloud Computing Platform Security Extension Requirements

  • The responsible entity is split into two, so the evaluation objects increase.
  • The protection levels must match.
  • Cloud computing platforms need to be graded and filed separately.
  • The cloud computing platform needs to pass the level protection evaluation.
  • The same cloud computing platform can host information systems of different levels.
  • The cloud computing platform cannot host information systems at a higher level than the platform itself.

(2) Big data security expansion requirements

  • Big data with a unified security responsibility unit should be rated as a whole object.

(3) Internet of Things Security Extension Requirements

  • The Internet of Things should be rated as a whole object, mainly including elements of perception layer, network transmission layer and processing application layer.

(4) Security extension requirements for mobile Internet

  • Mobile internet technology should be graded as a whole object, elements such as mobile terminal, mobile application and wireless network should not be graded separately, but should be graded together with the application environment and application objects that adopt the protection object of mobile internet technology grade.

(5) Expansion requirements for industrial control systems

  • The industrial control system mainly consists of the production management layer, field equipment layer, field control layer and process monitoring layer. The principle for determining the grading object of the production management layer is the one given under "Other information systems". The field equipment layer, field control layer and process monitoring layer should be graded as a whole object, and the elements of each layer should not be graded separately. A large industrial control system can be divided into multiple grading objects according to factors such as system function, control objects and manufacturers.

2.6 Increased qualification requirements for assessment

Compared with MLPS 1.0, the evaluation standard of MLPS 2.0 has changed. Evaluation conclusions in MLPS 2.0 are: excellent (90 points and above), good (80 points and above), medium (70 points and above) and poor (less than 70 points); 70 points and above is considered to basically meet the requirements. The passing score has been raised and the evaluation requirements are more stringent.

2.7 Three things that remain unchanged in 2.0

Compared with 1.0, three things remain unchanged in MLPS 2.0: the five levels, the prescribed actions and the main responsibilities. Five levels: the first level (user autonomous protection level), the second level (system audit protection level), the third level (security mark protection level), the fourth level (structural protection level) and the fifth level (access verification protection level). Prescribed actions: grading, filing, construction and rectification, level evaluation, and supervision and inspection. Main responsibilities: the network security department's responsibility for accepting filings and for supervising and inspecting grading objects; third-party evaluation agencies' responsibility for the security evaluation of grading objects; the superior competent unit's security management responsibility for its subordinate units; and operating and user units' level protection responsibility for grading objects.

3. General process of hierarchical protection

3.1 System Rating

In accordance with the "Information Security Level Protection Management Measures" and the "Network Security Level Protection Grading Guidelines", the operating and user unit of the information system preliminarily determines the security protection level of the grading object and drafts the "Network Security Level Protection Grading Report"; the grading conclusion then needs to be reviewed by experts, reviewed by the competent authority, and filed.

3.1.1 Determine the grading object

The information system as the object of rating should have the following basic characteristics:

A) Have a definite main body responsible for safety;

B) carry relatively independent business applications;

C) Contains multiple resources that are interrelated.

Note: The main safety responsibility subjects include but are not limited to legal persons such as enterprises, government agencies, and public institutions, as well as other organizations such as social groups that do not have legal person qualifications.

Note: Avoid rating a single system component, such as a server, terminal, or network device.

Note: When determining the grading object, cloud computing platforms/systems, Internet of Things, industrial control systems, and systems using mobile Internet technology must meet the following requirements on the basis of meeting the above basic characteristics:

3.1.2 Classification of grades

After the first-level information system is damaged, it will cause damage to the legitimate rights and interests of citizens, legal persons and other organizations, but will not damage national security, social order and public interest.

If the second-level information system is damaged, it will seriously damage the legitimate rights and interests of citizens, legal persons and other organizations, or cause damage to social order and public interests, but will not damage national security.

When a third-level information system is damaged, it will cause serious damage to social order and public interests, or cause damage to national security.

When a fourth-level information system is damaged, it will cause particularly serious damage to social order and public interests, or cause serious damage to national security.

When a fifth-level information system is damaged, it will cause particularly serious damage to national security.

Grading matrix (object harmed against degree of harm to the object):

| Object harmed | General damage | Serious damage | Particularly serious damage |
|---|---|---|---|
| Legal rights of citizens, legal persons and other organizations | First level | Second level | Second level |
| Social order, public interest | Second level | Third level | Fourth level |
| National security | Third level | Fourth level | Fifth level |

3.1.3 Interpretation of the object of infringement

Social order:
(1) Other matters affecting social order;
(2) Affecting the normal life order of the public under legal constraints and moral norms, etc.;
(3) Affecting the scientific research and production order of various industries;
(4) Affecting the order of various types of economic activities;
(5) Affecting the working order of social management and public services by state organs.

Public interests:
(1) Affecting members of society's use of public facilities;
(2) Affecting members of society's receipt of public services, etc.;
(3) Affecting members of society's access to information resources;
(4) Other matters affecting public interests.

National security:
(1) Affecting the stability of state power and the integrity of sovereignty;
(2) Affecting national unification, ethnic unity and social stability;
(3) Affecting national economic order and cultural strength;
(4) Affecting the order of religious activities and anti-terrorism capacity building;
(5) Other matters affecting national security.

3.1.4 Interpretation of the degree of infringement

General damage: work functions are partially affected; business capability is reduced but the execution of main functions is not affected; minor legal problems occur; property losses are relatively low; adverse social effects are limited; and the damage to other organizations and individuals is relatively low.

Serious damage: work functions are seriously affected; business capability is significantly reduced and the execution of main functions is seriously affected; serious legal problems occur; property losses are relatively high; adverse social effects are large-scale; and the damage to other organizations and individuals is relatively serious.

Particularly serious damage: work functions are particularly seriously affected or lost entirely; business capability is severely reduced or functions cannot be performed; extremely serious legal problems arise; property losses are extremely high; adverse social effects are large-scale; and very serious damage is caused to other organizations and individuals.

3.1.5 System grading reference at all levels

The first level (self-protection level): It is suitable for small private enterprises, individual enterprises, primary and secondary schools, township-owned information systems, and general information systems in county-level units.

The second level (guidance and protection level): applicable to important information systems in certain units at the county level; general information systems within state agencies, enterprises and institutions above the prefecture and city level. For example, office systems and management systems that do not involve work secrets, business secrets, or sensitive information.

The third level (supervision and protection level): generally applicable to important internal information systems of state agencies, enterprises and institutions above the prefecture and city level, such as office systems and management systems involving work secrets, business secrets and sensitive information; important information systems for production, scheduling, management, command, operation, control and so on that are networked and run across provinces or nationwide, as well as the branch systems of such systems in provinces, prefectures and cities; portals and important websites of central ministries and commissions and of provinces (regions, municipalities); network systems connected across provinces, etc.

Level 4 (compulsory protection level): Generally applicable to core systems in important national areas and departments that involve national economy and people's livelihood, national interests, national security, and social stability. For example, power production control system, bank core business system, telecommunications core network, railway ticket system, train command and dispatch system, etc.

The fifth level (special control and protection level): generally applicable to extremely important systems in important national fields and important departments.

3.2 System filing

When the information system's security protection level is second level or above, the "Network Security Level Protection Filing Form", the grading report and the expert review opinions should be submitted at filing; for systems at the third level or above, the system topology and description, the security management system, the security construction plan and so on must also be submitted.

3.2.1 Filing steps

Apply for filing to the network security department of the public security organ (you can consult the local public security organ by telephone, or find the online processing channel on its official website) → after the network security department of the public security organ accepts the application, submit the filing materials (the time limit for filing is within 30 days after the network security protection level is determined, and 10 working days after acceptance) → after review and approval, the network security department of the public security organ issues the "Information System Security Level Protection Filing Certificate".

3.2.2 List of filing and submission materials

1. Information System Security Level Protection Filing Form, 2 paper copies, originals;
2. Information system security level protection self-grading report, 1 paper copy, original;
3. Information security level protection grading review result (expert review report, or the competent department's opinion approving the information system's security protection level), 1 paper copy, original;
4. Information system security related materials (establishment of the unit's information system security organization, basic application status of the information system, the main equipment, operating systems, databases and anti-virus software used by the information system, and the network topology diagram), 1 paper copy, original;
5. Electronic filing data of the information system, 1 electronic copy, original;
6. Technical testing and evaluation report confirming, after evaluation, that the system meets its security protection level;
7. Design implementation plan or reconstruction implementation plan for the system's security protection facilities;
8. When going through the filing formalities for the information system security protection level, the "Information System Security Level Protection Filing Form" should be filled in, and information systems at the third level or above should also provide the following materials:
  • (1) System topology and description;
  • (2) System security organization and management system;
  • (3) Design implementation plan or reconstruction implementation plan for the system's security protection facilities;
  • (4) List of the information security products used by the system and their certification and sales licence certificates;
  • (5) Technical testing and evaluation report confirming, after evaluation, that the system meets its security protection level;
  • (6) Expert review opinions on the information system's security protection level;
  • (7) Opinion of the competent department approving the information system's security protection level.

3.3 Construction and rectification

In accordance with the "Basic Requirements for Network Security Level Protection", carry out security construction and rectification of the information system using the unit's own or third-party security products and expert services, and formulate the corresponding security management systems at the same time.

This step is also called pre-evaluation or gap analysis: from the security service provider's perspective, it means running the customer's system through the same process as the formal evaluation, which reduces the rectification workload after the formal evaluation.

3.4 System evaluation

The evaluation institution, following management specifications and technical standards and using scientific means and methods, conducts a preliminary testing and evaluation of the protection status of the information system that handles the specific application, using both security technology evaluation and security management evaluation, and puts forward security rectification suggestions for the non-compliant items.

3.5 Supervision and inspection

After the security problems found in the initial evaluation have been rectified and hardened, the evaluation institution carries out a retest; if the system conforms, it issues a technical testing and evaluation report confirming that the system meets its security protection level after evaluation.

4. Interpretation of level protection control items (Level 3 standard)

Note: the items below are listed according to MLPS Level 3; Level 2 and other systems may refer to the standard documents at the end of the article. Each of the ten major items will be explained in detail in a separate follow-up article.

4.1 Secure physical environment

General security requirements

Physical location selection:

a) The equipment room should be located in a building that is resistant to earthquakes, wind and rain;

b) The equipment room should not be placed on the top floor or in the basement of a building; otherwise, waterproofing and moisture-proofing measures should be strengthened.

Physical access control:

a) Equipment room entrances and exits should be equipped with an electronic access control system that controls, authenticates and records the personnel entering.

Anti-theft and anti-damage:

a) Equipment and major components should be fixed in place and marked with conspicuous labels that are not easily removed;

b) Communication cables should be laid in concealed, safe locations;

c) An equipment room anti-theft alarm system, or a video surveillance system with dedicated staff on duty, should be installed.

Lightning protection:

a) All cabinets, facilities and equipment should be safely grounded through a grounding system;

b) Measures should be taken against induced lightning, such as installing lightning arresters or overvoltage protection devices.

Fire protection:

a) The equipment room should have an automatic fire protection system that can automatically detect a fire, raise an alarm and extinguish it;

b) The equipment room and the related working and auxiliary rooms should be built with fire-rated building materials;

c) The equipment room should be divided into zones for management, with fire isolation measures between zones.

Waterproofing and moisture-proofing:

a) Measures shall be taken to prevent rainwater from penetrating through the windows, roof and walls of the equipment room;

b) Measures shall be taken to prevent condensation of water vapour in the equipment room and the transfer and infiltration of groundwater;

c) Water-sensitive detection instruments or components should be installed to detect water and raise alarms for the equipment room.

Anti-static:

a) Anti-static flooring or ground shall be adopted, and the necessary grounding anti-static measures shall be taken;

b) Measures should be taken to prevent the generation of static electricity, such as using static eliminators and wearing anti-static wrist straps.

Temperature and humidity control:

a) Automatic temperature and humidity adjustment facilities should be set up so that temperature and humidity changes in the equipment room stay within the range allowed for equipment operation.

Power supply:

a) A voltage stabilizer and overvoltage protection equipment should be configured on the power supply line of the equipment room;

b) Short-term backup power shall be provided, at least sufficient for the normal operation of the equipment in case of power failure;

c) Redundant or parallel power cable lines shall be provided to supply power to the computer system.

Electromagnetic protection:

a) Power lines and communication cables should be laid separately to avoid mutual interference;

b) Electromagnetic shielding should be implemented for key equipment.

Cloud computing security extension requirements

Infrastructure location:

a) It should be ensured that the cloud computing infrastructure is located in China.

Mobile Internet security extension requirements

Physical location of wireless access points:

a) A reasonable location should be selected for installing wireless access equipment, to avoid excessive coverage and electromagnetic interference.

IoT security extension requirements

Physical protection of sensing node equipment:

a) The physical environment of a sensing node device should not cause it physical damage, such as crushing or strong vibration;

b) The physical environment of a sensing node device in working state should let it correctly reflect the environmental state (for example, temperature and humidity sensors cannot be installed in areas exposed to direct sunlight);

c) The physical environment of a sensing node device in working state should not affect its normal operation, for example through strong interference or blocking and shielding;

d) Key sensing node equipment should have a power supply for long-term operation (key gateway node equipment should have a long-lasting and stable power supply capability).

Industrial control system security extension requirements

Physical protection of outdoor control equipment:

a) Outdoor control equipment should be placed and fastened in a box or device made of iron plate or other fireproof material; the box or device should have ventilation, heat dissipation, anti-theft, rainproof and fireproof capabilities;

b) Outdoor control equipment should be placed away from strong electromagnetic interference, strong heat sources and similar environments; if this cannot be avoided, emergency handling and maintenance should be carried out in time to ensure the normal operation of the equipment.

Big data security extension requirements

Big data platform:

a) It should be ensured that the equipment room carrying big data storage, processing and analysis is located in China.

4.2 Secure communication network

General security requirements

Network architecture:

a) It should be ensured that the business processing capacity of network equipment meets the needs of business peak periods;

b) The bandwidth of each part of the network should be guaranteed to meet the needs of business peak periods;

c) Different network areas shall be divided, and addresses shall be assigned to each network area according to the principle of convenient management and control;

d) Deploying important network areas at the border should be avoided, and reliable technical isolation should be adopted between important network areas and other network areas;

e) Hardware redundancy shall be provided for communication lines, key network equipment and key computing equipment to ensure system availability.

Communication transmission:

a) Verification technology or cryptographic technology should be used to ensure the integrity of data during communication;

b) Cryptographic technology should be used to ensure the confidentiality of data during communication.

Trusted verification:

a) Based on a root of trust, the system boot program, system program, important configuration parameters and communication application programs of the communication equipment should be verified as trusted, with dynamic trusted verification in the key execution links of the application programs; when trust is found to be compromised, an alarm should be raised and the verification result sent to the security management center as an audit record.

Cloud computing security extension requirements

Network architecture:

a) It should be ensured that the cloud computing platform does not carry business application systems of a higher security protection level than its own;

b) Isolation between the virtual networks of different cloud service customers shall be realized;

c) It should be able to provide security mechanisms such as communication transmission, border protection and intrusion prevention according to the business needs of cloud service customers;

d) It should be able to let cloud service customers independently set security policies according to their business needs, including defining access paths, selecting security components and configuring security policies;

e) Open interfaces or open security services should be provided so that cloud service customers can connect third-party security products or choose third-party security services on the cloud computing platform.

Industrial control system security extension requirements

Network architecture:

a) The industrial control system and the enterprise's other systems should be divided into two areas, with one-way technical isolation between them;

b) The interior of the industrial control system should be divided into different security domains according to business characteristics, with technical isolation between security domains;

c) Industrial control systems involving real-time control and data transmission should use independent network equipment to form their network, achieving physical-level isolation from other data networks and external public information networks.

Communication transmission:

a) If a wide area network is used in the industrial control system for control commands or related data exchange, encryption and authentication technology shall be used to realize identity authentication, access control and encrypted data transmission.

Big data security extension requirements

Big data platform:

a) It should be ensured that the big data platform does not carry big data applications of a higher security protection level than its own;

b) It should be ensured that the management traffic of the big data platform is separated from the system's business traffic.

4.3 Secure area boundary

General security requirements

Border protection:

a) It shall be ensured that access and data flows across the border pass through the controlled interfaces provided by the border devices;

b) It should be possible to check or restrict unauthorized devices connecting to the internal network;

c) It should be possible to check or restrict internal users connecting to external networks without authorization;

d) The use of wireless networks should be restricted to ensure that wireless networks connect to internal networks through controlled border devices.

Access control:

a) Access control rules should be set according to the access control policy at the network boundary or between areas; by default, the controlled interface denies all communication except what is explicitly allowed;

b) Redundant or invalid access control rules should be deleted, the access control list should be optimized, and the number of access control rules should be minimized;

c) The source address, destination address, source port, destination port and protocol should be checked to allow or deny packets entering and leaving;

d) It should be possible to explicitly permit or deny incoming and outgoing data flows based on session state information;

e) Access control based on application protocols and application content should be implemented for data flows entering and exiting the network.
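As an added example (not from the original article and not a vendor tool), the following Python script checks a border-device rule list against items a) to c) above: whether the list ends with an explicit deny-all, which rules are fully shadowed by an earlier rule and can be deleted, and first-match evaluation on the source address, destination address, source port, destination port and protocol. The rule format and the sample rules are constructed for the example; items d) (session state) and e) (application layer) are not covered.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

PortRange = Tuple[int, int]
ANY_PORT: PortRange = (0, 65535)


@dataclass(frozen=True)
class Rule:
    """One access-control rule in a constructed, vendor-neutral format."""
    action: str       # "permit" or "deny"
    proto: str        # "tcp", "udp", "icmp" or "any"
    src: str          # CIDR prefix, or "any" for 0.0.0.0/0
    dst: str
    sport: PortRange  # inclusive port range; ANY_PORT matches every port
    dport: PortRange


# The explicit deny-all that item a) wants as the last rule.
CATCH_ALL = Rule("deny", "any", "any", "any", ANY_PORT, ANY_PORT)


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _proto_covers(outer: str, inner: str) -> bool:
    return outer == "any" or outer == inner


def _range_covers(outer: PortRange, inner: PortRange) -> bool:
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (_proto_covers(outer.proto, inner.proto)
            and _net(inner.src).subnet_of(_net(outer.src))
            and _net(inner.dst).subnet_of(_net(outer.dst))
            and _range_covers(outer.sport, inner.sport)
            and _range_covers(outer.dport, inner.dport))


def find_redundant(rules: List[Rule]) -> List[int]:
    """Item b): indexes of rules fully shadowed by an earlier rule.

    A shadowed rule can never be the first match, so it is dead whatever its
    own action is, and deleting it keeps the rule count minimal."""
    return [i for i, r in enumerate(rules)
            if any(covers(earlier, r) for earlier in rules[:i])]


def has_default_deny(rules: List[Rule]) -> bool:
    """Item a): the list must end with an explicit deny of all other traffic."""
    return bool(rules) and rules[-1].action == "deny" and covers(rules[-1], CATCH_ALL)


def match(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
          sport: int, dport: int) -> str:
    """Item c): first-match evaluation of a packet's 5-tuple.

    Falls back to an implicit deny, which item a) wants made explicit."""
    for r in rules:
        if (_proto_covers(r.proto, proto)
                and ip_address(src_ip) in _net(r.src)
                and ip_address(dst_ip) in _net(r.dst)
                and r.sport[0] <= sport <= r.sport[1]
                and r.dport[0] <= dport <= r.dport[1]):
            return r.action
    return "deny"


def check_acl(rules: List[Rule]) -> Dict[str, object]:
    """Summarise what a Level 3 evaluator would record for this rule list."""
    return {"rule_count": len(rules),
            "default_deny": has_default_deny(rules),
            "redundant": find_redundant(rules)}


# Constructed sample rule list for an office-to-server-zone boundary.
SAMPLE_RULES = [
    Rule("permit", "tcp", "10.1.0.0/16", "10.2.0.10/32", ANY_PORT, (443, 443)),
    Rule("permit", "tcp", "10.1.5.0/24", "10.2.0.10/32", ANY_PORT, (443, 443)),  # shadowed by rule 0
    Rule("permit", "udp", "10.1.0.0/16", "10.2.0.53/32", ANY_PORT, (53, 53)),
    CATCH_ALL,
]

if __name__ == "__main__":
    print(check_acl(SAMPLE_RULES))
    print(match(SAMPLE_RULES, "tcp", "10.1.5.7", "10.2.0.10", 51000, 443))
```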

Intrusion prevention:

a) Network attacks initiated from outside should be detected, prevented or limited at key network nodes;

b) Network attacks initiated from inside should be detected, prevented or limited at key network nodes;

c) Technical measures should be taken to analyze network behaviour so as to analyze network attacks, especially new kinds of attack behaviour;

d) When an attack is detected, the attack source IP, attack type, attack target and attack time should be recorded, and an alarm raised when a serious intrusion event occurs.

Malicious code and spam prevention:

a) Malicious code should be detected and removed at key network nodes, and the malicious code protection mechanism kept upgraded and updated;

b) Spam should be detected and blocked at key network nodes, and the spam protection mechanism kept upgraded and updated.

Security audit:

a) Security audits should be conducted at network boundaries and important network nodes, covering every user and auditing important user behaviour and important security events;

b) Audit records should include the date and time of the event, the user, the type of event, whether the event succeeded, and other audit-related information;

c) Audit records should be protected and backed up regularly to avoid unexpected deletion, modification or overwriting;

d) It should be possible to independently audit the behaviour of, and analyze the data of, remote access users and Internet access users.

Trusted verification:

a) Based on a root of trust, the system boot program, system program, important configuration parameters and border protection application programs of the border device should be verified as trusted, with dynamic trusted verification in the key execution links of the application programs; when trust is found to be compromised, an alarm should be raised and the verification result sent to the security management center as an audit record.

Cloud Computing Security Extension Requirements

Access control

|

a) An access control mechanism should be deployed at the border of the virtualized network, and access control rules should be set;

b) Access control mechanisms should be deployed at the borders of different levels of network areas, and access control rules should be set.

Intrusion Prevention

|

a) It should be able to detect network attacks initiated by cloud service customers, and record the attack type, attack time, attack traffic, etc.;

b) It should be able to detect network attacks on virtual network nodes, and record attack types, attack time, attack traffic, etc.;

c) It should be able to detect abnormal traffic between the virtual machine and the host machine, and between the virtual machine and the virtual machine;

d) Alarms should be issued when network attacks and abnormal traffic conditions are detected.

Security Audit

a) The privileged commands executed by cloud service providers and cloud service customers during remote management shall be audited, including at least virtual machine deletion and virtual machine restart;

b) It should be ensured that the cloud service provider's operations on the cloud service customer's system and data can be audited by the cloud service customer.

Mobile internet security extension requirements

Border Protection

a) It should ensure that the access and data flow between the wired network and the wireless network border pass through the wireless access gateway device.

Access control

a) The wireless access device shall enable its access authentication function and support authentication through an authentication server or through a cryptographic module approved by the national cryptographic management authority.

Intrusion Prevention


a) It should be able to detect the access behavior of unauthorized wireless access devices and unauthorized mobile terminals;

b) It should be able to detect network scanning, DDoS attacks, key cracking, man-in-the-middle attacks and spoofing attacks targeting wireless access devices;

c) It should be able to detect the activation status of high-risk functions such as SSID broadcast and WPS of wireless access devices;

d) Risky functions of wireless access devices and wireless access gateways should be disabled, such as: SSID broadcast, WEP authentication, etc.;

e) Multiple APs should be prohibited from using the same authentication key;

f) It should be able to block unauthorized wireless access devices or unauthorized mobile terminals.
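As an added example (not from the standard and not any vendor's controller software), the following Python runs checks a), c), d) and e) above over a constructed inventory of access points and a constructed scan result. The record fields, the inventory contents and the observed BSSIDs are assumptions made for the illustration; treating open networks like WEP is also an assumption, since d) names only WEP.

```python
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed inventory of authorized access points (field names assumed for the example).
AUTHORIZED_APS: List[Dict] = [
    {"id": "ap-lobby", "bssid": "00:11:22:33:44:01", "ssid_broadcast": False,
     "wps": False, "auth": "wpa2-enterprise", "psk": None},
    {"id": "ap-lab", "bssid": "00:11:22:33:44:02", "ssid_broadcast": True,
     "wps": False, "auth": "wep", "psk": "legacy-lab-key"},
    {"id": "ap-floor3", "bssid": "00:11:22:33:44:03", "ssid_broadcast": False,
     "wps": True, "auth": "wpa2-psk", "psk": "Shared-Office-Key"},
    {"id": "ap-floor4", "bssid": "00:11:22:33:44:04", "ssid_broadcast": False,
     "wps": False, "auth": "wpa2-psk", "psk": "Shared-Office-Key"},
]

# d) names WEP; treating open networks the same way is an assumption of this example.
WEAK_AUTH = {"wep", "open"}


def audit_aps(aps: List[Dict]) -> Dict[str, List[str]]:
    """c), d), e): risky functions, weak authentication and keys shared across APs.
    Returns findings keyed by AP id; APs with no findings are omitted."""
    findings: Dict[str, List[str]] = {ap["id"]: [] for ap in aps}
    psk_owners: Dict[str, List[str]] = {}
    for ap in aps:
        if ap["ssid_broadcast"]:
            findings[ap["id"]].append("SSID broadcast enabled")
        if ap["wps"]:
            findings[ap["id"]].append("WPS enabled")
        if ap["auth"] in WEAK_AUTH:
            findings[ap["id"]].append("weak authentication: " + ap["auth"])
        if ap["psk"]:
            # group by a digest so the report never carries the key itself
            fp = hashlib.sha256(ap["psk"].encode()).hexdigest()[:16]
            psk_owners.setdefault(fp, []).append(ap["id"])
    for owners in psk_owners.values():
        if len(owners) > 1:
            for ap_id in owners:
                others = ", ".join(o for o in owners if o != ap_id)
                findings[ap_id].append("authentication key shared with " + others)
    return {ap_id: f for ap_id, f in findings.items() if f}


def rogue_aps(observed_bssids: Iterable[str], aps: List[Dict]) -> Set[str]:
    """a): BSSIDs seen on the air that are not in the authorized inventory."""
    known = {ap["bssid"].lower() for ap in aps}
    return {b.lower() for b in observed_bssids} - known
```

The shared-key check compares digests rather than the keys themselves so that the finding report can be handled as an ordinary audit artefact; the rogue check is only as good as the inventory it is compared against, so the inventory must itself be maintained under the asset management controls.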

IoT Security Extension Requirements

Access control

a) It should be ensured that only authorized sensing nodes can access.

Intrusion Prevention

a) It should be possible to restrict the destination addresses with which sensing nodes communicate, to prevent attacks involving unknown addresses;

b) It should be possible to restrict the destination addresses with which gateway nodes communicate, to prevent attacks involving unknown addresses.

Security extension requirements for industrial control systems

Access control

a) Access control devices should be deployed between the industrial control system and other enterprise systems, access control policies configured, and any general network services such as E-Mail, Web, Telnet, Rlogin and FTP prohibited from crossing the zone boundary;

b) When the boundary protection mechanism between security zones inside the industrial control system fails, an alarm should be raised in time.

Dial-up Usage Control

a) If the industrial control system really needs to use the dial-up access service, the number of users with dial-up access rights shall be limited, and measures such as user identity authentication and access control shall be adopted;

b) Both the dial-up server and the client should use a security-hardened operating system, and take measures such as digital certificate authentication, transmission encryption, and access control.

Wireless Usage Control

a) All users (personnel, software processes or equipment) participating in wireless communication shall be provided with unique identification and authentication;

b) All users (personnel, software processes or equipment) participating in wireless communication shall be authorized and restricted to perform use;

c) Security measures for transmission encryption shall be adopted for wireless communication to realize the confidentiality protection of transmission messages;

d) For industrial control systems controlled via wireless communication technology, it should be possible to identify unauthorized wireless devices transmitting in the physical environment and to report unauthorized attempts to access or interfere with the control system.

4.4 Secure Computing Environment

General Security Requirements

Identity Authentication

a) Users logging in should be identified and authenticated; the identity identifier shall be unique, and authentication information shall meet complexity requirements and be changed regularly;

b) A login-failure handling function should be provided, with measures such as ending the session, limiting the number of failed login attempts and automatically logging out when the login connection times out configured and enabled;

c) When performing remote management, necessary measures shall be taken to prevent authentication information from being eavesdropped during network transmission;

d) Two or more authentication techniques, such as passwords, cryptographic tokens and biometrics, should be combined to authenticate users, and at least one of them should be implemented with cryptographic technology.
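An added illustration of the login controls in a) and b), written for this page rather than taken from the standard or any product: unique identifiers, a complexity rule, password rotation, lockout after repeated failures, and idle-session expiry. The thresholds (8 characters, 90 days, 5 failures, 15 minutes) are assumed policy values; the standard states the requirements, not the numbers.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed policy values for the illustration; the standard sets the requirement, not the numbers.
MIN_LENGTH = 8                  # complexity: length plus three of four character classes
MAX_PASSWORD_AGE = 90 * 86400   # rotation period in seconds
MAX_FAILURES = 5                # failed attempts before lockout
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT = 15 * 60          # idle time after which the session is ended
PBKDF2_ROUNDS = 100_000
CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_complexity_ok(pw: str) -> bool:
    """Minimum length and at least three of the four character classes."""
    if len(pw) < MIN_LENGTH:
        return False
    return sum(bool(re.search(c, pw)) for c in CHAR_CLASSES) >= 3


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a leaked store cannot be cracked cheaply."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: float          # epoch seconds of the last password change
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Tuple[str, float]] = {}   # token -> (user, last activity)

    def register(self, user_id: str, pw: str, now: float) -> None:
        if user_id in self.accounts:
            raise ValueError("identifier must be unique")          # a) unique identity
        if not password_complexity_ok(pw):
            raise ValueError("password does not meet the complexity policy")
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(user_id, salt, hash_password(pw, salt), now)

    def login(self, user_id: str, pw: str, now: float) -> Tuple[str, Optional[str]]:
        """Returns (status, session token); status is 'ok', 'denied', 'locked'
        or 'expired' (password older than the rotation period, must be changed)."""
        acct = self.accounts.get(user_id)
        if acct is None:
            hash_password(pw, bytes(16))   # same cost for unknown users: no enumeration by timing
            return "denied", None
        if now < acct.locked_until:
            return "locked", None
        if not hmac.compare_digest(hash_password(pw, acct.salt), acct.pw_hash):
            acct.failures += 1                                      # b) count failed attempts
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
                return "locked", None
            return "denied", None
        acct.failures = 0
        if now - acct.pw_set_at > MAX_PASSWORD_AGE:                 # a) regular replacement
            return "expired", None
        token = secrets.token_hex(16)
        self.sessions[token] = (user_id, now)
        return "ok", token

    def touch(self, token: str, now: float) -> bool:
        """Call on every request; ends the session once it has been idle too long (b)."""
        entry = self.sessions.get(token)
        if entry is None:
            return False
        user_id, last_seen = entry
        if now - last_seen > IDLE_TIMEOUT:
            del self.sessions[token]
            return False
        self.sessions[token] = (user_id, now)
        return True
```

The lockout check runs before the password hash is computed so that a locked account cannot be used as a cheap oracle, and the unknown-user branch still pays the hashing cost so that response time does not reveal which identifiers exist; d) (a second, cryptographic factor) would be layered on top of the "ok" result, not replaced by it.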

Access control

a) Accounts and permissions should be assigned to users who log in;

b) Default accounts should be renamed or deleted, and the default passwords of default accounts changed;

c) Redundant and expired accounts should be deleted or deactivated in time, and shared accounts avoided;

d) Management users should be granted the minimum permissions their duties require, achieving separation of privileges among management users;

e) The access control policy should be configured by the authorized subject, and the access control policy stipulates the access rules of the subject to the object;

f) The granularity of access control should be such that the subject is at the user level or process level, and the object is at the file and database table level;

g) Security marks should be set for important subjects and objects, and the subject's access to information resources with security marks should be controlled.
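An added example for e), f) and g), not taken from the standard: a small reference monitor that combines a discretionary rule table (subject to object to operations, at user and file or database-table granularity) with a mandatory check on security marks. A mark is a level plus a set of compartments; reads require the subject's mark to dominate the object's, writes the reverse, so information never flows to a lower mark. The level names, the compartments and the sample policy are assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}   # assumed scale


@dataclass(frozen=True)
class Label:
    """Security mark: a hierarchical level plus a set of compartments."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def mark_allows(subject: Label, obj: Label, op: str) -> bool:
    """No read up, no write down: reading needs the subject to dominate the object,
    writing needs the object to dominate the subject, so nothing flows downwards."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError("unknown operation: " + op)


class ReferenceMonitor:
    def __init__(self) -> None:
        self.subject_marks: Dict[str, Label] = {}
        self.object_marks: Dict[str, Label] = {}
        self.rules: Dict[Tuple[str, str], Set[str]] = {}   # (subject, object) -> ops

    def add_subject(self, subject_id: str, mark: Label) -> None:
        self.subject_marks[subject_id] = mark

    def add_object(self, object_id: str, mark: Label) -> None:
        self.object_marks[object_id] = mark

    def grant(self, subject_id: str, object_id: str, *ops: str) -> None:
        """Discretionary rule, set only by the authorized security administrator (e)."""
        self.rules.setdefault((subject_id, object_id), set()).update(ops)

    def decide(self, subject_id: str, object_id: str, op: str) -> bool:
        """Both the explicit rule (e, f) and the mark check (g) must pass."""
        if op not in self.rules.get((subject_id, object_id), set()):
            return False
        if subject_id not in self.subject_marks or object_id not in self.object_marks:
            return False   # an unmarked important subject or object fails closed
        return mark_allows(self.subject_marks[subject_id],
                           self.object_marks[object_id], op)
```

Note that a rule granted by an administrator cannot override the mark check: the rule says what the owner is willing to allow, the mark says what the policy allows at all, and the decision is the conjunction of the two.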

Security Audit

a) The security audit function should be enabled, and the audit covers every user, and audits important user behaviors and important security events;

b) Audit records should include the date and time of the event, the user, the type of event, whether the event was successful, and other audit-related information;

c) Audit records should be protected and backed up regularly to avoid unexpected deletion, modification or overwriting, etc.;

d) The audit process shall be protected against unauthorized interruption.
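An added illustration, not from the standard, serving both this control point and the network-level security audit above (which lists the same record fields and the same protection requirement): audit records carry the fields in b), and each record authenticates its predecessor with a keyed MAC, so a modification, deletion or reordering breaks the chain from that point, which is one way to meet c). The key and the sample events are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64   # chain value used by the first record


def _mac(key: bytes, rec: Dict[str, Any]) -> str:
    """HMAC over a canonical encoding of every field except the MAC itself."""
    body = {k: v for k, v in rec.items() if k != "mac"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self, key: bytes) -> None:
        self.key = key                        # held by the audit system, not the audited host
        self.records: List[Dict[str, Any]] = []
        self.head = GENESIS                   # MAC of the newest record; copy it to the backup site

    def record(self, ts: str, user: str, event: str, success: bool,
               **extra: Any) -> Dict[str, Any]:
        """Appends one record carrying the fields required in b) plus the chain link."""
        rec: Dict[str, Any] = {"seq": len(self.records), "time": ts, "user": user,
                               "event": event, "success": success, "prev": self.head}
        rec.update(extra)
        rec["mac"] = _mac(self.key, rec)
        self.head = rec["mac"]
        self.records.append(rec)
        return rec


def verify_chain(records: List[Dict[str, Any]], key: bytes,
                 expected_head: Optional[str] = None) -> int:
    """Returns -1 if the log is intact, otherwise the index of the first bad record.
    Edits, deletions and reordering break the link at that point; silent truncation
    of the newest records is only caught when the externally stored head is supplied,
    in which case len(records) is returned."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return i
        if not hmac.compare_digest(rec.get("mac", ""), _mac(key, rec)):
            return i
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return len(records)
    return -1
```

The caveat that matters in practice is the last case: a chain cannot by itself prove that nothing was removed from its end, which is why the regular backup in c) should include the current head value (or the whole log) held somewhere the audited host cannot write.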

Intrusion Prevention

a) The principle of minimal installation should be followed, installing only the required components and applications;

b) Unnecessary system services, default shares and high-risk ports should be closed;

c) Management terminals that administer the system over the network should be restricted by terminal access method or by network address range;

d) A data validity checking function should be provided to ensure that content entered through human-machine interfaces or received through communication interfaces conforms to the system's requirements;

e) Known vulnerabilities that may exist should be discoverable, and patched in time after thorough testing and evaluation;

f) Intrusions on important nodes should be detectable, with an alarm raised when a serious intrusion event occurs.

Malicious code prevention

a) Technical measures against malicious code attacks, or active-immunity trusted verification mechanisms, should be adopted to identify intrusion and virus behaviour in a timely manner and block it effectively.

Trusted Verification

a) Based on a root of trust, trusted verification should be performed on the boot program, system programs, important configuration parameters and applications of the computing device, and dynamic trusted verification should be performed at key execution points of the applications. When trustworthiness is found to be compromised, an alarm should be raised and the verification result sent to the security management center as an audit record.

Data Integrity

a) Verification technology or cryptographic technology should be used to ensure the integrity of important data during transmission, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data, and important personal information;

b) Verification technology or cryptographic technology should be used to ensure the integrity of important data during storage, including but not limited to authentication data, important business data, important audit data, important configuration data, important video data, and important personal information.
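An added illustration, not from the standard, of why a) and b) distinguish "verification technology" from "cryptographic technology": an unkeyed check value such as a CRC or a plain SHA-256 digest catches accidental corruption in storage or in transit, but an attacker who can alter the record can simply recompute it, whereas a keyed HMAC cannot be recomputed without the key. The record, the key and the corruption and forgery helpers are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

Stored = Dict[str, Any]   # {"body": bytes, "check": hex string} as kept in storage or sent on the wire


def canonical(record: Dict[str, Any]) -> bytes:
    """Stable encoding so the same record always yields the same check value."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _check(body: bytes, key: Optional[bytes]) -> str:
    if key is None:
        return hashlib.sha256(body).hexdigest()               # unkeyed: anyone can recompute it
    return hmac.new(key, body, hashlib.sha256).hexdigest()    # keyed: needs the secret


def protect(record: Dict[str, Any], key: Optional[bytes] = None) -> Stored:
    """Attach a check value; pass a key for cryptographic integrity protection."""
    body = canonical(record)
    return {"body": body, "check": _check(body, key)}


def verify(stored: Stored, key: Optional[bytes] = None) -> bool:
    return hmac.compare_digest(_check(stored["body"], key), stored["check"])


def forge(new_record: Dict[str, Any]) -> Stored:
    """What an attacker without the key can produce after altering the data:
    a replacement body together with a freshly computed unkeyed digest."""
    return protect(new_record)


def flip_bit(stored: Stored) -> Stored:
    """Simulates accidental corruption of one stored or transmitted byte."""
    body = bytearray(stored["body"])
    body[0] ^= 0x01
    return {"body": bytes(body), "check": stored["check"]}
```

The same pair of functions covers both a) and b): in transit the check value travels with the message, at rest it is stored beside the record, and in both cases only the keyed form gives protection against a party who can write as well as read.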

Data Confidentiality

a) Encryption technology should be used to ensure the confidentiality of important data during transmission, including but not limited to authentication data, important business data and important personal information, etc.;

b) Encryption technology should be used to ensure the confidentiality of important data during storage, including but not limited to authentication data, important business data, and important personal information.

Data backup and recovery


a) Local data backup and recovery functions for important data should be provided;

b) The off-site real-time backup function shall be provided, and the important data shall be backed up to the backup site in real time by using the communication network;

c) Hot redundancy of important data processing systems shall be provided to ensure high availability of the system.

Protection of residual information


a) It should be ensured that the storage space where the authentication information is located is completely cleared before being released or reallocated;

b) It should be ensured that the storage space containing sensitive data is completely cleared before being released or reallocated.

Cloud Computing Security Extension Requirements

Identity Authentication

a) When remotely managing devices in the cloud computing platform, a two-way authentication mechanism should be established between the management terminal and the cloud computing platform.

Access control


a) It should be ensured that when the virtual machine is migrated, the access control policy is migrated with it;

b) Cloud service customers should be allowed to set access control policies between different virtual machines.

Intrusion Prevention


a) It should be able to detect the failure of resource isolation between virtual machines and give an alarm;

b) Unauthorized creation of new virtual machines or re-enabling of virtual machines should be detectable, with an alarm raised;

c) It should be able to detect malicious code infection and spread among virtual machines, and give an alarm.

Image and Snapshot Protection

a) Hardened operating system images or operating system security hardening services shall be provided for important business systems;

b) The virtual machine image and snapshot integrity verification function should be provided to prevent the virtual machine image from being maliciously tampered with;

c) Cryptography or other technical means shall be adopted to prevent illegal access to sensitive resources that may exist in virtual machine images and snapshots.

Data Integrity and Confidentiality

a) It should be ensured that cloud service customer data, user personal information, etc. are stored within China; where they need to be transferred abroad, the relevant national regulations should be followed;

b) It should be ensured that the cloud service provider or a third party has management authority over cloud service customer data only with the cloud service customer's authorization;

c) Checksums or cryptographic technology should be used to ensure the integrity of important data during virtual machine migration, and necessary recovery measures taken when integrity is found to be compromised;

d) Cloud service customers should be supported to deploy key management solutions to ensure that cloud service customers can realize the encryption and decryption process of data by themselves.

Data backup and recovery


a) Cloud service customers should keep backups of their business data locally;

b) The ability to query cloud service customer data and backup storage locations shall be provided;

c) The cloud storage service of the cloud service provider shall ensure that there are several available copies of the cloud service customer data, and the contents of each copy shall be consistent;

d) Technical means should be provided for cloud service customers to migrate business systems and data to other cloud computing platforms or to local systems, with assistance in completing the migration.

Protection of residual information


a) It should be ensured that the memory and storage space used by the virtual machine are completely cleared when reclaiming;

b) When a cloud service customer deletes business application data, the cloud computing platform shall delete all copies in the cloud storage.

4.5 Security Management Center

General Security Requirements

System Management

a) System administrators should be authenticated, only allowed to perform system management operations through specific commands or operation interfaces, and audit these operations;

b) System administrators should configure, control and manage system resources and operation, including user identity, system resource configuration, system loading and startup, exception handling of system operation, backup and recovery of data and equipment, etc.

Audit Management

a) Audit administrators should be authenticated, only allowed to perform security audit operations through specific commands or operation interfaces, and audit these operations;

b) Audit records should be analyzed by the audit administrator, and processed according to the analysis results, including storage, management and query of audit records according to security audit policies.

Security Management

a) Security administrators should be authenticated, only allowed to perform security management operations through specific commands or operation interfaces, and audit these operations;

b) The security policy in the system should be configured through the security administrator, including the setting of security parameters, unified security marking of subjects and objects, authorization of subjects, configuration of trusted verification strategies, etc.

Centralized Control

a) A specific management area should be designated to manage and control the security devices or security components distributed across the network;

b) It should be possible to establish a secure information transmission path for managing the security devices or security components in the network;

c) The operating status of network links, security equipment, network equipment and servers, etc. should be monitored centrally;

d) The audit data scattered across devices should be collected, aggregated and analyzed centrally, and audit records retained for the period required by laws and regulations;

e) Security-related matters such as security policies, malicious code and patch upgrades should be managed centrally;

f) It should be possible to identify, alarm on and analyze the various security events that occur in the network.

Cloud Computing Security Extension Requirements

centralized control


a) It should be able to conduct unified management, scheduling and allocation of physical resources and virtual resources according to policies;

b) It should be ensured that the cloud computing platform management traffic is separated from the cloud service customer business traffic;

c) According to the division of responsibilities between cloud service providers and cloud service customers, the audit data of their respective control parts should be collected and their respective centralized audits should be realized;

d) According to the division of responsibilities between cloud service providers and cloud service customers, centralized monitoring of the operating status of their respective control parts, including virtualized networks, virtual machines, and virtualized security devices, should be realized.

4.6 Security Management System

General Security Requirements


Security Policy

a) The overall policy and security strategy for network security work should be formulated, and the overall goals, scope, principles and security framework of the organization's security work should be clarified.

Management System

a) A security management system should be established for each management area within security management activities;

b) Operating procedures should be established for the daily management operations performed by administrators or operators;

c) A comprehensive security management system consisting of security policies, management rules, operating procedures and record forms should be formed.

Formulation and Release

a) A dedicated department or person should be designated or authorized to be responsible for formulating the security management system;

b) The security management system should be released in a formal and effective manner and placed under version control.

Review and Revision

a) The rationality and applicability of the security management system should be demonstrated and verified regularly, and any part found deficient or in need of improvement revised.

4.7 Security Management Organization

General Security Requirements


Position Setup

a) A committee or leading group should be established to guide and manage network security work, led by the head of the organization or a person authorized by them;

b) Functional departments for network security management should be established, positions of security supervisors and persons in charge of various aspects of security management should be established, and the responsibilities of each person in charge should be defined;

c) Positions such as system administrators, audit administrators, and security administrators should be established, and the responsibilities of departments and each job position should be defined.

Staffing

a) A sufficient number of system administrators, audit administrators and security administrators should be assigned;

b) Security administrators should be full-time and should not hold concurrent positions.

Authorization and approval


a) According to the responsibilities of each department and position, the authorized approval items, approval departments and approvers, etc. should be clearly defined;

b) Approval procedures should be established for system changes, important operations, physical access and system access, etc., and the approval process should be implemented in accordance with the approval procedures, and a level-by-level approval system should be established for important activities;

c) Examination and approval items should be reviewed regularly, and information such as items requiring authorization and approval, approval departments, and approvers should be updated in a timely manner.

Communication and Cooperation

a) The cooperation and communication between various management personnel, internal organizations and network security management departments should be strengthened, and coordination meetings should be held regularly to jointly deal with network security issues;

b) Cooperation and communication with network security functional departments, various suppliers, industry experts and security organizations should be strengthened;

c) A contact list of outreach units should be established, including information such as the name of the outreach unit, content of cooperation, contacts, and contact information.

Audit and Inspection

a) Routine security checks should be carried out regularly, covering daily system operation, system vulnerabilities, data backup, etc.;

b) Comprehensive security inspections should be carried out regularly, covering the effectiveness of existing security technical measures, the consistency of security configurations with security policies, and the implementation of the security management system, etc.;

c) A security inspection form should be formulated to carry out security inspections, security inspection data collected, a security inspection report formed, and the results of the security inspection reported.

4.8 Security Management Personnel

General Security Requirements


Recruitment

a) A special department or person shall be designated or authorized to be responsible for the recruitment of personnel;

b) The identity, security background, professional qualifications or certifications of hired personnel should be reviewed, and their technical skills assessed;

c) A confidentiality agreement should be signed with hired personnel, and a position responsibility agreement with personnel in key positions.

Personnel Departure

a) All access rights of departing personnel should be terminated in time, and all identity documents, keys, badges, etc., as well as the hardware and software equipment provided by the organization, retrieved;

b) Strict transfer procedures should be followed, and personnel may leave only after committing to confidentiality obligations that apply after departure.

Security Awareness Education and Training

a) Security awareness education and job-skill training should be provided to all categories of personnel, who should be informed of the relevant security responsibilities and disciplinary measures;

b) Different training plans should be formulated for different positions, covering basic security knowledge, job operating procedures, etc.;

c) Skill assessments of personnel in different positions should be carried out regularly.

External Personnel Access Management

a) Before external personnel physically access a controlled area, a written application should be submitted; after approval, they should be accompanied throughout by a designated person and registered for the record;

b) Before external personnel connect to the controlled network to access systems, a written application should be submitted; after approval, a designated person should create the account and assign permissions, and the access registered for the record;

c) After external personnel leave, all of their access rights should be removed in time;

d) External personnel granted system access authorization should sign a confidentiality agreement, shall not perform unauthorized operations, and shall not copy or disclose any sensitive information.

4.9 Security Construction Management

General Security Requirements


Grading and Filing

a) The security protection level of the protected object, and the method and reasons for determining that level, should be stated in writing;

b) Relevant departments and security technical experts should be organized to demonstrate and review the rationality and correctness of the grading result;

c) It should be ensured that the grading result is approved by the relevant departments;

d) The filing materials should be submitted to the competent department and the corresponding public security organ for the record.

Security Scheme Design

a) Basic security measures should be selected according to the security protection level, and supplemented and adjusted according to the results of risk analysis;

b) Overall security planning and security scheme design should be carried out according to the security protection level of the protected object and its relationship with protected objects of other levels; the design should include content relating to cryptographic technology, and supporting documents should be produced;

c) Relevant departments and security experts should be organized to demonstrate and review the rationality and correctness of the overall security plan and its supporting documents, which may be formally implemented only after approval.

Product Procurement and Use

a) It should be ensured that the procurement and use of network security products comply with the relevant national regulations;

b) It should be ensured that the procurement and use of cryptographic products and services meet the requirements of the national cryptographic management authority;

c) Product selection tests should be conducted in advance to determine the candidate range of products, and the list of candidate products reviewed and updated regularly.

In-house Software Development

a) The development environment should be physically separated from the production environment, and test data and test results kept under control;

b) A software development management system should be formulated, clearly stating the control methods for the development process and the code of conduct for personnel;

c) Secure coding specifications should be formulated, and developers required to write code in accordance with them;

d) Design documents and usage guides for the software should be available, and their use controlled;

e) It should be ensured that security is tested during the software development process, and that software is checked for possible malicious code before installation;

f) Modification, update and release of the program repository should be authorized and approved, and strict version control applied;

g) It should be ensured that developers are full-time personnel, and that their development activities are controlled, monitored and reviewed.

Outsourced Software Development

a) Software should be checked for possible malicious code before delivery;

b) It should be ensured that the development unit provides software design documents and usage guides;

c) It should be ensured that the development unit provides the software source code, and the software reviewed for possible backdoors and covert channels.

Project Implementation

a) A dedicated department or person shall be designated or authorized to be responsible for managing the project implementation process;

b) A security engineering implementation plan shall be formulated to control the implementation process;

c) The implementation process should be controlled through third-party engineering supervision.

Test Acceptance

a) A test acceptance plan shall be formulated, test acceptance carried out according to it, and a test acceptance report produced;

b) Security testing shall be conducted before going live and a security test report issued; the report shall include content on the security testing of the cryptographic application.

System Delivery

a) A delivery list shall be formulated, and the handed over equipment, software and documents shall be counted according to the delivery list;

b) The technical personnel in charge of operation and maintenance shall be provided with corresponding skill training;

c) Construction process documents and operation and maintenance documents shall be provided.

Level Evaluation

a) Level evaluation should be carried out regularly, and any failure to meet the requirements of the corresponding level protection standard rectified in time;

b) Level evaluation should be carried out when major changes or changes of level occur;

c) It should be ensured that the selection of assessment institutions complies with relevant national regulations.

Service Provider Selection


a) It should ensure that the selection of service providers complies with the relevant national regulations;

b) Relevant agreements should be signed with the selected service provider to clarify the network security-related obligations to be performed by all parties in the entire service supply chain;

c) The services provided by the service provider shall be regularly supervised, reviewed and audited, and the change of service content shall be controlled.

Cloud Computing Security Extension Requirements

Cloud service provider selection


a) A security-compliant cloud service provider should be selected, and the cloud computing platform it provides should provide a corresponding level of security protection capabilities for the business application systems it carries;

b) The service content and specific technical indicators of the cloud service shall be stipulated in the service level agreement;

c) The authority and responsibility of the cloud service provider should be specified in the service level agreement, including management scope, division of responsibilities, access authorization, privacy protection, code of conduct, liability for breach of contract, etc.;

d) It shall be stipulated in the service level agreement that when the service contract expires, the cloud service customer data shall be fully provided, and the relevant data shall be cleared on the cloud computing platform;

e) A confidentiality agreement should be signed with the selected cloud service provider, requiring them not to disclose cloud service customer data.

Supply Chain Management

a) It should be ensured that the selection of suppliers complies with the relevant national regulations;

b) Supply chain security event information or security threat information shall be communicated to cloud service customers in a timely manner.

Mobile internet security extension requirements

Mobile App Purchasing


a) It should be ensured that the application software installed and running on the mobile terminal comes from a reliable distribution channel or is signed with a reliable certificate;

b) It should be ensured that the application software installed and running on the mobile terminal is developed by a designated developer.

Mobile App Development


a) Qualification examination should be conducted for developers of mobile business application software;

b) The legality of the signature certificate for developing mobile business application software should be guaranteed.

Security extension requirements for industrial control systems

Product Procurement and Use

a) Important equipment of the industrial control system shall be procured and used only after passing security testing by a professional institution.

Outsourced Software Development

a) Restrictive clauses for development units and suppliers should be specified in the outsourcing development contract, covering confidentiality of equipment and systems over their life cycle, prohibition of key-technology diffusion, and equipment industry-specific requirements.

Big Data Security Extension Requirements

Big data platform


a) A secure and compliant big data platform should be selected, and the big data platform services it provides should provide corresponding levels of security protection capabilities for the big data applications it carries;

b) The authority and responsibility of the big data platform provider, the content of various services and specific technical indicators, etc., especially the content of security services, should be agreed in writing;

c) Recipients of exchanged and shared data should be clearly bound by data protection obligations, and it should be ensured that they have sufficient or equivalent security protection capabilities.

4.10 Security Operation and Maintenance Management

General Security Requirements


Environmental Management

a) A dedicated department or person should be designated to be responsible for computer room security, to manage access to the computer room, and to regularly maintain and manage the room's power supply and distribution, air conditioning, temperature and humidity control, fire protection and other facilities;

b) A computer room security management system should be established, with rules for physical access, items brought in and out, and environmental security;

c) Visitors should not be received in important areas, and paper documents and removable media containing sensitive information should not be left lying around.

Asset Management

a) A list of assets related to the protection object shall be compiled and kept, including the responsible department, importance and location of the assets;

b) Assets should be marked and managed according to their importance, and corresponding management measures should be selected according to their value;

c) Provisions shall be made for information classification and identification methods, and standardized management of information use, transmission and storage shall be carried out.

Media Management

a) Media should be stored in a secure environment, all types of media controlled and protected, the storage environment managed by a designated person, and the inventory checked regularly against the catalogue of archived media;

b) Personnel selection, packaging, and delivery of media during the physical transmission process shall be controlled, and the archiving and query of media shall be registered and recorded.

Equipment maintenance management


a) Special departments or personnel should be designated for regular maintenance and management of various equipment (including backup and redundant equipment), lines, etc.;

b) A management system for supporting facilities, software and hardware maintenance should be established to effectively manage their maintenance, including clarifying the responsibilities of maintenance personnel, approval of maintenance and services, and supervision and control of maintenance processes, etc.;

c) Information processing equipment should be approved before being taken out of the computer room or office location, and important data in equipment containing storage media should be encrypted when taken out of the working environment;

d) Devices containing storage media should be completely cleared or securely overwritten before being scrapped or reused, so that sensitive data and licensed software on the device cannot be recovered and reused.

Vulnerability and Risk Management

a) Necessary measures shall be taken to identify security vulnerabilities and hidden risks, and those discovered repaired in a timely manner or after assessing the possible impact;

b) Security assessments should be carried out regularly, a security assessment report should be formed, and measures should be taken to deal with discovered security issues.

Network and System Security Management


a) Different administrator roles should be divided for network and system operation and maintenance management, and the responsibilities and permissions of each role should be clarified;

b) Special departments or personnel shall be designated to manage accounts, and control the application for accounts, creation of accounts, deletion of accounts, etc.;

c) A network and system security management system should be established to provide for security policies, account management, configuration management, log management, daily operations, upgrades and patches, and password update cycles;

d) The configuration and operation manual of important equipment shall be formulated, and the equipment shall be safely configured and optimized according to the manual;

e) The operation and maintenance operation log should be recorded in detail, including daily inspection work, operation and maintenance records, parameter setting and modification, etc.;

f) Special departments or personnel should be designated to analyze and count logs, monitoring and alarm data, etc., to detect suspicious behaviors in time;

g) Change-related operation and maintenance should be strictly controlled: connections, installation of system components and configuration parameters may only be changed after approval; immutable audit logs should be kept during the operation, and the configuration information database should be updated synchronously after the operation is completed;

h) The use of operation and maintenance tools should be strictly controlled, and tools may only be used after approval; immutable audit logs should be kept during the operation, and sensitive data in the tools should be deleted after the operation is completed;

i) The opening of remote operation and maintenance should be strictly controlled, and a remote operation and maintenance interface or channel may only be opened after approval; immutable audit logs should be kept during the operation, and the interface or channel should be closed immediately after the operation is completed;

j) It should be ensured that all external connections are authorized and approved, and regular checks should be made for unauthorized wireless Internet access and other violations of network security policy.
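Items e) to i) above ask for detailed operation and maintenance records, analysis of those records to spot suspicious behaviour, and audit logs that cannot be altered afterwards. As an added example (not code from the article or from GB/T 22239), the Python below keeps O&M events in a hash-chained log so that any later edit of an entry is detected by verify(), and runs a simple rule pass over the same events that reports operations lacking an approval reference and remote channels that were opened but never closed. The event layout, operator names, target names and approval ids are assumptions made for the demo.

```python
"""Tamper-evident O&M audit trail with approval checks (added example).

Not from the article or GB/T 22239: every O&M event (remote channel opened
or closed, tool used, component installed) is appended to a hash-chained
log so later edits or deletions are detectable, and a simple rule pass
flags what items g)-i) treat as violations: operations without an approval
reference and remote channels that were opened but never closed.
Event fields, operator names and approval ids are constructed for the demo.
"""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash, event):
    """Hash of the previous entry's hash plus a canonical encoding of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only hash chain: entry i commits to the hash of entry i-1."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": dict(event), "prev": prev, "hash": _digest(prev, event)})

    def verify(self):
        """Return the index of the first entry whose link is broken, or None if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
                return i
            prev = entry["hash"]
        return None


APPROVAL_REQUIRED = {"remote_open", "tool_use", "component_install"}


def find_violations(events):
    """Flag approval-less operations and remote channels still open at the end."""
    violations = []
    open_channels = {}
    for ev in events:
        if ev["action"] in APPROVAL_REQUIRED and not ev.get("approval"):
            violations.append((ev["ts"], ev["operator"], "no approval for " + ev["action"]))
        if ev["action"] == "remote_open":
            open_channels[ev["target"]] = ev
        elif ev["action"] == "remote_close":
            open_channels.pop(ev["target"], None)
    for target, ev in open_channels.items():
        violations.append((ev["ts"], ev["operator"], "remote channel to %s not closed" % target))
    return violations


# Constructed sample events (not real records).
SAMPLE_EVENTS = [
    {"ts": "2023-03-01T09:00", "operator": "ops01", "action": "remote_open", "target": "db-01", "approval": "CHG-1001"},
    {"ts": "2023-03-01T09:40", "operator": "ops01", "action": "remote_close", "target": "db-01", "approval": "CHG-1001"},
    {"ts": "2023-03-01T10:05", "operator": "ops02", "action": "tool_use", "target": "fw-01", "approval": ""},
    {"ts": "2023-03-01T11:30", "operator": "ops03", "action": "remote_open", "target": "app-02", "approval": "CHG-1002"},
]


def build_log(events=SAMPLE_EVENTS):
    log = AuditLog()
    for ev in events:
        log.append(ev)
    return log


if __name__ == "__main__":
    log = build_log()
    print("chain intact:", log.verify() is None)
    log.entries[1]["event"]["operator"] = "someone-else"  # simulate after-the-fact editing
    print("first broken entry after tampering:", log.verify())
    for ts, who, msg in find_violations(SAMPLE_EVENTS):
        print(ts, who, msg)
```

A hash chain by itself makes tampering detectable rather than impossible: someone who can rewrite the whole file can rebuild the chain. In practice the latest chain hash is periodically copied to a write-once medium or a separate system that the O&M staff cannot modify, which is what turns the detection into the "immutable" log the standard asks for.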

Malicious Code Defense Management

a) Anti-malicious-code awareness should be raised among all users, and malicious code checks should be performed before external computers or storage devices are connected to the system;

b) The effectiveness of technical measures to prevent malicious code attacks should be regularly verified.

Configuration management

a) Basic configuration information should be recorded and saved, including the network topology, the software components installed on each device, the version and patch information of those components, and the configuration parameters of each device or software component;

b) Changes to basic configuration information should be brought within the scope of change control, changes to configuration information should be controlled, and the basic configuration information database should be updated in a timely manner.

Cryptography management

a) National and industry standards related to cryptography shall be followed;

b) Cryptographic technologies and products certified and approved by the State Cryptography Administration shall be used.

Change management

a) Change requirements should be clarified, and a change plan should be formulated according to the change requirements before the change, and the change plan can only be implemented after review and approval;

b) Change reporting and approval control procedures shall be established, all changes shall be controlled according to the procedures, and the implementation process of changes shall be recorded;

c) A procedure for suspending changes and recovering from failed changes shall be established, process control methods and personnel responsibilities shall be clarified, and recovery process drills shall be conducted if necessary.
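The configuration management items above and change management items a) to c) describe one loop: record a baseline, put every change to it under approval, and keep the baseline database current. The Python below is an added illustration of that loop, not code from the article or the standard: it diffs a freshly collected inventory against the baseline, labels each difference as approved or unauthorised according to the change records, and writes only the approved differences back into the baseline. Device names, component versions, the syslog address and the change ids are constructed for the demo.

```python
"""Baseline configuration database with change-controlled drift detection (added example).

Not from the article or the standard: the baseline records, per device, the
installed components with their versions and the key configuration
parameters. A drift check compares a freshly collected inventory with the
baseline, and every difference must be covered by an approved change record;
anything else is reported as an unauthorised change. Only approved
differences are written back into the baseline. Device names, versions,
addresses and change ids are constructed for the demo.
"""
import copy
from dataclasses import dataclass


@dataclass
class DeviceConfig:
    components: dict  # component name -> version / patch level
    params: dict      # configuration parameter -> value


@dataclass
class ChangeRecord:
    change_id: str
    device: str
    approved: bool
    items: set        # keys of the form "component:<name>" or "param:<name>"


def diff_device(baseline, current):
    """Map item key -> (old, new) for every changed, added or removed item."""
    changes = {}
    for kind, old, new in (("component", baseline.components, current.components),
                           ("param", baseline.params, current.params)):
        for name in sorted(set(old) | set(new)):
            if old.get(name) != new.get(name):
                changes["%s:%s" % (kind, name)] = (old.get(name), new.get(name))
    return changes


def check_drift(baseline_db, current_db, change_records):
    """Return (device, item, old, new, status) rows; status is approved(<id>) or unauthorised."""
    approved = {(r.device, item): r.change_id for r in change_records if r.approved for item in r.items}
    report = []
    for device in sorted(set(baseline_db) | set(current_db)):
        base = baseline_db.get(device, DeviceConfig({}, {}))
        cur = current_db.get(device, DeviceConfig({}, {}))
        for item, (old, new) in diff_device(base, cur).items():
            change_id = approved.get((device, item))
            status = "approved(%s)" % change_id if change_id else "unauthorised"
            report.append((device, item, old, new, status))
    return report


def apply_approved_changes(baseline_db, report):
    """Update the baseline only for differences covered by an approved change (item b))."""
    for device, item, _old, new, status in report:
        if not status.startswith("approved"):
            continue  # unauthorised drift must be rolled back, not baselined
        kind, name = item.split(":", 1)
        target = baseline_db.setdefault(device, DeviceConfig({}, {}))
        store = target.components if kind == "component" else target.params
        if new is None:
            store.pop(name, None)
        else:
            store[name] = new
    return baseline_db


# Constructed sample data.
BASELINE = {
    "fw-01": DeviceConfig({"firmware": "5.2.1", "ids-signatures": "2023-02-20"},
                          {"ssh_remote_admin": "disabled", "syslog_target": "10.0.0.5"}),
    "web-01": DeviceConfig({"nginx": "1.22.1"}, {"tls_min_version": "1.2"}),
}
COLLECTED = {
    "fw-01": DeviceConfig({"firmware": "5.2.3", "ids-signatures": "2023-02-20"},
                          {"ssh_remote_admin": "enabled", "syslog_target": "10.0.0.5"}),
    "web-01": DeviceConfig({"nginx": "1.22.1"}, {"tls_min_version": "1.2"}),
}
CHANGES = [ChangeRecord("CHG-2001", "fw-01", True, {"component:firmware"})]


def run_demo():
    """Drift report plus the baseline after writing back only the approved change."""
    report = check_drift(BASELINE, COLLECTED, CHANGES)
    updated = apply_approved_changes(copy.deepcopy(BASELINE), report)
    return report, updated


if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

In the sample the firmware upgrade on fw-01 is covered by CHG-2001 and is baselined, while the enabling of remote SSH administration has no change record and stays flagged; the baseline keeps "disabled" until the drift is either reverted or retroactively approved through the change procedure.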

Backup and Recovery Management

a) Important business information, system data and software systems that need to be backed up regularly shall be identified;

b) The backup method, backup frequency, storage medium, storage period, etc. of the backup information shall be stipulated;

c) According to the importance of data and the impact of data on system operation, data backup and recovery strategies, backup procedures and recovery procedures, etc. should be formulated.

Handling of security incidents

a) Discovered security weaknesses and suspicious events should be reported to the security management department in a timely manner;

b) A security incident reporting and handling management system should be formulated to clarify the reporting, handling, and response procedures for different security incidents, and specify the management responsibilities for on-site handling of security incidents, incident reporting, and post-recovery, etc.;

c) During the process of security incident reporting and response handling, analyze and identify the cause of the incident, collect evidence, record the handling process, and summarize experience and lessons;

d) Different handling and reporting procedures should be adopted for major security incidents that cause system interruption or information leakage.

Emergency plan management

a) A unified emergency plan framework should be stipulated, including the conditions for starting the plan, the composition of the emergency organization, the guarantee of emergency resources, post-event education and training, etc.;

b) Contingency plans for important events should be formulated, including emergency handling procedures, system recovery procedures, etc.;

c) The personnel related to the system should be regularly trained on the emergency plan, and drills of the emergency plan should be carried out;

d) The original emergency plan should be regularly reassessed, revised and improved.

Outsourced operation and maintenance management

a) It should be ensured that the selection of outsourced operation and maintenance service providers complies with relevant national regulations;

b) Relevant agreements should be signed with the selected outsourced operation and maintenance service provider to clearly stipulate the scope and work content of outsourced operation and maintenance;

c) It should be ensured that the selected outsourced operation and maintenance service provider has the technical and management ability to carry out security operation and maintenance in accordance with the graded protection requirements, and these ability requirements should be specified in the signed agreement;

d) All relevant security requirements should be specified in the agreement signed with the outsourced operation and maintenance service provider, such as requirements for the access, processing and storage of sensitive information, and emergency protection requirements for interruption of IT infrastructure services.

Cloud Computing Security Extension Requirements

Cloud Computing Environment Management

a) The operation and maintenance location of the cloud computing platform should be within China, and operation and maintenance of a domestic cloud computing platform should comply with the relevant national regulations.

Mobile internet security extension requirements

Configuration management

a) A configuration library of legitimate wireless access devices and legitimate mobile terminals should be established, so that unauthorized wireless access devices and unauthorized mobile terminals can be identified.
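One way to turn this requirement into a check, as an added example that is not part of the article: a registry of legitimate access points (SSID plus BSSID) and enrolled terminals (MAC address), and a classification of a wireless scan against it. An unknown radio broadcasting a registered SSID is reported separately from an unknown network, because impersonation of the corporate SSID is the case a defender most wants to notice. SSIDs and MAC addresses are constructed; how the scan data is obtained (a controller export or a wireless IDS feed) is outside the example.

```python
"""Registry of authorised wireless access points and mobile terminals (added example).

Not part of the article: a registry of legitimate APs (SSID + BSSID) and
enrolled terminals (MAC address) is compared with a constructed scan result.
Unknown BSSIDs that broadcast a registered SSID are reported as suspected
impersonating APs, other unknown BSSIDs as unauthorised APs, and unknown
client MACs as unregistered terminals. SSIDs and MAC addresses below are
constructed, not real devices.
"""
import re


def norm_mac(mac):
    """Normalise 'AA-BB-CC-11-22-33', 'aabb.cc11.2233' or 'aa:bb:..' to lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


class WirelessRegistry:
    """Configuration library of legitimate APs and terminals."""

    def __init__(self, access_points, terminals):
        self.ap_bssids = {norm_mac(bssid): ssid for ssid, bssid in access_points}
        self.ssids = {ssid for ssid, _ in access_points}
        self.terminals = {norm_mac(mac) for mac in terminals}

    def classify_scan(self, seen_aps, seen_clients):
        """Return (finding, ssid, mac) rows for everything that is not in the registry."""
        findings = []
        for ssid, bssid in seen_aps:
            b = norm_mac(bssid)
            if b in self.ap_bssids:
                if self.ap_bssids[b] != ssid:  # registered radio, but not the SSID we expect
                    findings.append(("registered-ap-unexpected-ssid", ssid, b))
            elif ssid in self.ssids:
                findings.append(("suspected-impersonating-ap", ssid, b))
            else:
                findings.append(("unauthorised-ap", ssid, b))
        for mac in seen_clients:
            m = norm_mac(mac)
            if m not in self.terminals:
                findings.append(("unregistered-terminal", "", m))
        return findings


# Constructed registry and scan data.
REGISTERED_APS = [("CORP-OFFICE", "00:11:22:33:44:01"), ("CORP-GUEST", "00:11:22:33:44:02")]
REGISTERED_TERMINALS = ["aa:bb:cc:00:00:01", "AA-BB-CC-00-00-02"]
SCANNED_APS = [
    ("CORP-OFFICE", "00:11:22:33:44:01"),   # legitimate
    ("CORP-OFFICE", "de:ad:be:ef:00:01"),   # same SSID, unknown radio
    ("FreeWifi", "de:ad:be:ef:00:02"),      # unknown network
]
SCANNED_CLIENTS = ["aabb.cc00.0001", "aa:bb:cc:00:00:99"]


def build_registry():
    return WirelessRegistry(REGISTERED_APS, REGISTERED_TERMINALS)


if __name__ == "__main__":
    for finding in build_registry().classify_scan(SCANNED_APS, SCANNED_CLIENTS):
        print(finding)
```

MAC addresses can be spoofed, so a registry match shows that a device claims a known identity, not that it is that device; the registry is the identification step the requirement asks for, and terminal admission still relies on 802.1X or certificate-based authentication on the access side.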

IoT Security Extension Requirements

Sensing node equipment physical protection

a) Personnel should be designated to regularly inspect the deployment environment of sensing node devices and gateway node devices, and record and maintain environmental anomalies that may affect the normal operation of sensing node devices and gateway node devices;

b) The process of warehousing, storage, deployment, carrying, maintenance, loss and scrapping of sensing node equipment and gateway node equipment should be clearly stipulated, and the whole process management should be carried out;

c) The confidentiality management of the deployment environment of sensing node equipment and gateway node equipment should be strengthened, including that personnel responsible for inspection and maintenance should immediately return relevant inspection tools and inspection and maintenance records when they leave their jobs.

Big Data Security Extension Requirements

Big data platform

a) A data asset security management strategy should be established, specifying the operating norms, protection measures and management responsibilities for the entire data life cycle, including but not limited to data collection, storage, processing, application, transfer and destruction;

b) Data classification and grading protection strategies should be formulated and implemented, and different security protection measures should be formulated for data of different categories and levels;

c) On the basis of data classification and grading, the scope of important data assets should be defined, and the usage scenarios and business processing procedures for automatic desensitization or de-identification of important data should be clarified;

d) The category and level of data should be regularly reviewed; if the category or level of data needs to change, the change should be implemented according to the change approval process.
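Items a) to c) describe classification and grading followed by automatic desensitization of important data. The Python below is an added example, not the article's or any platform's code: a per-field classification policy drives de-identification of a record, with a keyed hash for identifiers (so records can still be joined without exposing the value), partial masking for phone numbers and suppression for free text. Field names, levels, the sample record and the key are constructed for illustration; item d)'s periodic review would correspond to changing POLICY under the change approval process.

```python
"""Field-level data classification with automatic de-identification (added example).

Not from the article or the standard: each field of a record carries a
classification level (1 public .. 4 core) and a treatment. Fields at or
above a configured level are de-identified before the record leaves the
controlled processing zone: identifiers are pseudonymised with a keyed
hash (HMAC-SHA256) so records can still be joined without exposing the
value, phone numbers are partially masked, and free text is suppressed.
Field names, levels, the sample record and the demo key are constructed.
"""
import hashlib
import hmac

# Classification policy: field -> (level, treatment). Unknown fields are
# treated as level 4 and suppressed, so a new column can never leak by default.
POLICY = {
    "user_id":   (3, "pseudonymise"),
    "phone":     (3, "mask_phone"),
    "id_number": (4, "pseudonymise"),
    "address":   (3, "suppress"),
    "city":      (1, "keep"),
    "order_amt": (2, "keep"),
}
DEFAULT_RULE = (4, "suppress")

DEMO_KEY = b"constructed-demo-key"  # real deployments: key from a managed key store, rotated


def pseudonymise(value, key=DEMO_KEY):
    """Deterministic keyed hash: same input gives the same token, not reversible without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_phone(value):
    """Keep the first 3 and last 4 digits, mask the rest (e.g. 138****1234)."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) < 7:
        return "*" * len(digits)
    return digits[:3] + "*" * (len(digits) - 7) + digits[-4:]


def deidentify(record, threshold=3, policy=POLICY):
    """Return a copy of record with every field at level >= threshold de-identified."""
    out = {}
    for name, value in record.items():
        level, treatment = policy.get(name, DEFAULT_RULE)
        if level < threshold or treatment == "keep":
            out[name] = value
        elif treatment == "pseudonymise":
            out[name] = pseudonymise(str(value))
        elif treatment == "mask_phone":
            out[name] = mask_phone(str(value))
        else:  # suppress
            out[name] = None
    return out


# Constructed sample record (not a real person).
SAMPLE_RECORD = {
    "user_id": "u-10086",
    "phone": "13800001234",
    "id_number": "ID-CONSTRUCTED-0001",
    "address": "No. 1 Example Road",
    "city": "Beijing",
    "order_amt": 99.5,
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD, threshold=4))  # only core (level 4) data transformed
```

The threshold is what ties the code to the usage scenario in item c): an analytics export might run with threshold 3, while a processing step inside the controlled zone runs with threshold 4 and only transforms core data. Because the pseudonym is keyed, whoever holds DEMO_KEY can still recompute tokens for known values, so the key must be protected like the data it replaces.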

5. Security equipment recommendations for MLPS 2.0

5.1 Recommended equipment for Level 2

5.1.1 Requirements for security measures in the computer room (Level 2 standard)

  • Anti-theft alarm system
  • Fire extinguishing equipment and automatic fire alarm system
  • Water sensitive detector and water leakage detection and alarm system
  • Precision Air Conditioning
  • Backup generator

5.1.2 Security products that need to be deployed at the host and network security level

  • Firewall or intrusion prevention system
  • Internet behavior management system
  • Network access control system
  • Auditing platform or unified monitoring platform (should meet the monitoring requirements at the host, network and application levels; if conditions do not allow, at least deploy database auditing)
  • Anti-virus software

5.1.3 Security products that need to be deployed at the level of application and data security

  • VPN
  • Web page anti-tampering system (for website systems)
  • Data remote backup storage device
  • Hardware redundancy of main network equipment, communication lines and data processing system (dual machine redundancy of key equipment).

5.2 Recommended equipment for Level 3

5.2.1 Requirements for security measures in the computer room (Level 3 standard)

  • Area isolation using color steel plates, fire doors, etc.
  • Video surveillance system
  • Anti-theft alarm system
  • Fire extinguishing equipment and automatic fire alarm system
  • Water sensitive detector and water leakage detection and alarm system
  • Precision air conditioning
  • Dehumidifier
  • Backup generator
  • Electromagnetic shielding cabinet

5.2.2 Security products that need to be deployed at the host and network security level

  • Intrusion prevention system
  • Internet behavior management system
  • Network access control system
  • Unified monitoring platform (meeting the monitoring needs at the host, network and application levels)
  • Anti-virus software
  • Bastion host
  • Firewall
  • Auditing platform (covering auditing of operating systems, databases and network equipment; if conditions do not allow, at least deploy database auditing)

5.2.3 Security products that need to be deployed at the level of application and data security

  • VPN
  • Web page anti-tampering system (for website systems)
  • Data remote backup storage device
  • Hardware redundancy of main network equipment, communication lines and data processing system (dual machine redundancy of key equipment).
  • Data encryption software (for encrypted storage; the encryption algorithm must be one approved by the Bureau of Secrecy).

6. Score Calculation Criteria for MLPS 2.0

Note: This section refers to a CSDN article; original link: https://blog.csdn.net/oldmao_2001/article/details/119704571

Calculation formula:

7. Some problems with the MLPS 2.0

Note: This section is referenced from FreeBuf; original link: https://www.freebuf.com/articles/security-management/251116.html

7.1 The main problems of Party A

1. The original intention of MLPS: judging from how MLPS has developed in various industries, very few units and enterprises carry out MLPS out of genuine concern for network security; most do so because of policy requirements, which can be subdivided into:

1) The industry's competent authorities require MLPS to be implemented, for example in the electric power and financial industries, both of which have documents requiring it, so many private enterprises are unwilling but must do it anyway.

2) Looking for a scapegoat. Some government units are not interested in MLPS, but after being talked into it by the sales staff of evaluation agencies they think that doing it buys them an "insurance policy", purely so that the evaluation agency can take the blame for them afterwards.

3) Interest relationships. The informatization leaders of some units also want to build a community of interests through project procurement; the author won't go into details here.

2. Weak technical ability, with emphasis on equipment rather than management. Many Party A units have no full-time network security management positions and are basically staffed by the people responsible for the network or servers. Except for a few units such as banks and securities firms, the technical level of most units' technicians is actually not high, and many are operated and maintained by outsourcers or integrators. The result is that during the evaluation they do not even know all the management accounts and passwords of a given device, because outsourcers and integrators generally hand over only one administrative account and usually no audit administrator account, and network security awareness training is almost non-existent.

3. A one-sided understanding of network security. Some technicians believe that network security is penetration, overly tout penetration capability and look down on evaluation, thinking it is a mere formality.

7.2 Main Problems of Evaluation Organizations

At present there are 199 evaluation agencies in China, mainly divided into the following categories:

1) Evaluation agencies with "national" prefixes in the Beijing area: Beijing accounts for more than 30 of the 199 evaluation agencies nationwide, almost all of which have a "national"-prefix background, and many carry the names of industries, ministries or commissions. These agencies basically do not worry about business, can attract outstanding graduates, have strong technical capability and can concentrate on technology, and because most of their customers are industry bodies or ministries the evaluation process is relatively smooth, so in terms of hardware rectification almost all of the units they evaluate are complete. A typical example: during training in 2018, a certain teacher from Beijing said that two-factor authentication under identity authentication should be treated as high risk, and that not having the equipment means non-compliance. From the perspective of local evaluation agencies, however, at least Jiangxi cannot do this, because besides the one-time purchase of identity authentication platform hardware, two-factor authentication also requires the cost of UKEY hardware, not counting the annual certificate renewal fees and labor management costs, which together are enough to pay for an MLPS evaluation every year. After all, compared with many second- and third-tier places, Beijing is still far ahead in both economic strength and ideological understanding.

2) Evaluation agencies in second- and third-tier cities. Most of these are local leaders; besides MLPS evaluation they basically also have other risk assessment and software testing business, so they are relatively well known in their own and neighboring provinces, and some have even extended their business into neighboring provinces.

3) Newly joined evaluation agencies in second- and third-tier cities. Such agencies are basically on the verge of being eliminated at any time. There was an evaluation agency in Jiangsu that did not even know about proficiency testing and did not take part in the annual proficiency test; its evaluation reports were all "basically compliant" with no non-conformities. Many of these companies were formerly integrators with low technical strength, and most of the companies shut down each year are regarded as "driving-school training" outfits.

The main problems of the assessment institutions are as follows:

1) Malicious competition. Most evaluation agencies without a "national" prefix or state-owned-enterprise background face increasing pressure from ever fiercer market competition. Especially because of this year's epidemic, many agencies were unable to carry out evaluations in the first and second quarters; an agency in a certain province that is considered to be among the top 3 did not gradually resume business until June. For an agency without a "national" prefix, having no business means bankruptcy, since daily tax and labor costs are a heavy burden. In the past two years the entry barriers have been lowered, a number of new evaluation agencies have been added, the conditions for remote evaluation have been relaxed, and competitive pressure has grown, so incidents of malicious low-price bidding have emerged one after another. The result is short evaluation times, low technical levels among evaluation personnel, and agencies undercutting each other's prices. After all, survival comes first.

2) Staff turnover is high. At present the pre-tax salary of assessors in first-tier cities is basically about 7000-9000, and in second- and third-tier cities about 5000-6000. Honestly, this is indeed low for a practitioner in the network security industry, and that is for people with relevant work experience. You must know that in the central province where the author is located, the salaries for system integration, vendor technical support, software testing and similar positions are at least 6,000, and development work is generally around 1W (10,000), while evaluation personnel are under great project pressure, travel often, and face high documentation requirements and high technical skill requirements; it is difficult to attract excellent people at this salary. Many people invited to interview are not interested in evaluation at all, or find the salary low and do not come, or ask to go back and think it over after passing the interview and then never come back. The author feels that recruitment has been particularly difficult this year, and many people already in the job have begun to waver because their salaries were not paid during the epidemic. On the one hand, the cost of evaluation projects is gradually falling; on the other hand, the costs of evaluation agencies are gradually rising. To reduce costs, more projects must be done to lower the marginal cost, which leads to inevitable conflicts.

3) Assessment institutions lack long-term development plans

At present most evaluation agencies are non-state-owned enterprises; some are state-owned enterprises responsible for their own profits and losses, and a small number may belong to public institutions. In the central province where the author is located, however, the evaluation agencies are all private enterprises. Shareholders and management lack long-term planning and treat the business like "cutting leeks" (harvesting short-term gains), especially by blindly expanding business while the technical ability and management level of personnel have not improved. Enterprises often pay more attention to becoming bigger, but it is hard for them to become stronger; there is no clear development plan, and individuals cannot see the development prospects.

4) Insufficient independence of evaluation agencies

The profit-seeking nature of evaluation agencies determines that they cannot be completely neutral, so cases of paying money to buy reports are commonly exposed in many places, and the evaluation management measures are relatively light in punishing agencies: even if the recommendation certificate is revoked, the original team can set up a new company and start over. Coupled with ever-higher customer demands, evaluation agencies are bound to favor customers; after all, for most organizations the customer is God.

7.3 Standard System

Since the release of the MLPS 2.0 standard, the MLPS 2.0 series of standards have made progress, but there are also some problems.

1) Security product manufacturers had a great influence on the formulation of the standards. The author took a rough look and found that most of the top 10 manufacturers in the domestic industry basically participated in formulating the standards; the specific manufacturer names will not be mentioned. The author believes that standards should mainly be formulated by the Standards Committee, which at least on the surface has no interest orientation. If manufacturers participate, it is inevitable that they will more or less favor their own products. This is why, after the introduction of MLPS 2.0, many manufacturers published articles about basic packages, standard packages, deluxe packages and the like, so that many customer units gradually came to think that MLPS means spending money on equipment, while the country's original intention in implementing MLPS evaluation is not well understood.

2) The quality of standard formulation is worse than 1.0. Among the basic requirements, for example, there are three places with log audit requirements alone: the secure area boundary, the secure computing environment and the security management center all have them, and those for the area boundary and the secure computing environment are almost exactly the same. The author, as an "old hand" in the evaluation industry, does not understand the point of repeated evaluation, let alone how customers are supposed to understand it. Besides this, data integrity, data confidentiality and so on are likewise duplicated. In the evaluation requirements, the evaluation objects corresponding to many indicators obviously cannot be evaluated. For example, the evaluation objects for residual information protection are the operating systems, business application systems, database management systems, middleware and system management software on devices such as terminals and servers; for operating systems this is relatively clear and operable on Windows, but there are many objections on Linux, and there is no detailed explanation of how to evaluate database management systems, middleware and business application systems. This lack of operability and practicality leads to different evaluation methods being used in the evaluation process. At present many client units are also studying the 2.0 series of standards, but if many standards cannot be explained even by evaluation agencies, how are they to be explained to customers? The author believes the basic requirements can be general and directional, but the evaluation requirements must be operable and understandable; otherwise, what is the meaning of a national standard that even professionals cannot understand?

8. National standard documents for graded protection

The following three are national standard documents; among them, the high-risk determination guidelines list the high-risk items that must be met in the evaluation, and if they are not met the risks must be reduced according to the solutions given there.

"GB/T 22240-2020 Information Security Technology: Network Security Classified Protection Grading Guide"

"GB/T 22239-2019 Information Security Technology: Basic Requirements for Network Security Classified Protection"

"Guidelines for High Risk Determination of Network Security Classified Protection Evaluation"


There is a lot of network security knowledge; how should it be arranged scientifically and reasonably?

Beginner level

1. Theoretical knowledge of network security (2 days)

① Understand the industry background and prospects, and decide on a development direction.
② Learn the laws and regulations related to network security.
③ The concept of network security operations.
④ Introduction to MLPS, MLPS regulations, procedures and norms. (Very important)

2. Penetration testing basics (one week)

① Penetration testing process, classification and standards
② Information collection techniques: active/passive information collection, the Nmap tool, Google Hacking
③ Vulnerability scanning and exploitation: principles, exploitation methods, tools (MSF), bypassing IDS and anti-virus
④ Host attack and defense drills: MS17-010, MS08-067, MS10-046, MS12-20, etc.

3. Basic operating system (one week)

① Common functions and commands of Windows system
② Common functions and commands of Kali Linux system
③ Operating system security (system intrusion troubleshooting/system reinforcement basis)

4. Basics of computer network (one week)

① Computer network fundamentals, protocols and architecture
② Network communication principles, the OSI model, the data forwarding process
③ Analysis of common protocols (HTTP, TCP/IP, ARP, etc.)
④ Network attack techniques and network security defense techniques
⑤ Web vulnerability principles and defense: active/passive attacks, DDOS attacks, CVE vulnerability reproduction

5. Basic database operations (2 days)

①Database foundation
②SQL language foundation
③Database security reinforcement

6. Web penetration (1 week)

① Introduction to HTML, CSS and JavaScript
② OWASP Top 10
③ Web vulnerability scanning tools
④ Web penetration tools: Nmap, BurpSuite, SQLMap, others (China Chopper, vulnerability scanners, etc.)

Congratulations: once you have learned this, you can basically take a network-security-related job such as penetration testing, web penetration, security services or security analysis; if you learn the security module well, you can also work as a security engineer. Salary range 6k-15k.

So far, about a month. You've become a "script kiddie". So do you still want to explore further?

7. Script programming (beginner/intermediate/advanced)

In the field of network security, programming ability is the essential difference between "script kiddies" and real hackers. In actual penetration testing, facing a complex and changing network environment, when common tools cannot meet the actual need it is often necessary to extend existing tools or write tools and automated scripts that meet our requirements, which calls for some programming ability. In CTF competitions where every second counts, using self-made scripted tools efficiently for various purposes also requires programming skills.

For beginners starting from zero, it is recommended to pick one scripting language among Python/PHP/Go/Java and learn programming with its common libraries; set up a development environment and choose an IDE (Wamp and XAMPP are recommended for the PHP environment, and Sublime is strongly recommended as the IDE). For Python, the learning content includes syntax, regular expressions, files, networking, multi-threading and other common libraries ("Python Core Programming" is recommended, though not necessarily cover to cover); use Python to write exploit code for a vulnerability, then write a simple web crawler; learn basic PHP syntax and write a simple blog system; become familiar with the MVC architecture and try to learn a PHP or Python framework (optional); understand Bootstrap layout or CSS.

8. Advanced hacker

This part is still quite far away for beginners starting from zero, so it is not described in detail here; only a general route is given (shown as an image in the original post). Interested readers can study it on their own.

Network security engineer enterprise-level learning route (image in the original post)

Some self-study introductory books (image in the original post)

Some video tutorials the author bought, which cannot be obtained for free on other platforms (image in the original post)

Epilogue

The network security industry is like a jianghu, where people of every kind gather. Compared with the many "orthodox schools" with solid foundations in Europe and America (who understand cryptography, know how to defend, can find vulnerabilities, and are good at engineering), our talents are more often "unorthodox" (many white hats may not be convinced). So in future talent training and team building the structure needs to be adjusted, and more people should be encouraged to do "orthodox" system and construction work that combines "business", "data" and "automation", in order to relieve the thirst for talent and truly provide all-round security for the Internet.

Special statement:

This tutorial is purely technical sharing! It is by no means intended to provide technical support to those with bad motives, nor does it assume any joint liability arising from misuse of the technology! Its purpose is to get everyone to pay maximum attention to network security and take corresponding security measures to reduce the economic losses caused by network security incidents!!!

Origin blog.csdn.net/QXXXD/article/details/128837988