What are graded protection, risk assessment, and security assessment?


2022-06-17 15:17

Since the start of the "Graded Protection 2.0" era, China's requirements for graded protection have become stricter and more specific. As a result, the three terms graded protection, risk assessment and security assessment keep appearing, and they are constantly confused with one another. What are these three things? How are they distinguished? Is there a connection between them? Today we find out.

Graded protection

Concept

Graded protection of information security means providing security protection, by grade, for state secret information, the proprietary information of legal persons, other organizations and citizens, and public information, as well as for the information systems that store, transmit and process such information; carrying out management by grade; and responding to and handling information security incidents that occur in those information systems by grade.

Note: The information system referred to here is a system or network composed of computers together with their related and supporting equipment and facilities, which stores, transmits and processes information according to certain application objectives and rules. Information refers to the digital information stored, transmitted and processed in such information systems.

Background

Figure: graded protection policy and standards system

The "Regulations of the People's Republic of China on the Security Protection of Computer Information Systems", promulgated in February 1994, stipulate that computer information systems shall implement security grade protection, and that the classification criteria for security grades and the specific measures for security grade protection shall be formulated by the Ministry of Public Security together with the relevant departments.

In 1999 the Ministry of Public Security organized the drafting of the "Classification Criteria for Security Protection Levels of Computer Information Systems" (GB 17859-1999), which defines five levels of security protection capability for computer information systems: level one, user autonomous protection; level two, system audit protection; level three, security label protection; level four, structured protection; level five, access verification protection. The grading in GB 17859 is a technical grading, that is, a division according to the level of security protection technical capability that a system objectively possesses.

On July 18, 2002, building on GB 17859, the Ministry of Public Security released and implemented five new GA standards: GA/T 387-2002 "Technical Requirements for Computer Information System Security Level Protection: Network", GA 388-2002 "Technical Requirements for Computer Information System Security Level Protection: Operating System", GA/T 389-2002 "Technical Requirements for Computer Information System Security Level Protection: Database Management System", GA/T 390-2002 "General Technical Requirements for Computer Information System Security Level Protection", and GA 391-2002 "Computer Information System Security Level Protection Management Requirements". These standards form part of China's series of standards on the security protection level of computer information systems.

In 2004, the "Notice on the Implementation Opinions on Information Security Graded Protection" (referred to as Document No. 66) divided the security protection level of information and information systems into five levels: level one, autonomous protection; level two, guided protection; level three, supervised protection; level four, mandatory protection; level five, special control protection. It is worth emphasizing that the grading in Document No. 66 is based mainly on the business importance of the information and information system and the impact of its being damaged; it is the security business level that the system must adopt based on its application requirements, not the level of security technology already in place as defined in GB 17859.

Risk assessment

Concept

Information security risk assessment is the process of analyzing the asset value, potential threats, weak links and protective measures of an information system, with reference to risk assessment standards and management norms, in order to judge the probability of security incidents and the losses they may cause, and to propose risk management measures.

Background

Risk assessment is not a new concept. Many fields, such as finance and e-commerce, have risks and a need for risk assessment; risk assessment applied to the IT field is information security risk assessment. Domestic research on information security risk assessment has progressed rapidly in recent years, and specific assessment methods have been continuously improved. Risk assessment has gradually moved from the purely technical operations of its early days, such as simple vulnerability scanning, manual auditing and penetration testing, to today's widespread use of methods such as BS7799, OCTAVE, NIST SP800-26, NIST SP800-30, AS/NZS 4360 and SSE-CMM, which fully embody the comprehensive methodology and operating model of information security risk assessment: assets as the starting point, threats as the trigger, and vulnerabilities in technology, management and operation as the inducing factor.

In 2004 the Informatization Work Office of the State Council organized and completed the drafting of the "Guidelines for Information Security Risk Assessment" and "Guidelines for Information Security Risk Management" standards, which set out the work process, content, methods and risk judgment criteria of information security risk assessment and provide good guidance for standardizing the practice of information security risk assessment in China.

System security assessment

Concept

System security assessment is a scientific and impartial comprehensive testing and evaluation activity, conducted according to strict procedures by an authoritative organization that has inspection technical capabilities and government-authorized qualifications, on the security capabilities of an information system, based on national standards, industry standards, local standards or related technical specifications. It helps the system's operating unit analyze the current security operating status of the system, find existing security problems, and obtain suggestions for security improvement, thereby minimizing the system's security risks.

Note: Certification is the confirmation of whether assessment activities meet the requirements of standardization and quality management. Certification is based on standards and on the assessment results.

Background

Although system certification started relatively early in China, for various reasons such as the certification cycle and differences in construction, the number of systems certified to date is still very small. In China, the China Information Security Product Evaluation and Certification Center (CNITSEC) is an early and influential institution carrying out system security evaluation and certification.

The "Notice on Establishing a National Information Security Product Certification and Accreditation System" (referred to as Document No. 57), jointly issued by eight ministries and commissions including the National Certification and Accreditation Administration, clearly stipulates the "four unifications" certification requirements for information security products: unified standards, technical specifications and conformity assessment procedures; a unified certification catalog; a unified certification mark; and unified fee standards. Until the National Certification and Accreditation Administration issues specific opinions on the security certification of information systems, in most cases the results of a system security assessment can be used directly by competent authorities as the basis for system security approval.

Relationships and differences among graded protection, risk assessment and system assessment

Graded protection is the basic management system guiding the construction of China's information security system.

Risk assessment and system assessment are two specific, distinct but related research and analysis methods for evaluating the security of information and information systems under the graded protection system.

In this sense, graded protection sits above risk assessment and system assessment.

How does graded protection differ from risk assessment?

The premise of graded protection is grading the system. The system's grade is determined according to the confidentiality, integrity and availability of the information in the system, in three steps: identify the various types of information, determine the security category of each type of information, and determine the final grade of the system according to those security categories.

The idea of classifying and grading systems in graded protection is basically the same as grading information assets by importance in risk assessment. The difference is that the grade in graded protection is based on the business requirements of the system, i.e. its CIA characteristics, and defines the security services the system should have, whereas the final risk level in a risk assessment is a comprehensive result that takes into account the importance of the information, the effectiveness of the system's existing security controls and its current operating status. In other words, in a risk assessment an information asset with high CIA value does not necessarily have a high risk level.

Graded protection, in practice, helps users analyze and evaluate the grade of their information systems so that later work can apply different levels of security protection according to grade; risk assessment helps users understand their current security status so that overall security planning and construction can follow. The risk assessment method can be used to check how graded protection has been implemented, and the results of risk assessment can serve as the starting point and reference for implementing graded protection and building security by grade.

Note: In information security graded protection work, the security grade of an information system is determined according to the confidentiality, integrity and availability of the information system; these three properties are referred to collectively as CIA.
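To make the distinction drawn above concrete, here is an added illustrative model (not code from the original post, and not the grading or risk formulas of any Chinese standard): a system's grade is taken as the highest CIA category of the information it handles, while an asset's risk also discounts for how effective its existing controls are, so a high-CIA asset can end up with a lower risk level than a less important one. All scales, weights, thresholds and sample data are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed 1..5 ordinal scale; the high-water-mark rules are illustrative, not any standard's.

@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def security_category(self) -> int:
        # Step 2 of grading: a type's category follows its strictest CIA requirement.
        return max(self.confidentiality, self.integrity, self.availability)

def system_grade(info_types: Iterable[InfoType]) -> int:
    # Step 3 of grading: the system inherits the highest category it handles,
    # regardless of how well it is currently protected (grade = required services).
    return max(t.security_category() for t in info_types)

@dataclass(frozen=True)
class Asset:
    name: str
    value: int                    # importance of the information asset
    threat: int                   # likelihood that a threat acts on it
    vulnerability: int            # severity of its weak points
    control_effectiveness: float  # 0.0 (no controls) ... 1.0 (fully effective)

def risk_score(asset: Asset) -> float:
    # Assets as the starting point, threats as the trigger, vulnerabilities as the
    # inducing factor, reduced by the effectiveness of the existing controls.
    likelihood = asset.threat * asset.vulnerability
    return asset.value * likelihood * (1.0 - asset.control_effectiveness)

def risk_level(score: float) -> str:
    # Constructed thresholds; a real assessment takes them from its methodology.
    return "high" if score >= 40 else "medium" if score >= 15 else "low"

# Constructed sample data: one system handling two kinds of information.
SAMPLE_INFO = [InfoType("public notices", 1, 2, 3), InfoType("citizen records", 4, 4, 3)]
SAMPLE_ASSETS = [
    Asset("citizen records DB", value=5, threat=4, vulnerability=2, control_effectiveness=0.8),
    Asset("internal wiki", value=2, threat=4, vulnerability=5, control_effectiveness=0.1),
]
```

With this data the system is graded 4 because of the citizen records, yet the well-controlled citizen records database scores a lower risk than the poorly controlled internal wiki.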

After reading today's primer, you should have a basic understanding of graded protection, risk assessment and system assessment. In 2022, laws and policies are becoming ever more complete, and regular security inspections and risk assessments have become the state's basic requirements for the industries concerned. Doing risk assessment and system assessment well under the graded protection system, implementing network security reviews, and establishing sound mechanisms for network security monitoring, early warning and information sharing are the responsibility of every enterprise in the industry and every network security vendor. Understanding the relevant knowledge also helps us contribute better to the security protection of critical information infrastructure.


Source: blog.csdn.net/huzia/article/details/130381458