1.3 Cyberspace Security Policies and Standards

Data reference: CISP official 

Table of contents

  • National Cyber Security Strategy
  • Network Security Standard System
  • Network Security Level Protection
  • Cyber Security Ethics

1. National Cyber Security Strategy

 1. National Guidance Policy

  • "Network Security Law of the People's Republic of China": This law was promulgated in 2016 and came into effect on June 1, 2017. It is the basic law in the field of cybersecurity in China and aims to strengthen the supervision and protection of cybersecurity.

  • "Information Security Technology - Personal Information Security Specification" (GB/T 35273): This specification was officially issued in 2018 and came into effect on May 1, 2018. It is a technical specification that guides the protection and security of personal information and provides strong guidance for organizations and individuals.

  • "Encryption Law of the People's Republic of China": This law was voted on and passed at the 14th meeting of the Standing Committee of the Thirteenth National People's Congress on October 26, 2019, and came into effect on January 1, 2020. It mainly governs the use, management and protection of cryptography.

  • "Data Security Law": This law was voted on and passed at the 29th meeting of the Standing Committee of the Thirteenth National People's Congress on June 10, 2021, and took effect on September 1, 2021. It mainly covers data classification, security assessment and cross-border data transfer, and strengthens the protection and management of data security.

  • The "Data Export Management Measures" and "Important Data Management Measures" are being drafted and will be promulgated soon.

  • The "Regulations of the People's Republic of China on the Protection of Computer Information System Security" stipulate that computer information systems are subject to security level protection.

  • GB 17859 formally refines the hierarchical protection requirements and divides them into five levels: user self-protection, system audit protection, security mark protection, structured protection, and access verification protection.

  • The "Notice on the Implementation Opinions on Information Security Hierarchical Protection Work" sets out the guiding ideology, principles and requirements of hierarchical protection. Grading starts from the business importance of information and information systems and the impact of their being damaged.

  • The Network Security Law makes it explicit that China implements a network security level protection system.

2. Comparison of cyberspace security development in China and abroad

3. Computer crime

Trends in Computer Crime

  • From unorganized to organized: With the popularization of computer technology and the development of the Internet, computer crime has gradually shifted from spontaneous individual behavior to organized forms of crime. An obvious example is APT (Advanced Persistent Threat) attacks, which are launched by highly specialized and organized hacker groups with the goal of obtaining sensitive information or infiltrating and attacking specific targets.

  • From individual violations to national threats: In the past, computer crimes primarily targeted individuals or small groups with limited reach. However, with the advancement of technology and the globalization of networks, some large-scale computer crimes, such as the Stuxnet incident and the Ukrainian power station incident, have gone beyond individual violations and posed a serious threat to the network infrastructure and security of an entire country.

  • Reach beyond the computer itself: Computer crimes are not limited to attacking the computer system itself; they also use social engineering and other methods to attack at the personnel and social levels. Social engineering is the use of psychological manipulation and deception to obtain personal information or induce victims to take harmful actions. This reach beyond the computer itself makes attack methods more complex and harder to prevent.

  • Younger offenders complicate legal constraints: "script kiddies" are relatively low-skilled but aggressive teenage hackers. They often engage in computer crimes motivated by personal interest, thrill or fame. For young computer criminals, however, legal constraints face some challenges, such as how to balance accountability and education, and how to distinguish pranks from real crimes.

4. Security incidents in recent years

Stuxnet - 2010

The attacker is said to be the United States; this remains to be confirmed.

Ukrainian power station incident - 2015

The Ukrainian power station incident refers to a cyber attack that occurred in Ukraine on December 23, 2015.

In this incident, the power supply system of Ukraine's Black Power Station and the surrounding area was subjected to a cyber attack, resulting in a large-scale blackout. It is regarded as the first successful cyberattack on an electrical power system.

The attackers used advanced attack techniques to compromise the control and monitoring system by remotely intruding into the power system's control center. The attack caused the Black Power Station and dozens of substations scattered across the area to temporarily lose power, affecting about 220,000 residential and business customers.

The incident was investigated by the Ukrainian government, the energy sector, and domestic and foreign experts. Findings indicate that the attack involved the distribution and execution of malware, the use of social engineering techniques and carefully planned attack paths, and direct attacks on the SCADA (Supervisory Control and Data Acquisition) systems used by the power system.

While the exact attackers have not been publicly identified, many experts believe the incident was carried out by Russian hackers or related groups. The incident sparked global concern about the security of critical infrastructure and the threat of cyberattacks, and has become one of the important case studies for strengthening network security protection.

ZTE Leaks - 2016

TSMC suffers ransomware attack - 2018

2. Network security standard system

1. The concept of standard

1) Standard

  • A standard is a normative document, formulated by consensus and approved by a recognized institution, that provides rules for common and repeated use in order to obtain the best order within a certain range.

2) Types of standards

  • International Standard: A standard formulated and published by the International Organization for Standardization (ISO), reached through international cooperation and consensus, and applicable to countries and regions around the world. International standards are intended to facilitate international trade, technical exchange and cooperation, and to provide common industry guidance.

  • National Standard: A standard formulated and issued by the standardization body or standard-setting organization of a country. National standards apply to relevant industries or fields in a specific country and are formulated in accordance with local laws, regulations and needs. Standards may vary between countries.

  • Industry Standard: A standard formulated by a specific industry organization or association to guide and regulate products, services and operations within that industry. Industry standards primarily address the needs and best practices of a particular industry, and are often developed and adopted jointly by professional practitioners and industry stakeholders.

  • Local Standard: A standard formulated and implemented by a specific region or local government. Local standards often apply to the needs and regulations of a specific geographic area or community, to meet the requirements of local circumstances, resources and regulations.

Note: If other standards conflict with the national standard, the national standard prevails.

3) Standardization

Standardization: the activity of formulating provisions for common and repeated use, addressing actual or potential problems, in order to obtain the best order within a certain range.

Basic features of standardization:

  • Standardization is an activity: Standardization is a systematic activity that involves formulating, implementing and updating various standards.

  • Standardized objects: The objects of standardization can be material products, processes, services, management processes, test methods, norms and behaviors in many aspects (affairs, things, people).

  • Standardization is a dynamic concept: Standardization is not static. As technology, the environment and needs change, standards need to be regularly revised and updated to maintain their effectiveness and adaptability.

  • Standardization is a relative concept: Standardization is relative to the best order within a certain range. The formulation and application of standards need to take into account differences between regions, industries, cultures, and laws and regulations.

  • The benefits of standardization are only realized through application: The purpose of formulating standards is to enable all parties to meet common requirements and expectations, and the true value and benefits of standards only come into play in practical application.

  • Principles of standardization work: Standardization work follows some basic principles: simplification, keeping standards concise, clear, easy to understand and easy to implement; unification, ensuring consistency and coordination among standards; coordination, aligning with existing regulations and standards; and optimization, providing the best technical and economic benefits to all parties.

4) Standardization organization

Major standardization organizations

  • International Organization for Standardization (ISO): ISO is the main organization in the field of international standardization, headquartered in Geneva, Switzerland. It is composed of the standardization organizations of its member countries and aims to develop and promote standards covering a wide range of fields and industries.

  • International Electrotechnical Commission (IEC): IEC is an international organization responsible for the standardization of electrical and electronic technologies. Its members include standardization bodies and related industry organizations from different countries.

  • Internet Engineering Task Force (IETF): IETF is an open international organization dedicated to the research and standardization of Internet-related technologies. Its members are network engineers and experts who jointly develop and promote Internet protocols.

  • International Telecommunication Union (ITU): ITU is a specialized agency of the United Nations, responsible for the standardization and coordination of global telecommunications and information and communication technologies. Under the ITU, the ITU Telecommunication Standardization Sector (ITU-T) is responsible for formulating standards and specifications related to telecommunications.

National standards organizations (USA)

  • National Standards Body: Different countries have their own standardization bodies, such as the American National Standards Institute (ANSI) and the Standardization Administration of China (SAC). These agencies are responsible for developing and promoting standards within the country, and cooperate with the International Organization for Standardization.
  • National Institute of Standards and Technology (NIST): NIST is a standardization and technology research institution in the United States, responsible for formulating and promoting standards and measurement methods in various fields.

These organizations play an important role in the field of standardization, promote global technical exchanges and cooperation, and promote development and innovation in various fields.

China's standardization organizations

 Standardization Administration of China (SAC)

  • It is the highest-level national standards organization in China.

National Information Security Standardization Technical Committee (TC260)

  • In 1984, the Data Encryption Technology Subcommittee was established; it was later renamed the Information Technology Security Subcommittee.
  • In April 2002, in order to strengthen the coordination of information security standards, the National Standards Committee decided to establish the National Information Security Standardization Technical Committee (abbreviated Xin'an Biaowei, TC260), which is directly led by the National Standards Committee and corresponds to ISO/IEC JTC1 SC27.
  • Under the National Standardization Management Committee's decision Gaoxin Letter [2004] No. 1: From January 2004, all relevant departments declaring national information security standard plan projects must submit them through the Information Security Standards Committee, which organizes the declaration after coordination. In the process of formulating national standards, the standard working group or main drafting unit must actively cooperate with the Information Security Standards Committee, and the Information Security Standards Committee completes the submission of national standards for review and approval.

2. National Information Security Standardization Technical Committee

TC260 organizational structure

3. China's standard classification

GB mandatory national standard: A GB standard is a Chinese national standard (Guo Biao) and is mandatory.

  • Once a GB standard is promulgated, it must be implemented by all relevant parties. Violating a GB standard may incur economic or legal liability, with corresponding legal consequences depending on the specific circumstances.

GB/T recommended national standard: A GB/T standard is a recommended national standard.

  • These standards are voluntary and provide a technical basis for mutual compliance. Although not mandatory, in practice many enterprises and organizations voluntarily adopt GB/T standards to regulate their products, services and management processes.

GB/Z national standard guiding technical document: A GB/Z standard is a national standard guiding technical document.

  • These documents cover matters that are still under technical development, or on which consensus may only be reached in the future for other reasons. They provide guiding technical methods or suggestions to support the development and application of specific fields.
  • Guiding technical documents must be reviewed within 3 years of implementation to ensure that they continue to adapt to changes in technology and the market.

3. Network security level protection

 1. Definition of level protection

According to the provisions of the "Network Security Law", hierarchical protection is the basic system for information security in China.

Article 20 of the "Network Security Law" stipulates that the state implements a network security level protection system. Network operators should fulfill the following security protection obligations in accordance with the requirements of the network security level protection system: protect the network from interference, destruction or unauthorized access; and prevent network data from being leaked, stolen or tampered with.

MLPS 1.0

  • MLPS 1.0: MLPS 1.0 refers to the "Administrative Measures for Information Security Level Protection" issued in 2007 and the "Information Security Technology - Basic Requirements for Information System Security Level Protection" issued in 2008.
  • MLPS 1.0 was formulated to standardize and guide the security protection of information systems, and to establish corresponding security classification criteria and protection requirements.

MLPS 2.0

  • MLPS 2.0: MLPS 2.0 is an upgraded version of MLPS 1.0.

  • MLPS 2.0 updates and adjusts the original standard "Information Security Technology - Basic Requirements for Information System Security Level Protection" to adapt to the development of information technology and changes in security requirements.

  • MLPS 2.0 further raises the requirements for information system security, and revises and improves the old content.

MLPS 2.0 was introduced to improve the security of China's information systems and better meet ever-evolving cybersecurity threats and challenges. Through its scope and requirements, the standardization and normalization of information system security level protection can be promoted, and a higher level of information security protection can be provided.

2. Equal protection development process

3. Information security level protection standard system

4. Hierarchical protection workflow

  1. Grading: Determine the corresponding protection level according to the importance and sensitivity of the information. This can be determined against standards provided by the country, industry or organization.

  2. Filing: Record and file the relevant information about the level protection. This includes identification of protection levels, designation of responsible persons and listing of the specific information to be protected.

  3. Gap analysis: Conduct a comprehensive security risk assessment to identify and assess gaps and weaknesses in existing security measures. This can include a vulnerability assessment of information systems, a security assessment of physical facilities and an analysis of employees' security training needs.

  4. Construction and rectification: Based on the results of the gap analysis, formulate improvement plans and carry out the corresponding construction and rectification work. This may involve strengthening the security of information systems, improving protection measures for physical facilities, providing staff training and enhancing monitoring.

  5. Acceptance evaluation: After construction and rectification are completed, carry out an acceptance evaluation to ensure that the security measures are effective and meet the expected security requirements. This can be done through internal audits, external assessments or third-party certification.

  6. Regular review: Establish a regular review mechanism to ensure that security measures remain effective. Regular review should include evaluating the effectiveness of security measures, discovering new security threats and risks, and making corresponding updates and improvements.

This is a cyclical process: through continuous analysis, improvement and review, the hierarchical protection work stays effective and adaptable. Note that the specific workflow may vary by organization and industry, and the specific steps and operations can be adjusted to the situation.

5. The core idea of hierarchical protection

The core idea of hierarchical protection

  • According to the importance and sensitivity of the protected objects, they are divided into grades and constructed, managed and supervised according to the corresponding standards.

Basic principles of hierarchical protection:

  • The principle of independent protection : The responsible unit of the protected object should take the initiative to undertake the protection responsibility, and formulate corresponding protection measures according to its own characteristics and needs. The principle of independent protection emphasizes the autonomy and initiative of the protected object .

  • The principle of key protection : according to the importance and sensitivity of the protected objects, key resources and information should be protected. The principle of key protection ensures that limited resources and energy can be allocated to the most important objects first .

  • Simultaneous construction principle: Hierarchical protection work should be carried out at the same time as the construction and development of protected objects, and protection measures should be updated in step with the changes and evolution of protected objects. The principle of simultaneous construction ensures that protection efforts stay aligned with the needs of the objects being protected.

  • Principle of dynamic adjustment : The hierarchical protection work should be dynamically adjusted according to changes in protected objects, evolution of security threats, and technological progress. The principle of dynamic adjustment ensures the flexibility and adaptability of hierarchical protection work .

6. Classification

Classification

  • It is divided into five levels, with level one being the lowest and level five the highest.
  • It is suitable for guiding the security construction, supervision and management of graded objects that are not state-secret-related.
  • Fifth-level objects are extremely important objects of supervision and management, with special management modes and security requirements that are not described in this standard.

Grading elements

  • Object infringed upon: the object to be protected, which can be an information system, equipment, data, etc. Different objects may differ in security and importance.
  • Degree of damage to the object: the degree of damage that may be caused to the object, including information leaks, system crashes, business interruptions, etc. Different degrees of infringement correspond to different grades.

7. Level of protection

Level 1: User self-protection level

  • After the information system is damaged, it may cause damage to the legitimate rights and interests of citizens, legal persons and other organizations, but will not damage national security, social order or the public interest.

Level 2: System audit protection level

  • After the information system is damaged, it may cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or cause damage to social order and the public interest, but will not damage national security.

Level 3: Security mark protection level

  • After the information system is damaged, it may cause serious damage to social order and the public interest, or cause damage to national security.

Level 4: Structured protection level

  • After the information system is damaged, it may cause particularly serious damage to social order and the public interest, or cause serious damage to national security.

Level 5: Access verification protection level

  • After the information system is damaged, it may cause particularly serious damage to national security.

8. MLPS 2.0 standard comparison

 9. Extended requirements of MLPS 2.0

4. Network security professional ethics

1. The concept of morality

The concept of morality:

  • A code of conduct used by a certain society or class to regulate relations of interest between people
  • A standard for judging whether people's behavior is good or bad

The difference between morality and law:

  • The law has a strict logic and structural system, which is the embodiment of the unity of the will of the country
  • Morality lacks a rigorous structural system

Moral constraints:

  • Built on a sound legal basis
  • The law plays a certain role in moral restraint
  • Organizations can restrict the behavior of organizational members through punitive clauses in the management system

Ways to raise moral awareness:

  • Training and education is an important way
  • Communicate ethics and values to employees through training and education
  • Enhance the moral quality of employees

2. Network Security Professional Ethics Guidelines

The concept of professional ethics

Code of Ethics for the Computing Profession

  • ACM Code of Ethics, British Computer Society Code of Ethics, Ten Commandments of Computer Ethics

Cybersecurity Code of Ethics

  • Maintain the information security of the country, society and the public
  • Be honest, trustworthy and law-abiding
  • Work hard and conscientiously
  • Develop yourself and uphold professional honor


Origin blog.csdn.net/weixin_43263566/article/details/131985438