Network security management system construction

1. Background overview

  With the continuous development and application of information technology, network security management faces new challenges. This document is formulated in accordance with relevant national laws and regulations in order to strengthen and standardize network security work, raise the overall security protection level of our unit's network, and make network security controllable, controlled and under control.

  The purpose of this document is to provide an overall framework for network security management that guides the establishment of the unit's network security management system. The management system serves as the reference for the security management of our unit's information systems, so as to achieve unified security policy management, raise the overall level of network and network security, ensure that security controls are actually implemented, and guarantee smooth network communication and the normal operation of business systems.

2. Overall framework

  Security is three parts technology and seven parts management: any technical measure can only deliver its full value under sound management. The barrel (weakest-link) effect makes the same point, since threats always exploit the weakest aspect to breach the security stronghold. Only by improving enterprise network security across the board can possible security incidents be effectively prevented and controlled.

  After sorting out the contents of the Basic Requirements for Classified Protection of Cybersecurity and summarizing each layer, the network security assurance architecture diagram of our unit was drawn (see Figure 1). This security architecture plans the full scope of network security management under the guidance of our unit's overall policy and security strategy. At the top level it is divided into three systems: the management system, the operations system and the technical system. The management system takes the organization, personnel and the management rules for each specific area as its management objects; the operations system covers the management content of the relevant stages and aspects of system construction and system operation and maintenance; the technical system follows the concept of "one center, three layers of protection" and sorts out the relevant control points of the secure physical environment, secure communication network, secure area boundary and secure computing environment.

3. Document management

3.1 National laws and regulations

Laws: "Cybersecurity Law of the People's Republic of China"

Regulations: "Regulations of the People's Republic of China on Security Protection of Computer Information Systems"

"Regulations on Security Protection of Critical Information Infrastructure"

"Regulations on Classified Protection of Cybersecurity"

Documents:

"Opinions of the National Informatization Leading Group on Strengthening Information Security Work"

"Implementation Opinions on Information Security Level Protection"

"Notice on Carrying out the Grading Work of National Important Information System Security Level Protection"

"Information Security Level Protection Registration Implementation Rules"

"Guiding Opinions on Carrying out the Rectification Work of Information Security Level Protection and Safety Construction"

"Notice on Strengthening Information Security Risk Assessment of E-government Engineering Construction Projects"

"About Promoting the Construction of Information Security Level Protection Evaluation System"

"Public Security Organs Information Security Level Protection Inspection Work Specifications"

3.2 Company rules and regulations and management measures

  Security management of information systems requires clearly defined security management objectives and scope. For information and information systems involving national security, social order, economic development and the public interest, a plan document for system security objectives and scope shall be prepared that covers system facilities, operations and related matters.

  The information system security management strategy includes planning, organizational, personnel, management, security technology and life-cycle strategies, which together form a systematic set of information system security policies.

  Management rules include the procedures and rules for information system security management formulated according to the organization's overall security policy and business application needs. These cover document management, management responsibilities, personnel security management, security awareness and security technology education, security audit management, user management, risk management, information classification and grading management, security incident reporting, incident handling, emergency management, disaster recovery management, network security management, system security management, data security management, anti-virus rules, computer room security management and the related operating rules; network security management rules covering equipment use management, security configuration, testing and vulnerability assessment, system information security backup and related operating procedures, network connection inspection and assessment, network use authorization, network monitoring, change control of network facilities (equipment and protocols) and related operating procedures; application security management rules covering application security assessment, application system use authorization, application system configuration management, application system document management and related operating procedures; and information security management rules covering storage media management, third-party access control and related operating procedures.

3.3 Safe operation rules

  Security operating procedures are the steps or methods for specific activities. They may take the form of an operations manual, a process form or an implementation method, but they must clearly embody or carry out the network security policy, or the policies and principles that network security requires. They provide a relatively complete, systematic security protection capability and relatively complete security management measures for information systems, protecting information as a whole from unauthorized disclosure and damage and ensuring that information systems run securely and normally.

  Security configuration specifications shall be established for the key network security equipment, host operating systems, database management systems and similar components deployed in important classified-protection objects. They should include the Oracle Security Configuration Baseline, SQL Server 2008 Security Configuration Baseline, Windows 7 Operating System Security Configuration Baseline, Windows Embedded Standard Operating System Security Configuration Baseline, Windows Server 2012 Operating System Security Configuration Baseline, Windows 2008 Operating System Security Configuration Baseline, MOXA Switch Security Configuration Baseline, and so on.

3.4 Ledger management

  A ledger (Attachment 1) shall be established for every category of equipment, software and service information to facilitate lookup, use and management. The responsible department registers, adds, removes and modifies the entries in its ledgers and updates each ledger every quarter. Recorded information may not be changed without the approval of the department head. The information center supervises the implementation of each department's ledger data to ensure that it is accurate, timely and complete.

4. Organizational structure

4.1 Organization description and safety responsibilities

Figure 1: Network security organization chart

4.2 Company level

  The company's Cybersecurity and Informatization Committee is designated as the highest leadership body for network security, and the committee's office is located in the company's information center. Networks are self-classified in accordance with the "Guide to Grading of Classified Protection of Cybersecurity"; for each classified network, the relevant competent department is responsible for its security in the planning and design, construction and use stages respectively.

4.3 Sub-branch level

Subsidiaries and branches set up their own information management departments to assist the company's information center in managing the related network security work of subsidiaries and branches.

4.4 System level

Network security responsibilities follow the principle of "whoever is in charge is responsible, whoever builds is responsible, whoever uses is responsible, and whoever maintains is responsible". Responsibility for network security in each period is traced to the competent department of that period, and each department determines the responsible persons for its networks. The head of each department is the first person responsible for network security in that department.

5. Network security level protection management measures

5.1 Rating

For networks in each period, grading is carried out by the construction or operating department with reference to the "Guide to Grading of Classified Protection of Cybersecurity". The network's level is determined by its importance to national security, economic development and social life, and by the degree of harm to national security, social order, the public interest and the legitimate rights and interests of citizens, legal persons and other organizations once the network is compromised, loses its function, or has its data tampered with, leaked, lost or damaged.

5.2 Filing

  For networks in each period, the filing materials are prepared by the construction or operating department and then submitted to the supervisory department for review. The supervisory department files them with the municipal public security bureau in a unified manner and designates a person to liaise with the bureau.

5.3 Evaluation

The level assessment is based on the "Basic Requirements for Network Security Level Protection" and combined with the company's actual situation to conduct level protection security assessment for networks rated Level 2 and above. The company should entrust an experienced third-party evaluation agency with relevant national technical qualifications and security qualifications to conduct a grade protection evaluation based on the network classification filing status and in strict accordance with network security laws, regulations and standards, and issue a grade protection evaluation report.

During the evaluation, the department organizing the evaluation work should review the schedule and implementation plan of the grade evaluation, and is responsible for coordinating the departments of the system so that they actively cooperate with the evaluation and it proceeds smoothly.

6. Emergency response

  The capability to handle cybersecurity emergencies should be strengthened, forming a scientific, effective and rapid emergency mechanism that ensures the physical, operational and data security of the network, minimizes the harm caused by cybersecurity emergencies, protects network security and maintains normal communication channels between companies.

  Emergency work follows the principles of "prevention first, rapid response, tiered responsibility and constant readiness". A security incident reporting and handling management system shall be established that defines tiered incident management, the reporting, handling and response procedures for different types of incidents, and the management responsibilities for on-site handling, incident reporting and subsequent recovery. During incident reporting and response, the cause of the incident is analyzed and identified, evidence is collected, the handling process is recorded, and lessons learned are summarized.

7. Network security protection

7.1 Overall protection

Establish a defense-in-depth system with defense, detection and recovery mechanisms.

(1) Comprehensive and in-depth defense system: protection mechanisms should be as complete as possible, with a defense against every kind of attack. Consider deploying network firewalls, intrusion prevention systems, anti-virus gateways, Internet behavior management / network auditing systems, database firewalls, (web) application firewalls, host firewalls, terminal security management, operating system hardening and anti-virus software, to establish a comprehensive protection system.

(2) Optimize and strengthen security policies: sort out the network defense lines and defense mechanisms, adopt fine-grained control policies, and minimize the opening, mapping and access policies configured for each service. By default, controlled interfaces deny all communication except what is explicitly allowed, with control granularity down to the port level.

(3) Monitoring and response mechanism: make comprehensive use of network/host vulnerability scanning, database vulnerability scanning, application vulnerability scanning, penetration testing, intrusion detection systems, anti-APT systems, log analysis systems and other scheduled or real-time scanning to detect system security risks. When an incident occurs, apply hardening or emergency measures in a timely manner, including IP restrictions, connection-count or time restrictions, network isolation, system recovery, vulnerability repair and data recovery (contingency preparations must be in place at all times);

(4) Backup and recovery mechanism: comprehensively adopt line backup, host backup, data backup and recovery, webpage anti-tampering, etc. to restore the damaged system in time.

7.2 Cell protection

Harden equipment to ensure that the defense system remains effective.

(1) Firmware upgrades and vulnerability repair: confirm the latest versions and known vulnerabilities of network equipment, security equipment, operating systems, database systems, middleware and application systems through vendor consultation and vulnerability scanning, then upgrade and patch each system so that it runs the most secure version with the latest patches installed;

(2) Signature database updates: update the signature databases of intrusion prevention systems, anti-virus gateways, database firewalls, (web) application firewalls, anti-virus software, vulnerability scanning systems, intrusion detection systems and similar products;

(3) Equipment control: improve the password security policies of network equipment, security equipment, host operating systems, database systems, middleware and application systems, and enforce password length and complexity (recommended: more than 8 characters, mixing uppercase and lowercase letters, digits and special characters), login failure handling (recommended: no more than 5 failed attempts, after which the account is locked or connections are limited for no less than 10 minutes), least-privilege accounts and similar policies. Default accounts and empty or weak passwords are strictly prohibited.
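As an added illustration that is not part of the original document, the following Python snippet turns the password-complexity and login-failure rules of item (3) into checks an application or administration script could enforce. The threshold constants are taken from the page's recommendations; the clock is passed in explicitly (an assumption made for testability) so the lockout window can be exercised without waiting.

```python
import re
from dataclasses import dataclass, field

# Thresholds from section 7.2 (3): 8+ characters mixing upper/lower case,
# digits and special characters; at most 5 failures, then lock for 10 minutes.
MIN_LENGTH = 8
MAX_FAILURES = 5
LOCK_SECONDS = 10 * 60


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


@dataclass
class LoginFailureHandler:
    """Tracks consecutive failed logins per account and enforces the lockout.
    `now` is a Unix timestamp supplied by the caller (hypothetical design)."""
    failures: dict = field(default_factory=dict)      # account -> count
    locked_until: dict = field(default_factory=dict)  # account -> unix time

    def is_locked(self, account: str, now: float) -> bool:
        return self.locked_until.get(account, 0.0) > now

    def record_failure(self, account: str, now: float) -> bool:
        """Record one failed attempt; True means the account is now locked."""
        if self.is_locked(account, now):
            return True
        count = self.failures.get(account, 0) + 1
        self.failures[account] = count
        if count >= MAX_FAILURES:           # fifth consecutive failure locks
            self.locked_until[account] = now + LOCK_SECONDS
            self.failures[account] = 0
            return True
        return False

    def record_success(self, account: str, now: float) -> bool:
        """Only accept a successful login if the account is not locked."""
        if self.is_locked(account, now):
            return False
        self.failures.pop(account, None)   # reset the failure counter
        return True
```

A real deployment would persist the counters (for example in the directory service or database) rather than in process memory, so that restarting the service does not clear an active lockout.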

7.3 Others

  Guard against the risk of internal operating errors: be cautious about clicking external links and opening files from outside sources, and strictly prohibit connecting outside computers or USB drives.

8. Network security check

  Conduct routine security checks regularly; they cover daily system operation, system vulnerabilities, data backups and similar matters. Routine checks are generally carried out every six months, annually or quarterly, and summarize the state of the systems over that period.

  In addition to routine checks, a comprehensive security check should be carried out every six months or every year, covering the effectiveness of existing technical security measures, the consistency between security configuration and security policy, and the implementation of the security management rules. A comprehensive check may be organized in-house or through a third-party body; either way, it should cover the implementation of both technical and management security measures.

  Both daily checks and periodic comprehensive checks require a security checklist form. The results of each check are recorded and compiled into a security check report, and the results are communicated to the relevant personnel, especially the administrators of each position in the operations layer.

9. Cybersecurity publicity

9.1 Publicity channels

  Carry out concentrated cybersecurity publicity and education activities across the whole company to strengthen employees' cybersecurity awareness, raise their basic protection skills, foster a safe, healthy and civilized network environment, safeguard employees' legitimate rights and interests in cyberspace, and effectively maintain network security.

  September of each year is Cybersecurity Publicity Month. Under the leadership of the Cybersecurity and Informatization Committee, the information center takes the lead and all company departments jointly organize the activities. The company holds its own cybersecurity publicity and education activities according to its actual circumstances.

(1) Cybersecurity public service announcements can be pushed to company websites, official accounts, advertising screens, elevators, restaurant TV systems and building TV systems.

(2) Hold cybersecurity knowledge competitions, set up an online cybersecurity quiz column on the website, or organize various kinds of cybersecurity skills competitions.

(3) Distribute cybersecurity popular-science materials or organize expert lectures: distribute or post cybersecurity promotional materials within the company, including brochures, flyers, posters, popular-science books and small gifts carrying cybersecurity tips, and invite a cybersecurity expert to run a cybersecurity education campaign.

Source: blog.csdn.net/Arvin_FH/article/details/132718553