Why do we need to conduct network security level protection assessment?

What? —What is level protection evaluation?

Network security level protection means applying protection and supervision to networks (including information systems and data) according to their assigned level, managing the network security products used in a network by level, and responding to and handling security incidents in a network by level. For historical and practical reasons the scheme has been called the information security level protection system, network security level protection, and level protection of networks and information systems; the names differ, but the substance is the same. Here "network" means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to defined rules and procedures, including network facilities, information systems, data resources and so on.

Network security level protection divides networks into five security protection levels according to the importance of the information system and the harm caused if it is compromised (the levels rise from the first level to the fifth). Once the level is determined, networks at the second level and above must be filed with the public security organ, which reviews the filing materials and the accuracy of the grading and issues a filing certificate. The filing unit then carries out security construction and rectification according to the network's security level and national standards: building security facilities, implementing security measures, assigning security responsibilities, and establishing and operating a security management system. It selects an evaluation institution that meets national requirements to carry out level evaluation. The public security organ provides guidance for second-level networks and conducts regular supervision and inspection of third- and fourth-level networks.

The relationship between grading elements and security protection levels

| Level | Object | Infringed object | Degree of infringement | Regulatory intensity |
|---|---|---|---|---|
| Level 1 | general network | legitimate rights and interests | damage | autonomous protection |
| Level 2 | general network | legitimate rights and interests | serious infringement | guidance |
| Level 2 | general network | social order and public interest | particularly serious infringement | guidance |
| Level 3 | important network | legitimate rights and interests | extremely serious damage | supervision and inspection |
| Level 3 | important network | social order and public interest | serious damage | supervision and inspection |
| Level 3 | important network | national security | harm | supervision and inspection |
| Level 4 | particularly important network | social order and public interest | extremely serious damage | mandatory supervision and inspection |
| Level 4 | particularly important network | national security | serious harm | mandatory supervision and inspection |
| Level 5 | extremely important network | national security | particularly serious harm | special supervision and inspection |

Why? —Why do we need to do level protection evaluation?

Legal and regulatory requirements

Article 21 of the 2017 Cybersecurity Law:

  • Network operators shall, in accordance with the requirements of the network security level protection system, perform the following security protection obligations to protect the network from interference, destruction or unauthorized access, and to prevent network data from being leaked, stolen or tampered with.

Article 38 of the Cybersecurity Law:

  • Operators of critical information infrastructure shall, on their own or by entrusting a network security service agency, test and assess the security and possible risks of their networks at least once a year, and report the test and assessment results and improvement measures to the department responsible for the security protection of critical information infrastructure.

Article 59 of the Cybersecurity Law:

  • If a network operator fails to perform its obligations, the relevant competent department shall order it to make corrections and issue a warning; if it refuses to make corrections or causes consequences such as endangering network security, it shall be fined not less than RMB 10,000 but not more than RMB 100,000, and the directly responsible person in charge shall be fined not less than RMB 5,000 but not more than RMB 50,000.
  • If the operator of critical information infrastructure fails to perform its obligations, the relevant competent department shall order it to make corrections and issue a warning; if it refuses to make corrections or causes consequences such as endangering network security, it shall be fined not less than RMB 100,000 but not more than RMB 1 million, and the directly responsible persons shall be fined not less than RMB 10,000 but not more than RMB 100,000.

In 2008, the State Council's "Three Decisions" plan assigned the Ministry of Public Security the legal responsibility of "supervising, inspecting and guiding information security level protection work."

Article 9 of the 1994 "Regulations of the People's Republic of China on the Security Protection of Computer Information Systems" (State Council Order No. 147) clearly stipulates: "Computer information systems shall implement security level protection. The standards for classifying security levels and the specific methods of security level protection shall be formulated by the public security department together with relevant departments."

Article 6, Item 12 of the "People's Police Law of the People's Republic of China" stipulates that the people's police perform the duty of "supervising and managing the security protection of computer information systems."

Industry requirements

Industry policies and industry standards in finance, government, electric power, radio and television, education and other sectors set their own guidance requirements for level protection.

Enterprise system security requirements

By carrying out level protection work, information system operators and users can discover security risks and deficiencies within their systems, and through security rectification can improve the system's security protection capability and reduce the risk of being attacked.

How? —How to do level protection evaluation

No. | Process | Responsible party | Description

1. Grading (responsible party: network operator)

  • The network operator drafts a network security protection level grading report in accordance with the "Guide for Grading Network Security Level Protection" (《网络安全等级保护定级指南》).
  • It convenes an expert review meeting to assess the reasonableness of the preliminary grading result and obtain written expert review opinions.
  • It submits the preliminary grading result to the industry competent authority for review and obtains the opinion of the higher-level authority.

2. Filing (responsible party: network operator)

  • The network operator files the network grading materials with the public security organ as required by the local public security organ; the public security organ issues a filing certificate for network systems whose grading is accurate and meets the requirements.

3. Level evaluation (responsible party: evaluation institution)

  • The network operator selects an evaluation institution that meets the conditions prescribed by the state. For networks at the third level and above (including national critical information infrastructure), a level evaluation is carried out every year to find problems and hidden risks and to propose rectification recommendations.

4. Security construction and rectification (responsible party: network operator)

  • The network operator carries out security construction and rectification in accordance with national standards, according to the network's security protection level.

5. Supervision and inspection (responsible party: public security organ)

  • Every year the public security organ conducts law-enforcement inspections of how network operators are carrying out network security level protection work and of the security status of their networks.

In this information-rich Internet age, the network is almost a necessity for every enterprise and every individual. *** has also said: "Cybersecurity is for the people, and cybersecurity depends on the people." Only when every enterprise grasps the spirit of the Cybersecurity Law, starts with itself and manages the security of its own information systems well will the cyberspace of the whole country become ever clearer.

Origin blog.csdn.net/qq_23435961/article/details/129157819