What? What is classified protection evaluation (等级保护测评)?
Network security classified protection (网络安全等级保护, often abbreviated MLPS) means protecting and supervising networks (including information systems and data) by level, managing the network security products used in a network by level, and responding to and handling the security incidents that occur in a network by level. For historical and practical reasons the scheme has been called the information security classified protection system, network security classified protection, and classified protection of networks and information systems; the names differ, but they refer to the same scheme. Here "network" means a system composed of computers or other information terminals and related equipment that collects, stores, transmits, exchanges and processes information according to defined rules and procedures, including network facilities, information systems and data resources.
Classified protection divides networks into five security protection levels according to the importance of the system and the harm caused if it is compromised; the levels increase from the first to the fifth. Once the level is determined, networks at the second level and above must be filed (备案) with the public security organ, which reviews the filing materials and the accuracy of the classification and issues a filing certificate. The filing unit then carries out security construction and rectification according to the network's level and the national standards: building security facilities, implementing security measures, assigning security responsibilities, and establishing and enforcing a security management system. It selects an evaluation institution that meets national requirements to perform the level evaluation (等级测评). The public security organ provides guidance for second-level networks and carries out regular supervision and inspection of third- and fourth-level networks.
The relationship between classification elements and security protection levels (following the national classification guideline GB/T 22240; a network is assigned the highest level that any of its rows reaches):

| Level | Object | Object of harm | Degree of harm | Regulatory intensity |
|---|---|---|---|---|
| Level 1 | general network | legitimate rights and interests of citizens, legal persons and other organizations | damage | autonomous protection |
| Level 2 | general network | legitimate rights and interests | serious damage | guidance |
| | | social order and public interest | damage | |
| Level 3 | important network | legitimate rights and interests | particularly serious damage | supervision and inspection |
| | | social order and public interest | serious damage | |
| | | national security | damage | |
| Level 4 | particularly important network | social order and public interest | particularly serious damage | mandatory supervision and inspection |
| | | national security | serious damage | |
| Level 5 | extremely important network | national security | particularly serious damage | special supervision and inspection |
Why? Why do we need classified protection evaluation?
Legal and regulatory requirements

Article 21 of the Cybersecurity Law (in force since 2017): establishes the network security classified protection system and requires network operators to fulfil the security protection obligations it lists in accordance with that system.

Article 38 of the Cybersecurity Law: operators of critical information infrastructure must, on their own or through a network security service organization, test and assess the security and possible risks of their networks at least once a year and report the results and improvement measures to the competent department.

Article 59 of the Cybersecurity Law: sets the penalties (orders to rectify, warnings and fines for the operator and the persons directly responsible) for network operators that fail to perform the security protection obligations in Articles 21 and 25.

In 2008 the State Council's "Three Decisions" plan (三定方案) gave the Ministry of Public Security the statutory duty of "supervising, inspecting and guiding information security classified protection work".

Article 9 of the 1994 Regulations on the Security Protection of Computer Information Systems of the People's Republic of China (State Council Order No. 147) stipulates: "Computer information systems implement security classified protection. The standards for classifying security levels and the specific methods of security classified protection shall be formulated by the Ministry of Public Security together with the relevant departments."

Article 6, item 12 of the People's Police Law of the People's Republic of China stipulates that the people's police perform the duty of "supervising and managing the security protection of computer information systems".
Industry requirements

Industry policies and industry standards for finance, government, electric power, radio and television, education and other sectors.

Enterprise system security requirements

By carrying out classified protection work, information system operators and users can discover the security risks and deficiencies in their own systems, and can
How? How to do classified protection evaluation
| No. | Step | Responsible party | Description |
|---|---|---|---|
| 1 | Classification (定级) | network operator | |
| 2 | Filing (备案) | network operator | The network operator submits the classification and filing materials to the public security organ as required by the local public security organ; the public security organ issues a filing certificate for networks whose classification is accurate and meets the requirements. |
| 3 | Security construction and rectification (安全建设整改) | network operator | The network operator carries out security construction and rectification in accordance with the national standards for the network's security protection level. |
| 4 | Level evaluation (等级测评) | evaluation institution | The network operator selects an evaluation institution that meets the conditions set by the state; for networks at the third level and above (including national critical information infrastructure) a level evaluation is conducted every year to find problems and hidden dangers and to propose rectification measures. |
| 5 | Supervision and inspection (监督检查) | public security organ | Every year the public security organ carries out law-enforcement inspections of how network operators perform classified protection work and of the security status of their networks. |
In today's connected world the network has become a necessity for almost every enterprise and individual. As *** has said, "cybersecurity is for the people, and cybersecurity depends on the people." Only when every enterprise grasps the spirit of the Cybersecurity Law, starts with itself and manages the security of its own information systems will the country's cyberspace become ever cleaner and clearer.