Classified Protection (2) - Classified Protection Project Process


Classified Protection Project Process

  • Assessment object: Information system (business system)
  • Evaluation points: secure physical environment, secure communication network, secure area boundary, secure computing environment, security management center
  • Evaluation purpose: pass the classified protection assessment
  • Main processes: grading, filing, classified protection evaluation, construction and rectification, supervision and inspection

 

Phase 1: Project Start

Organize the security policy documents and training documents.

1. Business trip plan:

  • The project manager assigns the task (project) and contacts Party A's personnel and the business computer room administrators to confirm the tasks and materials
  • Confirm the business trip time and location
  • Reimbursement rules
  • Travel mode: Didi, train, bus
  • Accommodation (choose somewhere nearby): bring your ID card, etc.
  • Weather

2. Prepare project materials:

  • You need the computer room topology diagram, the asset table (that is, the accounts and passwords of the devices), and the computer room administrator table
  • Console cable, network cable, USB flash drive (may not end up being used, but must be prepared)
  • It may help to ask the other party what the information systems in the computer room are used for
  • Equipment manuals for the devices in the computer room (can be viewed on the manufacturer's official website)
  • Manufacturer's after-sales service hotline: the number usually starts with 400. You generally need to provide contact information: email, WeChat ID, and the product serial number

Phase 2: Information system asset research and analysis

  • Collect equipment information, system information, and the computer room administrator form
  • If the other party does not have a complete asset table and topology diagram of the relay, you need to help the customer draw a diagram and supplement the asset table.
  • Be sure to confirm on site that every account in the asset table can actually log in

 

Phase 3: Information system grading and filing

1. Grading

Network operators should determine the future security protection level during the planning and design stage.

When major changes occur in network functions, service scope, service objects, and outgoing data, network operators should change the security protection level of the network in accordance with the law.

Network grading follows this process: the network operator proposes the network grade, experts review it, the competent authority approves it, and the public security agency reviews it.

The final grade is determined by experts.

  • Level 1: After the information system is damaged, it will cause damage to the legitimate rights and interests of citizens, legal persons and other organizations, but will not damage national security, social order and public interests;
  • Level 2: After the information system is damaged, it will cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or damage to social order and public interests, but will not damage national security;
  • Level 3: After the information system is damaged, it will cause particularly serious damage to citizens, legal persons and other organizations, cause serious damage to social order and public interests, or cause damage to national security;
  • Level 4: After the information system is damaged, it will cause particularly serious damage to social order and public interests, or cause serious damage to national security;
  • Level 5: After the information system is damaged, it will cause particularly serious damage to national security.

For Level 2 projects, you only need to pass the MLPS assessment once when the system goes online (in theory, it is still once every two years).

After a Level 3 project passes its go-live evaluation, it needs to be evaluated once a year.

2. Filing

You first get a preliminary registration number from the cyber security department; you can only get the real registration number after passing the assessment.

 

Phase 4: Security Gap Analysis and Risk Assessment

(Similar to a mock exam)

Gap assessment: following the evaluation company's approach, evaluate the equipment and environment to produce a gap assessment report, then carry out security reinforcement and rectification based on that report.

The gap analysis does not affect the final on-site evaluation result. The first evaluation usually does not go well; it is mainly a self-assessment.

 

Phase 5: Security reinforcement and rectification assistance

  • This phase is security reinforcement, with the manufacturer called in to solve the problems (to avoid taking the blame, for existing business systems it is best not to change the configuration yourself, so that you do not cause system operation errors)
  • Enable the audit function, update the audit module, firewalls, routers, switches, and trunk links. It is best not to configure the device ports yourself. If possible, ask the manufacturer to change it.
  • For independently contracted projects, discuss with the computer room administrator
  • If the equipment's maintenance period (maintenance and warranty coverage) has not expired, try to have the security vendor's engineers come and do the work. We only need to provide guidance.
  • If the maintenance period is over and the owner has to pay for the work, it is still best to call the manufacturer if you can. (Before that, you can do some reinforcement in advance based on the gap risk assessment, such as password policy and log backup, as long as it does not affect the backbone link. If it would affect the backbone link, try not to do it yourself. Side-attached devices or redundant devices are fine.)

 

Phase 6: Security Review

(Second mock test, generally not encountered)

 

Phase 7: On-site evaluation

Use the preliminary registration number obtained from the grading filing, and invite seven evaluation companies in (Fujian) Province to come over and do the evaluation.

Only qualified companies can conduct evaluations and make a detailed assessment of the on-site environment.

Level 3 projects start with on-site assessment in the second year

 

Phase 8: Rectification and passing the evaluation

If the score in the evaluation report issued by the evaluation company is below 70 points, rectify until the score reaches 70 points or more and there are no high-risk items; only then is the evaluation passed. If the evaluation reaches 70 points on the first attempt, it passes directly.

High-risk items carry veto power.

After passing the assessment, you will get a paper assessment report issued by the assessment company (usually 2-3 copies: one for the company, one for the Ministry of Public Security, and one for yourself).

 

Phase 9: Project Acceptance

The evaluation report is finally submitted to the network security department --> get the final results --> registration number --> the information system is allowed to go online

Origin blog.csdn.net/qq_61562251/article/details/135220580