Almost every enterprise must take the network security "exam": how should you prepare?

The national standard for the Cybersecurity Classified Protection system 2.0 (commonly "Classified Protection 2.0") was officially released on May 13 and takes effect on December 1, 2019. Almost every business will have to go through the classified protection "exam", so how should you prepare? The Cloud Plus Community invited Tencent Cloud security expert Wang Yu to answer questions in the community's WeChat group; this article is compiled from that sharing session (editor: Tail End). To join the group, follow the Cloud Plus Community official account and reply "join group".

Hello everyone, I am Wang Yu. I have worked in information security for 18 years, and today I would like to share some knowledge about Classified Protection 2.0.

Since December 2016, Tencent Cloud's public cloud platform and financial cloud platform have carried out classified protection filing and evaluation in accordance with the trial version of the Classified Protection 2.0 standards. In May 2017, around the formal implementation of the Cybersecurity Law, the public cloud platform passed the level 3 evaluation and the financial cloud platform passed the level 4 evaluation. Combining the results Tencent Cloud has achieved with many years of accumulated compliance experience, I will give a detailed interpretation from the angles of the security operations center and encryption management.

First, what is classified protection?
Information security classified protection (hereinafter "classified protection") means implementing security protection for information systems by level, according to the state secrets, the proprietary information of legal persons, other organizations and citizens, and the public information that those systems store, transmit and process; managing by level the information security products used in those systems; and responding to and handling information security incidents in those systems by level.

The national standard for Cybersecurity Classified Protection 2.0 was officially released on May 13 and takes effect on December 1, 2019. Classified Protection 2.0 specifies the minimum security requirements for information systems at each of the five security levels, that is, the baseline security requirements, which cover both basic technical requirements and basic management requirements and guide and supervise the security construction and management of information systems.

Key industries bearing on people's livelihood, such as finance, medical care and education, have already issued documents or notices requiring classified protection work to be carried out. The release of the standard has had an evident impact on the information security work of organizations, including their cloud security work.

Second, what are the major changes in Classified Protection 2.0?
1. From "guideline" to "law"
The biggest difference between Classified Protection 2.0 and 1.0 is the change in its nature.

Classified Protection 2.0, whose full name is the "Cybersecurity Classified Protection 2.0 standards", is an important standard for protecting networks and information systems according to their classified importance level. With Classified Protection 2.0, the security standards and regulations that network security practitioners and regulators follow in their work now have a basis to rely on. Classified Protection 2.0 is also an important part of fulfilling security obligations; units that refuse to perform it will be punished accordingly, so "not doing classified protection is illegal".

Going from "guideline" to "law" raises the rigor by more than a little. The scope of protection has also changed: in addition to the general requirements, extended requirements have been added for new forms such as cloud computing, mobile Internet, the Internet of Things, industrial control and big data. The conditions for grading and the defined evaluation and filing processes have also been adjusted.

2. "One center, triple protection" as the general idea for network security technology design
The "one center" is the security management center; the "triple protection" is the secure computing environment, the secure area boundary and the secure communication network.

The security management center requires centralized management and control in three aspects: system management, security management and audit management. It shifts from passive protection to active protection, from static protection to dynamic protection, from single-point protection to overall protection, and from coarse-grained protection to precise protection.

Triple protection requires companies to implement, by technical means and security devices, identity authentication, access control, intrusion prevention, data integrity, confidentiality, personal information protection and other security measures, achieving platform security across the board.

3. Strict requirements for encryption management
Classified Protection 2.0 clearly requires that encryption requirements be considered from the initial design, construction and procurement stages. It sets out explicit security requirements for using cryptographic technology in communication network transmission, the computing environment, identity authentication, data integrity and data confidentiality. In addition, it proposes strengthened protection and integrity verification requirements for cloud images and snapshots, and proposes definite procurement standards for the application of national commercial cryptography ("guomi") products.

4. Establishing the important position of trusted computing technology
Classified Protection 2.0 emphasizes trust-related security features: it requires not only that executable programs and their parameters be validated through trusted verification, but also that an alert be raised and a response made when an integrity problem is detected.

Third, what is the evaluation process for Classified Protection 2.0?
Specifically, the Classified Protection 2.0 evaluation process mainly includes the following aspects:

1. Determine the grade
First, identify the system, describe its functions, its management and the division of responsibilities, and preliminarily determine the system's security protection level based on the degree of harm a breach would cause to its business information and system service objects. Where there is a competent authority, the grade should be approved by it. Information systems proposed for level 4 or above should be reviewed by an expert panel.

2. Filing
The operating and using unit files systems determined to be level 2 or above with the local municipal-level public security organ. Newly built level 2 or higher information systems are filed within 30 days of going into operation; level 2 or higher systems already in operation are filed within 30 days of the level being determined. The public security organ reviews the filing and, for systems meeting the classified protection requirements, issues a filing certificate within 10 working days.

3. Conduct classified evaluation
The operating and using unit and the competent authority shall select a compliant evaluation body and regularly evaluate the security protection status of the information system. The evaluation body shall issue an evaluation report and a notice of the evaluation results, stating the information system's security level and the evaluation result.

4. Security system rectification and construction
The operating and using unit, in accordance with the technical standards and management practices required by the management measures, selects information security products, builds a security system that meets the requirements of its information security level, establishes a security organization, and formulates and implements security management systems. For systems that do not meet the security protection requirements of their level, the operating and using unit shall carry out rectification and report to the public security organ.

5. Supervision and inspection
Public security organs carry out supervision and inspection of the classified protection work of operating and using units according to the information security classified protection management measures, and regularly inspect the security of information systems. The operating unit shall accept the security supervision, inspection and guidance of the public security organ and provide it with relevant materials.

Fourth, how companies can quickly pass Classified Protection 2.0
Almost every business needs to take part in classified protection; whether you participate is not necessarily related to the size or headcount of the company. Government, finance, telecommunications, electric power ... to put it bluntly, this "final exam" basically covers all enterprises, with government agencies and the financial industry as the focus of examination. The exam focuses on the enterprise's security technology and management capabilities.

Once a business understands the basics of Classified Protection 2.0, what should it do? With the "Classified Protection 2.0" exam approaching, how can a business unit thoroughly understand the classified protection system and improve itself to avoid a "retake" or a penalty? Tencent security experts have prepared a "pass kit" for enterprises.

1. The correct attitude toward the exam
"Classified protection" is an excellent security self-test for the company

The most immediate benefit is that it lets the enterprise meet the regulator's security compliance requirements. At the same time, by "sitting the exam", the enterprise's security and defense capabilities are strengthened as problems are continuously identified and solved, and a more rigorous and comprehensive enterprise security system follows, which is a healthier development trend for the enterprise.

Passing classified protection does not grant a license of exemption

The state organizing Classified Protection 2.0 is the goal, not the means; even if a company has passed Classified Protection 2.0, it does not mean it has obtained an exemption from security. On the division of responsibilities on a cloud platform, consistent with the current international practice of mainstream cloud service providers, this is called the "shared responsibility" model.

(See the Tencent Cloud shared responsibility security model: https://cloud.tencent.com/services/security )

In general, the security of the entire cloud computing environment and the underlying physical infrastructure is provided uniformly by the cloud service provider, while cloud customers put more time and energy into the finer-grained, more specialized security of their services, applications and data. Each cloud service provider's standard may differ slightly, but the general direction is the same. This is also a necessary condition for meeting the requirements of the national classified protection system under Classified Protection 2.0.

2. Watch the new test focus: one center + triple protection
Compared with Classified Protection 1.0, Classified Protection 2.0 adjusts the core of enterprise security by proposing the "one center, triple protection" general idea for network security technology design, requiring businesses to plan and design overall security from a strategic perspective. The so-called strategic perspective means paying more attention to the integrity of security.

In response to this new requirement, we believe companies should:

First, establish a cloud security operations platform based on enterprise cloud security data to realize vulnerability intelligence, threat discovery, event handling, baseline compliance, leak detection, risk visualization and other security management functions, ensuring centralized management and control of cloud resources and business security;

Second, strengthen key management by building a complete data encryption and key management program to ensure the security of important data during transmission, storage and use, meeting the multiple-protection requirements;

Third, in building the cloud security platform, start from the angles of general business, compliance and security management: lay the foundation of security management with asset, configuration and baseline management, and improve the mechanisms for vulnerability operations management, security penetration testing and security inspection.

3. Focus: personal information and data security
Given that single-point data defense is increasingly failing, we believe that when thinking about data security protection, enterprises should first raise the level of protection technology to deal with the risks at every stage of the data flow; second, through a unified governance platform, connect the series of isolated single-point defense capabilities, eliminate blind spots between protections and achieve sustainable data management; and third, focus on developing a data security management strategy.

Based on this idea, Tencent Security has launched Data Shield, a comprehensive enterprise data security management center, to help enterprises focus on strengthening data asset awareness, security management and joint prevention and control capabilities, using AI to link and integrate the isolated security of each node, and to practically help enterprises solve the problem of comprehensive protection of users, behavior and data flows.

4. Beware of the points where it is easy to "fail" the exam
First, the protection requirements are adjusted by level: in addition to the original general requirements for industries, Classified Protection 2.0 clarifies "extended requirements" for new areas such as cloud computing, mobile Internet and the Internet of Things, and avoiding a misjudged grade is an important prerequisite for avoiding a "retake";

Secondly, in addition to traditional defense against attacks, Classified Protection 2.0 also requires companies to defend before, during and after an event. Auditing does not guard against the root of a problem; it is through post-event traceability that where the problem occurred can be found and the next round of defense prepared. Defense must shift from passive protection to situational awareness and early warning, dynamic protection and emergency response;

Furthermore, attention should be paid to the accuracy of the classified protection grade. If the grading is inaccurate, it will mislead the security construction and the subsequent level evaluation work, directly affecting the results of security defense. Bringing in professional security companies and industry expert services helps complete the construction with service continuity, reducing labor costs and improving efficiency.

5. Case studies
One business, similar in type to an online ride-hailing business, did not prepare in advance. At its initial application it was asked for a classified protection evaluation, along with other regulatory reviews. The company eventually passed classified protection after a delay of some time, which delayed the overall launch of its business application and caused great losses.

Another business found a small system integrator and, following the test requirements, bought a pile of security equipment. In the end, although it spent more than 100 million on equipment, the devices did not play their intended role.

So here I recommend choosing an evaluation body from the recommended directory of national network security classified protection evaluation agencies (see the appendix at the end).

Finally, a reminder: the exam officially opens on December 1, 2019. Please prepare early to avoid the risks of ordered rectification, administrative penalty, suspended registration, suspended operations and other "retake" or "fail" outcomes.

Fifth, Q&A within the group
Q: What help can Tencent Cloud provide?

A: Currently, Tencent Cloud has passed classified protection level 3, and Tencent Financial Cloud has passed the level 4 requirements, so we can provide a compliant cloud platform for cloud tenants, which is a prerequisite for a tenant's business system to pass the Classified Protection 2.0 evaluation.

For specific security products and services, to meet the classified protection level 2 and level 3 requirements, Tencent Security has basic security products such as the web application firewall (WAF), DDoS high-defense protection (also known as "Yu"), the bastion host (data security gateway) and database auditing, providing AI-based one-stop Web business operation risk protection for government and enterprises, a variety of DDoS solutions, and a database security management and auditing solution that combines centralized operation and maintenance with AI.

At the same time, we also match related products and have built out basic services for the level 2 and level 3 requirements, including technical expert consulting and app security hardening; these can help companies identify information security weaknesses in their information assets and business processes and provide recommendations for information security risk treatment plans against information security threats. In addition, there are special systematic network security classified protection construction and compliance assessment services for clients on the cloud, so that security construction is no longer a burden on businesses.

In addition, we can also provide security services for corporate clients in scenarios such as mobile security. Taking the mobile security area as an example, we have management and control products for mobile terminals and mobile applications such as UEM (User Experience Management), giving customers more focused, manageable control of mobile terminals and applications.

Q: Teacher, is there a specific requirements checklist?

A: You can refer to "GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity" (follow the Cloud Plus Community official account and reply "classified protection requirements" to download the PDF).

Q: If we are not ready to start now, is it a little too late? Will there be very serious consequences?

A: No. Recognizing it is already progress: first determine the grade and file, then do a gap analysis, and rectify step by step.

Q: Does level 3 have any requirements for user identity information retained in the system?

A: It requires desensitization (masking) or encrypted storage.

Q: Are there any requirements for data export?

A: Normal use is fine; illegal use and unauthorized access are prohibited.

Q: But what if it is hacked, or illegally obtained? Would that be a problem?

A: Yes. That is why it should be stored encrypted.

Q: What about showing it on a page, how should that be handled?

A: Mask part of it with asterisks, or click to view.

Q: So the page display also needs desensitization?

A: Yes.
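The masking and click-to-view answers above, as an added example that is not Tencent's code: identity fields are shown masked by default, and the clear value is released only to an authorised role with every attempt written to an audit trail. The field formats (11-digit phone, 18-digit ID number), the sample record and the role name "pii_viewer" are assumptions.

```python
"""Masked display of user identity fields with an audited click-to-view path.
Added example for this article's Q&A; it is not Tencent's code.  The field
formats (11-digit phone, 18-digit ID number) and the role name 'pii_viewer'
are assumptions."""
from datetime import datetime, timezone

# Constructed sample record; the values are not real.
SAMPLE_USER = {
    "name": "张三",
    "phone": "13800138000",
    "id_number": "110101199001011234",
    "email": "zhangsan@example.com",
}


def mask_middle(value: str, keep_head: int, keep_tail: int) -> str:
    """Keep the first keep_head and last keep_tail characters, replace the
    rest with '*'.  Values too short to keep anything safely are fully masked."""
    if len(value) <= keep_head + keep_tail:
        return "*" * len(value)
    hidden = len(value) - keep_head - keep_tail
    return value[:keep_head] + "*" * hidden + value[len(value) - keep_tail:]


def mask_email(value: str) -> str:
    """Mask the local part of an e-mail address and keep the domain."""
    local, sep, domain = value.partition("@")
    if not sep:
        return "*" * len(value)
    return mask_middle(local, 1, 0) + "@" + domain


# Per-field masking policy: what the page shows by default.
MASK_POLICY = {
    "name": lambda v: mask_middle(v, 1, 0),       # 张*
    "phone": lambda v: mask_middle(v, 3, 4),      # 138****8000
    "id_number": lambda v: mask_middle(v, 6, 4),  # 110101********1234
    "email": mask_email,                          # z*******@example.com
}


def mask_record(record: dict) -> dict:
    """Default rendering of a user record: every governed field is masked."""
    return {k: MASK_POLICY[k](v) if k in MASK_POLICY else v
            for k, v in record.items()}


def reveal_field(record: dict, field_name: str, actor: str,
                 roles: set, audit_log: list) -> str:
    """Click-to-view.  The clear value is returned only to an authorised role,
    and every attempt, allowed or denied, is appended to the audit log so the
    access can be traced afterwards."""
    allowed = "pii_viewer" in roles
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "field": field_name,
        "allowed": allowed,
    })
    if not allowed:
        raise PermissionError(f"{actor} may not view {field_name}")
    return record[field_name]
```

Calling `mask_record(SAMPLE_USER)` gives the masked page view; `reveal_field(SAMPLE_USER, "phone", "auditor01", {"pii_viewer"}, log)` returns the clear value and leaves an entry in `log`.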

If you want to continue consulting on related issues, you can leave a message at the end of this article.

Sixth, about the guest

Tencent Cloud security expert Wang Yu

An 18-year security veteran with hands-on experience of more than 100 classified protection projects. Holds qualifications including Classified Protection Evaluator, Certified Information Security Auditor, Cloud Security Alliance certification, ISO 27001 Lead Auditor and State Registered Information Security Professional.

Appendix

Recommended list of national network security classified protection evaluation agencies

http://www.djbh.net/webdev/web/LevelTestOrgAction.do?p=nlbdLv3&id=402885cb35d11a540135d168e41e000c


Source: www.cnblogs.com/qcloud1001/p/11867819.html