What is website MLPS (等保) compliance, and how is an MLPS programme carried out?

I am not sure whether you have heard of MLPS compliance (等保合规, the classified protection of cybersecurity). Some time ago a teacher's websites were hacked; all sorts of fixes were tried but none of them worked. Friends in that situation could actually consider putting the system through an MLPS security evaluation.

Let us first look at the definition. 等保 is short for information security classified protection (信息安全等级保护): protecting, by level, important national information, the proprietary information of legal persons, other organisations and citizens, public information, and the information systems that store, transmit and process that information; managing the information security products used in those systems by level; and responding to and handling the information security incidents that occur in those systems by level.

First, legal requirements
Cybersecurity Law of the People's Republic of China, Article 21: The State implements a classified protection system for cybersecurity. Network operators shall, in accordance with the requirements of the classified protection system, perform the following security protection obligations to keep the network free from interference, damage or unauthorised access, and to prevent network data from being leaked, stolen or tampered with.
Cybersecurity Law of the People's Republic of China, Article 31: For critical information infrastructure in public communications and information services, energy, transport, water conservancy, finance, public services, e-government and other important industries and sectors, and any other infrastructure whose damage, loss of function or data leakage could seriously endanger national security, the national economy, people's livelihood or the public interest, the State implements key protection on the basis of the classified protection system. The specific scope of critical information infrastructure and its security protection measures are formulated by the State Council.

Second, evaluation methods under the "Evaluation Requirements for Classified Protection"

1. For application systems:

① Inspect the main application systems and check whether each has a function that validates the data entered through its human-machine interfaces or received through its communication interfaces.

② Test the main application systems by entering data of different lengths and formats through the human-machine interface, observe how the system reacts, and verify that the interface's validation function behaves correctly.

③ Carry out penetration testing of the main application systems, attempting to bypass access control, to verify whether the application's access control has any obvious weaknesses.
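Items ① and ② above describe a test, not a tool, so here is a harness for it, added as an example and not taken from the original page. `register()` is a hypothetical handler standing in for the application under test, and the probe cases are constructed; the harness feeds the interface inputs of varying length and format and records whether each is cleanly rejected, wrongly accepted, or crashes the handler, which is exactly what the checklist item asks an evaluator to observe. `register_weak()` is a deliberately unchecked handler included only to show what the probe reports against a failing system.

```python
"""Input-validation probe for a human-machine interface (checklist items ① and ②).

Added example, not code from the original page. register() and register_weak()
are hypothetical handlers; CASES are constructed inputs.
"""
import re

MAX_NAME = 32                                   # assumed field limit of the hypothetical form
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def register(form: dict) -> bool:
    """Hypothetical handler with proper validation: True when the form is accepted."""
    name, email, age = form.get("name", ""), form.get("email", ""), form.get("age", "")
    if not isinstance(name, str) or not (1 <= len(name) <= MAX_NAME):
        return False
    if any(ord(c) < 0x20 for c in name):        # reject control characters
        return False
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.match(email):
        return False
    if not isinstance(age, str) or not age.isdigit() or not (0 < int(age) < 150):
        return False
    return True


def register_weak(form: dict) -> bool:
    """Hypothetical handler with no length, type or format checks (for contrast)."""
    return bool(form.get("name")) and "@" in str(form.get("email", ""))


GOOD = {"name": "Li Lei", "email": "li@example.com", "age": "30"}

# Constructed probe cases: (label, form, should the interface accept it?)
CASES = [
    ("baseline",         GOOD, True),
    ("name at max len",  {**GOOD, "name": "a" * MAX_NAME}, True),
    ("name max+1",       {**GOOD, "name": "a" * (MAX_NAME + 1)}, False),
    ("name 100k",        {**GOOD, "name": "a" * 100_000}, False),
    ("empty name",       {**GOOD, "name": ""}, False),
    ("control chars",    {**GOOD, "name": "li\x00lei"}, False),
    ("email bad format", {**GOOD, "email": "not-an-email"}, False),
    ("age non-numeric",  {**GOOD, "age": "30 OR 1=1"}, False),
    ("age negative",     {**GOOD, "age": "-5"}, False),
    ("wrong type",       {**GOOD, "name": ["Li"]}, False),
    ("missing field",    {"email": "li@example.com"}, False),
]


def probe(handler, cases=CASES):
    """Run every case against the handler and classify the outcome.

    "ok"             - handler accepted/rejected as expected
    "wrong-decision" - handler accepted bad input or rejected good input
    "crash:<Error>"  - handler raised instead of failing closed
    """
    results = {}
    for label, form, expected in cases:
        try:
            results[label] = "ok" if handler(form) == expected else "wrong-decision"
        except Exception as exc:
            results[label] = f"crash:{type(exc).__name__}"
    return results


def failures(results):
    """Only the cases an evaluator would write up as findings."""
    return {label: outcome for label, outcome in results.items() if outcome != "ok"}


if __name__ == "__main__":
    for name, handler in (("register", register), ("register_weak", register_weak)):
        print(name, failures(probe(handler)) or "all cases handled correctly")
```

Extend CASES with whatever the real interface accepts (file uploads, JSON bodies, multibyte text); the point is that every case carries an expected verdict, so a handler that silently accepts over-length or malformed input shows up as "wrong-decision" and one that throws shows up as a crash.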
2. For database systems:

① Inspect the main server operating systems and main database management systems and check whether access by anonymous and default accounts has been disabled or restricted, and whether redundant, expired and shared accounts have been removed.

② Inspect the permission settings of the main server operating systems and database management systems and check whether user rights have been restricted in line with the security policy.

③ Check whether the patches of the main server operating systems and database management systems have been applied promptly.

④ Inspect the account lists of the main server operating systems and database management systems and check that the administrator user name assigned is unique.

⑤ Check whether the main server operating systems and database management systems apply identity authentication, and whether the authentication information is hard to impersonate, for example through limits on password length, complexity and rotation period.

⑥ Check whether, on the main database servers, the database administrator and the operating system administrator are different people.
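Checks ① to ⑥ are usually done by hand from SQL output and config files, but each one reduces to a rule over a few data sources, so here is an automated version, added as an example and not taken from the original page. Every input is a constructed sample embedded inline; a real audit would read /etc/passwd, /etc/login.defs and the output of `SELECT User, Host, authentication_string, account_locked FROM mysql.user`, `SHOW GRANTS` and `SHOW VARIABLES` on the MySQL side. The thresholds (8 characters, 90 days), the version numbers and the names of the administrators are assumptions chosen for illustration, not values taken from the standard.

```python
"""Configuration audit for database-side checklist items ① to ⑥.

Added example, not code from the original page. All inputs are constructed
samples; thresholds and versions are assumptions, not values from GB/T 22239.
"""

# ① rows of mysql.user: (User, Host, authentication_string, account_locked)
MYSQL_USERS = [
    ("root", "localhost", "$A$005$Rj7c...constructed", "N"),
    ("", "localhost", "", "N"),          # anonymous account, still enabled
    ("app", "10.0.0.%", "$A$005$Xq2m...constructed", "N"),
    ("legacy", "%", "", "N"),            # no password, reachable from any host
]

# ② one SHOW GRANTS line per account
MYSQL_GRANTS = {
    "root@localhost": "GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` WITH GRANT OPTION",
    "app@10.0.0.%": "GRANT ALL PRIVILEGES ON *.* TO `app`@`10.0.0.%`",
    "legacy@%": "GRANT SELECT ON `shop`.* TO `legacy`@`%`",
}

# ④ /etc/passwd lines
PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "toor:x:0:0:second superuser:/root:/bin/bash",
    "dba:x:1001:1001::/home/dba:/bin/bash",
]

# ⑤ /etc/login.defs lines and MySQL password variables (SHOW VARIABLES)
LOGIN_DEFS = ["PASS_MAX_DAYS\t99999", "PASS_MIN_DAYS\t0", "PASS_MIN_LEN\t5"]
MYSQL_VARS = {
    "validate_password.policy": "LOW",
    "validate_password.length": "6",
    "default_password_lifetime": "0",   # 0 means passwords never expire
}


def check_anonymous_or_default(users):
    """① anonymous (empty User) or passwordless accounts that are not locked."""
    findings = []
    for user, host, auth, locked in users:
        if locked == "Y":
            continue
        if user == "":
            findings.append(f"anonymous account ''@{host} is enabled")
        elif auth == "":
            findings.append(f"account {user}@{host} has no password")
    return findings


def check_privileges(grants, allowed_superusers=("root@localhost",)):
    """② global ALL PRIVILEGES held by anything other than the expected DBA account."""
    return [f"{acct} has global ALL PRIVILEGES" for acct, g in grants.items()
            if "ALL PRIVILEGES ON *.*" in g and acct not in allowed_superusers]


def check_patch_level(running, baseline):
    """③ running version against the patched baseline the auditor supplies."""
    def as_tuple(s):
        return tuple(int(p) for p in s.split("."))
    if as_tuple(running) >= as_tuple(baseline):
        return []
    return [f"version {running} is below patched baseline {baseline}"]


def check_unique_admin(passwd_lines):
    """④ every UID 0 entry is an administrator; there must be exactly one."""
    admins = [line.split(":")[0] for line in passwd_lines if line.split(":")[2] == "0"]
    return [] if len(admins) == 1 else [f"multiple UID 0 accounts: {', '.join(admins)}"]


def check_password_policy(login_defs, mysql_vars, min_len=8, max_days=90):
    """⑤ length, complexity and rotation on both the OS and the DBMS."""
    findings = []
    defs = dict(line.split(None, 1) for line in login_defs if line.strip() and not line.startswith("#"))
    if int(defs.get("PASS_MIN_LEN", 0)) < min_len:
        findings.append(f"login.defs PASS_MIN_LEN below {min_len}")
    if int(defs.get("PASS_MAX_DAYS", 99999)) > max_days:
        findings.append(f"login.defs PASS_MAX_DAYS exceeds {max_days}")
    if int(mysql_vars.get("validate_password.length", 0)) < min_len:
        findings.append(f"MySQL validate_password.length below {min_len}")
    if mysql_vars.get("validate_password.policy", "LOW") == "LOW":
        findings.append("MySQL validate_password.policy is LOW (no complexity rule)")
    lifetime = int(mysql_vars.get("default_password_lifetime", 0))
    if lifetime == 0 or lifetime > max_days:
        findings.append(f"MySQL default_password_lifetime disables rotation or exceeds {max_days} days")
    return findings


def check_role_separation(dbas, os_admins):
    """⑥ the DBA and the OS administrator must be different people."""
    return [f"{p} is both DBA and OS administrator" for p in sorted(set(dbas) & set(os_admins))]


def audit():
    """Run every check on the constructed samples; an empty list means PASS."""
    return {
        "①": check_anonymous_or_default(MYSQL_USERS),
        "②": check_privileges(MYSQL_GRANTS),
        "③": check_patch_level("8.0.32", "8.0.36"),
        "④": check_unique_admin(PASSWD),
        "⑤": check_password_policy(LOGIN_DEFS, MYSQL_VARS),
        "⑥": check_role_separation(dbas={"zhang"}, os_admins={"zhang", "li"}),
    }


if __name__ == "__main__":
    for item, findings in audit().items():
        print(item, "PASS" if not findings else "FAIL")
        for f in findings:
            print("   -", f)
```

Two caveats a reviewer should keep in mind: check ③ can only compare against a baseline you supply (the script cannot know the vendor's latest release offline), and the "shared account" part of ① still needs a human, since nothing in mysql.user says whether several people know one password.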

Third, the service process

System grading → system filing → rectification and implementation → system evaluation → operation and maintenance inspection


① System grading: prepare the grading report and fill in the filing form.

② System filing: once the grading form is completed, submit the grading materials to the public security organ for filing review.

③ Rectification and implementation: survey the system, carry out a gap assessment, design the programme in accordance with the relevant national standards, procure equipment and complete the corresponding adjustments, configure and debug policies, and improve the management system.

④ System evaluation: engage the local evaluation agency to evaluate every aspect of the system; once a passing score is obtained, the classified protection evaluation report is issued and, finally, the filing certificate.

⑤ Operation and maintenance inspection: keep operating, maintaining and optimising the system, and undergo the annual inspection required by the relevant regulations.

Alibaba Cloud provides tenants with MLPS filing evidence, the conclusion page of its own evaluation report, a customer statement for classified protection evaluation and other materials to assist with the evaluation of systems hosted on the cloud. To help systems on Alibaba Cloud meet MLPS compliance requirements quickly, Alibaba Cloud has also built an "MLPS compliance ecosystem" together with partner consultancies, evaluation agencies and the public security organs, providing its customers with a one-stop, end-to-end MLPS compliance solution.

Fourth, frequently asked questions

1. If MLPS is not done and a problem occurs, what liability arises?

① A network operator that fails to perform the cybersecurity protection obligations set out in Article 21 of the Cybersecurity Law of the People's Republic of China is ordered by the competent department to rectify and given a warning; if it refuses to rectify, or if harm to cybersecurity results, it is fined between 10,000 and 100,000 yuan, and the persons directly in charge are fined between 5,000 and 50,000 yuan (the penalty clause is Article 59).

② An operator of critical information infrastructure that fails to perform the cybersecurity protection obligations set out in Article 34 of the Cybersecurity Law of the People's Republic of China is ordered by the competent department to rectify and given a warning; if it refuses to rectify, or if harm to cybersecurity results, it is fined between 100,000 and 1,000,000 yuan, and the persons directly in charge are fined between 10,000 and 100,000 yuan.

2. Which industries need to do MLPS?

Finance, gaming, education, e-commerce, online lending, telecommunications, energy, transport and others.

3. What do the submitted filing materials include?

① Information System Security Classified Protection Filing Form (in duplicate)

② Information System Security Classified Protection Grading Report (one per system)

③ System grading review opinion (or the grading review opinion of the higher competent department)

④ Related electronic data, etc.

4. Will rectification involve purchasing equipment? If some non-conformities cannot be closed immediately, can the filing still go through?

According to GB/T 22239-2008 (Information security technology: baseline for classified protection of information system security; the 2008 edition cited here has since been replaced by GB/T 22239-2019), a Level 3 system must:

① provide hardware redundancy for the main network equipment, communication lines and data processing systems, to guarantee high availability of the system;

② establish a backup power supply.

These items require purchasing equipment. A Level 2 system has no such requirement, but it must still have the hardware that is necessary to make up its network security.

5. How long is the whole cycle, and how long is the on-site evaluation?

① The whole evaluation cycle, covering the preliminary survey, the on-site evaluation and the subsequent report writing, usually takes 3 to 4 weeks for a Level 2 system and 4 to 5 weeks for a Level 3 system (for a first evaluation, excluding rectification and hardening time).

② The on-site part (the evaluation carried out at the premises of the organisation being evaluated) depends on the number of systems: usually 3 to 4 working days for a Level 2 system and 5 to 6 working days for a Level 3 system (two teams working in parallel, two people per team).

6. How often is an MLPS evaluation check carried out?

Level 2 systems are evaluated every two years; Level 3 systems are checked every year.


Source: www.cnblogs.com/anrangxing/p/12049425.html