Classified protection (等级保护, MLPS) evaluation overview

Classified protection evaluation (等级保护测评) is the evaluation mechanism built on the national information security classified protection system and its regulations. Commissioned by the relevant unit, and following the relevant management norms and technical standards, an evaluation agency uses scientific means and methods to examine the security protection status of a specific information system through security technology evaluation and security management evaluation. It judges how far the system's technical and management measures comply with the security requirements set for its level, gives a conclusion on whether the system meets the requirements of its security level, and proposes security corrective recommendations for the nonconforming items.
Scientific means and methods
Classified protection evaluation uses six kinds of means, each probing deeper than the last:
· survey interviews (business, assets, security technology and security management);
· document review (management systems, security policies);
· on-site observation (physical environment, physical deployment);
· configuration review (hosts, network, security devices);
· technical testing (vulnerability scanning);
· evaluation (security evaluation, compliance evaluation).
Security technology evaluation:
Security technology evaluation covers: physical security, network security, host security, application security, data security.
Security management evaluation:
Security management evaluation covers: security management systems, security management organization, personnel security management, system construction management, system operation and maintenance management.

Information system life cycle
The information system life cycle is divided into five stages: information system classification, overall security planning, security design and implementation, secure operation and maintenance, and information system termination.
Information system classification
Classification and filing (定级备案) is the most important part of information security classified protection work. Classification follows the principle of "self-classification by the operator, expert review, approval by the competent authority, examination by the public security organs". In classified protection work, the unit that operates or uses the information system and its competent authority act on the principle of "whoever is in charge is responsible, whoever operates is responsible", and accept the supervision of the information security classified protection regulatory authorities.
The overall security planning
The goal of the overall security planning stage is, starting from the classification of the information system and the business it carries, to analyze the system's security requirements clearly, design a reasonable overall security program that meets the protection requirements of its level, and draw up a security implementation plan to guide the subsequent security construction of the system. For a system that is already in operation, the first step is a needs analysis that judges the gap between its current state and the protection requirements of its level.
Security design and implementation
The goal of the security design and implementation stage is to implement security measures in phases and step by step, according to the requirements of the overall security program and in combination with the system's planned security construction projects.
Secure operation and maintenance
Secure operation and maintenance is a necessary part of the classified protection implementation process for keeping the information system running normally. It covers a great deal, including establishing the secure O&M organization and mechanisms, environment management, asset management, equipment, media, network, system, password and key management, operation and change management, security status monitoring and security incident handling, security audits and security inspections, and so on. This standard does not cover all of the management and control processes listed above; users of this standard who want a full understanding of the secure operation and maintenance phase can consult other process standards or guidance.
Information system termination
Information system termination is the last link of the classified protection implementation process. When an information system is transferred, terminated or discarded, properly handling the sensitive information inside it is critical to the security of the organization's information assets. In the information system life cycle some systems are not discarded in the true sense but are technically upgraded or changed into new business systems; the termination process for such systems should ensure the security of information transfer, equipment relocation and media destruction.
The basic implementation process
In the secure operation and maintenance phase, if an information system is partially adjusted because of changed requirements or other reasons, but its protection level has not changed, the system should go from the secure operation and maintenance phase back into the security design and implementation phase, where the security measures are re-designed, adjusted and implemented so that the system meets the requirements of its protection level. If the information system changes so significantly that its protection level changes, it should go from the secure operation and maintenance phase back to the classification phase and start a new round of the classified protection implementation process.



Classified protection evaluation workflow
Preparation phase
Project start
· Establish the evaluation team.
· Prepare the project plan.
· Identify the materials the commissioning unit must provide.
Information collection and analysis
· Review the classification report, system description documents, security design documents, the self-inspection report or the last evaluation report (if a classified protection evaluation has been done before), and other information.
· Adjust the contents of the questionnaire to the situation of the system under review.
· Distribute the questionnaire to the commissioning unit.
Tools and forms preparation
· Debug the evaluation tools.
· Build a simulated evaluation environment.
· Carry out a simulated evaluation.
· Prepare and print the forms.
Planning phase
Determine the evaluation objects
· Identify the level of the system under test.
· Identify the overall structure of the system under test.
· Identify the boundaries of the system under test.
· Identify the network zones of the system under test.
Determine the evaluation indices
· Identify the security levels of the business information and of the system services of the system under test.
· Select the security requirements of the corresponding A, S and G levels as the evaluation indices.
Note: A, S and G
A: service assurance class. Requirements that keep the system running normally and continuously, so that unauthorized modification or destruction of the system cannot leave it unable to provide service; e.g. power supply, resource control, software fault tolerance.
S: business information security class. Requirements that protect data from leakage during storage, transmission and processing and from unauthorized modification and destruction; e.g. physical access control, boundary integrity check, identity authentication, communication integrity, communication confidentiality.
G: general security class. Requirements common to both, such as security audit in the technical class and the management-class requirements (management systems and so on).
Determine the test tool access points
· Testing tools are needed during the evaluation; they may include vulnerability scanners, penetration testing tools and protocol analyzers.
· Determine the evaluation objects that need to be tested.
· Select the test paths.
· Determine the access points of the testing tools on the test paths.
Evaluation guide development
The evaluation guide is the document that tells evaluation personnel specifically how to carry out the evaluation activities, describing in detail the tools, methods and procedures of the on-site evaluation; it is the fundamental guarantee that the evaluation activities are standardized. The guide can be compiled by selecting the corresponding evaluation objects from the existing evaluation guidance manual.
Evaluation plan development
The evaluation plan is the basis for carrying out the evaluation work and guides the on-site evaluation activities. It should include, but is not limited to: project overview, evaluation objects, evaluation indices, evaluation content, evaluation methods.
On-site evaluation phase
In the on-site evaluation phase, communication and coordination with the commissioning unit lay the foundation for a smooth on-site evaluation; the on-site evaluation work is then carried out according to the evaluation plan, putting the planned evaluation methods into practice. The on-site work should obtain sufficient evidence and information for the report.
On-site evaluation preparation
· Sign the evaluation authorization with the commissioning unit, make sure it understands the security risks that the evaluation process may carry, and prepare the corresponding emergency and backup measures.
· Hold the on-site evaluation kick-off meeting, at which the evaluation agency organizes the on-site work and both sides go over the evaluation content, methods and the evaluation plan.
· Both sides confirm the personnel, environment and other resources.
On-site evaluation and results recording
· Carry out the evaluation according to the evaluation guide.
· Record the evidence and information acquired during the evaluation.
· Summarize the evaluation records and carry out supplementary evaluation if necessary.

Evaluation implementation
· Interview
- Interview means that evaluation personnel talk with and question the relevant personnel of the information system (individuals or groups) to obtain evidence of whether the system's security protection measures are effectively implemented. The interview scope should basically cover all types of security-related personnel; the number of people can be sampled.
· Check
- Check means that evaluation personnel observe, examine and analyze the evaluation objects to obtain evidence of whether the system's security protection measures are effectively implemented. The check scope should basically cover all object types (equipment, documents, mechanisms and so on); the number can be sampled.
· Testing
- Testing means that evaluation personnel apply predetermined methods or tools to the evaluation objects to produce specific responses, and obtain evidence of whether the system's security protection measures are effectively implemented by viewing and analyzing the output. The test scope should basically cover the different types of mechanisms; the number can be sampled.

Results confirmation and material return
· Hold the on-site evaluation closing meeting.
· The commissioning unit confirms the correctness of the information and evidence obtained during the evaluation and signs off on it.
· The evaluators return all borrowed materials.

Report preparation phase
After the on-site work ends, the evaluation agency summarizes and analyzes the results obtained on site, forms the level evaluation conclusion and prepares the evaluation report.

Determining individual item results
· Analyze, for each evaluation item, the threats it is meant to counter.
· Analyze how far the evidence for each individual evaluation item conforms to the corresponding requirement.

Determining unit evaluation results
· For each evaluation unit, summarize the individual item results of every evaluation object.
· Judge the unit evaluation result for each evaluation object.

Overall evaluation
Analyze the relationships between the partially conforming or nonconforming items and the other evaluation items (within a unit, between layers, across regions) and their impact on the results.

Risk analysis
· Starting from the partially conforming and nonconforming items left after the unit evaluation and the overall evaluation, judge the likelihood that the resulting security problems are exploited by threats; the range of values is high, medium, low.
· For the same items, judge the impact that a threat exploiting the problem would have on the security of the business information and of the system services of the system under test; the range of values is high, medium, low.
· Combine the two steps to assign a risk value to the security risk faced by the information system; the range of values is high, medium, low.
· Combine the protection level of the system under test with the risk analysis results to evaluate the risk, i.e. the harm to national security, public order, the public interest and the legitimate rights and interests of citizens, legal persons and other organizations.

Level evaluation conclusion
After the overall evaluation, count the partially conforming and nonconforming items among the individual evaluation results once again and form the level evaluation conclusion.
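The result-aggregation steps above (individual item results, unit results per evaluation object, likelihood and impact combined into a risk value, and the level conclusion), as an added Python example; it is not code from the original page or from any evaluation tool. The evaluation records, the unit and item names, the 3x3 likelihood/impact risk matrix and the conclusion rule (conform when every item conforms, nonconform when any gap carries high risk, otherwise basically conform) are all assumptions made for illustration.

```python
"""Aggregate classified-protection (等级保护) evaluation records into unit results,
risk values and a level conclusion. Example code; all data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CONFORM, PARTIAL, NONCONFORM = "conform", "partial", "nonconform"
LOW, MEDIUM, HIGH = "low", "medium", "high"
_RESULT_RANK = {CONFORM: 0, PARTIAL: 1, NONCONFORM: 2}   # worse result = higher rank
_LEVEL_SCORE = {LOW: 1, MEDIUM: 2, HIGH: 3}


@dataclass(frozen=True)
class ItemResult:
    unit: str        # evaluation unit (hypothetical naming: "<layer>/<control>")
    obj: str         # evaluation object, e.g. a host or device name
    item: str        # evaluation item inside the unit
    result: str      # CONFORM / PARTIAL / NONCONFORM
    likelihood: str  # likelihood that a threat exploits the gap (LOW / MEDIUM / HIGH)
    impact: str      # impact on business-information / system-service security


def item_risk(rec: ItemResult) -> Optional[str]:
    """Risk value of a partially/non-conforming item; None for a conforming one.

    Assumed 3x3 matrix: multiply the likelihood and impact scores (1..3);
    a product of 6 or more is high, 3 or more is medium, otherwise low.
    """
    if rec.result == CONFORM:
        return None
    score = _LEVEL_SCORE[rec.likelihood] * _LEVEL_SCORE[rec.impact]
    if score >= 6:
        return HIGH
    if score >= 3:
        return MEDIUM
    return LOW


def unit_results(records: List[ItemResult]) -> Dict[str, Dict[str, str]]:
    """Unit result per evaluation object: the worst of that object's item results in the unit."""
    out: Dict[str, Dict[str, str]] = defaultdict(dict)
    for rec in records:
        current = out[rec.unit].get(rec.obj, CONFORM)
        out[rec.unit][rec.obj] = max(current, rec.result, key=_RESULT_RANK.__getitem__)
    return dict(out)


def findings(records: List[ItemResult]) -> List[Tuple[str, str, str, str, str]]:
    """Gaps with their risk value, highest risk first: the input to corrective recommendations."""
    gaps = [(r.unit, r.obj, r.item, r.result, item_risk(r)) for r in records if r.result != CONFORM]
    return sorted(gaps, key=lambda g: _LEVEL_SCORE[g[4]], reverse=True)


def summarize(records: List[ItemResult]) -> Dict[str, Optional[object]]:
    """Counts that feed the level conclusion: partial / nonconform items and the highest risk."""
    partial = sum(1 for r in records if r.result == PARTIAL)
    nonconform = sum(1 for r in records if r.result == NONCONFORM)
    risks = [item_risk(r) for r in records if r.result != CONFORM]
    highest = max(risks, key=_LEVEL_SCORE.__getitem__, default=None)
    return {"partial": partial, "nonconform": nonconform, "highest_risk": highest}


def level_conclusion(records: List[ItemResult]) -> str:
    """Assumed rule: 'conform' if every item conforms, 'nonconform' if any gap
    carries high risk, otherwise 'basically conform'."""
    s = summarize(records)
    if s["partial"] == 0 and s["nonconform"] == 0:
        return "conform"
    if s["highest_risk"] == HIGH:
        return "nonconform"
    return "basically conform"


# Constructed sample records for one small system under test (not a real evaluation).
SAMPLE_RECORDS = [
    ItemResult("host/identity-authentication", "web-01", "password-complexity", CONFORM, LOW, LOW),
    ItemResult("host/identity-authentication", "web-01", "login-failure-handling", PARTIAL, MEDIUM, MEDIUM),
    ItemResult("host/identity-authentication", "db-01", "password-complexity", CONFORM, LOW, LOW),
    ItemResult("host/identity-authentication", "db-01", "login-failure-handling", CONFORM, LOW, LOW),
    ItemResult("network/security-audit", "core-switch", "audit-record-coverage", NONCONFORM, MEDIUM, LOW),
    ItemResult("application/access-control", "portal", "authorization-granularity", CONFORM, LOW, LOW),
]

if __name__ == "__main__":
    for unit, objs in unit_results(SAMPLE_RECORDS).items():
        print(unit, objs)
    for gap in findings(SAMPLE_RECORDS):
        print("gap:", gap)
    print(summarize(SAMPLE_RECORDS), "->", level_conclusion(SAMPLE_RECORDS))
    # One high-likelihood, high-impact gap is enough to turn the conclusion into "nonconform".
    escalated = SAMPLE_RECORDS + [
        ItemResult("data/communication-confidentiality", "portal", "encrypted-transport", NONCONFORM, HIGH, HIGH)
    ]
    print(summarize(escalated), "->", level_conclusion(escalated))
```

The unit result for each object is the worst of its item results, which is why "web-01" comes out partial although one of its items conforms; the conclusion depends on the highest risk value among the gaps, not on how many gaps there are.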

Evaluation report preparation
The evaluation report should include: project overview, description of the system under test, evaluation scope and methods, unit evaluation, overall evaluation, summary of evaluation results, risk analysis and evaluation, level evaluation conclusion, and recommendations for security construction and correction.

Classified protection program implementation



Evaluation content and methods

Physical security
Physical security evaluation content and methods: (table not recoverable from the page)
Physical security evaluation basic requirements and implementation methods: (table not recoverable from the page)

Network security
Network security evaluation content and methods: (table not recoverable from the page)
Network security evaluation basic requirements and implementation methods: (table not recoverable from the page)

Host security
Host security evaluation content and methods: (table not recoverable from the page)
Host security evaluation basic requirements and implementation methods: (table not recoverable from the page)

Application security
Application security evaluation content and methods: (table not recoverable from the page)
Application security evaluation basic requirements and implementation methods: (table not recoverable from the page)

Data security
Data security evaluation content and methods: (table not recoverable from the page)
Data security evaluation basic requirements and implementation methods: (table not recoverable from the page)

Tip:
For the network security and data security parts, protection can be implemented with a WAF, e.g. ShareWAF (http://www.sharewaf.com).
Host security is usually protected with a firewall (anti-virus, anti-DDoS and so on); firewalls from vendors such as 绿盟 (NSFOCUS) or 启盟 can be chosen.

Security management
Security management system evaluation content and methods: (table not recoverable from the page)
Security management organization evaluation content and methods: (table not recoverable from the page)
Personnel security management evaluation content and methods: (table not recoverable from the page)

System aspects
System construction management evaluation content and methods: (table not recoverable from the page)
System operation and maintenance management evaluation content and methods: (table not recoverable from the page)

Security measures
(figure not recoverable from the page)

Summary:
Classified protection (等保) is about to enter the 2.0 era, and the new market demand brought by 等保 2.0 is predicted to exceed 20 billion, so I collected materials and compiled this brief introduction to classified protection evaluation!

Source: www.cnblogs.com/csj0907569-/p/12154353.html