Shulou (Shulou.com) report, 06/01; updated 2025-01-27. Section: SLTechnology News&Howtos > Network Security
Compliance, in short, means conforming to laws, regulations, policies and the relevant rules and standards. In the field of information security, level protection (等级保护, commonly known as the Multi-Level Protection Scheme), graded protection of secret-related systems (分级保护), the Sarbanes-Oxley Act, the sales license for special computer information system security products, and commercial cryptography management are typical compliance requirements.
Information security compliance evaluation is mandated by the state: after an information system has been built or upgraded, its operating or using unit (or its competent department) must select a qualified evaluation institution to test and evaluate the system's conformance to the information security compliance requirements. Such evaluation is mandatory and periodic (re-testing at fixed intervals), and it is an important means by which the national information security authorities supervise the implementation of compliance requirements and safeguard information security.
I. Information security compliance requirements
1. Level protection
Level protection divides information systems into five levels according to the value of the system's basic resources and information resources, the scope of user access rights, and the importance of each subsystem within the larger system. Classifying by level, by region, by category and by stage is the premise of national information security protection. Level protection is carried out in accordance with the Opinions on the Implementation of Information Security Level Protection and the Measures for the Administration of Information Security Level Protection, jointly issued by the Ministry of Public Security, × × ×, × × × and the State Information Office.
2. Graded protection
Graded protection applies to secret-related information systems (systems involving state secrets). The security protection level such a system must reach is determined by the classification level of the secrets it handles, the importance of the system, and the harm to the national economy and people's livelihood if it were compromised; it is divided into three levels: confidential (秘密), secret (机密) and top secret (绝密). × × has formulated a series of management measures and technical standards on how to carry out graded protection of secret-related information systems. The two national secrecy standards currently in force are BMB17, Technical Requirements for Graded Protection of Information Systems Involving State Secrets, and BMB20, Management Standards for Graded Protection of Information Systems Involving State Secrets.
The National Secrecy Science and Technology Evaluation Center is the only security evaluation organization for secret-related information systems in China. The Shandong Province Software Evaluation Center is the sub-center it has set up in Shandong Province.
3. Sarbanes-Oxley Act
In response to the accounting frauds at Enron, WorldCom and other companies, the United States Congress passed the Public Company Accounting Reform and Investor Protection Act of 2002. The bill was sponsored by Senator Paul Sarbanes, chairman of the Senate Banking Committee, and Representative Michael Oxley, chairman of the House Financial Services Committee, and is therefore known as the Sarbanes-Oxley Act of 2002 (SOX). It amended the Securities Act of 1933 and the Securities Exchange Act of 1934 in many places and introduced new provisions on oversight of the accounting profession, corporate governance, securities market supervision and related matters.
Sarbanes-Oxley has become a hurdle that every company listed in the United States must clear. It requires a listed company's financial report to include an internal control report, makes management fully responsible for establishing and maintaining the internal control system over financial reporting and the corresponding control processes, and requires the financial report to be accompanied by an annual assessment of the effectiveness of that internal control system and its processes. A company listed in the United States must therefore not only ensure the accuracy of its financial statements but also ensure that its internal control system can pass the corresponding audit.
4. Sales license for special products for computer information system security
The sales license for special products for computer information system security is issued by the Public Information Network Security Supervision Bureau of the Ministry of Public Security in order to strengthen the administration of such products and guarantee their security functions.
Legal basis:
(1) Regulations on the Security Protection of Computer Information Systems (State Council Order No. 147, February 18, 1994).
(2) Measures for the Administration of Testing and Sales Licensing of Special Products for Computer Information System Security (Ministry of Public Security Decree No. 32, December 1, 1997).
(3) Measures for the Prevention and Control of Computer Viruses (Ministry of Public Security Decree No. 51, April 26, 2000).
Approval process:
(1) Product testing. The applicant sends a sample to the designated testing institution for testing.
(2) Application. After the product passes testing, the applicant submits the application materials for the license as required.
(3) Examination, approval and issuance. The Public Information Network Security Supervision Bureau of the Ministry of Public Security examines the application and issues the license.
5. Commercial cryptography management for information systems
To promote the development of commercial cryptography and protect the cryptographic security of important national information systems, qualified testing institutions evaluate the commercial cryptographic systems used in information systems at level 3 and above, in accordance with the Measures for the Administration of Commercial Cryptography in Information Security Level Protection, the Implementation Requirements for Commercial Cryptographic Technology in Information Security Level Protection, and the Basic Requirements for Information System Security Level Protection. The evaluation of commercial cryptographic systems under level protection has three stages: application, on-site inspection, and reporting and conclusion.
Among these compliance requirements, level protection and graded protection have become the focus and the difficulty of information security compliance evaluation because of their broad scope and their specialized, complex implementation. The rest of this article concentrates on these two concepts.
II. Distinguishing information security level protection from graded protection
As shown above, information security level protection and graded protection are two very important concepts in information security compliance evaluation; they are closely related yet different. Drawing on its practice in both level evaluation and graded-protection evaluation, the Shandong Software Evaluation Center introduces level protection and graded protection in detail and clarifies the relationship between them.
1. Information system level protection
Information system architectures are designed to meet the needs of social development, daily life and work; they mirror the structure of society and of the administrative system, and that structure is hierarchical and layered. Different information systems carry different social and economic value. The objective expression of a system's level is the value of its basic and information resources, the scope of its users' access rights, and the relative importance of each subsystem within the larger system. Information security protection must follow this objective reality, which is why classifying by level, by region, by category and by stage is the prerequisite of national information security protection.
Information system security level protection divides security protection capability into five levels:
Level 1, user self-protection: the user alone decides which resources to protect and how to protect them.
Level 2, system audit protection: the system's security mechanisms follow the guidance of level protection and give users stronger independent protection capability, in particular the ability to audit access.
Level 3, security label protection: in addition to all the functions of level 2, mandatory access control is applied to subjects and objects, and accesses are recorded for later supervision and audit.
Level 4, structured protection: extends the protection capabilities of the first three levels to all subjects and objects and supports a formally specified security policy.
Level 5, access verification protection: in addition to all the functions of the first four levels, adds an access verification function that arbitrates every access by a subject to an object, so that exclusive control over objects can be exercised and information is protected from unauthorized access.
In practice, level protection emphasizes protection in five areas:
Physical: the surrounding environment; access control and inspection; protection against fire, water, damp, rodents, pests and lightning; electromagnetic leakage and interference; backup power and its management; identification, use, storage and management of equipment.
Supporting systems: the computer system, operating system, database system and communication system.
Network: network topology, cabling and its protection, network equipment management and alarms, network monitoring and handling.
Application systems: system login, privilege separation and identification, data backup and disaster recovery, operation management and access control, password protection mechanisms, and storage management of information.
Management system: management organization and responsibilities, division of authority and accountability at each level, personnel management, training and education, equipment procurement and decommissioning, environmental management and monitoring, security and inspection systems, emergency response procedures, and control procedures for creating, changing and repealing rules and regulations.
The security control mechanisms of these five areas together make up the overall security control mechanism of the system.
2. Graded protection of secret-related information systems
Graded protection of a secret-related information system starts by determining the security protection level the system must reach, according to the classification level of the secret information it handles, the importance of the system, and the harm to the national economy and people's livelihood if it were compromised. The core of graded protection is to grade the system's security reasonably and then build, manage and supervise it according to the standards. × × has formulated a series of management measures and technical standards for this purpose; the two national secrecy standards currently in force are BMB17, Technical Requirements for Graded Protection of Information Systems Involving State Secrets, and BMB20, Management Standards for Graded Protection of Information Systems Involving State Secrets. They specify graded protection measures for each level of secret-related system in terms of physical security, information security, operational security and security management, addressing graded protection from both the technical and the management side.
The security protection of a secret-related information system is graded according to the highest classification of information the system processes: confidential, secret (with a secret-enhanced variant) and top secret.
Confidential level: the highest classification of state secrets in the system is confidential (秘密). Its protection must be no lower than level 3 of national information security level protection and must also meet the secrecy technical requirements of graded protection.
Secret level: the highest classification of state secrets in the system is secret (机密). Its protection must be no lower than level 4 of national information security level protection and must also meet the secrecy technical requirements of graded protection. A secret-level system in any of the following situations should apply the secret-enhanced requirements:
(1) the system's users are party and government leading organs at or above deputy-provincial level, or key departments such as national defense, foreign affairs, national security and the defense industry;
(2) the system holds secret information of high sensitivity or in large quantity;
(3) the users are highly dependent on the system.
Top secret level: the highest classification of state secrets in the system is top secret (绝密). Its protection must be no lower than level 5 of national information security level protection and must also meet the secrecy technical requirements of graded protection. A top secret system must be confined to a closed, secure and controllable stand-alone building and must not be connected to a metropolitan area network or wide area network.
A secret-related information system is designed according to the graded protection standards and the actual circumstances of its use. Grading follows the principle of "whoever builds it grades it". The system may be divided into security domains according to information classification, system importance and security policy, with each domain assigned its own level and protected accordingly. After construction is complete the system undergoes examination and approval; before that, a secret-related information system evaluation institution authorized by × × (the Shandong Software Evaluation Center is the only such institution in Shandong Province) evaluates the system to determine whether, at the technical level, it meets the graded protection requirements.
3. The relationship between level protection and graded protection
National information security level protection focuses on the important information systems and basic communication systems related to the national economy and people's livelihood, whether or not they involve state secrets: for example, national affairs processing systems (the office systems of party and government organs); the information systems of finance, taxation, industry and commerce, customs, energy, transport, social security, education and other infrastructure sectors; and the information systems of defense-industry enterprises, research institutes and similar units.
Graded protection of secret-related information systems covers all information systems involving state secrets, with emphasis on party and government organs, the military and defense-industry units. Secrecy departments at each level supervise and manage these systems according to their protection level, to ensure the security of the systems and their information and to ensure that state secrets are not leaked.
National information security level protection is the country's way of solving the problem of national information security as a whole and at its root; it sets the main line, the central task and the overall requirements for the development of information security. Implementing level protection for information systems is a national legal system and a basic national policy, an effective way to carry out information security protection work, and the direction in which that work develops. Graded protection of secret-related information systems is an important part of national information security level protection and is the concrete embodiment of level protection in the secret-related field.
III. Main contents of level compliance evaluation
1. Unit evaluation. Unit evaluation examines the implementation and configuration of the basic security controls required by the Basic Requirements for Information System Security Level Protection (GB/T 22239-2008), covering the security management system, security management organization, personnel security management, system construction management, system operation and maintenance management, physical security, network security, host security, application security and data security.
2. Overall evaluation. Overall evaluation analyzes the security of the information system as a whole. It mainly covers the security of the interactions between security controls, between layers and between regions, and the security of the system architecture; it is a further analysis built on the results of unit evaluation.
IV. The role of level compliance evaluation
1. Level compliance evaluation is an important link in implementing the information security level protection system.
During construction and rectification of an information system, its operators and users use level evaluation to analyze the current state of the system's security protection and its existing security problems, and on that basis determine the security requirements for rectification. Grading the information system is the starting point of all level protection work, and the Basic Requirements for level protection are the basis for protecting systems of different levels. Customers can grade their systems according to the grading guidelines and implement protection according to the Basic Requirements, thereby putting the national level protection system and its documents into effect.
2. The level evaluation report is both an important guiding document for rectifying and hardening the information system and an important attachment for the system's filing with the authorities.
If the evaluation concludes that the system does not reach the basic security protection capability of its level, the operators and users must, based on the evaluation report, draw up a rectification plan so as to reach the required protection capability as soon as possible.
3. Level evaluation lets the whole organization carry out grading work in a standardized and consistent way.
Based on the customer's organizational structure and mode of operation, the compliance evaluation formulates grading guidelines for information system security protection and defines the principles, methods and processes for grading within the organization, so that grading is carried out consistently across the whole organization.
4. It ensures that key protection objects are identified and appropriately protected.
The Basic Requirements for information system security level protection define the technical and management requirements for systems of each level. On that basis, compliance evaluation lets customers apply protection measures matched to each system's level, satisfying national laws and regulations while concentrating on key points, protecting appropriately and saving IT investment.
5. Level evaluation raises the information security awareness of internal staff.
During a compliance evaluation, third-party consultants work closely with the staff of the evaluated unit. Through targeted discussions and carefully designed questionnaires, the unit's management, business and technical staff gradually become more aware of information security compliance, strengthen their security awareness, and stop non-compliant operations.
As a third-party evaluation institution, the Shandong Software Evaluation Center believes that level compliance evaluation can guide users to adopt protection measures at every layer: network and security-domain boundaries, network and infrastructure, the endpoint computing environment, and supporting security facilities such as a security operations center.
V. The operating process of level compliance evaluation
To make full use of level evaluation in safeguarding information security, it must be carried out according to a scientific process and method. In accordance with the relevant requirements for level evaluation, the Shandong Software Evaluation Center divides the process into four basic activities: evaluation preparation, scheme preparation, on-site evaluation, and analysis and report preparation. Communication and negotiation between the two parties run through the whole process. The specific process is as follows:
1. Evaluation preparation
This activity is the premise and basis of level evaluation and guarantees the effectiveness of the whole process; the adequacy of the preparation directly determines how smoothly the later work proceeds. Its main tasks are to understand the system under evaluation in detail, prepare the testing tools, and lay the groundwork for the evaluation scheme.
2. Scheme preparation
This is a key activity of level evaluation, producing the basic documents and guidance for on-site evaluation. Its main tasks are to determine the evaluation objects, evaluation indicators and evaluation contents appropriate to the system under evaluation, and to reuse or develop evaluation instructions as needed, forming the evaluation scheme.
3. On-site evaluation
This is the core activity of level evaluation. Its main task is to carry out the evaluation instructions strictly according to the overall requirements of the scheme and to implement every evaluation item step by step, including unit evaluation and overall evaluation, in order to understand the system's real protection status, obtain sufficient evidence and find the security problems that exist in the system.
4. Analysis and report preparation
This activity delivers the results of the level evaluation and is a comprehensive assessment of the overall security protection capability of the system under evaluation. Based on the on-site results and the relevant requirements of the Basic Requirements for Information Security Level Protection, its main task is to identify the gap between the system's current security protection and the requirements of its level, using the individual evaluation results, unit evaluation results, overall evaluation and risk analysis, to analyze the risks the system faces, to draw the evaluation conclusion, and to produce the text of the evaluation report.
VI. Key points of level compliance evaluation
Defining the evaluation process lays a solid foundation for the work, but attention must also be paid to the key elements within each step, which have a significant effect on the effectiveness of the evaluation.
1. Methods and intensity of level evaluation
The basic methods of level evaluation are interview, inspection and testing.
Interview: the evaluators talk with and question the relevant personnel of the evaluated unit to learn about the security technology and security management of the system and to confirm the evaluation contents.
Inspection: the evaluators obtain evaluation evidence by straightforward comparison or by expert analysis, including reviewing, verifying, checking, observing, studying and analyzing.
Testing: the evaluators verify and evaluate the information system with technical tools, including functional testing, performance testing and penetration testing.
The evaluation institution selects an appropriate evaluation intensity according to the actual situation of the system under evaluation. Intensity is described by the depth and breadth of the evaluation. For interviews, depth is the rigor and detail of the interview process and breadth is the composition and number of interviewees; for inspection, depth is the rigor and detail of the inspection and breadth is the type (documents, mechanisms, and so on) and number of objects inspected; for testing, depth is the kind of test performed (functional or performance testing versus penetration testing) and breadth is the type and number of mechanisms tested.
2. Evaluation objects
An evaluation object is the specific component of the system under evaluation that implements the security function corresponding to a particular evaluation indicator. Choosing the right type and number of evaluation objects is an important guarantee that the evaluation obtains sufficient evidence and reflects the true security status of the system.
Evaluation objects are generally determined by sampling representative components of the information system, balancing the effort invested against the results obtained.
VII. Indicators for level compliance evaluation
For level evaluation, the security requirements of the corresponding level are selected from the Basic Requirements for Information System Security Level Protection (GB/T 22239-2008) as the basic evaluation indicators.
1. For a level 2 system, the evaluation indicators comprise the 66 basic requirements (177 control points) of the Basic Requirements covering physical security, network security, host security, application security, data security, the management system, the management organization, personnel security management, system construction security management and system operation and maintenance management, plus, by reference, the 83 control points of the General Technical Requirements for Information Systems, the 70 control points of the Information System Security Management Requirements, the 51 control points of the Information System Security Engineering Management Requirements, and the control points specified in the applicable industry evaluation standards; the final set is determined by the combination of grading results.
2. For a level 3 system, the indicators comprise the 73 basic requirements (290 control points) of the Basic Requirements over the same ten areas, plus, by reference, the 109 control points of the General Technical Requirements for Information Systems, the 104 control points of the Information System Security Management Requirements, the 42 control points of the Information System Security Engineering Management Requirements, and the control points of the applicable industry evaluation standards; the final set is determined by the combination of grading results.
3. For a level 4 system, the indicators comprise the 77 basic requirements (317 control points) of the Basic Requirements over the same ten areas, plus, by reference, the 120 control points of the General Technical Requirements for Information Systems, the 104 control points of the Information System Security Management Requirements, the 35 control points of the Information System Security Engineering Management Requirements, and the control points of the applicable industry evaluation standards; the final set is determined by the combination of grading results.
4. When the system under evaluation consists of several information systems of different levels, the evaluation indicators are determined separately for each graded object. Where several graded objects share a physical environment or a management system and the corresponding indicators cannot be separated, the indicators of the higher level apply.
VIII. Matters needing attention in conducting an efficient grade evaluation
To ensure that a grade evaluation produces real results, it must be carefully prepared before it begins, managed in accordance with the relevant regulations while it is under way, and carried out in strict observance of the principles of grade evaluation. The experience summarised below has been verified in the practice of the Shandong Software Evaluation Center and has produced notable results.
1. Ensure the quality of the grade evaluation
Before the evaluation begins, the evaluation institution shall set up a grade evaluation working group jointly with the entrusting unit and establish a reliable communication channel, so that the evaluation activities can proceed smoothly.
When conducting the evaluation, the evaluation institution must assign enough qualified grade evaluators to the on-site work.
For a second-level information system, the evaluation institution shall assign at least one intermediate-level evaluator, one management evaluator and two technical evaluators. For a third-level information system, it shall assign at least one senior evaluator, two intermediate-level evaluators, two management evaluators and three technical evaluators. For a fourth-level information system, it shall assign at least two senior evaluators, two intermediate-level evaluators, two management evaluators and four or more technical evaluators.
When conducting a grade evaluation, the evaluation institution shall provide functional testing, performance testing and * testing tools together with the necessary transport and communication equipment, for example topology discovery equipment, network security configuration verification equipment, network protocol analysis equipment, vulnerability scanning equipment and * integrated equipment.
A grade evaluation consists of four basic stages: evaluation preparation, plan preparation, on-site evaluation, and analysis and report preparation. For a single business system, the whole process generally takes no less than 5 working days for a second-level system, no less than 10 working days for a third-level system, and no less than 20 working days for a fourth-level system.
During the evaluation, the evaluation institution shall deliver to the client at least the following paper documents: the project plan, a statement of impartiality, a confidentiality agreement, the grade evaluation scheme, the on-site evaluation records, the grade evaluation report, and rectification opinions on the security construction.
2. Strict management of the grade evaluation
The operators and users of information systems, or their competent departments, shall select evaluation institutions that have passed the annual examination and shall have the security status of their information systems evaluated regularly in accordance with technical standards such as the Evaluation Requirements for Information System Security Grade Protection.
A third-level information system shall undergo a grade evaluation once a year, and a fourth-level information system once every six months. An important second-level information system may be evaluated with reference to the evaluation requirements for third-level systems. When a newly built or expanded information system is ready for evaluation, or when major changes occur in an existing system, a grade evaluation shall be arranged promptly. Within 15 working days after the evaluation activities end, the evaluation institution shall deliver the grade evaluation report to the operator and user of the evaluated information system and, for systems at the third level or above, shall at the same time submit the report to the provincial and municipal grade protection offices. If the security status of the evaluated information system does not meet the requirements of the information security grade protection system, the evaluation institution shall put forward rectification suggestions for the security construction, and the operator and user units shall promptly draw up a plan and carry out the rectification.
In principle, the grade evaluation of information systems within the province shall be completed by the provincial grade evaluation institutions. When an industry-specific evaluation institution or an evaluation institution from outside the province conducts grade evaluation activities within the province, it shall complete the registration and filing formalities with the provincial grade protection office, carry out the evaluation in accordance with this standard, and accept the supervision and management of the provincial grade protection office.
Evaluation institutions and their personnel shall strictly implement the relevant management norms and technical standards and provide objective, impartial and secure evaluation services. An evaluation institution may engage in grade evaluation activities and provide technical support for the grading of information systems under security grade protection, rectification suggestions for security construction, and publicity and education on information security grade protection, but shall not engage in any of the following:
(1) affecting the normal operation of the evaluated information system or endangering its security;
(2) divulging sensitive information or working secrets of the evaluated unit or the evaluated information system;
(3) deliberately concealing security problems found during the evaluation, practising fraud during the evaluation, or failing to issue a truthful grade evaluation report;
(4) failing to issue the grade evaluation report in the prescribed format;
(5) possessing or using, without authorisation, materials and data files obtained during the grade evaluation activities;
(6) subcontracting or transferring a grade evaluation project;
(7) engaging in the development or sale of information security products, or in information system security integration;
(8) restricting the evaluated unit to purchasing and using information security products it designates;
(9) any other activity that endangers national security, social order, the public interest or the interests of the evaluated unit.
IX. Five principles that must be strictly followed in grade compliance evaluation
1. The principle of objectivity and impartiality. Evaluation personnel shall carry out the evaluation without prejudice and with the least possible subjective judgement, in accordance with the evaluation plan agreed by both parties and on the basis of clearly defined evaluation methods and procedures.
2. The principle of adequacy. In order to reflect objectively the security status of the evaluated information system, the evaluation activities shall have sufficient breadth and depth to satisfy the evaluation indicators of the national and industry standards.
3. The principle of economy. Evaluation activities shall reduce cost and effort as far as possible. Taking into account the evaluation cost and the complexity of the work, the evaluation is encouraged to reuse existing evaluation results that still reflect the current security status of the information system, including evaluation results for commercial security products and earlier security evaluation results for the system.
4. The principle of consistency of results. For a grade evaluation of the same information system, the results obtained by different evaluation institutions using the same evaluation scheme and method shall be consistent, and the results obtained by the same evaluation institution repeating the same evaluation process shall be consistent.
5. The security principle. In the course of the evaluation, the evaluation institution and its personnel shall fulfil their security and confidentiality obligations, bear the corresponding legal responsibilities, and ensure that the evaluated information system keeps operating securely and that the user's working secrets and trade secrets are not disclosed.