Shulou(Shulou.com)06/01 Report--

Preface

I have been an IT technician for many years. At the beginning, I had no idea about information security and data security. I only knew that the data was lost and I could not find it. If the system is poisoned, then kill it, even if you can't kill it. Did not stop the occurrence of these situations from the source, and then there are some security devices, so we simply add firewalls, IDS, IPS, WAF and so on, in order to prevent this kind of things from happening. But things go against one's wishes, or this kind of situation happens frequently. Why? The key is that there is not a set of information security prevention system and system.

The state has also set up a central network security and information leading group specially for information security, led by Xi Jinping. It can be seen that because of the degree of attention paid to network information security in the big data era, this group was later changed to China's Central Network Security and Informatization Committee.

So how do we establish our own information security system? Here I will explain from the perspective of an information system integration company. First of all, we understand what the certification body of the national information security system is, so that enterprises can get formal security certification.

China Information Security Certification Center is established with the approval of the Central Establishment Committee, authorized by the Office of Informatization work, the State Certification and Accreditation Supervision and Administration Commission, and in accordance with national laws and regulations on compulsory product certification and information security management, a specialized agency responsible for the implementation of information security certification. China Information Security Certification Center is an institution directly under the AQSIQ. The center is referred to as the Information Certification Center; its full name is China Information Security Certification Center; and its acronym is ISCCC.

In the center, it can carry out different certification of products, systems, services and personnel in order to get the certification results we need. Here I will only introduce information security management, information technology-service management system, information security service qualification certification (information system security integration service, security operation and maintenance service qualification, information security risk assessment, information security emergency response service), information security personnel certification.

As an information system integration enterprise, what kind of certification should we do? I think we should do a good job in the following authentication (standard black part), information security certification architecture diagram:

I. Information Security Management system

(InformationSecurityManagementSystems,ISMS) is a part of the overall management system of an organization, which is based on risk assessment to establish, implement, operate, monitor, review, maintain and continuously improve information security and other management activities. It is a system of information security policies and objectives established by the organization as a whole or within a specific scope, as well as the methods used to achieve these goals.

GB/T22080/ISO/IEC27001 is the standard for establishing and maintaining the information security management system. It requires the organization to go through a series of processes, such as determining the scope of the information security management system, formulating information security policies and strategies, defining management responsibilities, selecting control objectives and control measures based on risk assessment, etc., is a dynamic, systematic, all-staff participation, institutionalized, prevention-oriented information security management mode.

(certificate template)

II. Information technology-service management system

The goal of (InformationTechnologyServiceManagementSystems,ITSMS) is to provide IT services that meet customer quality requirements at an appropriate cost, to improve the efficiency and effectiveness of IT from three aspects of process, personnel and technology, and to coordinate the operational objectives and business needs of the enterprise with the provision of IT services.

GB/T24405.1/ISO/IEC20000-1 is the standard for establishing and maintaining the information technology service management system, which defines the work that IT organizations need to complete in the process of providing IT services and support to their internal and external customers. Through these regulations, the information technology service management system shows a complete set of IT service management processes, which aims to help IT organizations identify and manage the key processes of IT services, and ensure the effective provision of high-quality IT services to business and customers.

(certificate template)

Information technology operation and maintenance service management system:

Section 1 General provisions

1. This system is specially formulated in order to strengthen the security management of the company's information technology operation and maintenance services and ensure the stability of the company's information system operation environment.

2. The information technology operation and maintenance service referred to in this system means that the company entrusts the customer unit to undertake the information technology service by way of signing a contract, it mainly includes information technology consulting services, operation and maintenance services, technical training and other related information construction services.

3. Safety management is for the purpose of safety, carrying out the policy of safety work, the functions of decision-making, planning, organization, command, coordination and control, and the rational and effective use of manpower, financial resources, material resources, time and information, the sum of all kinds of activities carried out to achieve the predetermined security precautions is called safety management.

4. The security management of operation and maintenance services follows all commercial principles on security and appropriate external laws and regulations.

Section 2 scope of operation and maintenance services

5. Operation and maintenance services include information technology consulting services, operation and maintenance services, technical training, etc.

6. Consulting services:

6.1 assist customers to formulate feasible technical implementation plans according to the overall deployment of customer information construction.

6.2 diagnose and evaluate the customer's existing information technology infrastructure, equipment operation status and applications, and propose reasonable solutions.

6.3 propose backup plan and emergency plan according to the actual situation of the customer.

6.4 other information technology consulting services.

7. Run the maintenance service:

7.1 installation and upgrade of hardware and software equipment.

7.2 repair and maintenance of hardware equipment.

7.3 provide functional requirements solutions and execution services for application systems according to customer business changes.

7.4 regular inspection and overall performance evaluation of the system.

7.5 handling of daily business data problems.

7.6 other operation and maintenance services.

8. Technical training: provide relevant technical training according to the actual situation of customers.

Section III Security Management of Operation and maintenance Services

9. Operation and maintenance service safety management should, in accordance with the principle of "safety first, prevention first", take scientific and effective safety management measures, apply technical means to ensure information security, and establish a post responsibility system with clear rights and responsibilities and covering the whole process of informatization. Strict supervision and management of the whole process of informatization to ensure information security.

10. To establish an information outsourcing management organization for leading comrades in charge, to clarify the departments, personnel and responsibilities of information management.

11. Establish a security and confidentiality system for information construction, sign a security agreement or contract with the client, and clearly meet the requirements of security management and other related systems. And educate the service personnel on safety and confidentiality.

12. Formulate operation rules or rules and regulations for information processing process management, acceptance and handover of information achievements, storage media management, etc.

13. The personnel quality, technology and management level of the operation and maintenance service side can meet the requirements of the project to be undertaken, and carry out corresponding safety qualification management.

14. The operation and maintenance service party shall be equipped with special personnel to be responsible for the security and confidentiality work, and to be responsible for the daily information security supervision, inspection and guidance. Conduct security supervision and evaluation of the services provided by the service party, take security measures to control access, and timely deal with and report any problems in accordance with the provisions of the contract to ensure that the services provided meet the customer's internal control requirements.

15. The security status of the operation of the business application system of the operation and maintenance service shall be evaluated regularly, and when major security problems or hidden dangers arise, it shall be re-evaluated and suggestions for improvement shall be put forward until the operation and maintenance service is stopped.

16. If the equipment of the operation and maintenance service party is used, the necessary safety inspection shall be carried out.

17. In important security areas, risk control shall be carried out for each visit of outsiders; if necessary, access of outsiders shall be restricted.

Section IV Supplementary provisions

18. Our company is responsible for explaining this system.

19. This system shall enter into force as of the date of promulgation.

III. Brief introduction to qualification Certification of Information Security Service

With the continuous deepening of informatization and information security in our country, information security services, which mainly include emergency handling, risk assessment, disaster recovery, system assessment, security operation and maintenance, security audit, security training and security consultation, play an increasingly prominent role in information security. Strengthening and standardizing the qualification management of information security services has become an important basic work of information security management.

Our center is approved by the National Certification and Accreditation Supervision and Administration Commission and can be engaged in the qualification certification of information security services ("Certification body approval letter" CNCA-R-2007-138), and has been approved by China National Accreditation Committee for conformity Assessment (certificate number: No. CNAS CO66-V). Service qualification certification is one of the core businesses of our center.

According to the working idea of classification and classification, our center has carried out two kinds of service qualification work: information security emergency handling and risk assessment.

The details of service qualification certification are as follows:

I. basic concepts

Information security service qualification is a kind of qualification for information security service institutions to provide security services, including legal status, resource status, management level, technical ability and so on. The qualification certification of information security service is to evaluate the information security service qualification of information security service institutions according to national laws and regulations, national standards, industry standards and technical specifications, and according to the basic norms and rules of certification.

Emergency handling service is the process of identifying, recording, classifying and dealing with misconduct (events) that affect the security of computer systems and networks until the affected business returns to normal operation. (summarize the contents of each sentence in 1799)

From the point of view of risk management, risk assessment service uses scientific methods and means to systematically analyze the threats faced by networks and information systems and their vulnerabilities, and to assess the degree of harm that may be caused by security events. put forward targeted countermeasures to resist threats and rectification measures, in order to prevent and resolve information security risks, or control the risks at an acceptable level.

Through the qualification certification of the classification and classification of information security services, we can make an authoritative, objective and fair evaluation of the basic qualifications, management capabilities, technical capabilities and service process capabilities of information security service providers, so as to prove their service ability and meet the service selection needs of the society. At the same time, the certification process will also effectively promote service providers to improve their own management system, improve service quality and level, and guide the healthy and standardized development of the industry.

2. With regard to the application for certification:

The basic steps of certification:

Application and acceptance of certification

Document review

On-site audit

Certification decision

Annual supervision and audit.

When applying for service qualification certification for the first time, the applicant shall fill in the certification application form and submit proof materials on qualifications and abilities. Application materials usually include:

Application for service qualification certification

Independent legal person qualification certification materials

Certification of relevant qualifications for information security services

Proof of work secrecy system and corresponding organizational supervision system

Copy of confidentiality agreement signed with information security risk assessment service personnel

Personnel composition and quality proof materials

Proof material of company organizational structure

Proof of fixed office space

Project management system document

Information security service quality management document

Project case and performance proof materials

Information security service capability certification materials, etc.

3. On the basis of certification:

There are specific evaluation criteria for specific types of information security services. For example, the qualification certification of information security emergency response service is based on "Network and Information Security Emergency response Service qualification Assessment method" (YD/T 1799-2008), and the qualification certification of information security risk assessment service is based on "Information Security Technology Information Security risk Assessment Specification (GB/T 20984-2007)" and "Information Security risk Assessment Service qualification Certification implementation rules" (ISCCC-SV-002).

Fourth, about the certification process:

Please refer to the implementation rules of Information Security Service qualification Certification (ISCCC-SV-001) and the certification flow chart on our website. The certification period is generally 10 weeks, including the actual time from the date of formal acceptance of the application to the time when the certification certificate is issued, excluding the time due to the preparation or supplementary materials of the applicant.

3.1 Information system Security Integration Service

It refers to the activities engaged in the definition of security requirements, security design, construction and implementation, and security guarantee of computer application system engineering and network system engineering. The information system security integration includes the activities of considering the information security guarantee factors in the structural design of the newly-built information system, so as to make the completed information system meet the security needs of the builder or user. It also includes the addition of information security subsystem or information security equipment to the existing information system, which is often referred to as security optimization or security reinforcement.

The service qualification level of information system security integration is the yardstick to measure the service ability of service providers. The qualification level is divided into three levels: the first level, the second level and the third level, of which the first level is the highest and the third level is the lowest. The service capabilities of security integration service providers are mainly reflected from the following four aspects: basic qualifications, service management capabilities, service technical capabilities and service process capabilities; the capabilities of service personnel are mainly evaluated from the knowledge they have mastered and the experience of security integration services.

3.2 Security Operation and maintenance Service qualification Certification

Through the security assessment of technical facilities, security reinforcement of technical facilities, security vulnerability patch notification, security incident response and information security operation and maintenance consultation, assist the organization's information system managers to carry out the security operation and maintenance of the information system, in order to find and repair the security hidden dangers in the information system, reduce the possibility of illegal exploitation of security hidden dangers, and respond in time after the security hidden dangers are used.

The qualification certification of security operation and maintenance is to evaluate the basic qualification, management ability, technical ability and process capability of safety operation and maintenance service. Security operation and maintenance service qualification level is the yardstick to measure the service provider's security operation and maintenance service qualification and capability.

The qualification level is divided into three levels: the first level, the second level and the third level, of which the first level is the highest and the third level is the lowest.

3.3 Information Security risk Assessment

It is the basic work and important link of information security, which runs through the whole process of the construction and operation of network and information system. By providing risk assessment services to information systems, service providers systematically analyze the threats faced by networks and information systems and their vulnerabilities, assess the degree of harm that may be caused by security incidents, and put forward targeted protective countermeasures and security rectification measures to resist threats, prevent and eliminate information security risks, or control the risks at an acceptable level. To provide a scientific basis for network and information security.

The service qualification level of information security risk assessment is the yardstick to measure the service ability of service providers. The service capabilities of risk assessment providers are mainly reflected from the following four aspects: basic qualifications, service management capabilities, service technical capabilities and service process capabilities; the capabilities of service personnel are mainly assessed from the knowledge they have mastered and the experience of risk assessment services. The background check of the service provider mainly refers to customer complaints, violations of law and discipline, etc.; the background check of service personnel mainly refers to the necessary review of the personnel engaged in risk assessment services by the competent department of the industry or the user.

The qualification level is divided into three levels: the first level, the second level and the third level, of which the first level is the highest and the third level is the lowest.

3.4 Information Security Emergency response Service

Through the formulation of emergency plans, the security incidents that affect the security of the network and information systems can be responded in time, and once the security incidents occur, they can be identified, recorded, classified and dealt with, until the affected business returns to normal operation. Emergency response service is one of the important means to ensure business continuity, which covers a series of activities to maintain and restore critical business after a security incident.

Information security emergency handling service qualification certification is to evaluate the basic qualifications, management capabilities, technical capabilities and emergency response service process capabilities of emergency response service providers. The information security emergency service qualification level is the yardstick to measure the service provider's emergency response service qualification and capability. the emergency response service qualification is divided into three levels, of which the first level is the highest and the third level is the lowest.

IV. Brief introduction to Certification and training of Information Security personnel

China Information Security Certification Center (ISCCC) is a state-approved professional certification and training institution for information security. The service purpose of ISCCC is to protect national information security, promote the improvement of information security technology and management level of all kinds of organizations, and enhance the social awareness of information security and the professional level of employees. At present, the business of personnel certification and training includes: information security practitioner qualification certification, information security certification practitioners training and information security technology and awareness training.

ISCCC launched "Information Security Practitioner Certification (CISAW)" and "Information Security preliminary Practitioner Certification (CISAC)", in order to promote the construction of the talent team of information security in China, improve the professional quality of employees, and strengthen the training of reserve talents.

ISCCC has carried out training for information security certification practitioners such as information security product certification factory inspectors, information security service qualification certification assessors, information security management system (ISO/IEC27001) certification auditors, IT service management system (ISO/IEC20000-1) certification auditors, information security management system and IT service management consultants. It is expected to further improve the practice level of personnel related to information security certification, so as to ensure the quality of information security certification.

ISCCC has specially developed a series of basic courses for information security technology training and information security awareness education, and on this basis, according to the actual needs of different organizations, carry out personalized training services tailored to improve the information security capability of various organizations and the information security awareness of the whole people.

Personnel certification is divided into 9 categories of three-level certification, preparatory certification, qualification certification, professional certification. Among them, professional certification is divided into professional level and professional level. As shown below:

The other is that the country should have a preliminary understanding of the concept of classified protection of information security and classified protection related to secrets.

V. grading of security and protection of information systems

It is divided into the following five levels:

At the first level, the destruction of the information system will cause damage to the legitimate rights and interests of citizens, legal persons and other organizations, but will not harm national security, social order and public interests.

At the second level, the destruction of the information system will cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or to social order and public interests, but not to national security.

At the third level, the destruction of the information system will cause serious damage to social order and public interests, or damage to national security.

At the fourth level, the destruction of the information system will cause particularly serious damage to social order and public interests, or to national security.

At the fifth level, the destruction of information systems will cause particularly serious damage to national security.

5.1 implementation and management of grade protection

I will only extract the main provisions here:

Article 9

Information system operators and users shall implement level protection in accordance with the guidelines for the implementation of Information system Security level Protection.

Article 10

The information system operation and user units shall determine the security protection level of the information system in accordance with these measures and the Information system Security level Protection grading Guide. If there is a competent department, it shall be examined and approved by the competent department.

The level of security protection of an information system operating on a unified network across provinces or across the country may be uniformly determined by the competent department.

For the information system to be determined as the fourth level or above, the operator, user or competent department shall request the expert evaluation committee of the national level of information security protection for evaluation.

Article 11

After the security protection level of the information system has been determined, the operators and users shall, in accordance with the national information security level protection management standards and technical standards, use information technology products that meet the relevant provisions of the state and meet the requirements of the security protection level of the information system, carry out information system security construction or reconstruction.

Article 12

In the process of information system construction, operators and users shall follow the technical standards such as "computer Information system Security Protection level Classification criteria" (GB17859-1999) and "basic requirements of Information system Security level Protection". Referring to "Information Security Technology General Security Technical requirements for Information Systems" (GB/T20271-2006), "Information Security Technology Network basic Security Technical requirements" (GB/T20270-2006), "Information Security Technology operating system Security Technical requirements" (GB/T20272-2006), "Information Security Technology Database Management system Security Technical requirements" (GB/T20273-2006), "Information Security Technology Server Technical requirements", Technical standards such as "Information Security Technology Terminal computer system Security level Technical requirements" (GA/T671-2006) synchronously build information security facilities that meet the requirements of this level.

Article 16

When going through the formalities for filing the information system security protection level, the Information system Security level Protection record form shall be filled in, and the information system at or above the third level shall provide the following materials at the same time:

(1) topological structure and explanation of the system

(2) system security organization and management system

(3) the design and implementation plan or reconstruction implementation plan of the system security protection facilities

(4) list of information security products used in the system and their certification and sales license

(5) the technical inspection and evaluation report that conforms to the safety protection level of the system after evaluation

(6) expert evaluation opinions on the level of security protection of information systems

(7) the opinions of the competent department on examining and approving the security protection level of the information system.

5.2 hierarchical protection management of secret-related information systems

I will only extract the main provisions here:

Article 24

Secret-related information systems shall be protected in accordance with the basic requirements of national information security level protection, in accordance with the management regulations and technical standards of the state secrecy departments on classified protection of secret-related information systems, and in combination with the actual situation of the system.

Non-secret information systems shall not deal with state secret information, etc.

Article 25

According to the highest secret level of the information processed, the secret-related information system can be divided into three levels: secret, secret and top secret.

The construction and use units of secret-related information systems shall, on the basis of information norms and secrecy, determine the level of the system in accordance with the administrative measures for hierarchical protection of secret-related information systems and the national security standard BMB17-2006 "Technical requirements for hierarchical protection of computer information systems involving state secrets". For secret-related information systems containing multiple security domains, each security domain can determine the protection level respectively.

Secrecy departments and institutions shall supervise and guide the units involved in the construction and use of secret-related information systems to accurately and reasonably grade the system.

Article 30

When applying for examination and approval of the system or filing for the record, the units that construct and use secret-related information systems shall submit the following materials:

(1) system design, implementation plan and opinions on examination and demonstration

(2) qualification certification materials of the system contractor

(3) report on system construction and project supervision

(4) system security and security inspection and evaluation report

(5) the organization and management system of system security and secrecy

(6) other relevant materials.

5.3 output corresponding to level protection

The relationship between the whole equal insurance and market demand can be summarized as follows: new requirements-new products-meet grade protection evaluation scores-record success. You can see from the following table that the new requirements focus on * * prevention, malicious code prevention, centralized control, security audit, and so on.

The main methods used in security threat identification are: document review, questionnaire survey, manual verification, tool detection, * sex testing and so on.

(1) Security technology threat verification

Physical environment security

(1) Security measures: location of computer room, physical access control of buildings, prevention of theft and damage, protection against lightning, fire, waterproofing and moistureproof, anti-static, temperature and humidity control, power supply, electromagnetic protection, etc.

(2) Verification method: check and inquire about the current situation of the physical environment on the spot to verify the effectiveness of the safety measures.

network security

(1) Security measures: network topology diagram, vlan partition, network access control, network device protection, security audit, boundary integrity check, * prevention, malicious code prevention, etc.

(2) Verification method: check the network topology diagram, the security policy and configuration of network security devices and other related documents, ask relevant personnel, check the hardware configuration of network devices, manually or automatically view or detect the software installation and configuration of network devices, view and verify security functions such as identity authentication, access control and security audit, and check and analyze network and security device log records. Use tools to detect network topology, scan network security devices for loopholes, detect illegal network access or outreach, test network traffic, network equipment load carrying capacity and network bandwidth, manually or automatically view and detect the use of security measures and verify their effectiveness.

Host system security

(1) Security measures: identity authentication, access control, security audit, remaining information protection, * prevention, malicious code prevention, resource control, etc.

(2) Verification method: manually or automatically check or check the configuration of the host hardware equipment and the installation and configuration of the software system, check the self-startup and operation of the software system, view and verify the security functions such as identity authentication, access control, security audit, view and analyze the historical data (such as authentication information, Internet traces) generated by the operation of the host system, and check and analyze the software system log records. Use tools to scan the vulnerabilities of the host system, test the performance of the host system, manually or automatically check or detect the use of security measures and verify their effectiveness.

Application system security

(1) Security measures: identity authentication, access control, security audit, residual information protection, communication integrity, communication confidentiality, anti-repudiation, software fault tolerance, resource control, etc.

(2) Verification method: consult the requirements, design, testing, running reports and other relevant documents of the application system, check the security of the architecture design of the application system (including the fault tolerance of each functional module of the application system, the security mechanism of each functional module in the interaction process, and the security mechanism of the data interaction interface between multiple application systems, etc.), review the source code of the application system Manually or automatically view or detect the installation and configuration of the application system, view and verify security functions such as identity authentication, access control, security audit, view and analyze the historical data (such as user login, operation records) generated by the operation of the host system, check and analyze the system log records, use scanning tools to detect vulnerabilities in the application system, and test the performance of the application system. Check or detect the use of security measures manually or automatically and verify their effectiveness.

Data security

(1) Security measures: data integrity protection measures, data confidentiality protection measures, backup and recovery, etc.

(2) Verification methods: communication protocol analysis, data cracking, data integrity check, etc.

(2) Safety management threat verification

Security management verification mainly through access to documents, sample surveys and inquiries and other methods, and verify the rationality, integrity and applicability of information security rules and regulations.

Safety management organization

Verification method: check the safety management organization settings, functional department settings, post settings, personnel configuration and other related documents, as well as safety management organization related activity records and other documents.

Security management strategy

Verification method: check whether there is a clear security management policy file, and ask the relevant personnel about the content of the security policy, analyze the effectiveness of the policy, and identify the vulnerability of the security management policy.

Safety management system

Verification methods: review the completion of relevant system documents, check the records of the implementation of the system, ask relevant personnel about the relevant contents of the system, understand the implementation of the system, and comprehensively identify the fragility of the safety management system.

Personnel safety management

Verification method: consult relevant system documents and relevant records, or require relevant personnel to perform certain tasks on site, or visit as outsiders to identify the vulnerability of personnel security management.

System operation and maintenance management

Verification methods: review the relevant system documents, operation manuals, operation and maintenance records of the system operation and maintenance, check the operation and maintenance situation on the spot, interview the operation and maintenance personnel, and let the operation and maintenance personnel demonstrate the relevant operations to identify the vulnerability of the system operation and maintenance management.

A review meeting will be held at the end of the security project, and the participants generally include: assessed organizations, evaluation institutions and experts. The acceptance documents for security projects are as follows:

Working stage

Output document

Document content

Preparation stage

System investigation report

The investigation and understanding of the evaluated system involves the network structure, system situation, business application and so on.

Risk Assessment Programme

According to the investigation and evaluation purpose, determine the goal, scope, object, work plan, main technical route, emergency plan and so on.

Recognition stage

Asset value Analysis report

Asset survey, analysis of asset value, and description of important assets.

Threat Analysis report

Threat investigation, identification of existing threats and their likelihood of occurrence, as well as descriptions of serious threats.

Security Technology vulnerability Analysis report

Vulnerability description of material resources, networks, hosts, applications, data, etc.

Security Management vulnerability Analysis report

Vulnerability description of security organization, security policy, security system, personnel security, system operation and maintenance, etc.

Analysis report on existing Safety measures

Analyze the effectiveness of deployed security measures in an organization or information system, including technical and management security control instructions

Risk analysis.

Risk Assessment report

For the associated calculation, analysis and evaluation of assets, threats, vulnerabilities and other assessment data, the risk analysis model and analysis and calculation methods should be explained.

Risk disposal

Suggestions for Safety rectification and Reform

Give targeted risk disposal suggestions to the security problems found in the assessment.

At this point, I have generally finished the information security content and security management and methods that an integrated company needs to know about information security, of course, there are still many imperfections, but it is not easy to do or understand all the contents mentioned above. Everything starts from scratch. Well, next time I'm going to do a security defense article when I have time, please wait patiently.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.