2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Catalogue
1 Level protection FAQ
1.1 What is level protection and what is it for?
1.2 What is the significance and function of the information security level protection system?
1.3 Level protection and graded protection are each divided into several levels; how do they correspond?
1.4 What are the important information systems (82s) of level protection?
1.5 Who is the authority in charge of level protection?
1.6 What are the responsibilities of the state cryptography administration in level protection / graded protection?
1.7 Which documents are the policy basis for level protection?
1.8 How do public security organs manage level protection, and where is the level protection grading filed for the record?
1.9 Is level protection mandatory? Can it be left undone?
1.10 What are the main standards for level protection, and have they been issued as formal national standards?
1.11 Which units can carry out level protection evaluation?
1.12 Is a certificate of competency issued after a level evaluation?
1.13 Is it implemented only in government sectors? Are enterprises also within the scope of level protection and graded protection?
1.14 Who is responsible for level protection inspections?
2 Graded protection FAQ
2.1 What is graded protection?
2.2 Who is the competent authority for graded protection?
2.3 Where is the grading for graded protection filed for the record?
2.4 Which document is the policy basis for graded protection?
2.5 What are the applicable objects of level protection and graded protection respectively?
2.6 How are the graded protection standards related to one another?
2.7 What is the difference between level protection and graded protection?
2.8 What are the criteria for the construction, scheme design and evaluation of graded protection?
2.9 Does the graded protection design need to be reviewed and approved, and who reviews and approves it?
2.10 Does a secret-related information system need to be examined and approved before it is put into use?
2.11 What is the role of graded protection system evaluation, and must it be done?
2.12 Which units can carry out graded protection evaluation, and what are the qualification requirements?
2.13 What does graded protection require of security products used in secret-related systems?
2.14 How often is a graded protection security check of secret-related systems carried out?
2.15 What is the relationship between the secrecy bureaus at all levels and the secrecy offices of each unit?
2.16 What qualifications must a vendor hold for graded protection system integration?
2.17 Must graded protection security construction be supervised, and what are the supervision qualification requirements?
2.18 Which specific graded protection jobs require individual qualifications of vendors?
3 Comprehensive questions
3.1 What is the essential difference between level protection and graded protection?
3.2 What are the levels of level protection and graded protection?
3.3 Level protection / graded protection: what is the difference, which departments manage them, and how?
3.4 Which units are leaks reported to?
3.5 Is classification filing based on the unit or the system?
3.6 What is the relationship between risk assessment and level protection?
3.7 Is it necessary to apply for approval during the design stage and before implementation of the level protection scheme?
3.8 Are there any requirements for the use of level protection products and cryptographic products?
Level protection / graded protection FAQ
1 Level protection FAQ
1.1 What is level protection and what is it for?
[explanation]
Level protection is a legal system for implementing information security management in China. Order 147 of 1994, document No. 27 of 2003 and document No. 66 of 2004 all clearly stipulate that information system security is subject to level protection and level-based management.
Level-based management is a universally applicable management method, and it is an effective information security management method suited to the current reality of our country.
Carrying out information security level protection work is the fundamental guarantee for protecting the development of informatization and maintaining national information security, and it also embodies the national will in information security work.
1.2 What is the significance and function of the information security level protection system?
[explanation]
Implementing the information security level protection system can effectively improve the overall level of information and information system security construction in our country. It is conducive to building information security facilities at the same time as informatization, keeping information security coordinated with informatization, providing systematic, targeted and feasible guidance and services for information system security construction and management, and effectively controlling the cost of information security construction.
It optimizes the allocation of information security resources, protects information systems according to their level, and focuses on ensuring the security of basic information networks and important information systems related to national security, the economic lifeline and social stability.
It clarifies the information security responsibilities of the state, legal persons, other organizations and citizens, strengthens the management of information security, promotes the development of the information security industry, and gradually explores an information security model adapted to the development of China's socialist market economy.
1.3 Level protection and graded protection are each divided into several levels; how do they correspond?
[explanation]
Level protection is divided into five levels: level 1 (autonomous protection), level 2 (guided protection), level 3 (supervisory protection), level 4 (compulsory protection) and level 5 (special control protection).
Graded protection is divided into three levels: secret, confidential (confidential enhanced) and top secret.
The correspondence between graded protection and level protection: secret corresponds to level 3, confidential to level 4 and top secret to level 5.
1.4 What are the important information systems (82s) of level protection?
[explanation]
Basic information networks such as public communication networks and radio and television transmission networks in telecommunications and radio and television industries, and important information systems of operational public Internet information service units, Internet access service units, data centers and other units.
Important information systems for production, dispatching, management, office work and similar functions in industries and departments such as railway, banking, customs, taxation, civil aviation, electric power, securities, insurance, diplomacy, science and technology, development and reform, national defense science and technology, public security, personnel, labor and social security, finance, audit, commerce, water conservancy, land and resources, energy, transportation, culture, education, statistics, × ×, postal and others.
Important websites and office information systems of party and government organs at or above the municipal (prefectural) level.
An information system involving state secrets.
1.5 Who is the authority in charge of level protection?
[explanation]
The public security organ is the department in charge of level protection work and is responsible for the supervision, inspection and guidance of information security level protection work. The state secrecy department and the state cryptography administration department are responsible for the supervision, inspection and guidance of the secrecy and cryptography work within level protection, and the offices of the State Information Office and the local information leading groups are responsible for coordination between the level protection work departments. Supervision and administration of graded protection for information systems involving state secrets is the responsibility of the state secrecy department.
1.6 What are the responsibilities of the state cryptography administration in level protection / graded protection?
[explanation]
The state cryptography administration department is responsible for the supervision, inspection and guidance of secrecy and cryptography work in level protection / graded protection work.
1.7 Which documents are the policy basis for level protection?
[explanation]
Regulations on the Security and Protection of Computer Information Systems (Order 147, 1994)
Opinions on Strengthening Information Security (issued by the Central Office [2003] No. 27)
Opinions on the Implementation of Information Security Level Protection (Gongtongzi [2004] No. 66)
Measures for the Administration of Information Security Level Protection (Gongtongzi [2007] No. 43)
Notice on Carrying Out the Work of Security Level Protection and Grading of Important Information Systems in the Country (Gongxin an [2007] No. 861)
Notice on Strengthening Information Security Risk Assessment of National E-Government Construction Projects (Development and Reform of High Technology [2008] No. 2071).
1.8 How do public security organs manage level protection, and where is the level protection grading filed for the record?
[explanation]
The public security organ is responsible for accepting and managing filings. After an information system is filed, the public security organ reviews the filing and, if it meets the level protection requirements, issues a filing certificate for the information system's security protection level. If the filing is found not to comply with the Administrative Measures and relevant standards, it notifies the filing unit to correct it. If the grading is found to be inaccurate, it notifies the operating and using unit or its competent department to re-examine and determine the level.
For information systems at or above level 2 that are already in operation, the operating and using unit shall file with the public security organ at or above the municipal level where it is located within 30 days after the security protection level is determined.
For a new information system at or above level 2, the operating and using unit shall complete the filing formalities with the public security organ at or above the municipal level where the district is located within 30 days after the system is put into operation.
Note: all ministries and commissions in Beijing file with the Beijing Evaluation Center for the record.
1.9 Is level protection mandatory? Can it be left undone?
[explanation]
National information security level protection follows the principle of independent grading and self-protection. The security protection level of an information system is determined by its importance to national security, economic construction and social life, and by the degree of harm to national security, social order, public interests and the legitimate rights and interests of citizens, legal persons and other organizations if the system is damaged.
The operators and users of information systems at or above level 2 shall protect those systems in accordance with the Measures for the Administration of Information Security Level Protection and relevant technical standards, and the relevant state information security supervision departments shall supervise and administer their information security level protection work.
After filing, level 3 systems undergo supervision and inspection once a year, and level 4 systems undergo supervision and inspection once a year.
1.10 What are the main standards for level protection, and have they been issued as formal national standards?
[explanation]
Basic Requirements of Information System Security Level Protection (GB/T22239)
Information System Security Level Protection Rating Guide (GB/T22240)
Guide to the Implementation of Information System Security Level Protection (national standard, draft for approval)
Code for Evaluation of Information System Security Level Protection (national standard, draft for approval)
Implementation Guide for Information Security Level Protection (trial version)
Computer Information System Security Protection Grade Classification Criteria (GB 17859-1999).
1.11 Which units can carry out level protection evaluation?
[explanation]
Level protection evaluation institutions for information systems at or above level 3 shall meet the following conditions:
Registered within the territory of × × (except Hong Kong, Macao and Taiwan)
Enterprises and institutions invested in by Chinese citizens, Chinese legal persons or the state (except Hong Kong, Macao and Taiwan)
Engaged in related testing and evaluation for more than two years, with no record of violations
Staff are limited to Chinese citizens
Legal persons and major business and technical personnel have no criminal record
The technical equipment and facilities used meet the requirements of these measures for information security products
A complete security management system is in place, covering confidentiality management, project management, quality management, personnel management and training and education
The institution poses no threat to national security, social order or public interests.
1.12 Is a certificate of competency issued after a level evaluation?
[explanation]
At present, the public security organ only reviews the filing of the information system: it issues a filing certificate for the information system's security protection level if the level protection requirements are met, notifies the filing unit to correct the filing if it does not meet the relevant standards, and notifies the filing unit to re-examine and determine the level if the grading is found to be inaccurate. No certificate of qualification for evaluation is issued.
1.13 Is it implemented only in government sectors? Are enterprises also within the scope of level protection and graded protection?
[explanation]
Level protection covers all industries: any unit with an information system falls within the scope of level protection (except secret-related systems).
1.14 Who is responsible for level protection inspections?
[explanation]
The public security organ is responsible. During an inspection, officers must wear police uniform and carry valid credentials, and they inspect the unit together with the technical support unit. At the same time, all industries are encouraged to carry out self-examination.
2 Graded protection FAQ
2.1 What is graded protection?
[explanation]
Secret-related information systems are subject to a mandatory system of graded protection of information security, following the basic requirements of national information security level protection and the management regulations and technical standards of the state security departments concerning graded protection of secret-related information systems. According to the highest classification of the information processed, secret-related information systems are divided into three levels: secret, confidential and top secret.
2.2 Who is the competent authority for graded protection?
[explanation]
State secrecy departments (* *, provincial secrecy bureaus, prefecture and municipal secrecy bureaus).
2.3 Where is the grading for graded protection filed for the record?
[explanation]
Units that build and use secret-related information systems shall report the grading, construction and use of those systems, for the record, to the secrecy work agency of their competent department and to the secrecy department responsible for examining and approving the system, and shall accept the supervision, inspection and guidance of the secrecy departments.
2.4 Which document is the policy basis for graded protection?
[explanation]
Measures for the Administration of Graded Protection of Information Systems Involving State Secrets (Guobao Fa [2005] No. 16).
2.5 What are the applicable objects of level protection and graded protection respectively?
[explanation]
Level protection. Standard system: national standards (GB, GB/T). Applicable object: non-secret information systems.
Graded protection. Standard system: national secrecy standards (BMB, mandatory). Applicable object: secret-related information systems.
2.6 How are the graded protection standards related to one another?
[explanation]
BMB17 and BMB20 are the basis for graded protection design; BMB23 implements the technical and management requirements of BMB17 and BMB20; BMB18 is the basis for engineering supervision during system construction and implementation; and BMB22 is the basis for evaluation before system launch and on system change.
2.7 What is the difference between level protection and graded protection?
[explanation]
Grading under level protection is based on the important business system and on the network, equipment, system and unit attributes that carry the service, together with the relationship between the subject and object affected if it is damaged.
Grading under graded protection determines the protection level according to the importance of the information and the highest classification of the information.
2.8 What are the criteria for the construction, scheme design and evaluation of graded protection?
[explanation]
BMB23 is the construction and design basis for implementing the technical and management requirements of BMB17 and BMB20, and BMB22 is the evaluation basis before system launch and on system change.
2.9 Does the graded protection design need to be reviewed and approved, and who reviews and approves it?
[explanation]
The unit that builds and uses the secret-related information system shall organize the review and demonstration of the system design plan; the secrecy department shall take part in that review, strengthen guidance, and strictly check the overall security and secrecy of the system.
2.10 Does a secret-related information system need to be examined and approved before it is put into use?
[explanation]
A secret-related information system must be examined and approved before it is put into use. It shall not be put into use without the examination and approval of the secrecy work department.
Examination and approval unit:
Responsible for examining and approving secret-related information systems of ministries and commissions of central and state organs and their subordinate units, as well as first-level secret qualification units for scientific research and production of national defense weapons and equipment
Secrecy Bureau of provinces (autonomous regions and municipalities directly under the Central Government): responsible for examining and approving secret-related information systems of provinces, organs and their subordinate units, and second-and third-level secret qualification units for scientific research and production of national defense weapons
Municipal (prefectural) secrecy bureau: responsible for examining and approving the secret-related information systems of municipal (prefectural) organs and their subordinate units and county organs.
2.11 What is the role of graded protection system evaluation, and must it be done?
[explanation]
Graded protection evaluation of a secret-related system comprehensively verifies whether the security measures taken meet the security requirements and security objectives, and provides a basis for the examination and approval of the secret-related information system.
System evaluation is a necessary part of system examination and approval. Without evaluation, a secret-related information system cannot pass the examination and approval for being put into operation.
2.12 Which units can carry out graded protection evaluation, and what are the qualification requirements?
[explanation]
At present, the state secrecy work department and the system evaluation institutions it has authorized are responsible for evaluation; an evaluation institution should hold the individual qualification for risk assessment under computer information system integration involving state secrets.
2.13 What does graded protection require of security products used in secret-related systems?
[explanation]
Information security and secrecy products used in secret-related information systems shall, in principle, be domestic products and shall pass testing by authorized testing institutions in accordance with the relevant national secrecy standards; the catalogue of tested products is examined and issued by × ×.
2.14 How often is a graded protection security check of secret-related systems carried out?
[explanation]
After a secret-related information system is put into operation, the security department responsible for examining and approving the system carries out security evaluations to test the effectiveness of the system's security measures and their adaptability to environmental changes.
Secret and confidential information systems: a security assessment or security inspection should be carried out at least once every two years.
Top secret information systems: a security assessment or security inspection should be carried out at least once a year.
2.15 What is the relationship between the secrecy bureaus at all levels and the secrecy offices of each unit?
[explanation]
Secrecy bureaus at all levels: state secrecy departments, responsible for supervision, inspection and guidance
Secrecy Office of each unit: secrecy work organization, responsible for specific implementation.
2.16 What qualifications must a vendor hold for graded protection system integration?
[explanation]
A Class A qualified unit may undertake the planning, design and implementation of secret-related information systems throughout the country; it may undertake system services and system consultation only for the secret-related information systems it has built itself, and shall not engage in other individual qualification business.
A Class B qualified unit may undertake the planning, design and implementation of secret-related information systems within its defined administrative area; it may undertake system services and system consultation only for the secret-related information systems it has undertaken itself, and shall not engage in other individual qualification business.
2.17 Must graded protection security construction be supervised, and what are the supervision qualification requirements?
[explanation]
During system construction, a unit or organization holding the individual qualification for supervision of secret-related projects should be selected to strengthen supervision and inspection in six areas, namely security control, quality control, progress control, cost control, contract management and document management, according to the requirements of BMB18-2006.
2.18 Which specific graded protection jobs require individual qualifications of vendors?
[explanation]
Individual qualification business (nationwide, approved business only):
Military industry, software development, integrated wiring, system services, system consulting, risk assessment, project supervision, data recovery, shielding room construction, security monitoring.
3 Comprehensive questions
3.1 What is the essential difference between level protection and graded protection?
[explanation]
Level protection applies to non-secret information systems; graded protection applies to secret-related information systems.
3.2 What are the levels of level protection and graded protection?
[explanation]
Level protection is divided into five levels: level 1 (autonomous protection), level 2 (guided protection), level 3 (supervisory protection), level 4 (compulsory protection) and level 5 (special control protection).
Graded protection is divided into three levels: secret, confidential (confidential enhanced) and top secret.
The correspondence between graded protection and level protection: secret corresponds to level 3, confidential to level 4 and top secret to level 5.
3.3 Level protection / graded protection: what is the difference, which departments manage them, and how?
[explanation]
Level protection. Standard system: national standards (GB, GB/T). Applicable object: non-secret information systems.
Graded protection. Standard system: national secrecy standards (BMB, mandatory). Applicable object: secret-related information systems.
The public security organ is the department in charge of level protection, and the state secrecy department, the state cryptography administration department and the information leading group are responsible for coordinating, supervising, inspecting and guiding the work.
The state secrecy department is the department in charge of graded protection, and the provincial and municipal secrecy bureaus are responsible for the supervision, inspection and guidance of the work under their jurisdiction.
3.4 Which units are leaks reported to?
[explanation]
Level protection falls under the 11th Bureau of Public Security; in Beijing, internal security is usually responsible for the cases involved.
3.5 Is classification filing based on the unit or the system?
[explanation]
Level protection filing is based on the system.
3.6 What is the relationship between risk assessment and level protection?
[explanation]
Risk assessment is an important part of level protection work; see Development and Reform of High Technology [2008] No. 2071.
3.7 Is it necessary to apply for approval during the design stage and before implementation of the level protection scheme?
[explanation]
The country is working on the relevant standards and is expected to launch the GB standard within 3 years.
3.8 Are there any requirements for the use of level protection products and cryptographic products?
[explanation]
Cryptographic products are not within the scope of level protection management, and there are no clear requirements for security products. When developing security products, vendors can refer to Information Security Technology: Basic Requirements of Information System Security Level Protection.