Shulou(Shulou.com)06/01 Report--

The third chapter of the Network Security Law, which was formally implemented on June 1, 2017, devoted nearly 1/3 of the space to standardizing the security of network operation, with special emphasis on ensuring the operation security of critical information infrastructure. It is emphasized that key information infrastructure should be protected on the basis of the network security level protection system, and it is clear that the operators of key information infrastructure have more security protection obligations. it is accompanied by legal measures such as national security review and mandatory local storage of important data to ensure the safe operation of critical information infrastructure. It can be seen that it is the unshirkable network security obligation of enterprises to carry out hierarchical protection.

Which industries need to carry out grade protection evaluation?

Government organs: major ministries, provincial government agencies, prefectural and municipal government organs, institutions, etc.

Financial industry: financial regulators, major banks, securities, insurance companies, etc.

Telecommunications industry: major telecom operators, provincial telecom companies, prefectural and municipal telecom companies, various telecom service providers, etc.

Energy industry: power companies, oil companies, tobacco companies

Enterprise units: large and medium-sized enterprises, central enterprises, listed companies, etc.

Other industries and units that have the need for information system grading.

Which systems in the unit need to be evaluated for grade protection?

Each unit has a lot of information systems, the big principle is: determined as secondary and above information systems need to do equal protection evaluation.

So what are the second-level and above information systems within the unit?

The secondary system is mainly the following systems: the important information system at the district and county level, and the general information system at the prefectural, municipal and provincial level. the general information system here refers to the information system that does not involve sensitive and important information. These systems can be defined as secondary systems.

The three-level system mainly includes the following systems: provincial unit portal websites, influential unit portal websites of prefecture-level cities, and important business websites of prefecture-level cities and above need to be designated as level III. For office systems at and above the prefectural and municipal level that involve work secrets, sensitive information, and important information, the management system needs to be set at three levels, and cross-provincial branch systems for production, dispatching, management, and command in provinces and cities need to be set at three levels. the network system connected across provinces should be set at level 3 (this is generally a national operation of the special network system).

Of course, when we grade the system, we still have to make the actual grading combined with the importance of the system, and we must not be rigid. For example, we have stored millions of population information, housing information and other sensitive information in a system in a certain district. Although such a system is in the district and county, it has to be set to level 3.

What are the benefits of conducting grade protection assessment?

In enterprises-the implementation of information security grade protection evaluation can effectively improve the overall level of information and information system security construction of units, and effectively control the cost of enterprise information security construction; it is helpful to clarify the information security responsibilities of the state, legal persons and other organizations and citizens, and strengthen the management of enterprise information security.

In the information system-through the grade protection evaluation, the security situation of the information system can be found in time and a plan can be made for rectification and reform. when the information system fully meets the requirements of security protection capability, the information system can basically achieve "can not enter, can not take away, can not change, can not understand, can not run, can be audited, can not be broken".

In short, the protection work can not be limited to a classification and filing work, step up evaluation and follow-up safety rectification, find the problem, solve the problem is the fundamental.

Which institutions can do grade protection assessment?

In order to do the grade protection evaluation, it is necessary to find the grade protection evaluation institutions that meet the prescribed requirements. What kind of evaluation institutions meet the requirements? Which one is the evaluation agency looking for? Do not look for Lanxiang, only find grade protection evaluation institutions that meet the prescribed requirements.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.