Shulou(Shulou.com)06/01 Report--

I. purpose

In order to reduce or avoid the potential risks caused by the loss, damage, tampering, leakage and other events of the company's important assets, these risks will cause great or heavy losses to the company's reputation, business activities, economic interests, etc., it is necessary to standardize the classification and definition of information assets and the criteria for the level of information secrets, and standardize the corresponding disaster preparedness requirements for all kinds of information assets.

II. Guiding principles for the classification of information assets

1. Existing assets should be classified according to their different forms and properties, and corresponding control measures should be taken according to the characteristics of various assets.

two。 The asset classes of the same form should be classified according to their importance and value, and corresponding protective measures should be taken according to the important level.

3. Each asset shall specify the person in charge or owner of the asset management, security level, technical documentation, location, etc.

4. The inventory of assets should be carried out regularly, the rationality of asset classification should be checked regularly, and the loss of assets should be prevented.

III. Reference documents

In order to ensure consistency with the standards defined by the company, the classification of information assets and the identification of asset value-- reference [brief]

IV. Classification of information assets

Corporate information assets refer to all resources related to the security and interests of the company, such as things, documents, projects and data that are known, operated and maintained by a certain range of personnel within the protection period.

According to the guiding principles, information assets are divided into the following six categories:

Asset classification

Code name

Example

Documents and data

D

1) all kinds of data stored on the information media, including source code, database data, system documentation, operation management procedures, plans, reports, user manuals, etc. (process documents generated in the process of project development)

2) all kinds of paper documents, such as fax, telegram, financial report, development plan, etc. (administrative documents generated in the course of the company's operation)

Software and system

R

System software: operating system, language pack, tool software, various libraries, etc.

Application software: externally purchased application software, outsourced application software

Source code: various shared source code

Hardware and facilities

H

Network equipment: routers, gateways, switches, etc.

Computer equipment: mainframe, minicomputer, server, workstation, desktop computer, mobile computer, etc.

Storage devices: tape drives, disk arrays, magnetic tapes, optical discs, floppy disks, removable hard disks, etc.

Transmission lines: optical fiber, twisted pair, etc.

Safeguard equipment: power support equipment (UPS, substation equipment, etc.), air conditioning, safe, filing cabinet, access control, fire fighting facilities, etc.

Security equipment: firewall, intrusion detection system, identity authentication, etc.

Others: printers, copiers, scanners, fax machines, etc.

Service

S

Office services: a management information system (MIS) developed to improve efficiency, including a variety of internal configuration management, document flow management and other services

Network service: network connection service provided by various network equipment and facilities

Information service: all kinds of services that depend on the system.

Personnel

P

People who have important information and core business, such as mainframe maintenance supervisor, network maintenance supervisor, etc.

Other

O

V. Identification of the value of information assets

5.1 confidentiality assignment

According to the different requirements of confidentiality, assets are divided into five different levels, corresponding to the impact of different degrees of confidentiality or lack of confidentiality on the entire organization, as shown in the table below:

Assignment

Identification

Define

five

Very high

It contains the most important secrets of the organization, which is related to the future and destiny of the future development, and has a decisive impact on the fundamental interests of the organization. If leaked, it will cause catastrophic damage.

four

High

It contains important secrets of the organization, and its disclosure will seriously damage the security and interests of the organization.

three

Medium

The disclosure of the general secret of the organization will damage the security and interests of the organization.

two

Low

The spread of information that can only be disclosed within the organization or within a department of the organization may cause slight damage to the interests of the organization.

one

Very low

Information that can be disclosed to the society, public information processing equipment and system resources, etc.

5.2 Integrity assignment

According to the different requirements of the integrity of assets, they are divided into five different levels, corresponding to the impact on the entire organization when the integrity of assets is missing, as shown in the table below:

Assignment

Identification

Define

five

Very high

The value of integrity is critical, and unauthorized modification or destruction can have a significant or unacceptable impact on the organization, have a significant impact on the business, and may cause serious business disruptions that are irreparable.

four

High

The value of integrity is high, unauthorized modification or damage will have a significant impact on the organization, a serious impact on the business, more difficult to make up for.

three

Medium

The value of integrity is medium, unauthorized modification or damage will have an impact on the organization, the impact on the business is obvious, but can be made up for.

two

Low

The value of integrity is low, unauthorized modification or damage will have a slight impact on the organization, a slight impact on the business, easy to make up for.

one

Very low

The value of integrity is very low, the impact of unauthorized modification or destruction on the organization can be ignored, and the impact on the business can be ignored.

5.3 availability assignment

According to the different requirements of the availability of assets, they are divided into five different levels, corresponding to the different degrees of achievement of the availability of assets, as shown in the following table:

Assignment

Identification

Define

five

Very high

The usability value is very high, and the annual availability of information and information systems by legitimate users is more than 99.9%, or the system does not allow interruption.

four

High

The usability value is high, legal users' availability of information and information system is more than 90% per day, or the system allows interruption time of less than 10 minutes.

three

Medium

The availability value is medium, the legal users' availability of information and information system is more than 70% in normal working hours, or the system allows interruption time of less than 30 minutes.

two

Low

The usability value is low, and the availability of legitimate users to information and information systems is more than 25% in normal working hours, or the system allows interruption time to be less than 60 minutes.

one

Very low

The usability value is negligible, and the availability of information and information systems by legitimate users is less than 25% during normal working hours.

5.4 determine important assets

The importance (value) of assets should be based on the level of confidentiality, integrity and availability of assets. After comprehensive evaluation, the calculation model of asset importance of the company is as follows:

Asset value importance = (confidentiality * 0.5 + integrity * 0.3 + availability * 0.2) rounded according to the different assignment results of the importance of the asset, it is divided into five different levels. Level 3 or above is an important information asset of the company. Information security risk assessment will be carried out on important information assets (see Information Security risk Assessment form for specific assessment process) The classification of the importance of assets is shown in the following table:

Grade

Identification

Description

five

Very high

It is very important that the destruction of its security attributes may cause very serious losses to the organization.

four

High

Important, the destruction of its security attributes may cause serious losses to the organization.

three

Medium

More importantly, the destruction of its security attributes may cause moderate losses to the organization.

two

Low

Less important, the destruction of its security attributes may cause lower losses to the organization.

one

Very low

It is not important, after its security attribute is destroyed, it will cause little loss to the organization, even ignore it.

VI. Importance of assets and disaster preparedness requirements

6-1 server (including virtual machines)

a. For servers with high and very high levels, ensure that dual power supplies are connected and the network has a redundant mechanism (such as bridging between two network cards)

b. For servers with a high or very high level, OS should have redundant mechanisms, such as RAID1

c. Should be integrated into AD management and anti-virus system

d. A performance monitoring mechanism should be established to provide early warning and notification.

e. Update patches regularly, emergency patches coordinate the installation time with the production line

Grade

Identification

Dual power supply

Dual network

OS-RAID

AD management

Anti-virus

Performance monitoring

Patch update

● standard ○ optional ☆ is not required

five

Very high

●

●

RAID1

●

●

●

Coordinate with MP

four

High

●

●

RAID1

●

●

●

Coordinate with MP

three

Medium

○

○

RAID5

●

●

○

Coordinate with MP

two

Low

○

○

☆

●

●

○

Weekend

one

Very low

☆

☆

☆

●

●

☆

Weekend

6-2 DB&WEB& source code

a. For DB&WEB servers with high and high levels, Cluster mechanism should be established.

b. The establishment of a sound backup mechanism should include at least three modes: local backup, centralized backup and offline backup.

c. Depending on the amount of data, backup time and load, the backup method should be defined, such as full backup, incremental backup or differential backup.

d. According to the degree of importance, the time of data loss should be regulated and configured accordingly.

e. The monitoring mechanism of DB&WEB operation should be established.

f. The backup data should be protected by permissions, and the backup should be restored regularly to ensure the integrity and availability of the data.

Grade

Identification

Cluster

Data loss

(local log)

Backup (one for each machine)

Backup center

Backup

Daily

Weekly

Monthly

Daily

Offline

● standard ○ optional ☆ is not required

five

Very high

●

0~15min

●

●

●

●

Daily

four

High

●

15~30min

●

●

●

●

Weekly

three

Medium

○

30min~1h

●

○

○

●

Weekly

two

Low

○

1h~2h

●

○

○

○

○

one

Very low

☆

☆

●

☆

☆

○

○

6-3 network

A. redundancy mechanism should be established in core network

B. the core network should establish protection mechanisms, such as firewall, VLAN partition, etc.

C. the network configuration is archived on a regular basis, and when there are changes, they should be backed up in time.

D. Core network equipment should establish backup equipment, such as floor aggregation layer switch

E. Network real-time traffic monitoring and action monitoring mechanism should be established for early warning.

Grade

Identification

Cluster

Safety protection

Backup (configuration file)

Backup equipment and monitoring

● standard ○ optional ☆ is not required

five

Very high

●

●

Monthly

●

four

High

●

●

Monthly

●

three

Medium

○

●

Season

○

two

Low

○

○

☆

☆

one

Very low

☆

○

☆

☆

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.