Today we continue to discuss the 1994-2017 graded protection policy and the legal development of the 2007 policy document. We know that the 2007 “Information Security Graded Protection Management Measures” (Gongtongzi No. 43, hereinafter “Circular 43”) was jointly issued by the Ministry of Public Security, the State Security Administration, and the State Encryption Administration Bureau. This document spells out the specific tasks of the public security organs: the Ministry of Public Security takes the lead and, in conjunction with the State Secrecy Bureau, the State Encryption Administration and other departments, organizes units and departments across the country to implement information security graded protection. The document also makes clear that the public security organs are responsible for the supervision, inspection, and guidance of information security graded protection work.
Circular 43 was enacted in order to standardize the management of information security graded protection, improve the ability and level of information security protection, maintain national security, social stability and the public interest, and protect and promote the construction of informatization, in accordance with the “Regulations of the People’s Republic of China on the Security Protection of Computer Information Systems” (State Council Order No. 147) and other relevant laws and regulations.
The second chapter of Circular 43 covers classification and protection. Article 7 establishes that the security protection level of an information system is divided into five levels. These five levels differ from the five-level description in Circular 66; Circular 27 extended the description of Circular 66, and Circular 43 changes it again. Taking the third level as an example, Circular 66 reads: “The third level is the supervision and protection level, applicable to information and information systems involving national security, social order, economic construction and the public interest, whose destruction would cause greater damage to national security, social order, economic construction and the public interest.” Circular 43 reads: “The third level: destruction of the information system will cause serious damage to social order and the public interest, or cause damage to national security.” We can see that where Circular 66 says “will cause great damage to national security, social order, economic construction and public interests”, Circular 43 says “causing serious damage to social order and public interests, or causing damage to national security”: the description is more detailed, the degree of damage is graded, and the object of the damage is graded as well. The other three levels differ in similar ways. You can compare the Circular 66 text I shared earlier with the Circular 43 text I will share next, so I won’t repeat them here. Starting with Circular 43, our grading guidelines have essentially followed this document, and our grading reports are also written in the terms of Circular 43.
Article 8 of Circular 43 sets out the responsibilities of information system operators and users. It requires that information systems be protected in accordance with Circular 43 and the related technical standards, and that the relevant national information security regulatory authorities supervise and manage their information security graded protection work. There are also five levels under this article. Put simply: at the first level, the operator and user protect the system themselves; at the second level, the authorities provide guidance on supervision and management; at the third level, supervision and inspection; at the fourth level, compulsory supervision and inspection; and at the fifth level, special supervision and inspection. At all five levels, information system operators and users are required to carry out protection in accordance with the relevant national management regulations and technical standards (the fifth level follows special security requirements for the business).
The third chapter covers the implementation and management of graded protection. It refers to the “Guidelines for the Implementation of Information System Security Graded Protection”, the “Guidelines for the Grading of Information System Security Graded Protection”, the “Computer Information System Security Classification Guidelines” (GB17859-1999), the “Basic Requirements for Information System Security Graded Protection”, the “Information Security Technology Information System General Security Technical Requirements” (GB/T20271-2006), the “Information Security Technology Network Basic Security Technical Requirements” (GB/T20270-2006), the “Information Security Technology Operating System Security Technical Requirements” (GB/T20272-2006), the “Information Security Technology Database Management System Security Technical Requirements” (GB/T20273-2006), the “Information Security Technology Server Technical Requirements”, and standards such as the “Information Security Technology Terminal Computer System Security Grade Technical Requirements” (GA/T671-2006). This list actually points the way for our study of the standards: graded protection is by no means limited, and cannot be limited, to the “Basic Requirements for Information System Security Graded Protection”. The standards listed here should be thoroughly grasped, and we should understand that a large body of foundational standards stands behind the ones listed and supports them.
Circular 43 stipulates that a third-level system is evaluated once a year. Article 14 of Circular 43 states: Level 3 information systems shall be evaluated at least once a year, Level 4 information systems at least once every six months, and Level 5 information systems according to their special security requirements. Note that the third-level system is evaluated at least once a year, and the fourth-level system every six months (in practice, fourth-level systems are now also evaluated annually). I remember once seeing a plan somewhere that attributed the annual evaluation of third-level systems to the “Cyber Security Law”. Of course, this can also bluff laymen. Look carefully at Circular 43. The following provisions concern self-examination. The frequency of self-examination matches the evaluation frequency just described, that is, a third-level information system conducts self-examination at least once a year. The end point of graded protection is actually rectification: whether through evaluation or self-examination, anything that does not meet the requirements of the security protection grade should be rectified.
Next, the circular addresses information systems at the second level or above, which must complete filing formalities with the local public security organ at or above the districted-city level within 30 days after being put into operation. In practice there are two points to note here. First, I found that some fellow evaluation agencies tell customers that they must be evaluated before they can go online. This is not correct, and I will discuss the issue next. Second, the operating and user unit must file with the public security organ at or above the level of a city “with districts”, which in simple terms means the public security organ at or above the prefecture-level city. For other matters requiring attention in filing, please read the original Circular 43; I won’t repeat them here.
When going through the filing procedure for an information system security protection level, the “Information System Security Graded Protection Filing Form” shall be completed, and information systems at level 3 or above shall also provide the following materials:
(1) System topology and description;
(2) System security organization and management system;
(3) The design and implementation plan for the system’s security protection facilities, or the implementation plan for their reconstruction;
(4) A list of the information security products used in the system, with their certification and sales license certificates;
(5) A technical inspection and evaluation report, issued after evaluation, showing that the system meets its security protection level;
(6) Expert review opinions on the security protection level of the information system;
(7) The opinion of the competent authority reviewing and approving the security protection level of the information system.
Circular 43 contains a great deal of material, so I will stop here for the time being. One question remains. Circular 43 is the “Measures for the Management of Information Security Graded Protection”; its Chapter 4 deals with the graded protection management of state secret information systems, and Chapter 5 with the password management of information security graded protection. What, then, is the relationship between this so-called graded protection and password evaluation on the one hand, and the graded protection supervised by our public security organs on the other?