Yesterday we briefly talked about Document No. 27, and today we will continue to follow the “1994-2017 Class Protection Policy and Legal Development History” that I compiled.
Today, let’s take a look at Gongtongzi No. 66 along the historical timeline of graded protection, that is, the “Implementation Opinions on Information Security Graded Protection”. From reading and studying it, we can conclude that this document implements the State Council’s Order No. 147 and the Central Office Document No. 27. This is also written in the relevant training materials, and it is how the teachers interpret it in the evaluator training exam. The document was jointly signed and issued by four ministries and commissions: the Ministry of Public Security, the State Security Bureau, the State Cryptography Administration, and the former State Council Information Office. It sets out the basic principles of the security level protection system, the basic content, work requirements and implementation plans of the level protection work, and the division of work responsibilities among the various departments.
This document tells us the importance of carrying out information security level protection work, which it boils down to five “benefits”. When I first entered level protection, I was rather stupid and it took me a lot of effort to recite them. I have read these five “benefits” several times, and now when I look back on them they feel very cordial, but I have almost forgotten them. The document states that implementing information security level protection can effectively improve the overall level of our country’s information and information system security construction. It is conducive to building information security facilities at the same time as informatization construction proceeds, ensuring that information security and informatization construction are coordinated; it is conducive to providing systematic, targeted and feasible guidance and services for the construction and management of information system security, and to effectively controlling the cost of information security construction; it is conducive to optimizing the allocation of information security resources, implementing hierarchical protection of information systems, and focusing on securing basic information networks and the important information systems related to national security, the economic lifeline, social stability, etc.; it is conducive to clarifying the information security responsibilities of the state, legal persons, other organizations and citizens, and to strengthening information security management; and it is conducive to promoting the development of the information security industry and gradually exploring an information security model that adapts to the development of the socialist market economy.
From these five “benefits”, it is not difficult to see that the direction of our country’s development of the hierarchical protection system is clear, and that this document really does guide the development of our hierarchical protection. Therefore, having discussed Circular No. 27, we now discuss Document No. 66, expanding step by step along the development of China’s hierarchical protection system and following its gradual progress. Looked at day by day, it seems that few changes have been made, but after reading these documents and then looking at the present, we find that we have made great progress, and we have to admire the superiority of our system: we can focus on the present and also have a long-term development strategy. Returning to Document No. 66: after the five “benefits” mentioned above, the document next discusses the principles of the information security level protection system.
Document No. 66 states that the core of information security level protection is to classify information security into levels and to build, manage and supervise it according to the standards. It follows four principles: clarify responsibilities and jointly protect; follow standards and self-protect; synchronous construction and dynamic adjustment; guidance and supervision with key protection. These four principles are of course very important, and they amount to more than the 32 words above: each principle is interpreted in the document. Readers who need the details can download the shared copy from the original link.
After the principles, the document moves on to the chapter on the basic content of the information security graded protection system. This part states that information and information systems are divided into five levels of security protection according to: the importance of the information and information systems in national security, economic construction and social life; the degree of harm to social order, public interests and the legitimate rights and interests of citizens, legal persons and other organizations; and the confidentiality, integrity and availability requirements of the information together with the basic level of security protection that the information systems must achieve. The classification of these five levels is still somewhat different from the classification used at the time of filing. The five levels we use now when we go to the police for filing are defined in Document No. 43, the “Administrative Measures for the Level Protection of Information Security”, so everyone should pay attention to the difference when reading the documents.
In Document No. 66, the first level is the autonomous protection level, the second level is the guidance protection level, the third level is the supervisory protection level, the fourth level is the compulsory protection level, and the fifth level is the exclusive control protection level, for a total of five levels. The document also mentions that the state implements hierarchical management of the use of information security products. Next, the document clarifies the division of responsibilities for information security graded protection work. The public security organs are responsible for the supervision, inspection and guidance of information security graded protection work, which again emphasizes the leading role of the public security organs in hierarchical protection. The document then turns to the requirements for implementing information security level protection.
The requirements for implementing the classified protection of information security emphasize that the following six aspects should be done well: improve standards and provide classified guidance; scientific grading and strict filing; construction rectification and implementation measures; self-examination and self-correction to implement requirements; ; supervision and inspection, perfect protection. In these six aspects each party performs its own duties, and all of them must be supervised and inspected. “Supervision and inspection, perfect protection” means that the public security organs, in accordance with the requirements of the management norms and technical standards for level protection, focus on supervising and inspecting the security level protection status of third- and fourth-level information and information systems. If it is found that the determined security protection level does not conform to the management norms and technical standards of graded protection, the competent department of the information and information systems and the operating and user units shall be notified to make rectification; if required, rectification shall be made within a time limit so that the security protection measures for the information and information systems become more complete. The level of the information security products used in information systems is also supervised and inspected. For the other aspects, you can read the original text I shared carefully; the details are not repeated here.
The last topic is the implementation plan for the classified protection of information security. Of course, at the time this document was talking about the future, and today that is already in the past tense. However, we can compare and verify whether the plans made at that time have been implemented.
The document states that the information security level protection system was planned to be implemented nationwide in three phases over about three years: a preparation stage, a key implementation stage, and a full implementation stage. These three stages have basically all been realized. After three years of hard work, the information security level protection system was gradually implemented in all aspects of information security planning, construction, evaluation, operation and maintenance, etc., so that our country’s information security guarantee situation was basically improved. From the security protection training materials, we can see that three years later, when the 2008 Beijing Olympic Games were held, all important information systems related to the Olympic Games strictly implemented the national information security level protection system. Work was organized on information system classification, filing, security evaluation, penetration attack testing and risk assessment; vulnerabilities, security risks and problems were discovered in a timely manner, and the relevant departments were urged to make rectifications, improving the security protection capability of the Olympic-related information networks. This proves that implementing the hierarchical protection system and carrying out risk assessment are effective measures for improving the security and defense capabilities of important information systems and resisting attacks.