What is Level 3 classified protection?
Level 3 classified protection is the level of security protection that the Cybersecurity Law requires for information systems that concern national security, social order and the public interest. Its content covers three main aspects: first, strict control and management of the information system's operating environment to ensure its physical security; second, secure configuration and management of the system, including configuring and updating the operating system, database and applications to prevent potential vulnerabilities; third, security monitoring and logging of the system, so that security incidents are detected and handled in time.

What does Level 3 classified protection cover, and what is Level 3?

This article introduces the concept, content and scope of Level 3 classified protection and how to pass Level 3 certification.

The concept of Level 3 classified protection

Level 3 classified protection is the third level of the cybersecurity classified protection scheme and is the highest protection certification available to domestic non-bank institutions. The cybersecurity classified protection scheme is the guiding framework for national information security classified protection in China and is used to standardise network security protection. Based on the importance and security risk of an information system, China divides network security protection into five levels, Level 1 to Level 5; the higher the level, the stricter the requirements. Of these, Levels 1 and 2 are autonomous protection levels, Level 3 is the supervised protection level, and Levels 4 and 5 are mandatory protection levels.

A Level 3 information system is one that has been graded, filed with the authorities and determined to be Level 3. Damage to such a system would harm national security, and the level is typically applied to important systems such as the portal websites of municipal bodies and provincial ministries. Passing Level 3 certification shows that an enterprise's information security management capability has reached the highest domestic standard.

The content of Level 3 classified protection

Level 3 classified protection consists mainly of technical requirements and management requirements.

Technical requirements are the security technical standards and specifications an information system must meet in five areas: physical, network, host, application and data. In detail:

Physical security: the computer room should be divided into a main server room and a monitoring area. It should be equipped with an electronic access-control system, an intrusion alarm system and video monitoring; it should have no windows, and it should be fitted with dedicated gas fire suppression and a standby generator.

Network security: draw a network topology diagram consistent with the current deployment. The configuration of switches, firewalls and similar devices should meet the requirements, for example VLAN division and logical isolation, QoS traffic-control policies, access-control policies, and IP/MAC binding for important network devices and servers. Network audit equipment and intrusion detection or prevention equipment should be deployed. The authentication mechanisms of switches and firewalls should meet the classified protection requirements, such as username and password complexity policies, handling of failed login attempts, and user role and privilege control. Network links, core network devices and security devices need redundant designs.

Host security: the configuration of each server should meet the requirements, such as identity authentication, access control, security auditing and anti-virus protection; third-party host and database audit equipment can be purchased if necessary. Servers (application and database servers) should be redundant, for example dual-machine hot standby or cluster deployment. Before going live, servers and important network devices must be scanned and assessed for vulnerabilities, and there must be no medium-risk or higher vulnerabilities (such as Windows system vulnerabilities, middleware vulnerabilities such as in Apache, database software vulnerabilities, or other system-software and open-port vulnerabilities). A dedicated log server should be set up to retain the audit logs of hosts and databases.

Application security: the functions of the application itself should meet the classified protection requirements, such as an identity authentication mechanism, audit logging, and encryption of communications and stored data. The application owner should consider deploying web page anti-tampering equipment. The security assessment of the application (including application security scanning, penetration testing and risk assessment) should find no vulnerabilities of medium or high risk, such as SQL injection, cross-site scripting, web pages implanted with malicious code, web page tampering, sensitive information disclosure, weak passwords and password guessing, and administrative back-end vulnerabilities. Logs generated by the application system should be kept on the dedicated log server.
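The network and application requirements above both call for an identity authentication mechanism with a password complexity policy, a handling mechanism for failed logins, and an audit record of each attempt. The following is an added example for this page, not code from the article or from any vendor named in it, showing those three controls together in one small authentication service. The thresholds (8-character minimum, three of four character classes, lockout for 15 minutes after 5 consecutive failures) are assumed values chosen for the example; the article does not prescribe them.

```python
"""Password-complexity policy, failed-login handling and audit logging.

Added example; the thresholds below are assumptions, not values from the article.
"""
import hashlib
import hmac
import os
import string
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 8          # assumed policy value: minimum password length
MIN_CLASSES = 3         # assumed: at least 3 of upper / lower / digit / symbol
MAX_FAILURES = 5        # assumed: lock the account after 5 consecutive failures
LOCKOUT_SECONDS = 900   # assumed: 15-minute lockout


def check_password_complexity(password: str) -> List[str]:
    """Return the policy violations found; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append("uses %d character classes, policy needs %d" % (classes, MIN_CLASSES))
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256: only the salt and derived key are stored, never the password."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, key


@dataclass
class Account:
    salt: bytes
    key: bytes
    failures: int = 0          # consecutive failed attempts since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class AuthService:
    accounts: Dict[str, Account] = field(default_factory=dict)
    # In production each record would be forwarded to the dedicated log server.
    audit_log: List[dict] = field(default_factory=list)

    def register(self, user: str, password: str) -> None:
        problems = check_password_complexity(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt, key = hash_password(password)
        self.accounts[user] = Account(salt, key)

    def _audit(self, user: str, event: str, now: float) -> None:
        self.audit_log.append({"time": now, "user": user, "event": event})

    def login(self, user: str, password: str, now: Optional[float] = None) -> bool:
        """Verify a login attempt; `now` is injectable so lockout timing can be tested."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            # Same result as a wrong password, so the response does not reveal valid usernames.
            self._audit(user, "failure: unknown user", now)
            return False
        if now < acct.locked_until:
            self._audit(user, "rejected: account locked", now)
            return False
        _, key = hash_password(password, acct.salt)
        if hmac.compare_digest(key, acct.key):
            acct.failures = 0
            self._audit(user, "success", now)
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            self._audit(user, "failure: account locked for %ds" % LOCKOUT_SECONDS, now)
        else:
            self._audit(user, "failure: attempt %d" % acct.failures, now)
        return False
```

Every path through `login` writes an audit record before returning, which is what makes the log usable for the "discover and respond to incidents in time" goal: a burst of `failure: attempt N` records followed by `account locked` is the signal an analyst looks for. The lockout state is kept with the account rather than in the caller, so the same policy applies however the service is reached.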

Data security: a local backup mechanism should be provided, with data backed up locally every day and the backup stored at a separate location. If the system holds core key data, a remote data backup function should also be provided, with the data transmitted over the network to a remote site for backup.
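The data-security requirement above asks for a daily local backup kept at a second location and, for core data, a remote copy. The following is an added example for this page, not code from the article or from any vendor named in it, showing that requirement in its simplest checkable form: a dated archive is written to a local store with a digest manifest, replicated to a second store, verified, and restored as a recovery drill. Assumption: both the "local" and the "remote" store are plain directories so the example runs offline; a real deployment would point the remote store at replicated storage or push the archive over an authenticated channel.

```python
"""Daily local backup, second-location copy, integrity verification and restore.

Added example; the directory-based "remote" store is an assumption made so it runs offline.
"""
import hashlib
import json
import shutil
import tarfile
import tempfile
from datetime import date
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(archive: Path) -> Path:
    """Sidecar file that records the archive's expected digest."""
    return archive.with_name(archive.name + ".manifest.json")


def make_backup(source: Path, local_store: Path, day: Optional[date] = None) -> Path:
    """Archive `source` as <name>-<YYYY-MM-DD>.tar.gz in `local_store` and write its manifest."""
    day = day or date.today()
    local_store.mkdir(parents=True, exist_ok=True)
    archive = local_store / ("%s-%s.tar.gz" % (source.name, day.isoformat()))
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    manifest = {"archive": archive.name, "date": day.isoformat(), "sha256": sha256_file(archive)}
    manifest_of(archive).write_text(json.dumps(manifest))
    return archive


def replicate(archive: Path, remote_store: Path) -> Path:
    """Copy the archive and its manifest to the second (remote) location."""
    remote_store.mkdir(parents=True, exist_ok=True)
    for p in (archive, manifest_of(archive)):
        shutil.copy2(p, remote_store / p.name)
    return remote_store / archive.name


def verify_backup(archive: Path) -> bool:
    """True only if the archive matches its manifest digest and is a readable tarball."""
    manifest_path = manifest_of(archive)
    if not (archive.exists() and manifest_path.exists()):
        return False
    expected = json.loads(manifest_path.read_text())["sha256"]
    if sha256_file(archive) != expected:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
    except tarfile.TarError:
        return False
    return True


def restore(archive: Path, dest: Path) -> None:
    """Recovery drill: refuse member paths that would escape `dest`, then extract."""
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                raise ValueError("unsafe member path: " + m.name)
        tar.extractall(dest)


def run_demo() -> dict:
    """End-to-end run on constructed sample data in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    src = root / "appdata"
    src.mkdir()
    (src / "records.db").write_bytes(b"constructed sample data")  # constructed input
    local = make_backup(src, root / "local", date(2024, 1, 15))
    remote = replicate(local, root / "remote")
    remote_ok = verify_backup(remote)
    restore(remote, root / "restore")
    restored = (root / "restore" / "appdata" / "records.db").read_bytes()
    remote.write_bytes(b"corrupted")  # simulate a damaged off-site copy
    return {
        "archive": local.name,
        "local_ok": verify_backup(local),
        "remote_ok": remote_ok,
        "restored_matches": restored == b"constructed sample data",
        "remote_ok_after_tamper": verify_backup(remote),
    }


if __name__ == "__main__":
    print(run_demo())
```

The manifest travels with the archive so either copy can be checked on its own, and `verify_backup` is what a daily job should run on the remote copy: a backup that exists but cannot be verified or restored does not satisfy the requirement. The `restore` step is included because the operation and maintenance requirements below list data recovery alongside backup.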

Management requirements are the security management standards and measures an information system must meet in five areas: the security management system, the security management organisation, personnel security management, system construction management, and system operation and maintenance management. In detail:

Security management system: a security management system meeting the classified protection requirements should be formulated and implemented, including but not limited to information system security management regulations, information system security responsibility statements, information system security incident handling regulations, information system security audit regulations and information system security inspection regulations.

Security management organisation: a security management organisation meeting the classified protection requirements should be established and maintained, including but not limited to an information system security committee, an information system security office and information system security administrators.

Personnel security management: conduct background checks and training assessments for personnel involved in operating and maintaining the information system, sign confidentiality agreements, apply the principles of tiered authorisation and least privilege, conduct regular business and skills training, and establish a personnel departure and handover procedure.

System construction management: analyse, design, develop, test, accept and put the information system into production according to the quality assurance requirements, ensuring that the system meets the corresponding technical standards and specifications at every stage.

System operation and maintenance management: carry out the daily operation and maintenance of the information system according to the quality assurance requirements, including but not limited to regular vulnerability scanning and remediation, malicious code protection and removal, data backup and recovery, log auditing and analysis, and security incident handling and reporting.

The scope of Level 3 classified protection

Level 3 classified protection covers national critical information infrastructure, the financial industry, the electric power industry, the transportation industry, the medical and health industry and many other fields. In detail:

National critical information infrastructure: the network facilities and information systems that support national political, economic and social activities and whose damage or loss of function would seriously endanger national security, the national economy and people's livelihood, or the public interest; for example telecommunications network infrastructure, radio and television network infrastructure and Internet infrastructure.

Financial industry: the financial institutions and related units engaged in currency issuance and circulation management, financial supervision and services, and financial market trading and settlement; for example banking financial institutions (including policy banks), securities and futures financial institutions (including securities companies, futures companies, stock exchanges, futures exchanges, etc.), insurance financial institutions (including insurance companies, insurance asset management companies, insurance intermediaries, etc.), non-bank payment institutions, internet finance institutions, etc.

Electric power industry: the power enterprises and related units engaged in power generation, transmission and distribution, power dispatching, power market trading and similar activities; for example generation enterprises, transmission and distribution enterprises, dispatch control centres and market operation centres.

Transportation industry: the transport enterprises and related units providing road, rail, waterway and air transport services; for example road transport enterprises, rail transport enterprises, water transport enterprises, air transport enterprises, port management units and airport management units.

Medical and health industry: the medical and health institutions and related units engaged in medical services, public health services and medical supervision; for example hospitals, health centres, centres for disease control and prevention, and food and drug administrations.

If you need a classified protection assessment service, you can send us a private message through the back end. Lulu Information Technology combines the technical strengths of its cloud security products with high-quality security consulting and assessment partner resources to provide a one-stop classified protection service covering the grading, filing, construction and rectification, and assessment stages, helping clients pass the assessment efficiently and implement cybersecurity classified protection.