Article 21 of the Cybersecurity Law of the People's Republic of China stipulates that "the State shall implement a classified network security protection system" and requires that "network operators shall perform security protection obligations in accordance with the requirements of the classified network security protection system". Article 31 stipulates that "for national critical information infrastructure, key protection shall be implemented on the basis of the graded network security protection system".
With the continuous emergence of new technologies such as cloud computing, mobile Internet, big data, the Internet of Things, and artificial intelligence, the concept of a "computer information system" can no longer cover every protected object; in particular, the rapid development of the Internet has created the value of big data, and the scope of classified protection objects will continue to expand.
Cyber Security Graded Protection 2.0 builds the core technical system of graded protection on trusted computing technology, reinforcing the central idea of a trusted system.
General requirements include general security requirements, cloud computing security extension requirements, mobile Internet security extension requirements, Internet of Things security extension requirements, and industrial control system security extension requirements. The core of the Cyber Security Graded Protection 2.0 general requirements is optimization.
New key contents: network attack protection from the inside out, with emphasis on operation and maintenance auditing, a security management center, independent security zones, email security protection, operating status monitoring, security audit time requirements, centralized log auditing, trusted computing requirements, security event identification and analysis, and personal information protection.
Graded Protection 2.0 is split into 1 general requirement and 4 extended requirements. The security protection requirements common to all systems are listed as general security requirements, and security extension requirements are put forward for the different fields of cloud computing, big data, industrial control systems, and mobile Internet technology. DJCP 2.0 still retains the two dimensions of technology and management. The second-level requirements have been reduced from 175 to 135, and the ** requirements have been reduced from 290 to 211. In terms of management, the structure has not changed much: the five areas of security management system, security management organization, personnel security management, system construction management, and system operation and maintenance management have been adjusted to security management system, security management organization, security management personnel, security construction management, and security operation and maintenance management.
1) Cloud computing platform security extension requirements.
The responsible party is divided in two (platform operator and tenant), so the number of assessment objects needs to be increased.
The classified protection level of the platform and of the hosted systems must be matched.
Cloud computing platforms need to be separately classified and recorded.
Cloud computing platforms need to pass the MLPS assessment.
The same cloud computing platform can carry different levels of information systems.
A cloud computing platform cannot carry information systems higher than the platform level.
2) Big data security extension requirements.
Big data that has a single, unified security responsibility unit should be graded as one overall object.
3) IoT security extension requirements.
An Internet of Things system should be graded as one overall object, mainly comprising the perception layer, the network transmission layer, and the processing and application layer.
4) Security extension requirements for mobile Internet.
Systems using mobile Internet technology should be graded as one overall object: elements such as mobile terminals, mobile applications, and wireless networks should not be graded separately, but together with the application environment and application objects that adopt mobile Internet technology.
5) Industrial control system expansion requirements.
An industrial control system is mainly composed of the production management layer, the field equipment layer, the field control layer, and the process monitoring layer. The principle for determining the grading object of the production management layer is the same as for other information systems. The field equipment layer, the field control layer, and the process monitoring layer should be graded as one overall object, and the elements of each layer should not be graded separately. A large-scale industrial control system can be divided into multiple grading objects according to factors such as system function, control object, and manufacturer.