In May 2019, the State Administration of market supervision and administration and the National Standardization Administration held a press conference and officially released the core standard of level protection 2.0 (basic requirements for network security level protection of information security technology, evaluation requirements for network security level protection of information security technology, and technical requirements for security design of network security level protection of information security technology), And the equal guarantee 2.0 will be implemented on December 1, 2019.

Protection class 2.0 core standard

Since then, network security level protection has officially entered the era of 2.0. What changes will the era of equal protection 2.0 bring? Today, let's take you to understand Waibao 2.0.

ISO 1.0 review

Before we start talking about warranty 2.0, let's review warranty 1.0. It has been more than 10 years since the release of Waibao 1.0. In these days, people pay more and more attention to network security.

In the early stage of 1.0, as long as the enterprise has safety awareness and can start to do waiting insurance, it will be very good to start evaluation; In the medium term, overall protection, penetration test and compliance are not equal to safety. Industry level protection has been carried out in an all-round way, and waiting protection has gradually taken root in the hearts of the people; In the later stage of 1.0, both the enterprise level and the national level pay more attention to substantive security. Active defense, situational awareness, offensive and defensive confrontation and other security means began to become popular, and cloud security, big data, industrial control security and mobile security began to occupy the main trend.

Equal assurance 1.0 popularizes the concept of equal assurance, strengthens the security awareness, from a single system to a department, to an industry, and then to the national level. From compliance to attack and defense confrontation, it improves the overall network security guarantee ability and technology, and continuously accumulates talents, which provide strong support for equal assurance 2.0.

What will remain unchanged in ISO 2.0?

1. The five levels remain unchanged

From the first level to the fifth level are: user independent protection level, system audit protection level, security mark protection level, structured protection level and access verification protection level.

Five levels of protection

2. The specified action remains unchanged

The specified actions are: grading, filing, construction rectification, grade evaluation, supervision and inspection.

Specified action of level protection

3. The main responsibilities remain unchanged

The main responsibilities of level protection are: the filing, acceptance, supervision and inspection responsibilities of network security for rated objects, the safety evaluation responsibilities of third-party evaluation institutions for rated objects, the safety management responsibilities of superior competent units for subordinate units, and the level protection responsibilities of operation and use units for rated objects.

What changes have been made to ISO 2.0?

1. Changes in system framework and guarantee ideas

The equal protection 1.0 system mainly embodies passive defense, focusing on one central triple protection (firewall, intrusion detection and anti-virus). While isobao 2.0 emphasizes all aspects of active defense, and emphasizes the transformation to the active support system of perceptual early warning, dynamic protection, safety detection and emergency response.

2. Changes of equal assurance objects

In the level protection 1.0 system, the protection objects mainly include all kinds of important information systems and government websites. The protection methods mainly include grading and filing, level evaluation, construction rectification, supervision and inspection, etc.

On this basis, isoprotection 2.0 expands the scope of protected objects, enriches protection methods and adds technical standards. Equal protection 2.0 include network infrastructure, important information systems, large Internet sites, big data centers, cloud computing platforms, Internet of things systems, industrial control systems, public service platforms, etc. into the level of protection objects, and include risk assessment, safety monitoring, notification and early warning, case and event investigation, data protection, disaster backup, emergency disposal, self-control, supply chain security Effect evaluation, comprehensive treatment assessment, safety officer training and other work measures are all incorporated into the hierarchical protection system.

Network security strategic planning objectives

3. Changes in evaluation requirements

Isobao 2.0 gives guidance on the "grading of key information infrastructure shall not be lower than level 3 in principle", the evaluation score shall be increased from 60 points to more than 75 points, and the evaluation of level 3 and above information systems shall be conducted once a year or every half a year.

4. Combination change of equal guarantee requirements

There is a change in the combination of equal assurance requirements in equal assurance 2.0, which is divided into one general requirement and five security extension requirements. Put forward general safety requirements for common safety protection requirements; According to the individual security protection requirements of new technologies and new application fields such as mobile Internet, cloud computing, Internet of things and industrial control, this paper puts forward security expansion requirements, so as to form a new basic requirement standard for network security level protection.

5. Changes in control points and requirements

Compared with isoprotection 1.0, isoprotection 2.0 is basically the same in terms of control points, and redundant items are deleted. However, some important requirements have been added to the general requirements of ISO 2.0. For example, it emphasizes the requirements of intrusion prevention, security audit, malicious code prevention, centralized control and so on.

Hot news