-
Classified protection is called the network security classified protection system standard (hereinafter referred to as the classified protection standard), which came into effect on December 1, 2019. The classified network security protection system is the basic national policy, basic system and basic method in the field of national network security. With the development of information technology and the changes in the cybersecurity situation, and on the basis of classified protection standards, it focuses on all-round active defense, dynamic defense, overall prevention and control and precise protection. It has achieved full coverage of cloud computing, big data, Internet of Things, mobile Internet and industrial control information systems, and full coverage of areas except for personal and family self-built networks. The issuance of classified protection standards is of great significance to strengthening China's network security work and improving the ability of network security protection.
Which industries need to carry out classified protection? **Units, financial industry, medical industry, education industry, public safety industry, energy industry, enterprise units, and other industries and units with information system grading needs are all within the scope of classified protection.
Why do enterprises need to do MLP? National laws and regulations and industry regulatory policies all require graded protection. For example, Article 17 of the Cybersecurity Law of the People's Republic of China promulgated on June 1, 2017 requires that the state implement a graded cybersecurity protection system; Article 21 requires that network operators shall formulate emergency response plans for network security incidents; Article 31 requires that critical information infrastructure be protected on the basis of the graded network security protection system.
The GBT22239-2019 Basic Requirements for Classified Cybersecurity Protection of Information Security Technology promulgated on December 1, 2019 clearly stipulates that the operation and use of information systems shall perform security protection obligations in accordance with the requirements of the classified cybersecurity protection system, and will be punished accordingly if they refuse to perform.
-
What is DJP?
DJCP is an upgrade of DJCP, that is, network security classified protection. At present, China's information systems (including networks) are divided into five levels of security protection according to the degree of infringement of the object of infringement according to the business information and system services of the information system.
When did DJCP come into effect?
On May 13, 2019, the State Administration for Market Regulation held a press conference. The version of the Basic Requirements for Classified Cybersecurity Protection of Information Security Technology was officially released, and the classified protection was officially implemented on December 1, 2019. The implementation of classified protection is a major event in the process of implementing the classified network security protection system in China, and it is of milestone significance.
A brief introduction to the four characteristics of classified protection.
01. The new standard for graded protection changes the scope of objects from the original information system to the object of graded protection (information system, communication network facilities and data resources, etc.). The objects of classified protection include network infrastructure (radio and television networks, telecommunication networks, private communication networks, etc.), cloud computing platform systems, big data platform systems, Internet of Things, industrial control systems, systems using mobile Internet technology, etc.
02. The new standard of graded protection has been optimized on the basis of the standard, and at the same time puts forward new requirements for new technologies and new application fields such as cloud computing, mobile Internet, Internet of Things, industrial control systems and big data, forming the standard requirements composed of general security requirements + new application security extension requirements.
03. The new standard for classified protection unifies the architecture of the three standards of "GB T 22239-2019", "GB T 25070-2019" and "GB T28448-2019", adopts the protection concept and classification structure of "one center, three protections", and strengthens the idea of establishing a defense-in-depth and fine defense system.
04. The new standard of classified protection strengthens the use of cryptography technology and trusted computing technology, including trusted verification at all levels, and puts forward the main trusted verification requirements of each link step by step, emphasizing the use of cryptography, trusted verification, security audit, situational awareness and so on.
-
The cybersecurity MLP standard officially started on December 1, 2019.
-
Reduce information security risks, improve the security protection capabilities of information systems, and enhance the attention of unit leaders to information security through classified protection.
-
The basic requirements of classified protection have the following three characteristics:
1. Graded protection: the basic requirements, evaluation requirements and safety design technical requirements framework are unified, that is, the triple protection structure framework supported by the security management center;
2. General security requirements + new application security extension requirements, including cloud computing, mobile Internet, Internet of Things, industrial control systems, etc.
3. Include trusted verification in the main functional requirements of each level and link.
The type of rating object.
In the era of classified protection, the objects of protection have expanded from traditional networks and information systems to "cloud migration and material engineering": basic networks, important information systems, the Internet, big data centers, cloud computing, Internet of Things systems, mobile Internet, industrial control systems and public service platforms are included in the scope of classified protection.
Typical changes in classified protection.
1.Trusted computing.
The basic idea of trusted computing is to first build a root of trust in the computer system, and the trustworthiness of the root of trust is ensured by physical security, technical security, and management security. Then establish a chain of trust, starting from the root of trust to the software and hardware platform, to the operating system, and then to the application, a level of measurement and authentication, a level of trust, and extend this trust to the entire computer system, so as to ensure the trustworthiness of the entire computer system. At present, domestic trusted computing has entered the era.
2.Safety monitoring capabilities.
With information security events as the core, through the real-time collection of network and security device logs, system operation data and other information, and through correlation analysis and other ways, realize the risk identification of monitoring objects, real-time alerting, and visualization of threat discovery and security events. It includes dimensions such as system, device, traffic, link, threat, attack, and audit.
3.Notification and early warning capabilities.
The Cybersecurity Law and the Regulations on the Security Protection of Critical Information Infrastructure both require the establishment of a network security monitoring, early warning and information notification system, in order to grasp in a timely manner the operation status and security risks of key information infrastructure facilities in the industry and field.
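The chain of trust described under "Trusted computing" above, as an added example that is not part of the original answer: each level is measured before trust is extended to it, and the cumulative measurement is compared with a reference value recorded from the known-good system. The stage names, the sample images and the TPM-style extend rule (SHA-256 of the previous value plus the image hash) are assumptions chosen for illustration.

```python
import hashlib

def extend(register: bytes, image: bytes) -> bytes:
    """TPM-style extend: new = SHA-256(old || SHA-256(image))."""
    return hashlib.sha256(register + hashlib.sha256(image).digest()).digest()

def measure_chain(stages):
    """Return [(name, cumulative measurement)] for stages in boot order."""
    register = bytes(32)  # the root of trust starts from a known zero value
    log = []
    for name, image in stages:
        register = extend(register, image)
        log.append((name, register))
    return log

def verify_boot(stages, reference):
    """Measure each stage before control passes to it; stop at the first mismatch.

    Returns (names of the stages that were trusted, failing stage name or None).
    """
    trusted = []
    register = bytes(32)
    for (name, image), (_, expected) in zip(stages, reference):
        register = extend(register, image)
        if register != expected:
            return trusted, name  # trust is not extended past this level
        trusted.append(name)
    if len(stages) > len(reference):
        # A stage with no reference measurement cannot be trusted.
        return trusted, stages[len(reference)][0]
    return trusted, None

# Constructed sample images (placeholders, not real firmware or binaries).
GOOD = [
    ("platform_firmware", b"firmware v1"),
    ("operating_system", b"kernel v1"),
    ("application", b"app v1"),
]
# Reference measurements recorded once from the known-good system.
REFERENCE = measure_chain(GOOD)

# Same system with only the operating system image modified.
TAMPERED = [GOOD[0], ("operating_system", b"kernel v1 (modified)"), GOOD[2]]

if __name__ == "__main__":
    print(verify_boot(GOOD, REFERENCE))      # every level trusted
    print(verify_boot(TAMPERED, REFERENCE))  # stops at operating_system
```

Because each measurement folds in the previous one, the unchanged application in the tampered system also produces a different cumulative value, so a modified lower level cannot be hidden by the levels above it.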
-
Technical requirements for classified protection assessment.
1. Technical requirements:
1.**Traders should grasp and understand the specific requirements of the state for this type of project, and have a deep understanding of the relevant policies and standards of graded protection.
2.**The assessment team of the business group must be equipped with at least 4 evaluators, and the evaluation team leader should be a senior evaluator. The assessment team consists of at least 1 senior evaluator and 1 intermediate evaluator.
3.**The contractor should have a complete work process, carry out the assessment work in a planned and step-by-step manner, and ensure that every aspect of the assessment activity is effectively controlled.
4.**The business should have a complete emergency process and rapid emergency response services to ensure that the normal operation of the information system of the Hunger Center will not be affected during the whole project process.
5.**The business should have a complete assessment plan, including physical security, host security, network security, application security, data backup and recovery, management security, etc.
6.**Merchants must submit the graded protection evaluation report in the format and standard prescribed by the state in the classified protection project, and use this as the acceptance standard.
7.**The business should have good quality control capabilities and quality management system, with GB T19001 series of ISO9001 series management system certification, the scope of which includes information security technical consulting services and classified protection evaluation services.
-
1. Graded protection: the basic requirements, evaluation requirements and safety design technical requirements are unified, namely the triple protection structure frame supported by the safety management center;
2. General security requirements + new application security extension requirements: cloud computing, mobile Internet, Internet of Things, industrial control systems, etc. are included in the standard specifications;
3. Include trusted verification in the main functional requirements of each level and link.
Legal basis: Social Insurance Law of the People's Republic of China.
Article 12 An employer shall pay the basic endowment insurance premiums in accordance with the proportion of the total wages of its employees stipulated by the state, and it shall be credited to the basic endowment insurance plan.
Employees shall pay basic pension insurance premiums in accordance with the proportion of their wages stipulated by the state, which shall be credited to their personal accounts.
Sole proprietorships without employees, part-time employees who do not participate in basic pension insurance at the employer, and other people in flexible employment who participate in the basic endowment insurance shall pay the basic endowment insurance premiums in accordance with the provisions of the state, which shall be credited to the basic endowment insurance co-ordination and personal accounts respectively.
Article 23 Workers and workers shall participate in the basic medical insurance for employees, and the employer and the workers shall jointly pay the basic medical insurance premiums in accordance with the provisions of the state.
Individually-owned businesses without employees, part-time employees who have not participated in the basic medical insurance for employees in the employer, and other flexibly employed persons may participate in the basic medical insurance for employees, and the individual shall pay the basic medical insurance premiums in accordance with the provisions of the state.
Article 35 An employer shall pay work-related injury insurance premiums according to the total wages of its employees and employees at the rate determined by the social insurance agency.
Article 44 Workers and workers shall participate in unemployment insurance.
Employers and employees shall jointly pay unemployment insurance premiums in accordance with state regulations.
Article 53 Employees shall participate in maternity insurance, and the employer shall pay maternity insurance premiums in accordance with state regulations, and employees shall not pay maternity insurance premiums.
-
The objects of classified protection include networks, information systems, cloud platforms, Internet of Things, industrial control systems, big data, mobile Internet and other technical applications.
Classified protection is richer than the standard. Guo Qiquan, chief engineer of the Ministry of Public Security's Network Security Bureau, said that the national network security level protection system in the new era has distinctive characteristics: covering all regions, units, departments, enterprises, and institutions, that is, covering the whole society; and covering all protected objects, such as networks, information systems, cloud platforms, Internet of Things, industrial control systems, big data, mobile Internet and other technical applications, which without exception implement the graded protection system. These two full coverages are its core and the top priority.
-
The hierarchical protection system is referred to as classified protection.
The hierarchical protection system is the basic system of China's network security. Hierarchical protection refers to the hierarchical implementation of security protection for important national information, proprietary information of legal persons and other organizations and citizens, as well as information systems that disclose information and store, transmit and process such information, implement hierarchical management of information security products used in information systems, and respond to and dispose of information security incidents in information systems at different levels.
Classified protection or "classified protection" is a conventional term that refers to the work carried out in accordance with the new classified protection standards and specifications. It is generally considered to be proposed after the promulgation and implementation of the Cybersecurity Law of the People's Republic of China, and on December 1, 2019, the "GB T 22239-2019 Information Security Technology - Basic Requirements for Classified Cybersecurity Protection" was officially implemented as a symbolic symbol.
The above is the classified protection and classified protection, I hope it will be useful to you.
-
First: name change.
The Basic Requirements for Classified Security Protection of Information Systems was changed to: Basic Requirements for Classified Protection of Cybersecurity, which is consistent with the Cybersecurity Law.
Second: changes in rating objects.
The classification object of classified protection is information system, which is now more extensive, including: information system, basic information network, cloud computing platform, big data platform, Internet of Things system, industrial control system, network using mobile Internet technology, etc.
Third: changes in safety requirements.
Classified protection has evolved from a separate basic requirement to general security requirements + new technology security extension requirements, in which the general security requirements are the requirements that must be met regardless of the form of the classified protection object, and special requirements are put forward for cloud computing, mobile Internet, Internet of Things and industrial control systems, which are called security extension requirements.
Cloud computing security extension requirements include aspects such as infrastructure location, virtualization security, image and snapshot protection, cloud service provider selection, and cloud computing environment management.
The requirements for mobile Internet security expansion include the geographical location of wireless access points, mobile terminal control, mobile application control, mobile application software procurement, and mobile application software development.
The security expansion requirements of the IoT include the physical protection of the sensing node, the security of the sensing node device, the device security of the sensing gateway node, the management of the sensing node and the data fusion processing.
The extended security requirements of industrial control systems include outdoor control equipment protection, industrial control system network architecture security, dial-up usage control, wireless usage control, and control equipment security.
Fourth: changes in the classification structure of control measures.
DJCP still retains two dimensions: technology and management.
Technology: From physical security, network security, host security, application security, and data security, to a secure physical environment, a secure communication network, a secure area boundary, a secure computing environment, and a security management center.
Management: There is no big change in the structure, from the safety management system, safety management organization, personnel safety management, system construction management, system operation and maintenance management, adjusted to safety management system, safety management organization, safety management personnel, safety construction management, safety operation and maintenance management.
Fifth: changes in work content.
The classified protection not only further clarifies the prescribed actions of the era such as grading, filing, security construction, grade evaluation, supervision and inspection, etc., but also includes all measures such as security inspection, notification and early warning, and case investigation into the classified protection system and implements them.