Graded Protection 1.0
In the early days of 1.0, it was already considered good if a company had security awareness, began the graded protection process and started evaluations. In the mid-term, overall protection and penetration testing were carried out, "compliance equals security" became the prevailing view, graded protection was rolled out fully at the industry level, and it gradually gained acceptance. In the later period of 1.0, both enterprises and the state paid more attention to substantive security: active defense, situational awareness, offensive and defensive confrontation and other security methods became popular, and cloud security, big data security, industrial control security and mobile security began to dominate the main trends.
Graded Protection 2.0
The full name of Graded Protection 2.0 (Dengbao 2.0) is the Network Security Graded Protection 2.0 System, which is the basic national policy and basic system in the field of network security in China. Building on the standard of the 1.0 era, the graded protection standard focuses on active defense: from passive defense to security before, during and after an event, trustworthiness, dynamic perception and comprehensive auditing. It fully covers cloud computing, big data, Internet of Things, mobile Internet and industrial control systems as protection objects.
In addition to the general requirements in the new "Graded Protection 2.0" standard, each level also adds five extension requirements: cloud computing security, mobile Internet security, IoT security, industrial control system security and big data security, in order to respond to the security needs of emerging technologies.
Compared with "Graded Protection 1.0", which uniformly defined the grading object as an information system, the "Guidelines for the Grading of Network Security Graded Protection" refine the specific scope of the grading object according to the extension requirements:
Cloud computing platforms: the grading objects are divided into service providers and tenants;
Internet of Things: the perception, network transmission and processing application elements are not graded separately but assessed as a whole;
Mobile Internet: mobile terminals, mobile applications, wireless networks and the related wired network business systems are also graded as a unit;
Big data: platforms and applications with the same security responsibility entity are graded as a whole; otherwise they are graded separately.
When carrying out the grading work, the network operator should first determine the basic characteristics it satisfies as a grading object. If it provides services in specific fields such as basic information networks, industrial control systems, cloud computing, Internet of Things or big data, it should also meet the corresponding extension requirements.
What changed in Graded Protection 2.0 compared with Graded Protection 1.0?
First, the name changed. Graded Protection 2.0 renamed the original standard "Information Security Technology Information System Security Level Protection Basic Requirements" to "Information Security Technology Network Security Level Protection Basic Requirements", consistent with the Cyber Security Law.
Second, the grading object changed. The grading object of Graded Protection 1.0 was the information system. In 2.0 it is broader and includes information systems, basic information networks, cloud computing platforms, big data platforms, Internet of Things systems, industrial control systems, networks using mobile Internet technology, and so on.
Third, the security requirements changed. The content of the basic requirements changed from a single set of security requirements to security general requirements plus security extension requirements (covering cloud computing, mobile Internet, Internet of Things and industrial control).
Fourth, the classification structure of control measures changed. Graded Protection 2.0 still retains the two dimensions of technology and management.
On the technical side: from physical security, network security, host security, application security and data security to secure physical environment, secure communication network, secure area boundary, secure computing environment and security management center;
On the management side: the structure changes little, from security management system, security management organization, personnel security management, system construction management and system operation and maintenance management to security management system, security management organization, security management personnel, security construction management and security operation and maintenance management.
Fifth, the content changed. The five prescribed actions of Graded Protection 1.0 (grading, filing, construction and rectification, level evaluation, and supervision and inspection) became the five prescribed actions plus new security requirements (risk assessment, security monitoring, notification and early warning, situational awareness, etc.).
Graded Protection 2.0 fully embodies the idea of "one center, triple protection". The center is the "security management center", and the triple protection is the "secure computing environment, secure area boundary and secure communication network". At the same time, Graded Protection 2.0 strengthens the requirements for the use of trusted computing security technology, moving from passive defense to active defense.