
What are the requirements for classified information security protection of financial industry information systems? A full explanation of Financial Classified Protection 2.0

Published on: January 8, 2022 15:48:54

What are the requirements for classified information security protection of financial industry information systems? This article explains Financial Classified Protection 2.0 in detail. The classified protection system for information security is a basic system by which the state improves its information security assurance capability, safeguards national security, social stability and the public interest, and ensures and promotes the healthy development of informatization as the national economy and society become more information-driven. Today, Micronet, which specializes in network information security classified protection evaluation, walks you through these requirements in the hope that they will be helpful to you.



In accordance with relevant national requirements, the People's Bank of China has formulated the classified protection standards for the financial industry with two aims. The first is to implement the national requirements for classified protection of information security.


The document Opinions of the National Informatization Leading Group on Strengthening Information Security Assurance requires that "the competent department of each industry should urge, inspect and guide the industry and its departments to carry out classified protection work". The document Guiding Opinions on the Rectification of Security Construction of Classified Protection of Information Security requires that "competent departments for information systems in key industries may formulate industry standards and specifications to guide the security construction and rectification of information systems in their own industries". Developing a series of standards for classified protection of information security in the financial industry is therefore an important measure for implementing these national information security requirements.


The second is to meet the financial industry's own need for stronger information security management and technical protection. Important financial industry information systems bear on the national economy and people's livelihood and are key protection objects of national information security. Because most financial industry information systems feature centralized data, complex network structures and a large volume of capital transactions, the financial industry needs a classified protection standard system suited to these characteristics as the support and basis for the construction, evaluation and rectification of classified information security protection of its information systems, and to standardize and guide the development of classified protection across the industry.


To this end, the People's Bank of China organized experts and technical staff in the field of classified information security protection to prepare, in accordance with the relevant national systems and standards on classified protection, a series of practical and feasible classified information security protection standards for financial industry information systems (hereinafter referred to as the financial industry classified protection standards) that fit the characteristics of the financial industry. The financial industry classified protection standards include JR/T 0071-2012 Guidelines for the Implementation of Classified Protection of Information Security of Financial Industry Information System (hereinafter referred to as the Implementation Guidelines), JR/T 0072-2012 Guidelines for the Evaluation of Classified Protection of Information Security of Financial Industry Information System (hereinafter referred to as the Evaluation Guidelines) and JR/T 0073-2012 Security Guidelines for Classified Protection Evaluation Service of Information Security in Financial Industry (hereinafter referred to as the Security Guidelines).


1. Overview of the standards

The preparation of the financial industry classified protection standards follows three principles:

(1) Consistency with national standards. The financial industry classified protection standards are prepared in strict accordance with the Basic Requirements for Classified Protection of Information System Security (hereinafter referred to as the Basic Requirements), the Technical Requirements for Security Design of Classified Protection of Information System and other relevant standards, to ensure that the standards are standardized, easy to use and readable while remaining highly consistent with national standards.


(2) Inheritance and development. The financial industry classified protection standards draw on the People's Bank of China's classified protection specifications and the standards of the other "one bank, three commissions" regulators, 26 standards in total, and, in combination with the actual situation of the industry and the contents of the Basic Requirements, refine, supplement and adjust the system architecture, security evaluation requirements, inspection forms and other contents. First, they supplement architecture design, defense in depth, information system life cycle management and other contents. Second, combining the actual security needs of the financial industry with information security protection experience, they refine and supplement the financial industry's security protection categories. Third, they supplement the financial industry's best practices from implementing classified protection requirements in recent years, together with directly usable inspection forms for classified protection evaluation.


(3) Comprehensiveness and practicality. The financial industry classified protection standards summarize many years of security requirements and business characteristics of application systems in the financial industry, draw on relevant international and domestic information security standards and industry standards, and put forward security requirements and countermeasures for the construction, deployment, management and other aspects of information systems; they are normative documents with practical guiding significance that can be put into operation.


The Implementation Guidelines are mainly used to guide system owners in construction and rectification; the Evaluation Guidelines are mainly used to guide system owners in self-evaluation of classified protection, or evaluation institutions in external evaluation of information systems; and the Security Guidelines are used by system owners to confirm the service capability of institutions that carry out classified protection evaluation in the financial industry. The main contents and characteristics of the three standards are summarized as follows.


(1) In combination with the characteristics of the financial industry and the needs of information system security construction, the Implementation Guidelines adopt a zoned (security domain) design for the financial industry's information security architecture and set out specific requirements for information systems at different levels from two aspects: security technology and security management. Security technology requirements cover physical security, network security, host security, application security, data security, and backup and recovery; security management requirements cover the security management system, security management organization, personnel security management, system construction management, and system operation and maintenance management.


The Implementation Guidelines supplement and refine the implementation of the national classified protection standards and put forward requirements for establishing an information security architecture and systematic protection. Based on the characteristics of the financial industry, they refine and supplement the level II, level III and level IV requirements of the national Basic Requirements, and add an enhanced security protection category for the financial industry (category F), which is distributed across the category S, A and G requirements as the financial industry's enhanced security requirements.


For the technical system within the information security architecture, the Implementation Guidelines combine the technical requirements for security design under classified protection, the international Information Assurance Technical Framework (IATF) and the characteristics of the financial industry itself to design a technical system that fits the security architecture of financial industry information systems. For the management system, they combine the process-improvement management life cycle of the international standard ISO/IEC 27001 to create a set of management systems that meets the information security management needs of the financial industry.


(2) The Evaluation Guidelines put forward specific, operable evaluation methods for the evaluation requirements in the Implementation Guidelines. They cover two aspects. The first is security control evaluation, which mainly evaluates the implementation and configuration in the information system of the basic security control points required by classified protection of information security. The second is overall system evaluation, which mainly evaluates and analyzes the overall security of the information system. Security control evaluation is the basis of the overall security evaluation of the information system.


(3) The Security Guidelines summarize many years of security requirements and business characteristics of application systems in the financial industry, draw on relevant international and domestic information security standards and industry standards, and clarify the basic security requirements for classified protection evaluation service organizations, covering personnel security, process security, evaluation object security, tool security and so on.


2. Application and promotion of the standards

The financial industry classified protection standards were officially released on July 10, 2012. To better promote and guide banking financial institutions in using the financial industry classified protection standards and implementing the requirements of the national classified protection policy, on July 19, 2012 the People's Bank of China issued the Notice of the People's Bank of China on Further Promoting the Classified Protection of Banking Information Security, requiring all banking financial institutions to carry out classified protection grading and filing as soon as possible, and to carry out classified protection evaluation and rectification in accordance with the financial industry standards and relevant national standards. After nearly two years of promotion and application, the financial industry classified protection standards have achieved good results.


(1) The financial industry classified protection standards have effectively raised the level of information system defense. According to the annual summary reports of banking financial institutions for 2012 and 2013, most banking financial institutions have formulated or improved their own information security inspection systems and related operating rules with reference to the financial industry classified protection standards. Following the security-domain-based systematic protection, the security domain risk identification and analysis mechanism, and the PDCA-driven dynamically improved and updated management mechanism in those standards, they strengthened the security protection of networks, hosts, applications and data and improved their management systems. This raised the security defense level of the entire operation and production environment as a whole, rather than reinforcing and rectifying a single graded system, which effectively reduced the related risks faced by the whole system and improved the continuous and stable operation of information systems.

  

(2) According to relevant statistics, by the end of 2013 the average classified protection compliance rate of banking information systems had reached more than 90%, and the average classified protection compliance rate of securities and insurance information systems had also reached more than 80%. The classified protection compliance rate of financial industry information systems is higher than the average classified protection compliance rate across all industries in China.


The above data shows that the financial industry classified protection standards play an important role in raising the information security protection level of important networks and information systems in the financial industry. In recent years, with the comprehensive development of financial industry business, hostile forces and criminals have become increasingly rampant in attacks, sabotage and terrorist activities, and the information security work of the financial industry faces a more serious situation than ever before. How to combine the national classified protection requirements with the specific work of the industry and each institution, how to implement those requirements throughout the planning, construction, testing, production, and operation and maintenance of information systems, how to gradually form a long-term and normalized information security working mechanism, and how to establish a cross-sectoral financial industry classified protection coordination and information security protection mechanism all still need to be explored and tried. The People's Bank of China will continue to implement the requirements of the national classified protection system, actively supervise and guide the banking industry's grading, filing, evaluation and rectification work, continuously improve the banking industry's information security assurance capability, fully discharge the People's Bank's responsibility for guiding and coordinating information security in the financial industry, and meet future challenges with advanced, efficient, secure and stable informatization work.


The above is Micronet's introduction to the requirements for classified information security protection of financial industry information systems; we hope it is helpful to you. Micronet focuses on network security classified protection evaluation services and has already provided level II and level III classified protection evaluation services to many enterprises. It is a professional network security classified protection evaluation service provider in Jiangsu Province, offering level II and level III classified protection evaluation services together with professional security equipment, so that you receive one-stop, convenient service and your classified protection evaluation proceeds without obstacles. If needed, you can click online customer service to contact Micronet, and Micronet will serve you wholeheartedly.


Level III classified protection evaluation: hopechilam.com


