From the 27th, attention must be paid to information security emergency response work. Article 25 of the “Cyber Security Law” clearly states that “Network operators shall formulate emergency plans for network security incidents, and promptly deal with system vulnerabilities, computer viruses, network attacks, network intrusions and other security risks; in the event of an incident endangering network security, an emergency plan shall be activated immediately, corresponding remedial measures taken, and reports made to the relevant competent authorities in accordance with regulations.”
Network operators are required to take measures to prevent network intrusion attacks, computer virus outbreaks, hidden dangers of system vulnerabilities and other network security incidents; to formulate emergency plans for the various kinds of network security incidents, establish emergency response mechanisms, and organize emergency response teams. When a network security incident occurs, the plan must be started in time and emergency response carried out decisively to minimize the harm; the scene and evidence must be protected, and the incident reported to the public security organ, the industry competent department and other relevant departments.
When a major cybersecurity incident occurs, the relevant departments shall carry out emergency response in accordance with the requirements of the national cybersecurity incident emergency plan. Critical information infrastructure protection units also need to formulate contingency plans for cyber security incidents and conduct regular drills.
These are the responsibilities and obligations of network operators clearly defined in the Cybersecurity Law. However, emergency response work is not done in isolation: internal departments need to work together, and cooperation with external departments needs to be strengthened, in order to respond more efficiently.
Public security organs shall handle network security incidents in accordance with relevant regulations, conduct incident investigations, determine responsibility for incidents, and investigate and deal with illegal and criminal activities that endanger network security.
Telecommunications business operators and Internet service providers shall provide support and assistance for the handling and recovery of major cybersecurity incidents.
Emergency response and support can be divided into four stages: emergency preparedness, emergency monitoring and response, post-assessment and improvement, and emergency support.
Phase 1: Emergency Preparedness
For emergency preparedness, the inputs are the organizational structure and division of responsibilities of the operation and user units, the list of the various kinds of security events, etc. On this basis a sound emergency organization system is established to ensure that emergency rescue work responds quickly and is coordinated and orderly. By analyzing the level of security incidents, formulating contingency plans for different security incidents under a unified contingency plan framework, and organizing emergency drills for the graded-protection objects, the network security emergency response capability can be tested effectively, solutions for eliminating or reducing the identified hidden dangers and problems can be provided, and valuable reference information is obtained for testing the integrity of the emergency plan system, the operability of each emergency plan, the execution and coordination capabilities of agencies and emergency personnel, and the preparation of emergency support resources, thus helping to improve the overall emergency response capability. The final outputs are the emergency organization chart, the division of responsibilities of the emergency organization, the internal and external contact forms of the emergency organization, the security incident reporting procedure, the various special emergency plans, the emergency drill script, the emergency drill summary, etc.
Attention should be paid to the establishment of an emergency response organization: an emergency response organization should be established according to the needs of emergency rescue. Emergency organizations are generally divided into five core emergency function agencies, namely command, operations, planning, logistics and finance.
Attention should be paid to clarifying the responsibilities of emergency work: clarify the departments or personnel that make up the leading agencies, offices, special emergency command agencies, grass-roots emergency agencies and emergency expert groups, together with their responsibilities and authorities for emergency management.
When classifying and grading security incidents, it should be noted that this work refers to the National Emergency Response Plan for Cybersecurity Incidents and GB/Z 20986-2007. Classify and grade the security incidents that may occur to the graded-protection objects, and formulate corresponding security incident reporting procedures for the different categories and levels.
When determining the objects of the emergency plan, attention should be paid to: for different categories and levels of security events, consider the possibility of their occurrence and their impact on the system and business, and determine the objects for which emergency plans need to be formulated.
When determining responsibilities and emergency coordination methods, attention should be paid to: under the framework of a unified emergency plan, the responsibilities of each department in the emergency plan should be clarified, as well as the cooperation and division of labor between departments.
When formulating emergency plan procedures and their execution conditions, attention should be paid to: develop corresponding emergency plan procedures for the different levels and categories of security incidents, determine the scope and extent of response and disposal for each level and category, and the applicable management system, stating the conditions for activating the emergency plan and the procedures and measures to be taken after a security incident occurs.
Attention should be paid to training and publicity: formulate a special training plan for the departments and personnel involved in the emergency plan; the training and publicity content includes emergency responsibilities, cooperation and division of labor, the conditions and procedures for starting the emergency plan, etc.
Attention should be paid to emergency drills: clarify the scale, method, scope, content, organization, assessment, summary, etc. of emergency plan drills, and conduct regular drills in accordance with the plan.
Note: In the group standard “Guidelines for High Risk Determination of Network Security Level Protection Evaluation” T/ISEAA 001-2020, if the emergency plan is neither trained nor drilled, this is determined as a “high risk” item for a system at level three or above. The specific requirement is to conduct emergency plan training for relevant personnel regularly (recommended at least once a year), conduct drills according to the different emergency plans, and keep records of the emergency plan training and drills.
Phase 2: Emergency Monitoring and Response
In the emergency monitoring and response stage, the inputs are network traffic, log information, performance information, the security incident reporting procedure, the various special emergency plans, the network security incident reporting form, etc., which are used to monitor the security status of the graded-protection objects and to determine, according to the activation conditions of the emergency plan, whether to activate the emergency procedures. Appropriate methods shall be taken to pre-treat the monitored security incidents, the impact degree and level of security incidents shall be analyzed, emergency plans of the corresponding level shall be activated, and emergency response and disposal work shall be carried out. The final outputs are the network security incident reporting form, the security status analysis report and the security incident handling report.
Attention should be paid to the collection of abnormal status information: collect the various kinds of status information from the monitored objects, which may include network traffic, log information, security alarms and performance status, or information about changes in security standards, laws and regulations from the external environment.
Attention should be paid to the analysis of abnormal state: analyze the security status information, discover dangers, hidden dangers or security events in time, record these security events, analyze their development trend and the impact of these changes on the security state, and determine by judging their impact whether a response is necessary.
Attention should be paid to the reporting and sharing of security incidents: based on the results of security status analysis and impact analysis, analyze possible security incidents, clarify the level, impact, and priority of security incidents, and form security status analysis reports and network security incident reporting forms. Report according to the security event level and security event reporting procedure, and share security events to specific objects according to regulations.
Attention should be paid to the handling of security incidents: For security incidents for which emergency plans should be activated, the security incidents should be handled in accordance with the emergency plan response mechanism. For the handling of unknown security incidents, a security incident handling plan should be formulated according to the level of the security incident, including security incident handling methods and measures to be taken, and security incidents should be handled according to the security incident handling process and plan.
Attention should be paid to the summary and reporting of security incidents: once the security incident is resolved, record the previously unknown security incident, analyze the recorded information and supplement the required information, turn the security incident into a known incident and document it; summarize the security incident handling process, produce a security incident handling report, and save it.
Stage 3: Post-assessment and improvement
In the post-assessment and improvement stage, the inputs are the security incident reporting procedure, the various special emergency plans and the security incident disposal reports. Investigation and analysis are conducted on the cause of the security incident and its disposal process, responsibilities are identified, and preventive measures for improvement are formulated according to the analysis results. The final outputs are the security incident summary report, the security incident improvement report and the revised emergency plan.
Attention should be paid to investigation and evaluation: investigate the emergency response process, and evaluate the compliance of the emergency process and the timeliness of disposal. Investigate the cause of the network security incident by reproducing the incident, trace security responsibilities, and produce a network security investigation and evaluation report.
Attention should be paid to improvement and prevention: based on the investigation and evaluation report of the network security incident, formulate improvement and preventive measures, revise the corresponding emergency plan, implement it according to the actual situation, and organize and carry out training related to the emergency plan.
Stage 4: Emergency Support
Emergency support takes as input the overall emergency plan and the various special emergency plans; on that basis the emergency support system is established and improved so that the emergency plans are supported in a scientific way, and the final output is the list of emergency support materials.
Analyze the various special emergency plans, and determine the communication, equipment, data, team, transportation, funding and security guarantees required for the implementation of the emergency plans.
The work in the emergency preparedness stage is completed jointly by the competent department and the operation and user units; the other three stages are completed by the operation and user units.
Article 59 of the “Cyber Security Law”: if a network operator fails to perform the network security protection obligations stipulated in Articles 21 and 25 of this Law, the relevant competent department shall order it to make corrections and issue a warning; those who refuse to make corrections, or cause consequences such as endangering network security, shall be fined not less than 10,000 yuan but not more than 100,000 yuan, and the person in charge who is directly responsible shall be fined not less than 5,000 yuan but not more than 50,000 yuan.
Article 25 of the “Cyber Security Law” stipulates that network operators shall formulate emergency plans for network security incidents and promptly deal with security risks such as system vulnerabilities, computer viruses, network attacks and network intrusions; when an incident endangering network security occurs, they shall activate the emergency plan, take corresponding remedial measures, and report to the relevant competent authorities in accordance with the requirements. Therefore, in the process of operation and maintenance, emergency support is also a key point.
Failure to do emergency protection work well can be punished in accordance with Article 59 of the Cybersecurity Law, just like failure to implement the network security graded protection system and the relevant technical and management measures. Of course, we also know that punishment is not the purpose; the purpose is to protect network security to the greatest extent, safeguard the public interest, protect national security, and give ordinary people a greater sense of security in the online world by improving network security emergency response capability.
As a network operator, it is necessary to treat and implement emergency response with the same level of importance as graded protection.
This article mainly covers the process context of emergency work and does not cover specific technical implementation, which must be formulated with reference to the “National Network Security Incident Emergency Response Plan”, the “Network Security Incident Emergency Drill Guide”, the “Information Security Emergency Response Plan Specification”, “Operation and Maintenance Part 3: Emergency Response Specifications” and other national policy documents and standards.