Six hours of expert content in five minutes: a comprehensive interpretation of Classified Protection 2.0 for enterprise compliance
Posted May 27, 2020 • 11 min read
New technologies and architectures such as 5G, AI, cloud computing and the Internet of Things have become the keywords of social development. Under the wave of "new infrastructure", the digital upgrading of industry has become a top priority. The scope of cybersecurity classified protection (等级保护, "MLPS") keeps expanding, and general security requirements are now set for every sector. On May 13, 2019, the Cybersecurity Classified Protection 2.0 standards (等保2.0, MLPS 2.0) were officially released, and they took effect on December 1 of the same year.
One year after its release, compliance with Classified Protection 2.0 has become a prerequisite for companies that want to operate lawfully. At the "Industrial Security Open Class: Classified Protection 2.0 Special Session", jointly held by Tencent Security and the security media outlet FreeBuf, security experts from Tencent Security, Sangfor, Shenzhen Internet Security and Dingxuan discussed cybersecurity policies and regulations and shared their interpretation of Classified Protection 2.0 and practical experience with it from different perspectives. In earlier articles Tencent Security covered the dimensions of security policy, hands-on experience, cryptography and data security. Today we extract and condense the essence of the six experts' sessions, to help enterprise customers understand Classified Protection 2.0 in one place.
_ Lesson 1: Learning from a benchmark: Tencent's own experience of passing classified protection, revealed for the first time _
The "one center, triple protection" concept adopted by Classified Protection 2.0 (one security management center, plus protection of the computing environment, the area boundary and the communication network) requires an enterprise security system to move from passive defence to a dynamic system of pre-event protection, in-event response and post-event audit. For companies that are undergoing, or are in the early stages of, digital transformation, this shift in defensive focus adds to the security challenge. How to pass classified protection quickly, smoothly and efficiently has become a focus of attention for enterprises large and small.
The experience of large companies with deep Internet technology expertise is particularly valuable here. How does a company like Tencent, with more than 60,000 employees and over 100 lines of business, pass classified protection? Huang Chao, deputy director of the Standards Management Center in Tencent's Security Management Department, told the story of Tencent and classified protection and shared first-hand practical experience.
Huang Chao said in the class that the importance a company's top management attaches to cybersecurity determines how well its cybersecurity work is executed and what security strategy it adopts. With the direct attention of Tencent's senior management and the support of a solid security team, Tencent's approach has been to consolidate company-wide strength to build a "Great Wall of security": a classified protection working group of more than 100 members was established to drive the work forward.
In addition to continuous internal policy advocacy and standards training, Tencent invites industry experts to train staff on the new technologies and new scenarios covered by classified protection, fills gaps for the company's self-developed business lines, and occasionally runs dedicated "bug bounty" security projects to speed up security work.
_ Lesson 2: Leveraging security capabilities: how Tencent Security helps companies onto the path of compliance _
Almost all enterprises have to pass security assessments such as classified protection, especially in key industries related to the national economy and people's livelihood, such as finance, healthcare and education, where the competent authorities have issued detailed guidance on carrying out classified protection work. In the second session of the Industrial Security Open Class on Classified Protection 2.0, Wang Yu, head of Tencent Security's classified protection compliance service, explained how Tencent helps enterprises pass classified protection, detailing how, across the whole life cycle of cybersecurity and classified protection construction, Tencent provides network operators with products, services, solutions and best practices for passing quickly.
Drawing on practice across many industries, Tencent Security has summarized cybersecurity compliance working methods for the 2.0 era. With "one center, triple protection" at the core, it targets cloud platform compliance, technical support and expert services to help enterprises improve their cybersecurity capabilities and to avoid or mitigate risk.
On the one hand, Tencent Cloud has passed Level 3 and Tencent Financial Cloud has passed Level 4 classified protection, so cloud tenants start from a compliant platform. On the other hand, Tencent Security combines its products and services in identity security, network security, endpoint security, application security, data security, business security, security management and security services to give enterprises a more systematic and standardized protection design, making the overall protection more coordinated and efficient and forming a closed loop through the collaboration of technology, process and people, so that compliance requirements can be met in different scenarios. In addition, for critical service stages, Tencent Security Expert Services help enterprises keep improving their security operations on top of a compliant baseline.
_ Lesson 3: Business security and classified-protection compliance: the "two wheels" driving commercial cryptography application _
As the core technology and basic support for building cyberspace security and trust mechanisms, cryptography is an important strategic resource for national security and an important entry point for the country to build a secure and controllable information technology system and leapfrog competitors. To address the outstanding problems in current cryptographic applications, the state has promulgated and implemented a series of laws and regulations, including the Cybersecurity Law, the Cryptography Law and the Cybersecurity Review Measures, all of which set requirements for cryptographic application security assessment (密评), in the hope of promoting the use and management of commercial cryptography through that assessment.
To this end, in the third session of the Industrial Security Open Class on Classified Protection 2.0, Zou Chao, deputy director of the Security Evaluation Department at Dingxuan, the country's first third-party commercial cryptography testing agency, interpreted the cryptographic requirements set by laws and regulations in his course "Analysis of Key Points in the Cryptographic Application Design, Transformation and Assessment of Information Systems". Related reading, for a five-minute overview of cryptographic assessment: ["Ten basic questions you must know about cryptographic assessment"](http://mp.weixin.qq.com/s?__biz=Mzg5OTE4NTczMQ==&mid=2247487121&idx=1&sn=8c0566272b546afa55dce4a747b61833&chksm=c05663bdf721eaab21cbb3f94240dabaa51beeff30d99b856f3d010f941#d4)
Zou Chao said that operators should make full use of commercial cryptography to protect business and data when building enterprise information systems. In particular, for government information systems providing social services, critical information infrastructure involving the national economy, people's livelihood and basic information resources, and networks and information systems in important areas such as those rated Level 3 or above, the relevant cryptographic equipment and services should be fully planned and configured from the start of construction, and the national commercial (SM) algorithms and protocols should be enabled, to ensure the secure and stable development of the business.
Tencent Security has built an end-to-end security system covering the full life cycle of cloud data, centred on its Data Security Center, to keep data safe as it is identified, used and consumed. Based on the Tencent Cloud Data Security Center, Tencent Security focuses on data encryption hardware and software, a key management system, a credential management system and a cloud data encryption proxy gateway to provide secure and compliant cryptographic protection during data acquisition, processing and retrieval, analysis and service, and access and consumption.
_ Lesson 4: Critical information infrastructure: the top priority of Classified Protection 2.0 _
The protection of critical information infrastructure (CII) directly concerns national security, the national economy, people's livelihood and the public interest, and is the focus of classified protection; the two are inseparable. In the fourth session of the Industrial Security Open Class on Classified Protection 2.0, "Interpretation of Policies on Critical Information Infrastructure Protection", Yang Fanfan, a security solution expert at Sangfor, shared Sangfor's research on cybersecurity classified protection policies and standards and its extensive practical experience in the field of classified protection.
Yang Fanfan said in the course that identifying critical information infrastructure usually takes three steps: first, identify the critical business; second, identify the information systems or industrial control systems that support that critical business; third, determine how strongly the critical business depends on those systems and what losses a cybersecurity incident in them could cause, and on that basis designate them as critical information infrastructure.
Security protection of critical information infrastructure consists of five links. Identification comes first and is the basis for protection, inspection, supervision, early warning and response. Protection is the implementation of protective measures on the basis of identification. Detection and assessment checks the effectiveness of those measures and analyses potential risks. Monitoring and early warning gives advance notice of network events that have occurred or may occur. Finally, incident handling mainly applies countermeasures to problems surfaced by the detection and assessment and monitoring and early warning links, to ensure the business continuity of critical information infrastructure.
_ Lesson 5: Launching a full-stack solution for efficient, high-precision security construction _
In recent years, enterprise security construction has had to accommodate comprehensive and complex scenarios such as hybrid cloud, DevSecOps, zero-trust architectures and agile development. Enterprise security problems have taken on new forms. In this new situation, how to protect key moments such as a corporate IPO and raise a company's overall security level has become a problem for many industries.
In the fifth session of the Industrial Security Open Class on Classified Protection 2.0, Li Guanghui, head of enterprise-level security services at the Tencent Security Expert Consulting Center, addressed these common security issues and shared Tencent Security's best practices in safeguarding key moments for the finance, pan-Internet and other industries.
Tencent Security has designed a four-dimensional approach covering intelligence, attack and defence, management and planning, relying on its own security capabilities in eight areas including identity security, network security and endpoint security. Taking into account each enterprise's industry and business specifics, it provides overall security consulting in a plan with three stages: overall security improvement, internal inspection and live-operation safeguarding.
First, in the overall security improvement stage, business risks are discovered in time through an asset census and risk assessment, vulnerability scanning and baseline inspection, penetration testing of key core business systems with retesting, the writing of emergency response plans, and the establishment of an emergency response organization, and the findings are used to strengthen protective capabilities. In the internal inspection stage, red team versus blue team exercises check the effectiveness and completeness of the protection strategy, so that omissions and failures cannot be exploited by outsiders. In the live-operation stage, 24x7 security monitoring and analysis continuously watches security logs and the event alerts of security devices and systems, and security incidents are handled through emergency response, with the goal of zero security incidents.
_ Lesson 6: Clarify rights, responsibilities and normative guidelines: building full-life-cycle data security defence in depth _
While the data security requirements of Classified Protection 1.0 remain essentially unchanged, Classified Protection 2.0 sets more explicit requirements for data auditing, access control and encryption, reflecting the new network environment and business scenarios. To share the policy interpretation and practical experience of Classified Protection 2.0 in the field of data security with enterprise customers from all sectors, Zhou Jingchuan, Tencent data security product manager, interpreted the data security clauses of Classified Protection 2.0 in the sixth session of the Industrial Security Open Class, "Interpretation of the Core Data Security Requirements in Classified Protection 2.0", covering how to secure the full life cycle of data and the integrity and confidentiality of stored data.
The upgraded data security requirements and new norms of Classified Protection 2.0 are in fact in line with society's general demand for data governance. Building on 1.0, Classified Protection 2.0 brings host security, application security, data security and backup and recovery into the scope of the "secure computing environment", and spells out requirements along dimensions including identity authentication, access control, security audit, data confidentiality, personal information protection and the security management center. It calls for prevention before, during and after an event, requiring enterprises not only to audit data properly but also to be able to trace data risks when problems occur.
Faced with security challenges ranging from cloud computing, big data, AI and quantum technologies to the open development of the 5G stack, enterprises in the industrial Internet era should seize the technology dividends of the age and, from a strategic perspective, build a basic security architecture, comprehensive operations management and a tenant cloud security center: a cloud-native, full-life-cycle defence-in-depth technical architecture and security operations system that fully supports information security in the industrial move to the cloud.
As the basic national policy, basic system and basic method of China's cybersecurity field, the Classified Protection 2.0 standard is not only an important guarantee for building corporate brands and sustainable development, but also the bellwether of cybersecurity for China's information systems in the new era and new situation.
Digital transformation is the mainstream trend of social development today. From the perspective of industry's own development, both "efficiency" and "stability" must be taken into account: informatization and emergency capabilities need to include security among their evaluation indicators while industries are transforming rapidly. As more data and information accumulate during this upgrade, a pool of value forms that also gives cyber attack groups more room to penetrate and destroy, so enterprises and society urgently need to put security, health and stability first in their development plans. Faced with a complex cybersecurity situation, Tencent Security relies on the technology, talent and ecosystem advantages accumulated through its deep industrial Internet practice, and works with ecosystem partners to deepen classified protection research and practice, providing enterprises with efficient and pragmatic classified protection planning and experience sharing to help them win at the starting line of industrial transformation.