English
Chinese English
One-stop MLPS expert
POWERTIME
1、Development of Classified Protection

1994-2007    Starting and exploration

  • Feb 18. 1994 Regulations on the Protection of Computer Information System Security of the People's Republice of China(No.147 Order, the State Council)

  • Sept 7. 2001 Opinions on Strengthening Information Security Guarantee of China Informatization Leading Group (No.27, 2003, Issued by the General Office of the Central Committee)

  • Sept 15. 2004 Opinions on the Implementation of Information Security Classified Protection

  • June 22. 2007 Administration Measures for Information Security Classified Protection ( No.43, 2007, Ministry of Public Security and Ministry of Transport)

  • Notice on the Implementation of National Critical Information System Security Classified protection practices (No.861 (2007), the Ministry of Public Security and The Ministry of Transport

2007-2016    Standardizing and Improving

  • GB/T 22229-2008  Baseline for Classified Protection of Cybersecurity and other standards on classified protection such as GB/T 22240. 25070. 28448,28449.

2016-2019       Further development

  • June 1. 2017  Cybersecurity Law of the People's Republic of China


After 2019       Classified Protection 2.0 Era

  • May 13, 2019      Information Security Technology—Baseline for Classified Protection of Cybersecurity

1994-2007    Starting and exploration

  • Feb 18. 1994 Regulations on the Protection of Computer Information System Security of the People's Republice of China(No.147 Order, the State Council)

  • Sept 7. 2001 Opinions on Strengthening Information Security Guarantee of China Informatization Leading Group (No.27, 2003, Issued by the General Office of the Central Committee)

  • Sept 15. 2004 Opinions on the Implementation of Information Security Classified Protection

  • June 22. 2007 Administration Measures for Information Security Classified Protection ( No.43, 2007, Ministry of Public Security and Ministry of Transport)

  • Notice on the Implementation of National Critical Information System Security Classified protection practices (No.861 (2007), the Ministry of Public Security and The Ministry of Transport

2007-2016    Standardizing and Improving

  • GB/T 22229-2008  Baseline for Classified Protection of Cybersecurity and other standards on classified protection such as GB/T 22240. 25070. 28448,28449.

2016-2019       Further development

  • June 1. 2017  Cybersecurity Law of the People's Republic of China


After 2019       Classified Protection 2.0 Era

  • May 13, 2019      Information Security Technology—Baseline for Classified Protection of Cybersecurity
2、Background of the 2.0 Era

Since the implementation of information system classified protection in 1994 in the form of No. 147 Order of the State Council, the classified protection has been fully developed in several industries such as finance, electric power and telecommunications. However, with the development of emerging technologies such as cloud computing, large data, internet of things, artificial interconnection and artificial intelligence, it has been unable to cope with new risks effectively, in order to respond to those challenges of new situation and new requirements, and tackle new risks, the 2.0 Era of classified protection is born in the proper time and conditions.


Since the implementation of information system classified protection in 1994 in the form of No. 147 Order of the State Council, the classified protection has been fully developed in several industries such as finance, electric power and telecommunications. However, with the development of emerging technologies such as cloud computing, large data, internet of things, artificial interconnection and artificial intelligence, it has been unable to cope with new risks effectively, in order to respond to those challenges of new situation and new requirements, and tackle new risks, the 2.0 Era of classified protection is born in the proper time and conditions.


3、News Changes in the 2.0 Era

1. Legal status is confimed

Article 21 of the Cybersecurity Law of the People's Republic of China stipulates that "the state implements the cybersecurity classified protection system", and requires that "the network operator shall fulfill the obligation of security protection according to the requirements of the cybersecurity classified protection system"; Article 31 stipulates that "key protection shall be implemented for the national critical information infrastructure on the basis of the cybersecurity classified protection system".

2. Protection object is expanding

As new technologies such as cloud computing, mobile interconnection, big data, internet of things, artificial intelligence and so on are developing rapidly, the concept of Computer Information System is outdated, especially the development of internet highlights the value of big data, so the protection object will be expanded continuously

3.Trusted Computing is enhanced

he 2.0 Era of Classified Protection establish a core technical system for classified protection system based on the trusted computing technology, which strengthens the critical concept of trusted sytem.

4. Changes in General Requirements

General requirements include security general requirements, cloud computing security extension requirements, mobile interconnection security extension requirements, Internet of Things security extension requirements, and industrial control systems security extension requirements.

The core of general requirements in the 2.0 era of classified protection is optimization.


Key contents added

5.  Changes in Extension Requirement

(1)Security extension requirement of cloud computing platform

+ Responsible body is divided into two: cloud service provider and cloud tenant
+  Classified protection level matches

Cloud computing platform‘s protection level should be determined independently

Cloud computing platform needs to pass the classified protection level evaluation

Identical cloud computing platform can carry information system of different levels

Cloud computing platform cannot carry information system of higher levels

Cloud computing application scenario:

(2)Security extension requirement of Big Data

         Large data with a uniform security responsibility unit should be classified as an whole object.。

Large data system composition:

(3)  Security extension requirement of IoT

The Internet of Things (IoT) should be classified as a whole object, which mainly includes perception layer, network transport layer and processing application layer.

(4)Security extension requirement of Mobile Interconnected Network

Classified protection object of mobile interconnection technology should be classified as a whole object, and the factors such as mobile terminal, mobile application and wireless network should not be classified separately, and the application environment and application object should be classified together with the classified protection object of mobile interconnection technology.

Mobile Internet application architecture

(5)Security extension requirement of Industrial Control System

Industrial control system is composed of production management layer, field equipment layer, field control layer and process monitoring layer. The device layer, the field control layer and the process monitoring layer shall be classified as a whole object, and the elements of each level should not be classified separately. For large-scale industrial control system, it can be divided into several objects according to system functions, control objects and manufacturers.

  Note: This chart is a classic hierarchical model of industrial control system reference IEC62264-1, but as the industry 4.0 and information physics system develops rapidly, it can not be fully applicable, so for the actual development of different industries enterprises, partial hierarchical merger is allowed.

1. Legal status is confimed

Article 21 of the Cybersecurity Law of the People's Republic of China stipulates that "the state implements the cybersecurity classified protection system", and requires that "the network operator shall fulfill the obligation of security protection according to the requirements of the cybersecurity classified protection system"; Article 31 stipulates that "key protection shall be implemented for the national critical information infrastructure on the basis of the cybersecurity classified protection system".

2. Protection object is expanding

As new technologies such as cloud computing, mobile interconnection, big data, internet of things, artificial intelligence and so on are developing rapidly, the concept of Computer Information System is outdated, especially the development of internet highlights the value of big data, so the protection object will be expanded continuously

3.Trusted Computing is enhanced

he 2.0 Era of Classified Protection establish a core technical system for classified protection system based on the trusted computing technology, which strengthens the critical concept of trusted sytem.

4. Changes in General Requirements

General requirements include security general requirements, cloud computing security extension requirements, mobile interconnection security extension requirements, Internet of Things security extension requirements, and industrial control systems security extension requirements.

The core of general requirements in the 2.0 era of classified protection is optimization.


Key contents added

5.  Changes in Extension Requirement

(1)Security extension requirement of cloud computing platform

+ Responsible body is divided into two: cloud service provider and cloud tenant
+  Classified protection level matches

Cloud computing platform‘s protection level should be determined independently

Cloud computing platform needs to pass the classified protection level evaluation

Identical cloud computing platform can carry information system of different levels

Cloud computing platform cannot carry information system of higher levels

Cloud computing application scenario:

(2)Security extension requirement of Big Data

         Large data with a uniform security responsibility unit should be classified as an whole object.。

Large data system composition:

(3)  Security extension requirement of IoT

The Internet of Things (IoT) should be classified as a whole object, which mainly includes perception layer, network transport layer and processing application layer.

(4)Security extension requirement of Mobile Interconnected Network

Classified protection object of mobile interconnection technology should be classified as a whole object, and the factors such as mobile terminal, mobile application and wireless network should not be classified separately, and the application environment and application object should be classified together with the classified protection object of mobile interconnection technology.

Mobile Internet application architecture

(5)Security extension requirement of Industrial Control System

Industrial control system is composed of production management layer, field equipment layer, field control layer and process monitoring layer. The device layer, the field control layer and the process monitoring layer shall be classified as a whole object, and the elements of each level should not be classified separately. For large-scale industrial control system, it can be divided into several objects according to system functions, control objects and manufacturers.

  Note: This chart is a classic hierarchical model of industrial control system reference IEC62264-1, but as the industry 4.0 and information physics system develops rapidly, it can not be fully applicable, so for the actual development of different industries enterprises, partial hierarchical merger is allowed.

Classified protection

IT Audit Service

Security Service

About us

  • QQ: 3471814603
  • Tel: 010 58732083
  • Phone: 13601264474
  • Email: service@powertime.cn
  • Address: 15F, Bldg B, In-Do Mansion, No. 48. Zhichun Rd, Haidian Dist, Beijing
POWERTIME-MLPS and IT Audit All rights reserved ICP:13008575
Free calls

返回
顶部