Provincial government portal system level protection requirements, national government service platform standards

1 year ago (2024-01-17) Chief Editor

Source: //www.cnnq.net/

According to the relevant national requirements for level protection, the information security protection level of the provincial government portal system should be set at level three. The website system should establish comprehensive control measures that form a protection, detection, response and recovery system under the guidance of a single security strategy. Information security risk analysis and a gap analysis against the level protection requirements are used to derive the security requirements of the website system, so that a targeted security system framework and security protection measures can be established.

Website system security requirements

Based on how the website system is used, its security requirements can be derived from a comprehensive analysis of several aspects: system business process, software, data, network and physical. The specific requirements are as follows:

1. Business process security requirements

The focus is on the accuracy of published information, the controllability of the collection, analysis and summary of information, and the availability of the service platform. The threats the system may face include network attack, exceeding authority (ultra vires), abuse, tampering, repudiation and physical attack, and the ability to resist and protect against these threats should be strengthened. This is done by strictly controlling all links in the business process, including the requirements for personnel access identity, access control, approval and audit in the process of information collection, analysis, summary and release. The integrity protection of the system itself and the implementation of the non-repudiation mechanism should also be strengthened.

2. Software security requirements

The website system software architecture generally includes the access layer, presentation layer, application layer, basic application support layer, information resource layer and basic support operating environment. Because the main functions and software implementations differ between these layers, the possible threats faced by each layer need to be analyzed separately.

The access layer is formed jointly by the target users and the access media. It is the access portal for the business system. From the perspective of security requirements, the possibility of the system being attacked through the portal should be reduced. Designated access points and portals can be protected by establishing a trust mechanism, and non-designated interfaces can be protected by controlling permissions;

The presentation layer is the display area of the system content, which should ensure the integrity of the system display information and reduce the risk of being tampered with;

The application layer is the core part of data information processing. The security of the system itself and the security of software coding should be strengthened to reduce the vulnerability of the system itself;

The basic application support layer mainly includes general application services such as general components, user management, directory services and exchange components. This layer focuses on ensuring the security of the system components themselves and on strengthening the security of their interfaces with applications;

The information resource layer is composed of the business database and the platform database, and the key security concern of this layer is database security;

The basic support operating environment layer consists of the operating system, network infrastructure and security protection that support the operation of the application system. The main threats faced by this layer include physical attacks, network attacks, software and hardware failures, inadequate management and malicious code. The comprehensive management of assets should be strengthened.

3. Data security requirements

The data of the website system mainly includes the information read, entered, managed and reviewed over the Internet, as well as front-end interaction information and back-end data exchange information. Because the access relationships differ at each of these stages, the sensitivity and importance of the information differ, and the threats faced may differ as well.

The reading process should apply access control according to the sensitivity and importance of the information, so as to reduce threats such as exceeding authority (ultra vires) and abuse. For input, attention should be paid to the integrity and legitimacy of the input information itself, and to preventing malicious code and Trojan horse attacks on the system. Management and review involve the key information of the information system, so they essentially amount to managing sensitive information or key processes in the system, and the security management of personnel should be strengthened. Interaction and data exchange should resist network attacks and strengthen the non-repudiation mechanism through the system's own security protection mechanisms.

4. Network and physical security requirements

At the network level, the focus is to design a reasonable network architecture, deploy redundant network equipment, and form a security domain that can establish different security policies, so as to ensure the normal and stable operation of the website system.

Physical security mainly involves environmental security (fire prevention, waterproofing, lightning protection, etc.) and the prevention of theft of and damage to equipment and media. Specifically, it includes: the selection of physical location, physical access control, anti-theft and vandalism prevention, lightning protection, fire prevention, waterproofing and moisture-proofing, anti-static measures, temperature and humidity control, power supply and electromagnetic protection, etc. The construction of the computer room should meet the relevant national requirements.

5. Security requirements for IT assets

For IT assets, the focus is on the vulnerability risk of the assets themselves. Assets can be divided by type into hardware assets and software assets. The key threats that hardware assets may face are software and hardware failures, physical attacks, etc. The threats that software assets may face include tampering, disclosure, network attack, malicious code and repudiation.

6. Comprehensive security requirements

A comprehensive analysis of security risks and requirements across all of these aspects shows that, because of its application type, environment and other factors, the business, software, data, network and related IT assets of the website system are mainly threatened by network attack, tampering, physical attack, malicious code, exceeding authority (ultra vires), abuse and repudiation. These threats have a greater impact once exploited, resulting in a higher security risk. Therefore, necessary security measures should be taken to counter these threats and strengthen the security of the system itself. At the same time, the control measures related to physical security, network security, host security, application security and data security should be further improved, and the management requirements related to organization, system, personnel, construction, and operation and maintenance should be implemented, in line with the relevant technical and management control points of the basic requirements for information security level protection.

This article was written by Chief Editor and published on Software Development of Little Turkey. Please indicate the source when reprinting: //hongchengtech.cn/blog/4178.html