The process of the information security protection assessment - News Center - Hangzhou Xincx Network Technology Co., Ltd.
Hangzhou Xincx Network Technology Co., Ltd.

Equal Protection Assessment, Level Protection, Network Security Assessment

Consultation Hotline
18069775965

The process of the information security protection assessment
Publish Time:2022-11-08        View Count:149        Return to List

Equal Protection Assessment: the assessment process is divided into the following phases: preparation activities, planning activities, on-site assessment activities, analysis and report compilation activities, the rectification phase, and the acceptance assessment phase. The first four phases together make up the gap assessment; the acceptance assessment repeats them after rectification.

1. Preparatory Phase for Information Security Assessment

Signing the Evaluation Service Contract and the Confidentiality Agreement

After selecting the evaluation institution, both parties first sign the "Evaluation Service Contract." The contract sets out the scope of the project (number of systems), the content of the project (gap assessment? acceptance assessment? assistance with rectification?), the project timeline (when work starts, how long the project proposal takes), the project implementation plan (the steps of the evaluation work), the project personnel (members of the implementation team), the acceptance criteria, the payment terms, and the liability for breach of contract, and the parties agree on each item in turn.

Alongside the "Evaluation Service Contract," the evaluation agency must also sign a "Confidentiality Agreement." The "Confidentiality Agreement" typically takes two forms: one between the evaluation agency and the evaluated entity (organization to organization), setting out the agency's confidentiality obligations during the evaluation; the other between the individual project members of the evaluation agency and the evaluated entity.

Project Kick-off Meeting

Once both parties have signed the commissioned evaluation contract, they agree on a date for the project kick-off meeting. The purpose of the kick-off meeting is mainly for the client to mobilize its internal departments, draw the attention of the departments concerned, coordinate internal resources, introduce the evaluation party's implementation team, and present the plan, laying the groundwork for the implementation of the whole information security assessment project.

System Status Survey

After the kick-off meeting, the security assessment team begins the survey. By having the client fill out the "Basic Information Survey Form for Information Systems," the team gains a detailed understanding of the systems under test in preparation for developing the assessment plan. The preparation activities are the premise and foundation of the graded assessment work and determine the effectiveness of the entire assessment process; how thoroughly they are done directly affects whether the subsequent work proceeds smoothly. Preparation for a Level 2 system typically takes about 1.5 days, and for a Level 3 system about 2 days.

2. Evaluation Plan Development Phase

The primary task in this phase is to confirm the evaluation objects, evaluation criteria, and evaluation content appropriate to the information system under test, and to develop or reuse evaluation implementation guidelines based on those requirements, forming the evaluation plan. The planning activities provide the basic documentation and guidance for the on-site evaluation. Planning for a Level 2 system typically takes about 2 days.

3. On-site Information Security Protection Assessment Phase

On-site assessment is the core activity of the whole assessment process and covers both technical and management assessments. The technical assessment covers: physical security, network security, host security, application security, data security, and backup and recovery. The management assessment covers: security management systems, security management organization, personnel security management, system construction management, and system operation and maintenance management. The on-site gap assessment uses five methods: interviews, document review, configuration checks, tool testing, and on-site observation.

On-site assessment of a Level 2 system typically takes about 5 days.

The deliverables of this phase are the on-site assessment records for each domain: physical security, network security, host security, application security, data security and backup and recovery, security management systems, security management organization, personnel security management, system construction management, and system operation and maintenance management.
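The configuration-check method above is usually carried out by collecting configuration files from the hosts in scope and comparing each item against an expected value, with the outcome written into the host-security on-site assessment record. The following Python script is an added example of that workflow and is not code from the original page or from the company; the check items, thresholds, and the sshd_config and login.defs excerpts are constructed for illustration and are not the official assessment baseline.

```python
"""Configuration check for a host-security on-site assessment record (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample files, as they might be collected from a host during the on-site check.
# They are NOT from a real system; the values are chosen to exercise each outcome.
SAMPLE_SSHD_CONFIG = """
# OpenSSH server configuration (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

SAMPLE_LOGIN_DEFS = """
# /etc/login.defs excerpt (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines (sshd_config / login.defs style).

    Comments and blank lines are ignored; keys are lower-cased so that
    'PermitRootLogin' and 'permitrootlogin' match the same check item.
    """
    result: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        result[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return result


@dataclass
class CheckItem:
    item_id: str          # hypothetical record item number
    description: str      # what the assessor is checking
    key: str              # configuration key (lower-case) to look up
    expected: str         # expected value, as written in the record
    passes: Callable[[str], bool]


# Hypothetical check items and thresholds for illustration only.
CHECKS: List[CheckItem] = [
    CheckItem("HOST-01", "SSH protocol version 2 only", "protocol", "2",
              lambda v: v.strip() == "2"),
    CheckItem("HOST-02", "Remote root login over SSH disabled", "permitrootlogin", "no",
              lambda v: v.lower() in ("no", "prohibit-password")),
    CheckItem("HOST-03", "Failed SSH authentication attempts limited", "maxauthtries", "<= 5",
              lambda v: v.isdigit() and int(v) <= 5),
    CheckItem("HOST-04", "SSH login grace time configured", "logingracetime", "<= 60",
              lambda v: v.isdigit() and int(v) <= 60),
    CheckItem("HOST-05", "Password maximum validity period", "pass_max_days", "<= 90",
              lambda v: v.isdigit() and int(v) <= 90),
    CheckItem("HOST-06", "Minimum password length", "pass_min_len", ">= 8",
              lambda v: v.isdigit() and int(v) >= 8),
]


def run_checks(config: Dict[str, str], checks: List[CheckItem]) -> List[Dict[str, str]]:
    """Evaluate each check item and return one record row per item.

    A key that is absent from the collected configuration is recorded as
    'not configured' rather than silently treated as passing.
    """
    records = []
    for c in checks:
        actual = config.get(c.key)
        if actual is None:
            result, actual = "not configured", "(absent)"
        else:
            result = "conforming" if c.passes(actual) else "non-conforming"
        records.append({"item_id": c.item_id, "description": c.description,
                        "expected": c.expected, "actual": actual, "result": result})
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count outcomes, which feed the unit-level result in the later analysis phase."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r["result"]] = counts.get(r["result"], 0) + 1
    return counts


def assess_host(sshd_text: str, login_defs_text: str):
    """Merge the collected files and produce the record rows plus a summary."""
    config = parse_kv(sshd_text)
    config.update(parse_kv(login_defs_text))
    records = run_checks(config, CHECKS)
    return records, summarize(records)


if __name__ == "__main__":
    rows, summary = assess_host(SAMPLE_SSHD_CONFIG, SAMPLE_LOGIN_DEFS)
    for r in rows:
        print(f"{r['item_id']}  {r['description']:<42} expected {r['expected']:<6} "
              f"actual {r['actual']:<10} {r['result']}")
    print("summary:", summary)
```

In practice the same record layout (item, expected value, observed value, result) is filled in for every host and every domain; keeping the checks as data rather than hard-coded branches makes it easy to reuse the list during the acceptance assessment to confirm that each non-conforming item was actually rectified.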

4. Analysis and Report Compilation Phase

The primary task in this phase is to identify, from the individual assessment results, the unit assessment results, and the overall risk analysis, the gaps between the system's current security protection status and the protection requirements for its level, to analyze the risk those gaps pose to the system, and on that basis to reach a level assessment conclusion and write the report. Analysis and reporting for a Level 2 system typically takes about 3 to 4 days.

This phase does not have to be completed on-site at the client; the "Evaluation Report" follows the template prescribed by the competent authority.

This phase's deliverables include the "System Level Evaluation Report" and the "System Rectification Proposal."

5. Rectification Phase

Rectification is carried out on the basis of the gap assessment report and the rectification proposal issued by the assessment organization. This phase is implemented mainly by the filing unit (the system operator), with assistance from the assessment organization. The client may divide the rectification into short-term, medium-term, and long-term items according to its own circumstances.

6. Acceptance Phase of Security Assessment Evaluation

The acceptance assessment follows the same process as the gap assessment, but focuses primarily on verifying that the rectification measures are effective.

In summary, a single evaluation of a Level 2 system, with full cooperation from the client and three assessors deployed by the assessment party, generally takes about the sum of the phase durations given above (roughly 11.5 to 12.5 working days). If several systems are evaluated at the same time there is some overlap in the work, and the effort has to be estimated case by case.
