With the promulgation of the "Administrative Measures for the Protection of Information Security Grades," the state has been tightening its supervision to further advance the implementation of these security protection measures, and local cyber police are stepping up their promotion of them. Let's take a look at what the third-grade security protection assessment covers, with Tianrun Technology.
Sample of Grade III Quality Assurance Certificate

What are the contents of the third-level security assessment?
1. Physical Security Aspect
(1) The server room should be divided into at least two sections: the main server room and the monitoring area.
(2) The server room should be equipped with an electronic access control system, a burglary alarm system, and a monitoring system.
(3) The server room should not have windows and should be equipped with a dedicated gas fire suppression system and an uninterruptible power supply (UPS).
2. Cybersecurity Aspect
(1) A topology diagram that corresponds to the current operational status should be drawn.
(2) Switches, firewalls, and other equipment configurations must meet the requirements, such as implementing VLAN segmentation with logical isolation between each VLAN, configuring QoS traffic control policies, setting up access control strategies, and binding IP/MAC addresses for critical network equipment and servers.
(3) Network auditing equipment and intrusion detection or prevention devices should be provided.
(4) The authentication mechanism of switches and firewalls must meet the security protection requirements, such as username and password complexity policies, login access failure handling mechanisms, user role and permission control, etc.
(5) Network links, core network equipment, and security devices require redundancy design.
3. Server Security Section
(1) The server's own configuration must meet the requirements, such as authentication mechanisms, access control mechanisms, security auditing mechanisms, antivirus protection, etc. If necessary, third-party host and database auditing equipment can be purchased.
(2) Servers should be deployed redundantly, for example as dual-machine setups or clusters.
(3) Servers and critical network devices must undergo vulnerability scanning and assessment prior to deployment, and should not have any vulnerabilities above medium severity.
(4) A dedicated log server should be provided to store audit logs for the host and database.
4. Application Security
(1) The application's built-in features should meet the security standards, such as identity verification mechanisms, audit logs, and encrypted communication and storage.
(2) Consider deploying web tamper-proof devices at the application location.
(3) The security assessment of the application should not contain any vulnerability above medium risk.
(4) Logs generated by the application system should be saved to the designated log server.
5. Data Security Backup
(1) A local backup mechanism for the data should be provided, with daily backups stored off-site.
(2) If core critical data exists within the system, a remote data backup feature should be provided to transmit and back up the data to a different location via the internet or other means.































