Multi-Level Protection Scheme (MLPS) 2.0 guideline for WFOE in China – Practical Approach for China Cyber-Security Law

MLPS 2.0 is the latest version of the Network Security Level Protection System, offering outstanding protection for your network security. It goes beyond record management, encompassing expert reviews and level protection management, allowing you to comprehensively manage and enhance your network security.

Abstract:
The new Multi-Level Protection Scheme (MLPS) 2.0 standard was released in 2019 and is now being applied more and more widely, moving from government entities into enterprises. This article is an instruction on how to obtain an MLPS assessment, or how to bring a company (mainly an enterprise) into conformance with the MLPS standard as far as possible.

1.Background

Due to the development of the national security stance and the increasing frequency of cybercrime in China, and in order to protect the Chinese economy and the livelihoods of the Chinese people, China released the Cybersecurity Law of the People’s Republic of China (CSL) in June 2017. Article 21 of the CSL states that all network operators shall fulfill the MLPS.

The MLPS is a normative document that helps network operators grade their information systems/networks and helps them maintain and protect those systems.

The MLPS has been drafted and practiced since 2008. It was first considered dedicated to government entities, to protect national network security. But after 2017, as stated in the CSL, all network operators (including key industrial companies and even WFOEs) are obligated to follow the MLPS standard to protect the networks they operate.

1.1.Legal Reference

  • Cybersecurity Law of the People’s Republic of China
  • Regulations of the People’s Republic of China for Safety Protection of Computer Information Systems (Decree of the State Council of the People’s Republic of China No. 147)
  • Administrative Measures for the Multi-level Protection of Information Security (GongTongZi [2007] No. 43)

1.2.Standards

  • The GB/T 22239-2019 Basic Requirements for the Multi-level Protection of Information Security Technology
  • The GB/T 25070-2019 Information Security Technology Cybersecurity Multi-level Protection Security Design Technical Requirements
  • The GB/T 28448-2019 Information Security Technology Cybersecurity Multi-level Protection Assessment Requirements
  • The GB/T 25058-2019 Information Security Technology-Implementation Guide for Cybersecurity Classified Protection

1.3.Objects: Network Operators

The grading objects in this specification refer to local government departments, enterprises, institutions, representative bodies and other social organizations that build, operate and use basic information networks, cloud computing platforms/systems, big data applications/platforms/resources, Internet of Things, industrial control systems, systems using mobile internet technology, data resources, and information systems that host independent business applications.

Network operators shall, according to the requirements of the multi-level protection system, fulfill their security obligations to ensure that the network is free from interference, damage, or unauthorized access, and prevent network data from being divulged, stolen, or falsified.

2.Assessment Procedure

2.1.Self-Grading

The network operator shall fill in the application form (for the template see Annex 1; because only the Chinese form is accepted, we have not translated it) according to its own network/system situation.

Which level to take is based on the matrix below:

| Object harmed when the network/system is damaged | Harm | Serious harm | Particularly serious harm |
| --- | --- | --- | --- |
| Legitimate rights and interests of Chinese citizens | L1 | L2 | L3 |
| Social order and the public interest | L2 | L3 | L4 |
| National security | L3 | L4 | L5 |

When the network topology, usage, service scope/objects or handled data change, the corresponding security level should also be re-graded.

Normally, for manufacturing companies, based on our experience, a maximum of L2 is sufficient; even L1 is acceptable.

Since 2021, based on our experience, WFOEs in our region whose systems have no data exchange with foreign sites, i.e. purely internal systems such as a basic office system (Active Directory + file share + mail server or SharePoint server), an OA system or an MRP system, can apply for acknowledgement of self-grading above level 2. Because the interpretation of the Data Security Law and the Personal Information Protection Law published in 2021 is still not clearly in written form, systems that exchange data with foreign sites should not be considered for MLPS application.

2.2.Platform Application

Basic procedure of the grade protection assessment (in Chinese)

The platform is used for network-security-related work such as system filing and notification.

Registration/Login Address: http://tbyj.szgaj.cn:82, the interface is as follows:

Click “Register” to enter the registration page, fill in the basic information of the unit, a password and the registered mobile phone number, enter the mobile phone verification code, tick the consent agreement below, click Register and wait for the public security review (about 30 minutes).

Whether the audit is passed or not, you will be notified by SMS; after the audit is passed, you can log into the system with the mobile phone number and password used at registration.

2.3.Expert review applications

As shown in the figure: click the upload button and upload the stamped scanned documents “Network Security Grade Protection Rating Review Application Form” and “Unit Network and Information System Registration Form”.

The following content needs to be entered into the system after review by the public security and the experts.

After the review, print and stamp the filing form and the grading report, scan and upload them as attachments, and click Submit for review after confirmation.

2.4.Filing application

Unit information entry: the system is filed through the level protection module; the platform filing process is as follows:

Click —-—- to fill in the following unit basic situation form according to the actual situation:

After filling in, upload the attachments (stamped scanned copies of the Filing Form, the Grading Report and the Expert Review Opinion Form), confirm that there are no errors, click Submit for Review and then OK to save the record. On the ICP filing application page, if you want to view the record, you can modify it by clicking Edit.

Click Submit to complete the filing application.

Note: In accordance with the requirements of the “Suzhou Cyber Security Grade Protection Grading Review Work Specification”, please conduct an expert review according to the specification before submitting for review; the materials required for the expert review are shown in the annex.

2.5.Example 1 “Information System Security Level Protection Filing Certificate” issued by the public security

The stamped filing form is sent to the public security, and finally the public security stamps and issues the filing certificate.

2.6.Example 2 “Network Security Level Evaluation and Testing and Evaluation Agency Service Certification Certificate” Qualification Conditions

2.7.Example 3 Assessment Report

3.Assessment Items

3.1.Level 2

| Security category | Security sub-category | Number of assessment items | Comments |
| --- | --- | --- | --- |
| Physical security | Selection of physical location | 1 | Evaluate whether the physical server room is in a building that is shockproof, windproof and rainproof. |
| | Physical access control | 2 | The approval controls for entering and leaving the server room; the entrance and exit of the server room need to be attended by dedicated personnel. |
| | Theft and vandalism | 5 | Evaluate the security of equipment and communication cables in the server room and the anti-theft alarm facilities. |
| | Lightning protection | 2 | Evaluate the construction of building lightning protection, induced-lightning protection and the AC power ground wire. |
| | Fire prevention | 1 | Evaluate the setup of the automatic fire monitoring system and the fire-fighting equipment. |
| | Waterproof and damp proof | 3 | Evaluate the water pipe layout, rainwater infiltration, condensation and underground water transfer and infiltration in the server room. |
| | Antistatic | 1 | Evaluate the anti-corrosion measures of key equipment. |
| | Temperature and humidity control | 1 | Evaluate the temperature and humidity control measures of the server room. |
| | Power supply | 2 | Evaluate voltage stabilization, overvoltage protection and standby power supply of the server room power line. |
| | Electromagnetic protection | 1 | Evaluate the isolation of power lines and communication cables. |
| | Total | 19 | |
| Network security | Structural safety | 4 | Main verification: processing capacity of key network equipment, whether the network bandwidth meets business requirements, whether the network topology is consistent, and whether subnets are divided. |
| | Access control | 4 | Main verification: access control function of border network devices, system and dial-up access restrictions. |
| | Security audit | 2 | Main verification: network equipment log collection, and whether audit records are detailed. |
| | Boundary integrity check | 1 | Main verification: whether unauthorized devices connecting to the internal network can be detected. |
| | Intrusion prevention | 1 | Main verification: deployment and usage of IDS. |
| | Network equipment protection | 6 | Main verification: user identification, administrator login address restriction, user identity uniqueness, password policy, login policy, remote management policy. |
| | Total | 18 | |
| Host security | Identification | 5 | Main verification: user identification method, account-to-user correspondence, account and password length settings, password change cycle, etc.; login failure handling settings. |
| | Access control | 4 | Main verification: privilege separation of privileged users; access rights of default accounts; handling of redundant and expired accounts. |
| | Security audit | 4 | Main verification: coverage of the security audit; integrity of recorded content; prevention of audit records being deleted or overwritten. |
| | Intrusion prevention | 1 | Main verification: operating system component installation and patch upgrades. |
| | Malicious code prevention | 2 | Main verification: use and upgrade of anti-virus and anti-malware products; support for unified management of anti-malware software. |
| | Resource control | 3 | Main verification: terminal login restriction mode and security policy. |
| | Total | 19 | |
| Application security | Identification | 4 | Main verification: identity identification and authentication, authentication information complexity, login failure handling and user identity uniqueness check, etc. |
| | Access control | 4 | Main verification: independent access control function, minimum required authority and mutual restriction. |
| | Security audit | 3 | Main verification: coverage of the security audit; integrity of recorded content; prevention of audit records being deleted or overwritten. |
| | Communication integrity | 1 | Main verification: cryptographic technology ensures the integrity of the data communication process. |
| | Communication confidentiality | 2 | Main verification: whether cryptographic technology is used for session initialization verification and for encryption of sensitive information during communication. |
| | Software fault tolerance | 2 | Main verification: data validation; whether some functions remain available after a fault. |
| | Resource control | 3 | Main verification: automatic session termination, limit on the maximum number of concurrent sessions, limit on multiple concurrent sessions for a single account. |
| | Total | 19 | |
| Data security | Data integrity | 1 | Main verification: detection of the integrity of identification information and important business data in transit. |
| | Data confidentiality | 1 | Main verification: use of encryption or other protection measures for the storage confidentiality of identification information. |
| | Backup and recovery | 2 | Main verification: backup and recovery of important information; hardware redundancy of network equipment. |
| | Total | 4 | |
| Safety management system | Management system | 3 | Main verification: construction of the overall security strategy; establishment of a safety management system for the important management contents of safety activities; establishment of personnel management operating procedures. |
| | Development and release | 3 | Main verification: establishment of the department responsible for formulating the safety management system; formulation, review and release of the safety management system. |
| | Review and revision | 1 | Main verification: review and revision of the safety management system. |
| | Total | 7 | |
| Safety management organization | Post setting | 2 | Main verification: establishment of safety management posts and clarification of responsibilities. |
| | Staffing | 2 | Main verification: staffing of safety management posts. |
| | Authorization and approval | 2 | Main verification: the approving department and approver are authorized according to the responsibilities of each department and post; an approval process for key activities is established and signed off by the approver. |
| | Communication and cooperation | 2 | Main verification: communication and cooperation among management personnel, internal organizations and information functional departments; cooperation and communication with sister units, public security organs and telecommunication companies. |
| | Audit and inspection | 1 | Main verification: standardization and implementation of system safety inspections. |
| | Total | 9 | |
| Personnel safety management | Personnel recruitment | 3 | Main verification: standardized management of the recruitment process; signing of confidentiality agreements by employed personnel. |
| | Personnel leaving post | 3 | Main verification: control of the personnel departure process. |
| | Personnel assessment | 1 | Main verification: safety skill and safety awareness assessment for the personnel of each post. |
| | Safety awareness education and training | 3 | Main verification: formulation and implementation of the safety training plan. |
| | Access management of external personnel | 1 | Main verification: approval and supervision of external personnel entering important areas, and the related records. |
| | Total | 11 | |
| System construction management | System grading | 3 | Main verification: whether the security protection level of the information system is clear, whether the method and reasons for determining the level are in written form, and whether the grading results are approved by the relevant departments. |
| | Security scheme design | 4 | Main verification: overall planning and design of the system’s information security work. |
| | Purchase and use of products | 3 | Main verification: purchase and use management measures for information security products in the system. |
| | Self-developed software | 3 | Main verification: management of software self-developed within the system. |
| | Outsourced software development | 4 | Main verification: quality of outsourced software, to ensure its safety and availability. |
| | Project implementation | 2 | Main verification: implementation of information system engineering. |
| | Test acceptance | 3 | Main verification: acceptance of information system engineering. |
| | System delivery | 3 | Main verification: delivery of information system engineering. |
| | Security service provider selection | 3 | Main verification: selection of security service providers and service management measures in the system. |
| | Total | 28 | |
| System operation and maintenance management | Environmental management | 4 | Main verification: daily management of server room infrastructure and the office environment. |
| | Asset management | 2 | Main verification: preservation of the asset list; establishment of an asset safety management system. |
| | Media management | 4 | Main verification: storage, filing, destruction and classified management measures for various media. |
| | Device management | 4 | Main verification: management of the daily use, operation and maintenance of all kinds of equipment. |
| | Network security management | 6 | Main verification: construction of the safety management system and inspection for illegal network connections. |
| | System security management | 6 | Main verification: system access control, patching, daily vulnerability scanning and audit management. |
| | Malicious code prevention management | 3 | Main verification: management of malicious code detection, analysis and other preventive work. |
| | Password management | 1 | Main verification: institutionalization and implementation of password use. |
| | Change management | 2 | Main verification: institutionalization of change activities and standardized management before, during and after a change. |
| | Backup and recovery management | 3 | Main verification: daily backup management of system data and system recovery management. |
| | Security incident handling | 4 | Main verification: construction of the security incident reporting and handling system and standardized management of the different security incident handling processes. |
| | Emergency plan management | 2 | Main verification: formulation of emergency plans for different events and training of the relevant personnel on the emergency plans. |
| | Total | 41 | |
| Total | 66 items | 175 indexes | |

3.2.Level 3

LevelControl pointsControl itemsEvaluation judgment items
Security Common RequirementsSafe Physical EnvironmentPhysical location selectiona)   The site of the machine room shall be in a building with the ability to prevent earthquake, wind and rain;
b)The machine room site shall not be located on the top floor or basement of the building, otherwise waterproof and moisture-proof measures shall be strengthened.
Physical access controlThe entrance and exit of the machine room shall be equipped with an electronic access control system to control, identify and record the personnel entering.
Anti theft and vandalisma)   The equipment or main components shall be fixed and set with obvious signs that are not easy to remove;
b)   The communication cable shall be laid in a concealed and safe place;
C)The machine room shall be equipped with anti-theft alarm system or video monitoring system with special personnel on duty.
Lightning protectiona)   Various cabinets, facilities and equipment shall be safely grounded through the grounding system;
b)Measures shall be taken to prevent induced lightning, such as lightning protector or overvoltage protection device.
Fire preventiona)   The machine room shall be equipped with automatic fire fighting system, which can automatically detect the fire, automatically alarm and automatically extinguish the fire;
b)The machine room and relevant working rooms and auxiliary rooms shall be made of building materials with fire resistance rating;
c)The machine room shall be divided into areas for management, and isolation and fire prevention measures shall be set between areas.
Waterproof and moisture proofa)   Measures shall be taken to prevent rainwater from penetrating through the windows, roofs and walls of the machine room;
b)   Measures shall be taken to prevent water vapor condensation in the machine room and the transfer and infiltration of underground ponding;
c)Water sensitive detection instruments or elements shall be installed to detect and alarm the water resistance of the machine room.
Electrostatic preventiona)   Anti static floor or ground shall be adopted, and necessary grounding anti-static measures shall be taken;
b)Measures shall be taken to prevent the generation of static electricity, such as using static eliminator, wearing anti-static bracelet, etc.
Temperature and humidity controlAutomatic temperature and humidity adjustment facilities shall be set to make the change of temperature and humidity in the machine room within the allowable range of equipment operation.
Power supplya)   Voltage regulator and overvoltage protection equipment shall be configured on the power supply line of the machine room;
b)   Short term standby power supply shall be provided to at least meet the normal operation requirements of the equipment in case of power failure;
c)Redundant or parallel power cable lines shall be set to supply power to the computer system.
Electromagnetic protectiona)   The power line and communication cable shall be laid separately to avoid mutual interference;
b)Electromagnetic shielding shall be applied to key equipment.
Secure Communication NetworkNetwork Architecturea)   Ensure that the business processing capacity of network equipment meets the needs of business peak;
b)   Ensure that the bandwidth of each part of the network meets the needs of business peak;
c)   Different network areas shall be divided, and addresses shall be assigned to each network area according to the principle of convenient management and control;
d)   The deployment of important network areas at the boundary shall be avoided, and reliable technical isolation means shall be adopted between important network areas and other network areas;
e)Hardware redundancy of communication lines, key network equipment and key computing equipment shall be provided to ensure the availability of the system.
Communication transmissiona)   Verification technology or password technology shall be adopted to ensure the integrity of data in the communication process;
b)Password technology shall be adopted to ensure the confidentiality of data in the communication process.
Trusted AuthenticationThe system boot program, system program, important configuration parameters and communication application program of the communication equipment can be trusted based on the trusted root, and the dynamic trusted verification can be carried out in the key execution links of the application program. After detecting that its credibility is damaged, the alarm will be given, and the verification results will be formed into audit records and sent to the security management center.
Security Zone BoundariesBoundary protectiona)   The access and data flow across the boundary shall be ensured to communicate through the controlled interface provided by the boundary equipment;
b)   It shall be able to check or restrict the unauthorized equipment’s private connection to the internal network;
c)   It shall be able to check or restrict the unauthorized connection of internal users to the external network;
d)The use of wireless network shall be limited to ensure that the wireless network is connected to the internal network through controlled boundary equipment.
Access controla)   Access control rules shall be set between network boundaries or areas according to the access control policy. By default, the controlled interface rejects all communication except allowing communication;
b)   Redundant or invalid access control rules shall be deleted, the access control list shall be optimized, and the number of access control rules shall be minimized;
c)   The source address, destination address, source port, destination port and Protocol shall be checked to allow / deny the access of data packets;
d)   It shall be able to provide explicit permission / denial of access for incoming and outgoing data streams according to session state information;
e)Access control based on application protocol and application content shall be realized for data flow in and out of the network.
Intrusion preventiona)   Network attacks initiated from outside shall be detected, prevented or restricted at key network nodes;
b)   Network attacks initiated internally shall be detected, prevented or restricted at key network nodes;
c)Technical measures should be taken to analyze network behavior to realize the analysis of network attack, especially new network attack behavior;
d)When an attack is detected, record the attack source IP, attack type, attack target and attack time, and provide an alarm in case of serious intrusion event.
Malicious code and spam preventiona)   Malicious code shall be detected and cleared at key network nodes, and the upgrade and update of malicious code protection mechanism shall be maintained;
b)Spam shall be detected and protected at key network nodes, and the upgrade and update of spam protection mechanism shall be maintained.
security audita) Security audit shall be conducted at the network boundary and important network nodes, covering each user, and auditing important user behaviors and important security events;
b) The audit record shall include the date and time of the event, user, event type, success of the event and other audit related information;
c) Audit records shall be protected and backed up regularly to avoid unexpected deletion, modification or overwrite;
d)It shall be able to conduct behavior audit and data analysis separately for user behavior of remote access and user behavior of accessing the Internet.
Trusted AuthenticationBased on the trusted root, the system boot program, system program, important configuration parameters and boundary protection application program of the boundary equipment can be trusted verified, and the dynamic trusted verification can be carried out in the key execution links of the application program. After detecting that its credibility is damaged, an alarm will be reported, and the verification results will be formed into an audit record and sent to the security management center.
Secure Computing EnvironmentAuthenticationa) The logged in user shall be identified and authenticated. The identity identification shall be unique, and the identity authentication information shall have complexity requirements and be changed regularly;
b)   It shall have login failure processing function, and shall configure and enable relevant measures such as ending session, limiting illegal login times and automatic exit when login connection times out;
c)   In case of remote management, necessary measures shall be taken to prevent the authentication information from being eavesdropped in the process of network transmission;
d)Two or more combination authentication technologies such as password, password technology and biotechnology shall be used to authenticate the user’s identity, and at least one authentication technology shall be realized by password technology.
Access controla)   Account and authority shall be assigned to the logged in user;
b)   The default account shall be renamed or deleted, and the default password of the default account shall be modified;
c)   Redundant and expired accounts shall be deleted or deactivated in time to avoid the existence of shared accounts;
d)   The minimum authority required by the management user shall be granted to realize the separation of authority of the management user;
e)   The authorized subject shall configure the access control policy, which specifies the access rules of the subject to the object;
f)   The granularity of access control should reach the user level or process level for the subject, and the file and database table level for the object;
g)Security marks shall be set for important subjects and objects, and the access of subjects to information resources with security marks shall be controlled.
Security audita)   The security audit function shall be enabled to cover each user and audit important user behaviors and important security events;
b)   The audit record shall include the date and time of the event, user, event type, success of the event and other audit related information;
c)   Audit records shall be protected and backed up regularly to avoid unexpected deletion, modification or overwrite;
The audit process should be protected against unauthorized interruption.
Intrusion preventiona)   The principle of minimum installation shall be followed, and only required components and applications shall be installed;
b)   Unnecessary system services, default shares and high-risk ports shall be closed;
c)   The management terminal managed through the network shall be limited by setting the terminal access mode or network address range;
d)   Data validity inspection function shall be provided to ensure that the contents input through man-machine interface or communication interface meet the system setting requirements;
e)   It shall be able to find possible known vulnerabilities and repair them in time after full test and evaluation;
f)It shall be able to detect the intrusion on important nodes and provide alarm in case of serious intrusion events.
Malicious code preventionTechnical measures against malicious code attacks or active immune trusted verification mechanism shall be adopted to timely identify intrusion and virus behaviors and effectively block them.
Trusted AuthenticationBased on the trusted root, the system boot program, system program, important configuration parameters and application program of the computing device can be trusted verified, and the dynamic trusted verification can be carried out in the key execution links of the application program. After detecting that its credibility is damaged, the alarm will be given, and the verification results will be formed into an audit record and sent to the security management center.
Data Integritya)   Verification technology or password technology shall be adopted to ensure the integrity of important data in the transmission process, including but not limited to identification data, important business data, important audit data, important configuration data, important video data and important personal information;
b) Verification technology or password technology shall be adopted to ensure the integrity of important data in the storage process, including but not limited to identification data, important business data, important audit data, important configuration data, important video data and important personal information.
Data confidentialitya)   Password technology shall be adopted to ensure the confidentiality of important data during transmission, including but not limited to identification data, important business data and important personal information;
b)Password technology shall be adopted to ensure the confidentiality of important data during storage, including but not limited to identification data, important business data and important personal information.
Data backup recoverya)   Local data backup and recovery of important data shall be provided;
b)   Remote real-time backup function shall be provided to backup important data to the backup site in real time by using communication network;
c)Thermal redundancy of important data processing system shall be provided to ensure high availability of the system.
Remaining Information Protectiona) Ensure that the storage space where the authentication information is located is completely cleared before being released or reallocated;
b) It shall be ensured that the storage space containing sensitive data is completely cleared before being released or reallocated.
Personal Information Protectiona)   Only the user’s personal information necessary for business shall be collected and saved;
b)Unauthorized access and illegal use of users’ personal information shall be prohibited.
Security Management Center
  System management
    a) The system administrator shall be authenticated, only allowed to carry out system management operations through specific commands or operation interfaces, and these operations shall be audited;
    b) The system administrator shall configure, control and manage system resources and operation, including user identity, system resource configuration, system loading and startup, exception handling of system operation, backup and recovery of data and equipment, etc.
  Audit management
    a) The audit administrator shall be authenticated, only allowed to conduct security audit operations through specific commands or operation interfaces, and these operations shall be audited;
    b) The audit administrator shall analyze the audit records and process them according to the analysis results, including the storage, management and query of audit records according to the security audit policy.
  Security management
    a) The security administrator shall be authenticated, only allowed to perform security management operations through specific commands or operation interfaces, and these operations shall be audited;
    b) Security policies in the system shall be configured through the security administrator, including the setting of security parameters, unified security marking of subjects and objects, authorization of subjects, configuration of trusted authentication policies, etc.
  Centralized control
    a) Specific management areas shall be divided off to control the security equipment or security components distributed in the network;
    b) It shall be possible to establish a secure information transmission path to manage the security equipment or security components in the network;
    c) The operation status of network links, security equipment, network equipment and servers shall be monitored centrally;
    d) The audit data scattered across each piece of equipment shall be collected, summarized and centrally analyzed, and the retention time of audit records shall meet the requirements of laws and regulations;
    e) Security policies, malicious code prevention, patch upgrades and other security related matters shall be managed centrally;
    f) It shall be possible to identify, alarm on and analyze various security events in the network.
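The Security Management Center controls above (audit management item b, centralized control items d and f) require that audit records from every device are collected into one place, can be queried by the audit administrator, are retained for the legally required period, and are turned into alarms. The following Python script is an added example, not part of the MLPS text or of any product: it normalizes constructed audit lines from three devices into one store, offers a query interface, checks how far back the store reaches against a configurable floor, and raises two alarms that no single device could produce on its own. The device names, log formats, the 180-day floor and the detection thresholds are assumptions.

```python
"""Centralized collection and analysis of audit data (added example for the
Security Management Center controls; not from the MLPS text or any product).
All device names, log formats and events below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed audit lines from three devices, each in its own native format:
# a firewall (syslog-like text), a Linux host (sshd messages) and a switch
# (key=value records). The January line exists only so the retention check
# has a measurable history.
RAW_AUDIT_LINES = [
    ("fw-01",  "2024-01-03T08:15:02Z DENY src=10.0.5.12 dst=10.0.1.4 dport=445"),
    ("fw-01",  "2024-06-20T09:02:11Z DENY src=10.0.5.12 dst=10.0.1.4 dport=445"),
    ("srv-01", "2024-06-20T09:03:40Z sshd: Failed password for root from 10.0.5.12"),
    ("srv-01", "2024-06-20T09:03:44Z sshd: Failed password for root from 10.0.5.12"),
    ("srv-01", "2024-06-20T09:03:47Z sshd: Failed password for root from 10.0.5.12"),
    ("srv-01", "2024-06-20T09:03:49Z sshd: Accepted publickey for ops from 10.0.0.8"),
    ("sw-01",  "ts=2024-06-20T09:05:00Z event=config_change user=admin line=vty0"),
]
# Constructed "current time" used by the retention check.
NOW = datetime(2024, 6, 21, 12, 0, tzinfo=timezone.utc)

@dataclass(frozen=True)
class AuditRecord:
    device: str
    ts: datetime
    event: str
    src: str    # source address when the line carries one, else ""
    raw: str    # original line kept unchanged as evidence

_TS = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")
_SRC = re.compile(r"(?:src=|from )(\d+\.\d+\.\d+\.\d+)")

def normalize(device: str, line: str) -> AuditRecord:
    """Map one native line onto the common schema; lines without a timestamp are refused."""
    m = _TS.search(line)
    if not m:
        raise ValueError(f"no timestamp in audit line from {device}: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if " DENY " in line:
        event = "firewall_deny"
    elif "Failed password" in line:
        event = "auth_failure"
    elif "Accepted " in line:
        event = "auth_success"
    elif "event=config_change" in line:
        event = "config_change"
    else:
        event = "other"
    s = _SRC.search(line)
    return AuditRecord(device, ts, event, s.group(1) if s else "", line)

def collect(lines=RAW_AUDIT_LINES) -> list:
    """Gather every device's records into one time-ordered central store."""
    return sorted((normalize(d, l) for d, l in lines), key=lambda r: r.ts)

def query(records, *, device=None, event=None, since=None) -> list:
    """Query interface for the audit administrator (Audit management, item b)."""
    return [r for r in records
            if (device is None or r.device == device)
            and (event is None or r.event == event)
            and (since is None or r.ts >= since)]

def retention_shortfall(records, now=NOW, min_days=180) -> int:
    """Days by which the store's oldest record falls short of min_days back from now.
    Assumption: 180 days is used as the floor (the Cybersecurity Law, Article 21,
    requires network logs to be kept for at least six months). 0 means satisfied."""
    oldest = min(r.ts for r in records)
    return max(0, min_days - (now - oldest).days)

def detect_alarms(records, window=timedelta(seconds=60), threshold=3) -> list:
    """Two rules that only work on centralized data:
    1. `threshold` authentication failures from one source within `window`;
    2. a source that was denied at the firewall and also fails authentication on a host."""
    alarms = []
    failures = defaultdict(list)
    for r in records:
        if r.event == "auth_failure" and r.src:
            failures[r.src].append(r.ts)
    for src, times in failures.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alarms.append(("auth_failure_burst", src))
    denied = {r.src for r in records if r.event == "firewall_deny" and r.src}
    for src in sorted(denied & set(failures)):
        alarms.append(("denied_and_auth_failure", src))
    return alarms
```

The second rule is the point of item d: the firewall sees only denies and the host sees only failed logins; only the central store can tie the two to one source. The retention check measures how far back the store reaches, which is a proxy: a store that is simply young will also report a shortfall, so the number should be read together with the system's commissioning date.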
Security Management System
  Security policy
    The overall policy and security strategy for network security work shall be formulated, and the overall objectives, scope, principles and security framework of the organization's security work shall be clarified.
  Management system
    a) A security management system shall be established for the various management contents of security management activities;
    b) Operating procedures shall be established for the daily management operations performed by managers or operators;
    c) A comprehensive security management system composed of security strategy, management system, operating procedures, record forms, etc. shall be formed.
  Development and release
    a) Special departments or personnel shall be designated or authorized to be responsible for the formulation of the security management system;
    b) The security management system shall be issued in a formal and effective manner and be subject to version control.
  Review and revision
    The rationality and applicability of the security management system shall be demonstrated and reviewed regularly, and the security management system that has deficiencies or needs improvement shall be revised.
Security Administration
  Job settings
    a) A committee or leading group shall be established to guide and manage network security work, and its top leader shall be assumed by or authorized by the competent leader of the unit;
    b) A functional department for network security management shall be established, the posts of security supervisor and persons in charge of all aspects of security management shall be established, and the responsibilities of each person in charge shall be defined;
    c) Posts such as system administrator, audit administrator and security administrator shall be established, and the responsibilities of departments and the various posts shall be defined.
  Staffing
    a) A certain number of system administrators, audit administrators and security administrators shall be provided;
    b) A full-time security administrator shall be provided, not as a concurrent post.
  Authorization and approval
    a) The items subject to authorization and approval, the approving departments and the approvers shall be defined according to the responsibilities of each department and post;
    b) Approval procedures shall be established for system changes, important operations, physical access and system access, the approval process shall be implemented according to the approval procedures, and a level-by-level approval system shall be established for important activities;
    c) The approval items shall be reviewed regularly, and information such as the items to be authorized and approved, the approving departments and the approvers shall be updated in time.
  Communication and collaboration
    a) Cooperation and communication among the various managers, internal organizations and the network security management department shall be strengthened, and coordination meetings shall be held regularly to jointly deal with network security issues;
    b) Cooperation and communication with network security functional departments, various suppliers, industry experts and security organizations shall be strengthened;
    c) A contact list of external units shall be established, including the name of the external unit, cooperation content, contact person, contact information and other information.
  Audit and inspection
    a) Routine security inspections shall be carried out regularly, including the daily operation of the system, system vulnerabilities and data backup;
    b) Comprehensive security inspections shall be conducted regularly, including the effectiveness of existing security technical measures, the consistency of security configuration with security strategy, the implementation of the security management system, etc.;
    c) A security inspection form shall be prepared to implement security inspections, summarize security inspection data, form a security inspection report, and report the security inspection results.
Security Management Personnel
  Employment
    a) Special departments or personnel shall be designated or authorized to be responsible for personnel recruitment;
    b) The identity, security background, and professional qualifications or credentials of the employed personnel shall be reviewed, and their technical skills shall be assessed;
    c) A confidentiality agreement shall be signed with the employed personnel, and a post responsibility agreement shall be signed with personnel in key positions.
  Personnel leaving their posts
    a) All access rights of personnel leaving their posts shall be terminated in time, and various ID cards, keys, badges, etc., as well as the software and hardware equipment provided by the organization, shall be retrieved;
    b) Strict hand-over procedures shall be followed, and a commitment to the confidentiality obligation after leaving shall be given before departure.
  Security awareness education and training
    a) Security awareness education and job skill training shall be carried out for all kinds of personnel, and the relevant security responsibilities and disciplinary measures shall be made known;
    b) Different training plans shall be formulated for different posts to train basic security knowledge and post operating procedures;
    c) Skill assessments shall be conducted regularly for personnel in different positions.
  External personnel access management
    a) A written application shall be submitted before external personnel physically access the controlled area; after approval, a specially assigned person shall accompany them throughout and register the visit for the record;
    b) A written application shall be submitted before external personnel access the controlled network access system; after approval, a specially assigned person shall open an account, assign permissions and register it for the record;
    c) All access rights of external personnel shall be cleared in time after they leave the site;
    d) External personnel authorized to access the system shall sign a confidentiality agreement and shall not carry out unauthorized operations or copy or disclose any sensitive information.
Security Construction Management
  Grading and filing
    a) The security protection level of the protected object, and the method and reasons for determining the level, shall be explained in writing;
    b) Relevant departments and security technical experts shall be organized to demonstrate and review the rationality and correctness of the grading results;
    c) Ensure that the grading results are approved by the relevant departments;
    d) The filing materials shall be reported to the competent department and the corresponding public security organ for filing.
  Security scheme design
    a) Basic security measures shall be selected according to the security protection level, and the security measures shall be supplemented and adjusted according to the results of risk analysis;
    b) Overall security planning and security scheme design shall be carried out according to the security protection level of the protected object and its relationship with other protected objects; the design content shall include the content related to cryptographic technology and form supporting documents;
    c) Relevant departments and security experts shall be organized to demonstrate and review the rationality and correctness of the overall security plan and its supporting documents, which can be formally implemented only after approval.
  Product procurement and use
    a) Ensure that the procurement and use of network security products comply with relevant national regulations;
    b) Ensure that the procurement and use of cryptographic products and services meet the requirements of the competent national cryptography administration department;
    c) Type selection tests shall be conducted for products in advance to determine the candidate range of products, and the list of candidate products shall be reviewed and updated regularly.
  Self-developed software
    a) The development environment shall be physically separated from the actual operating environment, and test data and test results shall be controlled;
    b) A software development management system shall be formulated to clearly describe the control methods and the personnel code of conduct in the development process;
    c) A secure coding specification shall be formulated, and developers shall be required to write code according to the specification;
    d) Relevant software design documents and usage guidelines shall be available, and the use of the documents shall be controlled;
    e) It shall be ensured that security is tested during software development and that possible malicious code is detected before software installation;
    f) The modification, update and release of the program resource library shall be authorized and approved, and versions shall be strictly controlled;
    g) It shall be ensured that developers are full-time personnel and that their development activities are controlled, monitored and reviewed.
  Outsourced software development
    a) Possible malicious code shall be detected before software delivery;
    b) Ensure that the development unit provides software design documents and usage guidelines;
    c) Ensure that the development unit provides the software source code, and review the software for possible backdoors and covert channels.
  Project implementation
    a) Special departments or personnel shall be designated or authorized to be responsible for managing the project implementation process;
    b) A security project implementation plan shall be formulated to control the project implementation process;
    c) The project implementation process shall be controlled through a third-party engineering supervisor.
  Test and acceptance
    a) A test and acceptance scheme shall be formulated, test and acceptance shall be implemented according to the scheme, and a test and acceptance report shall be produced;
    b) Security testing shall be carried out before going online and a security test report shall be issued; the security test report shall include the relevant content of the cryptographic application security test.
  System delivery
    a) A delivery list shall be prepared, and the delivered equipment, software and documents shall be counted according to the delivery list;
    b) Corresponding skill training shall be conducted for the technicians responsible for operation and maintenance;
    c) Construction process documents and operation and maintenance documents shall be provided.
  Grade evaluation
    a) Grade evaluation shall be carried out regularly, and if it is found that the requirements of the corresponding level protection standards are not met, rectification shall be made in time;
    b) Grade evaluation shall be conducted in case of major changes or a change of grade;
    c) Ensure that the selection of evaluation institutions complies with relevant national regulations.
  Service provider selection
    a) Ensure that the selection of service providers complies with relevant national regulations;
    b) Relevant agreements shall be signed with the selected service providers to clarify the network security related obligations to be performed by all parties in the whole service supply chain;
    c) The services provided by the service provider shall be supervised, reviewed and audited regularly, and changes to its service content shall be controlled.
Security Operation and Maintenance Management
  Environmental management
    a) Special departments or personnel shall be designated to be responsible for the security of the machine room, manage access to the machine room, and regularly maintain and manage the power supply and distribution, air conditioning, temperature and humidity control, fire control and other facilities of the machine room;
    b) A machine room security management system shall be established to provide for the management of physical access, the entry and exit of goods, and environmental security;
    c) Visitors shall not be received in important areas, and paper files and removable media containing sensitive information shall not be left lying around.
  Asset management
    a) A list of assets related to the protected objects shall be prepared and maintained, including the department responsible for each asset, its importance and its location;
    b) Assets shall be labelled and managed according to their importance, and corresponding management measures shall be selected according to the value of the assets;
    c) Information classification and labelling methods shall be specified, and the use, transmission and storage of information shall be standardized.
  Media management
    a) Media shall be stored in a secure environment, the various media shall be controlled and protected, the storage environment shall be managed by a specially assigned person, and inventories shall be taken regularly according to the catalog of archived media;
    b) The selection of personnel, packaging and delivery of media during physical transport shall be controlled, and the archiving and retrieval of media shall be registered.
  Equipment maintenance management
    a) Special departments or personnel shall be designated to regularly maintain and manage all kinds of equipment (including backup and redundant equipment), lines, etc.;
    b) A management system for the maintenance of supporting facilities, software and hardware shall be established to manage maintenance effectively, including clarifying the responsibilities of maintenance personnel, approval of maintenance and service, supervision and control of the maintenance process, etc.;
    c) Information processing equipment may only be taken out of the machine room or office after approval; when equipment containing storage media is taken out of the working environment, important data shall be encrypted;
    d) Before equipment containing storage media is scrapped or reused, it shall be completely wiped or securely overwritten to ensure that the sensitive data and licensed software on the equipment cannot be recovered and reused.
  Vulnerability and risk management
    a) Necessary measures shall be taken to identify security vulnerabilities and hidden dangers, and the discovered security vulnerabilities and hidden dangers shall be repaired in time, or repaired after assessing their possible impact;
    b) Security evaluations shall be carried out regularly, security evaluation reports shall be produced, and measures shall be taken to deal with the security problems found.
  Network and system security management
    a) Different administrator roles shall be divided for network and system operation and maintenance management, and the responsibilities and authorities of each role shall be clarified;
    b) Special departments or personnel shall be designated for account management to control account application, account establishment, account deletion, etc.;
    c) A network and system security management system shall be established to specify the security strategy, account management, configuration management, log management, daily operation, upgrades and patches, password update cycle, etc.;
    d) Configuration and operation manuals for important equipment shall be formulated, and the equipment shall be securely configured and optimized according to the manuals;
    e) Operation and maintenance logs shall be recorded in detail, including daily patrol inspections, operation and maintenance records, parameter settings and modifications, etc.;
    f) Special departments or personnel shall be designated to analyze and compile statistics on logs, monitoring and alarm data, so as to find suspicious behavior in time;
    g) Operation and maintenance that involves changes shall be strictly controlled; connections, installation of system components or adjustment of configuration parameters may be changed only after approval, an unalterable audit log shall be kept during the operation, and the configuration information database shall be updated synchronously after the operation;
    h) The use of operation and maintenance tools shall be strictly controlled, and access for operation shall be allowed only after approval; an unalterable audit log shall be kept during the operation, and sensitive data in the tools shall be deleted after the operation;
    i) The opening of remote operation and maintenance shall be strictly controlled, and remote operation and maintenance interfaces or channels may be opened only after approval; an unalterable audit log shall be kept during the operation, and the interface or channel shall be closed immediately after the operation;
    j) Ensure that all external connections are authorized and approved, and regularly check for unauthorized wireless internet access and other violations of network security policies.
  Malicious code prevention management
    a) The anti-malicious-code awareness of all users shall be improved, and external computers or storage devices shall be checked for malicious code before being connected to the system;
    b) The effectiveness of technical measures to prevent malicious code attacks shall be verified regularly.
  Configuration management
    a) Basic configuration information shall be recorded and saved, including the network topology, the software components installed on each device, the version and patch information of the software components, the configuration parameters of each device or software component, etc.;
    b) Changes to basic configuration information shall be included in the scope of change management, control of configuration information changes shall be implemented, and the basic configuration information database shall be updated in time.
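The configuration management control point above asks for two things that are easy to state and hard to keep true: a recorded baseline of components, versions, patches and parameters per device, and a change process such that every difference between that baseline and what is actually running is either an approved change or drift to be rolled back. The following Python script is an added example, not part of the MLPS text or of any product: it compares a constructed baseline with a constructed current inventory, separates approved changes (those named in a change ticket) from unapproved drift, and updates a copy of the configuration database for the approved changes only. The hostnames, component versions, patch identifiers and ticket format are assumptions.

```python
"""Configuration baseline and drift detection (added example for the
'Configuration management' control point; not from the MLPS text or any product).
The inventories and change tickets below are constructed sample data."""
import copy
from dataclasses import dataclass

@dataclass
class DeviceConfig:
    """The basic configuration information item a) asks to record for one device."""
    hostname: str
    components: dict      # software component -> version
    patches: frozenset    # installed patch identifiers
    params: dict          # security-relevant configuration parameters

# Constructed baseline: what the configuration information database says is approved.
BASELINE = {
    "srv-01": DeviceConfig("srv-01", {"openssh": "9.6p1", "nginx": "1.24.0"},
                           frozenset({"KB-2024-01", "KB-2024-02"}),
                           {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no"}),
    "fw-01": DeviceConfig("fw-01", {"fw-os": "7.2.1"}, frozenset({"FW-2024-03"}),
                          {"mgmt.https_only": "yes"}),
}
# Constructed current state as collected from the devices: srv-01 had nginx
# upgraded and root login re-enabled, fw-01 lost a patch, and a new host appeared.
CURRENT = {
    "srv-01": DeviceConfig("srv-01", {"openssh": "9.6p1", "nginx": "1.25.3"},
                           frozenset({"KB-2024-01", "KB-2024-02"}),
                           {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no"}),
    "fw-01": DeviceConfig("fw-01", {"fw-os": "7.2.1"}, frozenset(),
                          {"mgmt.https_only": "yes"}),
    "srv-02": DeviceConfig("srv-02", {"openssh": "9.6p1"}, frozenset(), {}),
}
# Constructed change register: approved ticket -> (host, item kind, item).
APPROVED_CHANGES = {"CHG-1001": ("srv-01", "component", "nginx")}

def diff_device(host, base, cur):
    """Every difference between baseline and current state for one device,
    as (host, kind, item, baseline_value, current_value)."""
    out = []
    for name in sorted(set(base.components) | set(cur.components)):
        if base.components.get(name) != cur.components.get(name):
            out.append((host, "component", name, base.components.get(name), cur.components.get(name)))
    for p in sorted(base.patches - cur.patches):
        out.append((host, "patch", p, "installed", "missing"))
    for p in sorted(cur.patches - base.patches):
        out.append((host, "patch", p, "absent", "installed"))
    for k in sorted(set(base.params) | set(cur.params)):
        if base.params.get(k) != cur.params.get(k):
            out.append((host, "param", k, base.params.get(k), cur.params.get(k)))
    return out

def detect_drift(baseline=BASELINE, current=CURRENT, approved=APPROVED_CHANGES):
    """Split differences into (approved, unapproved). A difference is approved only
    when a change ticket names that host, kind and item (item b: changes to
    configuration information go through change control); anything else is drift
    to be rolled back or put through the change process."""
    covered = set(approved.values())
    approved_out, unapproved = [], []
    for host in sorted(set(baseline) | set(current)):
        if host not in baseline:
            unapproved.append((host, "device", host, None, "unregistered"))
        elif host not in current:
            unapproved.append((host, "device", host, "registered", None))
        else:
            for d in diff_device(host, baseline[host], current[host]):
                (approved_out if d[:3] in covered else unapproved).append(d)
    return approved_out, unapproved

def apply_approved(baseline, approved_out):
    """Return an updated copy of the configuration database reflecting only the
    approved changes, so the database stays current (item b) without absorbing drift."""
    updated = copy.deepcopy(baseline)
    for host, kind, item, _old, new in approved_out:
        dev = updated[host]
        if kind == "component":
            dev.components[item] = new
        elif kind == "param":
            dev.params[item] = new
        elif kind == "patch":
            dev.patches = dev.patches | {item} if new == "installed" else dev.patches - {item}
    return updated
```

Run on the constructed data, the approved nginx upgrade is the only change absorbed into the database; the missing firewall patch, the re-enabled root login and the unregistered host remain flagged until they are either reverted or covered by a ticket, which is what keeps the "basic configuration information database" from silently drifting into whatever the devices happen to run.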
  Cryptography management
    a) Relevant national and industry standards for cryptography shall be complied with;
    b) Cryptographic technologies and products certified and approved by the competent national cryptography administration department shall be used.
  Change management
    a) Change requirements shall be specified; before a change, a change plan shall be formulated according to the change requirements, and the change plan may be implemented only after review and approval;
    b) Change declaration and approval control procedures shall be established, all changes shall be controlled according to the procedures, and the change implementation process shall be recorded;
    c) Procedures for suspending changes and recovering from failed changes shall be established, process control methods and personnel responsibilities shall be defined, and the recovery process shall be rehearsed if necessary.
  Backup and recovery management
    a) Important business information, system data and software systems that need to be backed up regularly shall be identified;
    b) The backup method, backup frequency, storage medium, retention period, etc. of the backup information shall be specified;
    c) According to the importance of the data and its impact on system operation, data backup and recovery strategies, backup and recovery procedures, etc. shall be formulated.
  Security incident handling
    a) Security weaknesses and suspicious events found shall be reported to the security management department in time;
    b) A security incident reporting and handling management system shall be formulated to clarify the reporting, handling and response processes for different security incidents, and to specify the management responsibilities for on-site handling, incident reporting and subsequent recovery of security incidents;
    c) In the process of security incident reporting and response, the causes of the incident shall be analyzed and identified, evidence collected, the handling process recorded, and experience and lessons summarized;
    d) Different handling procedures and reporting procedures shall be adopted for major security incidents that cause system interruption or information leakage.
  Emergency plan management
    a) A unified emergency plan framework shall be specified, including the conditions for activating the plan, the composition of the emergency organization, the guarantee of emergency resources, post-incident education and training, etc.;
    b) Emergency plans for important incidents shall be formulated, including the emergency handling process, system recovery process, etc.;
    c) Personnel related to the system shall be regularly trained in the emergency plan, and the emergency plan shall be rehearsed regularly;
    d) The original emergency plan shall be reassessed, revised and improved regularly.
  Outsourced operation and maintenance management
    a) Ensure that the selection of outsourced operation and maintenance service providers complies with relevant national regulations;
    b) Relevant agreements shall be signed with the selected outsourced operation and maintenance service provider to clearly stipulate the scope and work content of the outsourced operation and maintenance;
    c) Ensure that the selected outsourced operation and maintenance service provider has the technical and management capability to carry out secure operation and maintenance in accordance with the level protection requirements, and specify the capability requirements in the signed agreement;
    d) All relevant security requirements shall be specified in the agreement signed with the outsourced operation and maintenance service provider, such as requirements for the access, processing and storage of sensitive information that may be involved, emergency support requirements for service interruption of the IT infrastructure, etc.
Cloud computing security extension requirements
  Secure physical environment
    Infrastructure location
      It shall be ensured that the cloud computing infrastructure is located in China.
  Secure communication network
    Network architecture
      a) Ensure that the cloud computing platform does not host business application systems of a higher security protection level than its own;
      b) Isolation between the virtual networks of different cloud service customers shall be realized;
      c) It shall have the ability to provide security mechanisms such as communication transmission, boundary protection and intrusion prevention according to the business needs of cloud service customers;
      d) It shall have the ability to let cloud service customers independently set security policies according to their business needs, including defining access paths, selecting security components and configuring security policies;
      e) Open interfaces or open security services shall be provided so that cloud service customers can integrate third-party security products or select third-party security services on the cloud computing platform.
  Secure zone boundary
    Access control
      a) Access control mechanisms shall be deployed at the virtualized network boundary, and access control rules shall be set;
      b) Access control mechanisms shall be deployed at the boundaries between network areas of different levels, and access control rules shall be set.
    Intrusion prevention
      a) It shall be possible to detect network attacks initiated by cloud service customers, and to record the attack type, attack time, attack traffic, etc.;
      b) It shall be possible to detect network attacks on virtual network nodes, and to record the attack type, attack time, attack traffic, etc.;
      c) It shall be possible to detect abnormal traffic between virtual machines and hosts, and between virtual machines;
      d) An alarm shall be raised when network attacks or abnormal traffic are detected.
    Security audit
      a) The privileged commands executed by cloud service providers and cloud service customers during remote management shall be audited, including at least virtual machine deletion and virtual machine restart;
      b) It shall be ensured that the cloud service provider's operations on the cloud service customer's systems and data can be audited by the cloud service customer.
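The cloud security audit control point above (audit privileged commands such as virtual machine deletion and restart; let the customer audit the provider's operations) and the "unalterable audit log" wording of the network and system security management items g) to i) both come down to one property: a record, once written, must not be silently editable or removable by the party that wrote it. The following Python script is an added example, not part of the MLPS text or of any cloud platform: it keeps privileged operations in a hash chain where every record carries the hash of its predecessor, exports the chain in a form a customer can verify independently, and filters out the provider's operations on that customer's resources. The actor names, VM identifiers, the set of audited operations and the record format are assumptions.

```python
"""Tamper-evident log of privileged remote-management operations (added example
for the cloud 'Security audit' control point and for the unalterable audit logs
the operation and maintenance controls require; not from the MLPS text or any
platform). Actors, VM identifiers and the record format are constructed."""
import hashlib
import json

GENESIS = "0" * 64   # hash value the first record chains to

def _digest(prev_hash: str, entry: dict) -> str:
    """Hash of one record bound to its predecessor's hash. Canonical JSON (sorted
    keys, no whitespace) so the same record always hashes the same way."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

class PrivilegedOpLog:
    """Append-only chain: every record carries the hash of the one before it, so
    editing or removing any record breaks every hash after it."""
    AUDITED = {"vm.delete", "vm.restart", "vm.snapshot.delete", "volume.detach"}
    ROLES = {"cloud_service_provider", "cloud_service_customer"}

    def __init__(self):
        self.entries = []   # list of (record_dict, hash)

    def record(self, actor: str, role: str, op: str, target: str, ts: str) -> str:
        if op not in self.AUDITED:
            raise ValueError(f"{op!r} is not an audited privileged operation")
        if role not in self.ROLES:
            raise ValueError(f"unknown role {role!r}")
        prev = self.entries[-1][1] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "actor": actor, "role": role,
                 "op": op, "target": target, "ts": ts, "prev": prev}
        digest = _digest(prev, entry)
        self.entries.append((entry, digest))
        return digest

    def export(self) -> list:
        """Hand-over format given to the customer: each record plus its hash."""
        return [dict(entry, hash=digest) for entry, digest in self.entries]

def verify_chain(exported: list):
    """Recompute every hash from GENESIS; returns (ok, index of first bad record or -1)."""
    prev = GENESIS
    for i, rec in enumerate(exported):
        rec = dict(rec)
        digest = rec.pop("hash", None)
        if rec.get("prev") != prev or rec.get("seq") != i or _digest(prev, rec) != digest:
            return False, i
        prev = digest
    return True, -1

def provider_actions_on(exported: list, tenant_prefix: str) -> list:
    """What the customer inspects (item b): every provider operation on its resources."""
    return [r for r in exported
            if r["role"] == "cloud_service_provider" and r["target"].startswith(tenant_prefix)]

def demo_log() -> list:
    """Constructed sequence of operations from the provider's and a customer's side."""
    log = PrivilegedOpLog()
    log.record("ops-alice", "cloud_service_provider", "vm.restart", "tenant-a/vm-07", "2024-06-20T09:05:00Z")
    log.record("tenant-a-admin", "cloud_service_customer", "vm.delete", "tenant-a/vm-03", "2024-06-20T09:10:00Z")
    log.record("ops-bob", "cloud_service_provider", "vm.delete", "tenant-b/vm-11", "2024-06-20T09:12:00Z")
    return log.export()
```

One caveat matters for the "unalterable" requirement: a hash chain detects edits and removals in the middle, but cutting off the newest records leaves a chain that still verifies. That is why the customer should receive the latest hash (or the whole export) on a schedule it controls, so that a later, shorter export can be compared against what it already holds.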
  Secure computing environment
    Authentication
      When devices in the cloud computing platform are managed remotely, a two-way authentication mechanism shall be established between the management terminal and the cloud computing platform.
    Access control
      a) Ensure that when a virtual machine is migrated, its access control policy is migrated with it;
      b) Cloud service customers shall be allowed to set access control policies between different virtual machines.
    Intrusion prevention
      a) It shall be possible to detect failures of resource isolation between virtual machines and raise an alarm;
      b) It shall be possible to detect unauthorized newly created or re-enabled virtual machines and raise an alarm;
      c) It shall be possible to detect malicious code infection and spread among virtual machines and raise an alarm.
    Image and snapshot protection
      a) Hardened operating system images or operating system security hardening services shall be provided for important business systems;
      b) Integrity verification of virtual machine images and snapshots shall be provided to prevent malicious tampering with virtual machine images;
      c) Cryptographic technology or other technical means shall be adopted to prevent sensitive resources that may exist in virtual machine images and snapshots from being accessed illegally.
    Data integrity and confidentiality
      a) It shall be ensured that cloud service customer data and user personal information are stored in China; if they need to leave the country, relevant national regulations shall be complied with;
      b) It shall be ensured that the cloud service provider or a third party has management authority over cloud service customer data only with the authorization of the cloud service customer;
      c) Check codes or cryptographic technology shall be used to ensure the integrity of important data during virtual machine migration, and necessary recovery measures shall be taken when damage to integrity is detected;
      d) Cloud service customers shall be supported in deploying key management solutions so that they can perform data encryption and decryption by themselves.
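The image and snapshot protection item b) and the data integrity item c) above both ask for integrity verification of large disk data, and item c) adds that recovery must follow when damage is detected. The following Python script is an added example, not part of the MLPS text or of any cloud platform: it builds a manifest of per-chunk SHA-256 digests for a virtual machine image, authenticates the manifest with an HMAC under a key the image store does not hold, verifies a received copy after migration, and re-copies only the damaged chunks. The image bytes, the chunk size, the manifest layout and the way the key is obtained are assumptions; a real deployment would take the key from the customer's key management solution (item d).

```python
"""Integrity verification for virtual machine images, snapshots and migrated
data (added example for the 'Image and snapshot protection' and 'Data integrity
and confidentiality' control points; not from the MLPS text or any platform).
The image bytes, manifest format and key handling are constructed assumptions."""
import hashlib
import hmac
import json
import secrets

CHUNK = 4   # tiny on purpose so the constructed 32-byte image splits into 8 readable chunks
IMAGE = b"MLPS-image-v1:boot:kernel:rootfs"   # constructed stand-in for a disk image
# Assumption: the MAC key comes from the customer's key management solution
# (item d), not from the image store that holds the images.
KEY = secrets.token_bytes(32)

def chunk_digests(data: bytes) -> list:
    """SHA-256 per chunk, so a damaged transfer can name the chunks to resend."""
    return [hashlib.sha256(data[i:i + CHUNK]).hexdigest() for i in range(0, len(data), CHUNK)]

def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def make_manifest(name: str, data: bytes, key: bytes) -> dict:
    """Manifest = name, size, chunk hashes and an HMAC over all of them. A bare
    hash list can be rewritten together with a tampered image; the HMAC cannot
    be recomputed without the key."""
    body = {"name": name, "size": len(data), "chunks": chunk_digests(data)}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body

def verify_image(data: bytes, manifest: dict, key: bytes):
    """Returns (ok, bad_chunk_indexes). The manifest is authenticated first; if it
    fails, no chunk list is returned because nothing in it can be trusted."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return False, []
    if len(data) != manifest["size"]:
        return False, []
    bad = [i for i, (got, want) in enumerate(zip(chunk_digests(data), manifest["chunks"]))
           if got != want]
    return not bad, bad

def repair_after_migration(source: bytes, received: bytes, manifest: dict, key: bytes):
    """Recovery step for item c): verify the migrated copy, re-copy only the
    damaged chunks from the source, then verify again. Returns (data, resent_chunks)."""
    ok, bad = verify_image(received, manifest, key)
    if ok:
        return received, []
    if not bad:
        raise ValueError("manifest not authentic or size mismatch; refusing to repair blindly")
    buf = bytearray(received)
    for i in bad:
        buf[i * CHUNK:(i + 1) * CHUNK] = source[i * CHUNK:(i + 1) * CHUNK]
    ok, still_bad = verify_image(bytes(buf), manifest, key)
    if not ok:
        raise ValueError(f"repair failed; chunks still damaged: {still_bad}")
    return bytes(buf), bad
```

The order of checks is deliberate: the manifest's MAC is verified before any chunk comparison, because a manifest that was altered together with the image would otherwise report a tampered image as intact. Per-chunk digests are what make the recovery measure in item c) cheap, since only the damaged ranges have to cross the network again.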
    Data backup and recovery
      a) Cloud service customers shall keep backups of their business data locally;
      b) The ability to query the storage location of cloud service customer data and backups shall be provided;
      c) The cloud storage service of the cloud service provider shall ensure that several available copies of cloud service customer data exist, and the contents of each copy shall be consistent;
      d) Technical means shall be provided for cloud service customers to migrate business systems and data to other clo
ud computing platforms and local systems, and assistance shall be given in completing the migration process.
    Residual information protection
      a) Ensure that the memory and storage space used by a virtual machine are completely cleared when they are recycled;
      b) When a cloud service customer deletes business application data, the cloud computing platform shall delete all copies in cloud storage.
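Residual information protection appears twice in this section: in the general requirements (authentication information and sensitive data cleared before storage is released or reallocated) and in the cloud extension just above (memory and storage of a recycled virtual machine completely cleared). The following Python script is an added example, not part of the MLPS text or of any hypervisor: it shows an in-process buffer being overwritten in place rather than merely dropped, and a small block pool in which releasing a block clears it and allocating a block refuses to hand out one that still holds data, so that a missed clear is caught at reallocation rather than leaked to the next tenant. The pool is a constructed model of an allocator; tenant names and block sizes are assumptions.

```python
"""Clearing storage before release or reallocation (added example for the
'Residual information protection' control points of the general and cloud
requirements; not from the MLPS text or any hypervisor). The pool below is a
constructed in-process model of an allocator, not a real memory manager."""
import ctypes
import secrets

def wipe(buf: bytearray) -> None:
    """Overwrite in place with zeros. bytes objects are immutable and cannot be
    cleared, so secrets must live in a bytearray from the start; memset works on
    the underlying memory instead of allocating a fresh object."""
    if len(buf):
        ctypes.memset((ctypes.c_char * len(buf)).from_buffer(buf), 0, len(buf))

class ClearedBlockPool:
    """Fixed-size blocks handed to tenants. free() clears the block; allocate()
    refuses to hand out a block that still holds data, so a release path that
    forgot to clear is detected at reallocation instead of leaking to the next tenant."""
    def __init__(self, blocks: int, size: int):
        self.size = size
        self.blocks = [bytearray(size) for _ in range(blocks)]
        self.owner = [None] * blocks
        self.cleared_on_free = 0

    def allocate(self, tenant: str) -> int:
        for i, owner in enumerate(self.owner):
            if owner is None:
                if any(self.blocks[i]):
                    raise RuntimeError(f"block {i} not cleared before reallocation")
                self.owner[i] = tenant
                return i
        raise MemoryError("pool exhausted")

    def write(self, tenant: str, idx: int, data: bytes) -> None:
        if self.owner[idx] != tenant:
            raise PermissionError(f"{tenant} does not own block {idx}")
        self.blocks[idx][:len(data)] = data

    def free(self, tenant: str, idx: int) -> None:
        if self.owner[idx] != tenant:
            raise PermissionError(f"{tenant} does not own block {idx}")
        wipe(self.blocks[idx])           # clear before the block becomes reusable
        self.cleared_on_free += 1
        self.owner[idx] = None

    def residue(self, idx: int) -> bool:
        """True if the block still holds any non-zero byte."""
        return any(self.blocks[idx])

def demo() -> tuple:
    """Tenant A stores a constructed secret, releases the block, tenant B gets the
    same block. Returns (same_block_reused, residue_left, callers_copy_left)."""
    pool = ClearedBlockPool(blocks=2, size=16)
    token = bytearray(secrets.token_bytes(16))   # constructed authentication secret
    i = pool.allocate("tenant-a")
    pool.write("tenant-a", i, bytes(token))
    wipe(token)                                  # the caller's own copy is cleared too
    pool.free("tenant-a", i)
    j = pool.allocate("tenant-b")                # receives the same, now clean, block
    return i == j, pool.residue(j), any(token)

def demo_missed_clear() -> bool:
    """A release path that forgets to clear: the next allocation must refuse the block."""
    pool = ClearedBlockPool(blocks=1, size=8)
    i = pool.allocate("tenant-a")
    pool.write("tenant-a", i, b"secret!!")
    pool.owner[i] = None                         # simulated faulty release, no wipe
    try:
        pool.allocate("tenant-b")
        return False
    except RuntimeError:
        return True
```

The allocate-time check is the part worth copying into a real design: clearing on free is the intended path, but verifying on allocate is what turns a forgotten clear into a loud failure rather than a cross-tenant leak.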
  Security management center
    Centralized control
      a) It shall be possible to uniformly manage, schedule and allocate physical and virtual resources according to policy;
      b) Ensure that cloud computing platform management traffic is separated from cloud service customer business traffic;
      c) According to the division of responsibilities between cloud service providers and cloud service customers, each shall collect the audit data of the parts under its own control and realize its own centralized audit;
      d) According to the division of responsibilities between cloud service providers and cloud service customers, each shall realize centralized monitoring of the operation status of the parts under its own control, including virtualized networks, virtual machines, virtualized security devices, etc.
  Security construction management
    Cloud service provider selection
      a) A security-compliant cloud service provider shall be selected, and the cloud computing platform it provides shall offer a level of security protection capability corresponding to the business application system;
      b) The service content and specific technical indicators of the cloud services shall be specified in the service level agreement;
      c) The rights and responsibilities of the cloud service provider shall be specified in the service level agreement, including management scope, division of responsibilities, access authorization, privacy protection, code of conduct, liability for breach of contract, etc.;
      d) The complete cloud service customer data shall be provided when the service contract expires, as specified in the service level agreement, and it shall be promised that the relevant data will be cleared from the cloud computing platform;
      e) A confidentiality agreement shall be signed with the selected cloud service provider, requiring it not to disclose cloud service customer data.
    Supply chain management
      a) Ensure that the selection of suppliers complies with relevant national regulations;
      b) Supply chain security incident information or security threat information shall be transmitted to cloud service customers in a timely manner;
      c) Important changes at the supplier shall be communicated to cloud service customers in a timely manner, the security risks caused by the changes shall be evaluated, and measures shall be taken to control the risks.
  Security operation and maintenance management
    Cloud computing environment management
      The operation and maintenance site of the cloud computing platform shall be located in China; operation and maintenance of a domestic cloud computing platform from outside China shall comply with relevant national regulations.
Mobile internet security extension requirementsSecure physical environmentPhysical location of wireless access pointA reasonable location shall be selected for the installation of wireless access equipment to avoid excessive coverage and electromagnetic interference.
Safety zone boundaryBoundary protectionThe access and data flow between wired network and wireless network boundary shall be ensured to pass through wireless access gateway equipment.
  Access control:
    Wireless access equipment shall enable access authentication, and shall support authentication through an authentication server or through a cryptographic module approved by the national cryptography administration.
  Intrusion prevention:
    a) It shall be able to detect the access behavior of unauthorized wireless access equipment and unauthorized mobile terminals;
    b) It shall be able to detect network scanning, DDoS attacks, key cracking, man-in-the-middle attacks and spoofing attacks against wireless access equipment;
    c) It shall be able to detect whether high-risk functions of wireless access equipment, such as SSID broadcast and WPS, are enabled;
    d) Risky functions of wireless access equipment and wireless access gateways, such as SSID broadcast and WEP authentication, shall be disabled;
    e) Multiple APs shall be prohibited from using the same authentication key;
    f) It shall be able to block unauthorized wireless access devices and unauthorized mobile terminals.
Secure computing environment
  Mobile terminal control:
    a) Ensure that mobile terminals install, register and run the terminal management client software;
    b) Mobile terminals shall accept device life-cycle management and remote control from the mobile terminal management server, such as remote locking and remote wiping.
  Mobile application control:
    a) It shall have the function of selecting which application software may be installed and run;
    b) Only application software signed with a specified certificate shall be allowed to be installed and run;
    c) It shall have a software whitelist function and shall be able to control the installation and running of application software according to the whitelist.
Security construction management
  Mobile application software procurement:
    a) Ensure that application software installed and run on mobile terminals comes from a trusted distribution channel or is signed with a trusted certificate;
    b) Application software installed and run on mobile terminals shall be developed by the designated developer.
  Mobile application software development:
    a) Qualification review shall be conducted for developers of mobile business application software;
    b) The validity of the signing certificate used for developing mobile business application software shall be ensured.
Security operation and maintenance management
  Configuration management:
    A configuration library of legal wireless access devices and legal mobile terminals shall be established, so that illegal wireless access devices and illegal mobile terminals can be identified.
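The intrusion-prevention items (detect unauthorized access equipment, detect SSID broadcast and WPS, disable WEP, no shared key across APs) and the configuration-library item above describe the checks a wireless IDS/IPS runs against an authoritative list of legal APs. The following Python is an added example, not code from the standard or from this article: it evaluates one constructed scan result against a constructed configuration library and returns findings plus a block list. The BSSIDs, SSIDs, security modes and the `psk_fingerprint` field (a hash of the configured key, assumed to come from the AP configuration export) are all made up for the demonstration.

```python
"""Wireless access audit against a configuration library of legal APs.

Added example, not part of the MLPS standard or the article. Everything below
(BSSIDs, SSIDs, fingerprints, the scan itself) is constructed demo data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    security: str              # "OPEN", "WEP", "WPA2-PSK", "WPA2-ENT", "WPA3-ENT"
    wps: bool
    ssid_broadcast: bool
    psk_fingerprint: Optional[str] = None   # hash of the configured PSK, from the AP config export

# Constructed configuration library: the authoritative list of legal APs.
AUTHORIZED_APS: Dict[str, Dict[str, str]] = {
    "00:11:22:33:44:01": {"ssid": "CORP-WIFI", "security": "WPA2-ENT"},
    "00:11:22:33:44:02": {"ssid": "CORP-WIFI", "security": "WPA2-ENT"},
    "00:11:22:33:44:03": {"ssid": "CORP-IOT", "security": "WPA2-PSK"},
    "00:11:22:33:44:04": {"ssid": "CORP-IOT", "security": "WPA2-PSK"},
    "00:11:22:33:44:05": {"ssid": "CORP-IOT", "security": "WPA2-PSK"},
}
HIGH_RISK_AUTH = {"OPEN", "WEP"}

Finding = Tuple[str, str, str]   # (bssid, code, detail)

def audit_wireless(scan: List[ObservedAP], authorized=AUTHORIZED_APS) -> List[Finding]:
    """Compare one scan against the configuration library and return findings."""
    findings: List[Finding] = []
    corporate_ssids = {v["ssid"] for v in authorized.values()}
    psk_owner: Dict[str, str] = {}   # PSK fingerprint -> first legal BSSID seen using it
    for ap in scan:
        expected = authorized.get(ap.bssid)
        if expected is None:
            # Not in the library: rogue. Same SSID as ours means an evil twin.
            kind = "evil twin of corporate SSID" if ap.ssid in corporate_ssids else "unknown network"
            findings.append((ap.bssid, "ROGUE_AP", f"{kind} {ap.ssid!r}; BSSID not in configuration library"))
            continue   # a rogue is blocked, not configuration-audited
        if ap.security in HIGH_RISK_AUTH:
            findings.append((ap.bssid, "WEAK_AUTH", f"{ap.security} in use; must be disabled"))
        if ap.security != expected["security"]:
            findings.append((ap.bssid, "CONFIG_DRIFT", f"library says {expected['security']}, observed {ap.security}"))
        if ap.wps:
            findings.append((ap.bssid, "WPS_ENABLED", "WPS is a high-risk function; disable it"))
        if ap.ssid_broadcast:
            findings.append((ap.bssid, "SSID_BROADCAST", "SSID broadcast enabled; disable it"))
        if ap.psk_fingerprint is not None:
            owner = psk_owner.setdefault(ap.psk_fingerprint, ap.bssid)
            if owner != ap.bssid:
                findings.append((ap.bssid, "SHARED_PSK", f"same authentication key as {owner}"))
    return findings

def block_list(findings: List[Finding]) -> List[str]:
    """BSSIDs the wireless gateway / WIPS should block outright."""
    return sorted({bssid for bssid, code, _ in findings if code == "ROGUE_AP"})

# Constructed scan result, as a wireless IDS sensor might report it.
SCAN = [
    ObservedAP("00:11:22:33:44:01", "CORP-WIFI", "WPA2-ENT", wps=False, ssid_broadcast=False),
    ObservedAP("00:11:22:33:44:02", "CORP-WIFI", "WPA2-ENT", wps=True,  ssid_broadcast=True),
    ObservedAP("00:11:22:33:44:03", "CORP-IOT",  "WPA2-PSK", wps=False, ssid_broadcast=False, psk_fingerprint="9f3a"),
    ObservedAP("00:11:22:33:44:04", "CORP-IOT",  "WPA2-PSK", wps=False, ssid_broadcast=False, psk_fingerprint="9f3a"),
    ObservedAP("00:11:22:33:44:05", "CORP-IOT",  "WEP",      wps=False, ssid_broadcast=False),
    ObservedAP("de:ad:be:ef:00:01", "CORP-WIFI", "OPEN",     wps=False, ssid_broadcast=True),
    ObservedAP("de:ad:be:ef:00:02", "Free_WiFi", "WPA2-PSK", wps=True,  ssid_broadcast=True),
]

if __name__ == "__main__":
    found = audit_wireless(SCAN)
    for bssid, code, detail in found:
        print(f"{bssid}  {code:15s} {detail}")
    print("block:", block_list(found))
```

The rogue check runs first and short-circuits, because an AP that is not in the library is blocked rather than graded on its settings; the shared-key check only makes sense across legal APs, which is why the fingerprint map is filled from authorized entries only.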
IoT security extension requirements
Secure physical environment
  Physical protection of sensing node equipment:
    a) The physical environment of the sensing node equipment shall not cause physical damage to it, such as crushing or strong vibration;
    b) The physical environment of sensing node equipment in the working state shall allow it to correctly reflect the environmental state (for example, temperature and humidity sensors shall not be installed in direct sunlight);
    c) The physical environment of sensing node equipment in the working state shall not affect its normal operation, for example through strong interference, blocking or shielding;
    d) Key sensing node equipment shall have a power supply capable of long-duration operation (key gateway node equipment shall have a long-term, stable power supply).
Secure area boundary
  Access control:
    It shall be ensured that only authorized sensing nodes can connect.
  Intrusion prevention:
    a) It shall be able to restrict the target addresses with which the sensing node communicates, to avoid attacks on unknown addresses;
    b) It shall be able to restrict the target addresses with which the gateway node communicates, to avoid attacks on unknown addresses.
Secure computing environment
  Sensing node device security:
    a) It shall be ensured that only authorized users can configure or change the software applications on the sensing node device;
    b) It shall be able to identify and authenticate the gateway node equipment connected to it (including card readers);
    c) It shall be able to identify and authenticate other sensing node devices connected to it (including routing nodes).
  Gateway node device security:
    a) It shall be able to identify and authenticate legitimately connected equipment (including terminal nodes, routing nodes and the data processing center);
    b) It shall be able to filter data sent by illegal nodes and forged nodes;
    c) Authorized users shall be able to update keys online during the use of the equipment;
    d) Authorized users shall be able to update key configuration parameters online during the use of the equipment.
  Anti-data-replay:
    a) It shall be able to verify the freshness of data, to prevent replay of historical data;
    b) It shall be able to detect illegal modification of historical data, to prevent modify-and-replay attacks.
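The two anti-data-replay items ask for freshness and for detection of modified historical data. The Python below is an added example, not code from the standard or the article, showing one way a gateway node can meet both: every report from a sensing node carries a per-node strictly increasing counter and a timestamp, and the whole report is authenticated with an HMAC under a key shared between node and gateway. The node id `node-17`, the key, the 30-second freshness window and the reports are assumptions constructed for the demonstration; `demo()` walks through a genuine report, an exact replay, a replay with a tampered counter, a modified reading, a stale capture and an unknown node.

```python
"""Freshness and integrity checks for sensing-node reports at a gateway node.

Added example, not taken from the MLPS standard or the article. Node id, key,
window and all reports are constructed demo values.
"""
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Tuple

FRESHNESS_WINDOW_S = 30          # reports older or newer than this are stale

# Constructed per-node keys; in a deployment each node gets its own key at
# enrolment and an authorized user can update it online.
NODE_KEYS: Dict[str, bytes] = {"node-17": bytes.fromhex("00" * 16 + "ff" * 16)}

def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so node and gateway MAC identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def build_report(node_id: str, counter: int, ts: float, data: dict, key: bytes) -> dict:
    """Sensing-node side: counter and timestamp sit inside the MACed body."""
    body = {"node": node_id, "ctr": counter, "ts": ts, "data": data}
    return {"body": body, "mac": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}

class GatewayNode:
    def __init__(self, keys: Dict[str, bytes], now: Callable[[], float] = time.time):
        self.keys = keys
        self.last_ctr: Dict[str, int] = {}   # highest counter accepted per node
        self.now = now

    def accept(self, report: dict) -> Tuple[bool, str]:
        body = report.get("body", {})
        key = self.keys.get(body.get("node"))
        if key is None:
            return False, "unknown node"
        # 1. Integrity first: a report whose MAC fails must not touch replay state,
        #    otherwise forged reports could advance the counter and block real ones.
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, report.get("mac", "")):
            return False, "bad MAC: modified or forged report"
        # 2. Freshness in time: bounds how long a captured report stays usable
        #    even if counter state is lost (for example after a gateway reboot).
        if abs(self.now() - body["ts"]) > FRESHNESS_WINDOW_S:
            return False, "stale timestamp"
        # 3. Freshness by counter: strictly increasing per node, so an exact
        #    replay of an already accepted report is rejected.
        if body["ctr"] <= self.last_ctr.get(body["node"], -1):
            return False, "replay: counter not increasing"
        self.last_ctr[body["node"]] = body["ctr"]
        return True, "accepted"

def demo(now: float = 1_700_000_000.0) -> Dict[str, Tuple[bool, str]]:
    """Run the scenarios a replay test would cover; returns the gateway verdicts."""
    key = NODE_KEYS["node-17"]
    gw = GatewayNode(NODE_KEYS, now=lambda: now)
    genuine = build_report("node-17", 1, now, {"temp_c": 21.5}, key)
    results = {"genuine": gw.accept(genuine)}
    results["replayed"] = gw.accept(genuine)                  # identical bytes again
    tampered = json.loads(json.dumps(genuine))                # deep copy of the capture
    tampered["body"]["ctr"] = 99                              # try to outrun the counter
    results["tampered_counter"] = gw.accept(tampered)
    modified = json.loads(json.dumps(genuine))
    modified["body"]["data"]["temp_c"] = 85.0                 # modify a historical reading
    results["modified_data"] = gw.accept(modified)
    results["old_capture"] = gw.accept(build_report("node-17", 2, now - 3600, {"temp_c": 21.0}, key))
    results["next_genuine"] = gw.accept(build_report("node-17", 2, now, {"temp_c": 21.7}, key))
    results["unknown_node"] = gw.accept(build_report("node-99", 1, now, {}, key))
    return results

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The order of the three checks matters: the MAC is verified before any state is read or written, the timestamp check protects against captures replayed after a state loss, and the counter check catches replays inside the time window. A production gateway would also persist `last_ctr` and use one key per node, as the standard's key-update item implies.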
  Data fusion:
    Data from the sensor network shall be fused, so that different kinds of data can be used on the same platform.
Security operation and maintenance management
  Sensing node management:
    a) Designated personnel shall regularly patrol the deployment environment of sensing node and gateway node equipment, and record and handle environmental abnormalities that may affect their normal operation;
    b) The warehousing, storage, deployment, carrying, maintenance, loss and scrapping of sensing node and gateway node equipment shall be clearly specified and managed over the whole process;
    c) Confidentiality management of the deployment environment of sensing node and gateway node equipment shall be strengthened; in particular, personnel responsible for inspection and maintenance shall return the relevant inspection tools and inspection and maintenance records immediately when transferred from their posts.
Security extension requirements for industrial control systems
Secure physical environment
  Physical protection of outdoor control equipment:
    a) Outdoor control equipment shall be placed in a cabinet or enclosure made of iron plate or other fireproof material and fastened; the cabinet or enclosure shall provide ventilation, heat dissipation, anti-theft, rainproof and fireproof capabilities;
    b) Outdoor control equipment shall be placed away from strong electromagnetic interference, strong heat sources and similar environments; where this is unavoidable, emergency disposal and maintenance shall be carried out promptly to keep the equipment operating normally.
Secure communication network
  Network architecture:
    a) The industrial control system and the other systems of the enterprise shall be divided into two zones, with one-way technical isolation between them;
    b) The interior of the industrial control system shall be divided into different security domains according to business characteristics, with technical isolation between the security domains;
    c) Industrial control systems involving real-time control and data transmission shall be networked with independent network equipment, so as to be isolated at the physical level from other data networks and external public information networks.
  Communication transmission:
    Where a wide area network is used in the industrial control system to exchange control instructions or related data, cryptographic techniques shall be used for identity authentication, access control and encrypted data transmission.
Secure area boundary
  Access control:
    a) Access control equipment shall be deployed between the industrial control system and the other systems of the enterprise, with an access control policy that prohibits general network services such as e-mail, web, Telnet, rlogin and FTP from crossing the zone boundary;
    b) When the boundary protection mechanism between security domains within the industrial control system fails, an alarm shall be raised promptly.
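Item a) above is a policy statement; what a practitioner wants is a way to check that the deployed boundary ruleset actually denies those services in both directions while the few flows the business needs still pass. The Python below is an added example, not code from the standard or from this article: a small first-match policy evaluator with default deny, a correctly ordered ruleset, a misordered one that shows the classic mistake, and a check that enumerates the general services across sample host pairs. The zone address ranges, the historian hosts and the single allowed OPC UA flow on TCP 4840 are assumptions for the demonstration; the evaluator stands in for whatever access control equipment is actually deployed.

```python
"""Boundary access-control policy between the ICS zone and the enterprise zone.

Added example, not part of the MLPS standard or the article. Addresses,
hosts and the allowed OPC UA flow are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ENTERPRISE_NET = ipaddress.ip_network("10.10.0.0/16")   # constructed: office/enterprise zone
ICS_NET = ipaddress.ip_network("10.20.0.0/16")          # constructed: industrial control zone
ENT_HISTORIAN = "10.10.5.20"                            # constructed: enterprise historian
DMZ_HISTORIAN = "10.20.250.10"                          # constructed: historian mirror in the ICS DMZ

# General services named by the standard, plus the ports they use. The policy
# denies these across the boundary before any allow rule is considered.
GENERAL_SERVICES = {
    "ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "http": 80,
    "pop3": 110, "imap": 143, "https": 443, "rlogin": 513, "submission": 587,
}
GENERAL_PORTS = frozenset(GENERAL_SERVICES.values())

@dataclass(frozen=True)
class Rule:
    action: str                               # "ALLOW" or "DENY"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None               # None = any protocol
    dports: Optional[FrozenSet[int]] = None   # None = any destination port
    note: str = ""

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def host(ip: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{ip}/32")

def matches(rule: Rule, flow: Flow) -> bool:
    if ipaddress.ip_address(flow.src) not in rule.src:
        return False
    if ipaddress.ip_address(flow.dst) not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != flow.proto:
        return False
    return rule.dports is None or flow.dport in rule.dports

def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; an unmatched flow is denied (default deny)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.note
    return "DENY", "default deny"

# Correct ordering: explicit denies for general services first, then the one
# narrow allow. Nothing allows ICS -> enterprise initiated traffic at all.
BOUNDARY_RULES = [
    Rule("DENY", ENTERPRISE_NET, ICS_NET, "tcp", GENERAL_PORTS, "no general services into ICS"),
    Rule("DENY", ICS_NET, ENTERPRISE_NET, "tcp", GENERAL_PORTS, "no general services out of ICS"),
    Rule("ALLOW", host(ENT_HISTORIAN), host(DMZ_HISTORIAN), "tcp", frozenset({4840}),
         "enterprise historian polls the DMZ mirror over OPC UA"),
]

# Common mistake: a broad "let the historian talk to the DMZ host" rule placed
# above the denies, which silently re-opens HTTP/FTP/Telnet to that host.
MISORDERED_RULES = [
    Rule("ALLOW", host(ENT_HISTORIAN), host(DMZ_HISTORIAN), "tcp", None, "historian to DMZ, any port"),
] + BOUNDARY_RULES

def boundary_violations(rules: List[Rule], host_pairs: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(src, dst, service) for every general service a sample host pair could
    use across the boundary, checked in both directions."""
    violations = []
    for a, b in host_pairs:
        for src, dst in ((a, b), (b, a)):
            for name, port in GENERAL_SERVICES.items():
                action, _ = evaluate(rules, Flow(src, dst, "tcp", port))
                if action != "DENY":
                    violations.append((src, dst, name))
    return violations

SAMPLE_HOST_PAIRS = [
    ("10.10.1.50", "10.20.1.10"),        # office workstation <-> PLC
    (ENT_HISTORIAN, DMZ_HISTORIAN),      # the one pair with an allowed flow
]

if __name__ == "__main__":
    print(evaluate(BOUNDARY_RULES, Flow(ENT_HISTORIAN, DMZ_HISTORIAN, "tcp", 4840)))
    print(evaluate(BOUNDARY_RULES, Flow("10.10.1.50", "10.20.1.10", "tcp", 23)))
    print("violations (correct policy):", boundary_violations(BOUNDARY_RULES, SAMPLE_HOST_PAIRS))
    print("violations (misordered):", boundary_violations(MISORDERED_RULES, SAMPLE_HOST_PAIRS))
```

Two properties carry the requirement: the default is deny, so a flow nobody thought about (including any ICS-initiated connection to the enterprise zone, which item a) of the network architecture requirement wants one-way) never passes; and the general-service denies sit above every allow, so a later broad allow cannot reopen them. The same enumeration can be run as a real test against the boundary device, one connection attempt per service and direction, during the assessment.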
  Dial-up usage control:
    a) If the industrial control system genuinely needs dial-up access, the number of users with dial-up access authority shall be limited, and measures such as user identification and authentication and access control shall be taken;
    b) Both the dial-up server and the client shall use a security-hardened operating system, and measures such as digital certificate authentication, transmission encryption and access control shall be taken.
  Wireless usage control:
    a) All users (personnel, software processes or equipment) participating in wireless communication shall be given unique identifiers and be authenticated;
    b) The authorization and use of all users (personnel, software processes or equipment) participating in wireless communication shall be restricted;
    c) Transmission encryption shall be applied to wireless communication to protect the confidentiality of transmitted messages;
    d) Industrial control systems controlled through wireless communication shall be able to detect unauthorized wireless devices transmitting in their physical environment, and report unauthorized attempts to access or interfere with the control system.
Secure computing environment
  Control equipment security:
    a) The control equipment itself shall meet the security requirements of identity authentication, access control and security auditing set out in the general security requirements of the corresponding level; where the control equipment cannot meet them because of its conditions, its upper-level control or management equipment shall provide the same functions, or they shall be enforced through management measures;
    b) Patch updates and firmware updates of control equipment shall be carried out only after full testing and evaluation, and without affecting the safe and stable operation of the system;
    c) Floppy disk drives, optical disk drives, USB interfaces, serial ports and spare network ports of control equipment shall be disabled or removed; where they must be retained, strict monitoring and management shall be implemented through technical measures;
    d) Dedicated equipment and dedicated software shall be used to update control equipment;
    e) Control equipment shall undergo security testing before going live, to ensure that its firmware contains no malicious code.
Security construction management
  Product procurement and use:
    Important industrial control system equipment may be procured and used only after passing security testing by a professional institution.
  Outsourced software development:
    The outsourced development contract shall specify binding terms for the development unit and the supplier, covering confidentiality, prohibition of the diffusion of key technologies, and industry-specific use of the equipment, over the life cycle of the equipment and system.

3.3.MLPS high-risk items & rectification approaches

| No. | Security category | Sub-no. | Security sub-category | Level-2 rectification | Level-3 rectification | Investment |
|---|---|---|---|---|---|---|
| 1 | Physical security | 1 | Selection of physical location | | | |
| 2 | | 2 | Physical access control | | Electronic access control | Medium |
| 3 | | 3 | Theft and vandalism prevention | Video monitoring system / burglar alarm system | Video monitoring system / burglar alarm system | Medium |
| 4 | | 4 | Lightning protection | | Lightning protector | Low |
| 5 | | 5 | Fire prevention | Fire-fighting equipment and automatic fire alarm system | Automatic fire-fighting system | High |
| 6 | | 6 | Waterproofing and damp-proofing | Dehumidifier | Water leak detection and alarm | Medium-high |
| 7 | | 7 | Anti-static | | Anti-static floor | Medium |
| 8 | | 8 | Temperature and humidity control | Precision air conditioner | Precision air conditioner | High |
| 9 | | 9 | Power supply | Voltage regulator, overvoltage protection equipment, UPS | Voltage regulator, overvoltage protection equipment, UPS, standby power supply system | High |
| 10 | | 10 | Electromagnetic protection | | Electromagnetic shielding and anti-interference devices | Low |
| 11 | Network security | 1 | Structural security | | Core equipment redundancy | Medium |
| 12 | | 2 | Access control | Border firewall | Border firewall | Medium-high |
| 13 | | 3 | Security audit | Log audit system | Log audit system | Medium |
| 14 | | 4 | Boundary integrity check | Unauthorized external connection control (terminal security management system) | Network access control / unauthorized external connection control (terminal security management system) | Medium |
| 15 | | 5 | Intrusion prevention | Intrusion detection / prevention system | Intrusion prevention system | Medium |
| 16 | | 6 | Malicious code prevention | | Network anti-virus gateway | Medium |
| 17 | | 7 | Network equipment protection | | Network operation and maintenance management system (jump server / bastion host) | Medium |
| 18 | Host security | 1 | Identification and authentication | | Multi-factor authentication system | Medium |
| 19 | | 2 | Access control | | Host security environment system | Medium |
| 20 | | 3 | Security audit | Log audit system; database audit system | Log audit system; database audit system | Medium |
| 21 | | 4 | Residual information protection | | Host security environment system | Medium |
| 22 | | 5 | Intrusion prevention | Patch management system (free WSUS, or terminal management system with a patch management module) | Host intrusion prevention software / patch management system (free WSUS, or terminal management system with a patch management module) | Medium |
| 23 | | 6 | Malicious code prevention | Centrally managed (network edition) anti-virus software | Centrally managed (network edition) anti-virus software (host anti-malware products should use a different malicious code library from the network anti-malware products) | Medium |
| 24 | | 7 | Resource control | | Security monitoring center: host system resource monitoring module | |
| 25 | Application security | | | | | |