Specific operation process of network security emergency response
2022-07-28 15:09:00 【maoguan121】
General content
Every standard basically follows a common format, which we can use as a reference when writing our own documents:
- Definitions and terms: the professional terms used in a national standard are defined, to prevent ambiguity in understanding.
- Structural hierarchy: usually the complete structure of the document is given, as a diagram or a table, so that readers with little time can quickly grasp the content.
- Attached forms: a document may need forms; a system document that is to be implemented needs the corresponding test tables.
- Referenced documents: each standard builds on other standards, which improves its authority.
- Comprehensiveness: the content written basically follows the principle of "mutually exclusive, collectively exhaustive", for example information security operation services versus other information security operation services.
Introduction to the standard
This standard is formulated on the basis of the Regulations of the People's Republic of China on the Security Protection of Computer Information Systems, with reference to GB/Z 20985-2007 Information technology - Security techniques - Information security incident management guide, GB/T 20988-2007 Information security technology - Disaster recovery specifications for information systems, GB/Z 20986-2007 Information security technology - Guidelines for the category and classification of information security incidents, GB/T 20984-2007 Information security technology - Risk assessment specification for information security, GB/T 22240 Information security technology - Classification guide for classified protection of information system security, GB/T 22239 Information security technology - Baseline for classified protection of information system security, NIST SP 800-34 Contingency Planning Guide for Information Technology Systems and NIST SP 800-61 Computer Security Incident Handling Guide and other related standards, combined with the National Communication Support Emergency Plan and the Shanghai Special Emergency Plan for Network and Information Security Incidents, together with the technical development and practical experience of the relevant industries.
Information systems are exposed to various known and unknown threats, which lead to information security events such as harmful program events, network attacks, information leakage, information content security incidents, equipment and facility failures, and catastrophic events. Although the likelihood of many information security incidents can be reduced by technical, management and operational measures, no information security strategy or protective measure provides absolute protection for an information system. Even after protective measures are taken, residual weaknesses may remain, so the protection may still be breached and emergencies or major information security incidents such as business interruption, system downtime and network paralysis may occur, with a direct or indirect negative impact on the organization's operation and business. Therefore, to reduce the impact of information security incidents on the organization and its business, an effective information security emergency response plan should be formulated and documented as a plan.
The formulation of an information security emergency response plan is a cyclical process of continuous improvement, which includes the following stages:
a) preparation for the emergency response plan;
b) preparation of the emergency response plan documents;
c) testing, training, drilling and maintenance of the emergency response plan.
Preparation of emergency response plan
Risk assessment
Identify the asset value of the information system, identify the natural and man-made threats to it, identify its vulnerabilities, and analyze the likelihood of each threat. For details of risk assessment, see GB/T 20984-2007, Chapter 5 (implementation of risk assessment) and Chapter 6 (risk assessment at each stage of the information system life cycle).
Business impact analysis
Business impact analysis (BIA) builds on the risk assessment: it analyzes the possible impact of various information security events on business functions and then determines the recovery objectives of the emergency response.
Analyze the business functions of the unit or department and the correlations between them, determine the information system resources and other resources that support each business function, and clarify the confidentiality, integrity and availability requirements of the relevant information.
- Determine the key resources of the information system
Evaluate the information system to determine the key functions it performs, and determine the specific system resources required to perform those functions.
- Determine the impact of information security incidents
Use the following quantitative and/or qualitative methods to assess the impact of information security incidents such as business interruption, system downtime and network paralysis:
- Determine the recovery objectives of emergency response
According to the results of the business impact analysis, and combined with GB/T 22239 and GB/T 22240, determine the recovery objectives of the emergency response, including:
a) key business functions and the priority of their recovery;
b) the recovery time range, i.e. the scope of the recovery time objective (RTO) and the recovery point objective (RPO).
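To make the BIA steps above concrete (dependency of business functions on system resources, combined quantitative/qualitative impact scoring, recovery priority, and RTO/RPO objectives checked against what a chosen recovery strategy can actually deliver), here is a small worked example added by the editor. It is not code from the post or from GB/T 24363-2009; the function names, the business functions, the hourly-loss figures, the criticality weights and the RTO/RPO values are constructed assumptions.

```python
"""Worked business impact analysis (BIA), added as an illustration.

Not from GB/T 24363-2009 or the original post. All names and figures
below are constructed sample data, not values from any standard.
"""
from dataclasses import dataclass, field

# Qualitative criticality ratings mapped to ordinal weights (assumed scale).
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class BusinessFunction:
    name: str
    criticality: str                 # qualitative rating: high / medium / low
    loss_per_hour: float             # quantitative loss estimate while interrupted
    max_tolerable_downtime_h: float  # basis for the RTO
    max_tolerable_data_loss_h: float # basis for the RPO
    resources: list = field(default_factory=list)  # supporting system resources


def impact_score(bf, outage_hours):
    """Combine the quantitative loss with the qualitative weight into one score."""
    return CRITICALITY_WEIGHT[bf.criticality] * bf.loss_per_hour * outage_hours


def affected_functions(functions, failed_resource):
    """Business functions that lose a resource when that resource fails."""
    return [bf.name for bf in functions if failed_resource in bf.resources]


def recovery_priorities(functions, outage_hours=4.0):
    """Rank business functions by impact; the highest impact is recovered first."""
    ranked = sorted(functions, key=lambda bf: impact_score(bf, outage_hours), reverse=True)
    return [bf.name for bf in ranked]


def resource_recovery_order(functions, outage_hours=4.0):
    """A resource inherits the highest impact among the functions that depend on it."""
    score = {}
    for bf in functions:
        s = impact_score(bf, outage_hours)
        for r in bf.resources:
            score[r] = max(score.get(r, 0.0), s)
    return sorted(score, key=lambda r: score[r], reverse=True)


def recovery_objectives(functions):
    """RTO/RPO per function, taken as the maximum tolerable downtime and data loss."""
    return {bf.name: {"RTO_h": bf.max_tolerable_downtime_h,
                      "RPO_h": bf.max_tolerable_data_loss_h}
            for bf in functions}


def check_strategy(functions, achievable):
    """Flag (function, resource) pairs whose planned recovery capability cannot
    meet the objectives. `achievable` maps resource -> (rto_h, rpo_h) that the
    chosen strategy can deliver for that resource."""
    gaps = []
    for bf in functions:
        for r in bf.resources:
            rto, rpo = achievable[r]
            if rto > bf.max_tolerable_downtime_h or rpo > bf.max_tolerable_data_loss_h:
                gaps.append((bf.name, r))
    return gaps


# Constructed sample data (hypothetical organization).
SAMPLE_FUNCTIONS = [
    BusinessFunction("online payment", "high", 5000.0, 2.0, 0.25, ["db-cluster", "web-tier"]),
    BusinessFunction("customer portal", "medium", 800.0, 8.0, 4.0, ["web-tier"]),
    BusinessFunction("internal reporting", "low", 100.0, 48.0, 24.0, ["db-cluster", "reporting-host"]),
]
# What the currently selected recovery strategy can deliver per resource (assumed).
SAMPLE_ACHIEVABLE = {
    "db-cluster": (1.0, 1.0),        # hourly backups: 1 h RPO is too slow for payments
    "web-tier": (0.5, 0.0),
    "reporting-host": (24.0, 24.0),
}

if __name__ == "__main__":
    print("recovery priority:", recovery_priorities(SAMPLE_FUNCTIONS))
    print("resource order:", resource_recovery_order(SAMPLE_FUNCTIONS))
    print("objectives:", recovery_objectives(SAMPLE_FUNCTIONS))
    print("strategy gaps:", check_strategy(SAMPLE_FUNCTIONS, SAMPLE_ACHIEVABLE))
```

The last check is the part practitioners most often skip: objectives derived in the BIA are only meaningful once they are compared with the recovery capability the strategy actually buys. In the sample data the database backup interval satisfies the RTO of the payment function but not its RPO, which is exactly the kind of gap the cost considerations below have to resolve.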
Develop emergency response strategies
- Summary
Emergency response strategies provide the means to recover information system operation quickly and effectively after information security incidents such as business interruption, system downtime and network paralysis. These strategies should address the recovery objectives of emergency response determined in the business impact analysis (BIA).
- Classification of system recovery capability
System recovery capability is divided into six levels: basic support; alternate site support; electronic transmission and partial equipment support; electronic transmission and complete equipment support; real-time data transmission and complete equipment support; and zero data loss and remote cluster support. The specific division follows Appendix A (disaster recovery capability rating) of GB/T 20988-2007. The requirements for system recovery resources shall comply with 6.3 (requirements for disaster recovery resources) of GB/T 20988-2007.
- Cost considerations
The organization that uses or manages the information system (hereinafter "the organization") shall ensure that there are sufficient personnel and funds to implement the selected strategy. The cost of the various types of backup sites, equipment replacement and storage should be balanced against budgetary constraints. The budget should be adequate and should include the cost of software, hardware, travel and transportation, testing, plan training programs, awareness training programs, labor, other contracted services and any other applicable resources. The organization should conduct a cost-benefit analysis to determine the best emergency response strategy.
Prepare emergency response plan documents
Preparing the information security emergency response plan documents is a key step in the emergency response planning process. The emergency response plan shall describe the technical capabilities that support emergency operations and shall fit the organization's needs. An emergency response plan needs to strike a balance between detail and flexibility: usually, the more detailed the plan, the less flexible and versatile its approach. This standard describes the key points of preparing an emergency response plan; the plan preparer should adjust, enrich and localize its contents according to the actual situation, so as to better meet the organization's specific system, operational and institutional needs. Chapter 8 of GB/Z 20985-2007 can also be consulted. The emergency response plan should give quick and clear guidance to personnel who are not familiar with the plan, or with the system that requires recovery operations, during an information security event. The plan should be clear, concise and easy to implement in an emergency, and should make use of checklists and detailed procedures. The emergency response plan documents consist of six parts: general provisions, roles and responsibilities, prevention and early warning mechanisms, the emergency response process, emergency response safeguard measures, and attachments.
To be continued. Original source: GB/T 24363-2009 Information security technology - Information security emergency response plan specification
References
- GB/T 28827.3-2012 Information technology service - Operation and maintenance - Part 3: Emergency response specification
- GB/Z 20986-2007 Information security technology - Guidelines for the category and classification of information security incidents
- Microsoft Sysinternals tool suite
- lsof command introduction
- YARA rule-based parser (open source)
- API Monitor
- Process Hacker
- National network security emergency plan
- Qianxin 2020 network security emergency response analysis report (2021)