Business secret series -- Talking about the evaluation of commercial passwords from the perspective of Party A and Party B (I)

      
      

       
        Engaged in secret evaluation for more than one year , During this period, I engaged in many types of projects , provincial level IDC, Of each department OA And customized system . It's not the technology that takes time in this process , It is the docking with Party A or the evaluated party , Because secret reviews have emerged in recent years , All parties have insufficient understanding of it , As a result, people who want to pass the secret review don't know what to do . So it sprouted to write a series of articles , Help non insiders understand confidential comments .
      
      
      
      

       
       
1.
      
      

      
      

       
        This series of articles is written for non insiders to understand and understand confidential reviews , So I will introduce the corresponding technology , But it won't involve technical details , At the same time, try to use concise narration to make reading easy and clear . Here are some abbreviations and terms used for convenience ：
      
      
      
      

       
       
1.
      
      

      
      

       
        In a nutshell ,《 Cryptology 》、《 Network security law 》、《 Network security level protection regulations 》 And other laws emphasize hierarchy 
       
       
 Protect level III and above information systems 、 Critical information infrastructure should be secretly evaluated .
      
      
      
      

       
       
1.
       
       
2.
      
      

      
      

       
        Passing the secret evaluation needs to meet GB/T 39786-2021《 Information security technology   Basic requirements for password application of information system 》, Same as 
       
       
 According to the 《 Quantitative evaluation rules for security evaluation of commercial password application 》 score 60 above , And there is no 《 Information system password Application 
       
       
 High risk judgment guidelines 》 The high-risk item in is passing .
       
       
60 More than , And no high-risk items are the conditions for passing the secret evaluation .
      
      
      
      

       
       
1.
       
       
2.
       
       
3.
       
       
4.
      
      

      
      

       
        Maintained by the State Password Administration 《 Directory of pilot institutions for security evaluation of commercial password applications 》 Only institutions in China have implemented secret evaluation 
       
       
 Qualification of , total 48 home .（https://www.oscca.gov.cn/sca/xwdt/2021-06/11/content_1060863.shtml）
       
       
 Certified , Products with commercial secret certificates can be found on the commercial password authentication business network .（http://service.scctc.org.cn）
      
      
      
      

       
       
1.
       
       
2.
       
       
3.
      
      

      
      

       
        The implementation personnel of secret evaluation will ask about all aspects of the system in the early stage of secret evaluation and on site ：
       
       
1、 Physical condition of machine room , Need to enter the machine room for inspection ———— Computer room management personnel 
       
       
2、 Know the physical server location of the system , Management style , As well as network architecture and relevant password products adopted ———— System operation and maintenance personnel 
       
       
3、 The database used by the system , And the structure of the database and the form in which the corresponding data is stored , And the encryption method of data storage ———— Developer 
       
       
4、 Systems related to cryptographic equipment and key management ———— Party A's unit 
      
      
      
      

       
       
1.
       
       
2.
       
       
3.
       
       
4.
       
       
5.