The Cyber ​​Security Standardization Committee issued the “Cyber ​​Security Standard Practice Guide – Cyber ​​Security Assessment Guide for Large Internet Platforms”

FreeBuf.COM is a network security industry portal that publishes professional security information and technical analysis every day.

Recently, in order to guide large-scale Internet platforms to assess, discover and prevent network security risks that affect or may affect social stability and public interests, and to improve the security level of platforms, the Secretariat of the National Cybersecurity Standardization Technical Committee organized the compilation of the “Cybersecurity Standard Practice Guide – Network Security Assessment Guide for Large Internet Platforms”.

The Guidelines propose the content and methods for conducting network security assessments on large Internet platforms from the perspective of those that affect or may affect social stability and public interests. They are applicable to network security assessment activities on large Internet platforms.

Note: The large-scale Internet platforms mentioned in the Guidelines refer to those that connect individuals, commodities, information, services, offline resources, and assets through network technology.It is a large-scale network platform that connects funds, software, etc. and provides services based on this.

The Guidelines state that large Internet platforms need to first set up a cybersecurity assessment working group before conducting cybersecurity assessments. The working group is directly led by the person in charge of the platform, and the working group formulates management systems and work procedures under his leadership. The specific work of the working group is organized and promoted by the person designated by the person in charge of the platform, who must be a senior manager of the platform.

The Guidelines also clearly divide the work content of the assessment working group, requiring the working group to identify the core business scope, clarify the scope of network security assessment, organize annual network security assessments, study and formulate work plans for network security assessments of important matters, and organize related assessment work based on the degree of impact of network security issues on social stability and public interests in various businesses.

Finally, the working group needs to organize and carry out rectification based on the security issues found in the network security assessment.

Regarding the assessment content of large-scale Internet platforms, the “Guidelines” require the working group to conduct an assessment from seven aspects, including core business continuity risks, disaster recovery capabilities, security of the supply chain of key software and hardware products, controllability of data provided to the outside world, emergency response after a data leak occurs, platform control, and user rights protection.

If the working group does not find any safety issues or risks during the assessment process, it is necessary to record the assessment and retain relevant materials. Once a safety issue or risk is found, it is necessary to record the assessment, organize analysis and judgment in a timely manner, and deal with the problems and risks found based on the results of the analysis.
Carry out rectification, record the rectification status or reasons for not rectifying, and report outstanding problems and risks in accordance with the requirements of relevant departments.

“Cybersecurity Standard Practice Guidelines – Guidelines for Cybersecurity Assessment of Large Internet Platforms”.pdf

This article is Independent opinions, no reproduction without permission, for authorization, please contact FreeBuf customer service Xiao Bee, WeChat: freebee2022