Information system security integration and security operation and maintenance service qualification Secondary application requirements
The information system security integration service qualification is divided into three levels: Level 1, Level 2 and Level 3, of which Level 1 is the highest and Level 3 is the lowest. The service capability of a security integration service provider is mainly reflected in four aspects: basic qualification, service management ability, service technology ability and service process ability. The ability of service personnel is evaluated from their comprehensive knowledge of and experience in security integration services. The requirements are divided into two parts: general requirements and professional requirements.
I. General requirements
Applicants can apply directly if they meet the conditions, or they can apply for Level II once they have held Level III qualification for more than one year. Service management procedure files should be established, issued and in operation for more than half a year.
1. Legal status requirements
The applicant is an independent legal person organization registered within the territory of the People's Republic of China, with a clear history of development and clear property rights. It complies with relevant national laws, regulations and standard requirements, has no illegal record, and has good credit status.
2. Financial credit requirements
The organization operates normally, and has established and implemented a financial management system that can provide the necessary financial support for the service.
3. Office space requirements
The organization has long-term fixed office space and suitable office conditions, which can meet its establishment and business needs.
4. Personnel capacity requirements
The person in charge of the organization has more than 3 years of management experience in the field of information technology. The technical person in charge has the management ability for information security service (consistent with the declared category) and has passed the evaluation (consistent with the declared category).
The project leader and project engineer have the technical ability of information security service (consistent with the declared category) and have passed the evaluation (consistent with the declared category).
5. Performance requirements
The organization has been engaged in information security services (consistent with the declaration category) for more than 3 years, or has held information security services (consistent with the declaration category) Level 3 qualification for more than 1 year.
The organization has signed and completed at least 6 information security service projects (consistent with the declaration category) in the last three years.
6. Service management requirements
Establish and operate personnel management procedures, identify the service ability requirements of security service personnel, clarify the job responsibilities and technical ability requirements of security service personnel, and prove through evaluation that they are competent for their responsibilities.
Develop a service personnel ability training plan covering network and information security related technology, management, awareness and other content, and implement the plan to ensure that service personnel remain competent for their responsibilities.
Establish and operate a document management procedure covering organization management, service process management, quality management and other content, and define document control for production, release, storage, transmission, use (including delivery and internal use), disposal and other stages.
Be equipped with a file room and a high-security file server.
Establish and operate project management procedures, and clarify the operating procedures for service project organization, planning, implementation, risk control, delivery and other stages.
Establish and operate a confidentiality management procedure, clarify the confidentiality responsibility of each post, sign confidentiality agreements, and provide confidentiality education to relevant personnel in a timely manner.
Establish and operate supplier management procedures, identify risks in the process of supply and/or outsourcing, and identify suppliers' and/or contractors' basic service qualifications, service process control, service quality, service delivery, etc. Ensure that suppliers or contractors meet service security requirements (only applicable to the security integration, security operation and maintenance, disaster backup and recovery, and industrial control system security directions).
Establish contract management procedures, formulate unified contract templates, and implement information security service projects according to the contract provisions.
Protect customer sensitive information and intellectual property information as required by the customer, and ensure that service personnel understand the customer's relevant requirements.
With reference to international or domestic standards, establish a quality management system covering information security services (consistent with the declaration category), and operate it effectively for more than half a year.
Establish, according to international or domestic standards, an information security management system or information technology service management system whose business scope covers information security services (consistent with the declaration category), and operate it effectively for more than half a year.
7. Technical tool requirements
Have an independent test environment and the necessary software and hardware equipment for technical training and simulation testing.
Have the security tools required to undertake information security service (consistent with the declaration category) projects, and apply management and version control to those tools.
8. Service technical requirements
Establish a process for information security service (consistent with declaration category) requirements and implement it in accordance with the process. Formulate the standards for information security service (consistent with the declaration category) requirements, and implement them in accordance with those standards.
II. Professional requirements
1. Preparing for integration
1.1 Demand research and analysis
Accurately identify and comprehensively analyze the security requirements corresponding to the information security characteristics of the system. Carry out demand analysis and prepare a demand analysis report based on customer demand and investment capacity.
2. Scheme design stage
Based on the demand analysis and the customer's ability to invest in system security, put forward the security design specification for system construction, and define the system architecture, product selection, product functions, performance and configuration parameters. Organize customers and related technical experts to demonstrate the technical plan and implementation plan, and confirm whether they meet the requirements for system function, performance and security.
Carry out business and skill training for the project team and third-party coordinators based on the technical solutions.
3. Construction implementation stage
3.1 Integration
During the installation and debugging of products and equipment, relevant information should be properly and completely recorded. After the completion of the project construction, the completion report shall be submitted to the customer.
After the completion of project implementation, the relevant process records shall be filed and kept in a unified manner.
4. Security Stage
4.1 System Test
After the system test is completed, prepare a system test report and submit it to the customer. Apply for preliminary inspection according to project needs, organize customers and related parties to carry out the preliminary inspection of the project, and submit a preliminary inspection report.
4.2 System test run
The trial operation period of the system is at least one month.
After the trial run, the project team will prepare the system trial run report and submit it to the customer.
4.3 Operation and Maintenance
Establish a customer satisfaction survey mechanism and analyze the survey results.
Editor in charge: Shanghai Yue Fei Enterprise Management Consulting Co., Ltd.
Copyright: http://www.yf-iso.com/ Please indicate the source when reprinting.