Appendix 2: Introduction to classified protection

What is classified protection

  • Regulatory requirements
    • "Cybersecurity Law of the People's Republic of China": "The state implements a Classified Protection of Cybersecurity system. In accordance with the requirements of this system, network operators must fulfill security protection obligations to protect networks from interference, damage, or unauthorized access, and to prevent network data from being leaked, stolen, or tampered with."
    • "Regulations on the Security Protection of Computer Information Systems of the People's Republic of China" (State Council Order No. 147): "Computer information systems are subject to classified protection. The classification standards and specific measures for classified protection are formulated by the Ministry of Public Security in conjunction with other relevant departments."
    • "Opinions of the National Informatization Leading Group on Strengthening Information Security" (Zhong Ban Fa [2003] No. 27) states: "It is necessary to focus on protecting basic information networks and important information systems related to national security, the economy, and social stability, and to promptly establish a classified protection system for information security."
  • Legal basis
    • The "Police Law" stipulates that the police have the responsibility to "supervise and manage the security protection of computer information systems."
    • State Council Order No. 147 stipulates that "The Ministry of Public Security is responsible for the security protection of computer information systems nationwide," and "The specific measures for classified protection shall be formulated by the Ministry of Public Security in conjunction with other relevant departments."
    • According to the 2008 State Council plan for defining institutional functions, organization, and staffing, the Ministry of Public Security was assigned the new function of "supervising, inspecting, and guiding the classified protection of information security."
  • Scope and enforcement
    • Scope of application for classified protection of information security: All computer information systems within the territory of the People's Republic of China.
    • Enforcement: Systems at Level 2 and above are subject to supervision by public security authorities. Level 3 systems must undergo an assessment at least once a year.
    • Key requirements for security products in Level 3 systems: The provider must be a domestic and independent legal entity, possess independent intellectual property rights, and hold an information security product certification.
  • Status and role
    • It is a fundamental system and basic national policy for ensuring national information security.
    • It is a basic method for implementing information security work.
    • It is a fundamental guarantee for promoting informatization and safeguarding national information security.

Classification levels explained

  • Level 1 (applicable to non-critical systems): If the information system is damaged, it will harm the legitimate rights and interests of citizens, legal entities, and other organizations, but will not harm national security, social order, or public interests.
  • Level 2 (applicable to generally important systems): If the information system is damaged, it will cause serious harm to the legitimate rights and interests of citizens, legal entities, and other organizations, or cause harm to social order and public interests, but will not harm national security.
  • Level 3 (applicable to relatively important systems): If the information system is damaged, it will cause serious harm to social order and public interests, or cause harm to national security.
  • Level 4 (applicable to very important systems): If the information system is damaged, it will cause particularly serious harm to social order and public interests, or cause serious harm to national security.
  • Level 5 (applicable to extremely important systems): If the information system is damaged, it will cause particularly serious harm to national security.

Key interpretations of the Basic Requirements for Classified Protection of Cybersecurity

Network and Communication Security

Table 1. Security requirements
  • Network architecture: Divide the network into different regions. Assign addresses to each network region based on principles that facilitate management and control.
  • Access control:
    • Set access control rules at network borders or between regions based on the access control policy. By default, controlled interfaces must deny all communication except for explicitly allowed traffic.
    • Provide the ability to explicitly allow or deny incoming and outgoing data streams based on session state information. The control granularity must be at the port level.
  • Communication transmission: Use checksums or encryption and decryption techniques to ensure data integrity during communication.
  • Border protection: Ensure that access and data streams that cross borders communicate through controlled interfaces provided by border protection devices.
  • Intrusion prevention:
    • Detect, prevent, or limit network attacks from external sources at key network nodes.
    • When an attack is detected, record the source IP address, attack type, attack destination, and attack time. Provide an alert when a critical intrusion event occurs.
  • Security audit: Perform security audits at network borders and important network nodes. The audits must cover every user and log important user behaviors and security events.
Table 2. Interpretations and countermeasures
Interpretation
  • Divide the network into security domains based on server roles and importance.
  • Set access control policies at the security domain borders between internal and external networks. The policies must be configured down to specific ports.
  • Deploy intrusion prevention measures at network borders to defend against and record intrusive behaviors.
  • Record and audit user behavioral logs and security event information within the network.
Countermeasures
  • Use Alibaba Cloud's VPC and security groups to divide the network into security domains and implement proper access control.
  • Use Web Application Firewall to prevent intrusions at the web application layer.
  • Use the log feature of Threat Detection Service to record, analyze, and audit user behavioral logs and security events.
  • For systems that frequently face DDoS threats, use Anti-DDoS Pro and Anti-DDoS Premium to filter and scrub unusual traffic.
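The three border-access-control properties the requirements above ask for (deny by default, explicit port-level allow rules, and session-state-based acceptance of reply traffic) are enforced in practice by a cloud security group or a stateful firewall. The evaluator below is an added example, not code from this page or from Alibaba Cloud, that makes those semantics explicit and checks them against constructed traffic. The address ranges (a DMZ web tier on 10.0.1.0/24, an application tier on 10.0.2.0/24, a client at 203.0.113.5) and the rule set are hypothetical. Denied traffic is recorded with source, destination, type and time, as the intrusion-prevention requirement asks for:

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Flow:
    """One connection attempt seen at a controlled border interface (constructed data)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class AllowRule:
    """Explicit permit: source network -> destination network, protocol, destination port."""
    src_net: str
    dst_net: str
    proto: str
    dport: int

    def matches(self, f: Flow) -> bool:
        return (
            ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst_net)
            and f.proto == self.proto
            and f.dport == self.dport          # port-level granularity
        )


class BorderFilter:
    """Stateful, default-deny policy evaluator for one border interface."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # 5-tuples of flows that an allow rule admitted
        self.audit_log = []     # records of denied traffic

    def decide(self, f: Flow, now=None) -> str:
        now = now or datetime.now(timezone.utc)
        # 1. Reply traffic for an established session is accepted (session-state check).
        if (f.dst, f.src, f.proto, f.dport, f.sport) in self.sessions:
            return "allow"
        # 2. New traffic must match an explicit allow rule.
        for rule in self.rules:
            if rule.matches(f):
                self.sessions.add((f.src, f.dst, f.proto, f.sport, f.dport))
                return "allow"
        # 3. Everything else is denied and recorded with source, destination, type and time.
        self.audit_log.append({
            "time": now.isoformat(),
            "src": f.src, "dst": f.dst, "proto": f.proto, "dport": f.dport,
            "event": "denied_by_default_policy",
        })
        return "deny"


def run_demo():
    """Constructed scenario: only 443 into the web tier and only 8080 from web to app tier."""
    fw = BorderFilter([
        AllowRule("0.0.0.0/0", "10.0.1.0/24", "tcp", 443),     # hypothetical DMZ web tier
        AllowRule("10.0.1.0/24", "10.0.2.0/24", "tcp", 8080),  # hypothetical app tier
    ])
    flows = [
        ("client to web",          Flow("203.0.113.5", "10.0.1.10", "tcp", 51000, 443)),
        ("web reply to client",    Flow("10.0.1.10", "203.0.113.5", "tcp", 443, 51000)),
        ("client to web ssh",      Flow("203.0.113.5", "10.0.1.10", "tcp", 51001, 22)),
        ("client direct to app",   Flow("203.0.113.5", "10.0.2.20", "tcp", 51002, 8080)),
        ("web to app",             Flow("10.0.1.10", "10.0.2.20", "tcp", 40000, 8080)),
        ("app unsolicited to web", Flow("10.0.2.20", "10.0.1.10", "tcp", 40001, 8080)),
    ]
    decisions = {name: fw.decide(f) for name, f in flows}
    return decisions, fw.audit_log


if __name__ == "__main__":
    decisions, log = run_demo()
    for name, verdict in decisions.items():
        print(f"{verdict:5s}  {name}")
    print(f"{len(log)} denied flows recorded")
```

The reply from the web server is accepted only because the client's request was admitted first; an unsolicited connection from the application tier back to the web tier on the same port is denied, which is the property a stateful rule gives you and a static port list does not. Denied flows land in the audit record rather than being silently dropped, so the border produces the evidence the security-audit requirement asks for.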

Device and Computing Security

Table 3. Security requirements
  • Identity authentication: Identify and authenticate logged-on users. The identity must be unique.
  • Access control: Create different accounts and assign permissions based on the roles of administrative users. Grant only the least privilege required for each user to perform their tasks to achieve separation of permissions.
  • Security audit: Enable the security audit feature. The audit must cover every user and log important user behaviors and security events.
  • Intrusion prevention: Detect intrusions on important nodes. Provide an alert when a critical intrusion event occurs.
  • Malicious code prevention: Use technical measures to prevent malicious code attacks, or use trusted computing to build a trust chain from the system to the application. This allows for integrity checks of important programs or files during system operation and enables recovery after a breach is detected.
Table 4. Interpretations and countermeasures
Interpretation
  • Avoiding account sharing and recording and auditing O&M operations are basic security requirements.
  • Necessary security measures are required to ensure system-level security and prevent server intrusions.
Countermeasures
  • Use Alibaba Cloud's Bastionhost and Database Audit to audit operations on servers and data. Create separate Bastionhost accounts for each O&M engineer to avoid account sharing.
  • Use Server Guard for complete vulnerability management, baseline checks, and intrusion prevention for servers.
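The malicious-code-prevention requirement above asks for integrity checks of important programs or files during operation and for recovery once tampering is found. The following is an added example, not code from this page or from any Alibaba Cloud product, of the minimal mechanism behind that: hash a set of protected files into a baseline, re-check them, and restore a flagged file from a known-good copy. The file names (`sshd`, `sudo`), their contents and the directory layout are constructed for the demonstration:

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths) -> dict:
    """Record the known-good digest of every protected file."""
    return {str(p): sha256_file(p) for p in paths}


def check_integrity(baseline: dict) -> dict:
    """Return {path: 'modified' | 'missing'} for every file that no longer matches."""
    findings = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif sha256_file(path) != digest:
            findings[path] = "modified"
    return findings


def restore_from_backup(findings: dict, backup_dir, baseline: dict) -> list:
    """Copy the known-good copy back over each flagged file and re-verify it."""
    restored = []
    for path in findings:
        shutil.copy2(Path(backup_dir) / Path(path).name, path)
        if sha256_file(path) == baseline[path]:
            restored.append(path)
    return restored


def run_demo() -> dict:
    """Constructed scenario: baseline two 'binaries', tamper with one, detect, recover."""
    with tempfile.TemporaryDirectory() as tmp:
        protected = Path(tmp) / "bin"
        backup = Path(tmp) / "backup"   # stands in for an offline, read-only copy
        protected.mkdir()
        backup.mkdir()
        files = []
        for name, body in (("sshd", b"genuine sshd bytes"), ("sudo", b"genuine sudo bytes")):
            p = protected / name
            p.write_bytes(body)
            shutil.copy2(p, backup / name)
            files.append(p)
        baseline = build_baseline(files)
        clean_before = check_integrity(baseline)
        # Simulated compromise: an attacker replaces sshd with a backdoored copy.
        (protected / "sshd").write_bytes(b"backdoored sshd bytes")
        findings = check_integrity(baseline)
        restored = restore_from_backup(findings, backup, baseline)
        clean_after = check_integrity(baseline)
        return {
            "clean_before": clean_before == {},
            "detected": {Path(k).name: v for k, v in findings.items()},
            "restored": [Path(p).name for p in restored],
            "clean_after": clean_after == {},
        }


if __name__ == "__main__":
    print(run_demo())
```

The check is only as trustworthy as the place the baseline and the backup copies live: an attacker with root on the host can rewrite all three, which is why the requirement frames this as a trust chain rooted in the platform rather than as a script on the same machine. Store the baseline and the recovery images off-host or on read-only media, and treat a host-based scanner as a detection aid, not as the root of trust.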

Application and Data Security

Table 5. Security requirements
  • Identity authentication: Identify and authenticate logged-on users. The identity must be unique, and the authentication information must meet complexity requirements.
  • Access control: Grant different accounts the least privilege required to complete their assigned tasks. Establish a system of checks and balances between them.
  • Security audit: Provide a security audit feature. The audit must cover every user and log important user behaviors and security events.
  • Data integrity: Use checksums or encryption and decryption techniques to ensure the integrity and confidentiality of important data during transmission.
  • Data backup and recovery: Provide a geo-redundant, real-time backup feature. Use a communication network to back up important data to a backup site in real time.
Table 6. Interpretations and countermeasures
Interpretation
  • Applications are the direct implementation of specific business services and do not have the relatively standardized characteristics of networks and systems. For most applications, features such as identity authentication, access control, and operation audits are difficult to implement using third-party products.
  • Besides security protection at other layers, encryption with integrity protection (authenticated encryption, or encryption combined with a message authentication code) is the most effective method to ensure data integrity and confidentiality. A plain checksum only detects accidental corruption: an attacker who can modify the data can recompute it.
  • Geo-redundant data backup is one of the most important requirements that distinguishes Level 3 from Level 2 under classified protection (MLPS). It is a fundamental technical measure for ensuring business continuity.
Countermeasures
  • When developing an application, consider its built-in features for identity authentication, access control, and security audits from the beginning.
  • For systems that are already online, add features such as identity verification, user permission differentiation, and log auditing to meet classified protection requirements.
  • For data security, use a mature service such as Alibaba Cloud Certificate Service to implement HTTPS. This ensures that data is encrypted, and protected against tampering, during transmission.
  • For data backup, use RDS geo-disaster recovery instances to automatically back up data. You can also manually sync database backup files to servers in other Alibaba Cloud regions.
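The data-integrity requirement allows "checksums or encryption", and the interpretation above notes why that choice matters against an active attacker. The script below is an added example, not code from this page or from Alibaba Cloud, contrasting a plain SHA-256 checksum with an HMAC-SHA256 tag over the same payload: the attacker who alters the message can recompute the checksum but cannot produce a valid tag without the shared key. The payload (`from=alice&to=bob&amount=100`) and the attacker's modification are constructed for the demonstration:

```python
import hashlib
import hmac
import secrets


def checksum_tag(msg: bytes) -> str:
    """Plain hash over the data; anyone who can read the data can recompute it."""
    return hashlib.sha256(msg).hexdigest()


def checksum_ok(msg: bytes, tag: str) -> bool:
    return hmac.compare_digest(checksum_tag(msg), tag)


def mac_tag(key: bytes, msg: bytes) -> str:
    """HMAC-SHA256 over the data; recomputing it requires the shared secret."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def mac_ok(key: bytes, msg: bytes, tag: str) -> bool:
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(mac_tag(key, msg), tag)


def tamper(msg: bytes) -> bytes:
    """An attacker on the path rewrites the transfer amount (constructed change)."""
    return msg.replace(b"amount=100", b"amount=9999")


def run_demo() -> dict:
    key = secrets.token_bytes(32)            # known to sender and receiver only
    msg = b"from=alice&to=bob&amount=100"    # constructed sample payload

    # Sender protects the message both ways.
    c_tag = checksum_tag(msg)
    m_tag = mac_tag(key, msg)

    # Attacker modifies the payload in transit. With a checksum they simply recompute it;
    # with a MAC they lack the key, so the best they can do is guess or reuse the old tag.
    forged = tamper(msg)
    forged_c_tag = checksum_tag(forged)
    forged_m_tag = mac_tag(b"not the real key", forged)

    return {
        "genuine_checksum_ok": checksum_ok(msg, c_tag),
        "genuine_mac_ok": mac_ok(key, msg, m_tag),
        "tampered_passes_checksum": checksum_ok(forged, forged_c_tag),
        "tampered_passes_mac": mac_ok(key, forged, forged_m_tag),
        "old_mac_on_tampered_data": mac_ok(key, forged, m_tag),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check:28s} {result}")
```

In a deployed system you rarely compute this yourself: the HTTPS countermeasure above gets the same property from TLS, whose record layer authenticates every fragment, and data at rest should use an authenticated-encryption mode such as AES-GCM so that confidentiality and integrity come from one primitive. The point of the example is what the requirement's "checksum" option does not buy you once the adversary can write to the channel.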

Security Management Policy

Table 7. Security requirements
  • Security policy and management system: Establish a comprehensive information security management system that includes security policies, management rules, operating procedures, and record forms.
  • Security management organization and personnel: Establish a committee or leadership group to guide and manage information security. The head of this group must be appointed or authorized by the organization's top management.
  • Security construction management: Conduct overall security planning and solution design based on the protection level of the target object and its relationship with objects of other protection levels. Create supporting documentation.
  • Security operations management: Take necessary measures to identify security vulnerabilities and risks. Promptly patch discovered vulnerabilities and risks, or assess their potential impact before patching.
Table 8. Interpretations and countermeasures
Interpretation
  • Security policies, systems, and management personnel are a crucial foundation for ensuring continuous security. Policies guide the direction of security, systems define security processes, and personnel implement security responsibilities.
  • The classified protection requirements provide a methodology and best practices. Security can be continuously built and managed according to this methodology.
Countermeasures
  • The customer's management team must define, prepare, and implement security policies, systems, and personnel roles based on the company's specific situation, and create dedicated documentation.
  • For the technical measures required during vulnerability management, use Alibaba Cloud's Managed Security Service and Crowdsourcing Security Testing service to quickly discover and promptly address system vulnerabilities in the cloud.