As the network technology changes with each passing day, the Internet has become an integral part of everyone's life. As a result, network and information security has also become a public security event of great concern.
Shanghai Symphony Telecommunications Co., Ltd. (hereinafter referred to as “SST”) was established in December 2000, and was approved to start business in February 2001. As a high-quality Sino-foreign joint venture engaged in value-added telecom operations in China, SST undertakes the security responsibility of SST Data Center’s machine rooms in Hulan Road and Rijing Road, Shanghai, and acts as the organization responsible for grading the information system. In fact, the safe and reliable operation of the information system is fundamental for the smooth operation of SST’s business.
In order to further improve the guarantee capability of the information system and follow the requirements of the national network security grade protection system, SST entrusts the National Quality Supervision and Testing Center for Information Network Products to conduct security grade evaluation on the machine rooms of SST Data Center. The evaluation is conducted to give a preliminary judgment of the status of security technology and management of the target system by evaluating the target system in terms of security technology and management, so as to point out the gap between the target system and the corresponding protection requirements of security grade in terms of security technology and management. The entrusting party will further improve system security strategies and security technology protection measures based on the evaluation conclusion.
In order to carry out the evaluation, SST’s management has set up a leading group of information security to organize the personnel of relevant departments to overcome difficulties, earnestly complete the data and actively cooperate to solve various problems proposed by the entrusted party in combination with the Company’s status quo and according to the latest requirements of each competent department based on the security grade evaluation from 2017 to 2019. In about 2 months from the beginning of July 2020 to the beginning of September 2020, the leading group finally achieved a good score of 87.03 points after various strict audits, and successfully completed the security protection grade evaluation Level 3 (S3A3G3) for SST Data Center’s machine rooms.
Throughout the evaluation process, SST has adopted the corresponding security mechanism in respect to the major potential security threats faced by Data Center’s machine rooms by analyzing the basic security protection status of the information system, basically playing the role of protecting the important assets of the information system. In terms of security responsibility system, this evaluation has improved the organizations and personnel of security management, and clarified their responsibilities. Company leaders act as the leaders of the leading group of information security to be responsible for leading the management of information security; relevant department heads of information security serve as members of the leading group of information security to assist in implementing related work of information security; specific responsibilities shall be assigned to specific responsible persons.
In terms of management system, this evaluation has enabled the establishment of a more complete information security guarantee system. In accordance with the Information Security Management Strategies of Shanghai Symphony Telecommunications Co., Ltd., it has clarified the safety guidelines, overall objectives and information security strategies of security work; and has formed a comprehensive information security management system composed of security strategies, management system and operating procedures, etc.
In terms of infrastructure and network environment, adequate redundancy measures at the network level and security reinforcement were carried out. The machine rooms deployed in Hulan Road and Rijing Road have certain ability to control physical access, prevent fire, resist water and moisture, resist static electricity and control temperature and humidity, as well as effective power supply guarantee. The equipment in the machine rooms can be provided with safer protection by means of software and hardware.
In terms of security control measures, security on resistance to attack and security audit was reinforced, and bastion host, log audit platform, vulnerability scanning platform, anti-DDOS equipment, IDS and other equipment were deployed in a systematic manner with the corresponding protection strategies also provided.
In terms of data protection, measures for protecting transmission integrity and encryption for key and sensitive data was taken.
In terms of system planning and construction, in combination with the security demand design scheme of the system, it has strictly complied with the requirements of grade protection in terms of grading, filing, evaluation and rectification.
In terms of system operation and maintenance management, it has established an operation and maintenance guarantee, monitoring and emergency response system at all levels, including infrastructure, application and security, etc.
This evaluation has enabled us to see our own deficiencies in progress. According to the evaluation results, the Company has developed a series of targeted protective measures, sparing no effort to meet the increasingly stringent requirements of network information security from various angles, such as personnel, system and equipment, etc. In fact, this move not only infuses the development of SST with new energy, but will also win the recognition and trust of more customers for SST.