The principle of () should be adopted in the security management of classified information systems. (multiple choice question)

Moderate safety.

The basic principles of information security management are the policy guiding principle, the risk assessment principle, the prevention first principle, the moderate security principle, the technology maturity principle and the standard principle.

Policy guiding principle: All information security management activities should be carried out under the guidance of unified policies.

Risk assessment principle: The formulation of information security management strategy should be based on the results of risk assessment.

Prevention first principle: Information security should be considered at the same time as the planning, design, procurement, integration and installation of information systems; taking chances or making up for omissions afterwards is not allowed.

The principle of moderate safety: balance the cost of security controls against the potential loss from risks, pay attention to practical results, and reduce the risks to a level acceptable to users. There is no need to pursue absolute and expensive security, and in fact there is no absolute security.

Principle of technology maturity: try to choose mature technology to obtain reliable security. When adopting new technologies, we should be cautious and pay attention to their maturity.

Principle of norms and standards: the security system should follow unified operation norms and technical standards to ensure interconnection; otherwise, multiple security islands will form and there will be no unified overall security.

Content of information security management

1. Information security risk management: Information security management is the security management of information, information carriers and information environment according to security standards and requirements, so as to achieve security objectives. Risk management runs through the whole information system life cycle, including background establishment, risk assessment, risk treatment, approval and supervision, monitoring and review, communication and consultation.

2. Information security management system: The information security management system is a part of the overall management system. It is the system of methods an organization uses to establish information security policies and objectives, for the whole organization or within a specific scope, and to accomplish these objectives. Based on the understanding of business risks, the information security management system includes a series of management activities such as the establishment, implementation, operation, monitoring, maintenance and improvement of information security. It is a collection of organizational structure, policies and strategies, planned activities, objectives and principles, personnel and responsibilities, processes and methods, resources and many other elements.