Objectives and principles of information security

All information security technologies exist to achieve particular security objectives. At the core are five: confidentiality, integrity, availability, controllability and non-repudiation.

Confidentiality means preventing unauthorized subjects from reading information. It has been a property of information security since the field began and remains one of its main research areas. More generally, sensitive information must not be obtainable by unauthorized users. For paper documents it is enough to keep the documents away from unauthorized people. In computer and network environments it is not enough to stop unauthorized people from reading the information; authorized people must also be prevented from passing the information they access on to unauthorized people, which would leak it.

Integrity means preventing information from being tampered with without authorization: the information is protected so that it stays authentic. If information is deliberately modified, inserted or deleted, the resulting false information can have serious consequences.

Availability means that authorized subjects can obtain service in time when they need information. Availability is a newer requirement, added in the information assurance stage of the discipline's development, and one that networked space must meet.

Controllability means applying security monitoring and management to information and information systems so that they cannot be used illegally.

Non-repudiation means that, in a network environment, neither party to an exchange can deny having sent or received the information.
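The difference between integrity and non-repudiation is easiest to see in code. The following Go program is an added example written for this page (it is not code from the original text or from any organization it names): a message tag computed with HMAC-SHA256 under a key both parties share detects tampering, but the receiver, holding the same key, can mint a tag for a message the sender never sent, so the sender can repudiate it. An Ed25519 signature, made with a private key only the sender holds and checked with a public key anyone can hold, is what gives non-repudiation. The message, the shared key and the forged message are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample message for the demonstration (not from any real system).
const sampleMessage = "transfer 100 units from account A to account B"

// hmacTag computes an integrity tag under a key that sender and receiver share.
func hmacTag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// hmacVerify recomputes the tag and compares in constant time. It detects
// tampering (integrity), but because the receiver holds the same key it could
// have produced the tag itself, so the tag proves nothing to a third party.
func hmacVerify(key, msg, tag []byte) bool {
	return hmac.Equal(hmacTag(key, msg), tag)
}

// Signer holds an Ed25519 key pair. The private half never leaves the sender.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh key pair from the OS random source.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// Public returns the verification key, which can be handed to anyone.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// Sign produces a signature that only the private-key holder can create.
func (s *Signer) Sign(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// Verify needs only the public key, so the receiver, an auditor or an
// arbitrator can all check it: a valid signature binds the message to the
// sender in a way the sender cannot deny and the receiver cannot forge.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	key := []byte("shared-key-known-to-both-parties") // constructed sample key
	msg := []byte(sampleMessage)
	forged := []byte("transfer 900 units from account A to account B")

	tag := hmacTag(key, msg)
	fmt.Println("HMAC accepts original:      ", hmacVerify(key, msg, tag))
	fmt.Println("HMAC accepts tampered:      ", hmacVerify(key, forged, tag))
	// The receiver shares the key, so it can mint a tag for a message the
	// sender never sent: integrity holds, non-repudiation does not.
	fmt.Println("receiver forges HMAC tag:   ", hmacVerify(key, forged, hmacTag(key, forged)))

	sender, err := NewSigner()
	if err != nil {
		panic(err)
	}
	receiver, _ := NewSigner()
	sig := sender.Sign(msg)
	fmt.Println("signature accepts original: ", Verify(sender.Public(), msg, sig))
	fmt.Println("signature accepts tampered: ", Verify(sender.Public(), forged, sig))
	fmt.Println("receiver forges signature:  ", Verify(sender.Public(), forged, receiver.Sign(forged)))
}
```

The last line is the point: the receiver's own key pair produces a perfectly good signature, but not one that verifies under the sender's public key. In a real deployment the public key would be bound to the sender's identity by a certificate or a trusted directory, which is what turns "some key signed this" into "this sender signed this".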

Confidentiality, integrity and availability mainly concern controlling unauthorized subjects. How, then, is improper behaviour by authorized subjects controlled? Controllability and non-repudiation complement the other three by controlling authorized subjects: authorized users may act only within the scope of their authorization, and their behaviour is supervised and audited.

Beyond these five properties, information security also has auditability and authenticity. Auditability means that participants in an information system cannot deny their information-processing actions; compared with non-repudiation, which concerns identifiable actions within an exchange of information, auditability is broader. Authenticity means that the receiver of information can judge the identity of its sender, a concept likewise related to non-repudiation. To achieve the objectives of information security, the use of the various security technologies must follow some basic principles.

Minimization principle. Protected sensitive information is shared only within a defined scope: security subjects that perform their duties and functions are granted only the access to information that their work requires, within the law and the relevant security policies. The right to know sensitive information must be restricted; it is a limited opening premised on "the needs of the work". The minimization principle can be subdivided into the need-to-know principle and the need-to-cooperate principle.

Principle of decentralization and checks and balances. All rights in an information system should be properly divided so that each authorized subject holds only some of them; the subjects then restrict and supervise one another, which secures the system. If an authorized subject is granted too much authority with no supervision or restriction, the system is exposed to "abuse of power" and to wrongdoing that nobody else is in a position to report.

The principle of secure isolation. Isolation and control are the basic means of achieving information security, and isolation is the foundation of control. A basic strategy of information security is to separate subjects from the objects of information, and to let subjects access objects only according to defined security policies, under controllable and secure conditions.
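The three principles above are usually enforced together by one component, a reference monitor that sits between subjects and objects. The Go program below is an added example written for this page (not code from the original text or any organization it names) and shows how they fit: subjects never touch objects directly (isolation), a read is permitted only when the subject's clearance covers the object's label and the subject is on the object's need-to-know list (minimization), a sensitive operation needs two distinct approvers and a requester can never approve their own request (decentralization and checks and balances), and every decision is written to an audit trail. The subjects, objects, labels and the "payment request" operation are a constructed sample policy.

```go
package main

import (
	"errors"
	"fmt"
)

// Sensitivity labels, lowest to highest. Constructed for this example.
var labelRank = map[string]int{"public": 0, "internal": 1, "secret": 2}

// Object is a protected resource: a label plus an explicit need-to-know list.
type Object struct {
	Label      string
	NeedToKnow map[string]bool // subjects whose duties require this object
}

// Subject is a user or process with a clearance and a set of roles.
type Subject struct {
	Clearance string
	Roles     map[string]bool
}

// Monitor is the reference monitor: every access is mediated here and
// recorded, so subjects cannot reach objects by any other path.
type Monitor struct {
	subjects map[string]Subject
	objects  map[string]Object
	Audit    []string
}

var (
	ErrUnknown      = errors.New("unknown subject or object")
	ErrClearance    = errors.New("clearance below object label")
	ErrNeedToKnow   = errors.New("no need to know")
	ErrNotApprover  = errors.New("subject lacks approver role")
	ErrSelfApproval = errors.New("requester may not approve own request")
	ErrDuplicate    = errors.New("approver already approved this request")
)

func decision(err error) string {
	if err == nil {
		return "permit"
	}
	return "deny (" + err.Error() + ")"
}

// CanRead applies the minimization principle: clearance must cover the label
// AND the subject must have a need to know. Unknown names or labels fail closed.
func (m *Monitor) CanRead(subject, object string) error {
	s, okS := m.subjects[subject]
	o, okO := m.objects[object]
	srank, okSR := labelRank[s.Clearance]
	orank, okOR := labelRank[o.Label]
	var err error
	switch {
	case !okS || !okO:
		err = ErrUnknown
	case !okSR || !okOR || srank < orank:
		err = ErrClearance
	case !o.NeedToKnow[subject]:
		err = ErrNeedToKnow
	}
	m.Audit = append(m.Audit, fmt.Sprintf("read %s by %s: %s", object, subject, decision(err)))
	return err
}

// PaymentRequest is an operation too sensitive for one person to complete alone.
type PaymentRequest struct {
	ID        string
	Requester string
	Approvals map[string]bool
}

// Approve applies checks and balances: the approver must hold the approver
// role, must not be the requester, and cannot count twice.
func (m *Monitor) Approve(req *PaymentRequest, approver string) error {
	s, ok := m.subjects[approver]
	var err error
	switch {
	case !ok:
		err = ErrUnknown
	case !s.Roles["approver"]:
		err = ErrNotApprover
	case approver == req.Requester:
		err = ErrSelfApproval
	case req.Approvals[approver]:
		err = ErrDuplicate
	}
	if err == nil {
		req.Approvals[approver] = true
	}
	m.Audit = append(m.Audit, fmt.Sprintf("approve %s by %s: %s", req.ID, approver, decision(err)))
	return err
}

// Released reports whether two distinct approvers have signed off.
func (req *PaymentRequest) Released() bool { return len(req.Approvals) >= 2 }

// NewSampleMonitor builds the constructed policy: three subjects, two objects.
func NewSampleMonitor() *Monitor {
	return &Monitor{
		subjects: map[string]Subject{
			"alice": {Clearance: "secret", Roles: map[string]bool{"requester": true, "approver": true}},
			"bob":   {Clearance: "secret", Roles: map[string]bool{"approver": true}},
			"carol": {Clearance: "internal", Roles: map[string]bool{"approver": true}},
		},
		objects: map[string]Object{
			"payroll":  {Label: "secret", NeedToKnow: map[string]bool{"alice": true}},
			"handbook": {Label: "internal", NeedToKnow: map[string]bool{"alice": true, "bob": true, "carol": true}},
		},
	}
}

func main() {
	m := NewSampleMonitor()
	m.CanRead("bob", "payroll")   // cleared for secret, but no need to know
	m.CanRead("carol", "payroll") // need-to-know irrelevant: clearance too low
	req := &PaymentRequest{ID: "pay-1", Requester: "alice", Approvals: map[string]bool{}}
	m.Approve(req, "alice") // self-approval refused even though alice is an approver
	m.Approve(req, "bob")
	m.Approve(req, "carol")
	fmt.Println("released:", req.Released())
	for _, line := range m.Audit {
		fmt.Println(line)
	}
}
```

Note that bob is denied the payroll object although his clearance is high enough: clearance alone is the "restricted opening", and need-to-know is what actually makes it minimal. The audit slice is the auditability property from the previous section in its simplest form; a real monitor would write it to append-only storage that the subjects it watches cannot modify.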

On the basis of these basic principles, practitioners have also distilled a number of implementation principles from production practice, which make the basic principles concrete and extend them. They include: the principle of overall protection, the principle that whoever is in charge is responsible, the principle of moderately graded protection, the principle of protection by domain, the principle of dynamic protection, the principle of multi-level protection, the principle of defence in depth, and the principle of information flow.

The China Information Security Evaluation and Certification Center is China's highest-level information security certification body. Its evaluation and certification projects fall into four categories: information security product evaluation, information system security level certification, information security service qualification certification, and information security practitioner qualification certification.

Information security product evaluation: evaluates the security of domestic and foreign information technology products, including security products such as firewalls, intrusion detection, security audit, network isolation, VPN, smart cards, card terminals and security management, as well as non-security IT products such as operating systems, databases, switches, routers and application software.

By evaluation basis and content, it is divided into: graded evaluation of information security products, identification evaluation of information security products, independent original evaluation of information technology products, source-code security risk evaluation, selective testing, and customized testing.

Information system certification:

China information system security testing and evaluation.

Depending on the standards and evaluation methods applied, China's information system security testing, evaluation and certification mainly provide: information security risk assessment, information system security level protection assessment, information system security assurance capability assessment, information system security scheme assessment, and information security risk assessment of e-government projects.

Information security service qualifications:

Reviews, evaluates and certifies the qualifications of organizations and units that provide information security services.

Information security service qualification is the process of evaluating, under open standards and procedures, the technical, resource, legal, management and other qualifications and capabilities of information system security service providers, together with their stability and reliability, in order to determine their capacity to support security services. It is divided into: information security engineering, information security disaster tolerance, and security operation and maintenance.

Qualifications of information security professionals:

Assesses, evaluates and certifies the qualifications of information security professionals.

The evaluation and qualification of information security personnel mainly covers specialized training such as CISP, CISM and security assembly, together with information security awareness training.