Research on Risk Analysis and Security Protection of Information System

Various security risks accompany the use of an information system. If we ignore them, take them lightly or leave them to chance, these risks will lead to security incidents and may cause immeasurable losses. Doing risk analysis and security protection well is therefore vital to the safe use of the system.

With the development of information technology, information systems have spread into every part of our lives, work and study and have brought sweeping changes. This paper analyzes the risks that exist in information systems and puts forward corresponding security protection measures. Throughout the life cycle of a system, its security is ensured by personnel defense, physical defense, technical defense and preventive defense, so that information systems can improve our life, work and study while the effects of system security risks are reduced or eliminated. These measures are offered for discussion.

Keywords: information system; information security; security risks; safety protection

1 Importance of information system risk analysis

Risk exists throughout the life cycle of an information system, which has five stages: planning and start-up; design, development or procurement; integration; operation and maintenance; and abandonment. The Code for Risk Assessment of Information Security Technology (GB/T20984-2007) sets out the requirements for risk analysis across this life cycle: in the design stage, risk analysis determines the security objectives of the system; in the construction acceptance stage, it determines whether those objectives have been achieved; in the operation and maintenance stage, it is carried out continuously to determine the effectiveness of the security measures and to ensure that the security objectives continue to be met. In the planning and start-up stage, the purpose, requirements, scale and security requirements of the information system are put forward, and the security requirements can be determined through risk analysis. In the design, development or procurement stage, the information system is designed, purchased, developed or built.

Risk analysis supports the security analysis of the information system, which may influence trade-offs between architecture and design during system development. In the integration stage, the security functions of the information system are configured, activated, tested and verified. Risk analysis supports the evaluation of how well the system has been implemented, checking whether it meets the requirements and whether its operating environment is as designed. Before the system goes into operation, a series of risk decisions must be made. In the operation and maintenance stage, the information system is in service. Under normal circumstances the system is modified continually: hardware and software are added, or the operating rules, policies or processes of the organization change. Through risk analysis, the system can be re-evaluated, or major changes to it assessed, to better ensure that it meets the requirements of stable operation and use.

The abandonment stage mainly involves the disposal of information, hardware and software. These activities may include transferring, backing up, discarding and destroying information, and the classified processing of software and hardware. Risk analysis ensures that, when system components are discarded or replaced, the hardware and software are properly disposed of, the remaining information is properly handled, and the system update is completed in a safe and systematic way.

2 Information system security risks and impacts

System security risks exist in every stage of the information system life cycle. In the planning and start-up stage, if there is no comprehensive security scheme and no detailed design, and the data security and functional services of the system are not analyzed as a whole, the system design may contain security risks and vulnerabilities, and various problems may be exposed after the system goes into production, such as unreasonable equipment performance configuration, unreasonable system function settings or unreasonable database table structure design, which may lead to slow system response and data errors. In the design, development or procurement stage, if the work is not carried out according to the original planning and requirements, arbitrary changes and modifications will creep in. The system's functions may then fall short of the original design or plan, or unreasonable changes to the scheme may leave the system unable to meet the original functional requirements, bringing more instability to system maintenance and to users. In the integration stage, if the system is not built according to the approved scheme, its function and performance may deviate from what was intended, or manpower, money and materials may be wasted.

At the same time, failure to build according to the plan may introduce unknown security vulnerabilities or hidden dangers, which may affect the security of the system in use. In the operation and maintenance stage, if the system hardware and software are not maintained and used according to the management regulations or operating instructions, the hardware and facilities are easily damaged and the system is exposed to attack and destruction. If equipment is not operated according to the regulations, for example when switching it on and off or during routine maintenance, it is easily damaged and its service life is shortened. Likewise, if system software is not used, upgraded and updated in accordance with the security management rules, the system becomes vulnerable to attack and illegal use. In the abandonment stage, if the software and hardware of the system are not processed according to the relevant requirements, important or sensitive data in the equipment or system may leak, with a serious impact on system maintenance or users. If sensitive data is maliciously disclosed or leaked to the public, it may have an adverse social impact.

As mentioned above, security risks exist throughout the life cycle of an information system, and the risks differ from stage to stage, so their impact differs according to the characteristics and cycle of the system. According to the different security protection capabilities of information systems, the Classification Standard of Computer Information Security Protection Levels (GB 17859-1999) defines five levels: user-independent protection level, system audit protection level, security mark protection level, structured protection level and access verification protection level. Each level requires different security protection capabilities, and users can adopt the protection capabilities appropriate to the importance of the system. According to the classification standard of the system, in the Guide to Security Level Protection of Information Security Technology Information System (GB/T22240-2008), according to the object (national security, social order/public interests, legitimate rights and interests of citizens/legal persons and other organizations) and the degree of the object (especially serious damage, serious damage, general damage) when the system is destroyed,

At the same time, these influences are described systematically in the classification guide (GB/T22240-2008). At the level of national security, they include the influence on the stability of state power and national defense strength; on national unification, ethnic unity and social stability; on the political and economic interests of the country in foreign activities; and on national economic competitiveness and scientific and technological strength. At the level of social order, they include the influence on the work order of social management and public service by state organs, on the order of various economic activities, and on the order of scientific research and production in various industries. At the level of public interest, they include the influence on the use of public facilities, the acquisition of public information resources and the acceptance of public services by members of society. The impact on the legitimate rights and interests of citizens, legal persons and other organizations includes the impact on certain social rights and interests, recognized and protected by law, that they enjoy.

3 Information system security protection

Information systems face various risks in use, such as network attacks; information leakage such as interception of user identity; masquerading; replay attacks; data interception; illegal use; viruses; denial of service; loss of database files; system damage; leakage of system source files; leakage of management account passwords; and malicious code attacks. In view of these risks, we should take protection and hardening measures to keep the risks within a controllable range and to guarantee the safe and stable operation of the system. "Basic Requirements for Information System Security Level Protection" (GB/T22239-2008) defines the basic requirements that a system at each level must meet to satisfy the security requirements of that level, following the system levels in the classification guide.

The basic requirements provide reference standards for the operation and maintenance of the system from the aspects of personnel defense, physical defense, technical defense and preventive defense, which together cover essentially the whole life cycle of the system. Ensuring the safe and stable operation of the system involves two aspects: technology and management. The technical aspect mainly covers physical security, network security, host security, application security, and data security and backup recovery. The management aspect mainly covers the security management system, the security management organization, personnel security management, system construction management, and system operation and maintenance management. Combining the two, we can protect and harden the system through personnel defense, physical defense, technical defense and preventive defense.

Personnel defense: throughout the life cycle of the system, people play the most important role and are the core factor.

(1) People should have the technical skills to handle the situations that arise over the whole life of the system; sufficient theoretical knowledge and strong practical ability yield twice the result with half the effort in keeping the system stable. (2) During operation and maintenance, people need to work in strict accordance with the relevant rules and regulations and produce the corresponding records. Major operations need detailed operation plans or steps together with backup measures, and the plans need to be approved and confirmed. (3) For the management and training of operation and maintenance personnel, all personnel who operate and maintain important information should sign confidentiality agreements and security responsibility letters, and training should be carried out, regularly or irregularly, to improve their technical skills to the level the system's maintenance requires.

There is also an important premise here: the person in charge of the unit should attach importance to the security of the system, support the work of the staff in each position, and treat information security as a major matter. Only with the full attention of the leadership can the work of all personnel be fully supported and the safe and stable operation of the system be better maintained.

Physical defense: the operation of an information system depends on various hardware and software facilities, from basic computer room facilities to network equipment, security equipment, host equipment, application software, auxiliary software, and lines and cables.

A complete operating environment therefore contributes greatly to the stable operation of the system, and the computer room can be designed and built according to the requirements of the system and the national computer room construction standards. Network and equipment should be deployed redundantly, with hardware redundancy for both equipment and lines, and should be equipped with the corresponding security protection equipment and software, including firewall, WAF, IDS/IPS, antivirus gateway, anti-malicious code software, computer room monitoring platform, network and host monitoring platform, etc. Deploying software and hardware products that meet the necessary requirements safeguards the system and supports its stable operation.

The safe and stable operation of an information system is inseparable from the support of its equipment. "A clever woman can't cook without rice." Without reasonable equipment configuration, even the best management and technology cannot guarantee the safe and stable operation of the system.

Technical defense: the investment in equipment needs reasonable security policy deployment before it can play its protective role. Therefore, besides installing the corresponding security equipment, we need to set reasonable security policies according to the requirements of the system, such as the access control policy, routing policy, upgrade and update policy, malicious code removal policy, data backup policy and security access rules. Policy and equipment together provide the key protection and guarantee the stable operation of the system. Policies should also be set according to the operating environment and conditions of the system, including the network environment and the usage environment. For example, when limiting network traffic and bandwidth, we should consider the daily traffic of the system and the available network bandwidth. The most reasonable strategy is the most important. Application needs and security must be combined so that the system is both available and secure.

Under current conditions, network attacks of all kinds are hard to guard against. If we combine the various security devices and make full use of their protection capabilities, follow the principles of minimum authorization and minimum service, close redundant services and ports, and set reasonable security policies, we can minimize security risks and keep them under control.

Preventive defense: without rules, nothing can be accomplished. Formulating and improving the information security management system is the key to the stable operation of the information system. Our operations should be carried out in strict accordance with the relevant rules and regulations, so the rationality and enforceability of the management system is particularly important. Across the whole organization, a body of documents consisting of the information security policy, the security management system and the operating rules and regulations should be established. Guidelines, policies, rules and operating procedures need to be discussed and approved by the responsible personnel and continually revised and improved through the PDCA cycle, so that the whole set of documents meets the requirements of system operation and maintenance. Once the management system is determined and implemented, all personnel must strictly abide by it.

We implement our operation and maintenance work specifications through the system administrator, so that staff do not carry out operation and maintenance according to their own habits and introduce uncertain hidden dangers to the system. A complete and applicable management system takes several years of practice to mature. Only a management system that is applicable and truly implemented can ensure the safe and stable operation of the information system. The management system should not stay on paper, but should be used to handle all kinds of inspections. Only when it runs through the whole process of system management can we see its true meaning. Personnel defense, physical defense, technical defense and preventive defense complement and interweave with each other. Starting from the implementation of the management system, people combine equipment and technology to ensure the stable operation of the information system, reduce the security risk coefficient and keep the risk within a controllable range.
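The "minimum service" principle described above (close redundant services and ports) can be checked mechanically by comparing what a host actually listens on with an approved baseline. The following is an added example, not code from the article: the `APPROVED` baseline and the sample lines, written in the style of `ss -H -tlnp` output, are constructed for illustration.

```python
import re

# Constructed sample in the style of `ss -H -tlnp` output (not from the article).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=811,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1200,fd=6))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=950,fd=21))
LISTEN 0 32 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=702,fd=3))
LISTEN 0 128 [::]:23 [::]:* users:(("telnetd",pid=640,fd=4))
"""

# Hypothetical approved baseline: port -> (expected process, may listen beyond loopback?)
APPROVED = {
    22: ("sshd", True),
    443: ("nginx", True),
    3306: ("mysqld", False),  # database is approved on loopback only
}

LOOPBACK = {"127.0.0.1", "::1"}
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?'
)

def parse_listeners(text):
    """Return (address, port, process) for every LISTEN line."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            addr = m.group(1).strip("[]")  # drop IPv6 brackets
            listeners.append((addr, int(m.group(2)), m.group(3) or "unknown"))
    return listeners

def audit(listeners, approved):
    """Return (port, process, reason) for every deviation from the baseline."""
    findings = []
    for addr, port, proc in listeners:
        if port not in approved:
            findings.append((port, proc, "not in approved baseline: disable or justify"))
            continue
        want_proc, may_expose = approved[port]
        if proc != want_proc:
            findings.append((port, proc, f"unexpected process, baseline expects {want_proc}"))
        if addr not in LOOPBACK and not may_expose:
            findings.append((port, proc, "should listen on loopback only"))
    return findings

if __name__ == "__main__":
    for port, proc, reason in audit(parse_listeners(SAMPLE_SS_OUTPUT), APPROVED):
        print(f"port {port} ({proc}): {reason}")
```

Run against real `ss` output on a schedule, a check like this turns the approved-service list from the management documents into a record that can be reviewed in each PDCA cycle.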

4 Conclusion

Information system security risks exist objectively. As long as the risks are well controlled, the stable and safe operation of the system can be guaranteed. This paper has described and analyzed the security risks of information systems and, in light of those risks, described the corresponding security protection. By strengthening the stable operation of the system through personnel defense, physical defense, technical defense, preventive defense and other means, I hope all information systems can run more safely and stably and bring more convenience and enjoyment to our life, work and study.

References

[1] Code for Risk Assessment of Information Security Technology (GB/T20984-2007)[S].

[2] Classification Standard for Computer Information Security Protection (GB 17859-1999)[S].

[3] Information Security Technology Information System Security Protection Classification Guide (GB/T22240-2008)[S].

[4] Basic Requirements for Information Security Technology and Information System Security Level Protection (GB/T22239-2008)[S].
