1. The principle of leadership responsibility
The principal leaders should establish the purpose and policy for organizing and unifying information security; they are responsible for improving employees' security awareness, organizing effective security teams, mobilizing and optimizing the necessary resources, coordinating the relationship between security management and the work of the various departments, and ensuring that the policy is implemented and effective.
2. The principle of full participation
All personnel associated with the information system should take part in its security management and cooperate and coordinate with the relevant parties to ensure the security of the information system.
3. The principle of the systems approach
Following the requirements of systems engineering, identify and understand the interrelated levels and processes of information security, and combine management and technical measures to improve the effectiveness and efficiency with which security objectives are achieved.
4. The principle of continuous improvement
Security management is a dynamic feedback process that runs through the whole life cycle of the system. As security requirements and system vulnerabilities change, threat levels rise, the system environment changes and awareness of system security deepens, the existing security policies, risk acceptance decisions and protective measures should be reviewed, revised, adjusted and, where necessary, upgraded in time to maintain and continuously improve the effectiveness of the information security management system.
5. The principle of management according to law
Information security management is embodied mainly in management actions, so the legality of the managing entity, the management actions, the management content and the management procedures must be ensured. When handling security incidents, the authorized person should release accurate and consistent information promptly to avoid adverse social impact.
6. The principle of separation of duties and authorization
Separation of management functions across specific roles or areas of responsibility, independent auditing and similar controls should be implemented to avoid the hidden dangers of excessive concentration of power, thereby reducing the chance of unauthorized modification or abuse of system resources. Any entity (such as a user, administrator, process, application or system) should hold only the privileges necessary to complete its tasks and no superfluous privileges.
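As an added illustration of principle 6 (not part of the original text), the following Python sketch models least privilege and separation of duties as an enforceable policy rather than a statement of intent: each role carries only the permissions its tasks need, role combinations that would let one person both request and approve a change (or both modify configuration and manage the audit trail) are rejected at assignment time, self-approval is refused at run time even if an identity somehow ends up holding both permissions, and every decision is recorded in an append-only log for independent audit. The roles, permission names and the change-request workflow are assumptions constructed for this example.

```python
"""Least privilege and separation of duties (SoD) as an enforceable policy.

Example code written for this page; roles, permissions and the
request/approve workflow are constructed assumptions, not a standard.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Least privilege: each role carries only what its tasks require.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "operator": frozenset({"config:read", "change:request"}),
    "approver": frozenset({"config:read", "change:approve"}),
    "admin":    frozenset({"config:read", "config:write"}),
    "auditor":  frozenset({"config:read", "audit:read", "audit:manage"}),
}

# Separation of duties: permission pairs one identity must never hold
# together, because holding both lets a single actor approve their own
# work or alter the record that would reveal it.
SOD_CONFLICTS: FrozenSet[FrozenSet[str]] = frozenset({
    frozenset({"change:request", "change:approve"}),
    frozenset({"config:write", "audit:manage"}),
})

# Append-only record of every authorization decision: (actor, action, decision).
AUDIT_LOG: List[Tuple[str, str, str]] = []


def audit(actor: str, action: str, decision: str) -> None:
    AUDIT_LOG.append((actor, action, decision))


@dataclass(frozen=True)
class Subject:
    name: str
    permissions: FrozenSet[str]


def permissions_for(roles: Iterable[str]) -> FrozenSet[str]:
    """Union of the permissions granted by a set of roles (unknown role -> KeyError)."""
    perms: FrozenSet[str] = frozenset()
    for role in roles:
        perms |= ROLE_PERMISSIONS[role]
    return perms


def static_sod_violations(perms: FrozenSet[str]) -> List[FrozenSet[str]]:
    """Return every conflicting pair fully contained in the permission set."""
    return [pair for pair in SOD_CONFLICTS if pair <= perms]


def create_subject(name: str, roles: Iterable[str]) -> Subject:
    """Assign roles, refusing any combination that breaks separation of duties."""
    roles = list(roles)
    perms = permissions_for(roles)
    violations = static_sod_violations(perms)
    if violations:
        audit(name, "assign_roles", "denied")
        raise ValueError(
            f"role set {sorted(roles)} grants conflicting permissions "
            f"{[sorted(v) for v in violations]}"
        )
    audit(name, "assign_roles", "granted")
    return Subject(name, perms)


def authorize(subject: Subject, permission: str) -> bool:
    """Default-deny check; both outcomes are logged for independent audit."""
    allowed = permission in subject.permissions
    audit(subject.name, permission, "allow" if allowed else "deny")
    return allowed


@dataclass
class ChangeRequest:
    description: str
    requester: str
    approver: str = ""
    status: str = "pending"


def request_change(subject: Subject, description: str) -> ChangeRequest:
    if not authorize(subject, "change:request"):
        raise PermissionError(f"{subject.name} may not request changes")
    return ChangeRequest(description, subject.name)


def approve_change(subject: Subject, change: ChangeRequest) -> ChangeRequest:
    """Dynamic SoD: even a subject holding change:approve may not approve its own request."""
    if not authorize(subject, "change:approve"):
        raise PermissionError(f"{subject.name} may not approve changes")
    if subject.name == change.requester:
        audit(subject.name, "change:approve", "deny-self-approval")
        raise PermissionError(f"{subject.name} cannot approve their own request")
    change.approver = subject.name
    change.status = "approved"
    return change


if __name__ == "__main__":
    alice = create_subject("alice", ["operator"])
    bob = create_subject("bob", ["approver"])
    cr = request_change(alice, "rotate TLS certificate on gateway")
    approve_change(bob, cr)
    print(cr.status, "by", cr.approver)
    for entry in AUDIT_LOG:
        print(entry)
```

The static check (at role assignment) and the dynamic check (at approval time) are deliberately redundant: the first prevents a toxic combination from being granted through the normal path, the second catches identities that acquired it some other way, and the audit log lets the auditor role verify both without being able to alter configuration.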
7. The principle of selecting mature technologies
Mature technologies offer good reliability and stability, so when adopting a new technology its maturity should be weighed: pilot it locally first and then roll it out step by step to reduce or avoid possible mistakes.
8. The principle of classified protection
Determine the security protection level of the information system according to the classification standard and implement protection accordingly. For a large information system composed of multiple subsystems, determine the basic security protection level of the system as a whole and then, according to actual security requirements, determine the security protection level of each subsystem separately so as to implement multi-level security protection.
9. The principle of giving equal weight to management and technology
Adhere to active defence and comprehensive prevention, comprehensively improve the security protection capability of information systems, proceed from national conditions, and combine management with technology and scientific management with technological foresight to ensure that information system security achieves the expected goals.
10. The principle of combining self-protection with state supervision
Information system security combines self-protection with national protection. Organizations are responsible for the security protection of their own information systems, and the relevant government departments have the responsibility to guide, supervise and inspect the security of information systems, forming a management model that combines self-management, self-inspection, self-evaluation and state supervision, improving the security protection capability and level of information systems, and ensuring national information security.