Policy guiding principle: All information security management activities should be carried out under the guidance of unified policies.
Risk assessment principle: The formulation of information security management strategy should be based on the results of risk assessment.
Prevention first principle: In the planning, design, procurement, integration and installation of information systems, information security should be considered at the same time; it is not acceptable to rely on luck or to retrofit security afterwards.
Moderate security principle: The cost of security controls should be balanced against the potential loss from risk, with attention to practical results, so that risks are reduced to a level acceptable to users. There is no need to pursue absolute, expensive security; in fact, absolute security does not exist.
Technology maturity principle: Prefer mature technologies to obtain reliable security. When adopting new technologies, be cautious and pay attention to their maturity.
Norms and standards principle: The security system should follow unified operational norms and technical standards to ensure interoperability; otherwise, multiple security islands will form and there will be no unified overall security.
Content of information security management
1. Information security risk management: Information security management is the security management of information, information carriers and the information environment according to security standards and requirements, so as to achieve security objectives. Risk management runs through the whole information system life cycle, including context establishment, risk assessment, risk treatment, approval and supervision, monitoring and review, and communication and consultation.
2. Information security management system: An information security management system is part of the overall management system; it is also the system of methods an organization uses to establish information security policies and objectives, across the whole organization or within a specific scope, and to accomplish those objectives. Based on an understanding of business risks, the information security management system covers a series of management activities: establishing, implementing, operating, monitoring, maintaining and improving information security. It is a collection of organizational structure, policies and strategies, planned activities, objectives and principles, personnel and responsibilities, processes and methods, resources and many other elements.
3. Information security control measures: Information security control measures are the specific means and methods used to manage information security risks. Keeping risks within an acceptable range depends on the various security measures the organization deploys. A reasonable set of control measures should integrate technical, managerial, physical, legal, administrative and other methods to deter security violators and even criminals, to prevent and detect security incidents, and to restore a damaged system to its normal state.