How to establish an effective information security system


How to effectively build an information security guarantee system

With the development of information technology, governments and enterprises have become increasingly dependent on information resources. Without the support of various information systems, many governments and enterprises could not operate their core business and functions normally. At the same time, information systems are more fragile and more vulnerable to attack than traditional physical assets, and should be properly protected. With the development of the Internet and network technology, the information systems of governments and enterprises face ever greater risks and challenges. This has led more users, vendors and standardization organizations to seek a comprehensive system that effectively ensures the overall security of information systems, and so the information security guarantee system came into being. Its main purpose is to bring the risks faced by a government or enterprise down to a controllable level through the comprehensive and effective construction of an information security management system, an information security technical system and an information security operation and maintenance system, and further to ensure the operational efficiency of information systems.

Information security guarantee system usually includes information security management system, technical system and operation and maintenance system. This paper will focus on the construction method of information security management system.

The first step of construction is to determine the specific objectives of information security management system construction.

The construction of an information security management system establishes, for the whole organization or for a specific scope within it, the information security policies and objectives and the methods adopted to achieve them. It consists of two parts, the information security organization system and the information security policy system, and it achieves its specific construction goals through information security governance.

Information security organization system: the organizational structure that an organization forms in order to carry out its information security policies and objectives.

The specific organizational structure includes decision-making, management, implementation and supervision bodies.

Information security policy system: the overall information security policy framework and norms, together with the sum of the norms, processes and rules of information security management. The policy system is divided into three levels, from top to bottom:

First level: the master policy

The master policy is the fundamental information security rule of the group organization, and no department or individual in the organization may violate it. This document sets out the general requirements for information security work.

Second level: technical guidelines and management regulations

Professional requirements, methods and technical means formulated in accordance with the principles of the master policy and in combination with specific departments, applications and actual conditions. This level includes the following two parts:

Technical guidance: put forward requirements and methods from a technical point of view;

Management regulations: focus on organization and management, define responsibilities and requirements, and provide the basis for assessment.

Third level: operation manuals, working rules and implementation processes

Following the principles of the master policy, technical guidelines and management regulations, and combined with actual work, the second-level technical guidelines and management regulations are refined for specific systems into operation manuals and workflows that can guide and standardize specific work, ensuring that security work is institutionalized and routine.

The second step of construction is to determine the appropriate information security construction method.

The methodology for information security system construction that Taiji has accumulated over many years is also called "1-5-4-3-4": based on one basic theory and referring to five standards, three lines of defense are formed around four systems, and finally four goals are achieved.

First, the basic theory of risk management

The methodology of information system risk management is to establish a unified security system, establish an effective application control mechanism, integrate the application systems fully with the security system, form a complete process control system for information systems, and ensure the efficiency and effectiveness of information systems.

Second, follow five relevant domestic and international standards.

In the process of establishing the information security system, we follow the relevant domestic and international standards throughout:

ISO 27001 standard

Graded (classified) protection framework

Graded (classified) protection construction

IT process control management (COBIT)

Information technology process and service management (ITIL/ISO20000)

Third, establish four information security systems

Information security organization guarantee system: establish decision-making, management, implementation and supervision bodies for information security, clarify the roles and responsibilities of the bodies at each level, and improve the information security management and control process.

Information security management guarantee system: the set of management regulations on information security that is formed once the information security organization, operation and technical systems have been standardized and institutionalized.

Information security technology guarantee system: comprehensively use mature information security technologies and products to achieve security functions at different levels, such as identity authentication, access control, data integrity, data confidentiality and non-repudiation.

Information security operation and maintenance guarantee system: under the specification and guidance of the information security management system, handle security issues in a timely, accurate and rapid manner through processes such as secure operation management, standardized operation management, security monitoring, incident handling and change management, and ensure the stable and reliable operation of the business platform and application systems.

Fourth, three lines of defense

The first line of defense: the management system, organization system and technical support system together form a complete security management system and basic security facilities. This is the first line of defense, focused on prevention in advance, and it lays the foundation for the secure operation of the enterprise.

The second line of defense: the technical system and the operation and maintenance system constitute the second line of defense, focused on in-process control. Through careful production scheduling, secure operation and maintenance management, and security monitoring and early warning, potential security hazards are eliminated in time to ensure the continuous and reliable operation of business systems.

The third line of defense: the technical system constitutes the third line of defense, focused on after-the-fact control. For all kinds of sudden disasters, a disaster recovery system is established for important information systems and emergency drills are conducted regularly, forming a mechanism of rapid response and rapid recovery that reduces the losses caused by disasters to a level the organization can accept.

Fifth, four major security goals

Information security: protect the confidentiality, integrity and availability of the government's or enterprise's business data and information.

System security: ensure the security of the government's or enterprise's network systems, host operating systems, middleware, database systems and application systems.

Physical security: ensure the environmental security, equipment security and storage media security related to the business and management information systems.

Operational security: ensure that all operations, daily monitoring, changes and maintenance of the business and management information systems meet the requirements of standardized operation, and ensure the stable and reliable operation of the systems.

The third step is a current-situation investigation and a risk assessment covering the whole process.

In the investigation stage, we should fully understand the actual situation of the government or enterprise, such as its organizational structure, business environment and information system processes. Only by understanding the organizational structure and nature of the government or enterprise can we determine which standards the organization's information security system should follow. In addition, we must fully understand the culture of the government or enterprise so that the management system is integrated with that culture, which makes later promotion, publicity and implementation easier. The investigation adopts a "hypothesis-driven, fact-based" method: assume that the government or enterprise meets all the control requirements of the relevant standards, then collect information through various ways and means such as interviews and questionnaires to prove or falsify that the organization's control measures meet all the requirements of the standards, and finally analyze the gap by comparing the current situation with the requirements of the standards.

In the risk assessment stage, the risk assessment of the information system first involves the basic elements of assets, threats and vulnerabilities. Each element has its own attributes: the attribute of an asset is its value; the attributes of a threat can be the threat agent, the affected object, the frequency of occurrence, the motivation and so on; the attribute of a vulnerability is the severity of the asset's weakness. The main contents of risk analysis are:

Determine assets and assign asset values;

Identify threats, describe their attributes, and assign values to the frequency of threats;

Identify the vulnerabilities of assets and assign a value to the severity of each vulnerability of a specific asset;

Judge the likelihood of a security incident according to the threat and the difficulty of the threat exploiting the weakness;

Calculate the loss from a security incident according to the severity of the vulnerability and the value of the asset affected by the incident;

Calculate the impact of the security incident on the organization, that is, the risk value, from the likelihood and the loss of the security incident.
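The six steps above are carried through in code below. This is an added example and not code from the original article or from Taiji; the article gives the steps but no scoring scale or combination rule, so the 1-to-5 ordinal scale, the geometric-mean combination, the likelihood-times-loss risk value and the grade bands are all constructed assumptions for illustration, as is the sample register of two assets, two threats and two vulnerabilities.

```python
"""Worked risk calculation for the six risk-analysis steps above.

Added example, not from the original article. Assumptions (not stated on
the page): every attribute is scored on a 1..5 ordinal scale; incident
likelihood combines threat frequency with vulnerability severity, loss
combines asset value with vulnerability severity (both via a rounded
geometric mean so the result stays on the 1..5 scale), and the risk value
is likelihood x loss (1..25), banded into four grades. The scale, the
combination rule and the band limits are constructed for illustration.
"""
from dataclasses import dataclass
from math import sqrt

SCALE = range(1, 6)  # assumed 1..5 ordinal scale for value, frequency and severity


def _check(name: str, score: int) -> int:
    """Reject scores outside the assumed scale instead of silently skewing the result."""
    if score not in SCALE:
        raise ValueError(f"{name} must be in 1..5, got {score!r}")
    return score


@dataclass(frozen=True)
class Asset:
    name: str
    value: int  # step 1: value assigned to the asset


@dataclass(frozen=True)
class Threat:
    name: str
    agent: str      # threat subject
    frequency: int  # step 2: how often the threat is expected to occur


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: Asset
    threat: Threat  # the threat that could exploit this weakness
    severity: int   # step 3: severity of the asset's weakness


def incident_likelihood(threat: Threat, vuln: Vulnerability) -> int:
    """Step 4: likelihood from threat frequency and how easily the weakness is exploited."""
    f = _check("threat frequency", threat.frequency)
    s = _check("vulnerability severity", vuln.severity)
    return round(sqrt(f * s))


def incident_loss(asset: Asset, vuln: Vulnerability) -> int:
    """Step 5: loss from the affected asset's value and the vulnerability severity."""
    a = _check("asset value", asset.value)
    s = _check("vulnerability severity", vuln.severity)
    return round(sqrt(a * s))


def risk_value(likelihood: int, loss: int) -> int:
    """Step 6: risk value = likelihood x loss, on a 1..25 scale."""
    return likelihood * loss


def risk_grade(risk: int) -> str:
    """Constructed grade bands for the 1..25 risk value."""
    if risk <= 6:
        return "low"
    if risk <= 12:
        return "medium"
    if risk <= 19:
        return "high"
    return "very high"


def assess(register: list[Vulnerability]) -> list[dict]:
    """Run steps 4-6 over a vulnerability register and rank the results by risk value."""
    rows = []
    for v in register:
        lk = incident_likelihood(v.threat, v)
        loss = incident_loss(v.asset, v)
        r = risk_value(lk, loss)
        rows.append({"asset": v.asset.name, "threat": v.threat.name,
                     "vulnerability": v.name, "likelihood": lk,
                     "loss": loss, "risk": r, "grade": risk_grade(r)})
    rows.sort(key=lambda row: row["risk"], reverse=True)
    return rows


# Constructed sample register (illustrative values, not from the article).
CUSTOMER_DB = Asset("customer database", value=5)
INTRANET_WIKI = Asset("intranet wiki", value=2)
REMOTE_ATTACK = Threat("remote attack via the Internet", agent="external attacker", frequency=4)
OPERATOR_ERROR = Threat("accidental operator error", agent="internal staff", frequency=2)

SAMPLE_REGISTER = [
    Vulnerability("unpatched database service", CUSTOMER_DB, REMOTE_ATTACK, severity=3),
    Vulnerability("no approval step for wiki changes", INTRANET_WIKI, OPERATOR_ERROR, severity=1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['grade']:>9}  risk={row['risk']:2d}  "
              f"(likelihood {row['likelihood']} x loss {row['loss']})  "
              f"{row['asset']} / {row['vulnerability']}")
```

Keeping the three inputs on the same bounded scale and validating them in one place is the design point: a register entry with an out-of-range score raises immediately rather than producing a risk value that looks plausible but cannot be compared with the rest of the register.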

Secondly, the risk assessment of information system processes is carried out. According to survey results from Gartner, an internationally renowned consulting firm, confirmed by our own practice, one of the most effective ways to reduce information system failures is to carry out effective process management. Therefore, on the basis of ensuring the security of "static assets", it is necessary to effectively manage IT-related business processes in order to protect the security of "dynamic assets" such as business processes.

The fourth step is to design and establish the overall framework of the information security guarantee system.

On the basis of a full investigation and of risk analysis and evaluation, the general outline of the organization's information security guarantee system is established. It covers all aspects of the organization's information security policies, strategies, frameworks, plans, implementation, inspection and improvement, and puts forward clear security objectives and norms for information security construction over the next 3 to 5 years. The framework design of the information security system must integrate the current-situation investigation, the risk assessment, the organizational structure and the overall information security plan, and must comprehensively consider risk management and compliance with the laws and regulations of regulatory agencies and with relevant domestic and foreign standards. To ensure that the goal of information security construction is achieved and to derive the organization's future information security tasks, the overall framework design documents (first-level documents) of the information security system include:

A report on the overall framework design of the information security guarantee system;

Information security system construction planning report;

According to the information security system model, the information security system is developed from four aspects: security organization, security management, security technology, and security operation and maintenance. Further decomposing and refining these four aspects yields the second-level documents of the information security guarantee system for the whole government department or enterprise. The specific second-level documents include:

Information security organization system: organizational structure, roles and responsibilities, education and training, cooperation and communication.

Information security management system: information asset management; human resource security; physical and environmental security; communication and operation management; access control; information system acquisition and maintenance; business continuity management; compliance;

Information security technology system: technical specifications of physical layer, network layer, system layer, application layer and terminal layer;

Information security operation and maintenance system: the working methods, processes and management at the daily operation and maintenance level, including incident management, problem management, configuration management, change management, release management and the service desk.

The fifth step is to design and establish the organizational structure of information security guarantee system.

The information security organization system is the guarantee of information security management: it ensures that there are management positions responsible for the corresponding control points in practical work. The organizational structure of information security management is determined according to the overall framework of the organization's information security and its actual situation.

Information security organizational structure: the result of structuring and systematizing the departments responsible for information security decision-making, management, implementation and monitoring.

Information security roles and responsibilities: define, divide and clarify the roles played by individuals in the information security organization.

Security education and training: mainly including security awareness and cognition requirements, security skills training and professional security education.

Cooperation and communication: communication and cooperation with superior supervisory departments, peer units at the same level, internal units, suppliers, security industry experts and other parties.

The sixth step is to design and establish the management system of information security guarantee system.

According to the overall framework design of information security, combined with the results of the risk assessment and the actual situation of information system construction in the institution, and with reference to relevant standards, the third- and fourth-level documents of the information security management system are established, including:

Asset management: information system sensitivity classification and identification specification and corresponding forms; information system classified control specification and corresponding forms;

Human resource security: internal employee information security code; third-party personnel security management code and corresponding forms; confidentiality agreement;

Physical and environmental security: physical security area division and identification specification and corresponding forms; computer room security management specification and corresponding forms; access control system security management specification and corresponding forms;

Access control: user access management specification and corresponding forms; network access control specification and corresponding forms; operating system access control specification and corresponding forms; application and information access specification and corresponding forms; mobile computing and remote access specification and corresponding forms;

Communication and operation management: network security management specification and corresponding forms; Internet service use security management specification and corresponding forms; malicious code prevention specification; storage and mobile media security management specification and corresponding forms;

Information system acquisition and maintenance: information security project establishment management specification and corresponding forms; secure software development management specification and corresponding forms; software system vulnerability management specification and corresponding forms;

Business continuity management: business continuity management process specification and corresponding forms; business impact analysis specification and corresponding forms;

Compliance: applicable laws and regulations of the industry; tracking management specification and corresponding forms.

To form an integrated information security management system, the system must conform to the strategic objectives, vision, organizational culture and actual situation of the whole organization and be integrated accordingly. Throughout the implementation process, training must run all the way through: the significance of the overall information security system construction must be conveyed to every corner of the organization, and overall information security awareness improved. Only by combining all of these aspects can the construction be truly effective.