There are two pillars that ensure information security: technology and management. When information security is discussed day to day, it is mostly in technical fields: intrusion detection (IDS), firewalls, antivirus, encryption, CA-based authentication and so on. This is because adopting information security technologies and products shows direct benefits quickly, and the maturity of these technologies and products is relatively high. In addition, technology vendors' cultivation of the market has steadily raised people's awareness of information security technologies and products.
As threats evolve, the types and quantities of security technologies keep growing, but more types and quantities of security technologies and products are not automatically better. Accumulating technology without paying attention to management inevitably leaves many security gaps. When facing information security incidents, people often sigh, "The road is one foot high, the magic is one foot high"; while reflecting on their own technical shortcomings, they actually overlook the protection offered by the other two levels. As Academician Shen Changxiang pointed out: "Traditional information security measures are mainly about plugging loopholes, building high walls and preventing external attacks, but the final result is that it is impossible to prevent them."
Technical requirements and management requirements are two inseparable parts of securing an information system. They are both independent and interrelated. In some cases technology and management each play their own role; in others, both must be applied together to achieve security control, or stronger security control; and in most cases technology and management must support each other for either to perform its function correctly. The bucket effect is commonly used to describe the security of a distributed system: the security of the whole system depends on the shortest stave of the bucket. The management platform is like the iron hoop around this bucket. With the hoop in place, the bucket is unlikely to fall apart; even if individual vulnerabilities exist, they will not cause catastrophic damage to the whole system.
An information security management system is the system by which an organization establishes information security policies and objectives, for the organization as a whole or within a specific scope, together with the methods used to achieve those objectives. It is the outcome of direct management activity, and takes the form of a collection of policies, principles, objectives, methods, processes, checklists and other elements. Such a system is a major change from the traditional management model: it collects, screens, aggregates and analyzes large numbers of scattered individual security events from different locations and different security systems, derives security risk events from a global perspective, and forms unified security decisions for handling and responding to security incidents.
At present, various vendors and standardization organizations have proposed information security management system standards from their own perspectives. These standards, based on products, technology and management, have been applied well in some fields. However, from the perspective of organizational information security and the whole life cycle, the existing information security management systems and standards are not complete; in particular they ignore the most active factor in the organization: the role of people. Looking at information security incidents at home and abroad, one easily finds that behind the surface of these incidents, human factors actually play the decisive role. An incomplete security system cannot guarantee the security of increasingly complex organizational information systems.
7.2.2 Information security management architecture
Building information security is a systematic undertaking: it requires unified, comprehensive consideration, planning and a framework covering all aspects of the information system, and it must always allow for the constant change of the organization. A security flaw in any link is a threat to the system. The Cannikin law (the barrel principle) from management illustrates this. It states that a wooden barrel is made of many staves; if the staves differ in length, the barrel's maximum capacity is determined not by the longest stave but by the shortest. The same principle applies to information security: an organization's information security level is determined by the weakest of all the links related to information security. The life cycle of information, from creation to destruction, includes many events such as creation, collection, processing, exchange, storage, retrieval, archiving and destruction, and along the way its form and carrier change in many ways; any one of these may affect the overall information security level. To reach its information security goal, an organization must bring every stave of the security "barrel" up to a certain length. From a macro perspective, the information security management architecture can be described by the following HTP model: people and management, technology and products, process and framework.
Among these, people are the most active factor in information security, and human behavior is its most important aspect. People, especially internal employees, are both the biggest potential threat to information systems and the most reliable line of defense. Statistics show that only 20% ~ 30% of all information security incidents are caused by hacker attacks or other external causes, while 70% ~ 80% are caused by negligence or deliberate disclosure by internal employees. Viewed from a higher level, the whole picture of information and network security shows that security is in fact a human problem, and technology alone cannot turn "the biggest threat" into "the most reliable line of defense". The biggest defect of earlier security models is that they ignore the human factor. Information security should be people-oriented; human factors matter more than information security technologies and products. People-related security issues cover a wide range: from a national perspective, laws, regulations and policies; from an organizational perspective, security policies and procedures, security management, security education and training, organizational culture, emergency plans and business continuity management; and from a personal perspective, professional requirements, personal privacy, behavior, psychology and other issues. On the technology side, a variety of technologies and products can be adopted to protect information systems, such as commercial cryptography, firewalls, antivirus, identity authentication, network isolation, trusted services, security services, backup and recovery, PKI services, evidence collection, network intrusion traps (honeypots) and active counterattack. But the aim should not be to deploy every security product and technology in pursuit of zero risk: if the cost of security is too high, security loses its meaning. An organization should apply the principle of "rightsizing" to information security: on the basis of risk assessment, introduce appropriate controls to reduce the organization's risks to an acceptable level, ensure business continuity and maximize commercial value, thereby achieving the purpose of security.
7.2.3 Functions of Information Security Management System
7.2.3.1 Security Policy
Security policy management is the center of the whole security management platform: it formulates and maintains the organization's security policies and configuration information according to the organization's security objectives. A security policy is the set of rules that must be followed to guarantee a certain level of security protection in a specific environment. Network security depends not only on advanced technology but also on strict security management, legal constraints and security education.
A security policy is built on the concept of authorized behavior. Security policies generally include requirements such as "information must not be given to, accessed by, referenced by or modified by unauthorized entities"; that is, policies are distinguished by how they handle authorization. By the nature of the authorization, they can be divided into rule-based security policies and identity-based security policies. Authorization can be delivered in two ways: administratively enforced or dynamically selected. The security policy determines which security measures must be implemented and which may be selected according to users' needs. Most security policies should be enforced.
(1) Identity-based security policy. Its purpose is to filter access to data or resources. In other words, either each user is given the resources they may access (an access control list), or the system grants users privilege marks or permissions. In both cases the number of data items involved can vary greatly.
(2) Rule-based security policy. Under a rule-based security policy, the system attaches security labels to subjects (users, processes) and objects (data), defines access rights in terms of those labels, and treats the label as part of the data item.
Both kinds of security policy use labels. The concept of a label is very important in data communication: identity authentication, management, access control and so on all require subjects and objects to be labeled and controlled accordingly. In communication, data items, communicating processes and entities, channels and resources can all be labeled with their attributes, and the security policy must specify how these attributes are used to provide the necessary security.
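The two policy types just described, combined in one policy decision point, as an added example in Go that is not from this chapter. The rule-based policy is represented by a Bell-LaPadula-style comparison of security labels (an assumption about which rule the system uses; the chapter only says that rights are defined in terms of labels), the identity-based policy by a per-object access control list. The subject and object names, levels and sample data are constructed for the illustration.

```go
package main

import "fmt"

// Added example (not from the chapter): a minimal policy decision point that
// evaluates an access request under a rule-based (label) policy and an
// identity-based (ACL) policy. Names, levels and sample data are constructed.

// Level is a security label: clearance for a subject, classification for an object.
type Level int

const (
	Public Level = iota
	Internal
	Confidential
	Secret
)

// Subject is an authenticated user or process carrying a clearance label.
type Subject struct {
	Name      string
	Clearance Level
}

// Object is a protected resource carrying a classification label (treated as
// part of the data item) and an identity-based ACL: subject name -> operations.
type Object struct {
	Name           string
	Classification Level
	ACL            map[string]map[string]bool
}

// ruleAllows is the rule-based policy, fixed by administration and not
// selectable by users (assumed Bell-LaPadula style): a subject may read only
// objects whose classification it dominates ("no read up") and write only to
// objects that dominate its clearance ("no write down").
func ruleAllows(s Subject, o Object, op string) bool {
	switch op {
	case "read":
		return s.Clearance >= o.Classification
	case "write":
		return o.Classification >= s.Clearance
	default:
		return false
	}
}

// identityAllows is the identity-based policy: the object's ACL must list
// this subject with the requested operation.
func identityAllows(s Subject, o Object, op string) bool {
	ops, ok := o.ACL[s.Name]
	return ok && ops[op]
}

// Evaluate applies the enforced label rule first and the ACL second, and
// returns a reason string suitable for an audit log. Authentication of the
// subject is assumed to have already succeeded before Evaluate is called.
func Evaluate(s Subject, o Object, op string) (bool, string) {
	if !ruleAllows(s, o, op) {
		return false, "denied by label rule"
	}
	if !identityAllows(s, o, op) {
		return false, "denied by ACL"
	}
	return true, "permitted"
}

// SampleObjects returns constructed objects for the demonstration.
func SampleObjects() map[string]Object {
	return map[string]Object{
		"q3-report": {
			Name:           "q3-report",
			Classification: Confidential,
			ACL: map[string]map[string]bool{
				"alice": {"read": true, "write": true},
				"bob":   {"read": true}, // listed in the ACL, but lacks clearance
			},
		},
		"public-notice": {
			Name:           "public-notice",
			Classification: Public,
			ACL:            map[string]map[string]bool{"bob": {"read": true}},
		},
	}
}

func main() {
	alice := Subject{Name: "alice", Clearance: Confidential}
	bob := Subject{Name: "bob", Clearance: Internal}
	objs := SampleObjects()
	for _, req := range []struct {
		s  Subject
		o  string
		op string
	}{
		{alice, "q3-report", "read"},
		{bob, "q3-report", "read"},
		{alice, "public-notice", "write"},
		{bob, "public-notice", "read"},
	} {
		ok, why := Evaluate(req.s, objs[req.o], req.op)
		fmt.Printf("%-5s %-5s %-13s -> %v (%s)\n", req.s.Name, req.op, req.o, ok, why)
	}
}
```

Bob is on the report's ACL but is still refused because the label rule is evaluated first and cannot be overridden by an ACL entry; the reason string makes that visible in the audit trail, which is what an administrator needs when investigating why a request was denied.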
Determining a reasonable security policy according to the system's actual situation and security requirements is both complex and important. Because security is relative and security technology keeps developing, there should be reasonable and explicit security requirements, embodied mainly in the security policy. The main security requirements of a network system are integrity, availability and confidentiality. Integrity and availability follow from the openness and sharing of the network; providing services according to users' needs is the most basic purpose of the network. Confidentiality requirements differ from network to network; that is, not every network has to be a secure network. Therefore each intranet should determine its own security policy according to its own requirements. The problem today is that most software and hardware is advanced, large and feature-complete, yet lacks a clear security policy, so once put into use it exhibits many security loopholes. If in the overall design the network security policy is formulated from the security requirements and implemented step by step, there will be fewer system vulnerabilities and better operational results.
In engineering design, a series of security mechanisms and concrete measures is built according to the security policy, putting security first. The purpose of multi-layered protection is to make the various protective measures complement each other: the bottom layer relies on the protection functions of the secure operating system itself, and upper layers add measures such as firewalls and access control lists, so that security is not compromised once the first layer is breached. The principle of least authorization means taking restrictive measures to limit the power of superusers and using one-time passwords throughout. Comprehensive protection requires measures in physical security, software and hardware, management and layered protection to ensure system security.
7.2.3.2 Security Mechanism
In an information security management system, a security mechanism is the mechanism and arrangement that ensures security policies are implemented and realized; it usually provides three functions: prevention, detection and recovery. Typical security mechanisms are as follows:
(1) Data security transformation. Data security transformation, that is, cryptographic technology, is the basis of many security mechanisms and services. A cipher is the main means of realizing secret communication: it is a special system of symbols for concealing language, writing and images. Any communication method that uses special symbols, according to a method agreed by both parties, to hide the original form of a message so that a third party cannot recognize it is called cryptographic communication. In computer communication, information is concealed by cryptographic technology and then transmitted in concealed form, so that even if it is stolen or intercepted in transit, the thief cannot learn its content; this secures information transmission. Cryptography can effectively prevent unauthorized observation, modification, repudiation, impersonation and traffic analysis of information.
(2) Digital signature mechanism. The digital signature mechanism realizes special security services such as non-repudiation and authentication. A digital signature is an application of public key cryptography: the message digest is encrypted with the sender's private key and attached to the original information, and the result is the digital signature.
(3) Access control mechanism. The access control mechanism implements a policy of restricting access to resources: it stipulates the operation rights of different subjects over different objects, permitting only authorized users to access sensitive resources and denying unauthorized users. First, the entity that wants to access a resource must be successfully authenticated; then the access control mechanism processes the entity's access request, determines whether the entity has the right to access the requested resource, and handles it accordingly. The techniques used include access control matrices, passwords, capability levels and labels, which express users' access rights.
(4) Data integrity mechanism. To prevent data from being modified without authorization, this mechanism can be realized by computing a message digest with a one-way (irreversible) function, a hash function, and digitally signing the message digest.
(5) Authentication exchange mechanism. The authentication exchange mechanism refers to mutual authentication between two parties (such as an intranet and the Internet) during information exchange: it confirms the identity of entities by exchanging information. Techniques for exchange authentication include: a password provided by the sending entity and checked by the receiving entity; cryptographic techniques, in which the data to be exchanged is encrypted so that only legitimate users can decrypt it and obtain meaningful plaintext; and the characteristics or possessions of an entity, such as fingerprint recognition and identity cards.
(6) Routing control mechanism. This specifies the path data takes through the network. A path can be chosen on which all nodes are trusted, ensuring that the information sent is not attacked because it passes through unsafe nodes.
(7) Notarization mechanism. This is provided by a third party trusted by all communicating parties. The third party vouches for data integrity and for the correctness of the data's source, time and destination.
There are also physical environment security mechanisms and personnel audit and control mechanisms. In practice, protective measures cannot be separated from the people who master and implement them, and system security is ultimately controlled by people. Security is therefore inseparable from the assessment, control, training and management of personnel, and should be realized by formulating and implementing management systems.
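The digital signature mechanism (2) and the data integrity mechanism (4) above, carried out end to end, as an added example in Go that is not from this chapter. It uses Ed25519 and SHA-256 from the Go standard library; the choice of these algorithms is an assumption (the chapter names no specific algorithm), and the payment message is constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Added example (not from the chapter): digest the data with a one-way hash,
// sign the digest with the sender's private key, attach the signature to the
// data, and let the receiver verify it with the sender's public key.

// SignedMessage bundles the original data with the signature over its digest.
type SignedMessage struct {
	Data      []byte
	Signature []byte
}

// GenerateKeyPair creates the sender's key pair. The private key stays with
// the sender; the public key is what receivers use to verify signatures.
func GenerateKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Digest is the one-way function of the integrity mechanism: any change to
// the data changes the digest, and the data cannot be recovered from it.
func Digest(data []byte) []byte {
	sum := sha256.Sum256(data)
	return sum[:]
}

// Sign produces the digital signature: the digest, signed with the private key.
func Sign(priv ed25519.PrivateKey, data []byte) SignedMessage {
	return SignedMessage{Data: data, Signature: ed25519.Sign(priv, Digest(data))}
}

// Verify recomputes the digest from the received data and checks the signature
// against the sender's public key. It returns false if the data or signature
// was altered in transit or if a different key was used, which is what gives
// the receiver both integrity and non-repudiation.
func Verify(pub ed25519.PublicKey, sm SignedMessage) bool {
	if len(pub) != ed25519.PublicKeySize || len(sm.Signature) != ed25519.SignatureSize {
		return false // malformed input is rejected instead of panicking
	}
	return ed25519.Verify(pub, Digest(sm.Data), sm.Signature)
}

func main() {
	pub, priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	// Constructed message: a payment instruction whose integrity matters.
	sm := Sign(priv, []byte("pay 100.00 to account 42"))
	fmt.Println("digest   :", hex.EncodeToString(Digest(sm.Data)))
	fmt.Println("signature:", hex.EncodeToString(sm.Signature))
	fmt.Println("genuine message verifies:", Verify(pub, sm))

	// Someone on the path changes the amount but cannot produce a new signature.
	forged := SignedMessage{Data: []byte("pay 900.00 to account 42"), Signature: sm.Signature}
	fmt.Println("tampered message verifies:", Verify(pub, forged))
}
```

The receiver never trusts the attached digest or signature on its own: it recomputes the digest from the data it actually received, so a change to either the data or the signature is detected, and only the holder of the private key could have produced a signature that verifies under the matching public key.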
7.2.3.3 Risk and Security Early Warning Management
Risk analysis is a scientific method for understanding the security situation of a computer system, identifying system vulnerabilities and proposing countermeasures. When carrying out risk analysis, the object of analysis must first be made clear: the object should be the defined scope of the whole system and its security-sensitive areas. Then the content of the analysis is determined, security loopholes are found and the key directions of analysis are set. Next, the key protected objects are analyzed carefully, examining the causes, impacts, potential threats and consequences of risks, with some quantitative evaluation data. Finally, based on the analysis results, effective security measures are proposed together with the risks those measures may introduce, and the rationality of the capital investment is confirmed.
Security early warning is an effective preventive measure. Combined with tracking research on security vulnerabilities, relevant vulnerability information and solutions are released in good time, and security management departments at all levels are urged and guided to carry out security prevention promptly, nipping problems in the bud. At the same time, through the security trends of the whole network held by the security threat management module, security management agencies at all levels are guided in security prevention, especially against currently high-frequency attacks.
7.2.4 Information Security Management System Standards and Certification
The formulation of information security management system standards began in 1995 and, after years of revision and improvement, produced the ISO 27001:2005 certification standard that is widely used today. The British Standards Institution (BSI) put forward BS7799 in February 1995 and revised it twice, in 1995 and 1999. BS7799 has two parts: BS7799-1, Code of Practice for Information Security Management, and BS7799-2, Specification for Information Security Management Systems.
The first part offers information security management recommendations for those responsible for initiating, implementing or maintaining security in their organizations. The second part sets out the requirements for establishing, implementing and documenting an Information Security Management System (ISMS), and specifies the requirements for implementing security controls according to the needs of individual organizations.
In 2000, the International Organization for Standardization (ISO) adopted the ISO 17799 standard based on BS7799-1. ISO/IEC 17799:2000 (BS 7799-1) contains 127 security controls to help organizations identify the elements that affect information security in their operations. Organizations can select and apply them in line with applicable laws, regulations and articles of association, or add further controls. BSI also revised BS7799-2 in 2002. In 2005, ISO revised ISO 17799 again, and BS7799-2 was adopted as ISO 27001:2005 in the same year. The revised standard is the first part of the ISO 27000 series, ISO/IEC 27001; nine controls were removed in the new standard and the wording of some controls was modified.
However, because ISO 17799 is not based on a certification framework, it lacks the information security management system requirements needed to pass certification; ISO/IEC 27001 contains these detailed management system certification requirements. Technically, this means an organization using ISO 17799 alone may fully meet the requirements of the code of practice, but that is not enough for outside parties to recognize that it has met the certification requirements set by the certification framework. The difference is that an organization using ISO 27001 and ISO 17799 together can establish an ISMS that fully meets the specific requirements of certification while also meeting the code of practice; such an organization can then obtain external recognition, that is, certification.