In the process of implementing the network security level protection work, what principle should the information system security management follow? The principles to be followed by the information system can be referred to by national standards, and the ideal to follow in the process of building and operating the system is the “Information Security Technology Information System Security Management Requirements” (GB/T 20269-2006). According to the current national standard “Information Security Technology Information System Security Management Requirements” (GB/T 20269-2006), a total of 11 principles are given, as follows, which can be used as a reference for information security workers. The following is an excerpt of the principles of information system security management for your reference!
a) Based on the principle of security requirements: Organizations should analyze security requirements according to the mission of their information systems, the importance of accumulated information assets, possible threats and risks they face, and determine the corresponding information system security according to the level of protection requirements of information systems Protection level, comply with the specification requirements of the corresponding level, and properly balance the security input and effect from the overall perspective;
b) The principle of responsibility of the main leader: The main leader should establish the purpose and policy of the unified information security assurance of his organization, be responsible for improving the security awareness of employees, organize an effective security assurance team, mobilize and optimize the allocation of necessary resources, coordinate security management work and various departments. Departmental work relationship and ensure its implementation and effectiveness;
c) The principle of full participation: all relevant personnel of the information system should generally participate in the security management of the information system, and cooperate and coordinate with relevant parties to jointly ensure the security of the information system;
d) Principles of the system approach: in accordance with the requirements of systems engineering, identify and understand the interrelated levels and processes of information security assurance, and adopt a combination of management and technology to improve the effectiveness and efficiency of achieving the goal of security assurance;
e) Principle of continuous improvement: safety management is a dynamic feedback process that runs through the entire life cycle of safety management. With the changes in the time and space distribution of safety requirements and system vulnerabilities, the degree of threat increases, the system environment changes, and the awareness of system safety The existing security policies, risk acceptance levels and protection measures should be reviewed, modified, adjusted in a timely manner to improve the security management level, and the effectiveness of the information security management system should be maintained and continuously improved;
f) Principle of management according to law: Information security management is mainly reflected in management behaviors, and it should be ensured that the subject of information system security management is legal, the management behavior is legal, the management content is legal, and the management procedures are legal. For the handling of security incidents, the authorizer should release accurate and consistent relevant information in a timely manner to avoid adverse social impacts;
g) The principle of decentralization and authorization: the separation of management functions in specific functions or areas of responsibility, independent auditing, etc. to implement decentralization, to avoid the hidden dangers caused by excessive concentration of power, and to reduce the chance of unauthorized modification or abuse of system resources . Any entity (such as a user, administrator, process, application or system) only has the necessary permissions for the entity to complete its tasks, and should not have any superfluous permissions;
h) The principle of selecting mature technology: mature technology has better reliability and stability. When adopting new technology, attention should be paid to its degree of maturity, and it should be partially piloted and then gradually promoted to reduce or avoid possible mistakes;
i) The principle of hierarchical protection: determine the security protection level of the information system according to the classification standard, and implement hierarchical protection; for a large-scale information system composed of multiple subsystems, determine the basic security protection level of the system, and determine each sub-system according to the actual security requirements. The security protection level of the system implements multi-level security protection;
j) The principle of equal emphasis on management and technology: adhere to active defense and comprehensive prevention, comprehensively improve information system security protection capabilities, based on national conditions, adopt the method of combining management and technology, and combining scientific management and technology forward-looking to ensure the security of information systems achieve the required objectives;
k) The principle of combining self-protection and state supervision: implement a combination of self-protection and state protection for information system security. Organizations should be responsible for the security protection of their own information systems, and relevant government departments have the responsibility to guide, supervise and inspect the security of information systems, and form a management model that combines self-management, self-inspection, self-assessment and state supervision to improve information systems. The ability and level of security protection to ensure national information security.
The Links: CM400DY-24A TT 250 N 18 KOF 25CN
