Shulou(Shulou.com)06/01 Report--

After struggling in the Internet industry for several years, I met customers from many industries, but found that in fact, many people would buy network security devices, WAF and so on, but in fact, they did not understand the role of these devices, as if only because others bought these, so they also want to buy one.

Often heard the boss tease, met a customer is selling vegetables, but the net Ann asked him to wait for protection, so sell vegetables ignorant circle, hear this thing is also ignorant, a vegetable seller need to wait for protection?

In fact, if this vegetable selling business is only an offline business, then the information security level protection work will certainly have nothing to do with him, but this businessman has extended his business to the online. Online, it involves privacy security issues such as user basic information and payment. These security issues are as small as a threat to store information security and as big as a threat to social and public security. That's why the Ministry of Network Security will ask to carry out such protection work.

From this point of view, even a vegetable vendor needs to do a good job of security after using the Internet, not to mention enterprises. Then how to do a good job of corporate security? We need to find ways and routines to solve problems effectively.

First, set goals:

Realize the security, visualization, controllability and manageability of the business, and maximize the efficiency of the business.

Second, find problems

In every enterprise, there will be compliance problems, threats from inside and outside the enterprise, and the vulnerability of the business system itself, which we need to pay attention to.

Compliance issues: lack of or comprehensive understanding of compliance and laws related to corporate business

Technical level: security issues arising from virtual and physical devices

Management level: lack of awareness of network security among employees, lack of standardized management system and process norms related to security.

Third, the planning plan:

1. Compliance supervision

National laws and regulations, industry regulatory requirements and norms, international laws, regulations and norms

2. Technology

Asset security: host security, Web security, Doker security, network device security, security device security, terminal security, database security, application security, physical security

Data security: data generation and collection, data storage, data access and application, data transmission, data backup, data destruction

Third-party detection: threat intelligence, * testing, risk assessment, regulatory testing, security certification (iOS27001, etc.)

Safety construction planning

Stage one: the initial stage of security construction

External threat defense needs to be higher than internal threat defense (of course). First of all, we should deal with external security threats and deploy WAF to the website for defense. If it is a non-operational network, you can deploy soft WAF, such as ShareWAF, ModSecurity and so on.

Stage 2: the middle stage of security construction

Supplement and improve the external threat defense, focusing on internal security and data security, mainly to prevent the mole.

The third stage: during the period of safe operation, the emphasis is on maintenance, and the safety awareness should not be relaxed. Network security has always been a precaution.

Summary:

The security construction work of the enterprise can flexibly adjust the process according to its own business needs. The security problem is not a performance-solving problem, and a good security awareness needs to be carried out in the work every day. In the end, the safety problem will be found to be rooted in the human problem, and the promotion of safety awareness is the best way to improve the overall safety level of the company.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.