2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
In the previous article, we learned about the importance of an information security strategy and how to do it well. In this article, we introduce another important part of information security construction, the three major systems: the organizational management and control system, the technical management and control system and the operation management and control system.
Based on years of experience in information security construction, Shandong Software Evaluation Center briefly summarizes these three systems, hoping this will be of help to you. The following picture shows the overall structure of the information security architecture.
[Figure: The overall structure of information security architecture]
As can be seen from the above picture, the information security system is mainly composed of three parts: the security technology system, the security organization and management system and the operation guarantee system.
As we learned in the previous article, security policy is the guide. The relationship between the security policy and the security technology system, the security organization and management system and the operation guarantee system is interactive. The three systems are constructed under the guidance of the security policy, mainly to transform the various elements of the security policy into feasible technical implementation methods and management and operation guarantee means, and so to fully achieve the goals set in the security policy.
(1) Organizational management and control system
The organizational management and control system is an important guarantee that the security technology system can play its protective role effectively. Its design is based on the overall security strategy, and it cooperates with the security technology system to enhance the efficiency and effectiveness of the technical protection system. At the same time, it makes up for the security defects that cannot be completely solved by current technology.
Technology and management are combined with each other. On the one hand, technical security protection measures need to be strengthened by security management measures; on the other hand, technology is also a means to supervise the implementation of management measures.
The organizational management and control system is composed of several information security management classes, each of which can be divided into multiple security objectives and security controls. Each security objective has a number of corresponding security controls, which are the management work and requirements needed to achieve that objective. The information security management system includes 12 management categories: security policy and system, security risk management, personnel and organizational security management, environment and equipment security management, network and communications security management, host and system security management, application and business security management, data security and encryption management, project engineering security management, operation and maintenance security management, business continuity management, and compliance management.
(2) Technical management and control system
The technical management and control system is the basis of the whole information security system framework. It includes three parts: the security infrastructure platform, the security application system platform and the integrated security management platform. Together they form a technical guarantee framework that is supported by a unified information security infrastructure platform, assisted by a unified security application system platform, and managed by a unified integrated security management platform.
Under the guidance of the security policy, the security infrastructure platform builds on existing mature security technologies and security mechanisms. It starts from many levels, such as physical and communication security protection, network security protection, host system security protection and application security protection, to establish a complete security technology protection system in which the various parts cooperate with each other.
The security application system platform deals with the association and integration between the security infrastructure and the application information system. The application information system raises its own security level by using the security services provided by the security infrastructure platform, and so provides business services and internal information management services in a more secure way.
The management scope of the integrated security management platform covers, as far as possible, all the security mechanisms and devices involved in the security technology system. It manages and controls these security mechanisms and devices in a unified way, is responsible for managing and maintaining security policies, and configures and manages the corresponding security mechanisms to ensure that these security technologies and facilities operate reliably and in accordance with the design requirements. It builds a bridge between traditional information system applications and all kinds of security technologies, security products, security defense measures and other security means, so that these security means can be closely combined with existing information system applications to achieve seamless connection, promote the real integration of information system security and information system applications, and let traditional information system applications gradually transition to secure information system applications.
A unified security management platform helps the various technical means of security management complement each other and work effectively, and also makes it convenient to carry out security monitoring and management from the perspective of the system as a whole, so as to improve the efficiency of security management and greatly reduce manual involvement in security management activities.
(3) Operation management and control system
The operation management and control system consists of a close combination of security technology and security management, including system reliability design, the system data backup plan, the security incident emergency response plan, security audit, the disaster recovery plan and so on. The operation guarantee system provides an important means of guaranteeing the sustainable operation of the organization's information systems.