Thoughts on Information Security: A Collection of Common Information Security Questions

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Some time ago, a customer asked our technical staff: "I have bought the latest security solution on the market, and I have invested a lot of money in security protection equipment, but the security problem has still not been solved. Why?" In fact, many people think this way. Here, the technical staff of Shandong Software Evaluation Center have summed up the problems enterprises often encounter in information security, hoping to help you.

The following are the problems often encountered by enterprises in terms of information security:

1. Do you think that adopting the latest security solutions on the market, or investing a lot of money in security equipment, can effectively solve the information security problems of enterprises?

The answer should be no. A sound information security solution is analyzed, designed, implemented and maintained around the actual situation of the enterprise, and such a system continues to develop as new situations emerge. To develop a security solution that suits the company's actual situation, the specific details must be worked out according to the company's business objectives and marketing strategy. The company's management must understand information security issues and their impact on the company and its customers well enough to provide the right resources, funds and sufficient time for the development of the entire solution. In other words, information security should be implemented from the top down.

In practice, however, this is not the case. Organizations tend to focus on new firewalls, detection systems and antivirus software, and once one or all of these security measures are in place, both the IT department and management feel at ease. Simply pursuing the latest security solutions on the market, or spending a large amount of money on security equipment, is often not advisable. In many companies, security matters are left to the IT department, while IT personnel are busy with day-to-day issues and simply do not have enough energy to formulate a reasonable security plan. Security is then achieved in a reactive, bottom-up manner, which significantly reduces its effectiveness.

Many enterprises, even large and well-known ones, have deployed many technologies and products. Some have established many security management rules, or even built an information security management system and passed certification, investing a great deal of money and manpower. However, the overall level of information security management has not improved significantly, and information security problems still emerge endlessly. The root cause is a problem common to these enterprises: the related management does not keep up. For example, equipment that has been online and running for a long time still has many default configurations; the policies configured on the equipment are incomplete; those policies have not been reviewed for a long time; the accounts of departed personnel still exist; and the management rules are not implemented, or are implemented only partially and not thoroughly. If these problems are not solved well, then even with good products, technologies or standards it is very difficult to fundamentally improve an enterprise's information security management level. At most, the best products, technologies and standards upgrade the equipment of the IT "fire brigade". In information security, we must attach importance to the principle of "three parts technology, seven parts management". Security must come from management, and technology is only a means to help achieve management.

2. Have you ever encountered an information security incident during project implementation because the project lacked risk management control? Or found that the results of a project differed greatly from expectations because it lacked quality control?

When enterprises carry out information construction projects, most of them lack professional information security practitioners, which leads to a lack of professional control in the management of information security projects. At present, most enterprises do not pay attention to the project management of information projects, especially information security construction projects. Because of their particular nature, information security construction projects place high demands on project risk management: the project must not cause information security incidents by introducing new security risks in the new system or through misoperation during construction. At the same time, it is difficult to assess well whether an information security project has met its intended purpose once it is completed. As a result, there is often a gap between projects and expectations, so that even when a large amount of money is invested, the information security problem is not well solved. Therefore, only by adopting professional information security project management, and paying attention to project risk management and quality control, can new projects avoid information security incidents as far as possible and achieve their ultimate goal in the established direction.

3. Do you know whether the completed information security project meets the goals you set, whether it meets the requirements of relevant national standards, and whether the enterprise's current information security risks have been reduced to an acceptable level?

After an information project has been built, users often do not know whether it meets the requirements of relevant national standards, or whether the security risk has been reduced to an acceptable level.

4. The IT department is often responsible for the information security of the enterprise. However, does the IT department have enough energy to ensure the secure and stable operation of the business information systems?

In many companies, the information security construction of the whole company is handed over to a small IT department, which is too heavy a burden for it. In many cases, the system environment that new IT employees face was established by another group of people many years ago. Such an environment does not stay the same, because new components are constantly being added. IT staff are often busy dealing with day-to-day issues and simply do not have enough energy to be responsible for the security operation and maintenance of the entire information system. Useful documentation is relatively scarce, and no one has a comprehensive understanding of how the entire network works, so they cannot guarantee that the network structure is always up to date. This means that when something goes wrong, 80% of the time of IT employees and managers will be wasted in a frantic search for a solution. The IT department should formulate a reasonable workflow for the company from the perspective of information security, and management should formulate the framework for information security operation and maintenance and assign dedicated personnel to improve the operation and maintenance system.
