In the previous installment we surveyed the state of information security in small and medium-sized enterprises (SMEs), focusing on the problems they face in security awareness, investment capacity and technical reserves. That article may have left the impression that implementing information security in an SME is very hard. Is it? Not necessarily: every enterprise's objective situation is different, and the problems we described are only the weaknesses of SMEs relative to large enterprises. Because SMEs are inherently flexible and easier to control, the prospects for information security work are quite good as long as these issues receive enough attention during implementation. Below we offer a security work framework and process suited to the situation of SMEs.
Before implementing an information security project, the enterprise needs to formulate a complete set of information security policies, which form the basis of enterprise information security. The policies discussed in this article include not only the highest-level requirements, descriptions and directions, but also the most detailed solutions.
Simply put, enterprise information security planning must answer two questions: what to protect, and how to protect it. The protection objects are wide-ranging, from the devices that use information to the locations where it is stored, and from the Internet link to the company's own employees. The protective measures go beyond the permission control and encryption that people usually think of: the scope of the security policy, equipment requirements, performance indicators, and even the type of lock on the data room door may all become important parts of the security policy.
First, we need to know which information assets fall within the protection scope. Identifying the protected objects can be done through information classification, risk assessment and similar techniques. An enterprise can establish an information classification system that divides all its information assets into levels, which makes it relatively easy to see what must be protected (such as patented technologies and strategic plans), what should be protected (such as customer information and production cost data), and what needs no protection (such as product promotion materials). Information classification should be combined with an assessment of the security risks faced by all information assets: classification reflects how badly the enterprise is affected when an asset is compromised, and risk assessment tells us how likely it is that the asset will be threatened.
After completing the above work we will have a clear picture of the protected objects, and on this basis we can design corresponding security measures for each of them. Two basic principles apply: the risk an information system faces should be less than the value it creates, and the security investment should be less than the value of the protected objects. For example, an enterprise's customer database stores the contact details and credit card information of all its customers. Without effective security management of the database, it is very likely that someone will use this information for fraud, and that risk usually outweighs the convenience of using the database for work. On the other hand, if the comprehensive value of this data is about 100,000 yuan, we should not buy a firewall worth RMB 200,000 to protect it; the investment is obviously far greater than the value of the data. Moreover, deploying a firewall alone can only partially prevent malicious attacks on the database; it cannot prevent employees from abusing it.
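The two questions above, what to protect and how to protect it, can be turned into a small risk register. The following is an added example, not code from the article: the impact weights, the sample assets and the sample controls are assumptions constructed to mirror the customer-database case, and a control is accepted only if it costs less than the asset's value and covers every threat the risk assessment recorded.

```python
# Added example (not from the article): a minimal risk register that turns the
# two questions "what to protect" and "how to protect it" into checks.
from dataclasses import dataclass, field

# Classification levels from the article mapped to impact weights; the weights
# themselves are assumptions chosen for this example.
IMPACT = {"core": 3, "important": 2, "public": 0}

@dataclass
class Asset:
    name: str
    level: str                  # "core", "important" or "public"
    value: int                  # estimated value in yuan
    threats: dict = field(default_factory=dict)  # threat -> likelihood 0..1

@dataclass
class Control:
    name: str
    cost: int                   # purchase and operating cost in yuan
    covers: set = field(default_factory=set)     # threats it mitigates

def risk_score(asset):
    """Impact (from classification) times the highest assessed likelihood."""
    if not asset.threats:
        return 0.0
    return IMPACT[asset.level] * max(asset.threats.values())

def evaluate_control(asset, control):
    """Return (acceptable, reasons). Reject a control that costs more than the
    asset is worth or that leaves an assessed threat unaddressed."""
    reasons = []
    if control.cost > asset.value:
        reasons.append(f"cost {control.cost} exceeds asset value {asset.value}")
    uncovered = sorted(set(asset.threats) - control.covers)
    if uncovered:
        reasons.append("does not address: " + ", ".join(uncovered))
    return (not reasons, reasons)

def prioritize(assets):
    """Order assets by risk score, highest first, to decide where to start."""
    return sorted(assets, key=risk_score, reverse=True)

# Constructed sample data modelled on the article's customer-database case.
CUSTOMER_DB = Asset("customer database", "important", 100_000,
                    {"external intrusion": 0.4, "employee abuse": 0.6})
BROCHURE = Asset("product brochure", "public", 5_000, {"defacement": 0.2})
FIREWALL = Control("perimeter firewall", 200_000, {"external intrusion"})
DB_ACCESS_CONTROL = Control("database access control and audit log", 30_000,
                            {"external intrusion", "employee abuse"})
```

Run against the sample data, the 200,000-yuan firewall is rejected on both counts (it exceeds the 100,000-yuan asset value and does nothing about employee abuse), while the cheaper access-control measure passes.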
The main tasks in the implementation phase are selecting and deploying security facilities, training staff, and educating them on the security policy. Security facilities include common hardware and software such as anti-virus software, firewalls and intrusion detection systems; application solutions such as AAA and PKI; and security procedures such as authorization planning and access control. Implementation must follow the requirements and content laid down in the security policy so that it provides a stable platform for the enterprise's information security system.
Some suggestions on implementation and related work: Do not start implementation before the policy is complete; that is like constructing a building without a blueprint, extremely dangerous and with no guarantee of success. The success of implementation depends on the support of the decision-making layer; if management does not consistently support the project, the security work is nothing more than empty talk. Security policies must be fully publicized within the enterprise, which is also an important step in raising overall security awareness: only when all employees are deeply aware of the importance of security work can the information security system operate normally. When your technical resources are insufficient, consult local professional information security agencies; these organizations are generally willing to share their knowledge and consulting capacity free of charge, and local organizations can usually provide better emergency response.
As we noted in the previous article, establishing the security facilities is not the end of security work. After the information security system is implemented, management and maintenance face a greater test. Design and implementation usually have clear requirements and a relatively fixed schedule, whereas management and maintenance never end. Given the weak security awareness and limited technical reserves of SMEs in particular, the control capability of the security system will gradually erode over time, so enterprises must implement security management conscientiously to keep the system effective.
Information security management procedures provide a reference framework for handling changes in the application environment and for responding to security incidents. Every enterprise faces changes in its application environment; even a single changed application or a change in one employee's position may have a profound impact on the whole security system, so change management plays a critical role in information security. Change management includes identifying changes promptly, recording the relevant information in detail, and evaluating each change sufficiently to determine whether its impact would undermine the existing security policy. If the change is acceptable, a plan is made before it is implemented; once it is complete, the corresponding security policy is updated and staff are trained on the new policy.
Responding to security incidents is another major part of information security work. A security incident usually means a violation of the security policy: it may be an intrusion into the information infrastructure, or it may be an employee modifying a document he is not permitted to access. To manage security incidents, all employees need to understand and implement the security policy clearly, because time is critical: early identification of an incident greatly reduces the enterprise's loss, and full participation effectively lowers the probability of incidents. To respond effectively, an emergency response plan should be prepared in advance as part of the security policy. Even if there is not enough technical strength to form an in-house emergency response team, the management procedures should at least spell out the steps to take when each kind of security incident occurs and the persons to contact (with their contact information). For important information assets a disaster recovery plan should also be established, so that after a serious security accident the system can be restored to normal as soon as possible and the business keeps running.
Besides the three main steps above, there is one easily overlooked task in information security: security assessment. In many cases system administrators merely scan all nodes periodically with their own scanner, and this has proved far from enough. Apart from targeted vulnerability scanning, all facilities covered by the security policy should be inspected regularly, patching and upgrades should be performed at an appropriate frequency against the current security policy, system vulnerabilities and other risks should be tracked according to the system inventory, and the logs generated by the security system should be reviewed periodically. The primary purpose of assessment is to discover potential problems as early as possible.
In this limited space we cannot go into the details of information security implementation; we have only discussed the framework and process of information security work in light of SMEs' requirements. We hope this distilled information helps SME information security staff plan their work better and continuously improve the information security level of their systems.