Information security management practices of large enterprises (Phase 6, 05)

ZTE Chen Fei

My company is a large high-tech enterprise with over people. I am engaged in information security management. Every day I come into contact with various security management concepts, security technologies, and products, feel the importance of information security for an enterprise. Here I would like to share some of my views on how to ensure enterprise information security with my work experience. I. Importance of security managementInformation security is a "three-point technology and seven-point management". security management is the core of enterprise information security. After an enterprise establishes a security management system, security technology can fully play its role. Security management should first establish a sound, pragmatic, and effective security organizational structure, and clarify the security responsibilities of the Architecture members. This is the basis for the implementation and promotion of enterprise security management; second, a complete and operable security management system must be established and strictly enforced. Unclear responsibilities, chaotic management, imperfect security management systems, and lack of operability may all cause security management risks. For example, some employees or administrators may randomly allow non-local employees or even foreign personnel to enter the IDC, or the employees intentionally or unintentionally disclose some important information they know, but there is no corresponding system for management.Ii. Importance of Security TechnologyTo solve information security problems, we should not only consider technology, but not technology. Technology is the main body of security and management is the soul of security. Information security is inseparable from the implementation of security technologies and deployment of security products. However, the current security technologies and products are dazzling and difficult to choose from. In this case, risk analysis and feasibility analysis are required, analyze the risks that our network is facing, the feasibility of solving problems or minimizing risks, and the comparison between benefits and contributions, which products allow us to meet our security requirements at minimum cost, and balance security and efficiency. For an enterprise, figuring out the existing and potential risks of the information system and fully assessing the potential threats and impacts of these risks will be the first problem that must be solved before the enterprise implements security construction, it is also the basis and basis for formulating security policies.Iii. security risk and demand analysisWhen analyzing the security risks of Enterprise LAN, we should take into account the characteristics of this network and conduct targeted risk analysis. Taking my enterprise lan as an example, it has the following features: 1. The network is directly connected to the Internet. Therefore, when designing a security solution, you should consider controlling risks related to Internet connections, including controlling the possibility of spreading viruses over the Internet to prevent hacker attacks, develop remote access management rules, junk and virus Email filtering, and poor website filtering. 2. Some servers on the network, such as web servers, must allow external direct access. In this case, reinforcement systems, access authentication, anti-virus systems, network isolation, content filtering, and other measures should be taken, avoid spreading the security risks of public servers to internal systems. 3. viruses and worms are the greatest security threats on the Enterprise lan. enterprise-level network anti-virus mechanisms must be established to deploy enterprise-level network Anti-Virus products. Automatic Distribution of system patches should be established. 4. A large number of network users. Security policies must be formulated so that users meeting certain conditions can access the company's network. User access control is the foundation of Enterprise Information Security Management. It includes information acquisition for access network computers and enterprise security policies, such as password policy, software policy, service policy, and peripheral policy setting and distribution. 5. There are many different subnets in the internal network, and different subnets have different security. Therefore, when designing a security solution, logical or physical separation of networks with different functions and security levels should be considered. 6. Based on lessons learned from some security incidents, the design of enterprise application systems should fully consider security factors, such as strong identity authentication and log auditing, prevent Attacks and leaks. 7. The extensive use of mobile storage devices also brings about a series of security problems, which should be solved from management to technology. 8. Real-time detection, monitoring, reporting and warning should be carried out in the event of network attacks or other security threats (such as illegal operations by internal personnel; after an accident, the attacker should be able to trace the attack behavior. In short, to ensure information security in the LAN, when analyzing security risks and requirements, we should combine the characteristics of the LAN, based on potential security risks, functions, prices, and other factors of the security product.Iv. Security improvement measuresBy analyzing the risks and requirements of enterprise LAN, we believe that enterprise security risks mainly include server security protection, anti-hacker and virus protection, hierarchical protection of different network segments, access control, network boundary security and security management. Therefore, we must take appropriate security measures to eliminate security risks. We have completed or are in the process of building an information security project, including the construction of a general security control center and a virus defense system, firewall deployment, IDS deployment, digital certificate authentication, mail filtering, proxy server deployment, access control and PC security, document security, and network separation. These are not described in detail.V. Security Management IdeasDeploying a reliable and effective security architecture is not only complex but also costly, because security is a project and requires constant practices and changes, moreover, security technology will always lag behind the development of application technology. Absolute information security does not exist. Each network environment has certain vulnerabilities and risks. For example, if we deploy an anti-virus system, the virus will still appear in various ways, however, the risk level is reduced, and the scope of the impact is reduced, which is no longer uncontrollable. Information security problems can only be solved through a series of planning and measures to reduce the risk to an acceptable level, while taking appropriate mechanisms to maintain the risk to this extent. When the information system changes, it should be re-planned and implemented to meet new security requirements. To protect the security of enterprise information systems, you must first know which assets are identifiable and which are the most critical and need to be protected, which are secondary, but also need to be protected, and which do not require special attention. From the perspective of defense, it is sometimes difficult to grasp external threats accurately, but you should be aware of yourself. When enterprises are aware of the value of assets and potential threats, they can make informed decisions on the budget for protecting these assets. The security of information systems often depends on the weakest part of the system-people. People are the most critical factor in information security. At the same time, we should be aware that people are also the weakest link in information security. This requires the enterprise's information management department to strengthen security management and improve network security awareness and prevention technology of all system personnel. This involves another important part of information security: security training. Enterprises must organize multi-level and multi-faceted information security publicity and training, establish a security training mechanism, and enhance users' security awareness and defense capabilities. As an employee in information security management, our task is to build a "security architecture" that best suits the current business activities for users, because "security" is not an aim in the eyes of users, "business application" is, "security" is only a means to ensure its "business application. Security often conflicts with business and efficiency. At this time, some departments often regard security assurance as a burden and act as the executor of security management, what we hope most is that we can understand "good security" and promote "business applications.Vi. Security Technology ideasWhen talking about information security technology, we will think of firewall, intrusion detection system, anti-virus system, VPN, multi-layer switching, encryption/decryption algorithms, and so on. Security management positions require us to understand the latest security technologies because our defense targets are also doing this. However, with the rapid development of information security technology, various security products have their own strengths, making it difficult to choose from. At this time, we must remember that security is not synonymous with complexity, and security is not everything to be taken over. Security should be as simple as possible, security should be centered on businesses and related applications; security defense should be at multiple levels not only at the border; security needs to be continuously practiced and managed effectively; the design and development technology of the security architecture should be more open. The new technologies and new products of major security technology companies all reflect the trends of "intelligence, integration, and management. Development Direction Technology/product Company Intelligence Deep inspector Netscreen Application Intelligence Checkpoint Integration Association and processing of real-time events Openservice Tivoli SecureWay IBM Tianyao Network Security Audit System Venus stars Management Enterprise Security Manager 5.5 Symantec Vigilent Security Manager suit Netiq Enterprise Security Plan ESP Lumon Technology Table 1 Information Security Management of New Products/technology enterprises that reflect development trends should be gradually standardized and systematic, and a sound management and technical defense system should be established, this is what I feel most deeply in practice. It is also the direction for us to move forward in information security management.