Note: As the last article in this series, this article is first published on my BKJIA blog. This article puts forward some ideas and suggestions for the construction of the tax system security management platform.
Refer:Article 1:Requirement Analysis and overall design
Article 2: Application Mode Analysis
Research on Tax Information System Construction Security Management Platform 3) -- Construction planning ideas
1. Key ideas of construction planning 1.1 overall planning, step-by-step implementation, and gradual implementation
Building a comprehensive tax Security Management System is a systematic project involving all aspects of the Organization. It is not only a matter of the Security Management Department, but also an information center, it also involves various business departments and even individuals in the Organization. At the same time, the establishment of a security management system also involves many elements such as technology, process, organization, and personnel, which are interrelated and indispensable. Therefore, we must fully understand the complexity of the security management system construction, and get the understanding and support of the Organization's senior management. The overall plan must be in place, so we should not focus on building a light plan.
1), Security Management System Design
With the support of the Management layer, the Information Centers of various bureaus should first learn from the IAFT framework according to the basic requirements of classified protection based on the current situation and future development plans of their own units and their own business characteristics, design the overall security management system. This system should include the organization and personnel, process, technology and other aspects.
2)Security Management Platform Design
Then, based on the overall design concept and Function composition of the security management platform, the tax system security management platform design scheme under the security management system is designed based on actual needs. This overall solution focuses on the design of security management technical solutions to form a security management system technical support platform that meets requirements and is practical.
3) Security management platform implementation plan
The tax system security management platform design scheme cannot be put in place in one step. It requires reasonable planning, implementation in stages, and implementation in steps. Each step should clarify the scope and objectives of implementation, the expected results, and conduct feasibility analysis and demonstration. Generally, it is recommended to divide it into 2 ~ Step 4.
1.2 Focus on both technology and service, and combine construction and O & M
The establishment of the security management system and the selection, deployment, O & M, and use of the security management platform are not only technical issues, but also involve organizations, personnel and processes. Therefore, the security management platform must avoid the misunderstanding of "heavy construction and light use. As long as the planning is clear, the management scope is clearly defined, the objectives are clear, and scientific technical indicators follow a reasonable selection process, a security management platform can be established. However, to use this security management platform well, you need to constantly work in the daily O & M work to organize and gradually establish a suitable workflow. At the same time, we also need corresponding professional and technical talents and qualified O & M management teams.
Therefore, the construction of a tax system security management platform must focus on both technologies and services, and both construction and O & M. In the planning and selection stages, the O & M service part of the security management platform should be paid attention, avoid the embarrassment of "building and not using.
It should be pointed out that if a set of hard indicators can be developed for technical selection, service selection is a soft indicator. How these soft indicators are reflected in the subsequent security management and O & M processes is challenging.
1.3 make full use of the maintenance service and use the External Brain
As mentioned above, building a security management platform is a highly technical task that requires a high level of organization and supporting processes. After years of Informatization Construction and information security construction, the tax system has accumulated a lot of experience in security O & M and management, and some units have initially established a professional security O & M and service team. However, the current situation of most organizations is still difficult to meet the O & M needs of the security management platform, and there is a big gap between technology and personnel.
Therefore, in the process of building a security management platform, the tax system should make full use of external brain, make full use of external resources, and use the maintenance service and O & M outsourcing mode. In the project planning and construction phase, external experts and consultants can be used to determine the planning, contingency plan, and O & M process. In the system O & M phase, O & M outsourcing can be used, the outsourced field engineers are used to enrich the existing O & M team, and the outsourced experts are used to assist in emergency response, Security Event Analysis and forensics.
While utilizing external resources, the customer must also establish a dedicated and professional security O & M management team to continuously learn from the experience provided by external resources, gradually improve their professional technical level and Security O & M capabilities, and make appropriate maintenance and supervision work.
2. Suggestions for selecting technical platforms
The construction of the Security Management Platform of the tax system is a system project. We should first plan the security management system and formulate the task objectives, scope, and expected results of the current phase. Then, you can enter the Security Management Technology Platform selection stage. Follow these steps to select the Security Management Technology Platform:
1Establish a security management platform to measure key indicators
When selecting a security management platform, the first step is to establish a key indicator system to measure the security management platform. Based on the task objectives and scopes of the current stage, the user selects appropriate indicators from the selection index library, including technical and service indicators, and assigns the corresponding weights, this constitutes a key indicator system for this selection.
The output of work at this stage is a score table that includes key indicator systems.
2)Filter suppliers and determine alternative platforms
In this phase, suppliers are compared and scored based on the key indicator system and scoring table. Select the preferred suppliers based on the platform technical level and service level of the suppliers, and define 2 ~ Four alternative platforms.
It should be noted that the selection of a supplier is different from the selection of a security management platform. The selection of the security management platform focuses on whether it can meet the technical indicator system, supplier Selection focuses on the implementation capability of the supplier's security management platform and the degree to meet the service indicator system.
The output of this phase is: generate a service indicator system conformity report for the security management platform suppliers, and determine alternative suppliers and alternative platforms.
3)POC for alternative platforms based on technical Indicator SystemVerification Test
After determining the alternative security management platform, we need to determine 2 ~ Four alternative platforms for verification testing.
POCProof of Concept) testing, I .e., validation testing, refers to the actual data running in a simulated environment based on the preset system functions and performance technical indicators, test the functional compliance of the alternative system. At the same time, the performance of the alternative system is estimated, and the performance and system carrying capacity in the real environment are estimated.
At this stage, you need to build a simulated environment and build a testing platform with the cooperation of the security management platform vendor. Generally, the test cycle for each platform is about 1 ~ 2 weeks. After the test is completed, a test report and a technical Indicator System conformity report should be issued.
During the validation test, you can only test the technical indicators marked as high or must meet the priority level, which helps the rapid convergence of the test process.
4)Comprehensive Evaluation
The suppliers and platforms of the security management platform should be evaluated based on the work results of the second and third phases and scored.
5)Business Negotiation and Bidding
At this stage, the user enters the business bidding stage. You can choose public bidding or bidding invitation.
In short, because the security management platform technology is relatively complex and involves a wide range of areas, the security management platform should be selected with caution and the preparation work should be as full and complete as possible.
This series of articles is complete]
This article is from the "focus on security management platform" blog, please be sure to keep this source http://yepeng.blog.51cto.com/3101105/610347