The process of establishing an enterprise's information security architecture

Source: Internet
Author: User
If an enterprise needs to establish an information security architecture, the general process is as follows:


1. Analyze the enterprise's information security objectives: what level of information security does the enterprise aim to reach within the next 3-5 years?


2. With the security objectives set, the next step is to analyze the enterprise's current security situation. This phase is usually carried out through a risk assessment or similar means; the available methods include risk assessment, security audit, and penetration testing.


3. With the security situation analyzed, the next task is to analyze the gap between the security objectives and the current situation: once the target is set and the status quo is clear, the gap emerges naturally. The gap analysis stage is mainly about identifying and enumerating the weak points between the current security situation and the objectives, covering areas such as organizational security, personnel security, access control, physical security, security incident handling, and business continuity.


4. Once the gap is known, we design a security architecture for the enterprise. A complete information security architecture should include both a technical architecture and a management architecture. The technical architecture refers mainly to design at the network and system level, for example: is the enterprise's current network structure reasonable? Are the security products deployed in the right places? The management architecture refers mainly to building the information security management system. As the saying goes, "without rules there is no order": security problems ultimately come down to management problems, and many security incidents happen because management is not in place. Take weak passwords as an example: if the company's security policy clearly requires that a password be at least 6 characters long and include digits, letters, special characters, and so on, the phenomenon of weak passwords can be avoided. Likewise, untimely patch updates, insufficient ACLs, and similar problems are largely due to management not being in place. In our assessment projects we found that many times the problem was not that something was technically unachievable, but that management awareness was lacking. Quite a few corporate leaders have weak security awareness and basically no concept of security, so the security recommendations raised by administrators or the security department go nowhere. Many security measures are hard to implement in many enterprises because they cause inconvenience to employees, and employees resist them; in that situation it is up to top management to enforce the policy and push the security measures through, so once again it comes down to a management problem.
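The password rule in point 4 is the kind of management requirement that can be turned into an automated technical control, so that the policy is enforced rather than merely written down. The following is an added example in Python, not code from the original article: it encodes the stated rule (6 characters including digits, letters and special characters, with the length treated as a minimum and exposed as a parameter so an organization can raise it) and audits a constructed set of sample accounts. The function names, the definition of "special characters" as ASCII punctuation, and the sample data are assumptions made here.

```python
"""Added example: the password rule from the article expressed as a checkable
control. Not part of the original article. Rule parameters follow the article
(minimum length 6; must contain letters, digits and special characters); the
function names, the special-character set and the sample data are constructed."""
import string

# Assumption: "special characters" means ASCII punctuation.
SPECIAL_CHARS = set(string.punctuation)


def password_policy_violations(password: str, min_length: int = 6) -> list[str]:
    """Return the list of policy rules the password breaks (empty = compliant).

    The article's rule is a 6-character password with digits, letters and
    special characters; the 6 is treated as a minimum and is a parameter so
    the organization can demand more.
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c.isalpha() for c in password):
        violations.append("no letter")
    if not any(c in SPECIAL_CHARS for c in password):
        violations.append("no special character")
    return violations


def audit_passwords(passwords: dict[str, str], min_length: int = 6) -> dict[str, list[str]]:
    """Check a mapping of account -> candidate password against the policy and
    return only the non-compliant accounts with their violations.

    This is the check a password-setting interface would run before accepting
    a new password; the input here is constructed sample data.
    """
    return {
        account: v
        for account, pw in passwords.items()
        if (v := password_policy_violations(pw, min_length))
    }


# Constructed sample data for demonstration only.
SAMPLE_ACCOUNTS = {
    "admin": "123456",     # digits only
    "ops": "Summer#9",     # meets the rule
    "dba": "Abc1!",        # too short
    "hr": "password",      # letters only
}

if __name__ == "__main__":
    for account, v in audit_passwords(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {', '.join(v)}")
```

The useful point for the management-versus-technology argument in the article is that the check is cheap to implement; what decides whether weak passwords disappear is whether the organization actually wires it into account creation and password changes and gives it backing from the top.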


These phenomena generally appear in small and medium-sized enterprises. Such enterprises lack funds, and as long as no major security incident has occurred, senior management generally does not consider increasing investment in security. In large enterprises, by contrast, the network has become an indispensable part of the business as the enterprise has grown; a security incident would cause serious losses, such as loss of customer information, leakage of financial data, and damage to the corporate image. Large enterprises also have relatively strong capital, so their investment in security is relatively greater.


In addition, when designing an information security architecture we should fully take into account the enterprise's current security status and the relevant laws and regulations, and should consider the enterprise's operating costs. Finally, we need to consider whether the information security architecture design is executable: it must not turn out, once the system has been produced, that it bears no relation to the company's current security situation and the plan is too poorly enforceable to be followed.


5. After the information security architecture has been established, the final phase is implementation. During implementation, strong support from the enterprise's senior management is still needed for things to proceed smoothly, because implementing and operating an information security architecture cuts across different departments, and coordination between departments requires the top leadership to coordinate.


6. The last stage is Check: the information security architecture should follow the PDCA model. We should keep track of the construction of the information security system in a timely way, check for gaps and fill them, promptly find deficiencies and existing problems, and correct them promptly during later operation and maintenance.

