Information security is a foundation and key element of national security. Among the three elements of information security (personnel, technology and management), the position and role of management are receiving more and more attention. Understanding and attaching importance to the key role of management in information security is particularly important for achieving information security goals. This paper analyzes the present situation of information security management and focuses on strategies to strengthen it.
Keywords: information security; management; current situation; strategies
Information security management develops together with information and information security. In the information society, on the one hand, information has become an important asset of humanity and plays an important role in politics, the economy, military affairs, education, science and technology, daily life and so on. On the other hand, the information security problems brought by the rapid development of computer technology have become increasingly prominent. Because information is easy to spread and easy to destroy, information assets are more fragile and vulnerable than traditional physical assets, which exposes organizations to great risks in the course of business operation. This risk comes mainly from inherent weaknesses and loopholes in organizational management, information systems and information infrastructure, as well as from the large number of threats inside and outside the organization. Information security management therefore came into being, so that information systems could be strictly managed and properly protected.
1. Current situation of information security management in China
1.1 Problems in national macro-level information security management
(1) Legal and regulatory issues. A complete system of information security laws and regulations is the basis of, and the first line of defense for, national information security. China has established a system of information security laws and regulations at three levels (laws; administrative regulations; and departmental regulations and normative documents), which sets security requirements for the information security behavior of organizations and individuals. However, the system still has defects. First, the existing laws and regulations are imperfect: contents overlap between laws and regulations, many bodies may impose administrative punishment for the same act, some rules and administrative regulations contradict each other, and the ranges of punishment are inconsistent. Second, the construction of laws and regulations cannot keep up with the development of information technology; legislation is lacking in network planning and construction, network management and operation, network security, legal protection of data, legal authentication of electronic fund transfers, computer crime and its criminal legislation, the legal effect of computer evidence, and so on.
(2) Management issues. Management has three levels: organization construction, system (rules) construction and personnel awareness. Organization construction refers to the construction of information security management institutions. Information security management covers security planning, risk management, emergency planning, security education and training, security system evaluation, security certification and many other aspects, which cannot be handled by a single organization. There should be a clear division of labor among information security management agencies, to avoid policies being issued by many departments and departments pulling in different directions. Practical rules and regulations must be established, that is, system construction must be carried out to ensure information security. For example, the management of people needs to address multi-person accountability, assigning responsibility to individuals, limited terms of office, separation of duties, minimum authority (least privilege) and so on. Once the organization and the corresponding rules are in place, leaders need to attach great importance to group prevention and control, that is, to strengthening the security awareness of personnel, which requires education and training in information security awareness and serious attention to information security issues.
(3) National information infrastructure construction. At present, the network, hardware, software and other products that make up China's information infrastructure are almost all based on foreign core information technology. The problems in the national information infrastructure have attracted great attention from the state. For example, during the Tenth Five-Year Plan period, the key projects of the National 863 Plan and of the program for tackling key scientific and technological problems included "information security and e-government" and "financial informatization". The Measures for the Administration of Telecom Business Licenses, which came into effect in 2002, clearly require that manufacturers of telecom product software must not reserve a "back door" in their software, that foreign suppliers must not remotely log in to the operating systems of Chinese telecom operators, and that advanced management systems should use software products developed by reliable domestic institutions.
1.2 Problems in micro-level information security management in China
The main problems are as follows.
(1) Lack of information security awareness and of clear information security policies. The top management of most organizations is not fully aware of the seriousness of the threats to information assets, or confines its concern to IT security, and has not formed a reasonable information security policy to guide the organization's information security management. This shows itself in the lack of a complete information security management system, the lack of necessary security rules and of employee education and training on preventing security risks, and lax enforcement of the security regulations that do exist.
(2) Emphasis on security technology over security management. At present, organizations generally use modern communication, computer and network technologies to build information systems that improve efficiency and competitiveness, but the corresponding management measures are not in place: for example, positions in system operation, maintenance and development are unclear, and one person often holds multiple roles.
(3) Security management lacks a systematic management concept. The security management mode of most organizations is still a traditional one, a case-by-case and static approach rather than a dynamic, continuously improving approach based on security risk assessment.
2. Current situation of foreign information security management
The development of international information security management in recent years mainly includes the following aspects.
(1) Formulate information security development strategies and plans. It is the consistent practice of developed countries to formulate development strategies and plans. The United States, Russia and Japan have made or are making their own information security development strategies and plans to ensure that information security develops in the right direction.
(2) Strengthen information security legislation and realize unified and standardized management. Stipulating and standardizing information security work in the form of law is the most powerful guarantee that security measures are effectively implemented. The forerunners in formulating network information security rules were the major portals; websites such as Yahoo and AOL in the United States formed their own information security management methods in practice. On June 5, 2008, the US Senate passed the Internet Network Integrity and Key Equipment Protection Act. In September 2000, Russia implemented the Law on Network Information Security.
(3) Entering the era of standardized and systematic management. With the appearance of the ISO 9000 quality management standard in the 1980s and its subsequent popularization and application around the world, the idea of system management was borrowed and adopted by other management fields, and information security management also entered the era of standardized and systematic management in the 1990s. In 1995, Britain took the lead by introducing the BS 7799 information security management standard, which was recognized by the International Organization for Standardization as the international standard ISO/IEC 17799 in 2000. This standard has since attracted the attention of many countries and regions and has been popularized and applied in some of them. Implementing it allows information security risks to be managed comprehensively and systematically, thereby achieving organizational information security. At the same time, other countries and organizations have put forward many standards related to information security management.
3. Strategies to strengthen information security management
With the overall acceleration of the national economy and of social informatization, information security management faces an increasingly severe situation and ever greater challenges. Generally speaking, China's information security management is still in its infancy, with a weak foundation and a low level, and many problems urgently need to be solved. We should strengthen the organization and management of information security from a global perspective.
(1) Establish a centralized, unified and cooperative information security management mechanism. The key to information security lies in organization and leadership. To fundamentally strengthen China's information security work, we must establish a national, centralized and unified information security management mechanism with division of labor and cooperation. First, the state should establish a comprehensive functional organization that can coordinate and safeguard the various security interests, and set up a highly authoritative National Information Security Committee as the permanent body of the State Council's leading group for informatization, so as to change the current situation of scattered departments, unclear responsibilities, multi-headed management, poor coordination and too many policies in maintaining national information security. Second, all functional departments should form an organizational management system with a clear division of labor, implemented responsibilities, mutual connection and organic cooperation, and perform their information security management duties according to the principle of "whoever is in charge is responsible". Third, a relatively complete information security leadership and management system should be established at the provincial and municipal levels as soon as possible, actively mobilizing resources to cooperate and coordinate information security work and forming a vertical and horizontal mechanism for information security coordination and information sharing. Fourth, the enthusiasm of government, enterprises and individuals should be fully mobilized to achieve organic linkage, form a joint force and jointly build the national information security system. Fifth, the information security responsibility system should be improved, requiring all departments and units to designate the person in charge of information security work and to appoint corresponding information security officers, so that information security responsibility is truly assigned to individuals.
(2) Strengthen the legal construction of information security and provide a law enforcement basis for information security management. As an important part of the information security system, the construction of relevant laws, regulations and standards is imperative. Next, we should strive to establish and improve the system of information security laws and regulations; at the same time, we should attach importance to and strengthen the construction of information security law enforcement teams. The law enforcement activities of the various information security functional departments must be carried out in strict accordance with the authority and procedures prescribed by law, correctly exercising their powers, performing their duties, protecting the legitimate rights and interests of enterprises and citizens, and cracking down on cyber crime. All relevant competent departments and operating units should actively support the work of law enforcement agencies and fulfill their obligations, and social organizations, enterprises and individuals should consciously fulfill the information security responsibilities and obligations stipulated by law and act lawfully in the information network environment.
(3) Take effective measures to actively promote the smooth development of information security graded protection. Implementing graded protection of information security is the state's basic policy for solving the problem of information security protection. Graded protection is an objective requirement for protecting the social and economic value of information systems: scientific and reasonable protection measures are taken according to the sensitivity and importance of the information, the nature and value of the system's application, and the importance of the department; the national key information infrastructure related to the national economy and people's livelihood is protected at different levels; and protection is proportionate, with reasonable expenditure and without blindness or waste. To implement graded protection of information security, the state must consider it from an overall strategic perspective, seize the key links and establish a long-term protection mechanism. Some experience has already been accumulated in the pilot work on graded protection. To promote its overall development, we should focus on the following aspects: clarifying the responsibilities of all parties in the graded protection of information systems; formulating management systems for graded protection; formulating and improving the management norms and technical standards for graded protection; establishing a technical support system that relies on social and technical forces; researching and developing the information systems, technologies and tools for the filing, testing and evaluation of graded protection; and strengthening publicity and training.
(4) Strive to explore and establish a system for preventing and combating information network crime under the new situation. In recent years, China has done a great deal of work in combating cyber crime and achieved significant results. However, with the continuous development of information technology, the forms of cyber crime have become more diverse and its technical means more advanced, which requires us to continually establish and improve a system for preventing and combating information network crime that has law enforcement departments as its main body and mobilizes the whole of society. Network technology should be used to establish a systematic, complete and organically connected administrative and criminal law enforcement system to prevent, control and investigate information network crime and to improve the ability to prevent, control, investigate and crack down on it. We should focus on four aspects: first, a prevention and control mechanism for the whole of society; second, an investigation mechanism with unified command and rapid response; third, a support and cooperation mechanism among the relevant departments and units; and fourth, a coordination mechanism among the public security, procuratorial and judicial organs.