
What is Information Security ISO27001
Time: 2022-03-24

Information security refers to the preservation of the confidentiality, integrity and availability of information.


• Confidentiality: To ensure that information is only available to those authorized to use it.


The confidentiality of information varies with the number of parties allowed to access it. Information that everyone may access is public information; information whose access must be restricted is generally sensitive information or a secret, and secrets can be divided into different levels of secrecy according to the importance of the information and its secrecy requirements. For example, the state divides state secrets into three levels (secret, confidential and top secret) according to the impact (consequence) that disclosure would have on national economic and security interests, and, under the premise of complying with the National Secrecy Law, classifies its information into these levels of confidentiality. The confidentiality of specific information is also time-limited: a secret expires and is declassified.


• Integrity: To safeguard the accuracy and completeness of information and of the methods by which it is processed.


On the one hand, information integrity means that information is not tampered with, lost or damaged while it is used, transmitted and stored; on the other hand, it refers to the correctness of the methods used to process information. Improper operations, such as deleting files by mistake, can result in the loss of important files.


• Availability: To ensure that authorized users can access information and use related assets when needed.


Availability of information means that information and the related information assets are immediately available when authorized persons require them. For example, an interruption of communication lines makes information unavailable for a period of time and affects normal business operations; this is a breach of availability. Different types of information and their corresponding assets place different emphasis on confidentiality, integrity and availability. For example, an organization's proprietary technology, marketing plans and other trade secrets must above all be kept confidential, while for an industrial automatic control system the integrity of control information matters far more than its confidentiality.


Why is information security needed?


Information, information processing, and the information systems and networks that support it are important business assets. The confidentiality, integrity and availability of information are critical to maintaining competitive advantage, cash flow, effectiveness, legal compliance and business image. However, more and more organizations and their information systems and networks face a wide range of security threats, including computer fraud, espionage, sabotage, fire and flood, and information disasters caused by computer viruses, computer intrusions, DoS attacks and similar means have become more common, more planned and harder to detect.

Organizations' reliance on information systems and information services makes them more vulnerable to security threats, and the interconnection of public and private networks and the sharing of information resources make access control harder to implement. Many information systems were not designed with security requirements in mind, so relying on technical means alone to achieve information security has its limits; information security must therefore also be supported by management and procedural controls. Determining which controls should be in place requires careful planning and attention to detail. Information security management requires, at a minimum, the involvement of all employees in the organization, and may also require the involvement of suppliers, customers or shareholders and expert advice on information security. If security requirements and controls are integrated at the information system design stage, the cost is lower and the effectiveness higher.


BS7799 Information Management Process:


① Determine the information security management policy.


② Determine the scope of the ISMS (Information Security Management System).


③ Carry out risk analysis.


④ Select the control objectives and controls.


⑤ Establish a business continuity plan.


⑥ Establish and implement a security management system.


The role of establishing an information security management system:


No matter how much an organization invests in information technology, and however new the information security technology it adopts, it still has gaps in information security management, such as:


 • Lack of information security management forums, unclear security orientation, and unclear management support;


 • Lack of cross-departmental information security coordination mechanisms;


 • Responsibilities for protecting specific assets and completing specific security processes are unclear;


 • Employees' information security awareness is weak and they lack awareness of prevention, so it is easy for outsiders to walk directly into production and office areas;


 • The organization's information system management procedures are not sound enough;


 • There are hidden dangers in the security of the organization's main computer room, such as problems with fire prevention facilities or sharing an office building with a dangerous-goods warehouse;


 • The organization's information system backup equipment is still lacking;


 • Lack of technical investment in the organization's information system security protection;


 • Lack of software intellectual property protection;


 • Lack of physical precautions in computer rooms and office spaces;


 • Lack of reliable storage places for files, records, etc.;


 • Lack of measures and plans to ensure the continuity of production and operation in the event of an accident;


... and so on.


In fact, an organization can refer to the information security management model, establish a complete information security management system in accordance with the advanced BS7799 information security management standard, and implement and maintain it, so as to achieve a dynamic, systematic, institutionalized and prevention-oriented management approach with participation by all staff. Reaching an acceptable level of information security at the lowest cost can fundamentally ensure business continuity. An organization that establishes, implements and maintains an information security management system will see the following effects:


 • Strengthen employees' information security awareness and standardize organizational information security behavior;


 • Comprehensive and systematic protection of the organization's key information assets to maintain a competitive advantage;


 • Ensure business continuity and minimize damage when information systems are compromised;


 • To give the organization's business partners and customers confidence in the organization;


 • If it passes the system certification, it shows that the system meets the standards, proves that the organization has the ability to protect important information, and improves the organization's reputation and trust;


 • Encourage management to adhere to the information security assurance system.


BS7799 standard overview:


 • In 1995, the Department of Trade and Industry of the United Kingdom organized the information security managers of large enterprises to formulate the world's first information security management system standard, BS7799-1:1995 "Information Security Management Implementation Rules", as a guide for businesses and organizations of all sizes implementing information security management. Because this standard is written as advice and guidance, it should not be used as a certification standard.


 • In 1998, in order to meet the need for third-party certification, the United Kingdom formulated the first information security management system certification standard, BS7799-2:1998 "Information Security Management System Specification", as the basis for evaluating and certifying all or part of an organization's information security management system.


 • In 1999, in view of the rapid development of computer and information processing technology, especially its application in networking and communications, the United Kingdom revised the information security management system standard again. The revised BS7799-1:1999 and BS7799-2:1999 superseded BS7799-1:1995 and BS7799-2:1998 respectively. The 1999 edition further emphasizes information security and the information security responsibilities of organizations involved in business activities. BS7799-1:1999 and BS7799-2:1999 are a pair of complementary standards: BS7799-1:1999 provides best-practice guidance on how to establish and implement an information security management system that meets the requirements of BS7799-2:1999.


 • In December 2000, BS7799-1:1999 was officially adopted by ISO/IEC as the international standard ISO/IEC 17799:2000 "Information Technology - Implementation Rules for Information Security Management". In addition, BS7799-2:1999 was revised at the end of 2002 and is to serve as the blueprint for an ISO/IEC "Information Security Management System Specification" that can be used for certification.


Information security certification is the best way to achieve your information security goals:


BS7799-2:2002 "Information Security Management System Specification" puts forward a series of certification requirements for organizations. Its General Provisions state that an organization should establish and maintain a documented information security management system which describes the assets to be protected, the organization's approach to risk management, the control objectives and controls, and the required level of assurance; the organization identifies control objectives and controls by establishing and implementing a management structure, and keeps documents and records of them.


The controls of BS7799-2:2002 cover 10 areas:


 • Security Policy: Provide management guidance and support for information security;


 • Organizational security: establish an information security structure to manage information security within the organization; protect the organization's information security when its information is accessed by, or its processing is outsourced to, a third party;


 • Asset classification and control: clarify asset responsibilities and maintain appropriate protection of organizational assets; classify information to ensure that information assets are protected to an appropriate level;


 • Personnel security: reduce the risk of human error, theft, fraud and misuse of facilities through job descriptions and resourcing; strengthen user training so that users are aware of the information security threats and issues relevant to their day-to-day work and support the organization's security policy in it; develop response procedures for security incidents and malfunctions, reduce the losses they cause, monitor such incidents and learn from them;


 • Physical and environmental security: define secure areas to prevent unauthorized access to, damage to and interference with business premises and information; prevent loss, damage or compromise of assets and interruption of business activities by securing equipment; adopt general controls to prevent compromise or theft of information and information processing facilities;


 • Communications and operations management: define operating procedures and responsibilities to ensure the correct and secure operation of information processing facilities; strengthen system planning and acceptance to reduce the risk of system failure; protect against malicious software to maintain the integrity of software and information; strengthen housekeeping to maintain the integrity and availability of information processing and communication services; strengthen network management to safeguard information in networks and the supporting infrastructure; prevent damage to assets and interruption of business activities by securing media handling; manage the exchange of information and software to prevent loss, modification and misuse of information exchanged between organizations;


 • Access control: control access to information according to business requirements; strengthen user access management to prevent unauthorized access to information systems; define user responsibilities to prevent unauthorized user access; strengthen network access control to protect networked services; strengthen operating system access control to prevent unauthorized computer access; strengthen application access control to prevent unauthorized access to information held in systems; monitor system access and use to detect unauthorized activity; ensure information security when mobile computing and teleworking facilities are used;


 • System development and maintenance: define system security requirements to ensure that security is built into information systems; strengthen the security of application systems to prevent loss, modification or misuse of user data in applications; strengthen cryptographic controls to protect information; strengthen the security of system files to ensure that IT projects and their support activities are conducted securely; strengthen the security of development and support processes to maintain the security of application software and information;


 • Business continuity management: counteract interruptions to business activities and protect critical business processes from the effects of major failures or disasters;


 • Compliance: comply with legal and regulatory requirements to avoid breaches of criminal or civil law, statutory or regulatory obligations, contractual obligations and other security requirements; strengthen reviews of security policy and technical compliance to ensure that systems comply with the organization's security policies and standards; plan system audits so as to maximize their effectiveness and minimize the disruption caused by the audit process.


The international standard ISO/IEC 17799 gives detailed guidance on the various measures required to achieve information security certification; it is highly practical and instructive.


In the final analysis, the purpose of information security work is to provide assurance that security requirements are met by adopting appropriate security technology and security management measures, supported and guided by laws, regulations and policies, and the BS7799 information security certification standard is the sum of these requirements. Organizations can implement information security requirements according to their own characteristics under the guidance of ISO/IEC 17799.


ISO27001:2005 "Information Security Management System Requirements"


ISO27001:2005 "Information Security Management System Requirements" is a standard for information security management. It is a standard, not a method. Meeting the requirements of the standard is not difficult; what matters is how they are achieved. Enterprises should treat implementation of the standard as an opportunity to comprehensively improve internal management, rather than using the standard as a simple template to be applied to existing processes. Only by improving the existing management system, strengthening its weak links, improving operating processes and internal communication, and effectively integrating advanced management ideas into concrete implementation procedures can the standard play a real role.


Obtaining a certificate is not the ultimate goal. Only by establishing a responsible, orderly, effective and efficient information security management system, improving employees' information security awareness, and continuously acquiring and applying advanced management methods and technical means can an enterprise's information security management level be continuously developed and improved.