Information system security management architecture

zhaozj2021-02-16  47

Establishing an information security management system architecture in our institute

Our production technology platform is built entirely on the network, and as information construction has progressed, day-to-day business has been moved onto the electronic platform. The resulting "network dependence" has made enterprise network information security a focus for the whole institute; the most visible signs are the malicious damage done by network hackers since last year, the Nimda virus infections and the server crash incidents. As everyone knows, in today's fast-moving environment our integrated CAD application software and MIS management rely on networking technology to integrate information technology. With ever more data being accessed over the intranet and the Internet, the enterprise faces ever more security threats from the network. If the enterprise cannot eliminate security hazards in time and protect its design information and other sensitive data, it will not only suffer large economic losses but also damage to its credibility. It can be said that while the network supports design and management, it also poses a huge challenge to network security. How to keep the network running continuously and securely, how to protect important information from hackers, accidents, competitors and internal sabotage, how to connect safely and quickly to the external network environment, and how to keep production and design management flowing smoothly in the network system have become questions that the enterprise's information supervisor must consider.

The three elements of an information security management system are people, institutional rules and technology. Technology is the foundation, but technology is only effective when the rules and the people are in place; seen from the user's perspective, information security management puts more emphasis on management (seven parts management, three parts technology). In practice the three elements are like a tripod: the system stays balanced only when the three legs are equally long.

After years of research, developed countries have formed a mature information security management method and standards that can be generally adopted, namely British Standard 7799, the Information Security Management System standard (ISO / IEC 17779). Its security management content covers: information security policy, information security organization, information asset classification and management, personnel security, physical and environmental security, communications and operations management, access control, development and maintenance of information systems, business continuity management, and so on. Faced with such a large body of management technology, how can an enterprise effectively build its own information security management system and truly reach the basic goal of information security? Starting from the three elements of information security management: computer network and information security = information security technology + information security management system (technology + people + rules). Good cooperation between the technical level and the management level is an effective way to organize a network and information security system. At the technical level this is achieved by building a secure host system and a secure network system, equipped with appropriate security products; at the management level it is achieved through a documented information security management system (implementation of the rules and training of personnel).

The information security management process of British Standard 7799 is:

· Determine the scope of information security management policy and information security management system

· Risk analysis

· Establish information security management system (system and technical system) based on risk analysis

· Establish business continuous plans and implement safety management systems

The design institute should organize its information security management framework according to its own conditions, business development and information security requirements, implement the framework in its normal business processes, and establish documents consistent with the information security management framework. Management must be strict: all information security events and security conditions that occur during implementation must be recorded, and strict feedback processes and systems must be established.

1. Determine the scope of information security management policy and information security management system

An information security policy is a high-level statement of the enterprise's philosophy and of how it protects high-value data and ensures the safe operation of its production design systems. Through carefully written, effectively communicated and enforced policies, it helps the institute eliminate the risks of improper use of systems, software, e-mail and the Internet. The information security policy is the organization's highest-level security policy; it should be simple, easy to understand and to the point, and should not cram every level of security within the organization into one policy, which leaves people confused. It must be a written document, widely distributed to all employees in the organization, with training on the information security policy for all relevant employees and special training for personnel with special responsibility for information security, so that the policy truly takes root in the minds of all employees and is implemented in actual work. The information security policy plays the leading role when the enterprise implements network security measures: only by developing a reasonable security policy suited to its own characteristics can the enterprise make its security measures effective and obtain the expected results. A good, reasonable security policy helps users assess network risks, set security objectives, determine a reasonable and feasible security level, and select and deploy security solutions. The information security management policy should provide that:

· The design institute has systems and data in place to ensure that information can only be accessed by those entitled to obtain it, that the accuracy and completeness of information and processing methods are ensured, and that authorized persons can obtain the information and corresponding assets they need;

· Employees agree not to make unauthorized copies of copyrighted software, agree not to disclose passwords, agree to access systems and data only as authorized, acknowledge that the company has the right to monitor systems for security purposes, and undertake that the company's reputation will never be damaged; compliance with the security policy should be an integral part of each employee's performance evaluation;

· Maintain the value of technical resources, intellectual property rights and information;

· Avoid damage to information, business procedures, and property to ensure continuous operation of the entire enterprise.

Determining the scope of the information security management system means selecting which parts of the organization's structure the information security management system covers. The company's existing organizational structure is the most important consideration in defining the scope of the information security management system.

2. Risk analysis

The complexity of an information security risk assessment depends on the complexity of the risks and on the sensitivity of the protected assets, and the assessment measures used should be consistent with the risk to the organization's information assets.

Asset assessment is the prerequisite for developing an information security strategy: only after determining which resources need focused protection can the enterprise make a strategy that fits reality. The company must first determine the data, systems and networks that are critical to its current success and long-term survival, because these elements have both monetary value and intrinsic value for the company. Monetary value refers to how much the company would lose if key, sensitive design data, application systems and networks could not provide their proper functions. Intrinsic value refers to the damage to the organization's credibility, reputation and investor relations.

During the assessment, companies should adopt new business models that make full use of proven traditional methods and network computing to gain competitive advantage. For many companies the question is not whether data security must be managed, but how to manage complex computer environments, multiple computer platforms and multiple integrated computer networks within budget. Each organization must determine for itself the level of security it requires and which security measures most effectively meet its particular business needs. An effective assessment method is therefore one that is targeted at the particular conditions of each enterprise.

The most typical information resources of the design institute are: the electronic design data accumulated over years of design work, especially recent data; financial data and personnel information; and key application systems such as the MIS integrated design office system and the three-dimensional design software. If a server develops problems, work is hard to continue; if computer workstations fail, schedules are hard to meet.

Baseline risk assessment is a method of assessing the risks to an organization's assets only with reference to the risks listed in the standard. The standard lists some common risks to information assets and their control points. For some small and medium enterprises (for example, those whose business does not depend heavily on information, information processing and computer networks, or is not externally oriented) this is sufficient; but it may cause problems for other organizations. On the one hand, if the organization's security level is set too high, the controls chosen for some risks will be too expensive and may restrict daily operations; if it is set too low, some risks may be insufficiently controlled. On the other hand, adjustment of the information security management system becomes difficult, because when the system is updated and adjusted it may be hard to assess whether the original controls still meet the current security needs. Threat identification: to make a successful strategy you must know yourself and know the enemy, understanding not only the business's own situation but also all kinds of internal and external threats to enterprise security. Information assets may be destroyed, lost, damaged, stolen, devalued or transferred, dealing a fatal blow to the company.

In deciding how to manage a risk, a company can take one of three basic attitudes. Accept: if the exposure is small and the cost of protection is high, the company can choose to accept the risk. Disperse (transfer): if the risk can be spread to other parties, a dispersion approach can be taken; buying fire insurance rather than constructing a fireproof building is a dispersed risk. Avoid: where necessary, the company takes the measures needed to prevent security problems, or to reduce the number of security incidents or the damage they cause. Taking measures with the correct attitude is the key to the enterprise's fate, because attitude directly determines the accuracy of the enterprise's risk assessment.

An organization must not rely on luck when assessing the risks to its information assets; both the direct consequences and the potential consequences must be considered. Identifying and valuing the information assets within the scope of the information security management system, then evaluating the various threats and vulnerabilities facing those assets, while identifying the existing or planned security controls: this is the risk assessment process.

3. Establish information security management system (system and technical system) based on risk analysis

The principle for determining control objectives and selecting controls is that the cost of the control should not exceed the risk. Note, however, that the consequences of some risks cannot be measured in money (such as loss of goodwill). Since information security is a dynamic systems engineering effort, the organization should continually check and adjust the selected control objectives and controls to adapt to change, so that the protection of the organization's assets remains effective, economical and reasonable.
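As an added example (not part of the original article), the following Python code carries the risk assessment and control selection described above through on a small constructed asset register for a design institute: each threat's annual loss expectancy is computed from the asset's monetary and intrinsic value, and the accept / disperse (transfer) / avoid decision is taken by the rule that a control is only adopted when its cost does not exceed the risk it removes. The asset names, values, probabilities and the acceptance threshold are all constructed sample data; the decision rule for falling back to "transfer" when no control pays for itself is an assumption, not something the standard prescribes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    monetary_value: float    # loss in currency units if the asset is fully lost
    intrinsic_weight: float  # multiplier for reputation / credibility damage (1.0 = none)


@dataclass
class Threat:
    asset: str
    description: str
    annual_likelihood: float        # expected occurrences per year
    exposure: float                 # fraction of asset value lost per occurrence (0..1)
    existing_control_reduction: float = 0.0  # fraction of likelihood already removed


@dataclass
class Control:
    name: str
    applies_to: str              # threat description it mitigates
    annual_cost: float
    likelihood_reduction: float  # fraction of the remaining likelihood it removes


def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """Risk = value x exposure x likelihood, net of controls already in place."""
    value = asset.monetary_value * asset.intrinsic_weight
    likelihood = threat.annual_likelihood * (1.0 - threat.existing_control_reduction)
    return value * threat.exposure * likelihood


def decide(asset: Asset, threat: Threat, controls: List[Control],
           accept_threshold: float) -> Tuple[str, Optional[str], float]:
    """Return (attitude, chosen control, ALE) for one asset/threat pair."""
    ale = annual_loss_expectancy(asset, threat)
    if ale <= accept_threshold:
        return "accept", None, ale          # small exposure: accept the risk
    best: Optional[Control] = None
    best_net = 0.0
    for c in controls:
        if c.applies_to != threat.description:
            continue
        benefit = ale * c.likelihood_reduction
        if c.annual_cost > benefit:
            continue                        # cost exceeds the risk it removes
        net = benefit - c.annual_cost
        if best is None or net > best_net:
            best, best_net = c, net
    if best is not None:
        return "avoid", best.name, ale      # take measures to reduce the risk
    return "transfer", None, ale            # assumption: e.g. insure the risk instead


def treat_all(assets: List[Asset], threats: List[Threat], controls: List[Control],
              accept_threshold: float) -> Dict[Tuple[str, str], Tuple[str, Optional[str], float]]:
    by_name = {a.name: a for a in assets}
    return {(t.asset, t.description): decide(by_name[t.asset], t, controls, accept_threshold)
            for t in threats}


# Constructed sample register for a design institute (values are illustrative only).
ASSETS = [
    Asset("design archive server", 2_000_000, 1.5),   # years of drawings; reputation at stake
    Asset("CAD workstation", 20_000, 1.0),
]
THREATS = [
    Threat("design archive server", "virus outbreak", 0.5, 0.2),
    Threat("design archive server", "server hardware failure", 0.1, 0.5),
    Threat("design archive server", "server room fire", 0.01, 1.0),
    Threat("CAD workstation", "theft", 0.05, 1.0),
]
CONTROLS = [
    Control("managed anti-virus and patching", "virus outbreak", 40_000, 0.8),
    Control("isolate archive from the Internet", "virus outbreak", 400_000, 0.95),
    Control("redundant server plus nightly backups", "server hardware failure", 60_000, 0.9),
    Control("fire-rated server room", "server room fire", 250_000, 0.9),
]
ACCEPT_THRESHOLD = 5_000  # constructed: ALE at or below this is simply accepted

if __name__ == "__main__":
    for (asset, threat), (attitude, control, ale) in treat_all(
            ASSETS, THREATS, CONTROLS, ACCEPT_THRESHOLD).items():
        print(f"{asset:22s} {threat:24s} ALE={ale:>10,.0f}  {attitude:8s} {control or ''}")
```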

Preparing the information security statement of applicability: the statement of applicability sets out the organization's internal risk control objectives and the various controls adopted for each risk. It is prepared on the one hand to declare how information security risks are controlled within the organization and, to a greater extent, to demonstrate the organization's attitude to the outside world: to show that the organization has comprehensively and systematically examined its information security system and has controlled all risks that need controlling to an acceptable level.

Information security touches every aspect of the enterprise and is an extremely complex systems engineering problem. A complete information security management system should include at least three types of measures. First, the external soft environment: laws and policies, corporate rules and regulations, and so on. Second, management measures. Third, technical measures: real-time monitoring of the enterprise's security status, the ability to change the security policy in real time, vulnerability checks of the existing security systems, and so on, whose main purpose is to keep the information security management system operating continuously. The enterprise's security system should be built along all three lines, with the legal and regulatory lead in the most important position.

Establishing and implementing a security management system

The security rules and regulations are the foundation of the security protection system. They are a document, or a set of documents, that plans all the security controls implemented within the enterprise. The rules and regulations are not technical indicators; they have three main roles in the enterprise:

· Clarify the legal responsibility of employees;

· Protect confidential information and intangible assets from theft, misuse, unauthorized disclosure or modification;

· Prevent waste of the enterprise's computer resources.

Rules and regulations written on paper are only the means of conveying the company's program to each employee. The rules and regulations must be officially released, and only officially released rules and regulations can serve as legal evidence.

The life cycle of the rules and regulations (that is, the implementation of the system) is the process we must follow when developing, implementing and supervising the implementation of the rules and regulations. Development of the rules and regulations is based on the conclusions of the risk assessment, as are the security controls needed to mitigate and transfer the risks; write them in concise, easy-to-understand language and do not make them too complicated. Implementation is the work the company does after releasing the rules and regulations: the punishment for a violation must match the act itself, and every violation of the rules and regulations must be punished. If enforcement is lax, the security system will be difficult to implement. Supervision of implementation must be unremitting; this work must be repeated over the long term and must be able to keep pace with the development and change of the business.

Seen from a global perspective, the development of the rules and regulations includes several aspects: clarifying the key business resources and the policy system, defining all positions in the enterprise, and determining the powers and obligations of the enterprise. The security system can also be divided into ten parts whose content covers all the issues involved in the decision-making and system development work of the information system. The ten parts of British Standard 7799 and their roles are:

1 Business continuity and disaster recovery planning

· Counter the consequences of major failures and disasters and restore the operation of the enterprise and its key business processes.

2 System access control

· Control access to information;

· Prevent unauthorized access to information systems;

· Ensure that services on the network are protected;

· Prevent unauthorized access to computer hardware devices;

· Detect unauthorized access;

· Ensure the security of information during mobile computing and of information on telecommunications lines.

3 System development and maintenance

· Ensure that security protections are built into the systems under the enterprise's control.

· Prevent the loss, modification, and abuse of user data in the application system.

· Protect information and the authenticity and integrity of user identity.

· Ensure that IT projects and their supporting activities are carried out in a secure manner.

· Maintain the security of software and data in the application system.

4 Physical and environmental security considerations

· Prevent unauthorized access to, damage to and interference with the enterprise's premises and information;

· Prevent enterprise assets from being lost, damaged or misused, and prevent business activities from being interrupted;

· Prevent information and information processing equipment from being misused or stolen.

5 Compliance with laws and regulations

· Avoid violations of all criminal and civil laws; avoid violations of statutory, regulatory, policy and contractual obligations; avoid violating the requirements of the security system;

· Keep the company's security system in line with international and domestic standards;

· Maximize the effectiveness of the company's supervision mechanism and minimize the inconvenience it causes.

6 Personnel security considerations

· Reduce the risk of human error, theft, fraud and misuse of information processing equipment;

· Ensure that users understand the threats to and concerns of information security, and know how to use the necessary equipment to support the company's security system in their daily work;

· Reduce the damage from security incidents and malfunctions to a minimum and learn from such incidents.

7 Organizational security considerations

· Strengthen information security management within the enterprise;

· Maintain the security of enterprise information processing equipment and information assets that third parties are allowed to access;

· Protect the security of information where information processing services are outsourced to other companies.

8 Computer and network management

· Ensure that the operation of the information processing device is correct and secure;

· Reduce the risk of system failure;

· Protect software and information integrity;

· Maintain the integrity and availability of information during processing and communication;

· Ensure security monitoring of information on the network and security protection of the relevant supporting systems;

· Prevent actions that damage corporate assets and interrupt business activities;

· Prevent information exchanged between enterprises from being lost, modified or misused.

9 Asset classification and control

Apply appropriate protection measures to corporate assets so that intangible assets receive an adequate level of protection.

10 Security policy

Provide management guidance and support for information security.

A strict information security system must include the following key points:

· Ownership of information must be clearly defined.

· The responsibilities of employees and users in protecting information assets must be specified.

· Penalties for non-compliance with the system must be laid down.

To avoid weaknesses, the following advice is given:

When developing an information security system, pay attention to the corporate culture. Many security regulations are copied from a reference template or modelled on other enterprises; an information security system that does not fit the corporate culture and the company's business activities often leads to widespread non-compliance.

The rules and regulations must have practical significance and must be clearly approved by management before official release. Before releasing them, first investigate how well users will accept the system, and arrange the necessary spending plans for the network systems and business processes in several respects. Do not underestimate the role of the rules and regulations: if employees are to abide by them consciously, the reasons for developing them must first be made clear. Hold a learning meeting, announce at the meeting that the rules and regulations are being put into effect, and issue a notice from the company's leadership to each employee. When issuing the rules and regulations, the supervision of their implementation must be set down in writing, the timetable for formal implementation of the set of rules must be explained, and the procedure for examining and approving exceptions and the procedure for reporting violations must be explained. This is very important. Employees should be given small items that remind them to comply with the system, and self-examination checklists can even be prepared so that employees and department managers can check their own compliance with the system. The rules and regulations must include appropriate monitoring mechanisms and disciplinary penalties for non-compliance, so that misunderstandings of the rules and regulations can be found and corrected and instances of non-compliance can be found and corrected. For appropriate supervision of implementation, companies should as far as possible use automated tools to perform regular inspections of compliance with the rules and regulations; if manual methods are used for checking, there must be a regular inspection plan.

The causes of and responsibility for serious incidents must be formally traced; violations of the regulations should be punished according to the circumstances, with discipline applied equally to everyone. Incident handling should define how to investigate and collect evidence and under what circumstances the judicial organs should be involved. Compliance, exceptions and violations of the rules and regulations should be summarized regularly and communicated to corporate leadership, so that they understand how the system is being implemented and support the work. The key to a successful information security system is the answer to these questions: do employees understand the difference between correct and incorrect usage? Will employees report an obvious violation of the system? Do employees know how to report an obvious violation of the system? The following are several important components of a security system:

Computer usage management system

The computer usage management system discusses and defines the correct use of the company's computer resources. Users should be required to read and sign this agreement when their accounts are opened. Users are responsible for protecting the information stored in their accounts, and this must be written into the agreement. The user's personal e-mail usage is also written into the agreement. This system needs to answer the following questions:

· Can users read and copy files that they have access to but that do not belong to them;

· Can users modify files that they have write permission to but that do not belong to them;

· Can users copy system configuration files (such as /etc/passwd and the SAM) for personal use or give copies to others;

· Can users use .rhosts files, and which entries may be set in them;

· Can users share an account;

· Can users copy copyrighted software.

User Account Management System

The user account management system specifies the procedure for applying for and issuing system accounts. Computer users in large companies often have accounts on several systems, so this system is very important for them. Having users read and sign this agreement when they apply for an account is a good approach. The user account management system needs to answer the following questions:

· Who has the right to approve the application for opening an account;

· Who (employee, spouse, child, company visitor, etc.) is allowed to use the company's computer resources;

· Can users open multiple accounts on a system;

· Can users share an account;

· What rights and obligations do users have;

· When are accounts disabled and archived.

Remote access management system

The remote access management system specifies how the company's internal network may be connected to remotely. This system is very important for today's companies because users and networks may be spread over a wide area. It should cover the permitted means of remote access to internal resources, such as dial-up (SLIP, PPP), ISDN / Frame Relay, Telnet access, cable TV modem / DSL, and so on. This system needs to answer the following questions:

· Who is entitled to use remote access services;

· Which connection methods are supported (for example, only broadband modem / DSL, or dial-up as well);

· Whether dial-out modems are allowed on the internal network;

· Whether there are additional requirements on the remote system, such as mandatory anti-virus and security software;

· Whether other members of an employee's family may use the company's network;

· Whether the data that may be accessed remotely is restricted.

Information protection management system

The information protection management system specifies the correct approach when users handle, store and transmit sensitive data. The main purpose of this system is to ensure that protected information is not modified or disclosed without authorization. Existing employees of the company must sign this agreement, and new employees must learn this system during induction training. The information protection management system needs to answer the following questions:

· How the sensitivity level of information is set;

· Who can access sensitive information;

· How sensitive information is stored and transmitted;

· Which sensitivity levels of information may be printed on a shared printer;

· How sensitive information is erased from storage media (shredding, hard disk wiping, floppy disk degaussing, etc.).

Firewall management system

The firewall management system stipulates how the firewall hardware and firewall software are managed, and lays down the approval procedure for changing the firewall configuration. It needs to answer the following questions:

· Who has access to a firewall system;

· If the firewall configuration needs to be changed, who must submit the request;

· If the firewall configuration needs to be changed, who approves the request;

· Who may see the firewall configuration rules and access lists;

· How often the firewall configuration is reviewed.

Special access management system

The special access management system specifies how special system accounts (the root account, system administrator accounts, etc.) are applied for and used. This system needs to answer the following questions:

· Who must submit a request for special access;

· Who approves special access;

· What are the password rules for special access;

· How often the password must be changed;

· For what reasons or in what circumstances a user's special access is revoked.

Network connection device management system

The network connection device management system specifies how new devices are added to the network. It needs to answer the following questions:

· Who has the right to install the equipment on the network;

· Whose approval is needed to install a new device;

· Who must be notified when a new device is installed;

· Who records the addition of network equipment;

· Whether there are security requirements for new equipment on the network.

Business partner management system

The business partner management system stipulates what security conditions business partners must meet. With the development of e-commerce, the company's internal network is increasingly open to business partners, customers and suppliers, and the business partner management system is becoming more and more important. These regulations vary greatly from one business partner agreement to another, but at least the following important questions need to be answered:

· Whether each business partner must have a written security system;

· Whether every business partner must have a firewall or other network boundary security device;

· How communication is carried out (a VPN virtual private network over the Internet, a leased line, etc.);

· How to apply for access to a business partner's information resources.

Other important regulations

You may also need to develop other rules and regulations, such as:

· Wireless network management system: helps strengthen the security protection measures for wireless networks, including which devices may connect wirelessly, what security measures must be taken, and so on.

· Laboratory management system: if your company has a test laboratory, this system must be used to protect the internal network and reduce the security risk. It is best to give the test laboratory a completely independent external connection rather than connecting it to the company's internal business network.

· Personal Digital Assistant (PDA) management system: this system specifies whether PDA devices are allowed to connect to the company's internal network, how the connection is established, and what PDA software may be installed on company systems. These devices bring your technical support staff a great many support and compatibility issues.

Customer management system

In addition, the company provides a general overview of its security protection system to customers, potential customers and business partners. This helps demonstrate the importance the company attaches to its security environment and its experience with it.

Information Security Management System Basic Technical Framework

The data-oriented view of security is the confidentiality, integrity and availability of data, while the user-oriented view is identification, authorization, access control, non-repudiation and availability of service, together with the protection of personal privacy, intellectual property and the like. Taken together these are the security service functions of the information security management architecture, and they have to be solved by security mechanisms (measures) such as cryptography, digital signatures, authentication technology, firewalls, security audit, disaster recovery, anti-virus and intrusion prevention. Cryptographic technology and its management are the core, and security standards and systematic evaluation are the basis of information security.

The security system of the information security management system can be divided into three levels. First, the basic security elements, which are available in many system platforms such as operating systems or databases. Second, enhancements to those basic security elements, which give the system a more reliable protective effect. Third, extended security mechanisms, which provide stronger security monitoring and defence.

Basic security

User identity and identification

Trusted operation of a computer information system begins by requiring the user to declare an identity and to provide evidence that proves that identity.

Identification applies primarily to the subject, but in some cases objects must also be identified. Identity authentication in a computer system involves three factors: something you know (a secret password), something you have (a token or key), and something you are (physiological characteristics).

Verification by password alone is the method adopted by most commercial systems. This simple method exposes the computer system to obvious risks, including dictionary attacks against the password, and the legitimate login program being replaced by a fake one (login spoofing).

No simple password system can guarantee that it will not be broken into. Some systems add a token to the password: in this way the system verifies that the user holds the correct token while also checking the user's password. The token is software run by, or hardware held by, the computer user. The token continuously changes its code, and the verifier checks it by staying synchronised with the token.
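The "password plus synchronised token" scheme described above, as an added worked example that is not part of the original article: a one-time code derived from a shared secret and a time counter (the HOTP/TOTP construction of RFC 4226/6238), checked by a server that tolerates a small amount of clock drift. The shared secret, the salt and the time values are constructed for the demonstration; a real deployment provisions them per user.

```python
import hashlib
import hmac
import struct

# Constructed demonstration values (not from any real system).
SHARED_SECRET = b"constructed-demo-token-secret-01"   # provisioned to both token and server
PASSWORD_SALT = b"constructed-demo-salt"               # per-user salt in a real system
TIME_STEP = 30    # seconds each one-time code stays valid
DRIFT = 1         # accept codes +/- one step to tolerate clock drift


def one_time_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive a one-time code from secret + counter (HOTP, RFC 4226 dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def token_display(secret: bytes, now: float) -> str:
    """What the user's hardware/software token shows at time `now`."""
    return one_time_code(secret, int(now // TIME_STEP))


def hash_password(password: str) -> bytes:
    """Slow, salted password hash; the server stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)


def verify_login(stored_hash: bytes, password: str, presented_code: str,
                 secret: bytes, now: float) -> bool:
    """Two-factor check: correct password AND a code matching the server's clock window."""
    password_ok = hmac.compare_digest(hash_password(password), stored_hash)
    counter = int(now // TIME_STEP)
    code_ok = any(
        hmac.compare_digest(one_time_code(secret, counter + d), presented_code)
        for d in range(-DRIFT, DRIFT + 1)
    )
    # Evaluate both factors before returning so a failure does not reveal which one failed.
    return password_ok and code_ok


if __name__ == "__main__":
    stored = hash_password("correct horse")
    t = 1_000_000.0
    print("token shows", token_display(SHARED_SECRET, t))
    print("live code accepted:", verify_login(stored, "correct horse", token_display(SHARED_SECRET, t), SHARED_SECRET, t))
    print("code from two steps ago accepted:", verify_login(stored, "correct horse", token_display(SHARED_SECRET, t - 60), SHARED_SECRET, t))
```

The drift window is the trade-off the article hints at with "synchronisation": too narrow and honest users with slow clocks are locked out, too wide and a captured code stays replayable for longer. The password is still required, so a stolen token alone does not log in.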

Verification based on physiological characteristics is a technology that is still largely in the research phase. The methods vary widely; common ones are fingerprint, retina or iris, and palm geometry. Such systems are usually very expensive, and their error rates and performance have not been widely accepted.

Access control

Access control is divided into "discretionary access control" and "mandatory access control".

Discretionary access control (DAC) is the most common type in commercial systems; the UNIX and NT operating systems use DAC. In a DAC-based system the owner of an object is responsible for setting its access permissions. One of the biggest problems with discretionary access control is that the subject's permissions are too broad: information can be leaked unintentionally, and Trojan horse attacks cannot be prevented.

Under mandatory access control (MAC) the system assigns security attributes to every object and subject, and these attributes cannot be modified as easily as the ACL (access control list) set by the object owner. The system decides whether a subject's operation is permitted by comparing the security attributes of the subject and the object. Mandatory access control can prevent Trojan horse attacks and gives users a higher level of security.

Audit

Audit is a trusted mechanism: the security system uses it to record its own activity. The information recorded by the audit system should include the identification of the subject and the object, the access request, the date and time, and the result of the request (success or failure). Audit records should be stored in a trusted manner. Most operating systems provide at least an audit subsystem that the user can access.
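The DAC versus MAC discussion and the audit requirements above, as one added worked example that is not the article's own code: a small reference monitor that checks an owner-managed ACL (DAC), then a system-assigned label comparison (MAC, "no read up, no write down"), and writes every decision into a hash-chained audit log carrying subject, object, request, time and result. The subjects, objects, labels and the Trojan scenario are constructed for the demonstration.

```python
import hashlib
import json
from dataclasses import dataclass, field

# System-assigned sensitivity levels (constructed lattice for the example).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str                 # MAC attribute, set by the system, not the user


@dataclass
class Obj:
    name: str
    owner: str
    label: str                     # MAC attribute, set by the system
    acl: dict = field(default_factory=dict)   # DAC: owner-managed {subject: {modes}}


def dac_allows(subj: Subject, obj: Obj, mode: str) -> bool:
    """Discretionary check: the owner decides who else gets which mode."""
    return subj.name == obj.owner or mode in obj.acl.get(subj.name, set())


def mac_allows(subj: Subject, obj: Obj, mode: str) -> bool:
    """Mandatory check (Bell-LaPadula style): no read up, no write down."""
    s, o = LEVELS[subj.clearance], LEVELS[obj.label]
    if mode == "read":
        return s >= o
    if mode == "write":
        return s <= o
    return False


class ReferenceMonitor:
    """Mediates every access and appends a tamper-evident audit record."""

    def __init__(self) -> None:
        self.audit = []
        self._prev_hash = "0" * 64

    def request(self, subj: Subject, obj: Obj, mode: str, when: str) -> bool:
        allowed = dac_allows(subj, obj, mode) and mac_allows(subj, obj, mode)
        record = {"subject": subj.name, "object": obj.name, "request": mode,
                  "time": when, "result": "success" if allowed else "failure",
                  "prev": self._prev_hash}
        record["hash"] = _digest(record)
        self._prev_hash = record["hash"]
        self.audit.append(record)
        return allowed


def _digest(record: dict) -> str:
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def verify_audit_chain(records: list) -> bool:
    """Detect any edited, removed or reordered record via the hash chain."""
    prev = "0" * 64
    for r in records:
        if r["prev"] != prev or _digest(r) != r["hash"]:
            return False
        prev = r["hash"]
    return True


def trojan_leak_scenario():
    """Alice runs a Trojan that tries to copy her secret report into Mallory's public file.
    Returns (DAC-only decision, DAC+MAC decision)."""
    alice = Subject("alice", "secret")
    report = Obj("report.doc", owner="alice", label="secret")
    # Mallory "helpfully" grants alice write access to a file everyone can read.
    dropbox = Obj("dropbox.txt", owner="mallory", label="public", acl={"alice": {"write"}})
    dac_only = dac_allows(alice, report, "read") and dac_allows(alice, dropbox, "write")
    with_mac = (dac_allows(alice, report, "read") and mac_allows(alice, report, "read")
                and dac_allows(alice, dropbox, "write") and mac_allows(alice, dropbox, "write"))
    return dac_only, with_mac
```

Under DAC alone the owner-granted write is enough for the Trojan to leak; under MAC the write from a "secret" subject to a "public" object is refused regardless of what the owners configured, which is the property the article attributes to mandatory access control. The chained audit log is one way to meet "stored in a trusted manner": an administrator who alters a record afterwards breaks the chain.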

These security elements are the most basic and indispensable mechanisms of a security system; without them there is almost no trustworthy security mechanism at all.

Enhancement mechanisms for the basic security elements

Several feasible techniques can be adopted to strengthen the basic security mechanisms, including:

· Hardening the kernel of an ordinary operating system, adding enhanced access control capability and additional controls over ROOT privileges.

· Deploying a firewall on the network. Because a firewall adds a layer of protection outside the operating system, it effectively increases system security where the commercial operating system's own security is insufficient.

· Independent network and host audit systems.

· Using an identity authentication system built on cryptographic technology: an authentication system based on public-key algorithms and PKI.

Extended security mechanisms

These security mechanisms use more targeted technologies to improve security control of the system, which is essential for building highly secure information systems.

1. Security audit

The basic principle is to automatically simulate various access actions from outside the system and to evaluate the system's security state under those actions. Security auditing achieves its purpose of enhanced security by improving the basic security elements of the system; typical products are network scanners.

2. Real-time monitoring

A real-time monitoring system is built on accumulated knowledge of system anomalies and intrusions. It monitors the system in real time, can trigger predefined actions when a hazardous event occurs, and can terminate the hazardous event or report the anomaly. Real-time monitoring is also known as "intrusion detection" because it relies on detailed knowledge of intrusion techniques and their typical behaviour. It enhances the system's access control mechanism (by taking action) and its audit mechanism (by recording hazardous events).
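The intrusion detection behaviour described above, as an added worked example that is not part of the original article: detection logic run over a few constructed login log lines, which counts failed logins per source inside a sliding window, triggers the predefined action "block the source" when a threshold is reached, and reports a successful login that follows a burst of failures (the dictionary-attack pattern mentioned earlier in the article). The log format, hosts, addresses, threshold and window are all constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog-like, not captured from any real system).
SAMPLE_LOG = """\
Mar 12 10:00:01 host1 login[211]: FAILED LOGIN from 10.0.0.7 for user root
Mar 12 10:00:02 host1 login[211]: FAILED LOGIN from 10.0.0.7 for user root
Mar 12 10:00:03 host1 login[211]: FAILED LOGIN from 10.0.0.7 for user root
Mar 12 10:00:04 host1 login[211]: FAILED LOGIN from 10.0.0.7 for user root
Mar 12 10:00:05 host1 login[211]: FAILED LOGIN from 10.0.0.7 for user root
Mar 12 10:00:06 host1 login[211]: FAILED LOGIN from 10.0.0.7 for user root
Mar 12 10:00:10 host1 login[211]: LOGIN OK from 10.0.0.7 for user root
Mar 12 10:01:00 host1 login[212]: FAILED LOGIN from 10.0.0.9 for user alice
Mar 12 10:01:30 host1 login[212]: FAILED LOGIN from 10.0.0.9 for user alice
Mar 12 10:02:00 host1 login[212]: LOGIN OK from 10.0.0.9 for user alice
Mar 12 10:02:05 host1 cron[300]: session opened for user backup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) login\[\d+\]: "
    r"(?P<result>FAILED LOGIN|LOGIN OK) from (?P<src>[\d.]+) for user (?P<user>\S+)$"
)

THRESHOLD = 5                  # failures from one source ...
WINDOW = timedelta(seconds=60)  # ... within this window count as an attack


def parse_line(line: str, year: int = 2002):
    """Parse one login line; return None for lines the monitor does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "host": m["host"], "src": m["src"], "user": m["user"],
            "failed": m["result"] == "FAILED LOGIN"}


def detect(log_text: str) -> list:
    """Sliding-window failed-login detector; returns the alerts raised, in order."""
    recent_failures = defaultdict(deque)   # source -> timestamps inside the window
    blocked = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                          # unrelated or malformed line: skip
        q = recent_failures[ev["src"]]
        while q and ev["time"] - q[0] > WINDOW:
            q.popleft()                       # expire failures older than the window
        if ev["failed"]:
            q.append(ev["time"])
            if len(q) >= THRESHOLD and ev["src"] not in blocked:
                blocked.add(ev["src"])        # predefined action: block the source
                alerts.append({"time": ev["time"], "src": ev["src"], "user": ev["user"],
                               "action": f"block {ev['src']}"})
        elif len(q) >= THRESHOLD:
            # a success right after a burst of failures is what a guessed password looks like
            alerts.append({"time": ev["time"], "src": ev["src"], "user": ev["user"],
                           "action": f"report suspicious success for {ev['user']} from {ev['src']}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["time"].time(), alert["action"])
```

Two failures from 10.0.0.9 stay below the threshold and raise nothing; that is the point of the window and threshold, which keep ordinary typos from being treated as intrusions. In a live system the "block" action would be fed to the firewall or access control layer, which is the coupling between intrusion detection and access control that the article describes.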

3. Anti-virus

Anti-virus systems use the known signatures of viruses to discover them and remove them from the system.

4. Information encryption

This includes encrypted storage inside a trusted system and mechanisms for transmitting controlled information between trusted systems. Information encryption technology is usually combined with tunnelling technology to build VPN systems.

5. System recovery: the security system's last resort

Disaster recovery of data is an indispensable basis for ensuring that a system is secure and reliable. Regularly backing up important data guarantees that the important data remains intact when the system fails.

The technical elements described above are basic ones; not all of them necessarily need to be deployed. Companies should decide according to the composition of their own information, the value of the information system itself, the main sources of threats, and so on.

4. Establish a business continuity plan and implement the security management system

Building the framework of the information security management system is only the first step. When implementing it in practice, many factors must be fully considered, such as the various costs of implementation (training fees, reporting fees, etc.), conflicts with the existing working habits of the organization's employees, and problems of cooperation between different departments or institutions during implementation.

During the construction and implementation of the information security management system, various related documents must be produced, such as: the scope of the information security management system; a summary of the management framework (including the information security policy, and the control objectives and control measures proposed in the statement of applicability); the processes; and the specific operations required by ISMS management (including the responsibilities and related activities of the IT service department, system administrators, network administrators, on-site administrators, IT users and other personnel). Documents may be kept in various forms, but they must be divided by level or type. At the same time, so that future information security certification proceeds smoothly, the documentation must be easily accessible to and understood by third parties (such as certification auditors). The organization must manage documents strictly, and review and revise them regularly as its business and scale change. When a document is no longer suited to the organization's information security policy it must be discarded. Note, however, that even though a document may be outdated for the organization, the organization may need to retain it, after confirmation, for legal or intellectual property reasons.

A comprehensive record must be kept of all events related to information security during implementation of the information security management system. Records of security incidents provide a factual basis for amending the organization's information security policy definitions and security control measures. Security incident records must clearly document the activities of each relevant person at the time. They must be properly stored (in written or electronic form) and be easy to restore when records are damaged or lost.

The BS 7799 information security management system standard only provides principled suggestions; combining those suggestions with the actual situation of each organizational unit and building an information security management system suited to its own conditions is the truly challenging work. When architecting the information system, keep the following guidelines in mind: "Information security technology and information security products are the foundation of information security management; information security management is the key to information security; personnel management is the core of information security management; the information security policy is the guiding principle of information security management; and the information security management system is the most effective means of implementing information security management."

Please credit the original address when reposting: https://www.9cbs.com/read-26167.html
