Informatization development

security system

The X-axis is the "security mechanism". A security mechanism can be understood as a relatively complete structural system formed by providing certain security services and applying various security technologies and techniques. For example, the "platform security" mechanism actually refers to secure operating systems, secure databases, secure platforms for application development and operation, and network security management and monitoring systems.
The Y-axis is the "OSI Network Reference Model". Many technologies and techniques of an information security system are implemented at the various layers of the network, and without this layered view the security of a networked information system cannot be discussed meaningfully.
The Z-axis is the "security services", that is, the security service support the system requires, such as peer entity authentication services, access control services, data confidentiality services, etc.
2. The three-dimensional space formed by the X, Y and Z axes of the information security system is the information system's "secure space". As the network expands layer by layer, this space not only grows in scope but also takes on a richer security connotation. It has five major elements: authentication, authority, integrity, encryption and non-repudiation, which are also called the five attributes of the "secure space".

Security Mechanism

1. The security mechanism includes infrastructure physical security, platform security, data security, communication security, application security, operation security, management security, authorization and audit security, security prevention system, etc.
(1) Infrastructure physical security. Infrastructure physical security mainly includes computer room security, site security, facility security, power system security, disaster prevention and recovery, etc.
(2) Platform security. Platform security mainly includes operating system vulnerability detection and repair, network infrastructure vulnerability detection and repair, general basic application vulnerability detection and repair, network security product deployment, etc.
(3) Data security. Data security mainly includes media and carrier security protection, data access control, data integrity, data availability, data monitoring and auditing, data storage and backup security, etc.
(4) Communication security. Communication security mainly includes security testing and optimization of communication lines and network infrastructure, installing network encryption facilities, setting up communication encryption software, setting up identity authentication mechanisms, setting up and testing secure channels, and testing the operating vulnerabilities of various network protocols, etc.
(5) Application security. Application security mainly includes program security testing (bug analysis) of business software, non-repudiation testing of business transactions, access control verification testing of business resources, identity authentication testing of business entities, inspection of backup and recovery mechanisms at business sites, detection of the uniqueness, consistency and conflict-freedom of business data, confidentiality testing of business data, reliability testing of business systems, usability testing of business systems, etc.
(6) Operational security. Operational security mainly includes emergency response mechanisms and supporting services, network system security monitoring, network security product operation monitoring, regular inspections and evaluations, system upgrades and patch provision, tracking of and notification about the latest security vulnerabilities, disaster recovery mechanisms and prevention, system transformation management, network security professional technical consulting services, etc.
(7) Management security. Management security mainly includes personnel management, training management, application system management, software management, equipment management, document management, data management, operation management, operation management, computer room management, etc.
(8) Authorization and audit security. Authorization security refers to the goal of providing permission management and authorization services to users and applications. It is mainly responsible for providing authorization service management to business application systems, providing the mapping from user identity to application authorization, and realizing an access control mechanism that corresponds to the actual application processing mode while remaining independent of the development and management of any specific application system.
(9) Security prevention system. An organizational security prevention system is established so that the organization has strong emergency incident handling capabilities; its core is comprehensive management of the organization's information security resources, that is, EISRM. Establishing an organizational security prevention system allows the organization to make better use of the following six capabilities: Warn, Protect, Detect, Response, Recover and Counter-attack, that is, the comprehensive WPDRRC information security assurance system.
2. Organizations can combine the WPDRRC capability model to form a macro information network security architecture framework from the three major elements of personnel, technology, and policies (including laws, regulations, systems, and management).

Origin blog.csdn.net/qq_45527691/article/details/133206915