信息安全动态保障体系建设探讨

在信息系统安全保障体系建设过程中,一般会把信息系统安全建设分为三大体系,即技术体系、管理体系以及运维体系。那么在实际操作中,如何进行三大体系的建设?三者之间有什么关系?如何让三大体系进行有机结合,形成一套动态的信息系统安全保障体系?文中首先阐述了通过等级保护的相关技术标准,来建立信息系统安全技术体系架构,并提出了基于等级保护的信息系统安全保障体系架构模型;然后阐述了如何通过等级保护或ISO27001来建立安全管理体系;其次分析了建立安全运维体系所必须具备的三大条件;最后论述了在建立和完善三大体系的同时,如何才能把技术和管理结合起来,如何才能把静态防护与动态监控结合起来,从而构建一套动态的信息系统安全保障体系。

Exploration on Building-up Dynamic Infosec Assurance System

In the building up of infosec assurance system, the security building-up of information system is generally divided into three systems, that is, the technical system, management system and operation and maintenance system. So how to build up the three systems, what is the relations among between the three systems, and how to make an organic integration of the three systems and form a dynamic infosec assurance system in practice, become the in-depth discussions in this paper. This paper first describes the relevant technical standards of classified protection, the establishment of an infosec technical architecture and the model of infosec architecture based on classified protection; then tells of the establishment of safety management system by classified protection or ISO 27001 and the three conditions in building up the secure operation and maintenance system; finally treats of the establishment and improvement of the three systems, including how to integrate technology and management, static protection and dynamic monitoring, and thus to construct a dynamic infosec assurance system.