NAC
Suzhou Metalogic Information Technology Co.,Ltd 2018-11-08 14:15:59 Author:SystemMaster
The international standard ISO/IEC 17799:2005 (Information technology - Security techniques - Code of practice for information security management) defines where information security requirements come from. It names three main sources: legal, statutory, regulatory and contractual requirements; the organization's own principles, objectives and business requirements for information processing; and the risks faced by the information system, as identified by risk assessment. From the perspective of enterprise IT management, the first two sources are hard requirements, legal and business-driven, that IT security construction must satisfy. The third source is the set of risks the information system faces and the security protection and security management measures that address them.
Requirements of laws and regulations for information security
At present, 65 of the laws and regulations in force in China relate directly to information security. Of these, 18 are laws and regulations that directly regulate information security, such as the Regulations of the People's Republic of China on the Security and Protection of Computer Information Systems; the rest are normative and guiding documents, such as the Administrative Measures for the Graded Protection of Information Security. Because information technology developed earlier in Europe, the United States and other developed regions, their corresponding laws, regulations and standards are more complete and stricter. Examples are the Sarbanes-Oxley Act and the ISO/IEC 27001 information security management system standard, which between them cover network and information system security, prevention of computer viruses and harmful programs, and sanctions for information security crimes. The state's legal and regulatory requirements for information security are hard requirements for enterprise information security construction, and this is why laws and regulations are the primary requirement in that construction.
Administrative Measures for the Graded Protection of Information Security
The security protection level of an information system is defined from two aspects: technology and management. The content related to intranet security includes:
Terminal access control
Border integrity inspection
Host identity authentication
Intranet access control
Malicious code prevention and system security management, etc.
Sarbanes-Oxley Act
The Sarbanes-Oxley Act, which imposes financial reporting obligations on companies listed in the United States, sets strict requirements for IT governance, IT internal control and external auditing. The Act covers a very broad range of management content; in particular, Section 404 (Management Assessment of Internal Controls) explicitly requires management to establish and assess internal controls within the company. Domestic and foreign authorities have long defined laws and regulations governing access control for intranet security. From the perspective of building an IT internal control system, and drawing on international internal control frameworks and international best practice, an enterprise can build an IT internal control system that is systematic, standardized, auditable and capable of sustained improvement.