Ask for the opening report "Research on Information Security Status and Countermeasures in China"?
For a long time, people have relied on technology to ensure information security: from early encryption, data backup and anti-virus to the firewalls, intrusion detection and identity authentication of today's networked environment. Vendors spare no effort in researching and developing security technologies and products, and new technologies and products emerge constantly; users likewise put their faith in security products and spend their limited budgets on procuring them. In practice, however, the hope of guaranteeing information security by technology and products alone is often disappointed, and many complex and changing security threats and hidden dangers cannot be eliminated by products. "Thirty percent technology, seventy percent management", a practical principle distilled from other fields, applies equally to information security. According to statistics from the relevant departments, about 52% of all computer security incidents are caused by human factors, 25% by natural disasters such as fires and floods, 10% by technical errors, 10% by insiders within the organization, and only about 3% by external unauthorized persons. Put simply, management causes account for more than 70%, and 95% of these security problems could be avoided through scientific information security management. Management has therefore become an important foundation of information security.

I. The current situation of information security management in China

(1) A national information security organizational guarantee system has been initially established. The State Council Information Office has set up a Network and Information Security Leading Group composed of the Ministry of Information Industry, the Ministry of Public Security, the State Secrecy Bureau, the State Cryptography Administration, the Ministry of State Security and other functional departments, and corresponding management bodies have been set up in the provinces, municipalities and autonomous regions. In July 2003 the third meeting of the State Council Informatization Leading Group discussed and adopted the Opinions on Strengthening Information Security Assurance Work; in September of the same year the General Office of the CPC Central Committee and the General Office of the State Council forwarded the Opinions of the State Informatization Leading Group on Strengthening Information Security Assurance Work (Document No. 27 of 2003). Document No. 27 for the first time raised information security to the level of promoting economic development, maintaining social stability, safeguarding national security and strengthening the construction of spiritual civilization, and put forward the information security management policy of "active defense and comprehensive prevention". In July 2003 the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC) was established. It is responsible for collecting, consolidating, verifying and publishing authoritative emergency response information, providing emergency response services for important national departments, coordinating CERT organizations nationwide in handling large-scale network security incidents, compiling statistics on computer emergency response nationwide, proposing countermeasures based on the current situation, and liaising with CERTs in other countries and regions. At present China has established 31 sub-centers, 10 national and 20 provincial public Internet emergency response pilot units, and the 10 domestic backbone Internet operators have been authorized to set up their own emergency response centers (CERTs). These 10 operators, together with thousands of domestic ISPs, individual users and enterprise users, have become the main contact members of CNCERT/CC, forming a multi-layered, interlocking emergency response system and a top-down notification system for smooth information flow. In May 2001 the China Information Security Product Evaluation and Certification Center (CNITSEC) was established to manage and operate the national information security evaluation and certification system on behalf of the state, acting as the national information security evaluation and certification body in accordance with national laws and regulations on product quality certification and information security management. It is responsible for the evaluation and certification of domestic and foreign information security products and information technology, the security evaluation and certification of domestic information systems and projects, the evaluation and certification of organizations providing information security services, and the qualification evaluation and certification of information security professionals. It currently has five authorized evaluation and certification centers (Shanghai, Northeast China, Southwest China, Central China and North China) and two system security evaluation technology laboratories.

(2) A number of important information security management standards have been formulated and promulgated. To better promote information security management in China, the Ministry of Public Security led the formulation of the PRC national standard GB 17895-1999, Classification Criteria for Security Protection of Computer Information Systems. China also introduced the internationally renowned ISO 17799:2000 (Code of Practice for Information Security Management), BS 7799-2:2002 (Specification for Information Security Management Systems) and ISO/IEC 15408: 198, and an information security management working group operates under the Information Security Standardization Committee. The working group is responsible for putting forward normative requirements and guidance on the administrative, technical and personnel management of information security, including information security management guidelines, implementation specifications for information security management, requirements for personnel training, education and employment, management specifications for socialized information security services, a framework of business specifications for information security insurance, and requirements and guidance for security policy.

(3) A series of necessary laws and regulations on information security management have been formulated. Since the early 1990s, to meet the needs of information security management, the state, relevant departments, industries and local governments have successively issued the Interim Provisions of the PRC on the Administration of International Networking of Computer Information Networks, the Regulations on the Administration of Commercial Cryptography, the Measures for the Administration of Internet Information Services, the Measures for the Administration of Security Protection of International Networking of Computer Information Networks, the Measures for the Administration of Computer Virus Prevention and Control, the Provisions on the Administration of Internet Bulletin Board Services, the Measures for the Administration of Software Products, and the Interim Provisions on the Administration of Interconnection between Telecommunications Networks.

(4) Information security risk assessment has begun to receive attention. Risk assessment is one of the core tasks of information security management. In July 2003 the Information Security Risk Assessment Team of the State Council Information Office began compiling the relevant standards for information security risk assessment. As pioneers, the China railway system and Beijing Mobile Communication Company have completed pilot information security risk assessments, and other key industries and systems in China (such as electric power, telecommunications and banking) will carry out this work in turn.

II. Problems in China's information security management

1. The current state of information security management remains chaotic and lacks an overall strategy at the national level. Actual management is insufficient, and policy implementation and supervision are weak. Some regulations over-emphasize the characteristics of the issuing department while neglecting China's position in the international political and economic environment. Some regulations do not accurately distinguish the relationship between technology, management and the legal system; replacing law with management and administrative management with technology remains common, so the system is poorly operable.

2. An information security management system with Chinese characteristics, one that is dynamic and covers organizations, documents, control measures, operational processes and procedures, and related resources, has not yet been established.

3. China's information security risk assessment standards system needs improvement: it is difficult to determine information security requirements, protection objects and boundaries, and there is neither a systematic, comprehensive risk assessment and evaluation system nor a complete information security assurance system.

4. Information security awareness is lacking, and the tendency to emphasize products over services and technology over management is widespread.

5. Investment in dedicated funds is insufficient, management talent is extremely scarce, basic theoretical research and key technologies are weak, and dependence on foreign countries is heavy. Imported information technology and equipment lack the effective management and technical modification necessary to ensure information security.

6. Technological innovation is insufficient and the level and quality of information security management products are low; in particular, research and development of security management platform products whose main tasks are centralized configuration, centralized management, status reporting and policy interaction remains very backward.

7. There is no authoritative, unified and specialized legislative management institution to organize, plan, manage and coordinate implementation. As a result, China's existing laws and regulations on information security management suffer from low legal status, few true laws and many administrative regulations, an unreasonable structure and fragmentation; unclear law-enforcement subjects, multi-headed management and policy-making, each acting in its own way, conflicting rules, poor operability, difficult implementation and difficulty in following the law; insufficient quantity, imperfect content, overly long formulation cycles and time lags, so that the law often cannot be followed; poor supervision, non-compliance and lax enforcement; the absence of basic information security laws such as an information security law and an e-commerce law; the absence of civil legislation such as laws on network privacy, network reputation rights and network copyright protection; and weak legal awareness among citizens, a weak law-enforcement team and a shortage of talent.

8. China has too few information security management standards, and most follow international standards. In implementing standards there is no necessary national supervision and management mechanism or legal guarantee, so some enterprises or users are unable to implement them, and problems arising during implementation cannot be resolved promptly and properly.

III. Some countermeasures for information security management in China

(1) Leadership system: establish a "National Information Security Committee" as the main liaison and promoter of cooperation among state institutions, local governments and the private sector, responsible for overall coordination of cross-departmental protection work, and establish as soon as possible a national information security assurance system with capabilities for information security protection, hidden-danger detection, network emergency response and information countermeasures.

(2) Replace the past methods of blockade, isolation and passive defense with open, developmental and active defense; pay close attention to user management, behavior management, content control, application management and storage management on the intranet; and adhere to the policy of "multi-layer protection and active protection". Strengthen the research, formulation and implementation of information security strategy. National information security authorities and standards committees should provide standards support for organizations formulating information security strategies, so that organizations can formulate professional information security strategies at very low cost and raise the overall level of information security management in China.

(3) Further improve the national Internet emergency management system, achieve unified national command with division of labor and cooperation, and comprehensively raise the level of planning and handling capacity. While establishing a classified information reporting system similar to the one used for SARS, an "information security force" similar to the "110" and "119" services should be established within the existing public security system, responsible for information network security, security supervision, security emergency response and security deterrence. Formulate emergency plans for key facilities or systems, and regularly update and test them.

(4) Speed up information security legislation and supervision: establish a unified, authoritative and professional organization for information security legislation and management to plan, design, supervise and coordinate the implementation of China's information legal system, accelerate the construction of an information security legal system with Chinese characteristics, and revise promulgated laws and regulations in line with information security requirements. Formulate as soon as possible policies and regulations such as a Basic Law on Information Security, a Youth Internet Protection Law and Government Information Disclosure Regulations. In particular, to support implementation of the Electronic Signature Law and the opinions of the General Office of the State Council on accelerating the development of e-commerce, study laws and regulations on electronic transactions, credit management, security certification, online payment, taxation, market access, privacy protection and information resource management, and propose formulating them as soon as possible; promote legal service and guarantee systems such as online arbitration and online notarization.

(5) Accelerate the formulation and implementation of information security standards: formulate as soon as possible an information security management standards system based on ISO/IEC 17799 and suited to China, in particular establish and improve information security risk assessment standards and management mechanisms, and regularly assess national key infrastructure and important information systems (economy, science and technology, statistics, banking, railways, civil aviation, customs and so on) against national standards.

(6) Adhere to the principle of "internal defense first, both internal and external defense", and increase the popularization of information security and publicity on law-abiding behavior through conferences, websites, radio and television, newspapers and other media, so as to raise the information security awareness of the whole population; in particular, strengthen information security training and education for personnel in organizations and enterprises and raise employees' self-discipline. In key national departments, enterprises and institutions, clearly define responsibilities for information security work; the top party and government leaders should be the persons responsible for information security in their units, and qualified enterprises should add a CSO (Chief Security Officer) position, forming a vertical and horizontal leadership and management system.

(7) The government should formulate preferential policies, set up a special fund for information security management, encourage venture capital, and raise the independent research capability and product development level for key technologies such as integrated information security management platforms, management tools, network forensics and incident recovery.

(8) Pay attention to and strengthen graded protection of information security, and implement compulsory certification for important information security products; users in specific fields must purchase certified information security products.

(9) Strengthen the information security management and law-enforcement workforce, in particular the training of versatile personnel who understand both technology and management.

(10) Strengthen international cooperation, especially exchanges and collaboration in standards, technology, evidence collection and emergency response.

(The author is the head of the national information security-related project at the School of Information Engineering, Guizhou University.)