
How do companies manage data security well?

Lead: How can a company manage data security well? An information security strategy is the most important part of how enterprise management addresses information security problems. Work on the strategy proceeds on two fronts: formulating the enterprise information security strategy, and implementing and executing it. The purpose of making a security policy is to ensure network security and to protect the integrity, planning and standardization of the work.

How to do a good job in data security management

1. Establish and improve the information security system

Establish and improve the systems, processes and standards for managing the information security process, and control the whole process of information system security planning, implementation, operation and supervision. Revise the information security systems and standards on a rolling basis, and continuously consolidate the foundation of the company's standardized information security management.

2. Continue to strengthen the basic management of information security

First, strengthen information security education and training: introduce an information security simulation training platform, and replace the original single on-site training with multiple, periodic trainings over the network, rolling quarterly and semi-annually, so as to continuously strengthen and improve employees' information security awareness and behavior norms. Second, deepen the construction of the existing information security defense system: strengthen the security protection of the information extranet, standardize the management of information extranet terminals, and improve the extranet's ability to withstand DDoS attacks. Popularize and implement the information security access platform and security terminals, the illegal outreach monitoring system, the identity authentication (RA) system, the document protection system and the unified vulnerability patch management system. Third, popularize and implement the comprehensive information security management system, mainly covering compliance control, risk control, management control and so on. Fourth, promote secure access for smart grid information systems, and study secure access for the power collection system, transmission line monitoring system, warehouse management system and vehicle management system of Chongqing Company, according to the requirements of State Grid Corporation's overall plan for unified and strong smart grid information security.

3. Effectively improve the operation level of information system

First, strengthen the operation management of information systems in line with the requirements of power grid safety production and operation management, and establish an advanced information dispatching and operation system. Bring all information systems under the company's unified information operation team, strictly observe the discipline of safe operation, and strictly control operation and maintenance, planned maintenance, and fault notification and handling. Second, standardize operation and maintenance. Formulate Standard Operating Instructions for information system operation, implement standardized operating procedures (SOP), and strictly manage the three stages before, during and after each operation. Strictly enforce the work ticket system, and strictly examine and approve operations such as fault handling, upgrades and configuration changes, commissioning and shutdown. Through the security audit system, all operations are recorded throughout, so that the main links of an operation are controlled end to end, from approval and execution to inspection and audit. Operators must hold certificates, and important operations must be carried out with two people present and under supervision. Strengthen the scientific management of on-site operation work, standardize operating standards and improve the quality of system operation and maintenance. Third, strengthen the work of the three synchronizations. Ensure that information security measures are planned, implemented and put into operation synchronously with SG-ERP business construction, so that whole-life-cycle security management runs through the five stages of information system planning, design, implementation, operation and maintenance, and abandonment, and clearly define the responsibilities of all departments involved. Establish an information system security review system, build an application system project management platform, and apply security controls to information systems in terms of both security management and security technology.

4. Deepen information security supervision

First, gradually improve the hardware facilities of the information security supervision team by upgrading the equipment and tools of the technical supervision team and building an information security laboratory, so as to improve the accuracy and precision of technical inspection. Second, pursue the goal of full participation, full qualification and full security: train information security inspectors to work with certificates, in the form of training and technical exchange between SERC and State Grid Corporation of China, so as to improve inspectors' professional skills, promote the standardization of information security supervision, and build a first-class information security technical supervision team. Third, establish a system of supervision and listing, and strengthen the mechanism for rectifying problems found by supervision. Deepen daily and special inspections and carry out advanced inspections on information security. Strengthen supervision notification, establish a company supervision benchmark, and popularize typical supervision experience. Integrate and expand the functions of inspection tools, build a safety inspection platform, and use the analysis of safety inspection experts to make inspection work more efficient and more standardized.

5. Vigorously cultivate information system operation and maintenance talents

Promote certified working for the operation and maintenance team, broaden the vision of operation and maintenance personnel, and adapt to the potential requirements of the rapid development of information technology. Improve their ability to monitor, respond to and actively discover threats, to master new products and technologies, and to find and deal with new risks in time, and establish a high-quality information operation and maintenance talent team to ensure the safe, stable and reliable operation of the company's information system.

How do companies do a good job in data security management

First, analyze objectively, face up to the problems and make up for the deficiencies

The hidden dangers behind production safety accidents show up mainly as dangerous physical conditions that may lead to accidents in production and business activities, unsafe behavior by people, and management defects. As we all know, the practical problems enterprises currently face are: the enterprise's primary responsibility is not carried out, employees' safety awareness is not high, professionals are lacking, the workforce is of uneven quality and highly mobile, the foundation of construction projects is weak, and safety investment is seriously insufficient. Enterprises should measure themselves strictly against the requirements of safety production standardization, seek truth from facts, correct their mistakes, and strive to improve safety production conditions and raise the enterprise's level of safe production.

Second, strengthen training, not stick to form, and emphasize practical results

As the saying goes: "Inadequate safety training is the biggest safety hazard." The revised "New Security Law" once again emphasizes that enterprises must carry out special safety education and training for employees. In "Safe Production Month", many places also incorporate the importance of education and training into publicity activities. But in actual work, many enterprises treat "education and training" as a mere formality and just go through the motions, so it is difficult to achieve the goal of education and training. It is suggested that enterprises fully understand the importance of training, not stick to the form, and regularly organize varied, rich and meaningful training, such as playing footage of accident scenes with multimedia and analyzing cases; leading employees out to visit and study; and inviting experts in for "consultation" on hidden dangers, and self-presentation.

Third, increase investment in safety, and supervision promotes effectiveness

As a safety worker, in daily inspections it is often found that many enterprises have hardly issued labor protection articles to their employees in accordance with the relevant national standards and industry norms. Some, in order to cope with inspections, temporarily buy unmarked products from the market, and some have no protective articles at all. Problems also remain in enterprises' financial expenditure, such as unclear security expenditure, an insufficient quota, or no such item at all. Safety funds are the guarantee that lets an enterprise produce safely and create greater economic benefits; they must be taken seriously and must not be ignored. Trade unions in enterprises should strengthen supervision to ensure that the funds are actually provided and are effective.

Fourth, strict rewards and punishments to enhance the sense of responsibility of employees

Improve the construction of the safety production system and establish a reward and punishment mechanism, with the aim of rewarding diligence and punishing poor performance. Those who put forward important suggestions that eliminate hidden dangers of accidents and avoid major accidents should be rewarded. In particular, full-time and part-time safety officers who are conscientious, hard-working and correctly perform their safety production supervision and management responsibilities on the construction site should be given the necessary incentives and rewards, to make them more practical and motivated in their safety management positions.

How to do a good job in data security management

1) Establish a normalization mechanism for information security supervision

On the basis of in-depth information security work, the first enterprise information security supervision team in Chongqing was established to normalize, fix and streamline the information security supervision work. The Management Measures for Information Security Supervision of Chongqing Electric Power Company was formulated. According to this management method, the company has successively carried out a number of tasks, such as the special supervision of the Spring Festival and the two sessions, the information security supervision of power supply companies, and the information security supervision for the World Expo. From May 21st to 22nd, we passed the special inspection of Chongqing Company's information security by the State Grid Corporation's inspection team and got a good evaluation.

2) Carry out special action against information security violations

In order to achieve three basic security goals, eradicate the persistent problem of violations, eliminate hidden dangers of accidents, and comprehensively improve the controllability and control level of information systems, the company compiled the Plan of Chongqing Electric Power Company to carry out special activities against information security violations and distributed it to all units of the company. Through these special activities, all staff were organized to learn the Baseline Measures for Information Security Anti-accident, and information security publicity and education were carried out. Emphasis was placed on the supervision of information security, the implementation of the hidden dangers elimination mechanism, etc., and the weak password found in the company's mail system and application system was rectified in time.

3. Strengthen emergency drills and special security

1) Organize emergency drills

For the first time, the company successfully held a joint emergency drill for the information wide area network involving ICT, Jiangbei Power Supply Bureau, Yangjiaping Power Supply Bureau and EHV Bureau. It changed the earlier situation in which each unit worked on its own when troubleshooting the WAN, replacing it with advanced remote unified command and cooperation. The exercise provides a new mode for remote unified command and collaborative handling of sudden information system failures in the future.

2) Ensuring information security during the peak summer and the World Expo

In order to ensure network and information security during the peak summer and the World Expo, the company carried out work in the following three aspects. First, it improved the emergency handling mechanism of the information system. Second, it carried out security area division, partition protection, secure terminal access and related work, strengthened the comprehensive protection of business application systems and core equipment, and increased security inspection and malicious attack prevention for Internet egress and externally facing service systems. Third, it strengthened the operation and maintenance duty system, especially duty management in important and special periods.

4. Echelon construction of information security talents

1) Holding the first informatization skill competition of the company

The first informatization skill competition was organized throughout the company. 4 units directly under the company and holding power supply company participated in the competition. Holding this competition is of great significance for building a team of highly skilled informatization talent and an excellent information operation and maintenance team, and for further raising the level of information construction across the whole company.

2) Carry out information security training for new college students

Insist on information security education from the source and constantly innovate information security education and training. Every year, new college students are trained in information security knowledge, so that every college student can deeply understand the importance of information security before they formally take up their jobs, sound the security alarm, firmly establish the awareness of information security, and strictly abide by the relevant rules and regulations on information security and confidentiality in their future work.

(II) Breakthrough and innovation in work: Construction of information security standardization system

The company's information security standardization management system was established with reference to ISO271 standard. 64 information security rules and regulations in 11 aspects have been sorted out, 24 systems have been newly compiled and 2 systems have been revised, ensuring the advancement and integrity of the company's information security management system.