How to ensure the security of OA office system

In view of the security requirements of enterprises for OA system 6, Pan-micro OA system has the following measures to solve the system security:

1, access level security

Authentication system: CA authentication system can support a variety of strong security authentication methods, such as certificate authentication, to solve the security risks in weak password.

Login security system: dual-tone subsystem support (Ukey support, dynamic password support, SMS support) and hardware docking support (fingerprint, facial recognition and other hardware support).

Password requirement system: you can customize the level of password security requirements (password complexity requirements, password change cycle requirements, mandatory password change requirements, and password lock requirements); Login policy requirements (equipment repeated login management, disconnected repeated login management, time control login management)

2. Transmission level security

DMZ area: DMZ area+port mapping-the mobile application server is placed in DMZ area, and the PC application server is placed in the server area, which communicates with the outside world through port mapping.

Advantages: relatively safe, only one port is opened; Multiple firewall protection; Convenient policy setting; The bandwidth occupation is relatively small;

Disadvantages: there is still a port to the outside world; Still have to bear the risks of scanning and DDOS; General data transmission is not encrypted;

It is suggested to turn on Https on the middleware side to enhance transmission security;

VPN area: Build a unified intranet environment through VPN devices.

Advantages: high security, forming a unified intranet environment through VPN dial-in; Data is encrypted by Https to ensure transmission security;

Disadvantages: one-step VPN dialing operation is required; Additional VPN overhead is required; Additional bandwidth overhead is required.

Generation of SSL middleware: Through the setting of resin, SSL encryption of external lines can be realized without increasing VPN hardware.

3. Data level security

Structured data: sub-database, encryption and audit.

Unstructured data: encryption, segmentation and presentation layer control.

File segmented encryption storage mode-all data are guaranteed by segmented encryption technology: the file server will not be poisoned by file poisoning; All data of the file server cannot be read directly from the background; All data must be displayed through the application server.

Of course, it also supports the unencrypted method, which is convenient for customers who have independent access requirements for files.

4. Hardware level security

Three-tier deployment structure: the most common centralized deployment mode of OA system, we suggest using DMZ+ server area+data area.

Three-tier structure to ensure data security;

Firewall system: border protection and regional protection are carried out among various areas through hardware or software firewalls to ensure the prevention and control of DDOS attacks and intrusions.

5, the implementation of operation and maintenance level safety

Safety ethics at the executive level and data and authority protection at the operational level: stable team, professional ethics, detailed record and confirmation of work, and virtual data realization of sensitive data.

Response and recording requirements at the operation and maintenance level: a unified problem submission window is formed through the change evaluation process to reduce the authority error and lack of control caused by direct correction; Reduce the management conflicts between departments caused by direct correction; Clear change costs (IT costs and operating costs); There are rules to follow and traces to check.

6. Disaster recovery level security

Data saving:

① Data backup content

A. Program files: You don't need to back up automatically and regularly, just manually back up the folder where the program is installed on the server to other servers or computers after installation or upgrade;

B. Data file: generally, it can be backed up by the planned execution command of the server;

C. Database content: you can directly use the regular backup function of the database for backup;

② backup cycle frequency

A. data backup retention period

B. Backup frequency: data files-daily incremental backup and weekly full backup; Database-daily full backup;

C. Backup schedule: short-term data retention period is 14 days; Medium-and long-term retention period of data-a full backup is made in the last week of each month for medium-and long-term retention;

D. Requirements for the duration of backup: the annual complete backup shall be kept permanently; Keep the monthly full backup of the latest 12 months; Keep the comprehensive backup of the latest 1 month; Keep the daily incremental backup of the latest 1 month;

E. For the operation state that does not need hot standby, it is also necessary to back up the daily data and program cycle of e-cology, so that the system or server can quickly return to normal state in case of abnormality.

Rapid recovery of the system: the damaged data of program files, data files and database contents can be recovered quickly.

Terminal with data permission: If the terminal is accidentally lost, the system administrator can directly cancel the number and bind a new device.