Security Remediation Recommendations for the Information Systems of XX Organization

September 2017

Contents

1. Remediation Project Overview
  1.1 Remediation Project Background
  1.2 Basis for Remediation
  1.3 Purpose of the Remediation Plan Design
  1.4 Design Principles of the Remediation Plan
2. Overall Design of the System Remediation
  2.1 Overall Design Objectives of the Remediation Plan
  2.2 Overview of the Security Assurance Framework
3. System Remediation Analysis (Remediation of Non-Conforming Items)
  3.1 Physical Security
  3.2 Network Security
    3.2.1 Boundary Integrity Checking
    3.2.2 Access Control
    3.2.3 Intrusion Prevention
    3.2.4 Security Audit
    3.2.5 Network Device Protection
  3.3 Host Security
    3.3.1 Identity Authentication
    3.3.2 Access Control
    3.3.3 Malicious Code Prevention
    3.3.4 Intrusion Prevention
    3.3.5 Resource Control
  3.4 Application Security
    3.4.1 Identity Authentication
    3.4.2 Access Control
    3.4.3 Security Audit
    3.4.4 Communication Integrity
    3.4.5 Communication Confidentiality
    3.4.6 Resource Control
  3.5 Data Security and Backup/Recovery
    3.5.1 Data Integrity
    3.5.2 Data Confidentiality
    3.5.3 Backup and Recovery
  3.6 Security Management Organization
    3.6.1 Post Establishment
    3.6.2 Staffing
  3.7 System Construction Management
    3.7.1 In-House Software Development
    3.7.2 Outsourced Software Development
    3.7.3 Testing and Acceptance
  3.8 System Operations and Maintenance Management
    3.8.1 Asset Management
    3.8.2 Network Security Management
    3.8.3 System Security Management
    3.8.4 Backup and Recovery Management
    3.8.5 Emergency Response Plan Management
4. Security Hardening Recommendations
  4.1 Network and Security Devices
  4.2 Database Security
5. Recommendations on Security Inspection Services and Management Policy Improvement
  5.1 Regular Security Inspection Services
  5.2 Security Management Policies
6. Security Product Recommendations
  6.1 Log Audit System
  6.2 Operations and Maintenance Audit
  6.3 Database Audit System
  6.4 Risk Assessment System
7. Configuration List and Budget

1. Remediation Project Overview

1.1 Remediation Project Background

XXXXXX

1.2 Basis for Remediation

1.3 Purpose of the Remediation Plan Design

The purpose of this remediation plan is to design a sound, comprehensive and compliant set of remediation measures. The design builds on the system's classification and the results of the level gap assessment, follows the relevant construction specifications and technical requirements of the state and Guangdong Province for the classified protection of information system security, and takes into account the actual condition and specific needs of the assessed information systems of XX Organization. It is intended to ensure that, once compliance remediation has been carried out according to the plan, the assessed information systems of XX Organization can pass the assessment and filing conducted by the local public security network supervision authority and meet the Level 2 requirements of information system classified protection.