Research On Information Security Risk Management Based On Testing And Evaluation For Classified Protection Of Information System

Posted on: 2021-02-03
Degree: Master
Type: Thesis
Country: China
Candidate: C Ye
Full Text: PDF
GTID: 2518306302475304
Subject: Business Administration

Abstract/Summary:
Information security runs through the business and information management processes and is of great significance to the stable operation, risk control and business development of insurance companies. Because of the specific characteristics of the insurance industry, its information security management differs greatly from that of other industries and enterprises. Managers should formulate corresponding operating systems suited to the insurance industry and the actual situation of the enterprise. Although excellent security standards such as ISO27001 already exist, practical security construction methods that depart from the insurance industry's context will inevitably encounter unacceptable conditions. Even the construction experience of banks and securities firms in the financial industry may not be fully applicable. In short, improving the computer network security maintenance system as soon as possible in line with the information security features of insurance companies, and formulating measures to counter potential hidden dangers, are urgent tasks in current information security work.

The information security system of an insurance company addresses many risks in the information management process, including the opening up of the information exchange data platform, the defects of the computer system itself, the mismatch of software and hardware coordination, and intensified hacking attacks. Its structure is necessarily prioritized and complicated. Improving information security is a continuous, iterative process with broad content, a long cycle and considerable investment, and its effect is not obvious. The question is how to find a suitable method that ensures the effectiveness of information security within a limited scope, enables insurance company management to fully understand the importance and necessity of information security, and at the same time finds information security vulnerabilities and improves them in order of priority.

This paper conducts research on the Testing and Evaluation for Classified Protection of insurance company information system security (referred to as the Testing and Evaluation for Classified Protection), taking a Sino-US joint venture life insurance company in the Chinese insurance market (referred to as PFL insurance company) as a case. Based on the evaluation items, the information security system is evaluated in areas such as physical security, network security, host system security, application security, data security, security management system, security management organization, personnel security management, system construction management, and system operation and maintenance management. Taking the evaluation results of the core business system as an example, the study investigates and identifies problems and gives suggestions for improvement in light of the company's actual situation. Based on the existing information security system of PFL insurance company and the actual development of the company's business, it analyzes the evaluation items, identifies and prioritizes the problems, and then analyzes the identified problems one by one to explore optimization points and give suggestions for improvement, not only to help PFL achieve its business strategy but also to provide a reference for small and medium-sized insurance companies in the industry building information security systems based on the assessment.

This study is a case study that combines literature research with data analysis. The purpose of the literature research is to sort out the progress and overall problems of information security construction related to the insurance industry, which is the starting point and basic part of this research; the data analysis includes analysis of the problems found in the company's assessment and evaluation, the investigation records, classification and summary, etc.

The main conclusions and research recommendations of this study are summarized as follows:

1) As a national standard for classification and protection of information security systems, level protection is of great significance for improving information security regulations and standards systems, improving the overall level of security construction, and enhancing the integrity, pertinence and timeliness of information system security protection. In combination with the actual security needs of the insurance industry, in accordance with the classification of information security assurance capabilities, effective supervision, inspection and evaluation, service and protection, and reasonable input.

2) Testing and Evaluation for Classified Protection covers insurance companies in terms of physical security, network security, host system security, application security, data security, security management system, security management organization, personnel security management, system construction management, and system operation and maintenance management, as well as the system and related equipment room, network equipment, security equipment, servers, database management systems, important terminals, business application software, security-related personnel and management documents, etc. All aspects of information security risk management are consistent with the international security standard ISO27001.

3) With the rapid development of the company's business and the rapid increase in premium income, investment in information security risk management needs to be gradually increased to improve the company's information security capabilities. As one of the national standards, the necessity and importance of the grade protection assessment are easier for the company's management to understand and accept, which makes it easier to obtain budget support.
Keywords/Search Tags: Testing and evaluation for classified protection, information security, risk management