Experts and scholars gather online to offer support for the information construction and network security of Wuhan colleges and universities

Author: Changjiang Daily Time: 2022.09.29

With the rapid development of new-generation information technologies such as artificial intelligence, big data, and the Internet of Things, Education Informatization 2.0 and smart campus construction have advanced rapidly. Wuhan universities are rich in resources. They are "double cities" with more than one million college students and more than 100,000 graduate students. The informatization of colleges and universities is also in full swing.

However, in the process of informatization construction, universities still face problems such as numerous information systems, massive and sensitive data, weak security capabilities, and complex management. In addition, network security threats such as mining Trojans, ransomware, and phishing emails emerge endlessly, bringing great challenges to informatization construction and network security.

On the afternoon of September 27, the Yangtze River Daily, Wuhan Cyber Security Association and Tencent Security "Digital Future · Security Escort" Wuhan University Information Construction and Network Security Symposium was held online. People and network security experts and scholars gathered together to discuss how colleges and universities can build cyber security barriers.

Students swipe their ID cards through the gate.

Cyber security is the foundation and bottom plate of university informatization

Open WeChat on a mobile phone to complete the registration procedures, choose a dormitory bed and the size of military training clothing, handle daily living supplies entirely online, and scan your face to enter and leave the campus ... A relaxed "back-to-school season" is now under way at many universities in Wuhan.

These convenient mobile-phone-based services are the result of the "13th Five-Year Plan" informatization construction of colleges and universities. In recent years, Wuhan University has continuously increased the construction of campus informatization in accordance with its own positioning and development needs, and continuously strengthened investment in network security guarantees. Based on their own characteristics and priorities, the various universities have targeted the difficulties and pain points that teachers and students meet in daily informatization services, each forming a distinctive information construction and service system for its own school.

With the continuous advancement of informatization, network attacks and threats such as mining Trojans and ransomware have also increased, and the education industry has become a focus of online attacks. According to Check Point statistics on the average number of attacks suffered each week by each institution and enterprise in the second quarters of 2021 and 2022, the education industry ranked first.

Yu Shaohua, an associate researcher at the Internet Security Center of the Third Research Institute of the Ministry of Public Security, said that school applications store a large amount of personal information and data of teachers and students, and hackers steal these data to sell for profit; the school's data center has a large amount of computing and storage resources, and an attacker can obtain these resources by attacking servers to carry out "mining" activity and profit through virtual currency; at the same time, the school also has a large amount of scientific research data and examination data. Hackers will try to attack and invade college information systems.

"The increasing requirements of the campus information security on campus and the increasingly convenient contradiction between the experience requirements of teachers and students. Challenge." Wu Libing, a professor at the School of Cyber Security at Wuhan University, believes that the number of network attacks suffered by the campus network is huge. 0day vulnerabilities and APT threats increase the difficulty of security protection. Cyber security is the foundation and bottom plate of informatization.

Liu Yueheng, Secretary-General of the Wuhan Network Security Association, also said in his speech that network security is not purely a technical problem, but a comprehensive subject.

Students scan their faces to enter and leave campus.

"Safety construction" and "literacy training" need equal emphasis

In recent years, China has also successively introduced laws and regulations such as the "Network Security Law", "Data Security Law", "Personal Information Protection Law", and Network Security Level Protection 2.0, comprehensively building the rule of law for cyberspace security. Yu Shaohua mentioned that the Ministry of Education has in fact issued a series of regulations since 2009, attaching great importance to the network security of the education industry. "In 2020, the Ministry of Education mentioned a core goal in the 'Notice of Education Informatization and Network Security Work': to continuously improve the education network security support system, comprehensively improve the ability and quality of network security talents, and continuously improve the network security protection level of the education system."

However, there are still many pain points in the informatization and security construction of colleges and universities, such as many systems, few personnel, and management difficulties, and at the same time they face an endless stream of vulnerability risks. Both daily security operation and maintenance and the response to emergencies bring great pressure and challenges to the informatization and security construction of universities.

Zhang Feifan, a senior architect at Tencent Security, made some suggestions for the construction of network security in colleges and universities. At the level of security compliance, the school needs to check whether its systems meet the protection level required by Level Protection 2.0, and whether the technical measures and management systems are in place. At the level of active defense, network security risk = vulnerability × threats, so schools need to build measures to actively identify risks and vulnerabilities, and to periodically assess, test and reinforce important assets. At the level of timely confrontation, the school can build a set of mechanisms covering personnel, platforms, tools, and processes to quickly discover problems and to optimize and adjust its protection measures in time.

For universities with weak security construction, the first thing to do is to fill the gaps so that security capabilities reach the basic passing line, and then make improvements on that basis. Tencent's self-developed zero-trust security management system (Tencent IOA) has escorted remote office work on 1 million endpoints, and can help colleges and universities solve the security problem in remote access. At the same time, a series of issues such as passwords, mining Trojans and ransomware. In addition, in terms of protecting important data in the data center, Tencent Security can help customers sort out security risks and hidden dangers in aspects such as the circulation, collection, transmission, storage, and sharing of important data. Life cycle security solution. He Jingjing, an associate researcher at the Institute of International Law of the Chinese Academy of Social Sciences, also mentioned that universities need to establish a data compliance management system for the full life cycle.

In fact, in network security scenarios, personnel are the most vulnerable element. Yu Shaohua said, "Cyber security literacy requires normalized literacy education." Universities need to carry out network security education and training, network security science popularization and publicity activities, and network security offensive and defensive exercises. Through highly simulated and immersive real scenes, teachers and students can come to recognize how confusing and concealed "phishing emails" are, thereby increasing their vigilance.

On the whole, to ensure that network security literacy education in colleges and universities becomes normalized and systematic, it is necessary to start from top-level design: improve the institutional mechanism, strengthen departmental coordination, guarantee funding, and do a good job of supervision and assessment.

Interview

He Jingjing, an associate researcher at the Institute of International Law of the Chinese Academy of Social Sciences:

Safety does not mean "compliance", and data compliance management must be done well

"Data security does not represent data compliance. This is actually a matter of two dimensions," said He Jingjing, an associate researcher at the Institute of International Law of the Chinese Academy of Social Sciences, at the Wuhan University Informatization Construction and Network Security Seminar held on September 27.

In her opinion, data security construction is to ensure that the network is not attacked and data is not leaked, and data compliance needs to meet the requirements of laws and regulations. On the whole, data compliance governance requires "compliance" and "security".

The data compliance of colleges and universities is particularly worthy of attention. He Jingjing pointed out that the data of colleges and universities is not only large in volume but also highly sensitive. First of all, colleges and universities hold a large amount of personal information of students and faculty members, including ID cards, home addresses, etc. These data are very well summarized. In addition, universities also hold a large amount of experimental data and valuable scientific research results, involving important papers, research projects, and so on.

"Therefore, colleges and universities need to have a 'full process' concept on the issue of data compliance. From data collection, storage, and use to the exchanges and destruction later, each stage must meet the requirements of data compliance. Data compliance management of the full life cycle," He Jingjing said.

From the perspective of personal information protection, during the data collection stage, colleges and universities should publicize the rules of personal information collection, such as informed consent forms and privacy policy texts; the collection rules should clarify the rights of teachers and students and regulate the legality, necessity and authorization mechanism of personal information collection; colleges and universities should follow the principles of collecting and notifications. Personal information of teachers and students may be collected only after they have consented, and the personal information actually collected should be consistent with the collection rules; Individuals agreed alone and used within the necessary range.

During the data transmission and storage stage, the period for which universities store the personal information of teachers and students should be the shortest time needed for the purpose of use that teachers and students authorized, and the information should be deleted or anonymized once the storage period is exceeded; colleges and universities should formulate a data grading system and the scope of sensitive data; the method of storing data should emphasize security and confidentiality, and data in transmission and in storage must be encrypted and de-identified; the construction of a digital campus should include backups to avoid losses caused by data loss.

During the data use and access phase, the use of data should not exceed the purpose for which the personal information of teachers and students was collected; colleges and universities should take de-identification measures when displaying personal information through large screens or small screen interfaces. Scientific and technological ethics requirements; colleges and universities should follow a minimum-authorization access strategy when granting data access, with internal approval for important data access operations. Experience data access should be approved and recorded. Data access restrictions should be applied to employees and external personnel.

During the stage of data exchange and destruction, when colleges and universities provide data to third parties, they need to obtain the individual consent of the teachers and students. Data sharing, transfer, and disclosure to third parties should make necessary dedication and restraints to third parties; universities should be connected to third-party systems when they connect to third-party systems. For security management; for data destruction, colleges and universities should establish a functional department responsible for data destruction, and take measures such as local or network data destruction, or physical or chemical destruction, according to the specific circumstances.

In response to the current state of data security in universities, He Jingjing suggested starting from the following three aspects to increase the emphasis on data compliance: First, establish and improve the data compliance supervision system of colleges and universities. The education system should formulate various data compliance standards, conduct hierarchical protection evaluation and risk assessment, continue to carry out data compliance inspection and guidance work, and build a data compliance and regulatory management system; Operation system. By mapping the distribution of universities' data assets on the Internet, build an all-round data security situational awareness system, build a round-the-clock fortress of defense against threats and attacks, and set up a data security emergency center, so as to comprehensively improve the data security protection capabilities of universities; finally, establish a full life cycle college data compliance management system. Across the process of collecting, storing, using, accessing, exchanging, and destroying data, college data is managed, and the operating specifications, classification and grading management of the key links in the process, division of responsibilities, emergency safety inspection mechanisms, and accountability are carried out. In terms of orientation, focus on the protection of the personal information of teachers and students.

Talking about her impression of the informatization construction of Wuhan universities, He Jingjing said that Wuhan has many well-known universities, which cultivate and supply a large number of professional talents for society, and that the overall informatization construction is very good.

"From the perspective of data security and personal information protection, Wuhan is also particularly important, universities have very high density, and the number of personal information and scientific research data is huge. Pay more attention to data security and data compliance," He Jingjing said. "Wuhan University can also strengthen the application of compliance technology and make full use of some technical means to explore new methods of compliance landing."

Round table forum

Wuhan college experts talk about campus network security construction together

At the information construction and cyber security seminar held on September 27, the persons in charge of informatization at various universities and researchers held in-depth discussions on the topic of college network security, talking about solutions for the current network security of colleges and universities.

Topic 1: Suggestions for the development of campus informatization

Wu Libing, a professor at the School of Network Security, Wuhan University:

Cyber security is related to national security and should attract great attention from teachers and students. On the one hand, colleges and universities must ensure that core data is not lost, tampered with, or stolen. On the other hand, it is necessary to prevent attacks and threats from ransomware, mining Trojan horses, etc. It is necessary to build a platform for the situation of campus network security and build a network security defense line.

It is recommended that colleges and universities improve data security protection capabilities in multiple ways. Regularly organize internal offensive and defensive drills, find vulnerabilities and security threats, and prevent attackers from using system vulnerabilities to obtain permissions and enter the school's information systems. Key data is stored encrypted on the server, and authorized users can directly perform queries, calculations and other operations on the ciphertext data, solving the problem of using data with confidence and safety.

Use a bastion host to perform operation and maintenance management, filter out illegal access to target equipment, and audit and monitor internal personnel's misoperation and privilege-overstepping behavior so that responsibility can be traced after an incident; clean up old systems in time to prevent database dumping and the resulting data leakage.

Further promote the Anco project, replacing foreign information technology products with independently controllable, safe and reliable key software and hardware products to prevent backdoors and hardware Trojans.

Ye Zhiwei, Dean of the School of Computer, Hubei University of Technology:

At present, all universities are promoting the construction of smart campuses. While bringing service convenience to teachers and students, this also brings certain data security risks. Therefore, universities need to strengthen data security construction. Improve the protection mechanism for school data security and privacy, and consider formulating the school's own data security management measures during the construction of smart campuses. In order to play a game of chess, various departments cooperate with different users to establish rules and regulations such as data grading and classification management measures and data open sharing standards, and form a unified and complete data security and privacy protection chain for the school.

Most local colleges and universities' smart campus construction is at the stage of moving from good to excellent, and more resources need to be invested to improve data security protection capabilities based on new technologies. The application of new technologies such as cloud computing, big data, artificial intelligence, and 5G has brought challenges to traditional data security, and measures such as data encryption, data desensitization, data backup and fine-grained access control should be adopted to strengthen data security and privacy protection capabilities.

Give full play to the cultivation of college talents and Wuhan's advantages as a national network security talents and innovation base, do a good job in cyberspace security, information security, cryptography and other related majors, do a good job in the training of network security talents, jointly settle in national network security talents and innovation bases, the head enterprises have jointly cultivated a large number of high-quality network security talents to serve the strategy of serving the network.

Hu Yingjiu, Dean of the School of Electronics and Information Engineering, Wuhan Vocational College of Transportation:

The hidden dangers of college data security are mainly reflected in: weak network security awareness and loopholes in network systems; large data assets, many second-level departments, many data usage methods, and a large number of users and systems in contact with data, so that it is difficult to ensure status legitimacy and eliminate data from data use the right to use; the data standards of business systems are not uniform, and there are generally historical problems such as missing data, data redundancy, multi-source heterogeneity, and blurred borders, which hinder the efficient landing of data security governance; universities' information departments lack data security professionals, and inadequate data security protection can easily cause personal information leakage.

Universities need to strengthen data security construction, let data use be legal and compliant, and strictly follow the corresponding laws and regulations. These laws and regulations are not only a constraint; they are actually an idea for our data security and information security guarantee; Education and training, cultivate data security thinking and usage capabilities, and strengthen special data security training for teachers, students, managers and other key groups; we must also establish a sound and complete network data security management system to build data security protection walls. Take safety technical measures to establish reasonable operating procedures, and the dual way of "authority layered + technical control" can be used to establish a data operation process.

Topic 2: Network Security Maintenance Practice Application

Tu Wei, deputy director of the Network Information Center of Wuhan University of Science and Technology:

In the informatization work of provincial universities, it is necessary on the one hand to support functional departments and, on the other hand, to help analyze the actual costs and possible benefits from a technical perspective, and to reduce waste through multiple ways such as demand analysis, advance testing, and batch investment. Informatization work should pay more attention to the design of the system.

Many information projects in colleges and universities have socialized solutions as alternatives, such as online questionnaires or voting, online teaching or examinations, school bus positioning, cafeteria consumption, network disk and mailbox, etc. Cooperate with superior manufacturers in these segments and sign stable cooperation agreements. In the new round of smart campus construction, accurately locate, exert advantages, reduce costs, practice internal skills, and adopt the mentality of a "long-lasting war" with confidence in winning.

In terms of network security, the school's talents are more important than funds, and it must have its own core team; because convenience and security are often contradictory, teachers' and students' awareness of safety needs to be cultivated; forced network security work, clarify the responsibilities of all parties, and discover, notify and rectify through testing and inspection to form a closed loop and continue to improve.

Huang Shiyong, deputy director of the network information center of Wuhan University of Technology:

For the understanding of the network security issues of colleges and universities, one is to continuously improve the position. There are also management problems, technical and information asymmetry increases the difficulty of work.

It is necessary to improve the guarantee system. The functional departments and technical support departments of network security must collaborate closely, and the internal matters within the school should be coordinated in accordance with the overall security work pattern; industry organizations, professional socialized forces maintain close contact, timely obtain relevant information, scientifically judge, and take the initiative to deal with; functional departments and technical support departments must contact the unit to act as actual situation, distinguish the priority, and adopt the work method of combining points, lines, and faces. Reduction, control increase, maintain concentration, and work for a long time; we must carry out training through various channels, enhance the awareness of network security, improve the literacy of network security, and continuously improve the level of network security work in universities.

Xiao Lei, director of the Information Center of Wuhan College:

At present, the information construction of various schools has been significantly improved. Tedious procedures such as a card recharge, financial reimbursement, and scientific research materials are solved with informatization. Instead of investing in teaching and learning.

The college launched the "Information Service Network Patternization Management": the information network staff of the information center went to the college to get close to the service object, actively understand the service needs, coordinate service resources in time, collect the problems and suggestions of teachers, and give timely feedback on the progress of various tasks, to provide higher-level information services.

At the same time, network security-related training content is introduced, and the school's offensive and defensive drills allow teachers and students to experience the security issues around them more deeply. They also organize students who are interested in network security through the school-level security competition, and then form a network security force. Improve students' information literacy and exercise students' technical ability.

(Yangtze Daily Learner Li Yizhen)

【Edit: Wang Rongfei】
