In the early stage of informatization in government departments, a lack of construction experience led to a tendency to emphasize construction and application while neglecting security, leaving the information systems of some government departments without the necessary security protection measures. At the same time, problems such as an imperfect network security system, inadequate implementation and weak network security awareness have emerged one after another. With the rapid development of e-government "one stop", "two networks", "four libraries" and "ten gold" and the rising level of informatization, the data center not only plays a basic supporting and assuring role in the rapid development of the public service business of government units, but is also of great significance for improving the internal management of government institutions and, in turn, the efficiency of resource allocation and information security. This also means that government agencies now depend on IT information systems to the point where they cannot do without them for even a moment. Protecting important information systems and sensitive data is therefore particularly important. At present, government agencies and units mainly face the following security risks at the level of IT operation and maintenance:
1. Identity is unclear and authorization is unclear. At present, the IT affairs of government organs and units are basically handled on a project basis, and few units have their own IT operation and maintenance team. Even important units in first-tier cities outsource their operation and maintenance to third-party companies. With a third-party operation and maintenance company, there are often many problems with the identity and authorization of its personnel, such as what level of account the operation and maintenance personnel can use, what authority they have, and how long that authority is retained. If these points are not clearly specified in advance, operation and maintenance security problems will follow;
2. Operations are opaque and behavior is uncontrollable. Previous security incidents in major government departments show that the service personnel of some third-party service companies logged in to core systems and databases without authorization many times during the service period, resulting in the leakage of citizens' private information. After these incidents occurred, the problem was not exposed, which in itself shows that the third-party company's operations are opaque and its processes uncontrollable. Similar cases are not uncommon in the industry. In such cases, the security of users' private information can rely only on the ethics and professional conduct of third-party operation and maintenance personnel. Obviously, this kind of unsupervised IT operation and maintenance carries great risks;
3. Auditing after the fact is difficult and responsibility is unclear. Because operation and maintenance work is mostly handed over to a third party, and effective identity authentication and authority control are lacking, IT operation and maintenance is left with a great deal of unregulated room for maneuver. As a result, after a security incident, the relevant departments cannot promptly and effectively assign responsibility for dereliction of duty, and a great deal of human and material resources must be invested in the subsequent investigation.