Information security fundamentals
The founder of cybernetics, Norbert Wiener, held that information has unique characteristics and is reducible to neither matter nor energy. This special status of information as a phenomenon has given rise to many definitions.
The vocabulary standard ISO/IEC 2382:2015 "Information technology" gives its own interpretation of the term.
For the purposes of information security, information is understood as data that can be collected, stored, processed (edited, transformed), used and transmitted in various ways, including over computer networks and other information systems.
Such information is of high value and can become a target for third parties. The need to protect it from threats is what drives the creation of information security systems.
In December 2016, a new edition of the Information Security Doctrine was approved in Russia. The document defines information security as the state of protection of national interests in the information sphere, where national interests are understood as the totality of the interests of the individual, society and the state, each of which is necessary for the stable functioning of society.
The Doctrine is a conceptual document. Legal relations in the field of information security are governed by the federal laws "On State Secrets", "On Information" and "On Personal Data", among others. On the basis of these fundamental acts, government decrees and departmental regulations are issued that address particular aspects of information protection.
Definition of information security
Before developing an information security strategy, it is necessary to adopt a working definition of the concept itself, since the definition determines which methods and means of protection apply.
Industry practitioners suggest understanding information security as a stable state of protection of information, its carriers and its supporting infrastructure, one that preserves the integrity and resilience of information-related processes against deliberate or accidental impacts of natural or artificial origin. Such impacts are classified as information security threats capable of harming the subjects of information relations.
Information protection, then, means a complex of legal, administrative, organizational and technical measures aimed at preventing actual or anticipated threats and at eliminating the consequences of incidents. Because the process must be continuous, it has to counter threats at every stage of the information life cycle: collection, storage, processing, use and transmission.
Understood this way, information security becomes one of the operational characteristics of a system. At every moment the system must have a measurable level of security, and maintaining that level must be a continuous process carried out throughout the system's lifetime.
In information security theory, information security subjects are understood as owners and users of information, not only users on an ongoing basis (employees), but also users who access databases in isolated cases, for example, government agencies requesting information. In a number of cases, for example, in banking information security standards, shareholders - legal entities who own certain data - are ranked as information owners.
The supporting infrastructure, from the standpoint of information security basics, includes computers, networks, telecommunications equipment, premises, life-support systems and personnel. A security analysis must cover every element of the system, with particular attention to personnel, who are the source of most internal threats.
For information security management and damage assessment, the criterion of acceptability is used: damage is classed as acceptable or unacceptable. Each company should set its own criteria for acceptable damage, in monetary terms or, for example, as tolerable reputational harm. Public institutions may adopt other measures, such as the effect on governance processes or the degree of harm to the life and health of citizens. The criteria for the materiality, importance and value of information can change over the life cycle of a data set and must therefore be reviewed in good time.
An information threat in the narrow sense is an objective possibility to influence the object of protection, which can lead to leakage, theft, disclosure or dissemination of information. In a broader sense, information security threats will include directed informational impacts, the purpose of which is to harm the state, organization, and individual. Such threats include, for example, defamation, deliberate misrepresentation, and inappropriate advertising.
Three basic concepts of information security for any organization
Information security system
The information security system of a company (a legal entity) rests on three basic concepts: integrity, availability and confidentiality. Each of them covers a number of more specific properties.
Integrity is understood as the resistance of databases and other data sets to accidental or deliberate destruction and to unauthorized modification. Integrity can be viewed as:
- static, expressed in the immutability and authenticity of information objects relative to the form in which they were created according to a specific technical specification, containing the amount of information users need for their main activities, in the required configuration and sequence;
- dynamic, meaning the correct execution of complex actions or transactions without harm to the safety of the information.
To control dynamic integrity, special technical means analyze information flows, for example financial ones, and detect theft, duplication, redirection and reordering of messages. Integrity is a key requirement wherever decisions to act are taken on the basis of incoming or stored information. A disturbed order of commands or sequence of actions can cause serious damage when the information describes technological processes, program code or similar material.
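The distinction between static and dynamic integrity is easiest to see in code. The following example is added here and is not from the original article or any product it mentions. Each message in a stream carries an HMAC over its contents (static integrity: any modification is detected) and a sequence number covered by the same HMAC (dynamic integrity: duplicated, reordered or missing messages are detected even though each one is individually authentic). The key, the messages and the manipulation scenario are constructed for the example; in practice the key would come from a key management system rather than a literal in the source.

```python
"""Static and dynamic integrity of a message stream (added example)."""
import hashlib
import hmac
import struct

# Constructed key for the example only; a real deployment loads it from a KMS/HSM.
KEY = b"shared-secret-key-for-example"
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Build a record: seq (4 bytes, big-endian) || payload || HMAC-SHA256(key, seq || payload).

    Covering the sequence number with the tag is what lets the receiver trust
    the ordering information, not just the payload."""
    body = struct.pack(">I", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify(record: bytes, key: bytes = KEY):
    """Return (seq, payload) if the tag is valid, otherwise None (static integrity)."""
    if len(record) < 4 + TAG_LEN:
        return None
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    seq = struct.unpack(">I", body[:4])[0]
    return seq, body[4:]


def check_stream(records, key: bytes = KEY):
    """Classify every record in arrival order (dynamic integrity).

    Verdicts: 'ok', 'tampered' (bad tag), 'duplicate' (sequence number already
    seen), 'gap' (messages missing or delayed), 'reordered' (an earlier
    sequence number arriving late). Returns a list of (seq_or_None, verdict)."""
    verdicts = []
    expected_seq = 1
    seen = set()
    for rec in records:
        parsed = verify(rec, key)
        if parsed is None:
            verdicts.append((None, "tampered"))
            continue
        seq, _payload = parsed
        if seq in seen:
            verdicts.append((seq, "duplicate"))
        elif seq < expected_seq:
            verdicts.append((seq, "reordered"))
        elif seq > expected_seq:
            verdicts.append((seq, "gap"))
            expected_seq = seq + 1
        else:
            verdicts.append((seq, "ok"))
            expected_seq = seq + 1
        seen.add(seq)
    return verdicts


def demo():
    """Constructed scenario: four payment messages; the stream the receiver sees
    contains a replayed message 2, a bit-flipped message 3, message 4 arriving
    before the genuine message 3."""
    records = [sign(i, f"transfer {i * 100} to account A".encode()) for i in range(1, 5)]
    altered = bytearray(records[2])
    altered[6] ^= 0x01  # flip one bit inside the payload of message 3
    stream = [records[0], records[1], records[1], bytes(altered), records[3], records[2]]
    return check_stream(stream)


if __name__ == "__main__":
    for seq, verdict in demo():
        print(seq, verdict)
```

Note that the tampered record is rejected before its sequence number is even read, so a forged sequence number cannot be used to desynchronize the receiver; the sequence checks only run on records whose tag has already been verified.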
Availability is the property that allows authorized subjects to obtain or exchange the data they need. The key requirement of legitimation, or authorization, of subjects makes it possible to create different levels of access. A system that fails to provide information is a problem for any organization or group of users. An example is the unavailability of public service websites during an outage, which deprives many users of the services or information they need.
Confidentiality is the property of information of being available only to those subjects, users and processes, that were originally granted access. Most companies and organizations regard confidentiality as the key element of information security, but in practice it is difficult to implement fully. Not all existing leakage channels are known to the authors of information security concepts, and many technical means of protection, including cryptographic ones, cannot be purchased freely; in some cases their circulation is restricted.
The same properties carry different weight for different users, which produces two extreme cases when developing a data protection concept. For companies or organizations dealing with state secrets, confidentiality is the key parameter; for public services or educational institutions, the most important parameter is availability.
Protected objects in information security concepts
Differences between subjects give rise to differences in the objects of protection. The main groups of protected objects are:
- information resources of all types (a resource here is a material object: a hard disk or other medium, or a document with data and details that identify it and assign it to a certain group of subjects);
- the rights of citizens, organizations and the state to access information, the ability to obtain it within the framework of the law; access can be limited only by regulatory legal acts, the organization of any barriers that violate human rights is inadmissible;
- system for creating, using and distributing data (systems and technologies, archives, libraries, regulatory documents);
- a system for the formation of public consciousness (media, Internet resources, social institutions, educational institutions).
Each object calls for its own system of measures against threats to information security and public order. In every case, ensuring information security should rest on a systematic approach that takes the specifics of the object into account.
Categories and storage media
The Russian legal system, law enforcement practice and established social relations classify information by the criterion of accessibility. This clarifies the essential parameters needed to ensure information security:
- information, access to which is limited on the basis of legal requirements (state secrets, commercial secrets, personal data);
- information in the public domain;
- publicly available information that is provided under certain conditions: paid information, or data for which some form of authorization is required, for example a library card;
- dangerous, harmful, false and other types of information, the circulation and distribution of which is limited either by the requirements of laws or corporate standards.
Information in the first group falls under two protection regimes. State secrets, according to the law, are information protected by the state whose free dissemination could harm the security of the country: data on the military, foreign policy, intelligence, counterintelligence and economic activities of the state. The owner of this data is the state itself. The bodies authorized to protect state secrets are the Ministry of Defense, the Federal Security Service (FSB), the Foreign Intelligence Service and the Federal Service for Technical and Export Control (FSTEC).
Confidential information is a more multifaceted subject of regulation. The list of information that may constitute confidential information is set out in Presidential Decree No. 188 "On Approving the List of Confidential Information": personal data; the secrecy of investigations and legal proceedings; official secrets; professional secrets (medical, notarial, legal); trade secrets; information about inventions and utility models; information in the personal files of convicts; and information on the compulsory enforcement of judicial acts.
Personal data exists in open and confidential modes. The part of personal data that is open and accessible to all users includes the first name, surname and patronymic. Under Federal Law No. 152-FZ "On Personal Data", data subjects have the right:
- informational self-determination;
- to access their personal data and have it corrected;
- to have their personal data, and access to it, blocked;
- to appeal against illegal actions of third parties committed in relation to personal data;
- for compensation for damage caused.
The right to process personal data is established in the regulations on state bodies, in federal laws and, where technical protection of confidential information is involved, in licenses issued by FSTEC. Companies that professionally process the personal data of a wide range of people, for example telecom operators, must be entered in the register of operators maintained by Roskomnadzor.
A separate object in the theory and practice of information security is the information carrier, access to which may be open or restricted. When developing an information security concept, protection methods are chosen according to the type of carrier. The main carriers are:
- print and electronic media, social networks, other resources on the Internet;
- employees of the organization who have access to information through their personal, family or professional ties;
- communication facilities that transmit or store information: telephones, automatic telephone exchanges, other telecommunication equipment;
- documents of all types: personal, official, government;
- software as an independent information object, especially if its version has been modified specifically for a specific company;
- electronic storage media that process data in an automatic manner.
Information security tools
When developing information security concepts, means of protection are usually divided into normative (informal) and technical (formal).
Informal means of protection are documents, rules and activities; formal means are dedicated technical devices and software. This division helps to distribute responsibility when an information security system is built: under the general management of protection, administrative staff implement the normative methods and IT specialists the technical ones.
The basics of information security imply a separation of powers not only in the use of information but also in the work of protecting it. That separation in turn requires several levels of control.
Standard data protection tools
The wide range of technical means of information security includes:
Physical protection. These are mechanical, electrical and electronic mechanisms that work independently of the information systems and create barriers to access. Locks, including electronic ones, screens and blinds are designed to keep destabilizing factors away from the systems. The group also includes security systems: video cameras, recorders, motion sensors, and sensors that detect elevated electromagnetic radiation where equipment is installed, which can reveal planted eavesdropping devices.
Hardware protection. These are electrical, electronic, optical, laser and other devices built into information and telecommunication systems. Before hardware is introduced into an information system, its compatibility must be verified.
Software tools range from simple single-purpose programs to complex systems that address a whole class of information security tasks. DLP and SIEM systems are examples of integrated solutions: a DLP system inspects data in use and in transit and blocks or reports attempts to move confidential information outside the organization, while a SIEM system collects and correlates events from many sources so that incidents can be detected and investigated. Such software is demanding on hardware resources, and spare capacity must be provided when it is installed.
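What a SIEM correlation rule actually does is best shown on log lines. The following example is added here and is not code from the original article or from any product it mentions. It implements one classic rule over constructed sshd-style log lines: five or more failed logins from one source address within a 60-second window raise a brute-force alert, and a successful login from that address while the window is still hot raises a second, higher-severity alert. The log lines, addresses and user names are constructed for the example.

```python
"""Minimal SIEM-style correlation rule over sshd log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log sample: one brute-force attempt that ends in success, one
# legitimate user who mistyped a password once, and an unrelated cron line.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-03-01T09:00:03Z sshd[1203]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-01T09:00:05Z sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
2024-03-01T09:00:07Z sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51028 ssh2
2024-03-01T09:00:09Z sshd[1209]: Failed password for svc_backup from 203.0.113.7 port 51030 ssh2
2024-03-01T09:00:11Z sshd[1211]: Failed password for svc_backup from 203.0.113.7 port 51032 ssh2
2024-03-01T09:00:12Z cron[77]: (root) CMD (run-parts /etc/cron.hourly)
2024-03-01T09:00:14Z sshd[1213]: Accepted password for svc_backup from 203.0.113.7 port 51034 ssh2
2024-03-01T08:10:00Z sshd[1180]: Failed password for alice from 198.51.100.4 port 40011 ssh2
2024-03-01T08:10:09Z sshd[1182]: Accepted password for alice from 198.51.100.4 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse(line):
    """Return (timestamp, result, user, src) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["result"], m["user"], m["src"]


def correlate(lines, threshold=5, window_s=60):
    """Sliding-window correlation keyed by source address.

    Emits 'ssh_bruteforce' once when the failure count from a source reaches
    the threshold inside the window, and 'ssh_bruteforce_success' when a
    successful login from that source follows while the window is still hot."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # not an authentication event
        ts, result, user, src = ev
        q = failures[src]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures outside the window
        if result == "Failed":
            q.append(ts)
            if len(q) == threshold:
                alerts.append({"rule": "ssh_bruteforce", "severity": "medium",
                               "src": src, "user": user, "count": len(q),
                               "time": ts.isoformat()})
        else:
            if len(q) >= threshold:
                alerts.append({"rule": "ssh_bruteforce_success", "severity": "high",
                               "src": src, "user": user, "count": len(q),
                               "time": ts.isoformat()})
            q.clear()  # a success resets the source's failure history
    return alerts


def run_demo():
    """Run the rule over the constructed sample and return the alerts."""
    return correlate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The second rule is the one an analyst cares about: a burst of failures alone is noise on any internet-facing host, but a success immediately after it is a compromised account until proven otherwise. A real SIEM adds what this sketch omits: normalization across log formats, state that survives restarts, and suppression so that one scanner does not raise one alert per minute.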
A distinct class of information security tools is cryptographic: algorithms that encrypt data stored on disk and data sent over external communication channels. The transformation can be implemented in software or in hardware operating within the corporate information systems.
All means of securing information should be used in combination, after a preliminary assessment of the value of the information and a comparison with the cost of the resources spent on protecting it. Proposals for the use of such means should therefore be formulated at the system design stage and approved at the level of management responsible for budgets.
To maintain security, it is necessary to follow current developments in software and hardware protection tools and in threats, and to update one's own defenses against unauthorized access promptly. Only an adequate and timely response to threats makes a high level of confidentiality in the company's work achievable.
Non-conventional data protection tools
Non-technical data protection tools are grouped into normative, organizational and administrative, and moral and ethical measures. At the first level of protection are the normative means that regulate information security as a process within the organization's activities.
- Regulatory means
This category of information security tools is represented by legislative acts and regulatory and administrative documents that operate at the organization level.
In world practice, normative tools are developed with reference to information security standards, chiefly the ISO/IEC 27000 family. The family is maintained by two organizations:
- ISO, the International Organization for Standardization, which develops and approves most of the internationally recognized methodologies for certifying the quality of production and management processes;
- IEC, the International Electrotechnical Commission, which contributed its own understanding of information security systems and of the means and methods of ensuring it.
ISO/IEC 27000:2016, the edition of the overview and vocabulary standard current when this was written, introduces the family's ready-made requirements and proven methods for implementing information security. According to its authors, the basis of information security is the systematic and consistent execution of every stage, from development to follow-up control.
A certificate of compliance is issued against ISO/IEC 27001, the requirements standard of the family, after an audit of the organization's management system. Where no certificate is needed, an organization may base its own information security system on earlier editions of these standards (the family grew out of ISO/IEC 17799 and BS 7799) or on the corresponding Russian GOST standards.
Based on a study of the standard, two documents concerning information security are developed. The main, though less formal, one is the enterprise information security concept, which defines the measures and methods for introducing an information security system into the organization's information systems. The second, binding on all employees, is the information security regulation approved by the board of directors or the executive body.
In addition to the company-level regulation, lists of information constituting a trade secret, annexes to employment contracts establishing liability for disclosure of confidential data, and other standards and procedures should be developed. Internal rules and regulations should contain implementation mechanisms and measures of liability. Most often the measures are disciplinary, and a violator must expect that a breach of the trade secret regime will be followed by significant sanctions, up to and including dismissal.
- Organizational and administrative measures
Administrative work on information security leaves room for creativity on the part of security staff. It includes architectural and layout decisions that protect meeting rooms and management offices from eavesdropping, and the establishment of different levels of access to information. Important organizational measures are certification of the company's management system against ISO/IEC 27001, certification of individual hardware and software systems, attestation of subjects and objects for compliance with the required security standards, and obtaining the licenses needed to work with protected data.
In regulating personnel, it is important to introduce a system of requests for access to the Internet, external e-mail and other resources. A separate element is obtaining an electronic digital signature to protect financial and other information transmitted to government agencies by e-mail.
- Moral and ethical measures
Moral and ethical measures shape a person's attitude to confidential information and to information whose circulation is restricted. Raising employees' awareness of how threats affect the company's activities increases their sense of responsibility. Combating violations of the information regime, such as sharing passwords, careless handling of media or discussing confidential data in private conversations, requires reliance on the personal conscientiousness of employees. It is useful to set personnel performance indicators that depend on the employee's attitude to the corporate information security system.