Information Security Service
The majority of business owners understand the need for information security, but not everyone fully understands the goals and responsibilities of an information security service. It is not enough to create an information security department; it is also necessary to understand why it was created and what goals it pursues. Otherwise, its work will not be effective. Creating an information security service "for show" means paying employees who will be of no use, and confidential data will not be protected with this approach.
Objectives of the information security service
Information security officers must prevent any unlawful use of information, which is treated as an object of property.
The main objectives of the information security service:
- legal protection of the company in relations with government agencies, business partners (Russian and foreign), competitors;
- protection of classified information, intellectual property rights, increasing the reputation of an organization in the business sphere, increasing the efficiency of using available data;
- protection of company property;
- increasing competitiveness, minimizing damage from unauthorized access to information;
- stimulating the business activity of all employees, monitoring compliance with labor discipline;
- avoiding dependence on unscrupulous partners and competitors;
- ensuring the continuous operation of the company and planning recovery actions for force majeure events;
- prevention of distortion, loss, theft, counterfeiting of information resources;
- prevention of any unauthorized actions in relation to classified information;
- documentation support of the enterprise within its competence;
- protection of people's constitutional rights to privacy and to the confidentiality of information held in automated information systems (AIS);
- timely identification and prevention of threats to the interests of the company;
- development of ways to compensate for damage from illegal actions of third parties, minimization of consequences;
- suppression of attempts to undermine the stable functioning of the organization;
- ensuring the safe conduct of transactions, meetings and negotiations;
- obtaining information about competitors, investors and potential partners in ways permitted by law;
- training all personnel in the basics of information security, conducting preventive and educational conversations.
Information security service functions
The activities of information security services in enterprises should be organized within the framework of legal norms. Depending on the direction of the company's work, the functions and staff of information security services can vary greatly.
The main duties of the information security service include:
- advising managers on information security and recruitment matters;
- vetting candidates for vacancies in other departments, holding exit interviews with departing employees, and periodically briefing personnel to raise their information security literacy;
- periodic analysis of the psychological situation in the team;
- control of personnel activity, accounting for violations of safety rules by employees;
- classification of information, determination of the level of its importance and role in information systems;
- information security policy development;
- differentiation of user access to classified information;
- development of instructions on information security for each structural unit, control of their implementation (when forming new IS rules, this should be reflected in regulatory documents);
- controlling employee authentication, enforcing periodic password changes, and ensuring that passwords are not shared with persons who lack access rights to information systems;
- ensuring the security of information systems (limiting remote access, installing intrusion detection system agents on each segment of the network);
- keeping logs for all systems;
- control and inventory of antivirus and other software;
- familiarizing third parties (for example, company partners) with the rules for handling information when they require access to classified data;
- storage, accounting and issuance of confidential information carriers;
- organization of physical security of the facility;
- taking measures for the safety of information during its transportation;
- interaction with representatives of law enforcement agencies, if necessary.
Also, an information security specialist is engaged in ensuring the safe functioning of automated information systems (AIS).
The complex of measures to ensure the security of AIS includes:
- regular updating of the system and all its elements;
- conducting investigations for each violation, taking the necessary measures based on the results of the investigation in order to avoid a repetition of the incident;
- inventory of AIS software and hardware protection tools;
- enumeration of open ports and identification of operating systems and applications;
- checking the security level of web applications;
- assessment of knowledge management systems and database management systems;
- analysis of the effectiveness of AIS security controls;
- preparation of reports for management.
The information security service also establishes cryptographic data protection and audits information systems, checking whether they can be compromised and whether channels for leaking classified data exist.
Information security service composition
The composition of the information security service depends on the goals and size of the organization. For small companies, one person who combines the roles of head of the information security service and information security specialist may be enough.
It is necessary to understand that the information security service is not a support department but a managerial one. Its main task is to develop information security rules and control their observance. For example, the information security service's requirements for installing security software must be fulfilled by employees of the IT department, who can also be involved in developing and maintaining software. In this case, the information security service acts as a coordinator.
All employees of the organization should be subordinate to IS management in matters related to its competence. The department dealing with the creation and maintenance of security should not be part of the structure of other departments. It should work in isolation, but at the same time interact with all other employees.
Each employee, from an ordinary executive to the management of the company, must clearly understand what information security is, realize the importance of keeping secret information, and know the punishment that will follow for violating information security rules.
To ensure the safety of classified information, you can seek help from a third party. In this situation there is a certain risk: information that should be kept secret becomes partially available to the invited specialists. Therefore, for closed organizations, an in-house IS department is preferable to outsourced staff.
Information security documents
The responsibilities of the information security service include developing and maintaining up-to-date documents to ensure the security of classified information:
- company information security concept;
- information security policy;
- manuals and instructions for ensuring the safety of information for each department, including management;
- regulations for working with protected data;
- job descriptions of employees involved in information security;
- regulatory documents, regulations to ensure the safety of confidential and personal information;
- orders for the appointment of people responsible for working with classified data.
Depending on the size and type of activity of the company, the list of necessary documents for ensuring information security can be significantly expanded.
Employees involved in the protection of information should report directly to management, and not to the heads of other departments. This will avoid conflicts of interest.
Employees responsible for information security should not be burdened with unrelated duties. They will simply not have enough time for information security, or they will fail to fulfill their main job duties in full while engaged in information protection. Information security should be handled by specially trained people hired to ensure the safety of confidential information.
If the company does not have a dedicated information security service, information security outsourcing will be the solution.
In cases where there is no separate information security department, the issue of financing remains open. If a security officer is "attached" to the IT department or to physical security, the heads of those departments will ask for funding for their main work, and the needs of information security will be left aside. These units must work in harmony with each other to protect classified information effectively, but none of them should be subordinate to another.
You should not expect direct profit from information security management. Its job is to minimize possible losses from confidential data entering the public domain. It is not worth saving on the means and methods of ensuring information security: ultimately, the harm from a leak of information resources will be greater.