Information security in industries
The term "information security" is used with different meanings depending on the context. In its broadest sense, the concept implies the protection of confidential information, production process, company infrastructure from intentional or accidental actions that lead to financial damage or loss of reputation.
Information security principles
In any industry, the basic principle of information security is to maintain a balance of interests of the citizen, society and the state. The difficulty in maintaining a balance lies in the fact that the interests of society and the citizen are often in conflict. The citizen seeks to keep secret the details of his personal life, sources and level of income, bad deeds. On the contrary, society is interested in “declassifying” information about illegal income, facts of corruption, and criminal acts. The state creates and manages a restraining mechanism that protects the citizen's rights to non-disclosure of personal data and at the same time regulates legal relations associated with the disclosure of crimes and bringing the perpetrators to justice.
In modern conditions, the principle of legal support for information security gains importance when regulatory support does not keep pace with the development of the information security industry. Legal gaps not only allow offenders to evade responsibility for cybercrimes, but also hinder the implementation of advanced data protection technologies.
The principle of globalization, or the integration of information security systems, affects all sectors: political, economic, cultural. The development of international communication systems requires consistent data security.
According to the principle of economic feasibility, the effectiveness of measures to ensure information security must match or exceed the resources expended on them. A security system whose maintenance costs can never be recouped only harms progress.
The principle of flexibility of information security systems means the elimination of any regime restrictions that hinder the generation and implementation of new technologies.
The principle of non-secrecy implies strict regulation of confidential information only, rather than of open information.
The more different hardware and software security tools are used to protect data, the more versatile the knowledge and skills an attacker needs to detect vulnerabilities and bypass protection. The principle of diversity of defense mechanisms in information systems aims to strengthen information security on this basis.
The principle of easy security management is based on the idea that the more complex the information security system, the more difficult it is to verify the consistency of the individual components and implement central administration.
The principle of loyalty of data security administrators and all company personnel links security with employee motivation. The key to a loyal attitude of personnel toward information security is constant training in information security rules and clear explanations of the consequences of non-compliance, up to and including the company's bankruptcy. If employees, as well as counterparties and customers, perceive information security as unnecessary or even hostile, even the most powerful systems cannot guarantee the security of information in the company.
The listed principles are the basis for ensuring information security in all industries, which is supplemented with elements depending on the specifics of the industry. Let's look at the examples of banking, energy and media.
The development of cyberattack technologies forces banks to introduce new security systems and constantly improve basic ones. The goal of developing information security in the banking sector is to create technological solutions that are capable of securing information resources and ensuring the integration of the latest IT products into the key business processes of financial institutions.
Information security mechanisms of financial institutions are built in accordance with ratified international conventions and agreements, as well as federal laws and standards. The following are the benchmarks in the field of information security for Russian banks:
- Bank of Russia standard STO BR IBBS-1.0-2010 "Ensuring information security of organizations in the banking system of the Russian Federation";
- Federal Law No. 161 "On the National Payment System";
- Federal Law No. 152 "On Personal Data";
- PCI DSS (Payment Card Industry Data Security Standard) and other documents.
The need to follow different laws and standards arises because banks carry out many different operations and work in different areas, each of which needs its own security tools. For example, ensuring information security in remote banking services (RBS) includes the creation of a security infrastructure that comprises means of protecting banking applications, controlling data flows, monitoring banking transactions and investigating incidents. Multi-component protection of information resources minimizes the threats associated with fraud in the use of RBS services, and also protects the bank's reputation.
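One component of the RBS protection described above, transaction monitoring, can be illustrated with a small rule-based detector. The code below is an added example and is not part of the original article or any bank's system; the event records, account and device identifiers, payee names and thresholds (a "large" transfer of 5000, a three-transfer burst within five minutes) are all constructed for illustration. It replays a stream of transfer events in time order, learns which devices and payees each account has used before, and raises alerts for large transfers from an unseen device or to an unseen payee and for bursts of transfers, which an incident-investigation team would then review.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of remote-banking transfer events (not real data).
# Account A1 behaves normally in the morning, then late in the evening an
# unseen device sends three large transfers to an unseen payee in a row.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "account": "A1", "device": "dev-known", "payee": "P1", "amount": 120.0},
    {"ts": "2024-03-01T09:05:00", "account": "A1", "device": "dev-known", "payee": "P2", "amount": 80.0},
    {"ts": "2024-03-01T10:00:00", "account": "A2", "device": "dev-b", "payee": "P3", "amount": 50.0},
    {"ts": "2024-03-01T21:30:00", "account": "A1", "device": "dev-new", "payee": "P9", "amount": 9500.0},
    {"ts": "2024-03-01T21:31:00", "account": "A1", "device": "dev-new", "payee": "P9", "amount": 9400.0},
    {"ts": "2024-03-01T21:32:00", "account": "A1", "device": "dev-new", "payee": "P9", "amount": 9300.0},
]

# Illustrative thresholds; a real deployment would tune these per product and customer segment.
LARGE_AMOUNT = 5000.0
VELOCITY_WINDOW = timedelta(minutes=5)
VELOCITY_COUNT = 3


@dataclass(frozen=True)
class Alert:
    rule: str
    account: str
    ts: str
    detail: str


def monitor(events, large_amount=LARGE_AMOUNT, window=VELOCITY_WINDOW, velocity_count=VELOCITY_COUNT):
    """Replay transfer events in time order and return the alerts raised.

    Baselines (known devices and payees) are learned from the stream itself
    here; in production they would be seeded from the account's history.
    """
    known_devices = defaultdict(set)   # account -> devices seen so far
    known_payees = defaultdict(set)    # account -> payees seen so far
    recent = defaultdict(list)         # account -> timestamps inside the window
    alerts = []

    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        acct = ev["account"]
        amount = ev["amount"]

        # Rule 1: large transfer from a device this account has never used.
        if ev["device"] not in known_devices[acct] and amount >= large_amount:
            alerts.append(Alert("NEW_DEVICE_LARGE", acct, ev["ts"],
                                f"{amount:.2f} sent from unseen device {ev['device']}"))

        # Rule 2: large transfer to a payee this account has never paid.
        if ev["payee"] not in known_payees[acct] and amount >= large_amount:
            alerts.append(Alert("NEW_PAYEE_LARGE", acct, ev["ts"],
                                f"{amount:.2f} sent to unseen payee {ev['payee']}"))

        # Rule 3: velocity, i.e. too many transfers inside a sliding window.
        cutoff = ts - window
        recent[acct] = [t for t in recent[acct] if t > cutoff] + [ts]
        if len(recent[acct]) >= velocity_count:
            alerts.append(Alert("VELOCITY", acct, ev["ts"],
                                f"{len(recent[acct])} transfers within {window}"))

        # Update baselines only after the checks so the first sighting counts as unseen.
        known_devices[acct].add(ev["device"])
        known_payees[acct].add(ev["payee"])

    return alerts


def alerts_by_rule(alerts):
    """Count alerts per rule, a typical first view for an investigator."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in monitor(SAMPLE_EVENTS):
        print(f"{a.ts} {a.account} {a.rule}: {a.detail}")
    print(alerts_by_rule(monitor(SAMPLE_EVENTS)))
```

The detector keeps the checks before the baseline update so that the first appearance of a device or payee is treated as unseen, and it filters the sliding window with a strict comparison so a transfer exactly five minutes old drops out. The alerts are data, not decisions: whether a flagged transfer is held, confirmed with the customer or simply logged is the job of the incident-handling process the article refers to.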
Information security in the banking sector, like in other industries, depends on staffing. The peculiarity of information security in banks is the increased attention to security specialists at the level of the regulator. In early 2017, the Bank of Russia, together with the Ministry of Labor and Social Protection, with the participation of FSTEC, the Ministry of Education and Science, began to prepare a professional standard for information security specialists.
The energy complex is one of the strategic industries that require special measures to ensure information security. While standard information security tools are sufficient at administrative and departmental workplaces, protection at the technological stages of energy generation and delivery to end users needs increased control. The main object of protection in the energy sector is not information but the technological process. The security system in this case must ensure the integrity of the technological process and of the automated control systems. Therefore, before introducing information security mechanisms at energy-sector enterprises, experts study:
- the object of protection, namely the technological process;
- the devices used in power engineering (telemechanics);
- the accompanying factors (relay protection, automation, energy metering).
The importance of information security in the energy sector is determined by the consequences of cyber threats being realized. These are not only material damage or a blow to reputation, but above all harm to the health of citizens, environmental damage, and disruption of the infrastructure of a city or region.
Designing an information security system in the energy sector begins with predicting and assessing security risks. The main method of assessment is the modeling of possible threats, which helps to rationally allocate resources when organizing a security system and to prevent cyber threats from being realized. In addition, the assessment of security risks in the energy sector is continuous: audits are carried out throughout the operation of the system so that settings can be changed in a timely manner to ensure the maximum degree of protection and keep the system up to date.
The main task of information security in the media is to protect national interests, including the interests of the citizen, society and the state. In modern conditions, the activity of the media consists of creating information flows in the form of news and journalistic materials that are received, processed and delivered to end consumers: readers, viewers, site visitors.
Provision and control of security in the field of mass media is implemented in several directions and includes:
- development of recommendations on anti-crisis procedures in case of realization of the threat of an information attack;
- training programs on information security for employees of media editorial offices, press services, public relations departments;
- temporary external administration of an organization that has undergone an information attack.
Another problem of information security in the media is bias. To ensure objective coverage of events, a protection mechanism is required that would shield journalists from pressure by government officials, management and/or the owner of the media outlet, while at the same time insuring bona fide businesses against the actions of dishonest media representatives.
Restricting access to data is another cornerstone of information security in the media sector. The challenge is to ensure that restricting access to information in order to prevent information threats does not become a "cover" for censorship. A solution that would make the work of the media more transparent and help avoid harming national security interests is contained in the draft Convention on Access to Information Resources, which is awaiting a vote in the European Union. The norms of the document assume that the state provides equal access to all official documents by creating appropriate registries on the Internet, and sets access restrictions that cannot be changed. Only two exceptions allow restrictions on access to information resources to be lifted:
- public benefit, which implies the ability to disclose even those data that are not subject to dissemination under normal conditions;
- national interest if concealing information harms the state.
With the development of a market economy, growth and increased competition, a company's reputation becomes an integral part of its intangible assets. The formation and preservation of a positive image directly depend on the level of information security. There is also feedback in the other direction: the company's existing image in the market serves as a guarantee of information security. With this approach, there are three types of business reputation:
1. The image of a "useless" organization, the information resources of which are not of interest, since they cannot be used to the detriment or benefit of a third party.
2. The image of a strong adversary, one that it is "more costly to oneself" to threaten. Keeping the company's capacity to repel an information attack opaque helps to maintain the reputation of a formidable adversary: the harder it is to gauge the potential of its information protection, the more impregnable the company looks in the eyes of attackers.
3. The image of a "useful" organization. If a potential aggressor is interested in the viability of the company, instead of an information attack, dialogue and the formation of a common information security policy are possible.
Each company organizes its activities while observing the norms of the law and striving to achieve its set goals. The same criteria also apply to the development of an information security policy and to the implementation and operation of internal security systems for confidential data and IT resources. To ensure the highest possible level of information security in an organization, the security components should be systematically monitored, reconfigured and updated as needed after the security systems have been implemented.
Information protection of strategic facilities
In early 2017, the State Duma of the Russian Federation adopted in the first reading a package of bills that relate to information security and critical information infrastructure of the country.
The chairman of the parliamentary committee on information policy, information technology and communications Leonid Levin, presenting the draft laws, warned of an increase in the number of cyber attacks on strategically important objects. At a meeting of the committee, FSB representative Nikolai Murashov said that 70 million cyber attacks were carried out on objects in Russia during the year. Simultaneously with the growing threats of external attacks, the scale, complexity and coordination of information attacks within the country are increasing.
The bills passed by parliamentarians create the legal basis for ensuring information security in the field of national critical infrastructure and individual industries. In addition, the bills prescribe the powers of state bodies in the field of information security and provide for tougher criminal liability for violations of information security.