Corporate information security
The principles of corporate information security apply to a corporation, or an organization, whose members act as a single whole. Such a subject of information security can be a large company with its own values shaped by the needs of the organization, a holding structure, or a public organization. The main difference from the usual information security structure is the increased role of personnel, or members of the corporation, in ensuring data protection.
A specific feature of a corporation is that it is an association of economic entities with many systems and local corporate networks of various levels, for which uniform security regulations and methods have to be developed. The task requires diverting a large amount of resources (human, time, financial) and is not always solved successfully. Relying on the human factor alone, by creating an understanding of information security as a shared value of the company, can eliminate risks by 70%. But the degree of threats grows every year, which requires especially high qualifications from information security specialists.
It is difficult to predict the source of threats if a corporation is engaged in trade and production, is not a personal data operator, and does not own objects of critical information infrastructure. For these market actors, external threats are always more dangerous than competitors or insiders. And for a corporation or mid-level company, competitors are more dangerous than global hacker groups. But the presence of an electronic payment service, for example when selling goods over the Internet, makes them a target for persons who want to take possession not only of information of indefinite value but also of money. The main risk for confidential information is the human factor; the level of protection of networks from insiders is often extremely low.
The key tasks of an information security specialist in these conditions will be:
- availability of the applications that support business processes for users, and absence of the risk of application or system failure;
- availability of Internet applications and online stores for customers, minimizing the risk of DDoS attacks;
- protection of key confidential information from theft as a result of external attacks or the activities of insiders. The most vulnerable asset is considered to be customer databases, which usually move from company to company together with the sales manager;
- the integrity of information, its safety, and its invariability against external interventions or the work of insiders who want to alter data to hide unreliable transactions. Violation of the integrity of information becomes a problem during the audit of financial statements if the auditing organization's experts reveal facts of interference with the structure of accounting or financial data.
According to the mechanism of their manifestation, information security risks are divided into:
- malicious programs (Trojans, ransomware);
- phishing emails;
- DDoS attacks and denial of service;
- external connections to communication channels to intercept data packets;
- substitution (defacement) of the site's home page.
There are different methods of treatment for these diseases: organizational, technical, and software. In a corporation with a large number of employees, where insider threats become a priority, special attention should be paid to organizational measures. They help to prevent an incident rather than merely minimize its consequences and then conduct internal investigations with unpredictable results and without evidence sufficient to bring the perpetrator to justice.
Corporate protection methods
Organizational and procedural solutions are most in demand for the corporate information security system. But their implementation should be accompanied by the professional work of the personnel departments and the company's security service. The main task is not to impose on the corporate team regulations that distract from the maintenance of business processes, but to explain the value of confidential information and the shared interest in its protection.
Organizational protections for corporate information security usually begin with the implementation of regulations and policies that, if not supported by the authority of senior management, are silently ignored or, if enforced, provoke hostility. Sometimes precisely such reactions indicate that confidential data is under threat: someone in management or among top employees is using it for their own purposes and does not intend to give up privileges. The first step in dealing with this problem is the creation of uniform ethical values, within which each employee of the corporation must feel personally responsible for the safety of data and for compliance with all requirements of the regulations.
As noted in the reports of large consulting companies, the question of the reality of threats to corporate information security is still not seriously raised in the Russian business community. The part of the business that has faced cyber threats has already installed DLP and SIEM systems, passed a network health audit, and has a system for monitoring threats and responding to cybersecurity incidents. The rest, in an old-fashioned way, believe that the only issue that needs to be resolved is limiting employees' use of the Internet and, in rare cases, blocking the USB ports of computers. The standard antivirus and the Windows firewall, sometimes not even licensed, are responsible for everything else. The result is massive theft of client databases and clients' personal information, which instantly appears on the darknet's black market for information.
Some companies are pushed toward data protection by regulators who set requirements for operators of personal data. Failure to comply with the requirements of FSTEC and Roskomnadzor for corporate information security threatens fines or suspension of activities.
Among these requirements:
- use of technical means of information protection and software that has passed testing and certification and guarantees the necessary level of data protection;
- compliance of the state of the information infrastructure with laws and by-laws;
- development of a strategy for timely updating of critical software;
- availability of a mechanism for responding to information security incidents;
- fighting viruses using certified anti-virus protection;
- data encryption;
- adoption of a package of documentation regulating all aspects of work with information systems (IS) that process personal data (PD).
But even to comply with the requirements of regulators, the staff must understand that if risks arise on their side that threaten fines or monetary losses from client claims, they themselves are also at risk of losing bonuses and their jobs. It is necessary to conduct training that familiarizes employees with the risk models and the main ways of responding to them. The need to develop company regulations meeting IS requirements is created both by the risk model and by the work of the regulators.
General threat model
In every organization, the business threat model should be included in the package of corporate documents that employees get acquainted with when hiring.
For employees to understand it, the threat structure should look like this:
1. Threats to business. If these are threats to reputation (black PR, negative publications in the media caused by leaks), they will affect employees, because with a company of negative reputation on their resume they will have difficulty finding a job. If these are threats to investments (decisions are made on the basis of inaccurate or false information and turn out to be ineffective), these risks will affect employees' bonuses.
2. Threats to data as such, both personal and confidential information. Intentional information leaks can lead to criminal liability, and a possible suspension of the company's activities threatens the loss of a job.
3. Threats to employees. In addition to poaching employees or offering them monetary compensation for providing information, competitors can use harsher methods, for example outright theft of mobile devices that carry data. Eliminating the risk of data residing on mobile devices will reduce these threats.
4. Threats to the company's information systems. They cause application failures and server unavailability, which entail business interruption and losses that affect the salaries of all employees, not just those who were negligent in using e-mail and accidentally launched malware.
5. Financial threats. Deliberate distortion of reporting leads to fines from the Federal Tax Service, as do actions that allow attackers to steal company funds. An explanation of why compliance with information security rules is necessary primarily for employees themselves is the best preventive measure for ensuring a high degree of information security. It should be backed up by non-disclosure requirements for confidential information, reflected in job descriptions and employment contracts. This will allow, if necessary, bringing the violator to justice.
Software and hardware
In addition to outreach, the technical aspect of corporate information security needs to be worked out just as carefully. The regulators recommend preparing two fundamental documents - the IS Strategy and the Risk Model, in which to reflect:
- the type of threats and the image of the hypothetical attacker;
- system architecture, its main nodes, and elements;
- objects of protection;
- classification of information confidentiality levels;
- rules for differentiating access and assigning privileges;
- requirements for software and its updating;
- requirements for software and hardware.
Next comes the stage of implementing the information security program. To create protection against insider risks, the following information security elements are implemented:
- access control system. It should exist at the physical level, restricting access to servers and workstations by persons who have no right to it, and recording all visits to the server room in a log. At the software level, it differentiates access to information of different confidentiality levels for employees of different ranks;
- authentication system; with two-factor authentication the risk of unauthorized access is reduced;
- email filtering to protect against spam, viruses, and phishing;
- trusted boot facilities;
- data leakage control. The task is solved by installing a DLP system.
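The software-level access control described above (confidentiality levels, employee clearances, and an audit trail the security service can review) as an added example; this is illustrative code, not a tool from the original article, and the logins, document names and levels are constructed.

```python
from collections import Counter
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Confidentiality levels; an employee's clearance uses the same scale."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass
class Employee:
    login: str
    clearance: Level


@dataclass
class Document:
    name: str
    level: Level


@dataclass
class AccessMonitor:
    """Grants read access only up to the employee's clearance and logs every request."""
    audit: list = field(default_factory=list)

    def request(self, who: Employee, doc: Document) -> bool:
        allowed = who.clearance >= doc.level
        self.audit.append((who.login, doc.name, int(doc.level), allowed))
        return allowed

    def denied_counts(self) -> dict:
        """Refused requests per login: repeated refusals on documents above one's
        clearance are exactly the signal the security service should look at."""
        return dict(Counter(login for login, _, _, ok in self.audit if not ok))


def demo() -> dict:
    # Constructed sample data; all names are hypothetical.
    monitor = AccessMonitor()
    manager = Employee("ivanov", Level.CONFIDENTIAL)
    clerk = Employee("petrov", Level.INTERNAL)
    price_list = Document("price_list.xlsx", Level.INTERNAL)
    customer_db = Document("customers.db", Level.CONFIDENTIAL)
    merger_plan = Document("merger_plan.docx", Level.SECRET)
    monitor.request(manager, customer_db)   # allowed: clearance covers the level
    monitor.request(clerk, price_list)      # allowed
    monitor.request(clerk, customer_db)     # denied and logged
    monitor.request(clerk, merger_plan)     # denied and logged
    return monitor.denied_counts()
```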
The following solutions are used to protect against external threats:
- anti-virus protection means;
- intrusion prevention means;
- scanners and other tools for monitoring network vulnerabilities;
- means of cryptographic data protection.
When transferring information through external channels, traffic encryption, secure data transfer protocols, and VPN technologies are used; among hardware devices, routers are used. If the company processes personal data, the choice of software and technical solutions is limited to information security tools certified by FSTEC and the Federal Security Service of the Russian Federation. They may not fit into the company's budget; in these cases FSTEC gives time during inspections to bring the system into line with its requirements.
The complex application of a system of preventive measures based on monitoring the actions of personnel and their training, together with hardware and software, can significantly increase the level of information security of the company.