Information security in a corporation
The phrases "information security in a corporation" and "corporate information security" mean different things. The second refers to any company; the first refers specifically to a corporation, that is, an organization with a complex structure distributed across branches and, at times, several legal entities. This structure creates particular data-security challenges, which stem from the need to integrate many local networks into a single control loop.
Corporation and company: what's the difference
Not everyone has a clear understanding of the term "corporation". It is not an official term, and the Civil Code of the Russian Federation contains no such form of enterprise, but in recent decades the concept has firmly entered business usage. It should be understood as a company whose structure contains many branches, or which manages a group of subsidiaries. The parent organization is responsible for coordinating and managing the subsidiaries and branches, where the actual production or commercial business processes take place. A distinguishing feature of a corporation is that its main function is recognized to be the management of its subsidiaries' business processes. The closest analogue is the holding, in which the parent company likewise manages the subsidiaries and organizes production there. One difference separates a holding from a corporation: in a holding, trading tasks come first, so the information system (IS) architecture is built around CRM and similar systems aimed at increasing sales; in a corporation, the most important element of the IS is the set of automated control systems (ACS) that run production.
In Russia there is also a special form, the state corporation. It is intended for large holding structures that manage many subsidiaries specializing in one area of importance to the state, for example the state corporation "Russian Technologies".
In a corporation, information security is not a side function that merely accompanies business processes; it is one of the main tasks. The corporation is obliged to set up the data security system in its subsidiaries and branches and to keep it operating at a high level of effectiveness.
Features of information system architecture in a corporation
The architecture of the information system of a corporation or holding follows from the organizational structure of the enterprise. A corporate computer network will almost always be complex, with many branches and remote workplaces. In holding structures, computers and servers belonging to different legal entities may be connected to the same network, which creates problems in determining the rights to software that is installed on the computers of several firms at once even though the license was issued to a single legal entity.
When building the system, the following tasks have to be solved:
- organizing secure internal communication between companies and divisions in different locations, including unified IP telephony and the ability to hold teleconferences and conference calls;
- accommodating separate network segments and control loops at each subsidiary while combining them into a common network;
- giving corporate divisions the ability to receive all operational information from subsidiaries or branches online, with access from every workplace;
- working with a large volume of daily incoming data, which must be structured, processed and stored;
- structuring and optimizing unified business processes in which several independent economic entities take part;
- creating a single corporate knowledge base with a large number of users;
- establishing uniform rules and methods for IS users in every division;
- locating the core system administration team at the corporate center, while field staff perform technical and support functions;
- locating the main business applications on the corporation's servers and organizing access to them for users in the subsidiaries;
- resolving the issues raised by virtualization technologies when the whole body of data must be available to many legal entities.
These features rule out building the architecture of the computer system haphazardly; it should be created according to a single strategy. Most often a single IT directorate is created, whose functions include the automation of all remote departments and workplaces, from a trading company to an oil rig. An ERP system usually becomes the basis for solving these complex problems. The main problem in automating a corporation is the drive to save money. When meeting regulators' requirements, a single software product is often purchased on the balance sheet of one legal entity while the workplaces sit on computers belonging to several, and during an audit it becomes difficult to prove that the license was acquired legitimately. Scaling solutions across the corporation, introducing uniform solutions in all departments and outsourcing IT management staff significantly reduce the burden on the business.
Information security organization system in a corporation
Features of information security in a corporation:
- complex architecture of the information network, requiring configuration and interaction of its components;
- at least three levels of data exchange - within one structural unit, between structural units and external data consumers, between structural units and the parent company;
- constant inbound and outbound traffic between remote units, which must be filtered and monitored for possible leaks.
If the corporation's structure includes manufacturing enterprises, the specifics of production automation add nuances that must be taken into account when designing the security system:
- a large number of different kinds of information consumers: management, engineers, maintenance technicians, operators. There are more user groups than in a bank or a trading company;
- the presence of production facilities (machine tools, generating units, drilling rigs) that are independent control objects;
- features of the ACS that complicate the use of many modern information security solutions;
- the bulk of the information needed for management decisions is created within the technological processes themselves, and errors in that data can be catastrophic (for example, a critical change in the temperature of the gas mixture used in steel smelting).
This pushes the data security effort toward system reliability and software correctness rather than toward leaks or external attacks alone. A separate task is protecting the system from malware that is written specifically with the features of the ICS in mind.
The remaining information security problems are common to both a large company and a corporation with an extensive structure. But for a corporation that is an association of manufacturing enterprises, internal threats may turn out to be more significant than external ones.
An unintentional personnel error, an incorrectly entered value or a lack of control over a change in indicators can halt the production process or cause an accident. This puts two things at the top of the data security agenda: training personnel, and configuring the system so that it automatically catches incorrectly entered values instead of passing them to the process.
</gre_replace>
<gr_insert after="33" cat="add_content" lang="python" orig="Unintentional personnel">
The following is an added illustration of the last point, not code from the original article: a validation gate for operator-entered setpoints that refuses to pass a value to the process unless it is numeric, inside the engineering range, within the permitted step from the last accepted value, and, for values in the outer "warning band", independently confirmed by a second operator. The tag name, limits and log format are assumptions chosen for the example; in a real plant they come from the process engineers and the safety case. The gate deliberately rejects and records rather than silently "correcting" a bad value, because silent correction can mask both a typo and a deliberate manipulation.

```python
"""Validation gate for operator-entered process setpoints.

Added example, not the article's or any vendor's code. Tag names, limits
and log format below are assumptions made for illustration only.
"""
import math
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    ACCEPTED = "accepted"
    NEEDS_CONFIRMATION = "needs_confirmation"
    REJECTED = "rejected"


@dataclass(frozen=True)
class TagLimits:
    """Engineering limits for one setpoint tag (assumed values)."""
    low: float        # hard lower bound; never accepted below this
    high: float       # hard upper bound; never accepted above this
    warn_low: float   # below this a second operator must confirm
    warn_high: float  # above this a second operator must confirm
    max_step: float   # largest permitted change per write vs. last accepted value


@dataclass
class SetpointGate:
    limits: dict                                   # tag -> TagLimits
    last_accepted: dict = field(default_factory=dict)  # tag -> last accepted value
    audit_log: list = field(default_factory=list)      # one line per decision

    def _log(self, tag, operator, raw_value, verdict, reason):
        # Every decision, including rejections, is recorded for later review.
        self.audit_log.append(
            f"{tag} by={operator} value={raw_value!r} {verdict.value}: {reason}"
        )
        return verdict

    def submit(self, tag, raw_value, operator, confirmed_by=None):
        """Validate one setpoint write; returns a Verdict, never a corrected value."""
        lim = self.limits.get(tag)
        if lim is None:
            return self._log(tag, operator, raw_value, Verdict.REJECTED, "unknown tag")

        # 1. The value must parse as a finite number ("15OO", "", None, "nan" fail here).
        try:
            value = float(raw_value)
        except (TypeError, ValueError):
            return self._log(tag, operator, raw_value, Verdict.REJECTED, "not a number")
        if not math.isfinite(value):
            return self._log(tag, operator, raw_value, Verdict.REJECTED, "non-finite value")

        # 2. Hard engineering range: outside it the write is refused outright.
        if not lim.low <= value <= lim.high:
            return self._log(tag, operator, raw_value, Verdict.REJECTED,
                             f"outside engineering range [{lim.low:g}, {lim.high:g}]")

        # 3. Rate-of-change limit against the last value this gate accepted.
        previous = self.last_accepted.get(tag)
        if previous is not None and abs(value - previous) > lim.max_step:
            return self._log(tag, operator, raw_value, Verdict.REJECTED,
                             f"step {abs(value - previous):g} exceeds max_step {lim.max_step:g}")

        # 4. Warning band: permitted, but only with confirmation by a different person.
        if value < lim.warn_low or value > lim.warn_high:
            if confirmed_by is None or confirmed_by == operator:
                return self._log(tag, operator, raw_value, Verdict.NEEDS_CONFIRMATION,
                                 "outside warning band; independent confirmation required")

        self.last_accepted[tag] = value
        return self._log(tag, operator, raw_value, Verdict.ACCEPTED,
                         f"confirmed_by={confirmed_by}" if confirmed_by else "within normal band")


if __name__ == "__main__":
    # Assumed furnace temperature tag: hard range 1400-1700 C, normal band 1450-1650 C,
    # at most 50 C per write. All values here are constructed for the demo.
    gate = SetpointGate({"furnace_temp_c": TagLimits(1400.0, 1700.0, 1450.0, 1650.0, 50.0)})
    for raw, who, conf in [("1500", "op1", None), ("1800", "op1", None), ("15OO", "op1", None),
                           ("1600", "op1", None), ("1540", "op1", None), ("1580", "op1", None),
                           ("1620", "op1", None), ("1660", "op1", None), ("1660", "op1", "op2")]:
        gate.submit("furnace_temp_c", raw, who, confirmed_by=conf)
    print("\n".join(gate.audit_log))
```

The order of the checks matters: parsing and the hard range come first so that a garbage or wildly wrong value never reaches the step or confirmation logic, and `last_accepted` is updated only on an ACCEPTED verdict, so a rejected write cannot move the baseline used by the rate-of-change check.
<test>
gate = SetpointGate({"furnace_temp_c": TagLimits(1400.0, 1700.0, 1450.0, 1650.0, 50.0)})
assert gate.submit("furnace_temp_c", "1500", "op1") is Verdict.ACCEPTED
assert gate.submit("furnace_temp_c", "1800", "op1") is Verdict.REJECTED
assert gate.submit("furnace_temp_c", "15OO", "op1") is Verdict.REJECTED
assert gate.submit("furnace_temp_c", "nan", "op1") is Verdict.REJECTED
assert gate.submit("furnace_temp_c", "1600", "op1") is Verdict.REJECTED
assert gate.last_accepted["furnace_temp_c"] == 1500.0
assert gate.submit("furnace_temp_c", "1540", "op1") is Verdict.ACCEPTED
assert gate.submit("furnace_temp_c", "1580", "op1") is Verdict.ACCEPTED
assert gate.submit("furnace_temp_c", "1620", "op1") is Verdict.ACCEPTED
assert gate.submit("furnace_temp_c", "1660", "op1") is Verdict.NEEDS_CONFIRMATION
assert gate.submit("furnace_temp_c", "1660", "op1", confirmed_by="op1") is Verdict.NEEDS_CONFIRMATION
assert gate.submit("furnace_temp_c", "1660", "op1", confirmed_by="op2") is Verdict.ACCEPTED
assert gate.last_accepted["furnace_temp_c"] == 1660.0
assert gate.submit("no_such_tag", "1", "op1") is Verdict.REJECTED
assert len(gate.audit_log) == 13
</test>
</gr_insert>
<gr_replace lines="35" cat="clarify" orig="The large number">
The large number of corporate employees and the lack of regular contact between them (often many do not know each other by sight) make it impossible to handle data security issues informally. A corporate training program in the basics of information security is needed; it will answer most questions and eliminate mistakes made out of ignorance. Such a program includes:
Corporate personnel training
The large number of corporate employees, the lack of constant communication between them (often many do not know each other by sight) does not allow solving problems related to data security in an informal mode. A corporate training program in the basics of information security is needed, which will be able to remove most of the questions and eliminate mistakes made out of ignorance.
- development of work methods and plans for responding to unforeseen situations, familiarizing users with them;
- continuous user training;
- control of user actions using software;
- explanatory work that has the effect of preventive measures and helps prevent intentional and unintentional information security incidents.
The lion's share of these tasks is assigned to the security service of the corporation, but the personnel departments take a serious part in them, already at the stage of selecting workers and employees, paying attention to their training in the field of computer security.
Security service in the corporation
The complex, branching organizational structure of the corporation presupposes a large role for the security service, which has to set up an intricate mechanism of interaction between divisions, legal entities and branches and monitor potential risks. Besides the information security aspect that is solved with software, the service has two more tasks:
- developing organizational and legal documentation and tracking compliance with its requirements;
- monitoring the staff, their interactions and compatibility, and the possibility of their entering into a criminal conspiracy to harm the company's interests using computer technology.
At the same time, the job descriptions of employees who work with the information security system should oblige them to understand all the features of the production processes and technologies, so that the recommendations they produce and the actions they take do not conflict with the software processes and procedures.
Information security objectives
The main tasks of information security in a corporation are associated with ensuring the continuity and correctness of business processes, and only secondarily with repelling external and internal threats and preventing information leaks.
Functions of the IT Directorate:
- development of corporate security policies, ensuring that users are informed about them;
- development and approval of budgets for the creation and maintenance of an information security system in the corporation and subsidiaries;
- monitoring the information security system, analyzing the external environment, identifying new types of threats and changes in the field of software, legal regulation of information security problems;
- security audit, analysis of incidents in the field of information security, development of recommendations;
- choice of protection model, definition of security system architecture, choice of software;
- organizing the direction of incoming information flows to a single center for processing, structuring, analyzing, storing data;
- organization of compliance with the requirements of regulators in the field of personal data protection, ensuring the security of critical information infrastructure facilities;
- if necessary, control over the compliance of the system, procedures and processes with ISO standards and similar;
- monitoring of IS in general, development of recommendations to improve its efficiency.
Building an information security system in a corporation
Building a corporate information security system begins with studying the sources of threats: the individuals and companies from whom information or cyber attacks can be expected. External hacking or negative insider actions against the IS are often only tools in the hands of competitors.
Potential threat authors can be divided into categories:
1. Competitors. For a large corporation, they can work not only in the domestic, but also in the foreign market, using foreign hackers and cyber resources for information attacks.
2. Shareholders in a state of conflict with the main owner. A corporate conflict easily turns into an information war.
3. Management in conflict with the owner.
4. Criminal groups interested in redistributing business or taking away income.
5. Offended or fired employees.
6. Hacker groups that set the goal of stealing resources or stopping the production process.
Each of these groups can successfully use information weapons in an attack on a corporation. For a large corporation that takes part in providing vital systems of a region or is active on the international market, foreign states may be one more source of risk. A widely known case is that of hackers associated with the Chinese government who for several years in a row broke into cloud services and stole information from IT industry giants such as Hewlett Packard Enterprise, IBM and Fujitsu.
After the most obvious threat sources or their groups have been identified, it is necessary to create threat models:
- for the corporation itself;
- for its divisions or branches (identical or different, based on the specifics of the business);
- for the communication system between business units.
Based on threat models, the formation of a data security organization strategy begins, in which it is necessary to link all management perimeters and risk zones.
Infrastructure security of the corporation
For a manufacturing corporation, infrastructure information security can be singled out as a separate component, whose task is to concentrate on those points of the production and information infrastructure that are independent control objects. It includes:
- ensuring compliance with the requirements of the law in terms of the introduction of the recommended software and hardware protection and the organization of physical protection of facilities;
- forecasting, identification, analysis and assessment of IS threats to objects, prevention and neutralization of emerging cyber threats;
- ensuring counteraction to terrorist acts and other encroachments that threaten the safe operation of the corporation;
- development and implementation of targeted programs in the field of safety of infrastructure facilities;
- implementation of secure modern versions of the ACS;
- staffing the security function;
- organization of interaction between security personnel and IT services of the corporation with representatives of state authorities and ensuring state security (FSB, Ministry of Internal Affairs, Ministry of Emergencies).
The solution of these tasks is obligatory, the refusal from them may become the basis for bringing to criminal responsibility.
Information attacks are a special problem for a large corporation whose shares are traded on the securities markets. Theft of information from the protected perimeter and its publication can cause more than a fall in the share price. If hackers obtain evidence that the issuer's public reports are based on inaccurate data, then under US law, if the shares are traded on US markets, this can lead to criminal liability for the corporation's management and shareholders.
The risk creates the need to solve two problems:
- Protecting the operational and financial information on which public reporting is based from loss, intentional or unintentional distortion, and compromise of the database or its source. The task is solved by protecting the databases in accordance with ISO standards and by regular external audits confirming that the databases are not reachable from outside.
- Organization of complete protection of the company's information perimeter from leaks of any kind, including oral information.
The second information security problem, which is not strictly technical in nature, is black PR, which is often used by competitors, scooping negative information from organized leaks or introducing insiders.
These types of threats are divided into:
- an attack on the management or shareholders of the corporation. It can be expressed in the form of black PR, widespread promotion of unsuccessful statements, creating a negative image;
- an attack on a corporation as a whole or one of its subdivisions, one-time or constant, involving a series of stuffing, a long-term viral and systematic promotion of the topic.
In both cases, organized information leaks become material for promotion.
Despite the real threat of attacks in the information field, the greatest threat to corporations comes from hacker intrusions aimed not at stealing information but at breaking into enterprise control systems. According to Kaspersky Lab, at least 46% of the ICS systems of Russian companies have been targeted by external attacks aimed at seizing control of production processes. If corporate divisions are located in high-risk zones, in regions with hostilities, hacker attacks may be aimed at deliberately causing major man-made accidents in order to blame the corporation's shareholders for them.
Interruption or change in the parameters of technological processes may entail:
- financial losses;
- technogenic accidents;
- a break in the electricity and heat supply of residential areas;
- ecological disasters;
- reputational losses not only for the company, but also for the country as a whole, if the object is located abroad.
The complex topology of the control systems of individual production facilities pushes corporations to build ever more advanced protection systems. Corporations that own critical information infrastructure facilities must create GosSOPKA centers on their basis, as part of the unified state system for detecting, preventing and responding to computer attacks.
Large manufacturing corporations are faced with another cybersecurity challenge associated with the widespread adoption of the Internet of Things. A study by the Ponemon Institute, aimed at studying the problems of the state of cybersecurity in the fuel and energy complex, showed that corporations are not ready to repel attacks, they do not have knowledge about the capabilities of cybersecurity.
If the corporation has not yet grown enough to create an effective IT department with high-level professionals capable of building a reliable corporate information security system, experts recommend using outsourcing services, which is more efficient both technically and economically. A study of five large corporations whose shares are traded on the open stock market examined the effect of outsourcing the construction of the corporate security system over a five-year period. The analysis showed that companies that concluded large IT outsourcing deals achieved better business performance in the long term than competitors that built their security strategy independently. These companies succeeded in reducing selling, general and administrative expenses (SG&A), increasing return on assets (ROA) and increasing earnings before interest and taxes (EBIT).
Pros of outsourcing:
- scaling up of proven results;
- deeper understanding of the information environment and knowledge of current software;
- effective configuration of the business processes that protect information.
Cons of outsourcing:
- the company offering outsourcing services may be unfamiliar with the specifics of the corporation's production processes, and getting acquainted with them takes time;
- the likelihood of leaks of information, or of the code of the security tools, increases, especially if the developer's employees are of interest to competitors.
One feature of the corporate information security model is the need to work not only defensively but also proactively. A competitive market requires methods of economic intelligence that stay within the law yet eliminate the threat of external cyber attacks by competitors.
This level of information security includes the study of:
- competitive environment;
- threats posed by competitors and options for confronting them;
- suppliers and contractors, their reliability;
- competitors' behavior using analytical programs and open sources and predicting attacks from their side.
A comprehensive solution to corporate information security problems is often a task set for the IT services not only by shareholders and management but also by the state, because accidents and computer incidents at such corporations can damage protected public interests. This encourages solving security problems in the most effective way: building the information system architecture to a high standard and using proven solutions.