Enterprise information security: where to start
A company that understands the cyber threats of the modern world sees the need to build an information security system commensurate with its level of risk. But the decisions you make do not have to be expensive to be effective. When building an information security strategy, focus on the real needs of the business.
Any system, including an enterprise information security system, begins with the people who build it and who will act according to its rules. Therefore, the first step is to develop a strategy that describes:
- the anticipated risks; their type depends on the confidentiality level of the protected information and on whether the company is a personal data operator. In the latter case, the main provisions of the strategy will be based on the regulators' recommendations;
- expectations of the information security architecture and of the software and hardware planned for installation;
- the financial resources to be spent on developing and implementing the system;
- the personnel involved in implementing the strategy: in-house staff, engaged experts, or an outsourcing company;
- the planned implementation timeline.
After the strategy is approved, a package of organizational and administrative documentation must be developed and put into effect. Some of the documents on the list define the general principles of information security at the enterprise; others are required by the law "On the protection of personal data" and by the recommendations of the FSTEC RF. At a minimum, three documents will need to be developed and adopted:
- Information security policy.
- Information security concept.
- Regulations on commercial secrets (confidential information).
In addition to these, applied methodological instructions must be developed.
Information security policy
This document is fundamental for the organization and, if possible, should be approved not by the company's executive management but by the Board of Directors, since the rules it describes also govern the behavior of top management. The document describes:
- confidentiality levels of documents;
- basic rules for handling information and its storage media;
- rules for granting users access;
- information security threats and risks.
Because the level of information threats changes constantly, the information security policy should be revised annually.
Information security concept
It is important for a company that handles customer data to maintain its reputation and to confirm that it takes every measure to keep information confidential. To do this, prepare a short extract from the Strategy and the Policy that highlights the main measures and means of protecting information. Publishing this document on the company's website, where clients can read it, creates a favorable image of the organization.
Commercial secret regulation
Every enterprise generates a certain amount of confidential information, but not everywhere is it treated as a commercial secret, the disclosure of which is punishable by law. For that to be the case, the company must declare a trade secret regime and issue a Regulation governing the basic rules for handling confidential information.
The Regulations indicate:
- the procedure for classifying information as a commercial secret;
- the procedure for handling documents and files containing commercial secrets;
- the persons and divisions responsible for observing the trade secret regime;
- the measures of liability for disclosing confidential data, whether disciplinary or affecting staff incentive payments.
All employees must be familiarized with this document, and at the same time a Statement of responsibility for maintaining confidentiality should be added to their employment contracts. Then, if information is leaked deliberately, damages can be recovered from the guilty person under civil law, and, where significant harm is done to legally protected interests, that person can be brought to criminal liability. Such preventive measures sometimes protect confidential information from loss or substitution better than physical and software measures that guard documents and files against unauthorized access.
Documents that regulate personnel behavior and introduce measures of liability can influence the organization's own employees, the insiders who, according to statistics, account for almost 80% of information leaks; the remaining 20% is due to external causes. An audit helps find vulnerabilities in the security system; it can be organized in-house or with the help of outsourced specialists. Vulnerability scanners simulate the actions of attackers, taking into account all threats known at the time of the audit, and find weaknesses in the enterprise information security system. Based on this data, recommendations for software and technical measures to protect confidential information can be developed. The scope of the audit depends on the network architecture, the degree to which it is distributed, and the use of cloud technologies.
The following areas, however, must always be covered by the audit:
1. Access policy. Assess the degree of physical access to servers and computers, the presence of restrictions on entry to premises where workstations that process confidential information are located, the use of electronic passes for entering premises, the keeping of a visitor log, and how long information about visitors is retained. Also assess the effectiveness of the video surveillance system, if there is one: whether it can show user actions and how long the recordings are kept. Then analyze the access system: by whom and how logins and passwords are issued, whether a differentiated access model has been implemented, and whether it is practically necessary. If multi-factor authentication is used, understand how the additional identifiers are issued. The password policy is also audited (password expiration period, complexity, number of login attempts, and the lockout time after the number of attempts is exceeded).
2. Network status. Analyze the physical location of servers, how physical and logical access to them is organized, how the network is segmented, and whether firewalls are used at segment boundaries and of what quality. Check how the remote access model is implemented and what type of secure channels is used. The optimal remote access model is built on a proven, uncompromised VPN service. Remote access rights are granted to employees with the approval of top management; for external users, access is possible only at certain hours for service work. User rights under remote access should be restricted to the minimum necessary.
3. Handling information security incidents. Understand which information security incidents are critical, how the notification and response model is built, how the incident register is updated, and how the results of incident remediation are analyzed. Each company must rank incidents by their significance for its specific information system. Here it is also necessary to analyze how the registers of user actions with information assets are maintained, and whether records in them can be deleted or altered.
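One technical answer to the last question (can records in the register of user actions be deleted or altered without anyone noticing?) is a hash-chained register: every entry carries the hash of the previous one, so modification, deletion or truncation breaks the chain at a detectable point. The following is an added example written for this article, not code from the original text; the user names, asset paths and timestamps are constructed sample data, and the class and function names are assumptions.

```python
"""Tamper-evident register of user actions with information assets (added example).

Each record stores the SHA-256 hash of the previous record. verify() walks the
chain and returns the index of the first entry where it no longer holds, or None
if the register is intact. Passing the last known head hash (kept outside the
register, e.g. in a SIEM or a signed daily summary) also detects truncation,
which a chain alone cannot see.
"""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # previous-hash value for the very first entry


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always produces the same hash
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class ActionRegister:
    def __init__(self) -> None:
        self.entries: list[dict] = []  # each: {"record", "prev", "hash"}

    def append(self, user: str, action: str, asset: str, ts: str) -> None:
        # seq is part of the hashed record, so removing a middle entry
        # leaves a gap that verify() can see even before the hash check
        record = {"seq": len(self.entries), "ts": ts, "user": user,
                  "action": action, "asset": asset}
        prev = self.head()
        self.entries.append({"record": record, "prev": prev,
                             "hash": _digest(prev, record)})

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> Optional[int]:
        """None if intact; otherwise the index of the first broken entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["record"]["seq"] != i or e["prev"] != prev
                    or _digest(prev, e["record"]) != e["hash"]):
                return i
            prev = e["hash"]
        if expected_head is not None and prev != expected_head:
            return len(self.entries)  # entries were removed from the tail
        return None


# Constructed sample actions, not real audit data
SAMPLE_ACTIONS = [
    ("ivanov", "read", "contracts/2023.xlsx", "2024-03-01T09:15:00Z"),
    ("petrov", "export", "crm/customers.csv", "2024-03-01T09:40:00Z"),
    ("ivanov", "delete", "contracts/draft.docx", "2024-03-01T10:05:00Z"),
]


def build_register() -> ActionRegister:
    reg = ActionRegister()
    for user, action, asset, ts in SAMPLE_ACTIONS:
        reg.append(user, action, asset, ts)
    return reg


def demo() -> dict:
    """Run the four scenarios an auditor would want the register to expose."""
    head = build_register().head()  # the head an external system would have recorded

    intact = build_register()
    modified = build_register()
    modified.entries[1]["record"]["action"] = "read"   # hide an export as a read
    deleted = build_register()
    del deleted.entries[1]                             # remove the export entirely
    truncated = build_register()
    truncated.entries.pop()                            # drop the most recent entry

    return {
        "intact": intact.verify(head),        # None
        "modified": modified.verify(head),    # 1
        "deleted": deleted.verify(head),      # 1
        "truncated": truncated.verify(head),  # 2
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:10s} -> {'intact' if result is None else f'broken at entry {result}'}")
```

The design point for an audit is that integrity of the register must be anchored outside it: without the externally stored head hash, an attacker who can rewrite the file can simply recompute the chain from the point of change onward, and dropping the newest entries would never be noticed. Writing the head hash to a separate system (the SIEM mentioned later in the article, or a signed daily summary) is what turns this from a consistency check into a tamper-evidence control.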
4. Assets. The company must compile a list of assets, including infrastructure elements, equipment, valuable information, processes, and software solutions. For each asset, the access mechanism and the model for changing access rights must be analyzed.
5. Information protection regulations. In addition to the access model and the confidentiality regime, check in which cases data is encrypted, what type of tools are used for this, and who has access to the encryption keys. Also check how personal data is protected if the company is its operator, and whether the protection algorithms comply with the regulator's requirements.
The audit results should be summarized as recommendations for improving the information security system, so that there is no question of where to start bringing the information system into a state that matches current risks and requirements. The task of information security specialists is to make these recommendations feasible within the enterprise's existing financial and personnel situation. After the fundamental documents have been adopted and the audit completed, implementation begins. Software is selected by specialists with the FSTEC recommendations in mind; almost all effective security solutions are certified by that agency. Additional solutions, such as DLP and SIEM systems, are recommended when the risk of external intrusion or insider leaks looks genuinely serious.
The introduction of new techniques and software products should be accompanied by staff training and motivation. Even modern monitoring systems are useless if nobody responds to their alerts. Key performance indicators for personnel should depend on how effectively the security model is maintained; HR staff should be involved in developing such a motivation system. The whole process should take place under the close supervision of senior management and become one of the company's priorities during the period of creation and adjustment. At the same time, a working enterprise information security system should become a convenient service that does not slow down or block business processes.