Information security rules at an enterprise
A company that understands the value of information as an asset should make every effort to keep its data confidential. The key link in every process is the people who take part in it, the organization's employees. Information security rules at an enterprise exist to govern how personnel handle protected information. The rules differ depending on whether they apply to an office or to production, and special rules are needed for work over remote access.
The need to implement information security rules
Cyber threats have become a familiar part of the world around us; every day the media report hacker attacks and outages at banks or mail servers. An individual employee of a company has little idea of the real degree of danger until protected personal data leaks or a competitor takes a profitable online store offline with a DDoS attack. Data leaks from global industry giants such as IBM, Yahoo!, Uber, Amazon and Equifax regardless of the level of security of their information systems, and such incidents are often attributed to Chinese or transnational hacker groups. A Russian business whose facilities are not part of the country's critical information infrastructure has little reason to fear those groups, but domestic groups can cause plenty of trouble. The greatest risk, however, is unauthorized access to data by employees, who often do not understand the real value of the information they knowingly hand over or accidentally destroy.
Careful development of information security rules for the office and for production can reduce this risk, at least in part. Employees are trained in the basics of information security even at nuclear power plants, where personnel must by definition be prepared for the unexpected. All this points to the primary need to inform employees and regulate their behaviour when working with protected information and network infrastructure.
IS rules in the office
Information security rules for the office are not the most complicated, but the sense of responsibility of employees does not always guarantee that they are followed unconditionally. This means that the rules should be accompanied by incentives that encourage compliance, and by loss of bonuses or disciplinary liability in case of non-compliance.
The first rule of information security in the office should be employee awareness. Insider leaks are just as dangerous as outside attacks: sales managers who quit take customer databases with them, and employees of mobile operators can readily sell subscribers' call detail records. The size of the risk is indicated by the volume of the darknet market, measured in hundreds of millions of dollars a year for Russian resources alone; the well-known Russian marketplace for stolen data, Hydra, even planned to hold an ICO.
All users of the corporate system should be familiar with simple security rules:
- use complex, unique passwords and change them whenever compromise is suspected (NIST SP 800-63B no longer recommends forced periodic rotation); never hand over credentials (login and password) to other employees;
- do not store confidential information in public cloud services, even when you need to work on the annual report from home;
- destroy unnecessary documents in a shredder;
- do not pass on information without an official request;
- do not mix corporate and personal mail;
- back up important files;
- lock the computer before leaving the workplace;
- be able to recognize phishing emails;
- know how social engineering works and resist it.
Testing knowledge of the enterprise's information security rules in a game-like form turns theoretical information into established skills. The second important way to maintain the required level of information security in the office is access control.
This is implemented at the physical, hardware and software levels. The rule is: no one should have more privileges than their job description requires. A lawyer does not need access to the accounting software, and a programmer does not need access to the management chat. System administrators must implement a differentiated access model by assigning each user and user group a role, so that only specific files and resources are available to them. The same applies to administrator rights: they are a role granted to specific people for specific tasks, not a default.
An integrated approach
This rule should be unshakable for system administrators and for those who design the information security structure. Vulnerabilities and shortcomings cannot be eliminated with piecemeal solutions, patching holes one at a time until the system becomes unmanageable. Information security must be built from the outset as a single system, allowing for growth and anticipating the directions of further development. The system should comprise a single set of organizational, hardware and software measures and be monitored as a whole.
IS rules when working on remote access to the network
Regulating employees' work over remote access is a problem in its own right. Modern business inherently seeks to minimize costs: a company may have hundreds of developers and programmers located in different countries and working on one virtual platform. This erosion of the security perimeter is very dangerous, since competitors take a serious interest in gaining unauthorized access to new developments.
At the 2016 Mobile World Congress, antivirus developer Avast ran a small experiment, creating three open Wi-Fi hotspots with the familiar names Starbucks, MWC Free WiFi and Airport_Free_Wifi_AENA. About 2,000 people who describe themselves as IT professionals connected to them. The report published at the end of the exhibition stated that the experimenters were able to see the traffic of everyone who connected, and 63% disclosed their logins, passwords or e-mail addresses. Connecting remotely over a public network is rarely secure.
In many companies even full-time employees often work remotely, on business trips or on vacation.
There are rules to make these remote working relationships as secure as possible:
- rule out remote employees using open Wi-Fi networks, where traffic can be intercepted, to connect to the corporate network;
- employees' home networks must be password-protected with at least WPA2 encryption (WPA3 where the equipment supports it). The company needs to give remote employees written information security rules for protecting home networks;
- mobile devices should connect to the corporate network only through VPN channels. The company should itself choose a reliable VPN provider, or run its own VPN gateway, and provision employees' remote access through that service;
- work should be done on a separate mobile device, without mixing private and corporate information; the company's information security system must include measures to protect such remote devices;
- information about working remotely should not be published on social networks, so as not to attract attackers' interest; oral or written disclosure of confidential data is unacceptable;
- passwords for resources accessed remotely must be unique per resource and changed regularly, and immediately if compromise is suspected;
- plugins and software with vulnerabilities well known to attackers (for example Acrobat Reader, Java and similar) must be updated regularly; software that has reached end of life, such as Adobe Flash Player (support ended in December 2020), should be removed rather than updated;
- computers and mobile devices must be password-protected even at home, so that a guest or a repair technician cannot steal or accidentally damage data.
These rules must be agreed with each remote employee at the start of the working relationship. The company is required to organize its own set of measures for securing work with any remote worker, whether staff or freelance:
- implement a user authentication mechanism (passwords, hardware tokens, biometrics), preferably combining more than one factor;
- organize a unified access control system (centralized control of access to the company's IT resources);
- consistently use a tool for running its own VPN (hardware appliances, software solutions, firewall extensions);
- implement attack protection tools (protecting the internal network and employees from attacks).
The remote access protection programme is equally relevant to information security in production, where many objects are controlled via wireless communication channels.
IS in production
Information security rules are of particular importance when they concern production and industrial control systems (ICS; in Russian practice, ACS TP). Control systems are responsible for the operation of objects such as blast furnaces, rolling mills and hydroelectric power plants, and any external interference with their information infrastructure can cause accidents and casualties. Therefore the requirements for ICS security rest on their own principles, which differ from those for information systems in general. Threats to such systems tend to come from terrorist groups rather than ordinary hackers, who have little direct financial interest in them. Such systems are often hit by purpose-built malware aimed at disabling industrial infrastructure, which reaches them by exploiting vulnerabilities in conventional IT systems.
ICS requires the highest degree of protection in those industries where accidents can harm the greatest number of people and the most property:
- electric power industry;
- enterprises of the fuel and energy complex;
- mechanical engineering.
The main problem in building an information security system is that modern software solutions can undermine the overall reliability of the control system. Therefore the main task is usually to isolate the ICS as far as possible from the outside world over any type of connection, including installing firewalls and creating demilitarized zones at the boundary with office networks, so that office systems never talk to a controller directly.
In 2014 a steel plant in Germany was attacked (the case was reported by the German BSI): hackers infected the office network with malware, moved from there into the plant control network, and the blast furnace could not be shut down in a controlled way, causing massive damage. In December 2015 in Ukraine, attackers penetrated the local network, wiped data from hard drives on workstations and SCADA servers and changed the settings of uninterruptible power supplies, leaving more than 200,000 people without power.
The regulations for building an information security system for ICS are set out in international standards (the IEC 62443 series) and Russian GOSTs; one of the fundamental documents in this area is FSTEC of Russia Order No. 31.
When developing information security rules for industrial production with respect to ICS, bear in mind that the system has three levels of control:
- operator (dispatch) control level (upper level);
- automatic control level (middle level);
- input/output level of the field devices (lower, or field, level).
Under Order No. 31, the objects of protection in an ICS are:
- information (data) on the parameters (state) of a controlled (monitored) object or process (input (output) information, control (command) information, control and measuring information, other critical (technological) information);
- software and hardware complex, including hardware (workstations, industrial servers, telecommunications equipment, communication channels, programmable logic controllers, actuators), software (including firmware, general system, application), as well as information security tools.
The protection of these objects is possible only on the basis of an integrated approach, which provides for:
- a systematic audit of the ICS security level by interviewing the organization's specialists, studying design documentation and analysing the structure and architecture of the information systems;
- technical security analysis to find vulnerabilities using scanners;
- manual and tool-assisted risk analysis;
- identification and monitoring of new types of threats to the facility's operation.
A typical ICS architecture cannot spare many resources for hosting security software. In practice only two classes are used: activity monitoring and threat detection systems, and threat prevention systems that enforce access control.
Activity monitoring and threat detection systems
The greatest risk to ICS comes from insiders who are permitted to operate the equipment and use removable media that may carry malware. If the system is connected to the office network, external risks are possible as well. Monitoring systems are deliberately limited in functionality: they do not control the process and cannot block user actions. They can only track bursts of suspicious activity and report them according to a given algorithm. Their functions:
- detection of external attacks and anomalies in the behavior of network elements;
- monitoring of information security incidents;
- passive analysis of vulnerabilities;
- analysis of equipment configurations, network equipment access rules;
- control of data and software integrity.
These systems analyse network flows and reveal anomalies, unknown IP addresses and attacks on previously unrecorded vulnerabilities.
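An added example (not part of the article) of the passive analysis just described, in Python: a monitor learns the normal conversations in a control network segment from a baseline period and then reports flows involving unknown hosts, new host/port pairs, and volume anomalies, without blocking anything. The addresses, ports and flow records below are constructed for the example.

```python
"""Added example: passive flow-baseline monitoring for an ICS network segment."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    ts: int        # Unix time
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed baseline ("known good" traffic). Assumed topology: HMI 10.1.0.10 polls
# PLCs 10.1.0.21/22 over Modbus/TCP (502); historian 10.1.1.5 in the DMZ reads from
# the HMI over OPC UA (4840). Nothing else is expected to talk in this segment.
BASELINE: List[Flow] = (
    [Flow(1_700_000_000 + i * 30, "10.1.0.10", "10.1.0.21", 502, 320 + (i % 5) * 4) for i in range(40)]
    + [Flow(1_700_000_000 + i * 30, "10.1.0.10", "10.1.0.22", 502, 300 + (i % 3) * 8) for i in range(40)]
    + [Flow(1_700_000_000 + i * 60, "10.1.1.5", "10.1.0.10", 4840, 2400 + (i % 4) * 50) for i in range(20)]
)

# Constructed "live" traffic with three things a monitor should raise: an address never
# seen before, a known host opening a new conversation to a PLC, and a volume spike.
LIVE: List[Flow] = [
    Flow(1_700_100_000, "10.1.0.10", "10.1.0.21", 502, 324),      # normal
    Flow(1_700_100_030, "10.1.0.99", "10.1.0.21", 502, 310),      # unknown source
    Flow(1_700_100_060, "10.1.1.5", "10.1.0.22", 44818, 900),     # new pair/port
    Flow(1_700_100_090, "10.1.0.10", "10.1.0.22", 502, 48_000),   # volume spike
]


class FlowBaseline:
    """Learns who talks to whom, on which port and how much; then scores new flows."""

    def __init__(self, flows: List[Flow], sigma: float = 4.0):
        self.hosts = set()
        sizes: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
        for f in flows:
            self.hosts.update((f.src, f.dst))
            sizes[(f.src, f.dst, f.dport)].append(f.nbytes)
        self.stats = {}
        for key, vals in sizes.items():
            mu = mean(vals)
            sd = pstdev(vals) or mu * 0.1   # constant traffic: allow 10% rather than 0
            self.stats[key] = (mu, sd)
        self.sigma = sigma

    def check(self, flow: Flow) -> List[str]:
        """Return alert strings for one flow (empty when it matches the baseline)."""
        alerts = [f"unknown host {h}" for h in (flow.src, flow.dst) if h not in self.hosts]
        key = (flow.src, flow.dst, flow.dport)
        if key not in self.stats:
            if not alerts:   # an unknown host already explains the new conversation
                alerts.append(f"new conversation {flow.src}->{flow.dst}:{flow.dport}")
            return alerts
        mu, sd = self.stats[key]
        if abs(flow.nbytes - mu) > self.sigma * sd:
            alerts.append(f"volume anomaly {key}: {flow.nbytes} bytes vs mean {mu:.0f}")
        return alerts

    def scan(self, flows: List[Flow]) -> List[Tuple[int, str]]:
        """Passive: only reports; blocking is left to the prevention layer."""
        return [(f.ts, a) for f in flows for a in self.check(f)]


if __name__ == "__main__":
    for ts, alert in FlowBaseline(BASELINE).scan(LIVE):
        print(ts, alert)
```

The monitor never touches the process: its output is a list of timestamped alerts for the operator, which is exactly the limitation the text describes. In a real deployment the baseline would be learned from a mirror port or TAP rather than from constructed records.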
Threat prevention systems
These tools are proactive: they not only inform but also act. Essentially they control user access, with the authority to block unauthorized actions. When an operation is not defined in the policy, they can request authorization from a higher-level manager and, in his absence, block the operation.
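An added example (not code from the article) that covers both the least-privilege role model described for the office and the behaviour of a threat prevention system described here, in Python: a deny-by-default policy engine in which administrator rights are a role like any other, an operation outside the user's job is refused, an operation the policy does not define at all is escalated to the on-duty approver and blocked if there is none, and a high-impact action requires a second person even for someone whose role holds it. Role, user and resource names are assumptions.

```python
"""Added example: deny-by-default role policy with escalation for undefined operations."""
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    ESCALATE = "escalate"   # may proceed only after a second person approves


# Constructed policy: role -> resource -> permitted actions. Anything not written
# here is not granted; administrator rights are simply another role.
ROLES: Dict[str, Dict[str, Set[str]]] = {
    "lawyer":     {"contracts": {"read", "write"}},
    "accountant": {"ledger": {"read", "write"}, "contracts": {"read"}},
    "developer":  {"repo": {"read", "write"}},
    "operator":   {"plc.setpoint": {"read", "write"}, "plc.firmware": {"read", "write"}},
    "sysadmin":   {"users": {"read", "write"}},
}
# High-impact actions a role may hold but that still require a second person.
DUAL_CONTROL = {("plc.firmware", "write")}


class PolicyEngine:
    def __init__(self, roles, user_roles, approvers, dual_control=DUAL_CONTROL):
        self.roles = roles
        self.user_roles: Dict[str, Set[str]] = user_roles   # user -> role names
        self.approvers: Dict[str, str] = approvers          # resource -> on-duty approver
        self.dual_control = dual_control
        self.known = {res for perms in roles.values() for res in perms}
        self.audit: List[Tuple[str, str, str, Decision]] = []

    def decide(self, user: str, resource: str, action: str) -> Decision:
        granted = any(
            action in self.roles.get(role, {}).get(resource, set())
            for role in self.user_roles.get(user, set())
        )
        if granted and (resource, action) in self.dual_control:
            decision = self._escalate(resource)
        elif granted:
            decision = Decision.ALLOW
        elif resource in self.known:
            decision = Decision.DENY             # defined in policy, not this user's job
        else:
            decision = self._escalate(resource)  # undefined operation: ask, or block
        self.audit.append((user, resource, action, decision))
        return decision

    def _escalate(self, resource: str) -> Decision:
        return Decision.ESCALATE if self.approvers.get(resource) else Decision.DENY

    def authorize(self, user: str, resource: str, action: str,
                  approver: Optional[str] = None) -> bool:
        """Final yes/no. ESCALATE becomes yes only with the on-duty approver's sign-off."""
        decision = self.decide(user, resource, action)
        if decision is Decision.ALLOW:
            return True
        if decision is Decision.ESCALATE:
            return (approver is not None and approver != user        # no self-approval
                    and approver == self.approvers.get(resource))
        return False


USER_ROLES = {
    "alice": {"lawyer"}, "bob": {"accountant"}, "carol": {"developer"},
    "dave": {"operator"}, "erin": {"sysadmin"},
}
APPROVERS = {"plc.firmware": "frank", "archive.export": "frank"}   # assumed duty roster

if __name__ == "__main__":
    engine = PolicyEngine(ROLES, USER_ROLES, APPROVERS)
    for user, res, act in [("alice", "contracts", "read"), ("alice", "ledger", "read"),
                           ("carol", "users", "write"), ("dave", "plc.firmware", "write"),
                           ("dave", "vendor.portal", "read")]:
        print(user, res, act, "->", engine.decide(user, res, act).value)
```

The audit list is the record an internal investigation would start from: every decision, including refusals, is kept with the user and operation that triggered it.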
Responsibility for violation of information security rules
The company can apply disciplinary measures to an employee who violates information security rules: a remark, a reprimand or, in some cases, dismissal. Loss of bonuses is a serious incentive to follow the rules scrupulously. The decision to impose a penalty is made by the head of the organization on the proposal of the offender's immediate superior. When choosing the measure, bear in mind that violations of information security rules can be passive or active.
Passive violations:
- obtaining information for the violator's own purposes;
- analysing characteristics of the information without access to the information itself.
Active violations:
- modification of information;
- entering false information;
- destruction of information;
- disruption of the information processing system.
Active violations are more dangerous for the business and indicate a higher degree of guilt, so they should be punished more severely. Sometimes it is necessary to move from corporate liability to civil law, by filing a lawsuit against the violator for damages, or to apply to law enforcement to open a criminal case. The loss or deliberate disclosure of confidential information can be grounds for recovering damages from the perpetrator, and the amount can reach millions of rubles.
A reasonable measure is to periodically inspect the company's divisions to determine how well all users, from the equipment technician to the CEO, comply with the security rules. Managers are more inclined to disregard rules, which is why they are among the main sources of threats. The results of an audit can become the basis for internal investigations or re-certification of professional aptitude, so they also have a disciplinary character.
Whatever the conditions in which the enterprise's information security rules operate, they must be strictly observed. Only that achieves the level of information security that avoids damage and accidents.