Technical support for enterprise information security
IT departments are not the only ones responsible for the technical support of enterprise information security. Management and the company's other services have a direct stake in the safe use of information resources.
Implementation of a security strategy begins with the development of an Information Security Concept, which includes:
- principles for classifying infrastructure objects (software, information and physical assets) as critical and in need of heightened protection;
- the basic principles and methods of protection, and the mechanism for building the rules under which particular protective measures are implemented;
- a threat model and a typical intruder profile;
- security requirements derived from a risk audit;
- all protective measures planned for implementation;
- additional liability for non-compliance with information security measures and for data leakage, as provided by current legislation.
The Concept is approved at the level of the enterprise's top management and should be revised as the information infrastructure evolves and the threat model changes. At the first stage, opinions are gathered from all departments interested in a systematic solution to the problem of technical information security. Later, the task of refining it on the basis of performance monitoring results may be assigned to the supervising IT department.
Objects of protection
One object of protection that IT staff rarely consider, but which matters for the economic security of the enterprise, is the investment made in building the technical infrastructure. Its payback should be one of the enterprise's important tasks; redundancy in which information security becomes an end in itself and draws resources away from business processes is unacceptable.
The economic effect of introducing a system of technical protection for confidential data shows up in:
- availability of information: the enterprise's IT infrastructure makes the necessary information obtainable at any time. An example of infrastructure that fails the availability criterion is the Rosreestr website, from which at times even the Bailiffs Service and the Moscow Government could not obtain information, which drew the attention of the Control Directorate of the Presidential Administration;
- integrity of data: the absence of failures or outside interference with its structure that would distort information and lead to incorrect decisions based on it. In the same Rosreestr, because of system failures, a client requesting an extract for a property in Ryazan could receive information about an apartment in Ufa;
- confidentiality of information. Meeting this requirement helps avoid losses from theft of confidential information and fines for violating personal data legislation;
- non-repudiation, the inability of a party to deny a transaction, which matters, for example, for online payments;
- authenticity, a complete system for confirming the genuineness of information or electronic messages.
Traditionally, objects of protection are:
- IS nodes (servers, workstations);
- network hardware, routers;
- communication channels and remote access protocols;
- software, whether developed in-house or by third-party developers;
- databases, both on-premises and in the cloud;
- the data protection tools themselves.
Objects are often physically dispersed; in industrial plants many of them are located in hard-to-reach places. Each item to be protected must be described in the security concept with regard to its relative value and replaceability.
The choice of technical support for enterprise information security often depends on the types of users and the number of user groups. In general, a user is an employee who is identified in the system under their own username and password and who has access to data in accordance with their job duties. Technical and software protection tools must make it possible not only to identify users but also to separate their access to data of different categories.
In an ordinary company it is enough to distinguish persons with user rights from persons with administrator rights. In a manufacturing enterprise the following user groups are distinguished:
- engineers and developers;
- equipment adjusters;
- personnel servicing equipment, including mobile equipment;
- office staff;
- employees of outsourcing companies.
For all of them, admission rules must be established, together with the procedure for changing them. Rights are granted on the basis of the minimum necessary to perform official duties. The simplest approach is to grant users access by software module: specialized modules (ACS, banking software, security management systems) are opened only to those who need them, while generally available ones (electronic document management (EDM) software, CRM systems, corporate e-mail) are open to staff in general.
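The access-by-module and least-privilege rule above, as an added example that is not part of the original article: a small default-deny access check in Python. The group and module names follow the article; the grant matrix, the contract expiry date for outsourcing staff and the four-eyes grant procedure are illustrative assumptions.

```python
"""Added example (not from the original article): a default-deny access model in
which each user group gets only the software modules its duties require, contractor
access expires with the contract, and every decision is recorded for audit.
The grant matrix, expiry handling and four-eyes change procedure are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Modules named in the article: generally available ones are open to every
# staff group; specialised ones are closed unless explicitly granted.
GENERAL_MODULES: Set[str] = {"edm", "crm", "email"}
SPECIALISED_MODULES: Set[str] = {"acs", "banking", "security_mgmt"}

# Assumed minimal grants per user group. A module not listed here is denied.
GROUP_GRANTS: Dict[str, Set[str]] = {
    "engineers": set(),
    "adjusters": {"acs"},
    "maintenance": {"acs"},
    "office": {"banking"},
    "outsourcing": set(),          # contractors: general modules only
    "it_security": {"security_mgmt"},
}


@dataclass
class User:
    name: str
    group: str
    extra_grants: Set[str] = field(default_factory=set)
    access_until: Optional[date] = None   # set for contractors and temporary staff


@dataclass
class AccessControl:
    # (user, module, decision, reason) records, the input to a later audit
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def check(self, user: User, module: str, today: date) -> bool:
        """Return True only if an explicit rule allows the access."""
        if user.access_until is not None and today > user.access_until:
            return self._record(user, module, "deny", "access period expired")
        if module in GENERAL_MODULES:
            return self._record(user, module, "allow", "generally available module")
        if module in GROUP_GRANTS.get(user.group, set()):
            return self._record(user, module, "allow", f"granted to group {user.group}")
        if module in user.extra_grants:
            return self._record(user, module, "allow", "individually granted")
        return self._record(user, module, "deny", "no grant (default deny)")

    def grant(self, user: User, module: str, requested_by: str, approved_by: str) -> None:
        """Change procedure: only known modules, and the requester may not self-approve."""
        if module not in GENERAL_MODULES | SPECIALISED_MODULES:
            raise ValueError(f"unknown module {module!r}")
        if requested_by == approved_by:
            raise PermissionError("a grant must be approved by someone other than the requester")
        user.extra_grants.add(module)
        self._record(user, module, "grant", f"requested by {requested_by}, approved by {approved_by}")

    def _record(self, user: User, module: str, decision: str, reason: str) -> bool:
        self.audit.append((user.name, module, decision, reason))
        return decision == "allow"


def demo() -> Dict[str, bool]:
    """Run the model over a few constructed users and return the decisions."""
    ac = AccessControl()
    accountant = User("ivanova", "office")
    engineer = User("petrov", "engineers")
    contractor = User("acme-tech", "outsourcing", access_until=date(2024, 3, 31))
    results = {
        "accountant_banking": ac.check(accountant, "banking", date(2024, 3, 1)),
        "engineer_banking": ac.check(engineer, "banking", date(2024, 3, 1)),
        "engineer_email": ac.check(engineer, "email", date(2024, 3, 1)),
        "contractor_email_in_contract": ac.check(contractor, "email", date(2024, 3, 1)),
        "contractor_email_after_contract": ac.check(contractor, "email", date(2024, 4, 1)),
    }
    # A grant request that the requester approves himself must be rejected.
    try:
        ac.grant(engineer, "acs", requested_by="petrov", approved_by="petrov")
        results["self_approval_rejected"] = False
    except PermissionError:
        results["self_approval_rejected"] = True
    ac.grant(engineer, "acs", requested_by="petrov", approved_by="it_security_lead")
    results["engineer_acs_after_grant"] = ac.check(engineer, "acs", date(2024, 3, 2))
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The point of the structure is that nothing is allowed by omission: a group with no entry, an unknown module, or an expired contract all fall through to a recorded denial, and the audit list gives the internal audit service the trail it needs to check who could have reached which module.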
The administrator group in the IT department is also not uniform; depending on the complexity of the tasks facing the service, the following departments may be allocated within it:
- IS development and operation;
- information security;
- threat and incident monitoring;
- technical support for users;
- information and analytics.
Employees of branches and remote workplaces are also allocated to a separate group.
The functions of each division with respect to technical support for enterprise information security are set out in the general regulation and in employees' job descriptions.
Enterprise corporate network
The IS itself is an independent object of protection, since its integrity must be ensured at the level of the TCP/IP network stack on which it is built.
When the architecture is designed, separate address spaces are allocated:
- for branches and separate divisions;
- for the company's management staff;
- for the backbone segment of the corporate network.
This segmentation makes it possible to separate groups of users with firewalls and to run individual applications independently of one another.
Technological elements of networks
The right technological solutions ensure the operability of the network as a whole, the clarity of business processes, stable application quality and the safety of information.
The basic structural units of an IS, common to all types of company:
- servers, divided into groups supporting specialized applications, public services, and the technological services of the corporate network itself;
- user workstations; the IS includes both desktop computers and mobile devices;
- IP telephony and its peripheral equipment;
- communication lines and trunk data exchange channels, whose performance depends on network equipment, most often supplied by Cisco Systems Inc.
Keeping the technological elements of the system operational requires the responsible employee to have engineering skills and a working monitoring model whose scanners detect deviations from the specified operating parameters. Information resources require a different approach to protection.
Enterprise information resources
The value of the data processed in the local network is determined by each company building an information security system on the basis of its business goals.
The following groups of information resources are commonly distinguished:
- personal data of employees and customers, whose protection regime is determined by the legislation of the Russian Federation;
- data constituting state secrets;
- official (internal) information;
- the enterprise's commercial secrets, whose protection requires the introduction of a commercial secret regime;
- employees' internal correspondence, including their e-mail;
- design and technological documentation, long-term plans for development and production modernization, product sales plans, and other scientific, technical and technological information protected by patents or classified as confidential.
Protected objects may be structured and stored in databases managed by a DBMS, or scattered across employees' computers. An audit of information resources gives a picture of what must be protected and allows an optimal protection mechanism to be developed. Large volumes of publicly available data do not require additional protection or the diversion of resources to it.
When building a protection model, attention must be paid to the structure of the information flows circulating within the enterprise and arriving from external sources.
The following internal flows should be monitored:
- file transfers between file servers and user workstations over SMB (the file- and printer-sharing protocol carried over the TCP/IP stack);
- files in the electronic document management system;
- forwarding of e-mail messages over an encrypted connection in Lotus Notes or similar office software;
- transfer of legal and reference information between database servers (on which systems such as "Consultant" or "Garant", or other databases, are installed) and user workstations;
- business correspondence in corporate messaging systems and working forums;
- transfer of operational information from users to specialized accounting and reporting systems, for example "1C Warehouse" or "1C Enterprise";
- data transfer between the head office and regional structures;
- transfer of accounting and tax information between user workstations and the database server within automated accounting systems.
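The address-space segmentation described in the "Enterprise corporate network" section and the internal flows listed above, as an added example that is not part of the original article: a default-deny flow evaluator in Python that maps addresses to segments and checks constructed flow records (of the kind a firewall log or NetFlow exporter would produce) against an allow-list. The address ranges, segment names, rules and ports are illustrative assumptions (445/TCP is SMB; 1433/TCP stands in for the accounting database; the other ports are likewise assumed for the example).

```python
"""Added example (not from the original article): a default-deny evaluator for a
segmented address plan, applied to constructed flow records. Address ranges,
segment names, rules and ports are assumptions chosen for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed address plan: each segment gets its own prefix so firewalls can
# separate user groups and applications by address alone.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "backbone_servers": ipaddress.ip_network("10.0.0.0/24"),
    "management":       ipaddress.ip_network("10.10.0.0/24"),
    "workstations":     ipaddress.ip_network("10.20.0.0/24"),
    "branches":         ipaddress.ip_network("10.100.0.0/16"),
}

# Allowed flows as (source segment, destination segment, protocol, port);
# "*" matches any port. Anything not listed is denied and reported.
RULES: List[Tuple[str, str, str, object]] = [
    ("workstations", "backbone_servers", "tcp", 445),    # SMB to the file servers
    ("workstations", "backbone_servers", "tcp", 1433),   # accounting database (assumed port)
    ("management",   "backbone_servers", "tcp", 445),
    ("management",   "backbone_servers", "tcp", 1433),
    ("branches",     "backbone_servers", "tcp", 443),    # head office <-> regions over HTTPS
    ("management",   "workstations",     "tcp", 3389),   # admin RDP only from management
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or "external" if it is in no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return ("allow", matched rule) or ("deny", reason) for one flow."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    for s, d, proto, port in RULES:
        if s == src_seg and d == dst_seg and proto == flow.proto and port in ("*", flow.dport):
            return "allow", f"{s}->{d} {proto}/{port}"
    # Denials carry a reason so the monitoring team can tell policy gaps from attacks.
    if src_seg == dst_seg == "workstations":
        return "deny", "peer-to-peer traffic between workstations (possible lateral movement)"
    if dst_seg == "management":
        return "deny", "nothing may initiate connections into the management segment"
    return "deny", f"no rule for {src_seg}->{dst_seg} {flow.proto}/{flow.dport}"


def classify_flows(flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    return [(f, *evaluate(f)) for f in flows]


# Constructed sample records, not real traffic.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.0.0.5", "tcp", 445),     # workstation -> file server: expected
    Flow("10.20.0.15", "10.20.0.44", "tcp", 445),   # workstation -> workstation SMB
    Flow("10.100.3.7", "10.0.0.9", "tcp", 443),     # branch -> backbone HTTPS: expected
    Flow("10.100.3.7", "10.0.0.5", "tcp", 445),     # branch -> file server SMB: not in policy
    Flow("203.0.113.8", "10.10.0.2", "tcp", 22),    # external -> management segment
]

if __name__ == "__main__":
    for flow, verdict, why in classify_flows(SAMPLE_FLOWS):
        print(f"{verdict:5} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {why}")
```

Two of the denials are the ones the flow list above is meant to catch: SMB between two workstations (file transfer that bypasses the file servers) and SMB from a branch straight to a file server (the head-office-to-region channel is supposed to be the HTTPS link). The third denial, an external address trying to reach the management segment, is the case that should page someone.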
Among the external information flows subject to special protection are:
- interaction with banks via the Bank-Client payment system;
- submission of accounting, tax and statistical reports to the Federal Tax Service and off-budget funds;
- trade transactions when selling goods or services on the Internet;
- interaction with clients by e-mail;
- interaction over the Internet with exchanges and trading platforms to take part in tenders or procurement;
- sending reporting information to audit organizations.
These communications carry large amounts of confidential information that must be protected from leakage.
Interaction is organized over three channels:
- a dedicated trunk channel into the corporate network, with traffic encrypted by VPN protocols;
- a backup Internet connection;
- a dial-up channel over GPRS mobile data.
Together, these three secured channels protect the information of greatest interest to attackers. Backbone routers and firewalls are additionally used as means of technical support for enterprise information security. Regulated connection of users to the Internet is handled by the company's system policies.
Factors taken into account when developing an information security strategy
Changing circumstances and the growing volume of threats push organizations to continually revise their concept of protecting information assets.
Among the external and internal factors that must be taken into account:
- the appearance of new partners and clients. Today the FTS actively uses information intelligence tools to identify unreliable taxpayers. Their presence among the enterprise's partners creates a risk of tax liability: if a partner does not pay VAT, the enterprise may be deemed a link in a tax-planning chain. Providers supply the tax authority with data on the IP addresses from which companies submit their reports, and if these coincide for several counterparties, that may become grounds for an additional check;
- automation and optimization of business processes where such solutions were not implemented before, for example the introduction of logistics software and "smart" equipment in the warehouse;
- engagement of new software developers to solve technical problems, and the need to organize interaction with them;
- expansion of the company's information network, with new divisions and employees, including remote access;
- changes in the external threat model and the appearance of new types of attack.
These factors require the company's IT department and contractors, when working on the network architecture and its technical support, to adhere to the following principles:
- simplicity of architecture. Links between components should follow a single model and be simplified. The number of network protocols should be reduced. Taking into account the requirements of reliability and further network growth, everything that can be simplified should be;
- proven solutions. Untested ideas are unacceptable in production, where business continuity is paramount; components that have not been tested many times should not be used;
- all components must be reliable and free of maintenance problems;
- manageability under any conditions; monitoring systems should collect data on all components in real time, identifying vulnerabilities and deviations;
- ease of operation, with "foolproof" safeguards to avoid failure caused by user or system administrator error;
- several lines of defense. For each node and object, several protection mechanisms should be implemented, so that a hypothetical attacker needs knowledge in several areas to get through them;
- continuity of protection in space and time. Maintenance work on a server or reinstallation of software should not weaken the security level; an attacker who knows about such situations will try to exploit them;
- uniformity of defense across all its blocks, and complete exclusion of unauthorized access to network resources by employees at any level. This is implemented through the adoption of internal administrative documents and control over all connections;
- prevention of information security violations, which helps avoid risky situations created by personnel. Protective measures include identification and authentication tools, access control, personnel training, and clear notice from the personnel department that in the event of an information security incident the culprit will be held liable;
- minimization of privileges. Implementing the principle "no one should have more authority than necessary" is not only a foundation of information security but, during an audit, also makes it possible to show who could and who could not have changed or adjusted the audited data;
- economic expediency. When implementing any security technology, it must be checked whether it will interfere with the normal flow of business processes. In practice, the priority of security over economic considerations is found only at facilities with an elevated level of danger, for example nuclear power plants;
- continuous improvement of the system based on the best foreign and national practices;
- unification of developers and suppliers, striving for uniform solutions across all system components.
Compliance with these principles, which largely minimize costs, deserves special attention from the enterprise's internal audit service when it evaluates the Concept.
Organization of work on the creation and implementation of the concept
Internal audit joins the Concept assessment at one of the final stages; its preparation is carried out by the IT and security departments under the leadership of one of the deputy directors or board members, who must have a sufficient level of competence and authority. State standards describe the preparation of terms of reference when creating a Concept; following them shortens the work, since most of the regulations already exist.
When preparing the basic document containing the principles of technical support for enterprise information security, the project manager determines the executors, timing and budget for the following activities:
- appointment of responsible persons, distribution of roles, and preparation of instructions for developing the strategy;
- development and approval of organizational documents: methods and regulations governing user behavior, from the rules for working with text documents to the regulations on the use of removable media;
- training of users and technical personnel, preparation for the implementation of new security measures and for maintaining the new security system model;
- design and deployment of the new system architecture and its implementation at the enterprise;
- audit of the implemented model, analysis of results, and revision after implementation.
Running the process as a four-stage cycle (development, implementation, analysis, revision) helps improve the performance of the protection system at an early stage. Private companies can do without formal acceptance tests, but state information systems (GIS) require them.
After implementation, the technical support of enterprise information security is designed to solve the following tasks:
- protection of the network perimeter from unauthorized external intrusions and connections, using routers, firewalls and remote access control;
- protection of company servers from unauthorized access, both external and insider, through authentication systems and a differentiated access model;
- comprehensive anti-virus protection covering servers, user workstations and the external gateway connecting to the Internet;
- a system for monitoring vulnerabilities and responding to them, which notifies system administrators of threats immediately; the monitoring software should be updated so that it can detect new threats;
- protection of applications and services, eliminating the threat of their failure and of the resulting halt of business processes;
- protection of inter-network interactions, with separate zones allocated for running significant processes.
The audit should check that all requirements have been met and prepare a report with recommendations for further improvement of the system.
Organizational, technical and software protection means
For any company, the implementation of a technical security system for the infrastructure begins with the adoption of a package of applied organizational measures. The main document is the Information Security Policy; many internal regulations can be developed as annexes to it. The exception is documents whose preparation is required by personal data legislation and regulator requirements: these should not be drawn up as annexes.
Inspecting bodies request the following as separate documents:
- Regulation on the procedure for processing personal data.
- Regulation on the unit entrusted with the protection of personal data.
- Other documents, in particular the log recording the movement of removable media.
Their absence can lead to fines. In addition to the personal data documents, the following must be developed and implemented:
- a policy on controlling and preventing unauthorized access to information and infrastructure facilities;
- a methodology for determining the degree of access differentiation;
- password management rules, covering complexity, timely replacement, and liability for sharing;
- an IS recovery policy for accidents, specifying the time allowed for recovery;
- a data backup policy specifying scope, frequency and storage location;
- Internet usage rules and a software installation policy;
- a policy on working with paper documents (printing, copying, scanning);
- regulations on divisions and job descriptions of employees.
Staff must be familiar with these documents, which should be kept in an accessible place, for example on the company's server.
Beyond documentation, technical support for enterprise information security is implemented at the procedural level. It is necessary to:
- organize personnel management at a level that rules out security incidents caused by insiders;
- provide physical protection for documents and infrastructure elements, and in some cases for personnel; the same group of tasks includes fire prevention and other safety measures to prevent damage to objects as a result of an accident;
- organize continuous maintenance of system performance;
- plan incident response and subsequent recovery work.
At the software level, the following are implemented:
- SIEM systems that detect security incidents, and DLP systems that prevent data leakage from the protected perimeter;
- firewalls and intrusion detection tools that reduce the risk of external attacks;
- expansion of bandwidth, reducing the likelihood of successful DDoS attacks;
- a service for continuous audit and monitoring of system performance;
- certified cryptographic protection tools.
If the measures to create a system of technical support for enterprise information security are carried out by a contractor, it must hold a license. Implementing this set of measures will ensure protection of the company's interests at the highest level.
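The SIEM item above, together with the monitoring-and-notification task listed in the previous section, as an added example that is not part of the original article: a correlation rule in Python run over constructed authentication log lines. It reports a source that accumulates a threshold number of failed logins within a sliding window and escalates when a successful login from that source follows, which is the case that needs an immediate response. The log format, the threshold and window values, the host and user names and the sample lines are all assumptions.

```python
"""Added example (not from the original article): a SIEM-style correlation rule
over constructed sshd-like authentication log lines. A source that produces
THRESHOLD failed logins within WINDOW is reported at medium severity; a later
successful login from the same source escalates to high severity.
Log format, thresholds, names and sample lines are assumptions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

THRESHOLD = 5                   # failed logins ...
WINDOW = timedelta(minutes=2)   # ... within this sliding window

# Assumed line format (ISO timestamp, host, sshd message), e.g.
# 2024-03-01T08:01:00 srv-file01 sshd: Failed password for root from 203.0.113.8 port 40001
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    result: str      # "Failed" or "Accepted"
    user: str
    src: str


def parse(line: str) -> Optional[Event]:
    """Return a parsed event, or None for lines the rule does not understand."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["host"], m["result"], m["user"], m["src"])


def correlate(lines: List[str]) -> List[Dict[str, object]]:
    """Apply the brute-force rule and return the alerts in the order they fire."""
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    suspicious: Dict[str, int] = {}        # src -> failure count at the time it was flagged
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                        # unparsed lines are skipped, not treated as errors
        q = recent_failures[ev.src]
        if ev.result == "Failed":
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= THRESHOLD and ev.src not in suspicious:
                suspicious[ev.src] = len(q)
                alerts.append({"severity": "medium", "src": ev.src, "host": ev.host, "ts": ev.ts,
                               "msg": f"{len(q)} failed logins within {WINDOW}"})
        elif ev.src in suspicious:
            alerts.append({"severity": "high", "src": ev.src, "host": ev.host, "ts": ev.ts,
                           "msg": f"successful login as {ev.user} after {suspicious[ev.src]} failures"})
            del suspicious[ev.src]          # re-arm the rule for this source
            q.clear()
    return alerts


# Constructed sample log: one mistyped password, one brute force that succeeds,
# and one slow trickle of failures that never fills the window.
SAMPLE_LOG = [
    "2024-03-01T08:00:01 srv-file01 sshd: Failed password for ivanov from 10.20.0.15 port 51234",
    "2024-03-01T08:00:09 srv-file01 sshd: Accepted password for ivanov from 10.20.0.15 port 51236",
    "2024-03-01T08:01:00 srv-file01 sshd: Failed password for root from 203.0.113.8 port 40001",
    "2024-03-01T08:01:10 srv-file01 sshd: Failed password for root from 203.0.113.8 port 40002",
    "2024-03-01T08:01:20 srv-file01 sshd: Failed password for invalid user admin from 203.0.113.8 port 40003",
    "2024-03-01T08:01:30 srv-file01 sshd: Failed password for root from 203.0.113.8 port 40004",
    "2024-03-01T08:01:40 srv-file01 sshd: Failed password for root from 203.0.113.8 port 40005",
    "2024-03-01T08:02:05 srv-file01 sshd: Accepted password for root from 203.0.113.8 port 40006",
    "2024-03-01T08:03:00 srv-file01 sshd: Failed password for petrov from 10.100.3.7 port 50001",
    "2024-03-01T08:06:00 srv-file01 sshd: Failed password for petrov from 10.100.3.7 port 50002",
    "2024-03-01T08:09:00 srv-file01 sshd: Failed password for petrov from 10.100.3.7 port 50003",
    "2024-03-01T08:12:00 srv-file01 sshd: Failed password for petrov from 10.100.3.7 port 50004",
    "2024-03-01T08:15:00 srv-file01 sshd: Failed password for petrov from 10.100.3.7 port 50005",
    "not a log line",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['host']} {a['src']}: {a['msg']}")
```

The sliding window matters: a source that fails once every three minutes never trips the rule, while five failures in forty seconds do. The rule reports per source rather than per account so that an attacker spraying one guess across many usernames is still counted, and the medium alert fires before the attacker succeeds, which is what lets the administrators act while the attempt is still in progress.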