Integrated information security systems
Organizations often have to comply with the requirements of several information security regulators at once. For this reason, companies introduce integrated information security systems (CSOI), whose purpose is to satisfy the requirements of all those regulators within a single system.
Objectives of CSOI
Integrated information security systems are most in demand in government agencies, which, because of the specifics of public procurement, are more willing to buy one system than several products of different classes and purposes. A CSOI is often developed for the tasks of a specific system of state bodies, for example, for the financial bodies of the constituent entities of the Russian Federation.
The architecture of the CSOI should take into account:
- the requirements of specialized regulations governing the activities of a state organization. For financial authorities, the main normative act is the Regulation on the Creation of the General Architecture of the State Integrated Information System for Public Finance Management “Electronic Budget”, prepared by the RF Ministry of Finance;
- the requirements of regulatory enactments regulating the protection of personal data;
- the requirements of FSTEC Order No. 17, which defines the rules for protecting information in state information systems (GIS), if these data do not belong to the category of state secrets;
- requirements for ensuring data security in key information infrastructure systems (FIAC);
- requirements for data protection in public information systems.
For different types of CSOI, only the first item of this list varies; the rest remain the same.
Principles of creating CSOI:
- selection of the most effective and non-redundant measures for protecting the information infrastructure among those provided for by regulatory enactments;
- the possibility of seamless integration into the system of interdepartmental electronic interaction (SMEV);
- optimization of expenditures of budgets of all levels for the organization of an information security system.
A CSOI cannot be delivered as an off-the-shelf product; it is built to order for the tasks of a specific state organization or enterprise.
Stages of CSOI creation
After defining the tasks and formulating the terms of reference, the developer proceeds to create the CSOI.
The first stage is design, within which the following tasks are solved:
- formulation of the problem. The terms of reference (TK) are drawn up according to the rules stipulated by GOST 34-602.89;
- research of the current state of the customer's information system;
- identification of interested and coordinating persons and departments;
- object survey;
- definition of the criteria by which the effectiveness of the CSOI will be judged.
The stages of creating a CSOI are as follows:
- development of a feasibility study. It justifies the need for the system, determines the timing and procedure of the work, and gives the cost in the estimate documentation. The feasibility study is agreed with all units involved;
- development of technical specifications, where all initial data must be taken into account;
- development of a technical project. One or several options for solving the problem are proposed, each with a justification of its effectiveness; the requirements for the technical means used to implement the integrated information security system are specified, and the procedure and terms of their delivery are indicated;
- development of a working project. Design solutions are worked out in detail and job descriptions for personnel are drawn up. At this stage the project documentation necessarily contains information of a high degree of confidentiality;
- commissioning of individual elements of the system;
- integration of the system elements into a single whole;
- trial operation;
- acceptance tests;
- performance check, revision if necessary.
Upon completion of the integration, commissioning tests of the CSOI must be carried out, and the system is put into operation by a formal acceptance act. The contract for the creation of a CSOI always provides for liability for poor-quality work; under the terms of the tender, fines and penalties can be recovered from the funds provided by the bank guarantee.
The creation of a CSOI is accompanied by the preparation of several categories of support:
- organizational. These are documentation for the development and implementation of the project, orders, changes in the staffing table, contracts and agreements, tendering, approval of the acceptance procedure and the composition of acceptance tests;
- linguistic - the set of design languages used, terms and definitions, rules for formalizing natural language, and methods of compressing and expanding texts;
- mathematical - a set of algorithms for designing an integrated information security system;
- software consisting of system and application programs that meet the requirements of regulators;
- technical, including a line of required technical means;
- informational and regulatory, containing all the data necessary for the design, including regulatory requirements.
The core of the system, which is a set of software solutions, is built into the general architecture of the customer's automated systems and provides the following functions:
- blocking unauthorized and uncontrolled access to databases containing confidential information. This function covers management of the access control systems, electronic locks on the premises where information is stored or servers are located, login-blocking devices, and the mandatory use of CSOI components for any operation in the customer's IS, including loading of the OS and DBMS and starting of processes. When such an event occurs, the CSOI alerting package is triggered and reports security incidents;
- control over all data processing operations, with registration of every action on protected data sets by every user, including users with administrator rights;
- monitoring of the operation of system elements. Hardware is monitored organizationally and by test programs; software is checked for integrity and for the absence of unauthorized changes by means of control values (checksums); user activity logs are checked for integrity and protection against tampering;
- response to information security signals in each component of the customer's IS: registering incidents, passing information about them on according to a given scenario, interrupting data processing, wiping information on removable media connected to protected data, and taking measures to detain the offender;
- keeping records of the operation of the information security tools for subsequent analysis.
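The integrity functions in the list above (software checked against control values, activity logs checked for tampering) are described only at the level of requirements. The following is an added example, not code from the original article or from any CSOI vendor, showing the two checks a practitioner would expect a minimal implementation to perform: a keyed-digest baseline of files that is later verified for modified, missing and added files, and a hash-chained audit log in which each record commits to the previous one, so that a rewritten or deleted record is detected. The key, directory layout, file contents and log events are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key. In a real deployment the baseline key lives in a
# protected store (HSM, sealed configuration), never beside the files it covers.
BASELINE_KEY = b"constructed-demo-key-not-for-production"


def file_digest(path, key=BASELINE_KEY):
    """Keyed control value (HMAC-SHA256) of a file's contents, read in chunks.

    A keyed digest means an attacker who can rewrite a file cannot also
    recompute a matching control value without the key."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root, key=BASELINE_KEY):
    """Record a control value for every regular file under root.
    Paths are relative to root and normalized to '/' separators."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = file_digest(path, key)
    return baseline


def verify_baseline(root, baseline, key=BASELINE_KEY):
    """Compare the current state of root against a stored baseline."""
    current = build_baseline(root, key)
    modified = sorted(p for p in baseline
                      if p in current and not hmac.compare_digest(current[p], baseline[p]))
    missing = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "added": added}


GENESIS = "0" * 64  # previous-digest value for the first record


def append_record(chain, event):
    """Append an audit event whose digest covers the previous record's digest."""
    prev = chain[-1]["digest"] if chain else GENESIS
    payload = json.dumps(event, sort_keys=True)
    digest = hashlib.sha256((prev + payload).encode()).hexdigest()
    chain.append({"prev": prev, "event": event, "digest": digest})
    return digest


def verify_chain(chain):
    """Return the index of the first record that breaks the chain, or -1 if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        payload = json.dumps(rec["event"], sort_keys=True)
        expected = hashlib.sha256((prev + payload).encode()).hexdigest()
        if rec["prev"] != prev or rec["digest"] != expected:
            return i
        prev = rec["digest"]
    return -1


def demo():
    """Constructed scenario: baseline two files, then modify one, delete one,
    add one; build a three-record audit chain, then tamper with record 1."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "app"), "w") as f:
            f.write("binary placeholder v1\n")
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("audit=on\n")
        baseline = build_baseline(root)

        # Simulated unauthorized changes after the baseline was taken.
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("audit=off\n")
        os.remove(os.path.join(root, "bin", "app"))
        with open(os.path.join(root, "etc", "new.conf"), "w") as f:
            f.write("unexpected\n")
        fim = verify_baseline(root, baseline)

    chain = []
    append_record(chain, {"user": "alice", "action": "login", "result": "ok"})
    append_record(chain, {"user": "admin", "action": "read", "object": "db/salaries"})
    append_record(chain, {"user": "alice", "action": "logout"})
    intact = verify_chain(chain)
    chain[1]["event"]["user"] = "mallory"  # rewrite of an existing record
    after_tamper = verify_chain(chain)
    return {"fim": fim, "chain_intact": intact, "chain_after_tamper": after_tamper}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain check detects any rewrite or deletion inside the log, but an attacker who controls the whole log file can rewrite every record from the tampered one onward and produce a consistent chain again; that is why the latest digest must periodically be written somewhere the log writer cannot alter (a write-once store, a signed timestamp, or a separate monitoring host), which is the "protection against tampering" the requirement above asks for.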
The creation of an integrated information security system (CSOI) is a complex, system-wide process that takes several months, and its effectiveness depends largely on the accuracy of the technical specifications. Such systems are developed only for a specific customer and reflect that customer's own needs in building an integrated information security system.