Information systems security mechanisms
Information systems have become the foundation on which most companies operate: the continuity and quality of their business processes depend on those systems staying available. The choice of a protection mechanism depends on the category of the information resources being protected.
Information and the need to protect it
Information is data conveyed in any form: spoken words, a paper document, a file. It is valuable not only to its owner but also to third parties, who can use someone else's confidential data to gain a competitive advantage or for personal enrichment.
Information assets fall into three groups:
- data that does not need to be protected against leakage: public information, or information whose disclosure is required by law;
- data protected as a commercial secret, which requires introducing a commercial-secret regime and compiling a list of the information covered by it;
- data that must be protected because the law requires it: banking or state secrets, personal data.
Depending on the category of data, companies choose the necessary means from the arsenal of protection. These fall into groups:
- administrative and organizational: structuring the company's management system so that unauthorized access to data is excluded;
- technical: hardware that blocks tampering (tokens used for authentication, blanking plugs for the computer's USB ports);
- software: tools that protect equally against unauthorized access by insiders and against external attacks.
State regulation methods
State measures for protecting confidential information take the form of requirements on mandatory organizational, technical and software methods of data protection that organizations working with personal data or state secrets are obliged to follow. These requirements are developed by the FSTEC of the Russian Federation and, for cryptographic protection mechanisms, by the Federal Security Service of the Russian Federation. For measures aimed at protecting banking secrecy and preventing illegal access to the funds of citizens and companies held in their card and current accounts, the requirements are developed by the Central Bank of the Russian Federation.
State secrets are usually encountered by enterprises executing state contracts, in the course of which they gain access to information in this category:
- in the military field;
- in the field of economics, science and technology, where the information is classified as a state secret;
- in the field of foreign policy and foreign economic activity;
- in the field of intelligence, counterintelligence and operational-search activities, as well as in countering terrorism and ensuring the safety of persons for whom state protection measures have been ordered.
This information is protected by a set of measures ranging from a physical security system that denies physical access to the facility to encryption software and hardware (cryptographic information protection tools, CIP). Working on government contracts with an elevated level of confidentiality is impossible without meeting these requirements.
A different protection principle applies to personal data. This term covers any information relating to an identifiable individual, whether a member of the company's staff or one of its customers. A citizen who gives an organization an address, phone number, passport details or bank card number has the right to expect that this information will not end up in the hands of attackers who could use it to harm their health or property.
For the purpose of protection, the state requires operators to:
- collect information only with the written or electronic consent of the citizen;
- inform the citizen of the purpose for which PD is collected and processed;
- not transfer data to third parties without an agreement that obliges the recipient to observe measures protecting the confidentiality of the information;
- take a set of organizational and software measures aimed at preventing leakage of personal data and unauthorized access to it.
Recommended organizational measures include:
- adopting a Regulation on the procedure for processing personal data and publishing it openly on the company's website;
- developing a consent form for PD processing, signed physically by each client or accepted on the site with the approval recorded;
- appointing a person or unit responsible for PD processing;
- creating a system of differentiated access to data;
- declining to place PD in cloud storage.
Compliance with these requirements is checked during inspections of personal data operators by the supervisory authorities, including the inspections of technical protection measures carried out by the FSTEC RF.
After a set of organizational measures has been developed and implemented, the software products recommended by the regulator must be introduced:
- anti-virus protection tools;
- trusted boot tools;
- intrusion detection tools;
- cryptographic protection tools.
Each software product and its updates must pass the FSTEC RF certification procedure, after which they will be allowed to be used to protect personal data. If these mechanisms for ensuring the security of information systems are not available to the company for financial reasons, it can agree with the regulator on a phased implementation of the software.
Corporate information security
To solve general information security problems that are not specifically about personal data or state secrets, companies build their own security systems on integrated solutions such as SIEM and DLP. The choice of software and technical solutions is based on a threat model that depends on the type of information processed and the nature of the organization's business. The final choice of software also depends on the kinds of corporate systems in use: ACS, CRM systems, and automated electronic document management.
A unified mechanism for ensuring the security of information systems is built according to the following procedure:
- audit the existing network, infrastructure elements and software, identify weak points and determine the areas that need modernization;
- develop and approve a security policy that defines the key points of its implementation, from the rules for working with removable media to the principles for using the Internet and personal e-mail accounts in professional activity;
- create a user authentication system of the required strength, using a two-factor mechanism where necessary, so that unauthorized access to protected data is excluded;
- implement one of the differentiated access models, in which each user is granted only the operations on files that their role requires;
- create a system for monitoring the state of the IS with scanners that identify vulnerabilities, develop rules for a standard response to them, and keep an incident database for later statistical analysis;
- protect the communication channels used for remote access against unauthorized connections by using secure protocols and VPN tunnels;
- use cryptographic information protection tools to secure databases and traffic;
- create a configuration management system that keeps the IS environment in the required state.
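The authentication and differentiated-access steps above can be shown in working code. The following block is an added illustration, not code from the original article or from any product it mentions. It assumes a single in-memory user table, PBKDF2-SHA256 for password storage, an RFC 6238 TOTP code (HMAC-SHA1, 30-second step, 6 digits) as the second factor, and a hypothetical role-to-permission map; the user names, passwords and roles are constructed for the example, and the TOTP secret is the reference secret from RFC 6238.

```python
"""Two-factor login plus role-based access check (added example).

Assumptions: in-memory user table, PBKDF2-SHA256 password hashing,
RFC 6238 TOTP as second factor, hypothetical ROLE_PERMISSIONS map.
"""
import hashlib
import hmac
import os
import struct
import time

TOTP_STEP = 30
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000

# Hypothetical differentiated-access model: role -> operations allowed on files.
ROLE_PERMISSIONS = {
    "reader": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "delete", "share"},
}


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a per-user random salt; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def totp(secret, unix_time, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1, dynamic truncation) over the time step."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, unix_time, window=1):
    """Accept the current step and +/- `window` neighbouring steps to tolerate clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, unix_time + drift * TOTP_STEP), code):
            return True
    return False


class AccessControl:
    def __init__(self):
        self.users = {}  # name -> {"salt", "digest", "totp_secret", "role"}

    def add_user(self, name, password, totp_secret, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError("unknown role: %r" % role)
        salt, digest = hash_password(password)
        self.users[name] = {"salt": salt, "digest": digest,
                            "totp_secret": totp_secret, "role": role}

    def authenticate(self, name, password, code, unix_time=None):
        """Both factors must pass. An unknown name still pays the PBKDF2 cost
        against a dummy salt so response time does not reveal valid user names."""
        now = int(time.time()) if unix_time is None else unix_time
        user = self.users.get(name)
        if user is None:
            hash_password(password, b"\x00" * 16)
            return False
        ok_pw = verify_password(password, user["salt"], user["digest"])
        ok_otp = verify_totp(user["totp_secret"], code, now)
        return ok_pw and ok_otp

    def authorize(self, name, operation):
        """Role check: the operation must be in the permission set of the user's role."""
        user = self.users.get(name)
        return user is not None and operation in ROLE_PERMISSIONS[user["role"]]


def demo():
    """Constructed scenario: RFC 6238 reference secret, fixed clock, two users."""
    secret = b"12345678901234567890"  # reference secret from RFC 6238 test vectors
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery staple", secret, "editor")
    ac.add_user("bob", "hunter2", secret, "reader")
    t = 59  # RFC 6238 vector: time 59 -> counter 1 -> 6-digit code 287082
    good = totp(secret, t)
    return {
        "rfc_vector": good,
        "alice_login": ac.authenticate("alice", "correct horse battery staple", good, t),
        "alice_wrong_otp": ac.authenticate("alice", "correct horse battery staple", "000000", t),
        "alice_wrong_pw": ac.authenticate("alice", "wrong", good, t),
        "unknown_user": ac.authenticate("eve", "x", good, t),
        "alice_write": ac.authorize("alice", "write"),
        "bob_write": ac.authorize("bob", "write"),
        "bob_read": ac.authorize("bob", "read"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two points worth noting in the code: both factors are evaluated before a result is returned, so a failed password does not short-circuit and leak which factor was wrong, and the authorization check is a separate step from authentication, which is what lets the access model be changed (new roles, narrower permissions) without touching the login path.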
To implement the strategy, a company must either engage professional organizations on an outsourcing basis or build its own capable IT department that can respond quickly and effectively to information security incidents. The risk management model used when building the security mechanism can be based on national standards (GOSTs) or on foreign methodologies; the choice depends on the level of threat and on whom the information most needs protecting from, external or internal intruders. The mechanism is always built on the principle of proportionality: the security measures taken should not be redundant or interfere with the effective functioning of the business, and the model of access to information resources should keep those resources continuously available to the company's business processes.