Information security levels
The practice of information security is based on the concept of defense in depth, in which data is protected at multiple security levels. Each level is deployed in turn, forcing an attacker to solve several problems at once.
Information security levels concept
The skill of attackers is constantly growing; new means of breaking protection are being developed in clandestine laboratories. According to experts, one new piece of malware is created every 14 seconds in the world. Publicly available vulnerability testing software makes it possible to break the protection of a small online store's website. This encourages organizations to address data protection challenges through the concept of creating multiple levels of information security.
Attack schemes designed against standard security systems will fail if criminals are confronted with a layered security system, each stage of which makes it harder to penetrate the database.
Information security levels
In practice, a layered (echeloned) defense system includes four levels:
- legislative;
- administrative (organizational);
- procedural;
- software and hardware.
Before building it, it is necessary to develop and adopt a security strategy. It should describe each level, the plan for its deployment, and the department responsible for keeping it operational.
These stages are deployed in turn; each subsequent one follows from the prerequisites set at the level above it.
The state, within its powers, can determine a private company's information protection strategy if the company processes personal data or state secrets. The company's commercial secrets are also protected at the legislative level.
At the legislative level of information security, the following are determined:
- general strategy for the protection of information and communication systems in the country;
- practical steps to implement the state data protection strategy;
- requirements for the protection of state secrets, control and communication systems of state bodies;
- security requirements for information systems of private companies, if they process personal data or contain information related to state secrets;
- rules for ensuring the security of personal data;
- rules for licensing software developers, software certification, certification of premises where information is processed with an increased level of confidentiality.
Laws and regulations are often drafted and adopted in packages as part of a national program or project. Thus, as part of the practical implementation of the Information Security Doctrine, a system for ensuring the security of critical information infrastructure facilities and the GosSOPK system were introduced. And within the framework of the national project "Digital Economy", the concept of a sovereign Runet was developed.
The innovations adopted by the state and regulators (FSTEC RF, Central Bank, FSB) affect the interests of society, therefore any new measures to enhance security are submitted for discussion by the expert community before their approval.
Last year, the draft law on a sovereign Runet caused controversy. Reaching a civil agreement with telecommunication service providers during public discussion of the draft law required certain concessions from the legislator. The project of mandatory certification of all updates to mobile online banking applications was also frozen, as it could slow down the work of banks, although attackers often use flaws in mobile applications to gain access to citizens' funds.
At the legislative level of ensuring information security, rules are also adopted for bringing to justice those who violate the confidentiality of information.
There are the following degrees of responsibility:
- civil law. The offender is financially liable for willful violation of the requirements for the integrity, confidentiality or availability of information;
- disciplinary and labor. A violator of the confidentiality regime may be reprimanded or fired;
- administrative. Violation of the rules for processing personal data is punishable by a fine;
- criminal. Using malware to steal data can lead to jail time.
The existence of such an extensive system of liability measures at the legislative stage of ensuring information security serves to prevent the commission of crimes.
The company has the right to develop its own list of administrative measures designed to exclude information leaks. If it is a personal data operator, these measures will be based on the requirements of FSTEC RF. Otherwise, the company is free to choose its protection strategy. International organizations prefer to use the ISO/IEC 27000:2008 series. Implementing these recommendations and certifying the company helps to improve its image among customers and partners.
The top-level document is the security policy or strategy adopted by the organization's top management, board of directors or CEO. It contains basic definitions and data protection principles and references local regulations that do not have the force of law. If the company is a personal data operator, the Personal Data Processing Policy has the same level of significance and must be published on the company's website.
The list of annexes to these documents is established by the regulations of FSTEC RF or Roskomnadzor, or is developed by the organization independently.
Such annexes include:
- regulation on commercial secrets;
- list of information constituting a commercial secret;
- regulations on the procedure for users' access to information with the establishment of the ranks of users and the procedure for changing the levels of privileges;
- regulation on the procedure for the use of mobile devices;
- regulations on the use of removable media;
- regulations on handling and copying paper documents containing trade secrets.
Also, at the documentary level of ensuring information security, supplementary agreements to employment contracts are developed, obliging employees to keep the commercial secrets of the company and its counterparties. The administrative stage also includes such practical steps as fitting the entrances to protected premises with electronic locks and installing a video surveillance system.
The procedural level, or regulation of user actions, is applied at the organizational and software-technical stages and is expressed in the regulation of business and management processes. At the procedural stage, many years of management experience are put to use, expressed in generally accepted management procedures or offered by international standards.
Procedural measures are implemented in the following areas:
- personnel management, information and training. Here, personnel motivation systems are established, a key part of which are performance indicators related to compliance with information security rules; methods for training and informing employees about current threats are developed; and mechanisms for monitoring their activities are determined;
- maintaining the health of the information system. Here, a set of tasks related to improving the efficiency and competence of IT departments is solved; regulations for monitoring the operation of the IS are developed; mechanisms for monitoring the system's performance are introduced; rules and regulations for responding to failures are established, including the minimum recovery time for the system after a failure; and the procedure for creating backup copies of data is also determined;
- planning of restoration work. The goal of this group of regulations should be to reduce system downtime. If today the average downtime of an IS caused by failures, malware infection or hacker attacks reaches several hours, the target for this group of actions should be a recovery period that does not interfere with the flow of business processes. In practice, the expected time is 1-2 hours;
- physical protection. It regulates the protection of servers from intrusion, technical failures and accidents. They must be located in a protected room with a power supply safeguarded against outages. In parallel, logs of user actions should be kept;
- response to violations of the security regime. This set of measures is implemented at the software level, by blocking incorrect user actions or canceling operations, and at the organizational level, by establishing a differentiated access system.
The measures taken increase the degree of information security by improving system performance and monitoring user actions.
Software and technical
This area should not be left entirely to IT staff. Close control by management is required so that the chosen degree of protection does not place an excessive burden on the company's budget.
The software and technical stage of information security is implemented to solve the following tasks:
- creating a differentiated access system, assigning confidentiality labels to user accounts and files;
- using firewalls at the external perimeter of the system and between its internal segments;
- user authentication and identification;
- maintaining a register of user actions;
- response to information security incidents;
- cryptographic protection of valuable information.
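As an added illustration (not code from the original article) of the differentiated-access and register-of-user-actions tasks above, the following Python sketch assigns confidentiality labels to accounts and files, makes a no-read-up / no-write-down access decision, and records every decision in an audit register; the user names, labels and file paths are constructed sample data.

```python
"""Added example: label-based access decision plus an audit register.
The labels, accounts and paths below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered confidentiality labels: a higher index means more sensitive.
LABELS = ["public", "internal", "confidential", "secret"]


@dataclass
class Subject:
    name: str
    clearance: str          # highest label the account is cleared to read


@dataclass
class Resource:
    path: str
    label: str              # confidentiality label assigned to the file


@dataclass
class AuditRegister:
    """Register of user actions: every decision, allowed or denied, is kept."""
    entries: list = field(default_factory=list)

    def record(self, subject, resource, op, allowed):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": subject.name, "file": resource.path,
            "op": op, "allowed": allowed})


def level(label):
    return LABELS.index(label)


def check_access(subject, resource, op, register):
    """Read is allowed only when the clearance dominates the file label
    (no read-up); write only to files at or above the clearance (no
    write-down), so sensitive data cannot be copied into a less
    sensitive file. Unknown operations are denied but still logged."""
    s, r = level(subject.clearance), level(resource.label)
    if op == "read":
        allowed = s >= r
    elif op == "write":
        allowed = s <= r
    else:
        allowed = False
    register.record(subject, resource, op, allowed)
    return allowed
```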
Implementing the data protection system at the listed levels of information security solves the main tasks of maintaining a high degree of confidentiality.