Company information security management
The constant rise in the level of cyber threats forces companies to allocate additional resources to organizing their information security management system. Current conditions dictate that corporate networks be built on a distributed basis, with part of the activity moved to a cloud environment and remote employees used, and this determines the specifics of security management.
Regulatory and legal documentation
Ensuring information security begins with identifying the object on whose protection resources are to be spent.
In the work of a private or public company, there are two kinds of objects whose security must be ensured:
- commercial secrets of the organization itself and of its counterparties, which are of interest to competitors;
- data sets whose security is required by law (state secrets, bank secrets, personal data of citizens).
The logic of creating a corporate information security management system should rest on two groups of regulations:
- laws and by-laws of government agencies that establish the data protection procedure, the hardware and software tools needed to implement this procedure, and the management of the related security processes;
- the company's internal local documentation, which establishes the principles and regulations for complying with information security, drafted either at the company's own discretion or on the basis of the regulatory requirements of the law and government agencies.
Regulatory acts should form the basis of the security management system being created, describing the key goals of protecting data both inside the office and when it is transferred from remote devices.
When developing regulatory documents, the company's structures responsible for information security management must solve the following tasks:
- establish the principles for updating the threat model and the set of information security risks taken into account;
- structure the data streams entering the company, distinguishing those that must be processed first from those of low value;
- establish the principles of employee responsibility in countering information security threats;
- set up a working mechanism for responding to information security incidents;
- establish principles for evaluating the units involved in protecting information security and criteria for the quality of the system.
Developing these principles and structuring them in regulations will help form the company's information security management strategy and determine the budget for reconfiguring the infrastructure.
Threat models and principles of information security management in the company
Given the architecture of modern corporate information networks, the main task of keeping such a network operable and its data secure becomes competent and prompt management of data processing and protection processes and of infrastructure elements. The first task is to update the threat model and raise the company's awareness of information security issues. How it is solved differs depending on the economic sector in which the company operates.
The most common information security threats are listed on the FSTEC RF website. Information security consulting companies regularly publish information about new computer threats and forecasts; if necessary, a business can order an analytical review or the construction of an individual threat model from them.
The most likely threats that companies should protect themselves against in 2020, taking into account the transfer of part of the business to remote work, include:
- malware. Last year's leader, the WannaCry ransomware virus, acquired additional exploits, SMBloris and EternalBlue, which spread it across corporate information networks almost instantly, infecting every computer it encounters;
- misuse of RATs, or remote administration tools. Software products that allow a system administrator to control the device of a remote employee or other user are increasingly used by cybercriminals for their own purposes. Antiviruses may have built-in protection against RATs, which the administrator can enable or disable;
- exploitation by cybercriminals of known and not fully patched vulnerabilities in operating systems and applications. This risk is most relevant for automated production control systems (ACS), but office programs can also become a source of problems;
- directing the attack not at workstations but at elements of the network infrastructure. For this purpose, information networks are infected with the VPNFilter and Slingshot malware;
- a shift of ransomware Trojans from indiscriminate attacks to targeted attacks on companies and banks chosen by the cybercriminals. There is also a risk of ransomware attacking IoT objects: such a virus can render a car's on-board computer or an office coffee maker unusable;
- interference by foreign states, acting through their military and intelligence agencies and interested in undermining Russia's state security system, in the control of production facilities;
- the low level of security of cloud storage, where information constituting trade secrets or personal data is often placed.
At the same time, the means of attacking data security improve faster than the means of protection; hacker groups often act under a false flag, passing off malicious programs as well-known utilities. The risk of DDoS attacks directed at the company's servers or at the channels connecting it to remote divisions does not go away: any schoolchild can use vulnerability testing software to organize such attacks, and IoT objects are increasingly used as bots.
It is also necessary to take into account the change in the vector of attacks on the banking system and on the accounts and deposits of citizens and companies. Vulnerabilities that permit remote access control are found in banks' mobile applications and are actively exploited by cybercriminals. Owners of critical information infrastructure facilities should expect an increase in targeted attacks on their control systems, which necessitates modernizing those systems and introducing additional security modules into them. The shift of the main attack direction towards mobile devices must also be monitored; it is most dangerous when some employees are transferred to remote work.
Hacker groups invest significant funds in developing new technologies for stealing information and money, actively using vulnerabilities in operating systems and cloud technologies. Experts believe that a new piece of malware appears in the world every 14 seconds. Countering them must be based on an understanding of the threats to, and the vulnerabilities of, one's own information system. The creation of viruses that target equipment and devices operating on neural-network and machine-learning principles, in order to destabilize their operation, is also named among the significant threats to information security.
Practical implementation of information security management principles
The main task within a company's information security management is to build an infrastructure in which the protection solutions chosen do not conflict with each other and their management requires an insignificant amount of resources.
Sometimes the right management decision is to outsource tasks related to the management of the company's information security:
- a preliminary system audit, identifying vulnerabilities or redundant protection;
- development of recommendations to improve the security of the information system;
- development of comprehensive software that can solve most information security problems, for example DLP systems.
The decision to engage an outsourcer must be taken at the level of the company's top management. System integrators and their employees are sometimes found guilty of leaking valuable data, on a par with office workers. The agreement with the integrator must contain a confidentiality clause, and its violation must carry severe fines.
Having identified the resources aimed at creating the company's information security management system, one must think about maintaining its performance. The key role here should be played by the company's employees, who will need not only to be taught the basics of computer security but also to be prepared for conscious work in an environment of growing information threats. Employee performance indicators, on which bonuses are based, should be introduced that rule out a careless attitude to information, equipment and security requirements. In parallel, a system of differentiated access to data should be introduced, with confidentiality ranks assigned to the various data sets and employee privileges differentiated accordingly. This is the best way to avoid unintentional data leaks or system infections.
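The differentiated access model described above, as an added illustrative example that is not code from the original article: each data set carries a confidentiality rank and a department (need-to-know) label, each employee holds a clearance and a set of departments, and a policy object decides read and write requests and records denials for later review. The rank names, employees, data sets and the "no read up / no write down" rule applied here are assumptions constructed for the demonstration.

```python
"""Differentiated access to data by confidentiality rank.

Added illustrative example, not code from the original article. Each data
set carries a confidentiality rank and a department (need-to-know) label,
each employee holds a clearance and a set of departments, and a policy
object decides read/write requests and keeps an audit trail of denials.
All rank names, employees and data sets are constructed for the demo.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Rank(IntEnum):
    """Confidentiality ranks ordered from least to most sensitive (constructed)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2    # commercial secrets of the company and its counterparties
    PERSONAL_DATA = 3   # protected by law; only a narrow group may handle it


@dataclass(frozen=True)
class DataSet:
    name: str
    rank: Rank
    department: str     # compartment: which unit has a need to know


@dataclass(frozen=True)
class Employee:
    login: str
    clearance: Rank
    departments: FrozenSet[str]


AuditEntry = Tuple[str, str, str, str]   # (login, operation, data set, verdict)


@dataclass
class AccessPolicy:
    """Mandatory access control: rank dominance plus a need-to-know compartment."""
    audit: List[AuditEntry] = field(default_factory=list)

    def decide(self, who: Employee, what: DataSet, op: str) -> bool:
        if op == "read":
            # "no read up": the clearance must be at least the data set's rank
            allowed = who.clearance >= what.rank
        elif op == "write":
            # "no write down": data may not be copied into a store ranked
            # below the writer's clearance, which would be a leak channel
            allowed = what.rank >= who.clearance
        else:
            allowed = False
        # need-to-know: a sufficient clearance still only covers own departments
        allowed = allowed and what.department in who.departments
        self.audit.append((who.login, op, what.name, "ALLOW" if allowed else "DENY"))
        return allowed

    def denials(self) -> List[AuditEntry]:
        """Denied requests are what an incident response process reviews."""
        return [entry for entry in self.audit if entry[3] == "DENY"]


def run_demo():
    """Constructed scenario: a sales manager and an HR clerk against three data sets."""
    price_list = DataSet("price_list", Rank.PUBLIC, "sales")
    contracts = DataSet("counterparty_contracts", Rank.CONFIDENTIAL, "sales")
    payroll = DataSet("payroll", Rank.PERSONAL_DATA, "hr")
    manager = Employee("ivanov", Rank.CONFIDENTIAL, frozenset({"sales"}))
    hr_clerk = Employee("petrova", Rank.PERSONAL_DATA, frozenset({"hr"}))

    policy = AccessPolicy()
    results = {
        "manager_reads_contracts": policy.decide(manager, contracts, "read"),
        "manager_reads_payroll": policy.decide(manager, payroll, "read"),
        "manager_writes_price_list": policy.decide(manager, price_list, "write"),
        "hr_reads_payroll": policy.decide(hr_clerk, payroll, "read"),
        "hr_reads_contracts": policy.decide(hr_clerk, contracts, "read"),
    }
    return policy, results


if __name__ == "__main__":
    policy, results = run_demo()
    for request, verdict in results.items():
        print(f"{request}: {'allowed' if verdict else 'denied'}")
    print("denied requests for review:", policy.denials())
```

The write rule is the strict one: an employee may not write into a store ranked below their own clearance, because that is exactly the path by which a confidential document ends up in a public folder by accident. The department check is what keeps a highly cleared HR clerk out of sales contracts despite the clerk's rank being sufficient.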
The implementation of a security system that takes into account all risks and is built on the principles of sufficiency and expediency should proceed according to the following scenario:
- risk assessment;
- assessment of the system's potential;
- development of an optimization strategy;
- selection of software and hardware solutions and, when new products are developed, determining whether they need certification (this requirement necessarily applies when new ACS are launched);
- implementation of the developed or purchased information security software and hardware;
- commissioning and acceptance tests. This stage is not mandatory for commercial companies, but it is unavoidable when creating or modernizing the information systems of state bodies (GIS);
- audit of the system's performance;
- development and implementation of recommendations for further improving the system's performance.
It is also important to respect the capacity of the information system and avoid overloading it, since overload can lead to failures, loss of data integrity and other risks to its security. Comprehensive solutions that address several tasks at once should be used.
Among the software tools that the FSTEC RF recommends for building information systems that meet all information security criteria are:
- programs that provide two-factor user authentication;
- programs that implement the model of differentiated access to data of varying degrees of secrecy;
- antivirus tools;
- trusted boot tools;
- firewalls. For automated control systems, they allow demilitarized zones (buffer zones that prevent attacks from reaching the equipment control system) to be created at the junctions between office systems and production management systems, which slows down or prevents infection with malware and raises the level of data protection;
- means of cryptographic protection;
- system health monitoring tools;
- means of identifying information security incidents and responding to them (SIEM systems);
- permission checkers that scan mobile apps for built-in permissions that compromise security and revoke those permissions.
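What the SIEM item in the list above amounts to in practice, as an added example that is not code from the original article or from any SIEM product: a minimal collector that parses authentication log lines, correlates repeated failures from one source within a time window, and emits an incident with a recommended response for the incident response mechanism the article calls for. The log format, host names, addresses, the threshold of five failures per minute and the response wording are all constructed assumptions.

```python
"""SIEM-style correlation over constructed authentication logs.

Added example, not part of the original article. Parses syslog-like
lines, groups failures by (source, host), applies a sliding-window
threshold and raises an incident with a recommended response. All
log lines, hosts, users and addresses below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: "timestamp host service message" (not real logs).
SAMPLE_LOGS = """\
2020-04-06T09:00:01 vpn-gw sshd Failed password for admin from 203.0.113.7
2020-04-06T09:00:04 vpn-gw sshd Failed password for admin from 203.0.113.7
2020-04-06T09:00:07 vpn-gw sshd Failed password for root from 203.0.113.7
2020-04-06T09:00:10 vpn-gw sshd Failed password for admin from 203.0.113.7
2020-04-06T09:00:13 vpn-gw sshd Failed password for admin from 203.0.113.7
2020-04-06T09:00:20 vpn-gw sshd Accepted password for admin from 203.0.113.7
2020-04-06T09:15:00 file-srv sshd Failed password for ivanov from 10.0.0.25
2020-04-06T09:45:00 file-srv sshd Failed password for ivanov from 10.0.0.25
2020-04-06T09:46:00 file-srv sshd Accepted password for ivanov from 10.0.0.25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\S+) "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    result: str   # "Failed" or "Accepted"
    user: str
    src: str


@dataclass(frozen=True)
class Incident:
    rule: str
    src: str
    host: str
    first_seen: datetime
    last_seen: datetime
    count: int
    recommended_action: str


def parse_logs(text: str) -> List[Event]:
    """Normalise raw lines into events; lines of unknown shape are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production collector would count and surface these
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> List[Incident]:
    """Raise one incident per (source, host) with >= threshold failures inside
    the window; severity of the response rises if a success follows the burst."""
    by_key: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_key[(ev.src, ev.host)].append(ev)

    incidents: List[Incident] = []
    for (src, host), evs in by_key.items():
        failures = [e for e in evs if e.result == "Failed"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e.ts - first.ts <= window]
            if len(burst) < threshold:
                continue
            # a successful login after the burst suggests the guess worked
            success_after = any(e.result == "Accepted" and e.ts >= burst[-1].ts
                                for e in evs)
            action = ("isolate host and reset the account's credentials"
                      if success_after else "block source address at the firewall")
            incidents.append(Incident("bruteforce", src, host, first.ts,
                                      burst[-1].ts, len(burst), action))
            break  # one incident per (src, host) is enough for the responder
    return incidents


if __name__ == "__main__":
    for inc in detect_bruteforce(parse_logs(SAMPLE_LOGS)):
        print(f"[{inc.rule}] {inc.src} -> {inc.host}: {inc.count} failures "
              f"between {inc.first_seen} and {inc.last_seen}; {inc.recommended_action}")
```

In the constructed sample the two slow failures against file-srv stay below the threshold and produce nothing, while the burst against vpn-gw followed by a successful login yields one incident whose recommended action is escalation rather than a plain block, which is the distinction a SIEM rule is meant to make for the response team.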
If the company is a personal data operator, then when choosing software designed to ensure the security of that data it must be guided by the regulatory requirements of the FSTEC of the Russian Federation for determining the protection class of the system and for using certified software. When concluding an agreement with a cloud storage provider to which all or part of the company's databases is to be moved, it is necessary to make sure that they are protected in accordance with the requirements of the legislation on ensuring the security of personal data and will not pose a risk to their safety. When developing the company's information security management model, it should be borne in mind that cloud storage sometimes offers a level of security that a small company could not afford on its own. Large providers use all modern means of data protection, including systems for detecting information security incidents and responding to them, so transferring databases containing confidential information to cloud servers can be justified.
Comprehensive implementation of the information security strategy at the enterprise can not only minimize the risk of information leaks but also optimize business processes by reducing the number of failures in the information system.