Information security management theory
Information security of an enterprise is one of the most important factors that determines the size of the profit and business prospects. Theft of information by cybercriminals results in financial damage and loss of the company's prestige. Information about the company's activities can be transferred to persons interested in undermining its authority and ruin. Kidnappers are capable of blackmailing management or staff.
To avoid such situations, complex information protection is required with the use of software and hardware technologies, organizational methods, methods of ensuring the physical protection of classified materials.
An important role is played by the analysis of the security of information resources and the prediction of unforeseen situations. Confidentiality measures need to be coordinated to ensure the security of proprietary information.
Principles and stages of implementation of information protection
Comprehensive information security measures include the following measures:
- development of rules for storing confidential documents (organizational approach);
- analysis of the security of information related to individual business processes (process approach). These include, for example, the supply of resources, the use of certain technologies. Confidentiality methods that yield the best results are selected;
- adjustment of the applied information protection methods to achieve maximum efficiency (optimization approach);
- organization of strict implementation of "control commands" (legal norms related to information security) by "managed objects" (executors of confidentiality rules) - a cybernetic approach;
- development of a methodology for making decisions related to the protection of information (decision theory).
Information security management should be based on the principles of information integrity, availability and confidentiality. This means that it is necessary to exclude the possibility of its distortion, disclosure, leakage or destruction, and at the same time make the information available for processing by competent employees who have access to it.
The system should be organized so that it is possible to minimize risks at all stages of processing and storage of classified data, to minimize the consequences of their disclosure or loss.
A clear organization of the information security management system allows you to solve the following tasks:
- accounting of information resources and compilation of a list of confidential information;
- distribution of responsibility for the security of classified data and violation of confidentiality;
- assessment and forecasting of risks, development of measures to reduce and eliminate them;
- control over the observance of the rules and norms of safe work with classified materials;
- ensuring the physical protection of information and company personnel involved in its processing;
- determination of the real value of the company's property and losses in case of leakage, intentional or accidental destruction of data. This indicator influences the choice of information security methods and the level of its complexity;
- development of information security requirements and standards.
Management of the information security system is carried out in a certain order. First of all, a "policy" of risks is formed - it is determined what to consider as risks, what the consequences of information threats may be.
Then, an analysis of all business processes and risks that may arise at each stage of work is carried out. Vulnerable moments in the company's activities are identified.
In conclusion, a set of necessary measures and a general scheme for ensuring the safe operation of the enterprise are determined. The procedure for hiring new employees, as well as their familiarization with the norms of corporate ethics and the peculiarities of working with confidential information, is established.
Risk assessment and threat elimination
When developing methods for ensuring information security, the specifics of the organization's activities and the legal norms of the Russian Federation are taken into account. The requirements of international standards are fulfilled, which relate to the principles of secure work, the software and hardware used and legal norms for ensuring confidentiality.
In international practice, in addition to availability, integrity and confidentiality, it is also considered to be the standard principles for the protection of classified information:
- authenticity (confirmation of the source of information);
- reliability (proof of data veracity);
- accountability (responsibility for the provision of information and the results of its use).
Threats related to the security of information resources must be eliminated by legal means. Interference in the business operations of the enterprise, violation of contractual obligations is inadmissible.
When developing methods related to information security, the Constitution of the Russian Federation, Federal laws and codes, Decrees of the President of the Russian Federation are taken into account. The requirements set forth in the regulatory documents of Russian ministries and departments, as well as local government bodies, orders of the FSB are taken into account. The recommendations set forth in the Doctrine of Information Security of the Russian Federation are taken as a basis.
The formulated security policy of the enterprise clearly specifies the information objects that need protection and the possible threats of violations.
The objects of protection include:
- information transmitted orally;
- data stored on electronic media;
- paper documents;
- technical devices for transmitting information;
- the premises in which confidential information is stored, discussed and processed;
- computer information systems;
- documents relating to the operation of technical communication equipment and software used.
Classification of threats
Enterprise information security threats can be intentional and accidental (that is, "external" and "internal").
External threats include:
- actions of competitors capable of intercepting proprietary information and using it in their own interests;
- destruction or distortion of data by third parties who do not have authorized access to valuable materials;
- unintentional disruption of the information and analytical system by employees of related organizations;
- extreme events and unforeseen situations that can lead to leakage or destruction of important information.
Internal threats of information leakage arise when the rules for working with classified materials, as well as their storage and transfer, are not followed.
The reasons may be a lack of coordination in the protection of corporate information. Intentional sabotage by individual employees is possible (out of a sense of revenge, for example). There are also occasional errors of personnel, or the creation of threats due to his negligence or lack of awareness of the confidentiality of information.
Internal breaches of confidentiality are classified into the following types:
- organizational - unauthorized provision and access to the information system, database and servers. Incorrect use of information security means, the introduction of erroneous addresses when sending data over the Internet;
- physical - disablement of hardware protection means or communication lines, theft of documents and electronic media, unauthorized study of their contents;
- electronic - the use of technical means of intercepting information, copying data from monitors, deliberate distortion of transmitted information.
The work of the system is aimed at suppressing such violations and eliminating threats, developing effective methods to counter risks. In the process of their implementation, the effectiveness of the measures taken is monitored, and the necessary amendments are made.
To assess the actions taken, audit (independent reviews) and monitoring (systematic examination of the results of confidentiality protection) are carried out. Simulated database penetration tests are performed periodically.
The management of the enterprise information security system must be effective, consistent and continuous. Its objectives are to predict and coordinate the methods by which threats of theft and destruction of important materials can be identified.
The combination of organizational, technical and physical protection of classified materials reduces the risks of violations to a minimum.
When implementing measures to protect classified information, the principles of legality of actions and authorized accessibility of classified data must be observed. The use of protective measures should not affect the quality and reliability of confidential information. It is important to use modern software and hardware for the transmission, processing and storage of classified materials. Specialists in the field of computer technology and lawyers are involved in the development of measures related to information security.