Practical rules for information security management
The efficiency of any area of production depends to a large extent on how well information security is ensured.
Information security management should be an integral part of any company's business. At the same time, it is important to keep in mind the three goals of protection: the confidentiality of secret information, its integrity, and the availability of data.
Owners or authorized managers of enterprises are responsible for organizing the protection of valuable information.
We will discuss the standards and management rules that should be followed, focusing on the point that information security is achieved by implementing an appropriate set of measures at every stage of the production process or the provision of services.
The problem of information security management has become more acute with the development of information technology and the Internet, as attackers became able to use the information they obtained for fraudulent purposes.
The first BS 7799 standard was developed by the British Standards Institution (BSI) in 1995. It provided guidelines for managing access to classified information and for certification.
Combining the best international experience and taking the British work as a basis, the International Organization for Standardization (ISO) issued in 1999 a new document regulating the organization of information security. The latest revision is ISO/IEC 17799:2005.
The uniqueness of this document lies in the possibility of its application in any organization, regardless of its field of activity.
The rules for applying national standards are laid down in GOST R 1.0-2004 "Standardization in the Russian Federation. Basic provisions".
Let us consider which measures are proposed for managing the protection of important data, since they ultimately affect the economic result: the liquidity and profitability of the organization and the maximum return on investment.
Components of practical rules for information security management
Before deciding on the direction of the security policy, it is necessary to analyze the specific needs of the organization: the nature of its activity, the forms of information it uses, and the means by which that information is distributed and stored.
The requirements for granting confidential access only to authorized users of information constituting a commercial or other secret, and for maintaining the integrity of data and its availability to other employees as needed, are determined taking into account:
- the risks of potential threats to valuable assets;
- the legal regulation of security issues and the terms of contracts concluded with partners;
- the principles of information processing that are accepted in this area of production or provision of services.
Note that risks can be assessed both for the organization as a whole and for the individual structural divisions directly related to its information systems.
New threats and vulnerabilities, and the effectiveness of information security management, must be analyzed from time to time.
At the next stage, a set of standard measures is chosen that will reduce the probable security threats as far as possible, in particular:
- computer fraud and espionage;
- deliberate sabotage, destruction of information;
- data loss due to emergencies, accidents, fires or floods;
- computer hacks or virus attacks.
It is necessary to weigh future costs against the expected effect and the possible material losses in the event of a leak of classified information or another information security breach.
Measures may be selected not only from those proposed in the standard but also developed independently, taking into account the organization's specific information security needs.
Information security management framework standards
Having developed a clear position on the solution of data protection problems, top management issues the relevant internal regulations and orders. Employees who have access to confidential information acknowledge these documents by signature.
The documents must reflect:
- the concept of information security and its purpose;
- requirements for personnel in accordance with contractual terms that do not contradict the law;
- the duties of employees with respect to information security and their responsibility for violations;
- the procedure for training staff in the information technologies that ensure data security.
A person responsible for implementing the established protection measures, for the timely revision of the adopted management policy, and for implementing other standards is appointed by written order.
It is also important to resolve the organizational issues related to information security. The standard provides for the creation of governing councils and committees to coordinate the implementation of information security measures, and recommends that the organization:
- provide for a full-time internal information security specialist;
- establish contact with external security specialists in order to respond promptly to incidents emerging in the industry and to take more effective management measures;
- cooperate with other organizations in the field of information security, ensuring the protection of confidential information from unauthorized access;
- audit the approved internal security policy.
To ensure the protection of all information resources, an inventory of them is carried out.
The following are usually clearly identified, together with their location and the details of the owner responsible for their safekeeping:
- system documentation, databases and information data files;
- application software, other tools;
- computer and technical equipment (routers, magnetic media, etc.).
To determine the degree of protection required, the standard provides guidelines for classifying data by its sensitivity to threats.
Information assets in physical or electronic form are labeled so that the type of processing they require is taken into account:
- storage or destruction;
- sending by mail or electronically;
- voice transmission.
In order to minimize the risks arising from the human factor, management pays attention to personnel selection. Candidates for positions that involve access to especially important or classified data undergo a standard background check. A non-disclosure agreement specifying the consequences of non-compliance is signed with staff and with third-party representatives who use the organization's information.
The employer's responsibilities include training staff in standard security procedures and information processing rules.
Employees must know the procedure for informing management about incidents, threats, failures, system vulnerabilities and be aware of disciplinary measures for violations.
In the standard, the procedure for managing information assets includes placing the facilities that process critical and confidential official information in areas that are not freely accessible. Standard control procedures include measures to protect such equipment, including from environmental influences.
Besides restricting access to equipment when placing it, it is important to minimize the risks of potential threats associated with flooding, interference with the power supply, and chemical or electromagnetic effects.
To protect devices and equipment from power outages, the standard proposes the use of a backup generator and uninterruptible power supplies.
The standard recommends protecting information from interception and damage through power and telecommunication cable networks. If your organization uses networked resources (for example, cloud storage), additional measures may be required to manage them to protect important data. Access to internal and external network services should be controlled.
To ensure the continued operability and integrity of the equipment, it is necessary to periodically maintain it by authorized personnel in accordance with the instructions developed by the suppliers.
According to the standard, the general measures for managing and protecting information should prevent the risk of information theft and exclude the possibility of compromise. The standard also covers business continuity management.
The organization's security management policy should be consistent with applicable legal requirements. Guided by the practical recommendations proposed in the national standard (GOST R ISO/IEC 17799-2005), you can achieve effective protection of information assets.