Information security measures
In the activities of any organization or enterprise, arrays of information subject to protection are formed. Confidentiality requirements may be set by federal law, as is the case for banking secrecy or personal data, or by the company's own position, which must protect its commercial secrets. The security measures taken to ensure information security depend on the regulatory requirements and on the company's concept of countering information threats.
How to ensure information security of an enterprise
The management of an enterprise or organization must develop and implement an information security concept. This document is the foundation for internal regulations and for the system of protective measures. Development of the security policy is often entrusted to invited information security experts, who can audit both the information system and the company's organizational structure and business processes and draw up an up-to-date set of measures for protecting information.
Later, the security concept can become the basis for implementing a DLP system and other software products that address the protection of the company's information resources and infrastructure.
The concept of ensuring information security of an enterprise defines:
- the company's information arrays subject to protection and the grounds for protecting them (statutory or commercial). The software, physical and electronic media are described, and their value to the company and the criticality of their alteration or loss are determined. This section is prepared in close collaboration with all divisions of the company. The information assessment system should also set the level of employee access to resources;
- basic principles of information security. Typically these include confidentiality, commercial viability, legal compliance. The company's information security strategy is entirely based on these principles. In addition, it is necessary to determine the policies and rules on the basis of which the company's information system and the general information protection system are built;
- an information security threat model relevant to the company as a whole and its individual business units, as well as a hypothetical intruder's model. It may be a competitor, a hacker, but most often an insider. The Central Bank of the Russian Federation, in its standards, offering recommendations for ensuring information security, considers the insider to be the main source of risks;
- requirements for the security of the information system and its individual elements, based on the analysis of business processes, system architecture and prepared risk model;
- methods and means of information protection.
The concept by itself does not settle the question of employees' liability for unlawful handling of information, including its disclosure. To address this, an additional system of organizational measures for protecting information must be introduced, including briefing employees, having them acknowledge the rules by signature, and adding provisions on protecting information that constitutes a trade secret to employment contracts.
After the concept has been developed, its implementation begins. The proposed system of measures should be approved by all the divisions involved, since budget constraints always limit the scope of information protection, the complexity of the activities carried out and the purchase of software products.
Objects of protection
Each company itself determines which arrays of information are to be protected. These may be development strategies, know-how, patents, business processes, customer bases and other data. But there are general objects of protection whose security must be ensured in order to be able to protect data from leaks or deliberate disclosure. These objects primarily include the enterprise's automated information systems. Computers, servers, communication channels and peripheral devices become targets for hackers or for insiders interested in organizing information leaks. Theft is carried out both over the network and manually, by copying information or installing implanted devices. Organizational and technical measures should be aimed at physically protecting the system and at deploying software that blocks external network intrusion.
Arrays of information become objects of protection after being recognized as such and classified as confidential information.
The classification is carried out both by the type of information and by the places of its storage.
Confidential information is usually classified as follows:
- personal data subject to protection on the basis of federal legislation;
- programs containing production and financial information, for example, 1C: Enterprise;
- software products created or modified in the interests of the company;
- document management databases;
- archives of e-mail and internal correspondence;
- production information, strategic documents;
- scientific information, R&D data;
- financial information and analytics prepared on the instructions of the company's management.
Accounting information and other information that is disclosed in connection with legal requirements are usually not classified as confidential data.
Information security measures
Ensuring security should be based on the simultaneous application of the entire range of measures provided by law or proposed by specialists. Technical and organizational measures need to be commensurate with the capabilities of the organization and the information system.
The system of measures recommended for most companies facing the issue of information protection is designed to ensure the main properties of security:
- availability of information. This means that an authorized subject can obtain the required data at any time, and that clients receive information services on a regular basis;
- integrity of information. This means its immutability: the absence of any outside, unauthorized intervention aimed at changing or destroying data or disrupting the structure in which it is stored;
- confidentiality, i.e. complete inaccessibility of data to unauthorized subjects;
- non-repudiation, i.e. the inability to deny ownership of actions or data;
- authenticity, i.e. the possibility of reliably confirming the authorship of information messages or of actions in the system.
Organizational measures to ensure information security primarily include the development of provisions, regulations and interaction processes. The adoption of some internal regulations is required by law; these include, for example, the regulation on the processing of personal data, which every personal data (PD) operator must develop and publish on its website.
Organizational measures to protect information are not limited to the development of regulations. In addition, it is necessary to carry out:
- documentation and optimization of business processes;
- setting the gradation of employees and their levels of access to information containing commercial secrets;
- creation of departments or appointment of persons responsible for ensuring information security, sometimes changing the structure of the enterprise in accordance with security requirements;
- informing or retraining personnel;
- exercises that test staff readiness to operate the system in critical situations;
- obtaining licenses, for example, to work with state secrets;
- technical protection of premises and equipment, followed by certification of protection classes and confirmation of their compliance with regulatory requirements;
- creation of a security system for the chain of suppliers to which confidential data is transferred, including clauses with contractors on preserving commercial secrets and liability for their disclosure;
- installation of an access system for employees, issuance of electronic means of identification;
- compliance with all legal requirements for the protection of personal data;
- development of a system of interaction with government bodies in the event that they request information from an organization that may be classified as confidential.
The technical means and measures for ensuring information security include not only software products, for example, DLP systems, but also other tools at the disposal of the company. From a technical point of view, information protection measures should be based on the model of building an enterprise information system, which makes it possible to build a defense against encroachments on confidential information.
The principles of building such a system include:
- simplicity of architecture: simplified components and a reduced number of channels and protocols of interworking. The system should contain only those elements without which it cannot function;
- use of only proven software solutions, already deployed by other enterprises repeatedly, whose strengths and weaknesses are known;
- minimal modification of the available licensed software products by in-house or outsourced developers;
- use of only licensed software; where possible, it should be listed in the state register of computer programs and databases;
- use of only genuine components for building the system, reliable and durable and not prone to unexpected failures that undermine the system's operation. All of them must be compatible with each other;
- manageability and ease of administration of both the system itself and the software products used, with minimal reliance on third-party technical support;
- logging and documenting every user action carried out on files containing confidential information, as well as every case of unauthorized access;
- defense in depth. Each potential leakage channel must have several lines of protection that make a potential information thief's work harder.
When implementing these principles of ensuring information security, the use of additional technical means of protecting information is considered, which include:
- cryptographic protection means providing encryption on workstations and servers and for data transmitted over communication channels;
- anti-virus protection means;
- SIEM and DLP systems that close all potential channels of information leakage and intercept outgoing traffic.
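As an added example that is not part of the original article, the following Python script illustrates the earlier principle of logging every user action on confidential files together with the SIEM point above: a review of audit records against the classification of information arrays and the access gradation of employees. The audit log format, the classification levels, the file inventory, the account list and the denial threshold are all constructed assumptions, not a real product's format or the article's own data.

```python
"""Audit-log review for access to classified files.

Added example (not from the original article): a minimal SIEM-style check
that reads constructed audit log lines, maps each accessed file to its
classification level, and flags reads that exceed an employee's access
level, reads of non-public data by accounts outside the access gradation,
and accounts with repeated denied attempts.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Classification levels, lowest to highest (assumed scheme, not the article's).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Constructed inventory of protected information arrays: path prefix -> level.
FILE_CLASSIFICATION = {
    "/shares/public/": "public",
    "/shares/hr/personal_data/": "confidential",
    "/shares/rnd/": "secret",
    "/shares/finance/": "confidential",
}

# Constructed access gradation of employees: account -> highest level allowed.
USER_CLEARANCE = {
    "alice": "secret",
    "bob": "internal",
    "carol": "confidential",
}

# Constructed audit lines in a simple key=value format (assumed log format).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=alice action=read file=/shares/rnd/prototype.pdf result=success
2024-03-01T09:02:15Z user=bob action=read file=/shares/finance/q1_forecast.xlsx result=success
2024-03-01T09:05:40Z user=bob action=read file=/shares/rnd/prototype.pdf result=denied
2024-03-01T09:05:44Z user=bob action=read file=/shares/rnd/roadmap.docx result=denied
2024-03-01T09:05:50Z user=bob action=read file=/shares/rnd/budget.xlsx result=denied
2024-03-01T09:10:00Z user=carol action=read file=/shares/hr/personal_data/staff.csv result=success
2024-03-01T09:12:00Z user=dave action=read file=/shares/public/news.txt result=success
2024-03-01T09:13:00Z user=mallory action=read file=/shares/finance/q1_forecast.xlsx result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"file=(?P<file>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "access_above_clearance", "unknown_account", "repeated_denials"
    user: str
    detail: str


def classify(path: str) -> str:
    """Classification of a file from the longest matching inventory prefix.
    Paths missing from the inventory default to confidential (fail closed)."""
    best = max((p for p in FILE_CLASSIFICATION if path.startswith(p)),
               key=len, default=None)
    return FILE_CLASSIFICATION[best] if best else "confidential"


def parse(log_text: str) -> list[dict]:
    """Turn audit lines into dicts; lines not in the expected format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review(log_text: str, denial_threshold: int = 3) -> list[Finding]:
    """Compare every successful access with the employee's access level and
    count denied attempts per account; return the findings in log order."""
    findings = []
    denials = Counter()
    for ev in parse(log_text):
        user, path = ev["user"], ev["file"]
        needed = LEVELS[classify(path)]
        if ev["result"] == "denied":
            denials[user] += 1        # refused attempts are still recorded
            continue
        if user not in USER_CLEARANCE:
            # An account outside the gradation touched non-public data.
            if needed > LEVELS["public"]:
                findings.append(Finding("unknown_account", user, path))
            continue
        if LEVELS[USER_CLEARANCE[user]] < needed:
            # The file system granted more than the employee's level allows:
            # a misconfiguration of the access system, not only a user issue.
            findings.append(Finding("access_above_clearance", user, path))
    for user, n in denials.items():
        if n >= denial_threshold:
            findings.append(Finding("repeated_denials", user, f"{n} denied attempts"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.kind:22} {f.user:8} {f.detail}")
```

On the constructed log the review reports three findings: bob's successful read of a confidential finance file despite an internal-level clearance, mallory's read of the same file from an account that is not in the access gradation at all, and bob's three denied attempts on the secret R&D share. Treating an unknown path as confidential and counting denials even though they were blocked are the "defense in depth" choices: a control that failed open is caught by the review, and a probing pattern is visible before a control fails.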
Information security measures must be proportionate: business processes assume that resources comparable to an asset's value should not be spent on protecting it. An excessive burden on the business or on staff is inappropriate.