Information security management system
Running a public or private enterprise today is impossible without the development and implementation of integrated management systems. However, many entrepreneurs do not realize the scale of this task. A management system covers not only personnel management but also control over all strategic processes, including the information security of the enterprise. This element of the management system is called the information security management system.
The concept and principles of information security management
An information security management system (ISMS) is the set of measures for planning, developing, implementing and controlling the information security system of an enterprise. It is an integral part of the overall enterprise management system, so during its development the parameters are chosen so that they can be integrated into the organization's overall management system. Simply put, managing the security of an enterprise's information assets should not run counter to its other management functions.
One of the most important properties of an information security system is its reliability. To protect the enterprise's information assets effectively, managers combine the available methods and means of ensuring information security: software, specialised equipment, physical security systems and organisational measures.
When developing an information security system, the responsible persons weigh its cost and effectiveness against the scale of the possible damage. If a data leak would cause only insignificant losses, installing expensive means of protection is impractical; the cost of a control should be compared with the loss it actually prevents.
Based on the above, we can formulate three basic principles for creating a security system in the field of protecting information assets:
Based on these principles, managers of public and private enterprises develop ISMS.
The legislative framework
The creation, implementation and use of an ISMS is governed by the international standard ISO/IEC 27001:2013 (the suffix "IDT" seen on national adoptions marks them as identical translations of the international text). Large organisations worldwide use it as the reference: it sets out the requirements to be considered when creating and operating an information security management system.
In addition to the international standard, Russian enterprises are guided by the national standard GOST R ISO/IEC 27001-2006, an adoption of the 2005 edition of ISO/IEC 27001. Its requirements are close to the international text but adapted to Russian practice. Like other national standards it is periodically revised and republished; when relying on it, check which edition of ISO/IEC 27001 the current revision corresponds to, since the 2006 text predates the 2013 edition referred to above.
The procedure for creating an ISMS
To ensure the information security of an enterprise, a clear sequence of actions must be followed. Carrying it out in stages produces an effective data protection system.
The first stage of work is the analysis of the company's activities.
The manager must answer the questions:
- How important is the information that the company's employees work with?
- What equipment and technologies do the organization's employees use to create, process and transmit data?
- What would disclosure of the information held on the enterprise's electronic and paper media threaten?
Based on the information collected, the scope and boundaries of protection of confidential information are then determined.
The second stage of work is the formation of an enterprise policy regarding confidentiality. For this, the company's management creates internal documentation setting out the main provisions of the regime. This is necessary in order to ensure comprehensive data protection that complies with the requirements of Russian legislation.
There is an important nuance regarding the confidentiality regime. If the company's policy is not set out as a specific package of documents, measures taken against information leakage may be unlawful or unenforceable.
A simple example: an employee accidentally or intentionally discloses confidential information. Dismissing or prosecuting them is possible only if the enterprise's employees were notified, in the manner prescribed by law, that a confidentiality regime had been introduced.
Therefore, the formation of an enterprise policy on measures and methods of information protection is an important stage in the work of the company's management.
The third stage of work is the identification and assessment of risks. At this stage the manager evaluates the reliability and loyalty of the enterprise's personnel, the technologies and equipment in use, and how sensitive the information in official use is, and identifies vulnerabilities in the existing data protection complex.
Having identified and assessed the risks, the manager determines whether they are acceptable. If the risks are insignificant, there is no need to change the enterprise's existing policy; the acceptance decision should still be recorded so that it can be revisited. If serious risks are identified, proceed to the next stage of work.
The fourth stage of work is the comparison and selection of possible means of protecting information: software, hardware and organisational (management) tools for treating the risks. When comparing them, it is important to weigh all the advantages and disadvantages: effectiveness, cost, functionality, convenience. Of these, choose those best suited to the enterprise. If the company has no specialist able to assess and compare protection methods competently, outside help should be engaged, for example organisations that develop custom protection systems.
The fifth and final stage of work is the creation of an effective complex for protecting information:
- revision and approval of documents regulating the company's policy regarding confidentiality;
- purchase and installation of equipment, hardware, software required to protect information;
- training of the company's employees in the use of information security tools;
- appointment of persons responsible for maintaining the confidentiality regime.
After completing the listed stages of work, the company's management can proceed to the implementation and use of the developed ISMS.
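The third and fourth stages above (risk acceptability and cost-aware control selection) are described qualitatively. The following is an added illustration, not code from the original article, of one common way to make those decisions quantitative: the annualised-loss model (ALE = SLE x ARO), an acceptance threshold set by management, and a return-on-security-investment comparison of candidate controls. The risk register, control catalogue and all figures are constructed and hypothetical.

```python
"""Quantitative screening for the risk-assessment and control-selection stages.

Added example; not part of the original article. Uses the annualised-loss
model (ALE = SLE x ARO) and a constructed, hypothetical risk register.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one incident, currency units
    aro: float  # annualised rate of occurrence: expected incidents per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: expected yearly loss from this risk."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk: str           # name of the risk this control treats
    annual_cost: float  # amortised purchase plus yearly operation
    reduction: float    # fraction of the ALE the control removes, 0..1


def unacceptable_risks(risks, threshold):
    """Stage three: a risk is acceptable if its ALE is below the threshold
    set by management; every other risk must be treated."""
    return [r for r in risks if r.ale >= threshold]


def rosi(risk: Risk, control: Control) -> float:
    """Return on security investment: ALE removed minus the control's cost.
    Negative means the control costs more than the loss it prevents, the
    'expensive protection for insignificant losses' case in the article."""
    return risk.ale * control.reduction - control.annual_cost


def select_controls(risks, controls, threshold):
    """Stage four: for each unacceptable risk pick the control with the best
    ROSI, and only if that ROSI is positive. Returns {risk name: control name};
    a risk missing from the result has no cost-effective control and must be
    escalated (accepted, transferred, or treated differently)."""
    chosen = {}
    for risk in unacceptable_risks(risks, threshold):
        candidates = [c for c in controls if c.risk == risk.name]
        best = max(candidates, key=lambda c: rosi(risk, c), default=None)
        if best is not None and rosi(risk, best) > 0:
            chosen[risk.name] = best.name
    return chosen


# Constructed sample register; figures are hypothetical, not from the article.
LAPTOP = "laptop theft with unencrypted customer data"
PHISH = "phishing leading to mailbox compromise"
PAPER = "paper archive water damage"

RISKS = [
    Risk(LAPTOP, sle=200_000, aro=0.5),  # ALE 100,000
    Risk(PHISH, sle=50_000, aro=2.0),    # ALE 100,000
    Risk(PAPER, sle=5_000, aro=0.1),     # ALE 500, below threshold
]
CONTROLS = [
    Control("full-disk encryption on all laptops", LAPTOP, 15_000, 0.9),
    Control("armed guard at every exit", LAPTOP, 250_000, 0.95),
    Control("phishing-resistant MFA", PHISH, 30_000, 0.8),
    Control("annual awareness training only", PHISH, 5_000, 0.2),
    Control("fireproof cabinets", PAPER, 20_000, 0.9),
]
ACCEPTABLE_ALE = 10_000  # management's yearly acceptance threshold

if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name}: ALE={r.ale:,.0f}")
    print(select_controls(RISKS, CONTROLS, ACCEPTABLE_ALE))
```

With the constructed figures, the paper-archive risk falls under the threshold and is accepted without a control, the guard is rejected because it costs more than the loss it prevents, and encryption and MFA are selected. In practice the SLE and ARO inputs are the hard part; the arithmetic only makes the trade-off in the fourth stage explicit and auditable.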
How to ensure effective management of the information security complex?
Before developing and implementing an ISMS, objectively assess the need for such protection and, most importantly, the real possibility of using it. Practice shows that even the most effective protection measures do not help if the enterprise's staff do not observe the confidentiality regime. Therefore, to make the planned protection methods effective, it is important to approach the development of the personnel management policy correctly.
The second condition for the success of the implemented protection is its constant updating and improvement. Information technologies are constantly evolving, and with them the methods of industrial espionage; cybercrime is also on the rise. Data protection methods must therefore be kept current.
The third factor in effective information security is constant control and monitoring of the data protection complex. This is the main task of enterprise management: to establish the management processes and to control them.