Regulations for ensuring information security
Building an information security system in a company requires adopting regulations that define what users must do both during standard business processes and in emergency situations. Such regulations and provisions solve several problems at once: they streamline work with information, form the basis for the security policies of DLP systems, and, if a specific employee violates them, the documented fact that the employee was familiarized with them becomes unconditional grounds for holding that employee liable.
Why regulations need to be adopted
Regulatory acts in Russia do not insist on the mandatory adoption of information security regulations; adopting them is an initiative of a company that wants to raise the level of data security in its information system. For a DLP system to operate correctly, the security policies it contains must reflect the regulations.
As part of a pre-installation audit, the business processes described in the regulations can be examined for appropriateness and, where possible, partially optimized to avoid unnecessary operations. For example, obtaining written consent from management and the security service for transferring information via e-mail can be replaced by pressing a single button in the electronic document management system.
Structure of the regulation
When developing information security regulations, each company takes into account the specifics of its production processes, information infrastructure and system architecture. A bank, whose internal system may not have Internet access and whose employees work under rules set by the standards of the Central Bank of the Russian Federation, and a thermal power plant, where the main task of the information system is to maintain security, will have different models of employee interaction with workstations and networks, and their regulations will differ accordingly. The information security regulations developed by a small firm in the trade or service sector will have a standard structure.
General provisions and basic responsibilities of the user
This section sets out the basic concepts used in the document, the regulatory acts its authors relied on when preparing it, and the responsibilities of security personnel. Usually, it is in this section that responsibility for complying with the rules of the regulations and for keeping confidential information safe is spelled out. This is extremely important: employees who have not been notified of their obligation to protect trade secrets, confidential information and other restricted-access information may pass it to third parties, whether intentionally or not, having fallen victim to social engineering.
Information security requirements cannot be met if employees are not notified of them against signature.
Other possible responsibilities of company employees and of IT department staff:
- exclude the possibility of third parties gaining access to documents containing confidential information;
- not use someone else's means of identification, not hand over their own to anyone, and not log in to the system under someone else's account;
- observe the established levels of access to information;
- not copy confidential data to removable media without the manager's authorization, not transfer it over any communication channels, and not disclose it to persons who lack the appropriate level of access;
- comply with the requirements and rules for working with technical protection tools, including cryptographic protection tools;
- monitor the state of their automated workstation and inform the security service of all situations that have the nature of information security incidents, namely: a broken seal indicating an attempt to access a protected area, incorrect operation of anti-virus protection, software malfunctions, detected file changes, and failure of peripheral devices;
- ensure that no self-installed programs are present on their workstation;
- not copy any files or text information for any purpose without obtaining the manager's approval.
This list of rules is not exhaustive. Often, to ensure information security, these rules are moved into a separate instruction on working with computers and storage media, leaving only general provisions in the regulations.
Ensuring anti-virus protection
Information leaks caused by targeted hacker attacks are less frequent than information theft for competitive intelligence, aimed at obtaining valuable information about the company's business. Most often, however, information is lost, loses its integrity, or falls into the hands of third parties because of malicious programs: viruses, Trojans and logic bombs.
Therefore, it is advisable to devote a separate section of the regulations to ensuring anti-virus protection.
This section needs to consider:
- the main ways and means by which virus-infected information can enter the company's system;
- the cases in which the user is entitled or obliged to use anti-virus protection on their own, and the cases in which they are obliged to report an incident to the IT department so that it can make a decision within its area of competence;
- the actions prohibited to the user when working with anti-virus protection, in particular disabling it.
Personal data security
If an organization processes the personal data (PD) of employees, customers or other third parties, the legal regulation of such processing is quite strict. Allocating a special section to it in the information security regulations will, on the one hand, duplicate the Regulation on the processing of personal data, and, on the other hand, once again remind the user how seriously its confidentiality must be maintained.
The section may contain the following provisions:
- the grounds for access to information resources and for processing files containing personal data. Usually, the ground is the inclusion of an employee in the list of persons entitled to work with personal data. Formalizing admission in this way makes it easier to control employees who may delete, modify, or disclose information;
- the employee's duty to study the regulatory legal acts on the protection of personal data, as well as the technical means and regulations aimed at solving this task;
- the actions prohibited to an employee admitted to PD processing: changing the configuration of a computer or software products, processing personal data in the presence of third parties, leaving documents or electronic media containing PD at the workplace, and using errors in programs to distribute or change PD;
- the liability measures applied to persons admitted to the processing of personal data whose actions led to its disclosure.
Working on the Internet
Ensuring information security is impossible without observing the rules and regulations for working with the Internet, e-mail, instant messengers, and other channels of communication and information transfer. This section sets out how the company may use the Internet, including:
- maintaining the company's website;
- disclosure of information about the activities of the company in cases stipulated by federal laws;
- information and analytical work;
- sending e-mail. Most often, the company installs an e-mail client that allows correspondence to be tracked.
In most companies, other uses of the Internet must be agreed with the security service or the head of the department in order to ensure information security. Some companies form sets of Internet resources available to users in accordance with their job position. The section also stipulates the use of anti-virus and other technical protection, the obligation to archive mail traffic, and the prohibition on using laptops or smartphones with their own independent Internet access in the workplace.
This section can describe the rules for working with digital signature keys, with removable media, information security tools, and the specifics of using corporate laptops outside the company's information perimeter.
The rules introduced in this section depend on the features of the information system and business processes, for example on the presence of specialized software that requires compliance with the company's standards for administration and use; such rules may, for instance, govern the transfer of information from 1C to management accounting systems.
The regulations are always approved at the level of the company's management. It is advisable to include references to them, and to the need for their strict implementation, in job descriptions and employment contracts. This improves employee discipline, since employees realize that they can be held liable for failing to ensure information security and for non-compliance with the regulations.