Information security of state institutions
An information security policy is the basis for the successful development of any modern organization, including those in the public sector. Compliance with the requirements of international and interstate standards in the field of information protection is what allows a state institution to operate stably. To keep its assets secure, each organization must develop and maintain processes for managing its databases, information and technology, and must ensure the appropriate level of integrity, availability and confidentiality of information.
Why should government agencies create information security policies?
Organizing and maintaining the information security (IS) policy of a state institution involves many aspects. All provisions relating to information security should be agreed with the organization's management and included in the internal standards for the information security management system (ISMS).
The ISMS is designed to provide the required degree of data integrity, availability and confidentiality by applying a quality management process and by giving third parties assurance that risk management is carried out correctly.
It is important that the ISMS is an organic part of the business processes of a state institution, integrated with existing production processes and with the overall structure of enterprise management. The organization's IS requirements should be taken into account when developing management methods, information systems and controls. It is equally important that the scale of the ISMS implementation matches the needs of the government agency.
The ISMS of a state institution can also be used by third parties to assess its ability to meet the established IS requirements.
Developing the IS policy of a state institution makes it possible to:
- implement security management systems for the information resources of the state institution;
- evaluate the ISMS as it applies to information protection and to the financial activities of the enterprise;
- analyze the ISMS as it applies to intellectual property and the personal data of employees;
- validate the ISMS for data entrusted to the institution by customers or third parties.
What does it mean to keep government data secure?
Information security of the assets of a public institution includes:
- eliminating the possibility of unintentional or unauthorized access to the information resources of the state institution;
- organizing appropriate systems and tools that prevent the dissemination of personal data;
- distributing (delimiting) user access rights for operating on information;
- creating conditions that prevent leakage, theft, loss, unintentional destruction, copying, alteration (modification), blocking and disclosure of data;
- creating data banks that ensure the safety, integrity, reliability and confidentiality of data.
To prevent cybercriminals from maliciously influencing information, any forward-looking state institution adds a specialized division to its organizational structure. The competence of the department's specialists covers all issues relating to information security systems and tools, the organization of secure storage and distribution of data, work with system users, the assignment of access rights and password management.
The hardware, software and combined hardware-software tools of a state institution intended for organizing information protection must be certified in accordance with the requirements of the current technical regulatory legal acts (TRLA) and interstate standards. Only an accredited testing laboratory may carry out certification or attestation.
How can a government institution conduct an information security risk analysis?
Regardless of its field of activity and number of personnel, a state institution must formulate and apply procedures for analyzing information security risk that:
- establish and control the degree of information security risk (the level of risk acceptance and the performance of risk assessments);
- ensure that repeating the information security risk analysis produces adequate and consistent results;
- provide analysis algorithms aimed at identifying information security risks;
- identify the owners of the risks: internal staff, attackers, third parties and others;
- provide an assessment of the potential threats should a risk be realized, an assessment of the likelihood of the risk recurring, and a determination of the significance of the risk.
What legislative acts regulate the information security of a state institution and the application of ISMS standards?
Comprehensive implementation of the ISMS requirements of a state institution is supported by the corresponding international standards and documents. The most widespread and extensive set of ISMS standards is the series developed under the auspices of a joint working group of ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission). This is the series of standards under the general title "Information Technology. Security Techniques", where each separate document is dedicated to a distinct field of application and addresses a variety of aspects of information security.
The total number of international ISO/IEC standards in the field of ISMS exceeds four dozen. The main documents are:
- ISO/IEC 27000, which describes the key standards of the ISMS series, the introductory provisions of the ISMS, the Plan-Do-Check-Act (PDCA) process cycle, and the terminology base for the ISMS series of standards;
- ISO/IEC 27001, whose requirements relate to the establishment, implementation, maintenance and continual improvement of an ISMS in the context of government business processes. Certain provisions of the standard also apply to the assessment and treatment of information security risks according to the conditions under which the state institution operates;
- ISO/IEC 27002, which covers the processes and methods for implementing and maintaining information security in a government institution. The purpose of the standard is to establish general guidelines for the routine measures that improve the ISMS;
- ISO/IEC 27004, which provides guidance for developing and applying methods of measuring and evaluating the effectiveness of an ISMS. The scope of this International Standard (as defined in ISO/IEC 27001) covers monitoring and control systems (a set of controls). The standard can be applied to government agencies of any type and size.
The implementation of international (ISO/IEC) standards in any government institution begins with harmonization: first, an interstate (GOST) or national (GOST R) standard of the Russian Federation identical to the ISO/IEC standard must be developed.
Compliance with the requirements of these standards, and the inclusion of the provisions of the ISO/IEC documents in the information security policy of a state institution, will minimize the cost of software- and hardware-based information security and will help prevent the unintended dissemination of data.
The practical application of ISMS standards has no "contraindications": it does not lead to negative consequences in any area and does not depend on the field of activity of the state institution.