Scientific and technological progress has made information buyable, sellable and exchangeable. Data cost is often several times higher than the cost of the entire technological system which is used to store and process data.
The quality of commercial information ensures the necessary economic benefit for the company. Therefore, critical data should be protected from illegal activities. This will allow the company to be ahead of the competitors in the market.
Definition of Information Security
Information security (IS) is the state of the information system in which it is the least vulnerable to the intervention and damage by third parties. Data security also implies the management of risks associated with the disclosure of information or impact on hardware and software security modules.
The security of information processed in the company implies a set of measures aimed at protecting the information environment within the company. At the same time, there should be no restrictions on the use and dynamic development of the information for authorized individuals.
Requirements for the IS System
Data protection should be:
- Sustained. An intruder can attempt to bypass targeted data protection modules at any time.
- Target. Information must be protected under a specific goal set by a company or data owner.
- Planned. All protection methods must comply with state standards, laws and by-laws that regulate the confidential data protection.
- Active. All activities to support the security system operation and enhancement should be performed on a regular basis.
- Comprehensive. It is not preferable to use separate protection modules or technical means. It is necessary to implement all protection means in full. Otherwise, the system use will be unreasonable and not feasible from an economic point of view.
- Universal. Protection means should be selected according to the existing data channels in the company.
- Reliable. All protection methods must reliably block all possible ways to access protected information by an attacker, regardless of the data presentation.
Security System Model
Information is considered protected if the three main characteristics are provided.
The first – integrity – implies ensuring the reliability and correct display of protected data, regardless of the used security systems and methods of protection. Data processing should not be interrupted, and system users who work with protected files should not face unauthorized modification or destruction of resources, as well as software malfunctions.
The second – confidentiality – means that only authorized users of the protection system can view and edit the data.
Third – accessibility – implies that all authorized users must have access to confidential information.
It is enough to neglect just one characteristics of protected information to make the system use meaningless.
Stages of Development and Maintenance of the Information Security System
The development of an information security system has three stages.
The first stage involves developing a basic model of the system which will function in the company. For this, it is necessary to analyze all types of data that circulate in the company and need protection from the attacks by third parties. The work plan at the initial stage should provide answers to four questions:
- What data sources should be protected?
- What is the aim of gaining access to protected information?
The aim can be to familiarize, change, modify or destroy data. Each action is illegal if performed by an attacker. The familiarization does not result in the destruction of the data structure while modification and destruction lead to partial or complete loss of information.
- What is the source of confidential information?
Sources in this case are people and information resources: documents, flash drives, publications, products, computer systems, and means of work.
- What are the ways to gain access? And how can we protect the system from unauthorized exposure?
There are the following ways of access:
- Unauthorized access – illegal use of data.
- Leakage – uncontrolled dissemination of information outside the corporate network. The leakage occurs due to shortcomings and weaknesses in the technical channel of the security system.
- Disclosure is caused by human factors. Authorized users may expose information to competitors, intentionally or by negligence.
Second stage involves the development of a protection system, or implementation of all selected methods, means and directions of data protection.
The system is built in several areas of protection and at several levels which interact with each other to ensure reliable control of information.
Legal level ensures compliance with state standards in the field of information protection and includes copyright, decrees, patents and job descriptions. A competently developed security system does not violate user rights and data processing standards.
Organizational level allows you to develop the rules for working with confidential information, find employees, organize work with documents and physical data carriers.
The rules for working with confidential information are called access differentiation rules (access control rules). The rules are set by the company's management jointly with the security service and provider who deploys a security system. The goal is to establish access rights for each user, for example, the right to read, edit, and transfer confidential documents. Access control rules are developed at the corporate level and are implemented at the stage of working with the technical components of the system.
Technical level is conditionally divided into physical, hardware, software, and mathematical sublevels.
- Physical – creation of barriers around the protected object: security systems, noise masking, reinforcement of architectural design
- Hardware – installation of hardware: special computers, employee monitoring systems, systems for server and corporate network protection
- Software – installation of software shell, implementation of access differentiation rules, and testing
- Mathematical – implementation of cryptographic and stenographic methods of data protection for secure transmission over a corporate or global network.
The third and final stage is the maintenance of the system, ongoing monitoring and risk management. It is important for the security module to be flexible and allow the security administrator to promptly enhance the system if new potential threats are detected.
Types of Confidential Data
Confidential data is the information access to which is restricted in accordance with the state laws and norms established by companies.
- Personal confidential data: personal data of citizens, the right to privacy, to correspondence, and to concealment of identity. An exception is the information transmitted through the mass media.
- Official confidential data: information which can be restricted only by the state (state authorities).
- Judicial confidential data: secrecy of investigation and legal proceedings.
- Commercial confidential data: all types of information related to commerce (profit) and access to which is restricted by law or by the enterprise (secret developments, production technology, etc.).
- Professional confidential data: data related to the activities of citizens, for example, medical, notarial or advocate secrets whose disclosure is punishable by law.
Threats to Confidentiality of Information Resources
A threat is a possible or actual attempt to seize the protected information resources. The sources of threats can be competitors, intruders, and governing bodies. The aim of any threat is to affect the integrity, completeness and accessibility of data.
Threats can be internal or external. External threats are outside attempts to gain access to data. They are accompanied by the hacking into servers, networks, employee accounts and reading information from technical leak channels (acoustic reading using bugs, cameras, pick up of hardware, reception of vibroacoustic information from windows and architectural structures).
Internal threats include the misconduct of the company’s staff, work department or management. As a result, a system user who works with confidential information can expose information to unauthorized personnel. This threat is the most common. An employee can be leaking confidential data to competitors for years. It is not difficult since the administrator does not recognize the activities of an authorized user as threats.
Unauthorized access can be attempted in several ways:
- Through employees who can transfer confidential data to intruders, take physical media outside or access protected information through printed documents.
- Using software. Attackers can steal username and password pairs, intercept cryptographic keys to decrypt data, and perform unauthorized copying of information.
- Using hardware components of an automated system, for example, the use of listening devices or hardware for reading information from a distance (outside the controlled area).