#information security
Building an information security system in a company from scratch.
Information security, as well as economic, personal, always begins with the head of the company (business owner), because if he is indifferent to possible problems, then he will not protect himself from them either.
As a person who makes money on that very information security, I am pleased to see that there are not so many people who are not worried about potential problems.
After all, any businessman knows very well that all business in Russia is a stable and constant threat. As soon as a company starts doing something, expect trouble.
Of course, it would be desirable to lay down some straw in advance, but you need to know the place: — where exactly to lay it down.
Most likely, there will be more than one or two such places…
Moreover, threats to information security (hereinafter — IS) of a company are usually not in first place.
However, if an organization has come to the understanding that they need to do something in terms of information security, then along with the discussion of “what and how” to do, there will undoubtedly be a discussion of “who” will do it and “how much it will cost.”
Let’s try to consider these questions.
First, let’s define what is information security of an organization?
Information security of an organization is the state of security of the organization’s information environment, ensuring its formation, use and development.
Information security (data) is determined by the absence of unacceptable risk associated with information leakage through technical channels, unauthorized and unintentional impacts on data and (or) other resources of the automated information system used in the application of information technology.
Information protection— is an activity to prevent leakage of protected information, unauthorized and unintentional impacts on protected information, that is, a process aimed at achieving this state.
Information security — is the protection of information and supporting infrastructure from accidental or intentional impacts of a natural or artificial nature that are fraught with damage to the owners or users of information and supporting infrastructure.
Information security is the protection of confidentiality, integrity and availability of information.
Information security (data) is determined by the absence of unacceptable risk associated with information leakage through technical channels, unauthorized and unintentional impacts on data and (or) other resources of the automated information system used in the application of information technology.
Information security is a state of protection of information (data) that ensures the security of the information for which it is used and the information security of the automated information system in which it is implemented.
Information security — is an activity to prevent leakage of protected information, unauthorized and unintentional impacts on protected information, that is, a process aimed at achieving this state.
There are many more definitions that can be given, but in my opinion, they do not provide much clarity.
In general, the terminology problem in the field of information security is very acute.
There are quite a lot of terms used: information security, information security, information technology security, and, finally, information protection.
It would seem that they are all talking about the same thing, however, experts can discuss the difference between these concepts for hours, because there are hardly more than a dozen people in the entire country who can explain this difference right away and clearly.
In order to avoid such “religious” disputes, I have long been puzzled by the search for a simple and understandable explanation. Especially since communication with owners or managers of organizations still occurs at a conceptual level, without the use of special terms.
During one of these conversations, the rule of three «C's» was formed, figuratively explaining the essence and objectives of information security:
1. So that nothing is stolen;
2. So that there are no problems with regulators;
3. So that it is inexpensive.
Of course, this is a deliberate simplification.
From such a definition to the information security department is a long way.
Where to start creating an information security system if the company has never had such a function before, or it did, but fell in an unequal battle with the budget, IT and other departments?
There are not many options, in fact: try to figure out on your own what information security should do, or hire a person who has already solved a similar problem, or contact a specialized consultant.
Everyone chooses the path they take, but in the vast majority of cases, they first choose option two — hire a person.
In this simple way, people try to shift responsibility to him and hope to get rid of unnecessary headaches.
We pay him a salary, so let him figure out what to do.
Unfortunately, there are very few really good specialists who can “pull” full-fledged information security projects, so they are expensive and not everyone can afford them.
Although, compared to “good” IT specialists, information security specialists are usually cheaper.
However, while the management does not have a basis for comparison: whether the specialist is expensive or cheap, does not understand what tasks he should solve, etc., it can only indirectly (on the advice of friends, acquaintances) evaluate these parameters, it is safe to say that no one will immediately hire an expensive specialist.
And since the specialist is inexpensive and not very qualified, it means that he will not cope on his own, so someone within the organization must take him under their wing. So they begin to choose a place for this specialist, consider various options for the organizational structure and subordination.
Historically, information security is usually subordinated to economic (own, corporate).
With this approach, the employee will most often be formally checked for «innocence» and hired. In this case, the main user of the services provided by the information security specialist will be the person who hires him.
That is, most often — the head of the Security Service.
Accordingly, first of all, the information security specialist will solve his tasks, and they can sometimes differ greatly from the real needs of the organization.
After all, most of the heads of the Security Services wore shoulder straps yesterday, and, to put it mildly, are far from understanding the essence of information security.
In addition, in our country, no one believes in the real power and capabilities of information security, so — «protection from pioneers».
That is why you so often hear complaints from «colleagues in the shop» that it is impossible to get through to the manager, there is no budget, etc.
Where would the budget come from? — if you were hired for a specific position, in a specific cell of the organizational structure, beyond which it is practically impossible to go.
In addition to the location of information security in the security service, there are other options: in IT, in internal control (audit), risks, and finally, the ultimate dream of the average information security specialist — a separate division directly reporting to one of the top officials of the company.
Although direct subordination does not help most information security specialists at all, and even on the contrary, is often harmful.
There is no forum or professional conference dedicated to information security issues where the topic of the connection between information security and (pronounce it with bated breath) “Business” has not been discussed recently.
In this, information security specialists are guided by their colleagues from IT, adopting the corresponding expressions from them, and trying to prove the usefulness of information security for “Business”.
At the same time, they blame everything on the mythical “Business”, saying that it (Business) must realize the problems of information security, and if it does not realize it, then nothing worthwhile will come of it.
Nobody really tries to put themselves in the shoes of the head of that very «Business» and understand what he really needs. The head has a lot of concerns — finances, accounting, personnel, etc.
Information security is far from the first place on this list.
Therefore, of course, it is difficult for the head to understand: why should he allocate a significant amount of money for something unclear.
Especially since the company will not earn anything on this. In this matter, the charisma of the information security specialist plays a very large role.
How clearly he can explain the need and advantages of implementing a particular security tool.
Therefore, there should not be a significant difference between where information security is located in the organizational structure, since it is essentially not a position, but a role (function)!
This role can be dedicated, can be combined, or can be distributed among different employees or departments.
The main thing is that everything works!
If we turn to Western experience, the main practical guide to creating information security is, undoubtedly, the ISO 27000 series of standards. In fact, this is a step-by-step guide on how and what to do.
Unfortunately, in our country, Western standards do not work in most cases (the exception is mainly subsidiaries of Western companies).
A great deal of credit for this goes to home-grown Russian consultants who tell the client that the standard is not applicable in Russia, it simply won’t work, since everything is special here, so the consultants add their own experience to the standard, often distorting or misrepresenting the meaning of the standard’s provisions.
Of course, any sensible person understands that a standard is a standard for a reason, so you don't have to reinvent the wheel, so there is no need to improve it, you just need to know how to apply it correctly. In addition, the people working in organizations involved in standardization are far from stupid, over twenty to thirty years of applying standards, the wording has worked out.
There is even a term «professional services», that is, services based on professional standards.
Unfortunately, there is no market for professional services in Russia yet.
They haven't grown up yet.
In the West, the experience of professional communities is very actively used to hone the provisions of standards.
What prevents them from doing the same in Russia? — it is unclear.
Although, recently there have been positive shifts in the right direction, for example, the Central Bank, with its set of standards on information security, which was widely discussed by specialists.
So, if the ISO 27000 series standards are correctly applied as a basis for creating information security in a company, the result will be much more bearable than if specialists start to engage in “self-indulgence”.
Nevertheless, one should be aware that the standard is not a panacea, but only a means, and a good one only for solving standard problems.
In the future, upon reaching a certain level of maturity of the organization, the role of information security will require adjustment.
What does information security mainly do in Russian companies?
First of all, most managers or owners of companies still perceive information security as something technical.
Therefore, information security primarily deals with:
— installing antivirus software,
— software updates,
— setting up firewalls,
— antispam, etc.
On the one hand, this stage is the most creative, since the IB specialists install and configure really necessary and useful things.
On the other hand, the configuration is not always successful the first time, and our people really don’t like restrictions.
When access to Odnoklassniki is closed, USB ports are blocked, ICQ is removed, the IB thereby sets almost all the company’s users against itself. After all, the security level has not increased much, but it has become really inconvenient to work.
Especially if you consider that after installing and configuring security tools, they usually move on to repression.
They find the worst enemy inside the company who dared (oh, horror!) to try to synchronize the contacts of his cell phone with the mail program and arrange a demonstrative «debriefing».
At the same time, in the settlement center, the entire accounting department has access to the client-bank program and the signature of the General Director, since the token with the key is on the chief accountant's desk.
There are many such stories to tell, banal things, but this is how things are in the overwhelming majority of Russian organizations.
Stage two – business application security usually only comes after a series of thefts, when it is simply impossible to ignore it.
Patchwork technical security is not capable of creating a basis for full-fledged protection of business applications, since most of the problems lie not in the technical, but in the organizational plane.
By auditing internal processes and analyzing the results obtained, you can not only discover weak spots from an information security point of view, but also “dig up” enough opportunities for business optimization.
The results of such studies always arouse the interest of management and increase the authority of information security.
Finally, let's consider another situation when information security is already established and works as it should.
Yes, yes, such companies also exist.
If everything works and no information security violations occur, then over time the management begins to think that the information security specialists are doing nothing and are getting paid in vain.
Therefore, one of the most important elements of information security is the ability to demonstrate your work, to put it in a clear and accessible form.
Information security is the protection of information and supporting infrastructure from accidental or intentional impacts of a natural or artificial nature, fraught with damage to the owners or users of information and supporting infrastructure.
IS specialists have to come up with metrics that allow their work to be assessed. The number and composition of metrics depends on the users for whom they are intended.
My personal experience shows that the total number of metrics for management should not exceed ten, otherwise perception will be greatly hampered.
Denis Muravyov, General Director of the 4×4 Professional Services Bureau Group of Companies
Journal «Security Director», August 2010