Methodology for building a corporate information security system.
Sergey Petrenko
Most of the directors of automation services (CIO) and information security (CISO) of Russian companies have probably asked themselves the question: «How to assess the level of security of the company's information assets and determine the prospects for the development of a corporate information security system?». Let's try to find an answer to this pressing question.
The pace of development of modern information technologies significantly outpaces the pace at which the advisory and regulatory framework of governing documents in force in Russia develops. Therefore, assessing the level of protection of a company's information assets is necessarily tied to the problem of selecting criteria and indicators of protection, as well as of the effectiveness of the corporate information security system. As a result, in addition to the requirements and recommendations of standards [1], the Constitution and federal laws [2], and the governing documents of the State Technical Commission of Russia and FAPSI [3], it is necessary to draw on a number of international recommendations: adapting to domestic conditions and applying in practice the methods of international standards such as ISO 17799, 9001, 15408, BSI [4] and others, and using information risk management methods in conjunction with assessments of the economic efficiency of investments in protecting the company's information.
Modern methods of risk management, design and maintenance of corporate information security systems should allow solving a number of tasks of the long-term strategic development of the company.
First, to quantitatively assess the current level of information security of the company, which will require identifying risks at the legal, organizational and managerial, technological, and technical levels of ensuring information security.
Second, to develop and implement a comprehensive plan for improving the corporate information security system to achieve an acceptable level of security of the company's information assets. To do this, it is necessary:
- justify and calculate financial investments in ensuring security based on risk analysis technologies, correlate security costs with potential damage and the likelihood of its occurrence;
- identify and carry out priority blocking of the most dangerous vulnerabilities before attacks on vulnerable resources are carried out;
- define functional relationships and areas of responsibility in the interaction of departments and individuals to ensure the company's information security, create the necessary package of organizational and administrative documentation;
- develop and coordinate with the organization's services and supervisory authorities a project for the implementation of the necessary security systems, taking into account the current level and trends in the development of information technology;
- ensure the maintenance of the implemented security system in accordance with the changing operating conditions of the organization, regular revisions of organizational and administrative documentation, modification of technological processes and modernization of technical means of protection.
The solution to these problems opens up new broad opportunities for officials at various levels.
This will help top managers to objectively and independently assess the current level of information security of the company, ensure the formation of a unified security concept, calculate, agree and justify the necessary costs of protecting the company. Based on the assessment received, heads of departments and services will be able to develop and justify the necessary organizational measures (composition and structure of the information security service, regulations on commercial secrets, a package of job descriptions and instructions for action in emergency situations). Middle managers will be able to reasonably select information security tools, as well as adapt and use in their work quantitative indicators for assessing information security, methods for assessing and managing security with reference to the economic efficiency of the company.
Practical recommendations for neutralizing and localizing the identified system vulnerabilities, obtained as a result of analytical research, will help in working on information security issues at various levels and, most importantly, identify the main areas of responsibility, including material, for the improper use of the company's information assets. When determining the scope of material liability for damage caused to the employer, including disclosure of commercial secrets, one should be guided by the provisions of Chapter 39 of the Labor Code of the Russian Federation.
Types of analytical work on security assessment
Analytical work in the field of information security can be carried out in the following areas:
1) «Comprehensive analysis of the company's information systems (IS) and of the information security subsystem at the legal, methodological, organizational and managerial, technological and technical levels. Risk analysis»;
2) «Development of comprehensive recommendations on methodological, organizational and managerial, technological, general technical, software and hardware support for the company's IS regime»;
3) «Organizational and technological analysis of the company's IS»;
4) «Expertise of solutions and projects»;
5) «Work on document flow analysis and delivery of standard sets of organizational and administrative documentation»;
6) «Work supporting the practical implementation of the protection plan»;
7) «Advanced training and retraining of specialists».
Let's briefly consider each of them.
Research and assessment of the state of information security of the IS and the information security subsystem of the company involve their assessment for compliance with the standard requirements of the guidelines of the State Technical Commission under the President of the Russian Federation, the standard requirements of international ISO standards and the relevant requirements of the customer company. The first area also includes work carried out on the basis of risk analysis, instrumental research (research of elements of the computer network infrastructure and corporate information system for vulnerabilities, research of the security of Internet access points). This set of works also includes the analysis of document flow, which, in turn, can be identified as an independent area.
Recommendations may concern general fundamental issues of ensuring information security (development of an information security concept, development of a corporate information security policy at the organizational and managerial, legal, technological and technical levels), applicable to many companies. Also, recommendations may be quite specific and relate to the activities of a single company (information security plan, additional work on analysis and creation of methodological, organizational and managerial, technological, infrastructural and technical support for the company's information security regime).
Organizational and technological analysis of the company's IS mainly involves assessing compliance with the standard requirements of the governing documents of the Russian Federation for the company's information security system in the field of organizational and technological standards and analyzing the company's document flow of the «confidential» category for compliance with the requirements of the information security concept, the provision on commercial secrets, and other internal company requirements to ensure the confidentiality of information. At the same time, the internal corporate concept of information security (IS) and the provision on commercial secrets must comply with the current legislation, namely the requirements of the Constitution of the Russian Federation, Articles 128 and 139 of the Civil Code of the Russian Federation, the Federal Law «On Information, Informatization and Protection of Information», the Federal Law «On Participation in International Information Exchange», and other regulatory acts.
Correct examination of solutions and projects plays an important role in ensuring the functioning of the entire information security system; such examination checks compliance with information security requirements by the expert-documentary method. Projects of individual subsystems are likewise examined against the security requirements by the expert-documentary method.
Work on document flow analysis and delivery of standard sets of organizational and administrative documentation, as a rule, includes two areas:
- analysis of document flow of a company in the category «confidential» for compliance with the requirements of the information security concept, the provisions on commercial secrets, and other internal requirements of the company to ensure confidentiality of information;
- delivery of a set of standard organizational and administrative documentation in accordance with the recommendations of the company's corporate information security policy at the organizational, managerial and legal levels.
Work supporting the practical implementation of the information security plan, in particular, consists of the following:
- development of a technical project for the modernization of information security tools installed at the company based on the results of a comprehensive analytical study of the corporate network;
- preparation of the company for certification (for certification of the customer's information technology facilities for compliance with the requirements of the governing documents of the State Technical Commission under the President of the Russian Federation, as well as for compliance with the security requirements of international standards ISO 15408, ISO 17799, ISO 9001 while ensuring the company's information security requirements);
- development of an expanded list of restricted information as part of the security policy;
- development of a package of organizational and administrative documentation in accordance with the recommendations of the company's corporate information security policy at the organizational, managerial and legal levels;
- delivery of a set of standard organizational and administrative documentation in accordance with the recommendations of the company's corporate information security policy at the organizational, managerial and legal levels.
The level of information security of a company largely depends on the qualifications of its specialists. In order to improve the qualifications and retrain personnel, it is recommended to conduct trainings on the use of information security tools, information security technologies, and to teach employees the basics of economic security.
An annual reassessment of the company's information security status also plays an important role.
Methodology for building a corporate information security system
In accordance with Article 20 of the Federal Law «On Information, Informatization and Information Protection», the purposes of information protection include: preventing leakage, theft, loss, distortion, forgery of information; preventing unauthorized actions to destroy, modify, distort, copy, block information; preventing other forms of illegal interference in information resources and information systems.
The main goal of any information security system is to ensure the stable functioning of the facility: preventing threats to its security, protecting the legitimate interests of the information owner from illegal encroachments, including the criminal acts in this sphere of relations stipulated by the Criminal Code of the Russian Federation [5], and ensuring the normal production activities of all divisions of the facility. Another task is to improve the quality of the services provided and to guarantee the security of the property rights and interests of clients [6].
To do this, it is necessary:
- classify the information as a restricted access category (official secret) [7];
- predict and promptly identify threats to the security of information resources, as well as the causes and conditions that contribute to financial, material and moral damage and to the disruption of the facility's normal functioning and development [8];
- create conditions for functioning with the least probability of the implementation of threats to the security of information resources and of causing various types of damage [9];
- create a mechanism and conditions for prompt response to threats to information security and to manifestations of negative trends in functioning, and for effective suppression of attacks on resources on the basis of legal, organizational and technical measures and means of ensuring security [10];
- create conditions for the maximum possible compensation and localization of damage caused by illegal actions of individuals and legal entities, and thereby reduce the possible negative impact of the consequences of a breach of information security [11].
When performing the work, the following model for building a corporate information security system (Fig. 1) can be used; it is based on an adaptation of the Common Criteria (ISO 15408) and of risk analysis (ISO 17799). This model complies with the special regulatory documents on information security adopted in the Russian Federation, the international standard ISO/IEC 15408 «Information Technology — Protection Methods — Information Security Assessment Criteria» and the standard ISO/IEC 17799 «Information Security Management», and takes into account the trends in the development of the domestic regulatory framework (in particular, that of the State Technical Commission of the Russian Federation) on information security issues.
Fig. 1. Model for building a corporate information security system
The presented model of information security is a set of objective external and internal factors and their impact on the state of information security at the facility and on the safety of material or information resources.
The following objective factors are considered:
- information security threats, characterized by the probability of occurrence and the probability of implementation;
- vulnerabilities of the information system or countermeasure system (information security system), affecting the probability of threat implementation;
- risk — a factor reflecting the possible damage to an organization as a result of the implementation of an information security threat: information leakage and its illegal use (risk ultimately reflects probable financial losses — direct or indirect).
To build a balanced information security system, it is assumed that an initial risk analysis in the field of information security will be conducted. Then, the optimal risk level for the organization will be determined based on the specified criterion. The information security system (countermeasures) will have to be built in such a way as to achieve the specified risk level.
The proposed methodology for conducting analytical work allows for a complete analysis and documentation of requirements related to ensuring information security, avoiding expenses on unnecessary security measures that are possible with a subjective risk assessment, providing assistance in planning and implementing protection at all stages of the life cycle of information systems, ensuring that work is carried out in a short time, providing justification for the selection of countermeasures, assessing the effectiveness of countermeasures, and comparing various options for countermeasures.
During the work, the boundaries of the study must be established. To do this, it is necessary to allocate the resources of the information system for which risk assessments will be obtained in the future. In this case, it is necessary to separate the resources under consideration and the external elements with which interaction is carried out. Resources can be computing equipment, software, data, and, in accordance with Art. 2 of the Federal Law «On Information, Informatization and Information Protection», information resources — individual documents and individual document arrays, documents and document arrays in information systems (libraries, archives, funds, databases, other information systems). Examples of external elements are communication networks (paragraph 4 of Art. 2 of the Federal Law «On Communications»), external services, etc.
When building a model, the relationships between resources will be taken into account. For example, failure of some equipment may lead to data loss or failure of another critical element of the system. Such relationships determine the basis for building an organization model from the point of view of information security.
This model, in accordance with the proposed methodology, is constructed as follows: for the allocated resources, their value is determined both from the point of view of the possible financial losses associated with them, and from the point of view of damage to the organization's reputation, disruption of its activities, non-material damage from disclosure of confidential information, etc. Then the interrelations of resources are described, security threats are determined and the probabilities of their implementation are assessed.
Based on the constructed model, it is possible to reasonably select a system of countermeasures that reduce risks to acceptable levels and have the greatest cost effectiveness. Part of the countermeasures system will be recommendations for conducting regular checks of the effectiveness of the protection system.
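The model described above (resource values, resource interrelations, threats with a probability of occurrence and a probability of implementation, and countermeasures chosen for cost effectiveness against a target risk level) can be worked through numerically. The following is an added example, not the author's code: all names and figures are constructed, and the formula risk = exposed value × P(occurrence) × P(implementation) together with the greedy "best reduction per ruble" selection are our own simplifying assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    value: float                         # financial + non-material damage if the resource is lost
    depends_on: list = field(default_factory=list)   # resources whose failure also takes this one down


@dataclass
class Threat:
    name: str
    target: str        # resource the threat directly hits
    p_occur: float     # probability the threat arises (per year)
    p_impl: float      # probability it succeeds given the current vulnerabilities


@dataclass
class Countermeasure:
    name: str
    cost: float
    reduces: dict      # threat name -> factor applied to that threat's p_impl (constructed)


def exposed_value(resources, name):
    """Value lost when `name` fails, including everything that depends on it (transitively)."""
    by_name = {r.name: r for r in resources}
    total, stack, seen = 0.0, [name], set()
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        total += by_name[n].value
        stack.extend(r.name for r in resources if n in r.depends_on)
    return total


def annual_risk(resources, threats, factors=None):
    """Sum over threats of exposed value * P(occur) * P(impl), with countermeasure factors applied."""
    factors = factors or {}
    return sum(exposed_value(resources, t.target) * t.p_occur * t.p_impl * factors.get(t.name, 1.0)
               for t in threats)


def select_countermeasures(resources, threats, measures, target_risk):
    """Greedy: keep taking the measure with the best risk reduction per unit cost until the
    residual risk is at or below the target. Returns (chosen names, residual risk)."""
    factors, chosen, remaining = {}, [], list(measures)
    current = annual_risk(resources, threats, factors)
    while current > target_risk and remaining:
        best = None
        for m in remaining:
            f = dict(factors)
            for th, k in m.reduces.items():
                f[th] = f.get(th, 1.0) * k
            reduction = current - annual_risk(resources, threats, f)
            if best is None or reduction / m.cost > best[0]:
                best = (reduction / m.cost, m, f, reduction)
        _, m, f, reduction = best
        if reduction <= 0:
            break                      # nothing left that actually lowers the risk
        chosen.append(m.name)
        factors, current = f, annual_risk(resources, threats, f)
        remaining.remove(m)
    return chosen, current


# Constructed sample model: a CRM application that depends on a database server, plus a gateway.
RESOURCES = [Resource("db", 2_000_000), Resource("crm", 1_500_000, ["db"]), Resource("gateway", 300_000)]
THREATS = [Threat("ransomware", "db", 0.5, 0.4), Threat("gateway compromise", "gateway", 0.8, 0.25),
           Threat("insider leak", "crm", 0.3, 0.5)]
MEASURES = [Countermeasure("backups and segmentation", 200_000, {"ransomware": 0.25}),
            Countermeasure("gateway patch management", 30_000, {"gateway compromise": 0.2}),
            Countermeasure("DLP for CRM", 400_000, {"insider leak": 0.4})]

if __name__ == "__main__":
    print("initial annual risk:", annual_risk(RESOURCES, THREATS))
    print(select_countermeasures(RESOURCES, THREATS, MEASURES, target_risk=450_000))
```

Because the CRM depends on the database, a database threat exposes the value of both, which is why the backup measure ranks first; the DLP measure is left out once the target risk is reached.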
Ensuring increased requirements for information security involves appropriate measures at all stages of the life cycle of information technologies. Planning of these measures is carried out upon completion of the risk analysis and selection of countermeasures stage. A mandatory component of these plans is a periodic check of the compliance of the existing information security regime with the security policy, certification of the information system (technology) for compliance with the requirements of a certain security standard.
Upon completion of the work, it will be possible to determine the level of assurance of the information environment security, based on the assessment with which the object's information environment can be trusted. This approach assumes that greater assurance results from the application of greater efforts in conducting a security assessment. The adequacy of the assessment is based on the involvement in the assessment of a larger number of elements of the object's information environment, the depth achieved through the use of a larger number of projects and descriptions of implementation details in the design of the security system, and the rigor that consists in the use of a larger number of search tools and methods aimed at detecting less obvious vulnerabilities or reducing the likelihood of their presence.
Formation of an organizational security policy
Before proposing any solutions for the information security system, it is necessary to develop a security policy. The organizational security policy describes the procedure for granting and using user access rights, as well as the requirements for holding users accountable for their actions in security matters. The information security system (ISS) will be effective if it reliably supports the implementation of the rules of the security policy, and vice versa. Developing an organizational security policy consists of two stages: introducing a value structure into the description of the automation object and conducting a risk analysis; then defining the rules for every process that uses a given type of access to the resources of the automation object that have a given degree of value.
The organizational security policy is drawn up as a separate document, which is agreed upon and approved by the Customer.
First of all, it is necessary to draw up a detailed description of the general goal of building a facility security system, expressed through a set of factors or criteria that specify the goal. The set of factors serves as a basis for determining the requirements for the system (choice of alternatives). Security factors, in turn, can be divided into legal, technological, technical and organizational.
The requirements for guaranteeing the achieved protection are expressed through assessments of the security functions of the object's ISS. The assessment of the strength of the security function is performed at the level of an individual protection mechanism, and its results allow us to determine the relative ability of the corresponding security function to counter the identified threats. Based on the known attack potential, the strength of the protection function is determined, for example, by the categories «basic», «medium», «high». The attack potential is determined by examining the capabilities, resources and motives of the attacker.
The list of requirements for the information security system, the draft design, the protection plan (hereinafter referred to as technical documentation, TD) contains a set of requirements for the security of the object's information environment, which can refer to the corresponding protection profile, and also contain requirements formulated explicitly.
In general, the development of TD includes:
- clarification of protection functions;
- selection of architectural principles for building the ISS;
- development of the logical structure of the ISS (clear description of interfaces);
- clarification of the requirements for the functions that ensure the reliability of the ISS;
- development of a methodology and program for testing compliance with the formulated requirements.
At the stage of assessing the achieved security, an assessment of the measure of guarantee of the security of the information environment is made. The measure of guarantee is based on the assessment with which, after the implementation of the recommended measures, one can trust the information environment of the object. The basic provisions of this methodology assume that the degree of guarantee follows from the effectiveness of efforts in conducting a security assessment. An increase in the assessment efforts assumes:
- a significant number of elements of the object's information environment participating in the assessment process;
- expansion of project types and descriptions of implementation details when designing a security assurance system;
- rigor, consisting in the use of a larger number of search tools and methods aimed at detecting less obvious vulnerabilities or reducing the likelihood of their presence.
Conclusion
In general, the methodology considered above makes it possible to assess or reassess the current level of security of the company's information assets and to develop recommendations for ensuring (improving) the company's information security, including reducing the company's potential losses by increasing the resilience of the corporate network and developing a concept and policy for the company's security. The methodology also makes it possible to propose plans for protecting the company's confidential information transmitted over open communication channels and for protecting the company's information from deliberate distortion (destruction), unauthorized access, copying or use.
Literature
1. GOST 51583-00 «Information protection. Procedure for creating automated systems in a secure design. General requirements.» GOST R 51624-00 «Information protection. Automated systems in a secure design. General requirements.»
2. Federal Law «On Information, Informatization and Information Protection», No. 24-FZ, 1995, Art. 2; Constitution of the Russian Federation, Art. 23; Civil Code of the Russian Federation, Part I, Arts. 139, 128.
3. See footnote 1, GOST R ISO 7498-2-99 «Information technology. Open Systems Interconnection. Basic reference model. Part 1. Information security architecture».
4. The international ISO security standards were developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) and regulate information security issues. In Russia, ISO standards are not yet generally accepted, with the exception of ISO 15408, an adapted version of which was adopted by the State Standard and the State Technical Commission in the summer of 2002. The ISO standards do not conflict with the standards and recommendations of the State Technical Commission under the President of the Russian Federation and FAPSI in force in the Russian Federation, and are recommended for use by leading experts in the field of information security. ISO texts can be found at: http://iso.org/
5. Criminal Code of the Russian Federation, 1996, Articles 183, 272 — 274.
6. Rumyantsev O. G., Dodonov V. N., Legal Encyclopedic Dictionary, Moscow, «INFRA-M», 1997.
7. Decree of the President of the Russian Federation of March 6, 1997 No. 188 «On Approval of the List of Confidential Information». Resolution of the Government of the Russian Federation of December 5, 1991 No. 35 «On the List of Information That May Not Constitute a Commercial Secret».
8. See footnote 1, 2.
9. Federal Law «On Information, Informatization and Protection of Information», No. 24-FZ, 1995, Art.
10. See footnote 8; Constitution of the Russian Federation, Art. 23.
11. See footnote 9; Civil Code of the Russian Federation, Part I, Arts. 139, 128.