Categorization of information systems. Additional and enhanced security controls for a moderate level of information security. Categories of functional tasks

Editorial

Any type of human activity can be represented as a process that yields a product, material or intellectual, with a certain value, that is, a cost. Information is one variety of such values, and its value can be so high that its loss or leakage, even partial, can call into question the very existence of the company. Information security is therefore becoming more important every day, and almost every large organization has its own information security department.

The IT market offers an ever-growing range of information security products. How do you navigate this flow of offerings? How do you choose the option that is best in terms of financial cost while taking into account all the needs of your company? What selection criteria should you apply? Although the information security service of an organization or enterprise produces neither intellectual nor material value itself, no one doubts its necessity and importance, and organizations rarely economize on it.

This publication is devoted to what must be done so that the cost of information security and the level of security the company achieves stand in an optimal ratio.

Introduction

Measures to ensure information security, as is well known, do not generate income; they can only reduce the damage from possible incidents. It is therefore very important that the cost of creating and maintaining information security at the proper level be commensurate with the value of the organization's assets associated with its information system (IS). Proportionality can be achieved by categorizing the information and the information system and by selecting security controls based on the results of that categorization.

Categorizing information and information systems

The assignment of security categories to information and information systems is based on an assessment of the damage that security breaches may cause. Such incidents can prevent an organization from fulfilling its mission, compromise assets, place the company in violation of applicable law, threaten day-to-day operations, and endanger personnel. Security categories are used together with vulnerability and threat data when analyzing the risks to which an organization is exposed.

There are three main aspects of information security:

  • availability;
  • confidentiality;
  • integrity.

Generally speaking, an information security breach may affect only a subset of these aspects, just as security controls may be specific to individual aspects. It is therefore advisable to assess possible damage separately for breaches of availability, confidentiality and integrity; an integral assessment can be derived from these if needed.

It is convenient to estimate the amount of damage on a three-level scale as low, moderate or high (Fig. 1).

Figure 1. Scale for assessing damage in case of violation of information security

The potential impact on an organization is assessed as low if the loss of availability, confidentiality and/or integrity has a limited adverse effect on the organization's operations, assets and personnel. A limited adverse effect means that:

  • the organization remains capable of fulfilling the mission entrusted to it, but the effectiveness of the main functions is noticeably reduced;
  • there is little damage to the organization's assets;
  • the organization suffers minor financial losses;
  • there is little harm to personnel.

Potential damage to the organization is assessed as moderate if the loss of availability, confidentiality and/or integrity has a serious adverse effect on the organization's operations, assets and personnel. A serious adverse effect means that:

  • the company remains capable of fulfilling the mission assigned to it, but the effectiveness of the main functions is significantly reduced;
  • significant damage is caused to the assets of the organization;
  • the company suffers significant financial losses;
  • significant harm is caused to personnel that does not pose a threat to life or health.

Potential damage to the organization is assessed as high if the loss of availability, confidentiality and/or integrity has a severe or catastrophic adverse effect on the organization's operations, assets and personnel, i.e.:

  • the company loses the ability to perform all or some of its core functions;
  • major damage is caused to the assets of the organization;
  • the organization suffers major financial losses;
  • severe or catastrophic harm is inflicted on personnel, creating a possible threat to life or health.

Both user and system information must be categorized, whether it is held in electronic form or as a "hard" copy. Public information need not be assigned a confidentiality category. For example, information held on an organization's public web server has no confidentiality category, while its availability and integrity are rated as moderate.

When categorizing an information system, the categories of the information stored, processed and transmitted by the IS are taken into account, as well as the value of the assets of the IS itself: for each aspect, the maximum category across all types of information and assets is taken. To obtain an integral assessment of the system, the maximum of the categories for the three main aspects of information security is taken.

Minimum (basic) security requirements

The minimum (basic) security requirements are formulated in general terms, without regard to the category assigned to the IS. They set the basic level of information security, which all information systems must satisfy. The results of categorization matter when choosing the security controls that ensure compliance with requirements formulated on the basis of risk analysis (Fig. 2).

Figure 2. Levels of information security

The minimum security requirements (Fig. 3) cover the administrative, procedural and software and hardware levels of information security and are formulated as follows.

Figure 3. Basic security requirements for information and the IS.

  • The organization shall develop, document and publicize a formal security policy and formal procedures to address the requirements listed below and ensure that the policies and procedures are effectively implemented.
  • The organization needs to periodically conduct a risk assessment, including an assessment of threats to the mission, operations, image and reputation of the organization, its assets and personnel. These threats arise from the operation of the IS and from the processing, storage and transmission of data it carries out.
  • With regard to the purchase of systems and services in a company, it is necessary:
    • allocate sufficient resources for adequate protection of the IS;
    • when developing systems, take into account the requirements of information security;
    • restrict the use and installation of the software;
    • ensure that external service providers allocate sufficient resources to protect information, applications and/or services.
  • In the field of certification, accreditation and security assessment, the organization should carry out:
    • continuous monitoring of security controls to have confidence in their effectiveness;
    • periodic evaluation of the security controls used in the IS to verify their effectiveness;
    • development and implementation of an action plan to eliminate deficiencies and reduce or eliminate vulnerabilities in the IS;
    • authorization of the commissioning of the IS and of the establishment of connections with other information systems.
  • In the field of personnel security it is necessary:
    • ensure the trustworthiness of officials holding responsible positions, and that these persons meet the security requirements for those positions;
    • ensure the protection of information and the information system during disciplinary actions, such as dismissal or relocation of employees;
    • apply appropriate official sanctions to violators of security policies and procedures.
  • The organization shall ensure that employees are informed and trained so that:
    • IS managers and users are aware of the risks associated with their activities and of the relevant laws, regulations, guidelines, standards, instructions, etc.;
    • personnel have the appropriate practical training to perform their information security duties.
  • In the area of planning, it is necessary to develop, document, periodically update and implement IS security plans that describe the security controls (existing and planned) and the rules of conduct for personnel with access to the IS.
  • For business continuity planning, a company should establish, maintain, and effectively implement disaster response, backup, and disaster recovery plans to ensure the availability of critical information resources and continuity of operation in emergency situations.
  • In terms of responding to information security breaches, the organization should:
    • establish an operational structure for incident response, bearing in mind adequate preparatory measures, detection, analysis and localization of violations, recovery from incidents and handling of user requests;
    • ensure that incidents are traced, documented and reported to the appropriate organization officials and authorities.
  • For the purpose of physical protection, the organization should:
    • provide physical access to IS, equipment, production facilities only to authorized personnel;
    • physically protect the equipment and supporting infrastructure of the IS;
    • provide proper technical conditions for the functioning of the IS;
    • protect the IS from environmental threats;
    • ensure control of the conditions in which the IS operates;
  • In the field of access control, it is necessary to restrict access to IS assets to authorized users, to processes acting on behalf of those users, and to devices (including other IS), and to limit them to the transactions and functions those users are authorized to perform.
  • To ensure logging and auditing, it is necessary to:
    • create, protect, and maintain logs to track, analyze, investigate, and report on illegal, unauthorized, or inappropriate activity;
    • ensure traceability of actions in the IS to the user (user accountability).
  • In terms of configuration management, a company should:
    • install and maintain basic configurations;
    • have an inventory (map) of the IS, updated throughout its life cycle, which includes hardware, software and documentation;
    • establish and ensure the practical application of settings for configuring security tools in products included in the IS.
  • In the field of identification and authentication, it is necessary to ensure the identification and authentication of IS users, processes acting on behalf of users, as well as devices as a necessary condition for granting access to IS.

In addition, you need:

  • For maintenance:
    • carry out periodic and timely maintenance of the IS;
    • provide effective controls for the means, methods, mechanisms and personnel providing support.
  • To protect media:
    • protect data carriers, both digital and paper;
    • provide access to data on media only to authorized users;
    • sanitize or destroy media before decommissioning or before handing over for reuse.
  • To protect systems and communications:
    • monitor, control and protect communications (i.e. transmitted and received data) at the external and key internal boundaries of the IS;
    • apply architectural and hardware-software approaches that increase the current level of IS information security.
  • To ensure the integrity of systems and data:
    • timely identify IS and data defects, report and correct them;
    • protect the IS from malicious software;
    • monitor security alerts and reports of new threats to the information system and respond to them appropriately.

Selection of a baseline set of security controls to meet security requirements

A necessary condition for meeting security requirements is the selection and implementation of appropriate security controls, that is, the development and application of cost-effective countermeasures and means of protection. Security controls are divided into administrative, procedural, and software and hardware controls, and serve to ensure the availability, confidentiality and integrity of the information system and of the data it processes, stores and transmits.

The choice of security controls is based on the results of categorizing the data and the information system. In addition, consideration should be given to which security controls have already been implemented and for which there are specific implementation plans, as well as to the required degree of confidence in the effectiveness of the current controls.

An adequate choice of security controls is simplified if it is made from predefined baseline sets associated with the required level of information security. With a three-level scale, three baseline sets are used, for the minimum (low, basic), moderate and high levels of information security respectively.
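The categorization procedure (maximum category per aspect over all information types and system assets, then the maximum across aspects) and the baseline selection that follows from it can be written down as a small program. The following is an added example, not code from the original publication: the information types, their ratings, and the moderate/high baseline entries are constructed for illustration, and only the low baseline lists control families the article actually names. It also reports the gap between the selected baseline and the controls already implemented, which is the input to the implementation plan the text mentions.

```python
"""Security categorization of an information system and selection of a
baseline control set, following the procedure described in the article:
maximum category per aspect, then the maximum across aspects, then the
baseline set for that level. Added example, not part of the original
publication; sample information types, ratings and the moderate/high
baseline entries are constructed for illustration."""
from typing import Dict, Iterable, List, Optional, Set

# Three-level damage scale from Figure 1; the rank lets us take a maximum.
LEVELS = {"low": 0, "moderate": 1, "high": 2}
ASPECTS = ("confidentiality", "integrity", "availability")

# aspect -> level; None means "no category", e.g. confidentiality of public data
Rating = Dict[str, Optional[str]]


def _check(rating: Rating) -> None:
    """Reject a rating that names an unknown aspect or level."""
    for aspect, level in rating.items():
        if aspect not in ASPECTS:
            raise ValueError(f"unknown aspect: {aspect!r}")
        if level is not None and level not in LEVELS:
            raise ValueError(f"unknown level: {level!r}")


def categorize_system(info_types: Dict[str, Rating], asset_rating: Rating) -> Dict[str, str]:
    """Per aspect, take the maximum over all information types handled by the IS
    and over the rating of the system's own assets. A None rating does not raise
    the category, but every aspect must have at least one applicable value."""
    _check(asset_rating)
    for rating in info_types.values():
        _check(rating)
    category: Dict[str, str] = {}
    for aspect in ASPECTS:
        candidates = [asset_rating.get(aspect)] + [r.get(aspect) for r in info_types.values()]
        applicable = [lvl for lvl in candidates if lvl is not None]
        if not applicable:
            raise ValueError(f"no applicable rating for {aspect}")
        category[aspect] = max(applicable, key=LEVELS.__getitem__)
    return category


def integral_category(category: Dict[str, str]) -> str:
    """The integral category of the IS is the maximum across the three aspects."""
    return max(category.values(), key=LEVELS.__getitem__)


# Baseline control sets, cumulative by level. The low set names the control
# families the article lists for the minimum level; the moderate and high
# additions are constructed placeholders, not the article's content.
LOW_BASELINE = frozenset({
    "risk assessment", "security planning", "procurement of systems and services",
    "certification, accreditation and security assessment", "personnel security",
    "physical protection", "business continuity planning", "configuration management",
    "maintenance", "system and data integrity", "media protection",
    "response to information security breaches", "informing and training",
})
MODERATE_BASELINE = LOW_BASELINE | {"moderate-level enhancements (constructed placeholder)"}
HIGH_BASELINE = MODERATE_BASELINE | {"high-level enhancements (constructed placeholder)"}
BASELINES = {"low": LOW_BASELINE, "moderate": MODERATE_BASELINE, "high": HIGH_BASELINE}


def select_baseline(category: Dict[str, str]) -> Set[str]:
    """Pick the predefined baseline set matching the system's integral category."""
    return set(BASELINES[integral_category(category)])


def control_gap(category: Dict[str, str], implemented: Iterable[str]) -> List[str]:
    """Baseline controls not yet implemented: the input to an implementation plan."""
    return sorted(select_baseline(category) - set(implemented))


# Constructed sample: a system serving public web content and customer records.
SAMPLE_INFO_TYPES: Dict[str, Rating] = {
    "public web content": {"confidentiality": None, "integrity": "moderate", "availability": "moderate"},
    "customer records": {"confidentiality": "high", "integrity": "moderate", "availability": "low"},
}
SAMPLE_ASSET_RATING: Rating = {"confidentiality": "low", "integrity": "low", "availability": "moderate"}

if __name__ == "__main__":
    cat = categorize_system(SAMPLE_INFO_TYPES, SAMPLE_ASSET_RATING)
    print("per-aspect category:", cat)
    print("integral category:", integral_category(cat))
    print("controls still to implement:", control_gap(cat, ["risk assessment", "physical protection"]))
```

For the constructed sample the per-aspect result is confidentiality high, integrity moderate and availability moderate, so the integral category, and therefore the baseline, is high: a single high-impact information type pulls the whole system up, which is exactly the conservatism the maximum rule is meant to provide.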

Security controls for the minimum level of information security

At the minimum level of information security, it is advisable to apply the following administrative security controls (Fig. 4).

Figure 4. Security controls by IS level

  • Risk Assessment: Policies and Procedures.
    • a formal, documented risk assessment policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate policy enforcement and associated risk assessment controls.
  • Risk assessment: categorization by security requirements. Categorization of the data and the information system and documentation of the results, including justification of the established categories; the document is approved by management.
  • Risk assessment: conducting. Assessment of risks and possible damage from unauthorized access, use, disclosure, disruption, modification and / or destruction of data and / or information system, including resources managed by external organizations.
  • Risk assessment: revision of results. The results of the risk assessment are reviewed at a specified frequency, after significant changes in the IS or its supporting infrastructure, or after other events that can significantly affect the security level of the IS or its accreditation status.
  • Security Planning: Policies and Procedures.
    • a formal documented security planning policy that outlines the purpose, scope, roles, responsibilities, management support, coordination among organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate policy enforcement and associated security planning controls.
  • Security planning: IS security plan. Development and implementation of a plan for the information system that describes the security requirements for the IS and the existing and planned security controls that serve to fulfill these requirements; the document is approved by management.
  • Security planning: changing the IS security plan. The IS security plan is reviewed at a given frequency. It is amended to reflect changes in the organization and its information system, or problems identified in the implementation of the plan or in the assessment of security controls.
  • Security planning: rules of conduct. The organization establishes and communicates to IS users a set of rules that describe the responsibilities and expected behavior in relation to the use of information and the information system. Before accessing the IS and its information resources, users sign an acknowledgment that they have read, understood and agree to comply with the prescribed rules of conduct.
  • Security planning: privacy assessment. The company evaluates compliance with privacy requirements in the IS.
  • Procurement of systems and services: policies and procedures.
    • a formal documented policy for the procurement of systems and services, which presents the purpose, scope, roles, responsibilities, management support, coordination among organizational structures and compliance with applicable law;
    • formal documented procedures to facilitate the enforcement of policies and associated controls for the procurement of systems and services.
  • Procurement of systems and services: allocation of resources. Determining, documenting and allocating the resources needed to adequately secure an information system in a company is part of the capital planning and investment management processes.
  • Procurement of systems and services: life cycle support. The organization manages the information system using a life cycle support methodology that takes into account information security aspects.
  • Procurement of systems and services: procurement. Purchase contracts include security requirements and/or specifications based on the results of a risk assessment.
  • Procurement of systems and services: documentation. Adequate documentation of the information system and its components must be available, protected, and distributed to authorized officials of the organization.
  • Procurement of systems and services: restrictions on the use of software. The organization enforces the existing restrictions on the use of software.
  • Procurement of systems and services: software installed by users. Explicit rules regarding the downloading and installation of software by users are enforced.
  • Procurement of systems and services: outsourcing of information services. It is necessary to ensure that external organizations providing information services apply adequate security controls that comply with applicable law and contract conditions, and to monitor the adequacy of those controls.
  • Certification, accreditation and security assessment: policies and procedures. Development, dissemination, periodic review and modification of:
    • a formal documented policy for security assessment, certification and accreditation that outlines the purpose, scope, roles, responsibilities, management support, coordination among organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate policy enforcement and the associated controls for security assessment, certification and accreditation.
  • Certification, accreditation and security assessment: connections with other IS. Authorization by the company of all connections of its information system with other IS that are outside the boundaries of accreditation, and constant monitoring / control of these connections; signing by authorized officials of an agreement on establishing connections between systems.
  • Certification, accreditation and security assessment: security assessment. The organization evaluates the security controls applied to the IS to verify that they are implemented correctly, function in accordance with the specifications, and give the expected results in terms of meeting the information security requirements for the IS.
  • Certification, accreditation and security assessment: schedule of activities. The organization develops and updates, at a given frequency, a schedule of activities describing the planned, implemented and assessed corrective actions aimed at addressing the deficiencies identified during the evaluation of security controls and at reducing or eliminating known IS vulnerabilities.
  • Certification, accreditation and security assessment: accreditation. The organization explicitly authorizes (accredits) the commissioning of the information system and re-accredits it at a specified frequency, but at least once every three years.
  • Certification, accreditation and security assessment: continuous monitoring. Constant monitoring of the security controls in the IS.

Figure 5. Maintaining the required level of security

At the minimum level, it is also advisable to apply the following procedural security controls.

  • Personnel security: policies and procedures. Development, dissemination, periodic review and modification:
    • a formal, documented personnel security policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate policy enforcement and associated personnel security controls.
  • Personnel security: categorization of positions. A certain risk level is associated with each position, and criteria are established for selecting candidates for these positions. It is advisable to review the established risk levels at a given frequency.
  • Personnel security: personnel selection. Before granting access to information and the information system, a check is made of persons who need such access.
  • Personnel security: dismissal. A dismissed employee is deprived of access to the IS, an exit interview is held, the return of all official property, including keys, identification cards and passes, is checked, and it is confirmed that the relevant officials have access to the official data created by the dismissed employee and stored in the information system.
  • Personnel security: personnel transfer. When an employee moves to another position, the organization reviews the access rights granted to him to IS and its resources, and takes appropriate actions, such as issuing new keys, identification cards, passes, closing old and establishing new system accounts, as well as changing access rights.
  • Personnel security: access agreements. Before an employee who needs access to information and the information system is granted it, appropriate agreements are drawn up (for example, on non-disclosure of information and on proper use of the IS), together with rules of conduct; the organization ensures that these agreements are signed by the parties and reviews them at a given frequency.
  • Personnel security: security requirements for employees of third-party organizations. The organization establishes security requirements, including roles and responsibilities, for third-party employees (service providers, contractors, developers, information service providers, and systems and network management services) and monitors that third-party organizations provide an adequate level of information security.
  • Personnel security: sanctions. The company has a formalized process for punishing employees who violate established security policies and procedures.
  • Physical Protection: Policies and Procedures. Developed, distributed, periodically reviewed and modified:
    • a formal documented physical protection policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate the enforcement of physical protection policies and associated controls.
  • Physical protection: physical access authorization. The organization develops and maintains up to date lists of employees who have access to the premises where the components of the information system are located (except for the premises officially considered public), appropriate certificates (badges, identification cards, smart cards) are issued; relevant officials review and approve the lists and certificates with a predetermined frequency.
  • Physical security: physical access control. It is necessary to control physical access points, including officially defined entry/exit points, to the premises where the components of the information system are located (except for the premises that are officially considered public). You should check the rights granted to employees before allowing them access. In addition, access to premises officially considered to be public access is controlled in accordance with the risk assessment.
  • Physical protection: monitoring physical access. Physical access to the system is monitored to detect and respond to violations.
  • Physical protection: visitor control. Physical access to the information system is controlled by authenticating visitors before they are allowed to enter the premises where IS components are located (except for premises officially considered public).
  • Physical protection: access logs. The organization maintains logs of visits to the premises (except those officially considered public), which record:
    • surname, name of the visitor and name of the organization;
    • visitor signature;
    • submitted documents (form of identification);
    • date and time of access (entry and exit);
    • visit purpose;
    • surname, name of the person visited and their organizational affiliation. The relevant officials review the visit logs at a given frequency.
  • Physical protection: emergency lighting. The organization needs to use and maintain automatic emergency lighting systems that turn on during power outages and cover emergency exits and escape routes.
  • Physical protection: fire protection. Fire suppression and fire detection devices/systems are applied and maintained.
  • Physical protection: temperature and humidity control. The temperature and humidity in rooms containing IS components are monitored and maintained within acceptable limits.
  • Physical protection: protection against water damage. It is necessary to protect the IS from flooding and leakage due to damage to the water supply or other causes, ensuring the availability and serviceability of the shut-off valves and informing the appropriate officials of their location.
  • Physical protection: delivery and removal. The organization controls the delivery and removal of information system components (hardware and software) and maintains information about the location of these components.
  • Business continuity planning: policies and procedures. Developed, distributed, periodically reviewed and modified:
    • a formal, documented business continuity planning policy that outlines purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate the enforcement of business continuity planning policies and associated controls.
  • Business continuity planning: business continuity plan. A plan is developed and implemented to ensure the continuous operation of the information system; it describes the roles and responsibilities of the responsible officials and gives their contact details. In addition, the plan prescribes the actions to be taken when restoring the IS after damage or accidents. The appropriate officials review and approve this plan and communicate it to the business continuity officers.
  • Business continuity planning: changing the business continuity plan. At a specified frequency, but at least once a year, the organization reviews the information system business continuity plan to reflect changes in the structure of the IS or of the organization and/or to eliminate problems identified during the implementation, execution and/or testing of the plan.
  • Business continuity planning: backup. User and system data contained in the information system (including data on the state of the IS) are backed up at a given frequency, and backup copies are stored in properly protected locations.
  • Business continuity planning: recovery. The organization uses mechanisms and supporting procedures to recover the information system after damage or accidents.
  • Configuration management: policies and procedures. Developed, distributed, periodically reviewed and modified:
    • a formal, documented configuration management policy that outlines purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate the enforcement of configuration management policies and associated controls.
  • Configuration management: baseline configuration. The organization develops, documents and maintains the current baseline configuration of the information system, an inventory of IS components and the relevant data about their owners.
  • Configuration management: configuration settings. In the organization:
    • mandatory configuration settings are approved for the information technology products used in the IS;
    • the security settings of information technology products are set to the most restrictive mode consistent with operational requirements;
    • the settings are documented;
    • proper settings of all components of the information system are ensured.
  • Maintenance: policies and procedures. Developed, distributed, periodically reviewed and modified:
    • a formal, documented maintenance policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate the enforcement of the policy and associated maintenance controls.
  • Maintenance: periodic maintenance. The organization plans, implements and documents the day-to-day, preventive and regular maintenance of information system components in accordance with the manufacturer's or supplier's specifications and/or organizational requirements.
  • Maintenance: remote maintenance. The organization authorizes, controls and monitors remote maintenance and diagnostic activities.
  • Maintenance: maintenance personnel. It is necessary to maintain a list of persons authorized to maintain the information system. Only authorized personnel maintain the IS.
  • Systems and Data Integrity: Policies and Procedures. Development, dissemination, periodic review and modification:
    • a formal documented system and data integrity policy that outlines purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate policy enforcement; and associated system and data integrity controls.
  • Integrity of systems and data: elimination of defects. Identification of defects in the information system, informing about them and correcting them.
  • System and data integrity: protection against malicious software. The organization implements protection against malicious software in the information system, including the capability for automatic updates.
  • System and data integrity: security alerts and new threat reporting. Security alerts and reports of new threats to the IS must be regularly monitored, brought to the attention of the appropriate officials, and responded to appropriately.
  • Media protection: policies and procedures. Development, dissemination, periodic review and modification of:
    • a formal, documented media protection policy that outlines purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate policy enforcement and associated media protection controls.
  • Media protection: media access. Only authorized users have access to information in printed form or on digital media removed from the information system.
  • Media protection: sanitization and decommissioning. The organization:
    • sanitizes media (both paper and digital) before decommissioning or reuse;
    • traces, documents and verifies media sanitization activities;
    • periodically tests sanitization equipment and procedures to ensure they are functioning correctly.
  • Response to Information Security Violations: Policies and Procedures. Development, dissemination, periodic review and modification:
    • a formal, documented information security breach response policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable law;
    • formal documented procedures to facilitate policy enforcement and associated controls for responding to information security breaches.
  • Structures are formed in the company to respond to information security breaches (response team), including preparation, detection and analysis, localization, elimination of impact and recovery from breaches.
  • It is necessary to bring information about IS violations to the attention of authorized officials in a timely manner.
  • A structure is formed for issuing recommendations to, and assisting, IS users in responding to and reporting information security violations; this structure is an integral part of the response team.
  • Information and education: policies and procedures. Development, dissemination, periodic review and modification:
    • a formal, documented employee information and training policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate policy enforcement and associated controls for informing and educating employees.
  • Informing and training: informing about the problems of information security. It should be ensured that all users, including managers, are provided with basic information on information security issues before these users are granted access to IS; such informing should continue further with a given frequency, but not less than once a year.
  • Informing and training: training on information security issues. It is necessary to identify officials who play an important role and bear responsibility for ensuring the information security of the IS, document these roles and responsibilities, and provide appropriate training to these individuals before granting them access to the IS. Such training should continue afterwards with a given frequency.
  • Informing and training: documenting training on information security issues. The company documents and tracks the progress of each employee's training on IS issues, including an introductory course and courses specific to IS.
  • Informing and educating: contacts with information security groups and associations. It is advisable to establish and maintain contacts with groups, forums and associations specializing in the field of information security in order to keep abreast of the current state of information security, advanced recommended protective means, methods and technologies.

At the minimum level of information security, it is recommended to use the following software and hardware (technical) security controls.

  • Identification and authentication: policies and procedures. Development, dissemination, periodic review and modification:
    • a formal documented identification and authentication policy that outlines purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate policy enforcement and associated identification and authentication controls.
  • The information system uniquely identifies and authenticates users (or processes acting on behalf of users).
  • Identification and authentication: identity management. An organization manages user identities through:
    • unique identification of each user;
    • verification of the identifier of each user;
    • obtaining official approval from authorized officials to issue a user identifier;
    • ensure that the identifier is issued to the correct user;
    • termination of the user identifier after a given period of inactivity;
    • archiving user IDs.
  • Identification and authentication: management of authenticators. The company manages authenticators in the information system (tokens, certificates in the public key infrastructure, biometric data, passwords, key cards, etc.) through:
    • determining the initial content of authenticators;
    • regulation of administrative procedures for the initial distribution of authenticators, replacement of lost, compromised or damaged authenticators, as well as revocation of authenticators;
    • changing the default (vendor-supplied) authenticators after installation of the information system.
  • Identification and authentication: authenticator feedback. The information system obscures the feedback (echo) of authentication information during the authentication process in order to protect this information from possible use by unauthorized persons.
  • Identification and authentication: authentication against cryptographic modules. For authentication with respect to cryptographic modules, the information system uses methods that meet the requirements of the standards for such modules.
  • Access Control: Policies and Procedures. Development, dissemination, periodic review and modification:
    • a formal, documented access control policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate policy enforcement and associated access controls.
  • The organization manages accounts in the information system, including their creation, activation, modification, revision (with a given frequency), deactivation and deletion.
  • The information system enforces assigned privileges to control access to the system in accordance with applicable policy.
  • Access control: failed login attempts. The information system enforces a given limit on the number of consecutive unsuccessful login attempts by a user within a specified period of time; when the maximum allowed number of failed attempts is exceeded, it automatically locks the account for a given time or delays the next login prompt according to a given algorithm.
  • Access control: system usage warning. The information system displays an officially approved warning message about the use of the system before granting access to it, informing potential users:
    • about the organizational affiliation of the system;
    • about possible monitoring, logging and auditing of the use of the system;
    • on the prohibition and possible punishment for unauthorized use of the system;
    • about the user's consent to monitoring and logging in case of using the system; the warning message contains the relevant provisions of the security policy and remains on the screen until the user takes explicit action to enter the IS.
  • Access control: supervision and viewing. The organization supervises and checks the actions of users in relation to the implementation and use of access controls available in the IS.
  • Access control: actions allowed without identification and authentication. Definition of specific user actions that can be performed in the information system without identification and authentication.
  • Documentation, tracking and control of all types of remote access to the IS (for example, via dial-up modem lines or via the Internet), including remote access to perform privileged actions; appropriate officials authorize the use of each type of remote access and grant it only to those users who need it.
  • The organization:
    • establishes restrictions on the use of wireless technologies and manages their implementation;
    • documents, monitors and controls wireless access to the IS; relevant officials authorize the use of wireless technologies.
  • Access control: personal information systems. Limitation of the use of personal information systems for production needs, including the processing, storage and transfer of production information.
  • Logging and auditing: policies and procedures. Development, dissemination, periodic review and modification:
    • a formal documented logging and auditing policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate policy enforcement and associated logging and audit controls.
  • Logging and auditing: logged events. The information system generates registration records for given events.
  • The information system stores enough information in the records to establish what event occurred, what was the source of the event, what was the outcome of the event.
  • Logging and auditing: Resources for storing registration information. It is necessary to allocate sufficient resources to store registration information and configure logging to prevent exhaustion of these resources.
  • In the event of a logging failure or exhaustion of registration information storage resources, the information system warns the relevant officials and takes the specified additional actions.
  • Logging and auditing: protection of registration information. The information system protects registration information and logging/audit tools from unauthorized access, modification and deletion.
  • Logging and auditing: retention of registration information. Registration information should be retained for a specified period of time to support investigations of past information security breaches and to comply with applicable laws and organizational retention requirements.
  • Protecting Systems and Communications: Policies and Procedures. Development, dissemination, periodic review and modification:
    • a formal, documented system and communications security policy that outlines purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable law;
    • formal documented procedures to facilitate policy enforcement and associated systems and communications security controls.
  • Protection of systems and communications: protection against attacks on availability. The information system protects against specified types of attacks on availability (denial of service) or limits their impact.
  • The information system monitors and controls communications at its external and key internal IS boundaries.
  • Protection of systems and communications: use of approved cryptography. If the information system uses cryptographic means, they must meet the requirements of current legislation, technical regulations, standards, guidelines and normative documents, and industry and organizational standards.
  • Protection of systems and communications: protection of public systems. The information system ensures the integrity of data and applications for public systems.
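The failed-login control and the logging controls above can be demonstrated together. The following is an added example (not code from the original article): a small login guard that counts consecutive failures within a window, locks the account or delays the next prompt, and writes an audit record stating the event, its source and its outcome. The thresholds, the `LoginGuard` class and the sample credentials are assumptions chosen for illustration.

```python
"""Added example (not from the original article): enforcement of a failed-login
limit with account locking and progressive prompt delay, plus audit records
that capture the event, its source and its outcome.
All thresholds, names and sample data below are assumptions for illustration."""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed policy values; the article only says "given" / "specified".
MAX_FAILED = 5              # consecutive failures allowed ...
WINDOW_SECONDS = 15 * 60    # ... within this period
LOCK_SECONDS = 30 * 60      # lock duration once the limit is exceeded
MAX_DELAY_SECONDS = 60      # cap for the progressive prompt delay


@dataclass
class AuditRecord:
    """What happened, where it came from, and how it ended (the three facts
    the logging control requires every record to establish)."""
    timestamp: float
    event: str
    source: str
    outcome: str


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    """Assumed helper: wraps credential checking with lockout and auditing."""

    def __init__(self, credentials: Dict[str, str], clock: Callable[[], float] = time.time):
        self._credentials = credentials  # {user: password}; demo only, never store plaintext
        self._clock = clock              # injectable so the behaviour can be tested offline
        self._state: Dict[str, AccountState] = {}
        self.audit: List[AuditRecord] = []

    def _record(self, event: str, source: str, outcome: str) -> None:
        self.audit.append(AuditRecord(self._clock(), event, source, outcome))

    def _recent_failures(self, user: str, now: float) -> AccountState:
        st = self._state.setdefault(user, AccountState())
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        return st

    def next_prompt_delay(self, user: str) -> int:
        """Seconds the caller should wait before showing the next login prompt:
        doubles with each consecutive failure inside the window (assumed algorithm)."""
        st = self._recent_failures(user, self._clock())
        if not st.failures:
            return 0
        return min(2 ** (len(st.failures) - 1), MAX_DELAY_SECONDS)

    def attempt(self, user: str, password: str, client: str) -> str:
        """Return "ok", "fail" or "locked"; every path leaves an audit record."""
        now = self._clock()
        st = self._recent_failures(user, now)
        source = f"{user}@{client}"
        if now < st.locked_until:
            self._record("login", source, "denied: account locked")
            return "locked"
        stored = self._credentials.get(user, "")
        if stored and hmac.compare_digest(stored, password):
            st.failures.clear()
            self._record("login", source, "success")
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILED:
            st.locked_until = now + LOCK_SECONDS
            st.failures.clear()
            self._record("account_lock", source,
                         f"locked for {LOCK_SECONDS}s after {MAX_FAILED} consecutive failures")
            return "locked"
        self._record("login", source, "failure")
        return "fail"


if __name__ == "__main__":
    # Constructed walk-through with a controllable clock.
    fake_now = [1_000.0]
    guard = LoginGuard({"alice": "correct horse"}, clock=lambda: fake_now[0])
    for _ in range(MAX_FAILED):
        print(guard.attempt("alice", "wrong", "10.0.0.5"), guard.next_prompt_delay("alice"))
    fake_now[0] += LOCK_SECONDS + 1
    print(guard.attempt("alice", "correct horse", "10.0.0.5"))
    for rec in guard.audit:
        print(rec)
```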

Additional and enhanced security controls for a moderate level of information security

For a moderate level of information security, it is advisable to use the following additional and enhanced (compared to the minimum level) security regulators.

  • With a given frequency or after the appearance of information about new IS-critical vulnerabilities, it is necessary to scan the vulnerabilities in the information system.
  • Security planning: planning activities related to security. Ensuring proper planning and coordination of security-related activities affecting the information system in order to minimize negative impact on the work and assets of the organization (including its mission, functions, image and reputation).
  • Purchase of systems and services: documentation. It is necessary to include in the general package of documents the documentation from the manufacturer/supplier (if any), describing the functional properties of the security regulators involved in the information system, sufficiently detailed to make it possible to analyze and test the regulators.
  • Procurement of systems and services: information security design principles. The design and implementation of an information system is carried out using the principles of information security design.
  • Procurement of systems and services: security testing by the developer. The information system developer forms a security testing and assessment plan, implements it and documents the results; the latter can be used to support security certification and accreditation of the delivered IS.
  • Certification, accreditation and security assessment: security assessment. With a given frequency, but not less than once a year, it is advisable to evaluate the security controls in the information system in order to determine how well they are implemented, whether they operate in accordance with the specifications, and whether they give the expected results in terms of meeting the information security requirements for the IS.
  • Certification, accreditation and security assessment: certification against security requirements. The assessment of security controls in the information system for the purposes of certification against security requirements is carried out by an independent certification organization.
  • Physical protection: control of access to information display devices. Control of physical access to information display devices in order to protect the latter from viewing by unauthorized persons.
  • Physical protection: physical access monitoring. In real time, incoming intrusion signals and data from tracking devices are monitored.
  • Physical protection: control of visitors. Ensuring visitor escort and, if necessary, monitoring their activity.
  • Physical protection: electrical equipment and wiring. Protection of electrical equipment and wiring for the information system from damage and destruction.
  • Physical protection: emergency shutdown. For certain areas where information system resources are concentrated (data centers, server rooms, mainframe computer rooms, etc.), it should be possible to cut off power to any IS component that has failed (for example, due to a short circuit) or is endangered (for example, by a burst water pipe), without exposing personnel to the danger associated with accessing the equipment.
  • Providing a short-term uninterruptible power supply to enable the information system to be shut down gracefully in the event of a mains power failure.
  • Physical protection: fire protection. Fire suppression and fire detection devices/systems that automatically operate in the event of a fire should be implemented and maintained.
  • Physical protection: alternate work site. Employees of the organization at the alternate work site apply the appropriate security controls for the IS.
  • Physical protection: location of information system components. The components of the information system should be located in designated areas so as to minimize potential damage from physical risks and environmental threats, as well as the possibility of unauthorized access.
  • Business continuity planning: business continuity plan. The organization coordinates the development of the business continuity plan with entities responsible for related plans (e.g. disaster recovery plans, security incident response plans, etc.).
  • The company organizes training for employees on their roles and responsibilities to ensure the smooth operation of the information system, as well as with a given frequency, but at least once a year, training is held to maintain practical skills.
  • With a given frequency, but at least once a year, the organization tests the plan for ensuring the smooth operation of the information system. To do this, predetermined tests and training procedures are applied to determine the effectiveness of the plan and the readiness of the organization to implement it. Appropriate officials review the test results and initiate corrective actions. The organization coordinates the testing of the business continuity plan with entities responsible for related plans (e.g. disaster recovery plans, security breach response plans, etc.).
  • It is necessary to define an alternative storage location and conclude the necessary agreements to make it possible to store backup copies of information system data there; the spare storage location must be geographically removed from the main one so as not to expose it to the same dangers.
  • A fallback data processing location is identified and the necessary agreements initiated to allow the information system to resume critical business functions within a specified period of time if the underlying data processing facilities are unavailable. The backup data processing site is geographically removed from the main one and, therefore, is not subject to the same dangers. Potential problems with access to a backup data processing site in the event of large-scale accidents or natural disasters are identified, and explicit actions are outlined to mitigate the identified problems. The Alternate Processing Location Agreement contains priority service commitments in accordance with the organization's availability requirements.
  • The main and backup sources of telecommunication services that support the information system are determined. Necessary agreements are initiated to enable the information system to resume performing critical business functions within a given period of time if the primary source of telecommunications services is unavailable. The primary and secondary telecommunications service agreements contain priority service commitments in accordance with the organization's availability requirements. The backup source of telecommunications services does not share a single point of failure with the primary source.
  • Business continuity planning: backup. Backups are tested at a specified frequency within the organization to ensure media reliability and data integrity.
  • Configuration management: basic configuration and inventory of information system components. When installing new components, the basic configuration of the information system and the inventory of IS components change.
  • Documented and controlled changes in the information system; relevant officials authorize changes to the IS in accordance with the policies and procedures adopted by the organization.
  • Configuration Management: Monitor Configuration Changes. Changes to the information system should be tracked and their security impact analyzed to determine the effect of the changes.
  • The organization enforces physical and logical access restrictions associated with changes to the information system and generates, maintains and reviews records reflecting all such changes.
  • The information system should be configured to provide only the necessary capabilities and explicitly prohibit and/or restrict the use of certain features, ports, protocols and/or services.
  • Maintenance: Periodic maintenance. An information system maintenance log is maintained, which records:
    • date and time of service;
    • surname and name of the person who performed the service;
    • surname and name of the accompanying person, if necessary;
    • description of the actions taken to maintain the IS;
    • list of removed or relocated equipment (with identification numbers).
  • The organization authorizes, controls and monitors the use of information system maintenance tools and maintains these tools at all times.
  • Maintenance: timely maintenance. The organization receives maintenance and spare parts for specified key components of the information system within a specified period of time.
  • Integrity of systems and data: protection against malicious software. Centralized management of anti-malware mechanisms.
  • Integrity of systems and data: means and methods of information system monitoring. Application of tools and methods for monitoring events in the information system, detecting attacks and identifying unauthorized use of the IS.
  • The information system implements spam protection.
  • Systems and Data Integrity: Restrictions on Data Entry. The organization grants the right to enter data into the information system only to authorized persons.
  • System and Data Integrity: Accuracy, Completeness, Validity and Authenticity of Data. The information system checks the data for accuracy, completeness, reliability and authenticity.
  • System and Data Integrity: Error Handling. The information system explicitly detects and processes erroneous situations.
  • System and Data Integrity: Processing and Preservation of Output Data. The output of the information system is processed and stored in accordance with the organization's policies and operational requirements.
  • Media Protection: Media Labeling. Removable storage media and IS output are supplied with external labels stating the restrictions on distribution and processing of these data; specified types of media or hardware components may remain unlabeled as long as they stay within the controlled area.
  • Media Protection: Media Storage. Physical control and secure storage of data media, paper and digital, should be organized based on the maximum category assigned to the data recorded on the media.
  • Media Protection: Media Transport. Control of data media, paper and digital, and restriction of sending, receiving, transporting and delivering media to authorized persons.
  • The company trains employees in their roles and responsibilities related to responding to information security breaches of the IS, and with a given frequency, but at least once a year, conducts training to maintain practical skills.
  • With a given frequency, but not less than once a year, the means of responding to information security violations of IS are tested, while using specified tests and training procedures to determine the effectiveness of the response. The results are documented.
  • Responding to Information Security Violations: Response. Automatic mechanisms are used to support the process of responding to information security breaches.
  • It is necessary to constantly monitor and document information security violations of IS.
  • Response to information security breaches: reports of breaches. Use of automated mechanisms to facilitate reports of information security breaches.
  • Responding to Information Security Violations: Help. The use of automated mechanisms to increase the availability of information and support associated with responding to information security breaches.
  • Identification and Authentication: Identification and authentication of devices. The information system identifies and authenticates certain devices before establishing a connection with them.
  • Access control: account management. Application of automatic mechanisms to support the management of accounts in the information system; the information system automatically terminates temporary and emergency accounts after a period of time specified for each type of accounts; the information system automatically disables inactive accounts after a specified period of time.
  • Access control: enforcement. The information system ensures that access to security functions (implemented in hardware and/or software) and security data is provided only to authorized persons (eg, security administrators).
  • Access control: enforcement of control information flows. An information system enforces assigned privileges to manage information flows within the system and between interconnected systems in accordance with the accepted security policy.
  • Access control: separation of duties. The information system enforces separation of duties through the assignment of access privileges.
  • Access Control: Privilege Minimization. An information system enforces the most restrictive set of access rights/privileges required by users (or processes acting on behalf of those users) to perform their tasks.
  • Access control: session blocking. The information system prevents further access to the IS by blocking the session until the user restores access by applying the appropriate identification and authentication procedures.
  • Access control: session termination. The information system automatically terminates the session after a specified period of inactivity.
  • Access control: actions allowed without identification and authentication. The organization allows actions without identification and authentication only if they are necessary to achieve the organization's key goals.
  • Access control: remote access. Automated mechanisms are used to facilitate the monitoring and control of remote access methods, and encryption is used to protect the confidentiality of remote access sessions. All remote access must be routed through a managed access control point.
  • Access control: restrictions on wireless access. Authentication and encryption are applied to secure wireless access to the information system.
  • Access control: mobile devices. The organization:
    • establishes restrictions on use and develops guidelines for the use of mobile devices;
    • documents, monitors and controls access to the IS through such devices; appropriate officials authorize the use of mobile devices; removable hard disks or cryptography are used to protect data stored on mobile devices.
  • Logging and auditing: contents of registration records. The information system provides the ability to include in the records additional, more detailed information for logged events, identified by type, place or subject.
  • Registration information should be reviewed/analyzed regularly to identify inappropriate or atypical activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take appropriate action.
  • The information system provides the ability to reduce (filter and summarize) registration information and to generate reports.
  • Logging and auditing: timestamps. The information system provides timestamps for use in generating registration records.
  • Protection of systems and communications: separation of applications. The information system separates user functionality (including user interface services) from IS management functionality.
  • Protection of systems and communications: residual information. The information system prevents unauthorized and inadvertent transmission of information through shared system resources.
  • Protection of systems and communications: boundary protection. It is advisable to physically place publicly accessible information system components (e.g. public web servers) on separate subnets with separate physical network interfaces, to prevent public access to the internal network except for properly controlled access.
  • The information system protects the integrity of transmitted data.
  • The information system protects the confidentiality of transmitted data.
  • Protection of systems and communications: breaking network connections. Information system terminates network connection at the end of a session or after a specified period of inactivity.
  • Protection of systems and communications: development and management of cryptographic keys. The information system uses automatic mechanisms and ancillary procedures or manual procedures to generate cryptographic keys and manage keys.
  • Protection of systems and communications: collective applications. The information system prohibits remote activation of mechanisms for collective applications (for example, video or audio conferences) and provides clear evidence of their use to local users (for example, an indication of the use of video cameras or microphones).
  • Protecting Systems and Communications: Public Key Infrastructure Certificates. The organization develops and implements a certificate policy and a certification practice specification for issuing public key certificates used in an information system.
  • Protection of systems and communications: mobile code. The organization:
    • establishes restrictions on the use of mobile code technologies and develops guidelines for their use, based on the damage that malicious use of these technologies could cause to the information system;
    • documents, monitors and controls the use of mobile code in the information system; the relevant officials authorize the use of mobile code.
  • Protection of systems and communications: VoIP. The organization:
    • establishes restrictions on the use of VoIP technologies and develops guidelines for their use, based on the damage that malicious use of these technologies could cause to the information system;
    • documents, monitors and controls the use of VoIP in the information system; appropriate officials authorize the use of VoIP.
  • Protecting Systems and Communications: Secure Name Lookup Service (Authoritative Sources). Information systems (authoritative domain name servers) that provide external users with a name lookup service for accessing an organization's information resources via the Internet provide attributes for data source authentication and data integrity control to enable users to obtain guarantees of the authenticity and integrity of messages when receiving data within network transactions.
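The account-management item in the list above (automatic termination of temporary and emergency accounts, automatic disabling of inactive accounts) can be implemented as a periodic sweep over the account directory. The following is an added example, not code from the original article; the account kinds, lifetimes, inactivity limit and sample accounts are assumptions chosen for illustration.

```python
"""Added example (not from the original article): a periodic account sweep that
terminates temporary and emergency accounts once their per-type lifetime has
elapsed and disables accounts that have been inactive for too long.
Lifetimes, account kinds and sample data are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed per-type lifetimes; the article only says "specified for each type".
MAX_LIFETIME = {
    "temporary": timedelta(days=30),
    "emergency": timedelta(hours=24),
}
INACTIVITY_LIMIT = timedelta(days=90)   # assumed value

Action = Tuple[str, str, str]   # (account name, action taken, reason)


@dataclass
class Account:
    name: str
    kind: str                        # "regular", "temporary" or "emergency"
    created: datetime
    last_login: Optional[datetime]   # None if the account has never been used
    status: str = "active"           # "active", "disabled" or "terminated"


def sweep(accounts: List[Account], now: datetime) -> List[Action]:
    """Apply the lifecycle rules in place and return one entry per change,
    which the caller should write to the audit trail and the review report."""
    actions: List[Action] = []
    for acct in accounts:
        if acct.status != "active":
            continue                      # already handled by an earlier sweep
        lifetime = MAX_LIFETIME.get(acct.kind)
        if lifetime is not None and now - acct.created >= lifetime:
            # Temporary/emergency accounts expire regardless of recent use.
            acct.status = "terminated"
            actions.append((acct.name, "terminate",
                            f"{acct.kind} account exceeded lifetime of {lifetime}"))
            continue
        last_use = acct.last_login or acct.created
        if now - last_use >= INACTIVITY_LIMIT:
            # Disable rather than delete, so the account can be reviewed and
            # reactivated through the normal authorization procedure.
            acct.status = "disabled"
            actions.append((acct.name, "disable",
                            f"no login for {INACTIVITY_LIMIT}"))
    return actions


def sample_accounts(now: datetime) -> List[Account]:
    """Constructed sample directory used for the walk-through below."""
    return [
        Account("svc-admin", "regular", now - timedelta(days=400), now - timedelta(days=2)),
        Account("contractor", "temporary", now - timedelta(days=31), now - timedelta(days=1)),
        Account("break-glass-new", "emergency", now - timedelta(hours=23), None),
        Account("break-glass-old", "emergency", now - timedelta(hours=25), now - timedelta(hours=1)),
        Account("dormant", "regular", now - timedelta(days=200), now - timedelta(days=91)),
        Account("never-used", "regular", now - timedelta(days=100), None),
    ]


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for name, action, reason in sweep(sample_accounts(now), now):
        print(f"{action:9} {name:16} {reason}")
```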

Additional and enhanced security controls for a high level of information security

For a high level of information security, the use of the following additional and enhanced (compared to a moderate level) security regulators is recommended.

  • Risk assessment: vulnerability scanning. Vulnerability scanning tools include the ability to quickly update the list of scanned information system vulnerabilities.
  • With a given frequency or after the appearance of information about new IS-critical vulnerabilities, the organization updates the list of scanned information system vulnerabilities.
  • Purchase of systems and services: documentation. Documentation from the manufacturer/supplier (if any) describing the design and implementation details of the security controls involved in the information system should be included in the overall package of documents, with a level of detail sufficient to allow analysis and testing of the controls (including functional interfaces between regulator components).
  • Procurement of systems and services: configuration management by the developer. The information system developer creates and implements a configuration management plan that controls changes to the system during development, traces security defects, requires authorization of changes, and provides documentation of the plan and its implementation.
  • Physical protection: control of access to data transmission channels. Physical access to distribution and data transmission lines belonging to the IS and located within secure boundaries is controlled to prevent inadvertent damage, eavesdropping, modification in transit, breaking or physical distortion of the lines.
  • Physical protection: physical access monitoring. Automatic mechanisms are in place to ensure that potential intrusions are detected and a response initiated.
  • Physical protection: access logging. Automatic mechanisms are used to facilitate the maintenance and review of logs.
  • Physical protection: emergency power supply. It is necessary to provide long-term alternative power sources for the information system, capable of maintaining the minimum required operational capabilities in the event of a long-term failure of the primary power source.
  • Physical protection: fire protection. Fire extinguishing and fire detection devices/systems are used and maintained that automatically notify the organization and emergency services of their activation.
  • Physical protection: flood protection. Automatic mechanisms are used to automatically shut off the water in the event of an intense leakage.
  • Business continuity planning: training. Event modeling is included in training courses to facilitate effective response of employees to possible crisis situations.
  • Continuity Planning: Testing the business continuity plan. The business continuity plan is tested at the alternate site to familiarize employees with the capabilities and resources available and to assess the site's ability to maintain business continuity.
  • Continuity Planning: Alternate Storage Locations. The alternate storage location is configured to facilitate timely and efficient recovery actions; potential problems with access to the alternate storage location in the event of large-scale accidents or natural disasters are identified, and explicit actions are outlined to mitigate the identified problems.
  • Continuity Planning: Alternate Data Processing Locations. The alternate data processing site is fully configured to maintain the minimum required operational capability and is ready for use as a production site.
  • Business continuity planning: telecommunications services. The backup source of telecommunications services should be geographically distant enough from the main source so as not to be exposed to the same dangers; the main and backup sources of telecommunications services have adequate business continuity plans.
  • Business continuity planning: backup. Backups are selectively used to restore information system functionality as part of testing the business continuity plan. Backups of the operating system and other IS-critical software are stored in a separate location or in a fireproof container located separately from the operational software.
  • Business continuity planning: information system recovery. The organization includes a full recovery of the information system as part of the testing of the business continuity plan.
  • Configuration management: basic configuration and inventory of information system components. Automatic mechanisms are applied to maintain an up-to-date, complete, accurate and easily accessible basic configuration of the information system and an inventory of IS components.
  • Configuration management: control of configuration changes. Automatic mechanisms are used to:
    • document proposed changes to the information system;
    • notify relevant officials;
    • flag approvals that have not been received on time;
    • postpone changes until the necessary approval visas are obtained;
    • document the changes made to the information system.
  • Configuration management: Restrict access for changes. Automatic mechanisms are used to enforce access restrictions and maintain logging of restrictive actions.
  • Configuration management: settings. Automatic mechanisms are used for centralized management, application and verification of settings.
  • Configuration management: minimizing functionality. The information system is reviewed at a specified frequency to identify and eliminate functions, ports, protocols and other services that are not necessary.
  • Maintenance: Periodic maintenance. Automatic mechanisms are applied to ensure that periodic maintenance is planned and conducted in accordance with established requirements, as well as that records of necessary and performed maintenance activities are up to date, accurate, complete and available.
  • Maintenance: maintenance tools. All maintenance tools (e.g., diagnostic and test equipment) brought into the facility by maintenance personnel should be inspected for visible improper modifications. All media containing diagnostic test programs (e.g., software used for system maintenance and diagnostics) should be checked for malware before the media is used on an information system. All equipment used for maintenance purposes and capable of storing information is checked to ensure that it does not contain information belonging to the organization, or that it is properly sanitized before reuse. If equipment cannot be sanitized, it remains on the organization's premises or is destroyed, except as expressly authorized by the appropriate officials.
  • Maintenance: remote maintenance. All remote maintenance sessions are logged, and the appropriate officials review the log of remote sessions. The installation and use of remote diagnostic channels are documented in the security plan of the information system. Remote diagnostic or maintenance services are acceptable only if the servicing organization maintains at least the same level of security in its IS as the organization being serviced.
  • Integrity of systems and data: protection against malicious software. The information system automatically updates its protection mechanisms against malicious software.
  • System and data integrity: verification of security functionality. Within its technical capabilities, the information system verifies the correct operation of its security functions upon system startup or restart, at the command of an authorized user and/or periodically at a specified frequency, and notifies the system administrator and/or shuts down or restarts the system if any anomalies are detected.
  • Systems and Data Integrity: Software and Data Integrity. The information system detects and protects against unauthorized changes to software and data.
  • Integrity of systems and data: protection against spam. The organization centrally manages anti-spam mechanisms.
  • Media protection: access to media. Either guard posts or automatic mechanisms are used to control access to media storage locations, provide protection against unauthorized access, and log access attempts and access granted.
  • Responding to Information Security Violations: Training. Event simulations are included in the training courses to help employees respond effectively to potential crises.
  • Responding to Information Security Violations: Testing. Automatic mechanisms are used to test response capabilities more thoroughly and efficiently.
  • Responding to Information Security Violations: Monitoring. Automatic mechanisms are used to facilitate the tracking of security violations, as well as the collection and analysis of information about violations.
  • Identification and authentication: Identification and authentication of users. The information system uses multi-factor authentication.
  • Access control: account management. Automatic mechanisms are in place to ensure that account creation, modification, deactivation and termination are logged and, if necessary, notified to the appropriate persons.
  • Access Control: Manage concurrent sessions. The information system limits the number of concurrent sessions per user.
  • Access Control: Oversight and View. Automatic mechanisms are applied to make viewing user activity easier.
  • Access control: automatic marking. The information system labels the output using standard naming conventions to identify any special instructions for disseminating, processing, and distributing the data.
  • Logging and auditing: contents of registration records. The information system provides the ability to centrally manage the content of registration records generated by individual IS components.
  • Logging and auditing: processing of registration information. The information system provides issuance of a warning message when the proportion of occupied space allocated for storing registration information reaches a predetermined value.
  • Logging and auditing: monitoring, analysis and reporting of registration information. Automated mechanisms are used to integrate the monitoring, analysis and reporting of registration information into the overall process of detecting and responding to suspicious activity.
  • Logging and auditing: reduction of registration information and generation of reports. The information system provides the ability to automatically process registration information about events requiring attention, based on specified selection criteria.
  • Protection of systems and communications: isolation of security functions. An information system isolates security functions from other functions.
  • Protection of systems and communications: integrity of transmitted data. Cryptographic mechanisms are used to detect changes in data in transit unless the data is protected by alternative physical measures (for example, a protective distribution system).
  • Protection of systems and communications: confidentiality of transmitted data. Cryptographic mechanisms are used to prevent unauthorized disclosure of information during transmission unless it is protected by alternative physical measures (for example, a protective distribution system).
  • Protection of systems and communications: secure name lookup service (name resolution). Information systems (authoritative domain name servers), which provide internal users with a name lookup service for accessing information resources, provide mechanisms for data source authentication and data integrity control, and also perform these actions at the request of client systems.

Minimum Assurance Requirements for Security Controls

The minimum assurance requirements for security controls apply to the processes and activities by which controls are built and deployed. Control developers and implementers define and carry out these processes and actions to increase confidence that the controls are implemented correctly, operate in accordance with their specifications, and deliver the expected results in terms of meeting the information security requirements for the IS.

At the minimum level of information security, it is necessary that security controls be enabled and satisfy the functional requirements explicitly specified in their definition.

At the moderate level of information security, the following conditions must additionally be met. The specialists who develop (implement) the controls provide a description of their functional properties that is detailed enough to make it possible to analyze and test the controls. As an integral component of the controls, the developers document and provide the distribution of responsibilities and the specific actions by which, once development (implementation) is completed, the controls must satisfy the functional requirements imposed on them. The technology by which the controls are developed must maintain a high degree of confidence in their completeness, consistency, and correctness.

Figure 6. Ensuring information security. Process approach.

At the high level of information security, in addition to all of the above, it is necessary to provide a description of the design and implementation of the controls, including the functional interfaces between their components. Developers are required to provide evidence that, once development (implementation) is completed, the controls will satisfy their requirements continuously and consistently throughout the entire information system, and that the possibility of improving the effectiveness of the controls will be supported.

Conclusion

Ensuring information security is a complex, multifaceted process that requires making many decisions and analyzing many, sometimes contradictory, factors and requirements. The presence of categories and minimum security requirements, as well as a predefined catalog of security controls, can serve as a basis for a systems approach to ensuring information security: an approach that requires reasonable labor and material costs and is capable of producing practically acceptable results for most organizations.

    Protected information (information subject to protection) - information that is the subject of ownership and is subject to protection in accordance with the requirements of legislative and other regulatory documents, or in accordance with the requirements established by the owner of the information (the Bank).

    Protected resources of the information banking system (IBS resources to be protected) - information, functional tasks, information transmission channels and workplaces subject to protection in order to ensure the information security of the Bank, its customers and correspondents.

    Protected workplace (RM) - an object of protection (a personal computer with the corresponding set of software tools and data) for which the need to establish a regulated mode of information processing is recognized, and which is characterized by:

    • its location, as well as the degree of its physical accessibility to unauthorized persons (clients, visitors, employees not allowed to work with the RM, etc.);

    • the composition of its hardware;

    • the composition of its software and the tasks solved on it (with their particular availability categories);

    • the composition of the information stored and processed on the RM (with its particular confidentiality and integrity categories).

    RM form - a document of the established form (Appendix 3) that records the characteristics of the RM (location, configuration of hardware and software, list of tasks solved on the RM, etc.) and certifies that this RM may be operated (evidencing the fulfillment of the requirements for protecting the information processed on the RM in accordance with the category of this RM).

    Protected task - a functional task solved on a separate RM, for which the need to establish a regulated mode of information processing is recognized, and which is characterized by:

    • the set of resources used in solving it (software, data sets, devices);

    • the frequency with which it is solved;

    • the maximum allowable delay in obtaining the result of solving the task.

    Task form - a document of the established form (Appendix 2) that records the characteristics of the task (its name, purpose, type, the resources used in solving it, the groups of users of this task, their access rights to the task's resources, etc.).

    Protected information transmission channel - the path along which protected information is transmitted. Channels are divided into physical (from one device to another) and logical (from one task to another).

    Information confidentiality - a characteristic (property) subjectively determined (attributed) to information, indicating the need to restrict the circle of subjects (persons) having access to this information, and provided by the ability of the system (environment) to keep this information secret from subjects who do not have access rights to it.

    Information integrity - the property of information that consists in its existence in an undistorted form (unchanged with respect to some fixed state of it).

    Availability of information (of tasks) - a property of the processing system (environment) in which the information circulates, characterized by the ability to provide timely and unhindered access of subjects to the information of interest to them (provided the subjects have the appropriate access rights), and by the readiness of the relevant automated services (functional tasks) to serve requests from subjects whenever the need to refer to them arises.

1. General Provisions

1.1. This Regulation introduces categories (gradations of the importance of ensuring protection) of resources and establishes the procedure for categorizing the information system resources to be protected (assigning them to the appropriate categories, taking into account the degree of risk of damage to the Bank, its customers and correspondents in case of unauthorized interference in the functioning of the IBS, violation of the integrity or confidentiality of the processed information, blocking of information, or violation of the availability of the tasks solved by the IBS).

1.2. Categorization of IBS resources (definition of the requirements for their protection) is a necessary element of the organization of work to ensure the information security of the Bank and has the following objectives:

    creation of a regulatory and methodological basis for a differentiated approach to the protection of the resources of the automated system (information, tasks, channels, RM) based on their classification according to the degree of risk in case of violation of their availability, integrity or confidentiality;

    standardization of the organizational measures taken and of the allocation of hardware and software means for protecting the resources of the RMs of the IBS, and unification of their settings.

2. Categories of protected information

2.1. Based on the need to provide different levels of protection for the different types of information stored and processed in the IBS, and taking into account the possible ways of causing damage to the Bank, its customers and correspondents, three categories of confidentiality of protected information and three categories of integrity of protected information are introduced.

Categories of confidentiality of protected information:

    "HIGH" - this category includes unclassified information that is confidential in accordance with the requirements of the current legislation of the Russian Federation (bank secrecy, personal data);

    "LOW" - this category includes confidential information not classified as "HIGH", restrictions on the dissemination of which are introduced by decision of the Bank's management in accordance with the rights granted to it as the owner (authorized person) of the information by the current legislation;

    "NO REQUIREMENTS" - this category includes information for which confidentiality (restrictions on distribution) is not required.

Categories of integrity of protected information:

    "HIGH" - this category includes information whose unauthorized modification (distortion, destruction) or falsification can lead to significant direct damage to the Bank, its customers and correspondents, and whose integrity and authenticity (authentication of the source) must be ensured by guaranteed methods (for example, by means of an electronic digital signature) in accordance with the mandatory requirements of the current legislation;

    "LOW" - this category includes information whose unauthorized modification, deletion or falsification may cause minor indirect damage to the Bank, its customers and correspondents, and whose integrity (and, if necessary, authenticity) must be ensured in accordance with the decision of the Bank's management (by checksum calculation, EDS, etc.);

    "NO REQUIREMENTS" - this category includes information for which integrity (and authenticity) is not required.

2.2. In order to simplify the operations for categorizing tasks, channels and RMs, the categories of confidentiality and integrity of protected information are combined and four generalized categories of information are established: "vital", "very important", "important" and "not important". The assignment of information to one or another generalized category is carried out on the basis of its categories of confidentiality and integrity in accordance with Table 1.

Table 1

    1 - "Vital" information

    2 - "Very important" information

    3 - "Important" information

    4 - "Not important" information

3. Categories of functional tasks

3.1. Depending on the frequency of solving functional tasks and the maximum allowable delay in obtaining the results of their solution, four required degrees of accessibility of functional tasks are introduced.

Required degrees of availability of functional tasks:

    "FREE AVAILABILITY" - access to the task must be provided at any time (the task is being solved constantly, the delay in obtaining the result should not exceed a few seconds or minutes);

    "HIGH AVAILABILITY" - access to the task should be carried out without significant time delays (the task is solved daily, the delay in obtaining the result should not exceed several hours);

    "MEDIUM AVAILABILITY" - access to the task can be provided with significant time delays (the task is solved once every few days, the delay in obtaining the result should not exceed several days);

    "LOW AVAILABILITY" - time delays in accessing the task are practically unlimited (the task is solved with a period of several weeks or months, the allowable delay in obtaining the result is several weeks).

3.2. Depending on the generalized category of protected information used in solving the problem and the required degree of accessibility of the task, four categories of functional tasks are established: "first", "second", "third" and "fourth" (in accordance with Table 2).

Table 2. Definition of the functional task category

Generalized category      Required task availability
of information            Free          High          Medium        Low
"Vital"                   1             1             2             2
"Very important"          1             2             2             3
"Important"               2             2             3             3
"Not important"           2             3             3             4

4. Requirements for ensuring the security of channels for the transmission of protected information (categories of channels)

4.1. The security requirements (categories) of a logical channel for the transmission of protected information are determined by the maximum category of the two tasks between which this channel is established.

5. RM categories

5.1. Depending on the categories of tasks solved on the RM, four categories of RM are established: "A", "B", "C" and "D".

5.3. The group of RMs of category "B" includes RMs that solve at least one functional task of the second category. The categories of other tasks solved on this RM should not be lower than the third and not higher than the second.

5.4. The group of RMs of category "C" includes RMs that solve at least one functional task of the third category. The categories of other tasks solved on this RM should not be higher than the third.

Table 3

5.6. The requirements for ensuring the security of RMs of various categories (the application of the appropriate protective measures and means) are given in Appendix 5.

6. The procedure for determining the categories of protected IBS resources

6.1. Categorization is carried out on the basis of an inventory of information banking system resources (RM, tasks, information) and involves the compilation and subsequent maintenance (updating) of lists (sets of forms) of IBS resources to be protected.

6.2. Responsibility for compiling and maintaining the lists of IBS resources lies:

    in terms of compiling and maintaining the list of RMs (indicating their location, assignment to the Bank's divisions, and the composition and characteristics of their technical means) - with the Information Technology Department (hereinafter referred to as DIT);

    in terms of compiling and maintaining the list of system and applied (special) tasks solved on the RMs (indicating the lists of resources used in solving them - devices, directories, files with information) - with the technical support department of the DIT.

6.3. Responsibility for determining the requirements for ensuring confidentiality, integrity and availability, and for assigning the appropriate categories to specific RM resources (information resources and tasks), rests with the Bank's divisions that directly solve tasks on these RMs (the information owners) and with the information security department.

6.4. The approval of the categories of information resources of the IBS assigned in accordance with this "Regulations on Categorization of IBS Resources" is made by the Chairman of the Management Board of the Bank.

6.6. The categorization of IBS resources can be carried out sequentially for each RM separately with subsequent merging and formation of unified lists of IBS resources to be protected:

    the list of IBS information resources to be protected (Appendix 2);

    a list of tasks to be protected (a set of task forms);

    the list of RMs subject to protection (a set of RM forms).

At the first stage of work on categorizing the resources of a specific RM, all types of information used in solving problems on a given RM are categorized. Generalized categories of information are determined based on the established categories of confidentiality and integrity of specific types of information. Information resources to be protected are included in the "List of information resources to be protected".

At the second stage, taking into account the generalized categories of information used in solving the tasks established earlier, and the requirements for the degree of accessibility of tasks, the categorization of all functional tasks solved on this RM takes place.

At the fourth stage, based on the categories of the interacting tasks, the category of the logical channels for transmitting information between functional tasks (on different RMs) is established.

6.7. Recertification (category change) of IBS information resources is carried out when the requirements for ensuring the protection of the properties (confidentiality and integrity) of the relevant information change.

Recertification (category change) of functional tasks is carried out when the generalized categories of information resources used in solving this task are changed, as well as when the requirements for the availability of functional tasks change.

Recertification (category change) of logical channels is performed when the categories of interacting tasks are changed.

Recertification (category change) of an RM is carried out when the categories or the composition of the tasks solved on this RM change.

6.8. Periodically (once a year) or at the request of the heads of structural subdivisions of the Bank, the established categories of protected resources are reviewed for their compliance with the real state of affairs.

7. Procedure for the revision of the Regulations

7.1. In case of changes in the requirements for the protection of RM of various categories, Appendix 5 is subject to revision (with subsequent approval).

7.2. If changes and additions are made to the "List of Information Resources to be Protected", Appendix 4 is subject to revision (with subsequent approval).

Annex 1 - Methodology for categorizing protected resources

This methodology is intended to clarify the procedure for categorizing protected resources in the IBS of the Bank in accordance with the "Regulations on the categorization of resources of the information banking system". Categorization involves carrying out work to examine the IBS subsystems and structural divisions of the Bank and identify (inventory) all IBS resources that are subject to protection. An approximate sequence and the main content of specific actions for the implementation of these works are given below.

1. To conduct an information survey of all subsystems of the Bank's information system and an inventory of the IBS resources to be protected, a special working group is formed. This group includes specialists from the Information Security Department and the Information Technology Department of the Bank (who are knowledgeable in the technology of automated information processing). To give the working group the necessary status, an appropriate order of the Chairman of the Board of the Bank is issued, which, in particular, instructs all heads of the Bank's structural divisions to provide the working group with the necessary assistance in conducting the survey of the IBS. To assist the group in its work in the divisions, the heads of these divisions should allocate employees who have detailed knowledge of how information is processed in these divisions.

2. In the course of the survey of specific divisions of the Bank and information subsystems, all functional tasks solved using the IBS, as well as all types of information (information) used in solving these problems in divisions, are identified and described.

3. A general list of functional tasks is compiled and a form is drawn up (started) for each task (Appendix 2). In this case, it should be borne in mind that the same task in different departments can be called differently, and vice versa, different tasks can have the same name. At the same time, accounting is kept of software tools (general, special) used in solving the functional tasks of the unit.

4. When examining subsystems and analyzing tasks, all types of information (incoming, outgoing, stored, processed, etc.) are identified. It is necessary to identify not only information that can be classified as confidential (banking and commercial secrets, personal data), but also information subject to protection because a violation of its integrity (distortion, falsification) or availability (destruction, blocking) can cause tangible damage to the Bank, its customers or correspondents.

5. When identifying all types of information circulating and processed in the subsystems, it is desirable to assess the severity of the consequences that may result from violations of its properties (confidentiality, integrity). To obtain initial estimates of the severity of such consequences, it is advisable to survey (for example, by questionnaire) the specialists working with this information. At the same time, it is necessary to find out who may be interested in this information, how they can influence it or use it illegally, and what consequences this may lead to.

6. Information about estimates of probable damage is entered in special forms (Appendix 3). If it is impossible to quantify the likely damage, a qualitative assessment is made (for example: low, medium, high, very high).

7. When compiling a list and forms of functional tasks to be solved in the Bank, it is necessary to find out the frequency of their solution, the maximum allowable delay in obtaining the results of solving tasks and the severity of the consequences that violations of their availability can lead to (blocking the possibility of solving tasks). Estimates of probable damage are recorded in special forms (Appendix 3). If it is impossible to quantify the probable damage, a qualitative assessment is made.

8. All various types of information identified during the survey are entered in the "List of information resources to be protected".

9. It is determined (and then indicated in the List) to which type of secret (banking, commercial, personal data that does not constitute a secret) each of the identified types of information belongs (based on the requirements of the current legislation and the rights granted to them).

10. Initial proposals for assessing the categories of ensuring the confidentiality and integrity of specific types of information are clarified with the heads (leading specialists) of the structural unit of the Bank (based on their personal assessments of the likely damage from a violation of the confidentiality and integrity of information). The evaluation data of information categories are entered in the "List of information resources to be protected" (in columns 2 and 3).

11. Then the List is agreed with the heads of the Security Department, IT and Information Security Division and put forward for consideration by the Information Security Management Committee.

12. When considering the List by the Information Security Management Committee, it may be amended and supplemented. The prepared version of the "List of Information Resources to be Protected" is submitted for approval to the Chairman of the Management Board of the Bank.

13. In accordance with the categories of confidentiality and integrity specified in the approved "List of Information Resources to be Protected", a generalized category of each type of information is determined (in accordance with Table 1 of the Regulation on categorization).

14. The next step is the categorization of functional tasks. Based on the accessibility requirements set by the heads of the Bank's operational divisions and agreed with the Security and IT Department, all special (applied) functional tasks solved in the divisions using the IBS are categorized (Table 2 of the Regulations on the categorization of resources). Information about categories of special tasks is entered in task forms. The categorization of general (system) tasks and software tools outside of specific RM is not performed.

In the future, with the participation of IT specialists, it is necessary to clarify the composition of the information and software resources of each task and enter into its form information on task user groups and instructions on setting up the protection tools used in solving it (permissions for user groups to access the listed task resources). This information will be used as a standard for the settings of the protection tools of the corresponding RMs on which this task will be solved, and to control the correctness of their installation.

15. The categorization of all logical channels between functional tasks is then performed. The channel category is set based on the maximum category of tasks involved in the interaction.

16. At the last stage, the RM is categorized. The RM category is set based on the maximum category of special tasks solved on it (or the category of information used in solving general tasks). On one RM, any number of tasks can be solved, the categories of which are lower than the maximum possible on the given RM, by no more than one. Information about the RM category is entered in the RM form.
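The categorization chain from sections 3-5 of the Regulation and steps 14-16 above (Table 2 lookup for tasks, the maximum rule for logical channels, and the RM category with its "no more than one category lower" rule), as an added worked example that is not part of the Bank's documents. The Table 1 mapping is not reproduced on the page, so the generalized information category is taken as input; the workplace and task names are constructed.

```python
"""Worked example of the categorization rules in sections 3-5 of the
Regulation and steps 14-16 of Annex 1.  Added illustration, not part of the
Bank's documents; all input values below are constructed.

Conventions used here (as on the page):
  * Generalized information category: 1 "vital" .. 4 "not important".
  * Task category: 1 (first) .. 4 (fourth); a SMALLER number is a HIGHER category.
  * RM category: "A" .. "D", derived from the highest task category on the RM.
The mapping from confidentiality/integrity categories to the generalized
category (Table 1) is not reproduced on the page, so the generalized
category is taken as input.
"""
from dataclasses import dataclass, field

AVAILABILITY = ("FREE", "HIGH", "MEDIUM", "LOW")

# Table 2 of the Regulation: rows = generalized information category 1..4,
# columns = required availability in the order given in AVAILABILITY.
TABLE_2 = {
    1: (1, 1, 2, 2),   # "vital"
    2: (1, 2, 2, 3),   # "very important"
    3: (2, 2, 3, 3),   # "important"
    4: (2, 3, 3, 4),   # "not important"
}

RM_CATEGORY = {1: "A", 2: "B", 3: "C", 4: "D"}


def task_category(info_category: int, availability: str) -> int:
    """Section 3.2 / Annex 1 step 14: look up the task category in Table 2."""
    if info_category not in TABLE_2:
        raise ValueError(f"generalized information category must be 1..4, got {info_category}")
    if availability not in AVAILABILITY:
        raise ValueError(f"availability must be one of {AVAILABILITY}, got {availability!r}")
    return TABLE_2[info_category][AVAILABILITY.index(availability)]


def channel_category(task_a: int, task_b: int) -> int:
    """Section 4.1 / step 15: a logical channel takes the higher (smaller-numbered)
    category of the two tasks it connects."""
    return min(task_a, task_b)


def rm_category(task_categories: list) -> str:
    """Sections 5.3-5.4 / step 16: the RM takes the category of its most important
    task, and every other task on it may be at most one category lower.
    Raises ValueError when the task mix is not allowed on a single RM."""
    if not task_categories:
        raise ValueError("an RM must solve at least one categorized task")
    top = min(task_categories)
    too_low = [c for c in task_categories if c > top + 1]
    if too_low:
        raise ValueError(
            f"tasks of category {too_low} cannot share an RM with a category {top} task "
            f"(only categories {top} and {top + 1} are allowed there)")
    return RM_CATEGORY[top]


@dataclass
class Task:
    """One functional task as it would appear in a task form (constructed)."""
    name: str
    info_category: int
    availability: str
    category: int = field(init=False)

    def __post_init__(self):
        self.category = task_category(self.info_category, self.availability)


def categorize_rm(tasks):
    """Run the full chain for one RM: returns (RM category, {task name: category})."""
    per_task = {t.name: t.category for t in tasks}
    return rm_category(list(per_task.values())), per_task


if __name__ == "__main__":
    # Constructed sample workplace: a payments operator's PC.
    tasks = [
        Task("payment orders", 1, "HIGH"),     # vital / high availability   -> 1
        Task("client registry", 2, "MEDIUM"),  # very important / medium     -> 2
        Task("internal memos", 4, "LOW"),      # not important / low         -> 4
    ]
    try:
        print(categorize_rm(tasks))
    except ValueError as e:
        print("not allowed on one RM:", e)   # category 4 task next to category 1
    # Without the fourth-category task the workplace is a valid category "A" RM.
    print(categorize_rm(tasks[:2]))
    # Channel between the payments task (1) and a reporting task of category 3.
    print(channel_category(tasks[0].category, task_category(3, "LOW")))
```

The failing first call is the point of the example: the page's rule in step 16 rejects a workplace that mixes first- and fourth-category tasks, so such a task must be moved to another RM before the RM form can be issued.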

The problem of information security can hardly be called far-fetched. From all sides we hear about hacks, viruses, malware, attacks, threats, vulnerabilities…

Information security as a system

Information security is a set of measures among which it is impossible to single out more important ones. Information security cannot be perceived otherwise than as a complex. Everything is important here! Protection measures must be observed at all points of the network, whenever any subject works with your information (here a subject means a system user, process, computer or information processing software). Each information resource, whether it is a user's computer, an organization's server, or network hardware, must be protected from all kinds of threats. File systems, networks, etc. must be protected. In this article, we will not consider methods for implementing protection because of their huge variety.

However, it should be understood that it is impossible to provide one hundred percent protection. At the same time, it must be remembered: the higher the level of security, the more expensive the system, the more inconvenient it is to use for the user, which, accordingly, leads to a deterioration in protection against human factor. As an example, let's recall that the excessive complexity of the password leads to the fact that the user is forced to write it down on a piece of paper, which he sticks to the monitor, keyboard, etc.

There is a wide range of software aimed at solving information security problems. This antivirus programs, firewalls, built-in tools operating systems and much more. However, it is worth remembering that the most vulnerable link in protection is always Human! After all, the performance of any software depends on the quality of its writing and the literacy of the administrator who configures a particular protection tool.

Many organizations, in this regard, create information protection services (departments) or set appropriate tasks for their IT departments. However, it must be understood that it is forbidden to charge the IT service with functions that are unusual for it. This has been said and written about many times. So, let's say your organization has an information security department. What to do next? Where to begin?

Start with employee training! And in the future to make this process regular. Training personnel in the basics of information security should be a permanent task of the information security department. And you need to do this at least twice a year.

Many executives try to obtain a document called "Organization Security Policy" from the information security department right away. Is this correct? In my opinion - no. Before you sit down to write this large document, you need to answer the following questions:

  • what information do you process?
  • how is it classified by its properties?
  • what resources do you have?
  • how is information processing distributed among the resources?
  • how are the resources classified?

Information classification

Historically, as soon as the question of classifying information is raised (primarily for information owned by the state), it is immediately classified by level of secrecy (confidentiality). The requirements for availability, integrity and observability are mentioned, if at all, only in passing, among the general requirements for information processing systems.

While such a view can still be justified by the need to protect state secrets, transferring it to other subject areas looks simply ridiculous. For example, under Ukrainian legislation, the owner of information determines its level of confidentiality (unless the information belongs to the state).

In many areas, the share of confidential information is relatively small. For open information, whose disclosure causes little damage, the most important properties may be availability, integrity or protection from illegal copying. Take the website of an online publication as an example. In my opinion, the availability and integrity of its information come first, not its confidentiality. Evaluating and classifying information only from the standpoint of secrecy is unproductive at the very least.

This can only be explained by the narrowness of the traditional approach to protecting information and by the lack of experience in ensuring the availability, integrity and observability of information that is not secret (confidential).

Categories of protected information

Based on the need to provide different levels of protection for the information stored and processed in an organization (information not constituting a state secret), we introduce several categories of confidentiality and integrity of protected information.

Confidentiality categories:

  • completely confidential - information recognized as confidential under the requirements of the law, or information whose dissemination has been restricted by a management decision because its disclosure could lead to serious financial and economic consequences for the organization, up to bankruptcy;
  • confidential - information not classified as "completely confidential" whose dissemination is restricted by a management decision, in accordance with the rights granted to management as the owner of the information by current legislation, because its disclosure could lead to significant losses and loss of competitiveness for the organization (significant damage to the interests of its customers, partners or employees);
  • open - information that is not required to be kept confidential.

Integrity categories:

  • high - information whose unauthorized modification or falsification could lead to significant damage to the organization;
  • low - information whose unauthorized modification could lead to minor damage to the organization, its customers, partners or employees;
  • no requirements - information for whose integrity and authenticity there are no requirements.

By degree of availability, we introduce four categories, depending on how often the functional task is solved and the maximum allowable delay in obtaining its results:

  • real time - access to the task must be provided at any time;
  • hour - access to the task must be provided without significant delays (the task is solved every day, the delay does not exceed a few hours);
  • day - access to the task may be provided with significant delays (the task is solved every few days);
  • week - there are practically no limits on delays in accessing the task (the task is solved once every several weeks or months, and the allowable delay in obtaining the result is several weeks).

Information categorization

  1. Categorization of all types of information used in solving problems on specific computers (setting categories of confidentiality, integrity and availability of specific types of information).
  2. Categorization of all tasks that are solved on this computer.
  3. Based on the maximum categories of processed information, the category of the computer on which it is processed is set.

Resource Inventory

Before talking about protecting information in an organization, you need to understand what you are going to protect and what resources you have. To do this, an inventory and analysis of all the resources of the organization's automated system that are to be protected must be carried out:

  1. A special working group is formed to inventory and categorize the resources to be protected. It includes specialists from the computer security department and from other departments of the organization who can assist in considering the organization's automated information processing technology.
  2. To give the group the necessary organizational and legal status, the organization's management issues an order stating that all heads of the relevant departments must render the working group every necessary assistance in analyzing the resources of all computers.
  3. To assist the group in their divisions, division heads allocate employees who have detailed knowledge of automated information processing in those divisions.
  4. The order is brought to the attention of all heads of the relevant departments against signature.
  5. During the survey (analysis) of the organization and its automated subsystems, all functional tasks solved using computers, and all types of information used in solving them in the departments, are identified and described.
  6. At the end of the survey, a list of the tasks solved in the organization is compiled, with a form for each task. Bear in mind that the same task may be called differently in different departments and, conversely, different tasks may share a name. At the same time, the software tools used in solving each unit's functional tasks are recorded.

It should be noted that the survey identifies all types of information (incoming, outgoing, stored, processed, etc.). It is necessary to identify not only confidential information, but also information whose loss of integrity or availability could cause significant damage to the organization.

When analyzing the information processed in an organization, the severity of the consequences of a violation of its properties must be assessed. To do this, the specialists who work with the information are surveyed (interviews, questionnaires). First of all, it is worth finding out who would benefit from illegally using or influencing this information. If the possible damage cannot be quantified, it is given a qualitative assessment (low, high, very high).

To determine availability categories when analyzing the tasks solved in an organization, it is necessary to identify the maximum allowable delay in obtaining results, the frequency with which each task is solved, and the severity of the consequences if its availability is violated (the task is blocked).

In the course of the analysis, each type of information is assigned a certain degree (label) of confidentiality (based on the requirements of current legislation and the rights granted to the organization).

At the same time, to assess the confidentiality category of specific types of information, the heads (leading specialists) of the structural unit give their personal assessments of the likely damage from a violation of the confidentiality and integrity of the information.

Upon completion of the analysis, a "List of information resources to be protected" is compiled.

Then this list is agreed with the heads of IT and computer security departments and put forward for consideration by the organization's management.

At the end of this stage, the functional tasks are categorized. Based on the availability requirements set by the heads of the organization's departments and agreed with the IT service, all application tasks solved in the departments are categorized (in terms of availability).

Next, with the help of IT service specialists and the information security department, the composition of each task's resources (information, software) is clarified, and the form of the specific task is supplemented with its user groups and with instructions for configuring the protection tools used in solving it (for example, the access permissions of user groups to the listed task resources). Based on this information, the protection tools of the computers on which the task will be solved are then configured.

The next step is the categorization of computers. The category of a computer is set to the maximum category of the tasks performed on it and the maximum confidentiality and integrity categories of the information used in solving those tasks. The computer's category is entered in its form.

Resource inventory means more than reconciling the existing active and passive network resources against the list of equipment (and its completeness) purchased by the organization; that reconciliation can be done with appropriate software such as Microsoft Systems Management Server. It also includes drawing up a network map describing all possible connection points, a list of the software in use, a reference fund of the licensed software used in the organization, and a fund of algorithms and programs of the organization's own design.

It should be noted that software may be allowed into operation only after the information security department has checked it for compliance with the tasks set and for the absence of any hidden implants ("bookmarks") and "logic bombs".

In this regard, I would like to mention separately the trend in our country toward using open-source software. I do not dispute that it provides significant savings. However, in my opinion, in this case security becomes a matter of trust not only in the system developer, but also in your administrator. And if you recall what he is paid, it is not hard to conclude that buying your secrets is much easier and cheaper than mounting a direct external attack. It is worth recalling that most successful attacks have been carried out by insiders, that is, the company's own employees.

In my opinion, the only acceptable way to use free software where it could cause serious damage is if it is delivered to you pre-compiled and bearing the digital signature of an organization that guarantees the absence of logic bombs, implants ("bookmarks") and "back doors" in it. Moreover, the guarantor organization must bear financial responsibility for its guarantee, which, in my opinion, is impossible. However, the choice is yours.

After verification, the reference software is entered into the fund of algorithms and programs (the reference copy must be accompanied by a file checksum or, better still, by the developer's electronic signature). Subsequently, when versions change and updates appear, the software is checked in the usual way.

Subsequently, each computer's form records the installed software, its installation date, the security tasks it serves, and the names and signatures of the persons who installed and configured it. Once such forms have been created, the information security service must ensure regular verification that the real situation matches the form.

The next step in building an information security service is an organization's risk analysis, which should become the basis for creating a security policy.

Today it is hardly possible to find an organization in which no one would ever think about protecting information. At the same time, it is not always possible to find a correct understanding of information security as a complex of organizational and technical measures. The most important element of its provision is a person, and he is also the main factor in its violation.

Information security should be perceived as a complex of organizational and technical measures, since confidentiality, integrity and availability cannot be ensured either by individual technical measures, or only by organizational ones.

Let's say you decide to provide protection by technical measures only, with no organizational documents at all. This often happens when protection is handled by the IT department, or by a head of the information security (IS) department who formerly worked in IT. What will happen in this case? Suppose one of the company's employees systematically sends confidential information by e-mail to competitors. You have discovered the leak, but you have no documents, and therefore you simply have no right to punish the employee (for example, to fire him). And if you do, a smart attacker will sue you for violating his constitutional right to private correspondence. The saddest thing is that legally he will be absolutely right: nowhere in your organization is it documented that all information transmitted by e-mail from addresses belonging to your organization is the property of the firm.

Consider the opposite extreme. It is, as a rule, characteristic of former military personnel and intelligence officers. You have excellent documents prepared, but no technical support for them at all. What will happen in this case? Sooner or later, your employees will violate the provisions of the organizational documents and, seeing that no one controls them, will do so systematically.

Thus, information security is a flexible system that includes both organizational and technical measures, and no measure can be singled out as more or less significant. Everything is important. Security measures must be observed at all points of the network, whenever any subject works with your information (a subject here means a system user, a process, a computer, or information-processing software). Each information resource, whether a user's computer or an organization's server, must be fully protected, as must file systems, the network, and so on. We will not discuss implementation methods here.

There is a huge amount of software aimed at solving information security problems: anti-virus programs, firewalls, the built-in tools of operating systems. However, the most vulnerable factor is always the person. The effectiveness of any software depends on the quality of its code and on the competence of the administrator who set it up.

Many organizations therefore create information security departments or assign information security tasks to their IT departments. But it has been said more than once that the IT service cannot be charged with functions that are not characteristic of it. Let's say your organization has an IT security department. What to do next? Where should its work start?

The first steps of the information security department

In my opinion, you need to start with employee training! And then do it at least twice a year. Training ordinary personnel in the basics of information security should be a permanent activity of the information security department!

Many managers try to obtain a document called "Security Policy" from the information security department right away. This is a mistake. Before you sit down to write this most important document, which will determine all your future efforts to ensure the information security of your organization, you need to ask yourself the following questions:

  • What information do you process?
  • How is it classified?
  • What resources do you have?
  • How is information processing distributed among the resources?
  • How are the resources classified?

Let's try to answer these questions.

Information classification

In our country, there has historically been an approach to classifying information (primarily state information) according to the levels of requirements for its security, based on one of its properties - confidentiality (secrecy).

The requirements for ensuring the integrity and availability of information, as a rule, are only indirectly mentioned among the general requirements for data processing systems.

If such an approach is justified to some extent to ensure the security of information constituting a state secret, this does not mean that transferring it to another subject area (with other subjects and their interests) will be correct.

In many areas, the share of confidential information is relatively small. For open information, whose disclosure causes insignificant damage, entirely different properties matter most, such as availability, integrity, or protection from illegal replication. For example, for payment (financial) documents, the most important property is their integrity (reliability). Next comes availability (losing a payment document or paying late can be very costly). Requirements for the confidentiality of payment documents are, as a rule, in third place.

For an Internet newspaper site, the availability and integrity of information will be in the first place, and not its confidentiality. Attempts to approach the solution of issues of protection of such information from the standpoint of the traditional provision of only confidentiality fail. The main reasons for this are the narrowness of the traditional approach to information protection, the lack of experience and relevant developments among domestic specialists in terms of ensuring the integrity and availability of information that is not confidential.

To improve the classification of information, depending on the requirements for its security, several degrees (gradations, categories) of requirements should be introduced to ensure each of the properties of information security: availability, integrity, confidentiality.

The number of gradations and the meaning attached to them may vary.

Based on the need to provide different levels of protection for different types of information (not containing information constituting a state secret) stored and processed in an organization, we will introduce several categories of confidentiality and integrity of protected information.

"Strictly Confidential" - information that is confidential under the requirements of current legislation (bank secrecy, personal data), as well as information whose distribution is restricted by decisions of the organization's management (trade secret) and whose disclosure could lead to serious financial and economic consequences for the organization, up to bankruptcy (serious damage to the vital interests of customers, correspondents, partners or employees).

"Confidential" - information not classified as "strictly confidential", restrictions on whose dissemination are introduced by decision of the organization's management in accordance with the rights granted to it as owner (authorized person) of the information by current legislation, and whose disclosure could lead to significant losses and loss of competitiveness for the organization (tangible damage to the interests of customers, correspondents, partners or employees).

"Open" - information for which confidentiality (restrictions on distribution) is not required.

"High" - information whose unauthorized modification (distortion, substitution, destruction) or falsification (forgery) could lead to significant direct damage to the organization, and whose integrity and authenticity (authentication of the source) must be ensured by guaranteed methods (electronic digital signature, EDS) in accordance with the mandatory requirements of current legislation, orders, directives and other regulations.

"Low" - information whose unauthorized modification, substitution or deletion could lead to minor indirect damage to the organization, its customers, partners or employees, and whose integrity must be ensured in accordance with a management decision (checksums, hash functions).

"No Requirements" - information for whose integrity (and authenticity) there are no requirements.

Depending on the frequency with which functional tasks are solved and the maximum allowable delay in obtaining results, four required degrees (categories) of information availability are introduced.

"Unhindered Availability" - access to the task must be provided at any time (the task is solved constantly, and the delay in obtaining the result must not exceed a few seconds or minutes).

"High Availability" - access must be provided without significant delays (the task is solved daily, and the delay in obtaining the result must not exceed several hours).

"Medium Availability" - access may be provided with significant delays (the task is solved every few days, and the delay in obtaining the result must not exceed several days).

"Low Availability" - delays in accessing the task are practically unlimited (the task is solved once every several weeks or months, and the allowable delay in obtaining the result is several weeks).

At the first stage of work, the categorization of all types of information used in solving problems on a particular computer is carried out (the categories of confidentiality and integrity of specific types of information are established). A "List of information resources to be protected" is compiled.

At the second stage, the categorization of all functional tasks performed on a given computer takes place. During the third stage, the category of the computer is established, based on the maximum categories of information processed and the tasks solved on it.

After you have distributed the information you process into the appropriate categories, you should conduct an inventory of resources.

Categorization of resources implies the identification (inventory) and analysis of all resources of the organization's information system that are subject to protection. Here is an approximate sequence and the main content of these works.

First of all, a special working group is formed to analyze all subsystems of the organization's information system, inventory and categorize resources to be protected. It includes specialists (knowledgeable in matters of automated information processing technology) of the computer security department and other departments of the organization.

An order is issued by the organization's management which, in particular, instructs all heads of structural divisions to render assistance to the working group in analyzing the resources of all computers.

To provide assistance, employees who have detailed information on automated information processing in departments should be allocated.

In the course of a survey of specific departments of the organization and subsystems of the enterprise information system, all functional tasks solved using computers, as well as all types of information used in solving these problems in departments, are identified and described.

After that, a general list of functional tasks is compiled and a form is drawn up for each task. It should be borne in mind that the same task in different departments may be called differently, and vice versa, different tasks may have the same name. At the same time, accounting is kept of software tools used in solving the functional tasks of the unit.

When examining subsystems and analyzing tasks, all types of incoming, outgoing, stored, processed, etc. information are identified. It is necessary to identify not only information that can be classified as confidential (banking and commercial secrets, personal data), but also information that must be protected due to the fact that a violation of its integrity or availability can cause significant damage to the organization.

By identifying all types of information circulating and processed in subsystems, it is necessary to assess the consequences that may result from violations of its properties. To obtain initial estimates, it is advisable to conduct a survey (for example, in the form of a questionnaire) of specialists working with this information. At the same time, it is necessary to find out who may be interested in this information, how it can be influenced or illegally used, and what consequences this may lead to.

If it is impossible to quantify the likely damage, then a qualitative assessment is given (for example: very low, low, medium, high, very high).

When compiling a list and forms of functional tasks to be solved in an organization, it is necessary to find out the frequency of their solution, the maximum allowable delay time for obtaining results, and the severity of the consequences that violations of their availability can lead to (blocking the ability to solve problems).

All types of information identified during the survey are recorded in the relevant document.

Next, it is necessary to determine what type of secret each identified type of information belongs to (banking secrecy, commercial secrecy, or personal data, which is not a secret as such), based on the requirements of current legislation and the rights granted to the organization.

Initial proposals for assessing the categories of ensuring confidentiality and integrity of specific types of information are clarified with the heads (leading specialists) of the structural unit (based on their personal assessments of the likely damage due to violation of the confidentiality and integrity of information). Then the list is agreed with the heads of departments of the automation and computer security divisions and submitted for consideration by the organization's management.

The next step is the categorization of functional tasks. Based on the accessibility requirements set by the heads of the organization's departments and agreed with the IT service, all applied functional tasks that are solved in departments using computer technology are categorized. Information is entered into task forms. You should not categorize system tasks and software tools outside of specific computers and application tasks.

In the future, with the participation of IT specialists and the information security department, it is necessary to clarify the composition of the information and software resources of each task and enter into its form information on task user groups and instructions on setting up the protection tools used to solve it. This data will be used as a reference for the security settings of the respective computers, as well as to control their installation.

At the last stage, each computer is categorized, based on the maximum category of the special tasks solved on it and the maximum confidentiality and integrity categories of the information used in solving those tasks. The computer's category is entered in its form.

Resource inventory means more than reconciling the active and passive network resources you have against the list of equipment (and its completeness) purchased by the organization. The equipment and its completeness can be verified with appropriate software (for example, Microsoft Systems Management Server, SMS).
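The three categorization steps above (information types, then tasks, then computers), together with the channel rule and the one-level rule stated earlier on the page for RMs, as an added Python model; this is not the article's own tool, and the information types, tasks and workstations it uses are constructed for illustration.

```python
"""Added worked model of the categorization procedure described on this page
(not the article's own tool). Information types carry confidentiality and
integrity categories; tasks carry an availability category and inherit the
maximum confidentiality/integrity of the information they use; channels and
workstations inherit the maximum category of the tasks they carry; and a
workstation may host only tasks whose category is at most one level below
its own. All sample data is constructed for illustration."""
from dataclasses import dataclass, field

# Ordered scales taken from the page; index 0 is the weakest requirement.
CONFIDENTIALITY = ["open", "confidential", "strictly confidential"]
INTEGRITY = ["no requirements", "low", "high"]
AVAILABILITY = ["low", "medium", "high", "unhindered"]
SCALES = {"confidentiality": CONFIDENTIALITY,
          "integrity": INTEGRITY,
          "availability": AVAILABILITY}


@dataclass
class InfoType:
    name: str
    confidentiality: str
    integrity: str


@dataclass
class Task:
    name: str
    info: list            # names of the InfoTypes the task processes
    availability: str     # set from solving frequency / allowable delay
    user_groups: list = field(default_factory=list)  # recorded in the task form


def _max_by_rank(scale, values):
    """Highest value of `values` according to the ordered `scale`."""
    return max(values, key=scale.index, default=scale[0])


def task_category(task, info_types):
    """Stage 2: a task's category is the maximum category of the information
    it uses, plus its own availability requirement."""
    used = [info_types[n] for n in task.info]
    return {
        "confidentiality": _max_by_rank(CONFIDENTIALITY, [i.confidentiality for i in used]),
        "integrity": _max_by_rank(INTEGRITY, [i.integrity for i in used]),
        "availability": task.availability,
    }


def combined_category(task_names, tasks, info_types):
    """Category of a channel or a workstation: per property, the maximum over
    the tasks involved (two tasks for a channel, all hosted tasks for a
    workstation)."""
    cats = [task_category(tasks[n], info_types) for n in task_names]
    return {prop: _max_by_rank(scale, [c[prop] for c in cats])
            for prop, scale in SCALES.items()}


def check_workstation(task_names, tasks, info_types):
    """Rule from the page: every task hosted on a workstation must be at most
    one category below the workstation's maximum on each property. Returns
    the (task, property) pairs that break the rule; an empty list means the
    mix of tasks is admissible."""
    ws = combined_category(task_names, tasks, info_types)
    violations = []
    for n in task_names:
        cat = task_category(tasks[n], info_types)
        for prop, scale in SCALES.items():
            if scale.index(ws[prop]) - scale.index(cat[prop]) > 1:
                violations.append((n, prop))
    return violations


# --- constructed sample data (not from the article) -----------------------
INFO = {i.name: i for i in [
    InfoType("payment document", "confidential", "high"),
    InfoType("news article", "open", "low"),
    InfoType("client personal data", "strictly confidential", "high"),
]}
TASKS = {t.name: t for t in [
    Task("payments", ["payment document"], "high", ["accounting"]),
    Task("publish_news", ["news article"], "unhindered", ["editors"]),
    Task("crm", ["client personal data"], "medium", ["sales"]),
]}
WS_ACCOUNTING = ["payments", "publish_news"]   # one level apart: admissible
WS_MIXED = ["crm", "publish_news"]             # two levels apart: not allowed

if __name__ == "__main__":
    for ws in (WS_ACCOUNTING, WS_MIXED):
        print(ws, combined_category(ws, TASKS, INFO),
              check_workstation(ws, TASKS, INFO) or "OK")
```

The second workstation fails on two axes at once: the CRM task is two availability levels below the news task, and the news task is two confidentiality levels below the CRM data, so the tasks would have to be split across machines.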

This also includes the creation of a network map with a description of all possible connection points, a list of software used, the formation of a fund of standards for licensed software used in an organization, as well as a fund of algorithms and programs of its own design.

It should be noted that the software can be allowed to work only after it has been checked by the information security department for compliance with the tasks set, the absence of all kinds of bookmarks and "logic bombs".

I would like to say about the trend that has appeared in our country towards the use of applications with open source. Undoubtedly, they bring significant savings in resources. However, it seems that in this case, security is determined by trust not only in the system developer, but also in your administrator. And if you take into account the salary of an administrator, it is not difficult to conclude that it is much easier and cheaper to buy your secrets than to carry out a direct external attack. It is worth mentioning that most of the successful attacks were carried out by insiders (employees of the company itself).

It seems that free software, if there is a risk of causing serious damage, can be used only on the condition that it is delivered to you in a compiled form and with a digital signature of the organization, which guarantees the absence of logic bombs, all kinds of bookmarks and backdoors. Moreover, the guarantor organization must bear financial responsibility. However, today such a proposal should be classified as unrealistic.

After verification, the reference software is entered into the fund of algorithms and programs (the reference copy must be accompanied by a checksum file, or better, by the developer's electronic signature). In the future, when changing versions, updates appear, the software is checked in the prescribed manner.

The installed software is recorded in each computer's form, together with its installation date, the purposes and tasks it serves, and the name and signature of the person who installed and configured it. Once such forms have been created, the information security service must ensure regular verification that the real situation matches the form.

The next step in building an information security service should be a risk analysis of the organization, on the basis of which a security policy will be created.

Mikhail Koptenkov | © M. Koptenkov

Information security is the state of protection of the information environment. It should be considered as a set of measures among which none can be singled out as more or less important. The concept of information security is closely related to the concept of information protection, which is the activity of preventing the leakage of protected information and unauthorized or unintentional influences on it, i.e., a process aimed at achieving the state of information security. However, before protecting information, it is necessary to determine what information should be protected and to what extent. For this purpose, categorization (classification) of information is used: establishing gradations of the importance of ensuring the security of information and assigning specific information resources to the appropriate categories. Thus, the categorization of information can be called the first step towards ensuring the organization's information security.

Historically, when information is classified, it is immediately graded by level of secrecy (confidentiality), while requirements for availability and integrity are often not taken into account or are handled only as part of the general requirements for information processing systems. This is the wrong approach. In many areas the share of confidential information is relatively small. For open information, whose disclosure causes no damage, the most important properties are availability, integrity and protection from illegal copying. An example is an online store, for which it is important that the company's website is always available. Given the need to provide different levels of protection, separate categories of confidentiality, integrity and availability can be introduced.

1. Categories of confidentiality of protected information

Confidentiality of information is a property of information indicating the need to restrict the circle of persons who have access to it.
The following categories of information confidentiality are introduced:
Strictly confidential information - information that is confidential under the requirements of the law, as well as information whose dissemination is restricted by decision of the organization's management and whose disclosure can lead to significant damage to the organization's activities.
Confidential information - information that is not strictly confidential, whose dissemination is restricted only by decision of the organization's management and whose disclosure can lead to damage to the organization's activities.
Open information - information that is not required to be kept confidential.

2. Categories of information integrity

Information integrity is a property whereby data retains a predetermined form and quality (remains unchanged relative to some fixed state).
The following categories of information integrity are introduced:
High - information whose unauthorized modification or falsification can lead to significant damage to the organization's activities.
Low - information whose unauthorized modification can lead to moderate or minor damage to the organization's activities.
No requirements - information for whose integrity there are no requirements.

3. Categories of information availability

Availability is the state of information in which subjects who have the right of access can exercise it without hindrance.
The following categories of information availability are introduced:
Unhindered availability - access to information must be provided at any time (the delay in obtaining access must not exceed a few seconds or minutes).
High availability - access to information must be provided without significant time delays (the delay in obtaining access must not exceed several hours).
Average availability - access to information may be provided with significant time delays (the delay in obtaining access must not exceed a few days).
Low availability - time delays in obtaining access are practically unlimited (the permissible delay in obtaining access is several weeks).

From the above it can be seen that the confidentiality and integrity categories depend directly on the amount of damage the organization suffers when these properties are violated. Availability categories also depend on the amount of damage, though to a lesser extent. The amount of damage is determined by subjective assessment on a three-level scale: significant damage, moderate damage and low damage (or no damage).
The damage to the organization's activities is estimated as low if the loss of availability, confidentiality and/or integrity of information has a minor negative impact on the organization's operations, its assets and personnel.
A minor negative impact means that:
- the organization remains able to carry out its activities, but the effectiveness of its main functions is reduced;
- the organization's assets suffer little damage;
- the organization suffers minor financial losses.
The damage to the organization's activities is estimated as moderate if the loss of availability, confidentiality and/or integrity has a serious negative impact on the organization's operations, assets and personnel.
A serious negative impact means that:
- the organization remains able to carry out its activities, but the effectiveness of its main functions is significantly reduced;
- the organization's assets suffer significant damage;
- the organization suffers significant financial losses.
The damage to the organization's activities is estimated as significant if the loss of availability, confidentiality and/or integrity has a severe (catastrophic) negative impact on the organization's activities, its assets and personnel, i.e.:
- the organization loses the ability to perform all or some of its main functions;
- the organization's assets are severely damaged;
- the organization suffers large financial losses.
Thus, by assessing the damage to the organization's activities from a violation of the confidentiality, integrity and availability of information, and determining the categories of the information on that basis, three types of information can be distinguished: the most critical, critical and non-critical.

The type of information is determined by comparing its categories, as shown in Table 1. An asterisk means that the category of that property does not affect the row; the information type is therefore the most severe type that any one of its three categories triggers.

Confidentiality category          | Integrity category | Availability category   | Information type
----------------------------------+--------------------+-------------------------+--------------------------
Strictly confidential information | *                  | *                       | Most critical information
*                                 | High               | *                       | Most critical information
*                                 | *                  | Unhindered availability | Most critical information
Confidential information          | *                  | *                       | Critical information
*                                 | Low                | *                       | Critical information
*                                 | *                  | High availability       | Critical information
Open information                  | No requirements    | Average availability    | Non-critical information
Open information                  | No requirements    | Low availability        | Non-critical information

Table 1: Information type definition
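The damage scale and Table 1, as an added Python example that is not part of the original article: it derives the three categories from an assessment of each asset and reads Table 1 as a worst-of-three rule, so that the asterisk rows apply to any value of the other columns. The online-store case from the text appears among the constructed assets to show open information coming out as most critical. The enum and function names, the damage-to-category mapping, the delay thresholds used for availability and the sample assets are assumptions made for the example.

```python
"""Information type from the confidentiality, integrity and availability categories
(added example, not the page's code).

Table 1 is read as a precedence rule: the information type is the worst of the three
property ratings, so a row with "*" matches any value in the other columns. The
category definitions follow the article; the damage-to-category mapping, the delay
thresholds, the names and the sample assets are assumptions constructed here.
"""
from enum import IntEnum
from typing import NamedTuple


class Damage(IntEnum):
    LOW = 1          # minor negative impact
    MODERATE = 2     # serious negative impact
    SIGNIFICANT = 3  # severe (catastrophic) negative impact


class Categories(NamedTuple):
    confidentiality: str
    integrity: str
    availability: str


def confidentiality_category(damage: Damage) -> str:
    return {Damage.SIGNIFICANT: "strictly confidential",
            Damage.MODERATE: "confidential",
            Damage.LOW: "open"}[damage]


def integrity_category(damage: Damage) -> str:
    return {Damage.SIGNIFICANT: "high",
            Damage.MODERATE: "low",
            Damage.LOW: "no requirements"}[damage]


def availability_category(max_delay_hours: float) -> str:
    """Availability is set by the tolerable delay rather than directly by damage.

    Thresholds are assumed: minutes -> unhindered, hours -> high, days -> average,
    weeks -> low.
    """
    if max_delay_hours < 1:
        return "unhindered"
    if max_delay_hours <= 24:
        return "high"
    if max_delay_hours <= 7 * 24:
        return "average"
    return "low"


# How critical each category is: 3 = most critical, 2 = critical, 1 = non-critical.
CONF_RANK = {"strictly confidential": 3, "confidential": 2, "open": 1}
INT_RANK = {"high": 3, "low": 2, "no requirements": 1}
AVAIL_RANK = {"unhindered": 3, "high": 2, "average": 1, "low": 1}
TYPE_BY_RANK = {3: "most critical", 2: "critical", 1: "non-critical"}


def information_type(c: Categories) -> str:
    """Worst-of-three rule; it reproduces every row of Table 1."""
    rank = max(CONF_RANK[c.confidentiality], INT_RANK[c.integrity], AVAIL_RANK[c.availability])
    return TYPE_BY_RANK[rank]


def categorize(conf_damage: Damage, int_damage: Damage, max_delay_hours: float) -> Categories:
    return Categories(confidentiality_category(conf_damage),
                      integrity_category(int_damage),
                      availability_category(max_delay_hours))


# Constructed assessments: (confidentiality damage, integrity damage, tolerable delay in hours).
ASSETS = {
    "online shop catalogue": (Damage.LOW, Damage.SIGNIFICANT, 0.1),
    "payroll database": (Damage.SIGNIFICANT, Damage.SIGNIFICANT, 8),
    "internal phone list": (Damage.MODERATE, Damage.LOW, 48),
    "archived press releases": (Damage.LOW, Damage.LOW, 24 * 30),
}


def classify_assets(assets: dict) -> dict:
    """asset name -> (Categories, information type)."""
    result = {}
    for name, (conf_damage, int_damage, delay) in assets.items():
        cats = categorize(conf_damage, int_damage, delay)
        result[name] = (cats, information_type(cats))
    return result


if __name__ == "__main__":
    for name, (cats, itype) in classify_assets(ASSETS).items():
        print(f"{name:26} {cats.confidentiality:22} {cats.integrity:16} "
              f"{cats.availability:11} -> {itype}")
```

The shop catalogue is open information with no confidentiality requirement at all, yet its high integrity requirement and unhindered availability place it in the most critical type, which is exactly the point the text makes against grading information by secrecy alone.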

Thus, the categorization of information is the first step towards ensuring the information security of an organization, since before anything is protected it is necessary to determine what exactly needs to be protected and to what extent. Both user and system information, whether in electronic form or on a tangible medium, should be categorized. To determine the type of information to be protected, it is necessary to determine how much damage the organization will incur if the confidentiality, integrity or availability of that information is lost.
Once the type to which particular information belongs has been determined, different protection measures can be applied to each type. This makes it possible not only to structure the data processed in the organization, but also to implement and use the subsystem for controlling access to protected information most efficiently, and to optimize information security costs.

