
Categorization of information and information systems. Assignment of categories. Regulation on the categorization of resources of the information banking system

Mikhail Koptenkov | © M. Koptenkov

Information security is the state of protection of the information environment. It should be treated as a set of measures among which none can be singled out as more or less important. The concept of information security is closely related to that of information protection, which is the activity of preventing leakage of protected information and unauthorized or unintended impacts on it, i.e. a process aimed at reaching the state of information security. Before information can be protected, however, it must be determined which information needs protection and to what extent. This is the purpose of categorization (classification) of information: establishing gradations of the importance of ensuring information security and assigning specific information resources to the corresponding categories. Categorization of information can thus be called the first step toward providing the organization's information security.

Historically, information has been classified by its level of secrecy (confidentiality), while availability and integrity requirements were often not taken into account or were covered only by the general requirements for information processing systems. This is a wrong approach. In many fields the share of confidential information is comparatively small. For open information, whose disclosure causes no damage, the most important properties are availability, integrity and protection from unlawful copying. An online store is an example: it is vital to keep the company's website continuously available. Since different levels of information security need to be ensured, different categories of confidentiality, integrity and availability can be introduced.

1. Categories of confidentiality of protected information

Confidentiality of information is the property of information that indicates the need to restrict the circle of persons who have access to it.
The following confidentiality categories of information are introduced:
Strictly confidential information - information that is confidential under the requirements of legislation, as well as information whose dissemination is restricted by decision of the organization's management and whose disclosure can cause significant damage to the organization's activities.
Confidential information - information that is not strictly confidential, whose dissemination is restricted only by decision of the organization's management and whose disclosure can cause damage to the organization's activities.
Open information - information for which confidentiality is not required.

2. Categories of integrity of information

Integrity of information is the property whereby data retain a predetermined form and quality (remain unchanged relative to some fixed state).
The following integrity categories of information are introduced:
High - information whose unauthorized modification or falsification can cause significant damage to the organization's activities.
Low - information whose unauthorized modification can cause moderate or minor damage to the organization's activities.
No requirements - information for which no integrity requirements are imposed.

3. Categories of availability of information

Availability of information is a state in which subjects with access rights can exercise those rights without hindrance.
The following availability categories of information are introduced:
Unhindered availability - access to the information must be provided at any time (the delay in obtaining access should not exceed a few seconds or minutes).
High availability - access must be provided without significant delay (the delay in obtaining access should not exceed a few hours).
Average availability - access may be provided with significant delay (the delay in obtaining the information should not exceed several days).
Low availability - delays in access to the information are practically unlimited (the allowable delay in obtaining access is a few weeks).

It follows from the above that the confidentiality and integrity categories of information depend directly on the amount of damage the organization suffers when these properties are violated. The availability categories depend on the amount of damage to a lesser extent, but they depend on it too. The amount of damage is assessed subjectively on a three-level scale: significant damage, moderate damage and low damage (or no damage).
Damage to the organization is estimated as low if the loss of availability, confidentiality and/or integrity of information has a slight negative impact on the organization's activities, its assets and staff.
A slight negative impact means that:
- the organization remains capable of performing its activities, but the effectiveness of its basic functions is reduced;
- the organization's assets suffer insignificant damage;
- the organization incurs minor financial losses.
Damage to the organization is estimated as moderate if the loss of availability, confidentiality and/or integrity has a serious negative impact on the organization, its assets and staff.
A serious negative impact means that:
- the organization remains capable of performing its activities, but the effectiveness of its basic functions is significantly reduced;
- the organization's assets suffer significant damage;
- the organization incurs significant financial losses.
Potential damage to the organization is assessed as significant if the loss of availability, confidentiality and/or integrity has a severe (catastrophic) negative impact on the organization, its assets and personnel, i.e.:
- the organization loses the ability to perform all or some of its basic functions;
- the organization's assets suffer major damage;
- the organization incurs large financial losses.
Thus, by estimating the damage to the organization's activities from violation of the confidentiality, integrity and availability of information, and determining the categories of information on that basis, three types of information can be distinguished: the most critical, critical and non-critical.

The type of information is determined by combining the categories assigned to it.
Table 1 shows how the type of information is derived (* = any category in that column).

Confidentiality category          | Integrity category | Availability category   | Information type
----------------------------------|--------------------|-------------------------|------------------------------
Strictly confidential information | *                  | *                       | The most critical information
*                                 | High               | *                       | The most critical information
*                                 | *                  | Unhindered availability | The most critical information
Confidential information          | *                  | *                       | Critical information
*                                 | Low                | *                       | Critical information
*                                 | *                  | High availability       | Critical information
Open information                  | No requirements    | Average availability    | Non-critical information
Open information                  | No requirements    | Low availability        | Non-critical information

Table 1: Determination of the type of information

Thus, categorization of information is the first step toward providing an organization's information security: before protecting something, one must first determine what needs protection and to what extent. Both user and system information is categorized, whether held in electronic form or on a physical medium. To determine the type of protected information, one must determine what damage the organization would suffer from the loss of confidentiality, integrity and availability of that information.
Once the type of information is defined, different protection measures can be applied to each type. This not only structures the data processed in the organization but also allows the access control subsystem for protected information to be implemented and used most effectively, and the costs of providing information security to be optimized.



    Protected information (information to be protected) - information that is the subject of ownership and is to be protected in accordance with the requirements of legislative and other regulatory documents, or in accordance with requirements established by the owner of the information (the Bank).

    Protected resources of the information banking system (IBS resources to be protected) - information, functional tasks, information transmission channels and workstations to be protected to ensure the information security of the Bank, its customers and correspondents.

    Protected workstation (RM) - an object of protection (a personal computer with the corresponding set of software and data) for which the need to establish a regulated mode of information processing has been recognized, characterized by:

    • its location and its degree of physical accessibility to unauthorized persons (customers, visitors, employees not admitted to work with the RM, etc.);

    • the composition of its hardware;

    • the composition of its software and the tasks solved on it (which determine the availability categories);

    • the composition of the information stored and processed on the RM (which determines the confidentiality and integrity categories).

    RM form - a document of the established form (Annex 3) that records the characteristics of the RM (location, hardware and software configuration, list of tasks solved on the RM, etc.) and certifies that the RM may be operated (by indicating that the requirements for protecting the information processed on the RM, according to the category of the RM, have been implemented).

    Protected task - a functional task solved on a separate RM for which the need to establish a regulated mode of information processing has been recognized, characterized by:

    • the set of resources used in solving it (software, data sets, devices);

    • the frequency with which it is solved;

    • the maximum allowable delay in obtaining the result of solving it.

    Task form - a document of the established form (Appendix 2) that records the characteristics of the task (its name, purpose, the types of resources used in solving it, the user groups of the task and their access rights to the task's resources, etc.).

    Protected information transmission channel - the path along which protected information is transmitted. Channels are divided into physical (from one device to another) and logical (from one task to another).

    Confidentiality of information - a subjectively determined (assigned) characteristic (property) of information indicating the need to restrict the circle of subjects (persons) who have access to it, ensured by the ability of the system (environment) to keep the information secret from subjects who have no authority to access it.

    Integrity of information - the property of information of existing in an undistorted form (unchanged relative to some fixed state).

    Availability of information (tasks) - the property of the processing system (environment) in which the information circulates, characterized by the ability to provide subjects with timely and unhindered access to the information they need (provided the subjects hold the corresponding access authority) and by the readiness of the corresponding automated services (functional tasks) to serve subjects' requests whenever the need to contact them arises.

1. General Provisions

1.1. This Regulation introduces categories (gradations of the importance of protecting resources) and establishes the procedure for categorizing the resources of the information banking system that are subject to protection (assigning them to the corresponding categories, taking into account the degree of risk of damage to the Bank, its customers and correspondents in the event of unauthorized interference in the functioning of the IBS, violation of the integrity or confidentiality of the processed information, blocking of information, or violation of the availability of the tasks solved by the IBS).

1.2. Categorization of IBS resources (determination of resource protection requirements) is a necessary element of organizing the Bank's information security work and pursues the following goals:

    creating a regulatory and methodological basis for a differentiated approach to protecting the resources of the automated system (information, tasks, channels, RM) based on their classification by the degree of risk in case of violation of their availability, integrity or confidentiality;

    standardizing the organizational measures taken and the distribution of hardware and software protection tools across the RM of the IBS, and unifying their settings.

2. Categories of protected information

2.1. Based on the need to provide different levels of protection for the different types of information stored and processed in the IBS, and taking into account the possible ways damage may be caused to the Bank, its customers and correspondents, three categories of confidentiality of protected information and three categories of integrity of protected information are introduced.

Confidentiality categories:

    "High" - this category includes information that is confidential under the requirements of the current legislation of the Russian Federation (banking secrecy, personal data);

    "Low" - this category includes confidential information not belonging to the "High" category, whose dissemination is restricted by decision of the Bank's management in accordance with the rights granted by law to the owner (or the party authorized by the owner) of the information;

    "No requirements" - this category includes information whose confidentiality (restriction of dissemination) is not required.

Integrity categories:

    "High" - this category includes information whose unauthorized modification (distortion, destruction) or falsification can cause significant direct damage to the Bank, its customers and correspondents, and whose integrity and authenticity (confirmation of the authenticity of the source) must be ensured by guaranteed methods (for example, electronic digital signatures) in accordance with the mandatory requirements of the current legislation;

    "Low" - this category includes information whose unauthorized modification, deletion or falsification can cause minor indirect damage to the Bank, its customers and correspondents, and whose integrity (and, if necessary, authenticity) must be ensured in accordance with the decision of the Bank's management (checksum methods, EDS, etc.);

    "No requirements" - this category includes information for which no integrity (and authenticity) requirements are imposed.

2.2. To simplify the categorization of tasks, channels and RM, the confidentiality and integrity categories of protected information are combined into four generalized categories of information: "vital", "very important", "important" and "not important". Information is assigned to a generalized category on the basis of its confidentiality and integrity categories in accordance with Table 1.

Table 1

    1 - "Vital" information

    2 - "Very important" information

    3 - "Important" information

    4 - "Not important" information

3. Categories of functional tasks

3.1. Depending on how often functional tasks are solved and the maximum allowable delay in obtaining the results of their solution, four required degrees of availability of functional tasks are introduced.

Required degree of availability of functional tasks:

    "Unhindered availability" - access must be provided at any time (the task is solved continuously; the delay in obtaining the result should not exceed a few seconds or minutes);

    "High availability" - access to the task must be provided without significant delay (the task is solved daily; the delay in obtaining the result should not exceed a few hours);

    "Average availability" - access to the task may be provided with significant delay (the task is solved once every few days; the delay in obtaining the result should not exceed several days);

    "Low availability" - delays in access to the task are practically unlimited (the task is solved once every several weeks or months; the allowable delay in obtaining the result is a few weeks).

3.2. Depending on the generalized category of protected information used in solving a task and the required degree of availability of the task, four categories of functional tasks are established: "first", "second", "third" and "fourth" (in accordance with Table 2).

Table 2. Determination of the category of a functional task

Generalized category of information | "Unhindered availability" | "High availability" | "Average availability" | "Low availability"
------------------------------------|---------------------------|---------------------|------------------------|-------------------
"Vital"                             | 1                         | 1                   | 2                      | 2
"Very important"                    | 1                         | 2                   | 2                      | 3
"Important"                         | 2                         | 2                   | 3                      | 3
"Not important"                     | 2                         | 3                   | 3                      | 4

The columns give the required degree of availability of the task; the cells give the category of the functional task.

4. Requirements for ensuring the security of transmission channels of protected information (channel categories)

4.1. The security requirements (category) of a logical transmission channel of protected information are determined by the maximum category of the two tasks between which the channel is established.

5. Categories of RM

5.1. Depending on the categories of the tasks solved on an RM, four categories of RM are established: "A", "B", "C" and "D".

5.3. The group of category "B" RM includes RM on which at least one functional task of the second category is solved. The categories of the other tasks solved on such an RM must be no lower than the third and no higher than the second.

5.4. The group of category "C" RM includes RM on which at least one functional task of the third category is solved. The categories of the other tasks solved on such an RM must be no higher than the third.

Table 3.

5.6. Requirements for ensuring the security of RM of the various categories (the application of the corresponding measures and protection tools) are given in Appendix 5.

6. Procedure for determining the categories of protected IBS resources

6.1. Categorization is carried out on the basis of an inventory of the resources of the information banking system (RM, tasks, information) and involves compiling and subsequently maintaining (keeping up to date) lists (sets of forms) of the IBS resources to be protected.

6.2. Responsibility for compiling and maintaining the lists of IBS resources is assigned:

    for compiling and maintaining the List of RM (indicating their location, the Bank's divisions to which they are assigned, and the composition and characteristics of the technical means they comprise) - to the Information Technology Department (hereinafter the IT Department);

    for compiling and maintaining the list of system and applied (special) tasks solved on the RM (indicating the lists of resources used in solving them: devices, directories, files containing information) - to the technical support division of the IT Department.

6.3. Responsibility for determining the confidentiality, integrity and availability requirements and assigning the corresponding categories to specific RM resources (information resources and tasks) is assigned to the Bank's divisions that directly solve tasks on those RM (the information owners) and to the Information Security Department.

6.4. The categories of IBS information resources assigned in accordance with this "Regulation on the categorization of IBS resources" are approved by the Chairman of the Board of the Bank.

6.6. Categorization of IBS resources may be carried out sequentially for each RM separately, with subsequent consolidation into unified lists of IBS resources to be protected:

    the list of IBS information resources to be protected (Appendix 2);

    the list of tasks to be protected (the set of task forms);

    the list of RM (the set of RM forms).

At the first stage of categorizing the resources of a specific RM, all types of information used in solving the tasks on that RM are categorized. The generalized categories of information are determined from the established confidentiality and integrity categories of the specific types of information. Information resources to be protected are entered in the "List of information resources to be protected".

At the second stage, all functional tasks solved on the RM are categorized, taking into account the generalized categories of the information used in solving them (established earlier) and the availability requirements of the tasks.

At the fourth stage, the categories of the logical transmission channels between functional tasks (on different RM) are established on the basis of the categories of the interacting tasks.

6.7. Recategorization (change of category) of IBS information resources is performed when the requirements for protecting the properties (confidentiality and integrity) of the corresponding information change.

Recategorization (change of category) of functional tasks is performed when the generalized categories of the information resources used in solving the task change, and when the availability requirements of the functional tasks change.

Recategorization (change of category) of logical channels is performed when the categories of the interacting tasks change.

Recategorization (change of category) of RM is performed when the categories or composition of the tasks solved on the RM change.

6.8. Periodically (once a year), or at the request of the heads of the Bank's structural divisions, the established categories of protected resources are reviewed for compliance with the actual state of affairs.

7. Procedure for revision

7.1. If the requirements for the protection of RM of the various categories change, Appendix 5 is subject to revision (with subsequent approval).

7.2. If changes and additions are made to the "List of information resources to be protected", Appendix 4 is subject to revision (with subsequent approval).

Appendix 1 - Methodology for categorizing protected resources

This methodology is intended to clarify the procedure for carrying out the categorization of protected resources in the Bank in accordance with the "Regulation on the categorization of the resources of the information banking system". Categorization involves surveying the IBS subsystems and the Bank's structural divisions and identifying (taking an inventory of) all IBS resources to be protected. The approximate sequence and main content of the specific actions needed to carry out this work are given below.

1. To conduct an information survey of all subsystems of the Bank's information system and an inventory of the IBS resources to be protected, a special working group is formed. It includes specialists of the Information Security Department and of the Bank's Information Technology Department (familiar with the technology of automated information processing). To give the working group the necessary status, a corresponding order of the Chairman of the Board of the Bank is issued, which in particular instructs all heads of the Bank's structural divisions to render the working group the necessary assistance in surveying the IBS. For the duration of the group's work, the heads of those divisions should assign employees who have detailed knowledge of how information is processed in their divisions.

2. During the survey of the Bank's specific divisions and information subsystems, all functional tasks solved using the IBS are identified and described, as well as all types of information (data) used in solving those tasks in the divisions.

3. A general list of functional tasks is compiled, and a form (Appendix 2) is started for each task. It should be borne in mind that one and the same task may be called differently in different divisions, and conversely, different tasks may have the same name. At the same time, the software tools (general and special) used in solving the division's functional tasks are recorded.

4. When surveying the subsystems and analyzing the tasks, all types of incoming, outgoing, stored, processed and similar information are identified. It is necessary to identify not only information that can be classed as confidential (banking and commercial secrets, personal data) but also information that must be protected because a violation of its integrity (distortion, falsification) or availability (destruction, blocking) can cause tangible damage to the Bank, its customers or correspondents.

5. When identifying all types of information circulating and processed in the subsystems, it is desirable to assess the seriousness of the consequences that violations of its properties (confidentiality, integrity) can lead to. To obtain initial estimates of the severity of such consequences, it is advisable to poll (for example, by questionnaire) the specialists who work with the information. It should be established who might be interested in the information, how they could influence it or use it unlawfully, and what consequences that could lead to.

6. Information on the estimates of likely damage is entered in special forms (Appendix 3). If the likely damage cannot be quantified, a qualitative assessment is made (for example: low, medium, high, very high).

7. When compiling the list and forms of the functional tasks solved in the Bank, it is necessary to establish how often they are solved, the maximum allowable delay in obtaining the results of their solution, and the seriousness of the consequences that violations of their availability (blocking of the possibility of solving them) can lead to. Estimates of the likely damage are entered in special forms (Appendix 3). If the likely damage cannot be quantified, a qualitative assessment is made.

8. All the different types of information identified during the survey are recorded in the "List of information resources to be protected".

9. It is determined (and then indicated in the list) which type of secrecy (banking, commercial, personal data, or not constituting a secret) each of the identified types of information belongs to (on the basis of the requirements of the current legislation and the rights granted to the Bank).

10. Initial proposals for the confidentiality and integrity categories of specific types of information are obtained from the heads (leading specialists) of the Bank's structural divisions (based on their personal estimates of the likely damage from violation of the confidentiality and integrity of the information). These estimates of the information categories are entered in the "List of information resources to be protected" (in columns 2 and 3).

11. The list is then agreed with the heads of the Security Department, the IT Department and the Information Security Department and submitted for consideration by the Information Security Committee.

12. When the Information Security Committee considers the list, changes and additions may be made. The prepared version of the "List of information resources to be protected" is submitted for approval by the Chairman of the Board of the Bank.

13. In accordance with the confidentiality and integrity categories given in the approved "List of information resources to be protected", the generalized category of each type of information is determined (in accordance with Table 1 of the Regulation on categorization).

14. At the next stage, the functional tasks are categorized. Based on the availability requirements set by the heads of the Bank's operating divisions and agreed with the heads of the Security Department and the IT Department, all special (applied) functional tasks solved in the divisions using the IBS are categorized (Table 2 of the Regulation on categorizing resources). Information on the categories of special tasks is entered in the task forms. General (system) tasks and software are not categorized outside the binding to a specific RM.

Subsequently, with the participation of IT Department specialists, the composition of the information and software resources of each task should be clarified, and information on user groups and instructions for configuring the protection tools (the access rights of the user groups to the listed resources of the task) should be added to its form. This information will be used as the reference protection settings for the RM on which the task will be solved, and to check that those settings have been applied correctly.

15. All logical channels between functional tasks are then categorized. The category of a channel is established on the basis of the maximum category of the tasks involved in the interaction.

16. At the last stage, the RM are categorized. The category of an RM is established on the basis of the maximum category of the special tasks solved on it (or the category of the information used in solving general tasks). Any number of tasks may be solved on one RM provided their categories are lower than the maximum category on that RM by not more than one. Information on the RM category is entered in the RM form.
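The chain of lookups in steps 14 to 16 (Table 2 of the Regulation for task categories, section 4.1 for channels, section 5 and step 16 for RM), as an added Python example that is not the Bank's or the author's code. It starts from already-determined generalized information categories, since Table 1 of the Regulation is not reproduced on the page; the RM letters "A" and "D" for first- and fourth-category tasks are assumed by analogy with 5.3 and 5.4 (5.2 and 5.5 are missing), and the sample RM and its task names are constructed.

```python
"""Categorization of IBS functional tasks, logical channels and RM.

Added example: Table 2 lookup, channel category = the highest (numerically
smallest) category of the two interacting tasks, and the RM category with
the "no more than one category below the maximum" consistency rule.
"""
from typing import Dict, Iterable, Tuple

# Required degree of availability of a task, in the column order of Table 2.
AVAILABILITY = ("unhindered", "high", "average", "low")

# Table 2 of the Regulation: generalized information category (1 "vital" ..
# 4 "not important") x required availability -> functional task category.
TABLE_2 = {
    1: (1, 1, 2, 2),  # "Vital"
    2: (1, 2, 2, 3),  # "Very important"
    3: (2, 2, 3, 3),  # "Important"
    4: (2, 3, 3, 4),  # "Not important"
}

# RM category letter by the highest task category on the RM. 5.3 and 5.4
# give "B" and "C"; "A" and "D" are ASSUMED here by the same pattern.
RM_LETTER = {1: "A", 2: "B", 3: "C", 4: "D"}


def task_category(info_category: int, availability: str) -> int:
    """Look up the functional task category (1 = highest) in Table 2."""
    if info_category not in TABLE_2:
        raise ValueError(f"generalized information category must be 1..4, got {info_category}")
    if availability not in AVAILABILITY:
        raise ValueError(f"availability must be one of {AVAILABILITY}, got {availability!r}")
    return TABLE_2[info_category][AVAILABILITY.index(availability)]


def channel_category(task_a: int, task_b: int) -> int:
    """Section 4.1: a logical channel takes the maximum category of the two
    tasks it connects. Categories are numbered 1 (highest) to 4, so the
    maximum category is the numerically smallest value."""
    return min(task_a, task_b)


def rm_category(task_categories: Iterable[int]) -> str:
    """Section 5 / step 16: the RM category follows the highest task
    category on it, and every other task must be within one category of
    that maximum (a category "B" RM hosts only 2nd and 3rd category tasks).
    A task mix that violates the rule cannot be categorized."""
    cats = sorted(task_categories)
    if not cats:
        raise ValueError("an RM must have at least one task")
    highest, lowest = cats[0], cats[-1]
    if highest not in RM_LETTER or lowest not in RM_LETTER:
        raise ValueError(f"task categories must be 1..4, got {cats}")
    if lowest - highest > 1:
        raise ValueError(
            f"tasks of categories {highest} and {lowest} may not share one RM: "
            "other tasks must be no more than one category below the highest"
        )
    return RM_LETTER[highest]


def categorize_rm(tasks: Dict[str, Tuple[int, str]]) -> dict:
    """Run the whole chain for one RM. `tasks` maps a task name to
    (generalized information category, required availability)."""
    task_cats = {name: task_category(*spec) for name, spec in tasks.items()}
    return {"tasks": task_cats, "rm": rm_category(task_cats.values())}


# Constructed sample RM: a payment task on "vital" information that must be
# available at any time, plus a daily reporting task on "important" information.
SAMPLE_RM = {
    "payment processing": (1, "unhindered"),
    "daily reporting": (3, "high"),
}

if __name__ == "__main__":
    result = categorize_rm(SAMPLE_RM)
    print(result)  # {'tasks': {'payment processing': 1, 'daily reporting': 2}, 'rm': 'A'}
    # A logical channel between the two tasks inherits the payment task's category.
    print(channel_category(result["tasks"]["payment processing"],
                           result["tasks"]["daily reporting"]))  # 1
```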

From the editor

Any kind of human activity can be represented as a process that results in a product, material or intellectual, which has a certain value, that is, a cost. Information is one kind of such value, and its value can be so high that its loss or leakage, even partial, can call into question the very existence of the company. Protecting information therefore becomes more important every day, and almost every more or less large organization now has an information security (IB) unit.

The range of information security offerings on the IT market keeps growing. How does one navigate this stream of products? How does one choose the option that is optimal in terms of financial cost and takes into account all the needs of the company? What selection criteria apply? After all, although the IB service of an organization or enterprise produces neither intellectual nor material values itself, there is no doubt about its necessity and importance, and spending on this service is rarely cut.

What needs to be done so that a company's costs and its level of information security are in the optimal relationship: this publication is devoted to these questions.

Introduction

Information security (IB) activities are known not to bring revenue; they can only reduce the damage from possible incidents. It is therefore very important that the costs of creating and maintaining IB at the proper level be commensurate with the value of the organization's assets related to its information system (IS). This commensurability can be ensured by categorizing the information and the information system, and by selecting security controls on the basis of the categorization results.

Categories information I. information systems

The assignment of information security categories and information systems is based on damage assessment, which can be applied by security violations. Such incidents may interfere with the organization in the implementation of the missions entrusted to it, compromise assets, put the company to the position of the violator of the current legislation, to create a threat to daily activities, to expose the staff. Security categories are used in conjunction with data on vulnerabilities and threats in the process of analyzing the risks, which are subject to the organization.

There are three main aspects of information security:

  • availability;
  • confidentiality;
  • integrity.

Generally speaking, a security violation may affect only some of these aspects, and security controls may likewise be specific to individual aspects. It is therefore advisable to assess the possible damage separately for violations of availability, confidentiality and integrity; where necessary, an integral assessment can then be derived from them.

The amount of damage is conveniently assessed on a three-level scale: low, moderate or high (Fig. 1).

Figure 1. Scale for assessing damage from information security violations

Potential damage to the organization is assessed as low if the loss of availability, confidentiality and/or integrity has a limited adverse effect on the organization's operations, assets or personnel. A limited adverse effect means that:

  • the organization remains able to carry out its mission, but the effectiveness of its primary functions is noticeably reduced;
  • the organization's assets suffer minor damage;
  • the organization incurs minor financial losses;
  • personnel suffer minor harm.

Potential damage to the organization is assessed as moderate if the loss of availability, confidentiality and/or integrity has a serious adverse effect on the organization's operations, assets or personnel. A serious adverse effect means that:

  • the organization remains able to carry out its mission, but the effectiveness of its primary functions is significantly reduced;
  • the organization's assets suffer significant damage;
  • the organization incurs significant financial losses;
  • personnel suffer significant harm that does not threaten life or health.

Potential damage to the organization is assessed as high if the loss of availability, confidentiality and/or integrity has a severe or catastrophic adverse effect on the organization, its assets or its personnel, that is:

  • the organization loses the ability to perform all or some of its primary functions;
  • the organization's assets suffer major damage;
  • the organization incurs major financial losses;
  • personnel suffer severe or catastrophic harm that may threaten life or health.

Categories are assigned both to user information and to system information, whether held in electronic form or as a "hard" copy. Open (public) information has no confidentiality category. For example, the information on the organization's publicly accessible Web server has no confidentiality category, while its availability and integrity are assessed as moderate.

When categorizing an information system, the categories of the information it stores, processes and transmits are taken into account, as well as the value of the system's own assets; that is, for each aspect, the maximum category over all types of information and assets is taken. To obtain an integral assessment, the maximum over the categories of the three main aspects of information security is taken.
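The "take the maximum" rule can be made concrete in code. The following is an added worked example, not code from the article, that gives each information type or asset a category per aspect, treats a missing confidentiality category (open information) as not applicable, computes the system category as the per-aspect maximum, derives the integral assessment, and, going one step beyond this paragraph, maps the integral level onto one of the three basic control sets that the article introduces later. The inventory, the names in it and the baseline labels are constructed for illustration.

```python
"""Security categorization on a three-level scale (low / moderate / high).

Added worked example; the inventory below is constructed, not taken from
the article or from any real organization.
"""
from enum import IntEnum
from typing import Dict, Iterable, Optional, Tuple


class Impact(IntEnum):
    """Potential damage from losing an aspect, on the article's three-level scale."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


ASPECTS = ("confidentiality", "integrity", "availability")

# A security category is one Impact per aspect. None means "not applicable":
# open information has no confidentiality category.
Category = Dict[str, Optional[Impact]]


def make_category(confidentiality: Optional[Impact],
                  integrity: Impact, availability: Impact) -> Category:
    """Build a category for one information type or asset."""
    return {"confidentiality": confidentiality,
            "integrity": integrity,
            "availability": availability}


def system_category(categories: Iterable[Category]) -> Category:
    """System category: for each aspect take the maximum over all information
    types and assets (the "high-water mark"); an aspect that no item
    categorized stays not applicable."""
    result: Category = {aspect: None for aspect in ASPECTS}
    for cat in categories:
        for aspect in ASPECTS:
            value = cat.get(aspect)
            if value is None:
                continue  # N/A does not raise or lower the maximum
            current = result[aspect]
            if current is None or value > current:
                result[aspect] = value
    return result


def integral_level(category: Category) -> Impact:
    """Integral assessment: maximum over the assessed aspects."""
    values = [v for v in category.values() if v is not None]
    if not values:
        raise ValueError("category has no assessed aspect")
    return max(values)


# Hypothetical labels for the three basic control sets (low / moderate / high).
BASELINES = {
    Impact.LOW: "minimum (basic) control set",
    Impact.MODERATE: "moderate control set",
    Impact.HIGH: "high control set",
}


def baseline_for(category: Category) -> str:
    """Select the basic control set matching the integral level."""
    return BASELINES[integral_level(category)]


# Constructed inventory: information types plus one supporting asset.
SAMPLE_INVENTORY: Dict[str, Category] = {
    "public web content": make_category(None, Impact.MODERATE, Impact.MODERATE),
    "customer orders": make_category(Impact.MODERATE, Impact.MODERATE, Impact.LOW),
    "payroll records": make_category(Impact.HIGH, Impact.MODERATE, Impact.LOW),
    "web server hardware (asset)": make_category(None, Impact.LOW, Impact.MODERATE),
}


def categorize_sample_system() -> Tuple[Category, Impact, str]:
    """Categorize the constructed inventory end to end."""
    cat = system_category(SAMPLE_INVENTORY.values())
    return cat, integral_level(cat), baseline_for(cat)


if __name__ == "__main__":
    cat, level, baseline = categorize_sample_system()
    for aspect in ASPECTS:
        value = cat[aspect]
        print(f"{aspect:15s} {value.name if value is not None else 'N/A'}")
    print("integral level:", level.name)
    print("baseline:", baseline)
```

Note that a single high-impact information type (here the payroll records) lifts the whole system's confidentiality category to high, even though most of the inventory is moderate or open; that is exactly the conservatism the maximum rule is meant to produce, and it is why the inventory behind the categorization must be complete.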

Minimum (basic) security requirements

The minimum (basic) security requirements are formulated in general terms, regardless of the category assigned to the IS. They define the basic level of information security that every information system must satisfy. The categorization results matter when choosing the security controls that ensure compliance with the requirements on the basis of risk analysis (Fig. 2).

Figure 2. Information security levels

The minimum security requirements (Fig. 3) cover the administrative, procedural and software/technical levels of information security and are formulated as follows.

Figure 3. Basic security requirements for information and information systems.

  • The organization must develop, document and promulgate an official security policy and formal procedures aimed at meeting the requirements below, and must ensure that the policy and procedures are effectively implemented.
  • The organization must periodically assess risks, including threats to its mission, operations, image and reputation, its assets and its personnel, that result from operating the IS and from processing, storing and transmitting data.
  • With respect to the acquisition of systems and services, the organization must:
    • allocate sufficient resources for adequate protection of the IS;
    • take information security requirements into account when developing systems;
    • restrict the use and installation of software;
    • ensure that external service providers allocate sufficient resources to protect information, applications and/or services.
  • In the area of certification, accreditation and security assessment, the organization must carry out:
    • continuous monitoring of security controls, to maintain confidence in their effectiveness;
    • periodic assessment of the security controls used in the IS, to verify their effectiveness;
    • development and implementation of a plan to remedy deficiencies and reduce or eliminate vulnerabilities in the IS;
    • authorization of putting the IS into operation and of establishing connections with other information systems.
  • In the area of personnel security, it is necessary to:
    • ensure the trustworthiness of persons holding positions of responsibility, and that these persons meet the security requirements for those positions;
    • ensure the protection of information and of the information system during personnel actions such as dismissal or transfer of employees;
    • apply appropriate formal sanctions for violations of security policies and procedures.
  • The organization must provide awareness and training for employees:
    • so that IS managers and users are aware of the risks associated with their activities and of the relevant laws, regulations, guidelines, standards, instructions and the like;
    • so that staff have adequate practical training to perform their information security duties.
  • In the area of planning, it is necessary to develop, document, periodically revise and implement IS security plans that describe the security controls (existing and planned) and the rules of behavior for staff with access to the IS.
  • In the area of contingency planning, the organization must establish, maintain and effectively implement plans for emergency response, backup and disaster recovery, so as to ensure the availability of critical information resources and continuity of operations in emergency situations.
  • In the area of incident response, the organization must:
    • establish an operational incident response capability, including adequate preparation, detection, analysis and containment of violations, recovery after incidents and handling of user requests;
    • ensure that incidents are tracked, documented and reported to the appropriate officials of the organization and to authorized bodies.
  • For physical protection, the organization must:
    • grant physical access to the IS, its equipment and its operating premises only to authorized personnel;
    • physically protect the equipment and the supporting infrastructure of the IS;
    • ensure proper environmental conditions for operating the IS;
    • protect the IS from environmental threats;
    • monitor the conditions in which the IS operates.
  • In the area of access control, the organization must grant access to IS assets only to authorized users, to processes acting on behalf of those users, and to devices (including other information systems), and only for the transactions and functions they are permitted to perform.
  • For audit and accountability, it is necessary to:
    • create, protect and retain audit logs that make it possible to track, analyze, investigate and report on unlawful, unauthorized or improper activity;
    • ensure that actions in the IS can be traced to an individual user (user accountability).
  • In the area of configuration management, the organization must:
    • establish and maintain baseline configurations;
    • maintain an inventory of the IS, kept current throughout its life cycle, covering hardware, software and documentation;
    • establish and enforce security configuration settings for the information technology products included in the IS.
  • In the area of identification and authentication, it is necessary to identify and authenticate users of the IS, processes acting on behalf of users, and devices, as a precondition for granting access to the IS.

In addition, it is necessary:

  • For maintenance:
    • to perform periodic and timely maintenance of the IS;
    • to provide effective controls over the tools, techniques, mechanisms and personnel used to carry out maintenance.
  • For media protection:
    • to protect data carriers, both digital and paper;
    • to grant access to data on media only to authorized users;
    • to sanitize or destroy media before disposal or release for reuse.
  • For system and communications protection:
    • to monitor, control and protect communications (that is, transmitted and received data) at the external boundaries and at key internal boundaries of the IS;
    • to apply architectural and hardware/software approaches that raise the current level of information security of the IS.
  • For system and data integrity:
    • to identify, report and correct flaws in the IS and its data in a timely manner;
    • to protect the IS from malicious software;
    • to monitor security alerts and advisories about new threats to the information system and respond to them appropriately.

Selecting a basic set of security controls to meet the security requirements

A prerequisite for meeting the security requirements is the selection and implementation of appropriate security controls, that is, the development and application of economically justified countermeasures and protective measures. Security controls are divided into administrative, procedural and software/technical controls, and serve to ensure the availability, confidentiality and integrity of the information system and of the data it processes, stores and transmits.

The choice of security controls is based on the results of categorizing the data and the information system. In addition, one should take into account which controls are already implemented and which have specific implementation plans, as well as the required degree of confidence in the effectiveness of the current controls.

Selecting an adequate set of security controls is simplified if they are drawn from predefined basic sets associated with the required level of information security. With a three-level scale, three basic sets are used, for the minimum (low, basic), moderate and high levels of information security respectively.

Security controls for the minimum level of information security

At the minimum level of information security, it is advisable to apply the following administrative security controls.

Figure 4. Security controls by level of information security

  • Risk assessment: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented risk assessment policy that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated risk assessment controls.
  • Risk assessment: categorization for security requirements. Categorization of the data and the information system, with documentation of the results, including the rationale for the assigned categories; the document is approved by management.
  • Risk assessment: conducting the assessment. Assessment of the risks and of the possible damage from unauthorized access, use, disclosure, disruption, modification and/or destruction of data and/or the information system, including resources managed by external organizations.
  • Risk assessment: review of results. The results of the risk assessment are revised at a specified frequency, after significant changes to the IS or its supporting infrastructure, or after other events that may noticeably affect the security level of the system or its accreditation status.
  • Security planning: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented security planning policy that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated security planning controls.
  • Security planning: IS security plan. Development and implementation of a security plan for the information system that describes the security requirements for the IS and the existing and planned security controls that serve to meet those requirements; the document is approved by management.
  • Security planning: updating the IS security plan. The security plan is revised at a specified frequency and amended to reflect changes in the organization and its information system, or problems identified while implementing the plan or assessing the security controls.
  • Security planning: rules of behavior. The organization establishes and communicates to IS users a set of rules describing their responsibilities and the expected behavior regarding use of information and the information system. Before gaining access to the IS and its information resources, users sign an acknowledgement that they have read, understood and agree to comply with the prescribed rules of behavior.
  • Security planning: privacy assessment. The organization carries out an assessment of privacy requirements.
  • System and services acquisition: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented policy on the acquisition of systems and services that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated acquisition controls.
  • System and services acquisition: allocation of resources. Determining, documenting and allocating the resources needed for adequate protection of the information system is part of the organization's capital planning and investment management processes.
  • System and services acquisition: life cycle support. The organization manages the information system using a life cycle methodology that takes information security into account.
  • System and services acquisition: acquisitions. Procurement contracts include security requirements and/or specifications based on the results of the risk assessment.
  • System and services acquisition: documentation. It is necessary to ensure that adequate documentation on the information system and its components is available, protected and distributed to the organization's authorized officials.
  • System and services acquisition: software usage restrictions. The organization ensures that the existing restrictions on the use of software are observed.
  • System and services acquisition: user-installed software. Explicitly formulated rules on the downloading and installation of software by users must be implemented.
  • System and services acquisition: outsourced information services. It is necessary to ensure that external organizations providing information services apply adequate security controls that comply with current legislation and contract terms, and to monitor the adequacy of those controls.
  • Certification, accreditation and security assessment: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented policy on security assessment, certification and accreditation that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated security assessment, certification and accreditation controls.
  • Certification, accreditation and security assessment: connections to other information systems. Authorization of all connections between the organization's information system and other systems outside the accreditation boundary, with continuous monitoring/control of those connections; interconnection agreements are signed by authorized officials.
  • Certification, accreditation and security assessment: security control assessment. The organization assesses the security controls used in the IS to verify that they are correctly implemented, operate in accordance with their specifications and produce the expected results with respect to meeting information security requirements.
  • Certification, accreditation and security assessment: action plan and schedule. The organization develops, and updates at a specified frequency, a schedule of activities describing the planned, implemented and evaluated corrective actions aimed at remedying all deficiencies identified during assessment of the security controls and at reducing or eliminating known IS vulnerabilities.
  • Certification, accreditation and security assessment: accreditation. The organization explicitly authorizes (accredits) putting the information system into operation and re-accredits it at a specified frequency, at least once every three years.
  • Certification, accreditation and security assessment: continuous monitoring. Continuous monitoring of the security controls in the IS.

Figure 5. Maintaining the required security level

At the minimum level of information security, it is advisable to apply the following procedural security controls.

  • Personnel security: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented personnel security policy that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated personnel security controls.
  • Personnel security: position categorization. A level of risk is associated with each position, and criteria for screening candidates for those positions are established. The established risk levels should be reviewed at a specified frequency.
  • Personnel security: personnel screening. Persons requiring access to information and the information system are screened before such access is granted.
  • Personnel security: termination. A dismissed employee is deprived of access to the IS, an exit interview is held, the return of all organizational property (including keys, identification cards and passes) is checked, and it is verified that the relevant officials have access to official data created by the dismissed employee and stored in the information system.
  • Personnel security: personnel transfer. When an employee is transferred to another position, the organization reviews the access rights to the IS and its resources granted to that employee and takes appropriate actions, such as issuing new keys, identification cards and passes, closing old and opening new system accounts, and changing access rights.
  • Personnel security: access agreements. Before access to information and the information system is granted, an employee requiring such access signs the appropriate agreements (for example, on non-disclosure of information and on acceptable use of the IS) and the rules of behavior; the organization ensures that these agreements are signed by the parties and reviews them at a specified frequency.
  • Personnel security: security requirements for third-party personnel. The organization establishes security requirements, including roles and responsibilities, for third-party personnel (service providers, contractors, developers, suppliers of information services and of system and network management services) and monitors that third-party organizations provide an adequate level of information security.
  • Personnel security: sanctions. The organization applies a formal process for sanctioning employees who have violated the established security policies and procedures.
  • Physical protection: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented physical protection policy that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated physical protection controls.
  • Physical protection: physical access authorization. The organization compiles and keeps current lists of employees who have access to premises in which components of the information system are located (except premises officially considered publicly accessible) and issues the appropriate credentials (badges, identification cards, smart cards); the relevant officials review and approve the lists and credentials at a specified frequency.
  • Physical protection: physical access control. The points of physical access, including officially designated entry/exit points, to premises in which components of the information system are located (except premises officially considered publicly accessible) must be controlled. Individuals' access authorizations must be verified before they are allowed in. In addition, access to premises officially considered publicly accessible is controlled in accordance with the risk assessment.
  • Physical protection: monitoring physical access. Physical access to the system is monitored in order to detect and respond to violations.
  • Physical protection: visitor control. Physical access to the information system is controlled by authenticating visitors before they are allowed to enter the premises where components of the IS are located (except premises officially considered publicly accessible).
  • Physical protection: access records. The organization maintains visitor logs for its premises (except those officially considered publicly accessible), recording:
    • the visitor's surname, name and organization;
    • the visitor's signature;
    • the documents presented (form of identification);
    • the date and time of access (entry and exit);
    • the purpose of the visit;
    • the surname and name of the person visited and their organizational affiliation. The relevant officials review the visitor logs at a specified frequency.
  • Physical protection: emergency lighting. The organization must use and maintain automatic emergency lighting systems that activate on power interruptions and cover emergency exits and evacuation routes.
  • Physical protection: fire protection. Fire suppression and fire detection devices/systems are used.
  • Physical protection: temperature and humidity control. Temperature and humidity in rooms containing IS components are monitored and kept within permissible limits.
  • Physical protection: water damage protection. The IS must be protected from flooding and leaks caused by damage to the water supply or by other causes, by ensuring the availability and working order of the water shut-off valves and informing the relevant officials of their location.
  • Physical protection: delivery and removal. The organization controls the delivery and removal of information system components (hardware and software) and keeps records of the location of those components.
  • Contingency planning: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented contingency planning policy that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated contingency planning controls.
  • Contingency planning: contingency plan. A plan for ensuring continuous operation of the information system that describes the roles and responsibilities of the responsible officials and gives their contact details. In addition, the plan prescribes the actions to be taken when restoring the IS after damage or accidents. The relevant officials review and approve the plan and bring it to the attention of the employees responsible for continuity of operations.
  • Contingency planning: updating the contingency plan. At a specified frequency, but at least once a year, the organization revises the continuity plan for the information system to reflect changes in the structure of the IS or of the organization and/or to remedy problems identified during implementation, execution and/or testing of the plan.
  • Contingency planning: backup. User and system data contained in the information system (including data on the state of the IS) are backed up at a specified frequency, and the backup copies are stored in properly secured locations.
  • Contingency planning: recovery. The organization uses mechanisms and supporting procedures that allow the information system to be restored after damage or accidents.
  • Configuration management: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented configuration management policy that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated configuration management controls.
  • Configuration management: baseline configuration. The organization develops, documents and maintains a current baseline configuration of the information system, together with an inventory of IS components and data about their owners.
  • Configuration management: configuration settings. In the organization:
    • mandatory settings are approved for the information technology products used in the IS;
    • the settings of information technology products are set to the most restrictive mode compatible with operational requirements;
    • the settings are documented;
    • proper settings are enforced on all components of the information system.
  • Maintenance: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented maintenance policy that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated maintenance controls.
  • Maintenance: periodic maintenance. Planning, performing and documenting routine, preventive and regular maintenance of information system components in accordance with the manufacturer's or supplier's specifications and/or organizational requirements.
  • Maintenance: remote maintenance. The organization authorizes, controls and monitors remotely performed maintenance and diagnostic activities.
  • Maintenance: maintenance personnel. A list of persons authorized to maintain the information system must be kept; only authorized personnel perform IS maintenance.
  • System and data integrity: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented system and data integrity policy that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated system and data integrity controls.
  • System and data integrity: flaw remediation. Flaws in the information system are identified, reported and corrected.
  • System and data integrity: protection against malicious software. Protection against malicious software, including the capability for automatic updates, is implemented in the information system.
  • System and data integrity: security alerts and advisories. Security alerts and advisories about new threats to the IS must be tracked regularly, brought to the attention of the appropriate officials and responded to appropriately.
  • Media protection: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented media protection policy that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated media protection controls.
  • Media protection: media access. It must be ensured that only authorized users have access to information in printed form or on digital media removed from the information system.
  • Media protection: sanitization and disposal. The organization:
    • sanitizes media (both paper and digital) before disposal or release for reuse;
    • tracks, documents and verifies media sanitization activities;
    • periodically tests the sanitization equipment and procedures to make sure they work correctly.
  • Incident response: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented incident response policy that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated incident response controls.
  • Incident response: incident handling. The organization establishes an incident response capability (an incident response team) covering preparation, detection and analysis, containment, eradication and recovery.
  • Incident response: incident reporting. Information security incidents must be promptly brought to the attention of authorized officials.
  • Incident response: assistance. A function is established to advise and assist IS users in responding to and reporting information security incidents; it is an integral part of the incident response team.
  • Awareness and training: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented staff awareness and training policy that sets out the purpose, scope, roles, responsibilities, management commitment, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate implementation of the policy and of the associated awareness and training controls.
  • Awareness and training: security awareness. It must be ensured that all users, including managers, receive basic information security awareness before they are granted access to the IS; such awareness activities continue thereafter at a specified frequency, but at least once a year.
  • Awareness and training: security training. The officials who play a significant role in, and bear responsibility for, the information security of the IS must be identified, their roles and responsibilities documented, and appropriate training provided before they are granted access to the IS. Such training continues thereafter at a specified frequency.
  • Awareness and training: training records. The organization documents and monitors each employee's information security training, including the introductory course and the courses specific to the IS.
  • Awareness and training: contacts with information security groups and associations. It is advisable to establish and maintain contacts with groups, forums and associations specializing in information security, in order to keep abreast of the current state of information security and of recommended protective measures, methods and technologies.

At the minimum level of information security, it is recommended to apply the following software/technical security controls.

  • Identification and authentication: policy and procedures. Development, distribution, periodic revision and change of:
    • an official documented identification and authentication policy that states the goal, coverage, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures that support the implementation of the policy and the associated identification and authentication regulators.
  • The information system unambiguously identifies and authenticates users (or processes acting on behalf of users).
  • Identification and authentication: managing identifiers. The organization manages user identifiers by:
    • uniquely identifying each user;
    • verifying the identity of each user;
    • obtaining official authorization from authorized officials to issue a user identifier;
    • ensuring that the identifier is issued to the intended user;
    • disabling the user identifier after a specified period of inactivity;
    • archiving user identifiers.
  • Identification and authentication: authenticator management. The organization manages the authenticators in the information system (tokens, public key infrastructure certificates, biometric data, passwords, key cards, etc.) by:
    • defining the initial content of authenticators;
    • establishing administrative procedures for the initial distribution of authenticators, for replacing lost, compromised or damaged authenticators, and for revoking authenticators;
    • changing the default authenticators after the information system is installed.
  • Identification and authentication: authenticator feedback. The information system obscures the echo of authentication information during the authentication process, to protect this information from possible use by unauthorized persons.
  • Identification and authentication: authentication to cryptographic modules. For authentication to cryptographic modules, the information system applies methods that meet the requirements of the standards for such modules.
  • Access control: policy and procedures. Development, distribution, periodic revision and change of:
    • an official documented access control policy that states the goal, coverage, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures that support the implementation of the policy and the associated access control regulators.
  • The organization manages accounts in the information system, including their creation, activation, modification, revision (with a given frequency), disabling and removal.
  • The information system enforces the assigned privileges to manage access to the system in accordance with the applicable policies.
  • Access control: unsuccessful login attempts. The information system enforces a given limit on the number of consecutive unsuccessful access attempts by a user within a specified period of time; when the maximum permissible number of unsuccessful attempts is exceeded, it automatically locks the account for a given time or delays the next login prompt according to a given algorithm.
  • Access control: system use warning. The information system displays an officially approved warning message on the use of the system before granting access to it, informing potential users:
    • that the system belongs to the organization;
    • of possible monitoring, logging and audit of the use of the system;
    • of the prohibition of, and possible punishment for, unauthorized use of the system;
    • that by using the system the user consents to monitoring and logging. The warning message contains the appropriate security policy provisions and remains on the screen until the user takes explicit action to log into the information system.
  • Access control: supervision and review. The organization supervises and checks the actions of users with respect to the implementation and use of the access regulators available in the information system.
  • Access control: actions allowed without identification and authentication. Defining the specific user actions that can be performed in the information system without identification and authentication.
  • Documenting, tracking and controlling all types of remote access to the information system (for example, dial-up or via the Internet), including remote access for performing privileged actions; the relevant officials authorize the use of each type of remote access and allow it only for those users who need it.
  • Organization:
    • establishes restrictions on the use of wireless technologies and manages their implementation;
    • documents, monitors and controls wireless access to the information system; the relevant officials authorize the use of wireless technologies.
  • Access control: personal information systems. Restricting the use of personal information systems for production needs, including the processing, storage and transmission of production information.
  • Logging and auditing: policy and procedures. Development, distribution, periodic revision and change of:
    • an official documented logging and audit policy that states the goal, coverage, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures that support the implementation of the policy and the associated logging and audit regulators.
  • Logging and auditing: logging events. The information system generates registration records for the specified events.
  • The information system stores enough information in the registration records to establish what event occurred, what the source of the event was and what the outcome of the event was.
  • Logging and auditing: resources for storing registration information. It is necessary to allocate a sufficient amount of resources for storing registration information and to configure logging so as to prevent the exhaustion of these resources.
  • In the event of a logging failure or exhaustion of the resources for registration information, the information system warns the relevant officials and takes the given additional actions.
  • Logging and auditing: protection of registration information. The information system protects the registration information and the logging/auditing tools from unauthorized access, modification and removal.
  • Logging and auditing: retention of registration information. Registration information should be kept for a specified time, to support investigations of past information security violations and to fulfil the requirements of current legislation and of the organization for retaining information.
  • Protection of systems and communications: policy and procedures. Development, distribution, periodic revision and change of:
    • an official documented policy for the protection of systems and communications that states the goal, coverage, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures that support the implementation of the policy and the associated regulators for the protection of systems and communications.
  • Protection of systems and communications: protection against attacks on availability. The information system protects against attacks on availability of the specified types, or limits their impact.
  • The information system monitors and controls communications at the external and key internal boundaries of the information system.
  • Protection of systems and communications: use of cryptography. If cryptographic products are used in the information system, they must meet the requirements of current legislation, technical regulations, standards, guidance and regulatory documents, and sectoral and organizational standards.
  • Protection of systems and communications: protection of publicly available systems. The information system ensures the integrity of data and applications for publicly available systems.
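
The "unsuccessful login attempts" regulator listed above, as an added example that is not code from the original page: a sliding-window count of consecutive failures per user that locks the account when the limit is exceeded and otherwise delays the next prompt, writing each decision as a registration record with the event, time, source and outcome fields the logging regulators above call for. The limits and the doubling delay are assumptions chosen for the example.

```python
"""Added example (not code from the original page) of the 'unsuccessful login
attempts' control: a sliding-window counter of consecutive failures per user that
locks the account when the limit is exceeded and otherwise delays the next prompt.
Each decision is also written as a registration record with the event, time,
source and outcome fields the logging controls call for. The limits and the
doubling delay are assumptions for the example."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional


@dataclass
class LimiterPolicy:
    max_failures: int = 5            # consecutive failures permitted in the window
    window_seconds: float = 900.0    # the "specified period of time"
    lockout_seconds: float = 1800.0  # account lock once the limit is exceeded
    base_delay_seconds: float = 1.0  # first delay before the next login prompt


@dataclass
class AccountState:
    failures: Deque[float] = field(default_factory=deque)  # timestamps of recent failures
    locked_until: Optional[float] = None


class LoginAttemptLimiter:
    """Enforces the limit on consecutive unsuccessful attempts for each user."""

    def __init__(self, policy: Optional[LimiterPolicy] = None):
        self.policy = policy or LimiterPolicy()
        self.accounts: Dict[str, AccountState] = {}
        self.audit: List[dict] = []   # registration records

    def _state(self, user: str, now: float) -> AccountState:
        """Fetch the account state, dropping failures outside the window and expired locks."""
        state = self.accounts.setdefault(user, AccountState())
        if state.locked_until is not None and now >= state.locked_until:
            state.locked_until = None
            state.failures.clear()
        while state.failures and now - state.failures[0] > self.policy.window_seconds:
            state.failures.popleft()
        return state

    def _log(self, event: str, user: str, source: str, now: float, outcome: str) -> None:
        self.audit.append({"event": event, "time": now, "source": source,
                           "user": user, "outcome": outcome})

    def is_locked(self, user: str, now: float) -> bool:
        state = self._state(user, now)
        return state.locked_until is not None and now < state.locked_until

    def next_prompt_delay(self, user: str, now: float) -> float:
        """Seconds to wait before presenting the next login prompt (0 = no delay)."""
        state = self._state(user, now)
        if state.locked_until is not None:
            return state.locked_until - now          # remaining lock time
        n = len(state.failures)
        # Progressive delay: 1s, 2s, 4s, ... for each failure inside the window.
        return 0.0 if n == 0 else self.policy.base_delay_seconds * 2 ** (n - 1)

    def record_failure(self, user: str, source: str, now: float) -> str:
        """Register a failed attempt; returns 'delayed' or 'locked'."""
        state = self._state(user, now)
        state.failures.append(now)
        if len(state.failures) > self.policy.max_failures:   # limit exceeded
            state.locked_until = now + self.policy.lockout_seconds
            outcome = "locked"
        else:
            outcome = "delayed"
        self._log("login_failure", user, source, now, outcome)
        return outcome

    def record_success(self, user: str, source: str, now: float) -> bool:
        """Register a successful authentication; refused while the account is locked."""
        if self.is_locked(user, now):
            self._log("login_refused_locked", user, source, now, "refused")
            return False
        self.accounts[user] = AccountState()   # success resets the failure counter
        self._log("login_success", user, source, now, "success")
        return True


if __name__ == "__main__":
    limiter = LoginAttemptLimiter(LimiterPolicy(max_failures=3, window_seconds=60,
                                                lockout_seconds=300))
    for t in (1, 2, 3, 4):
        print(t, limiter.record_failure("alice", "10.0.0.5", t),
              limiter.next_prompt_delay("alice", t))
    print(limiter.record_success("alice", "10.0.0.5", 5))
    for rec in limiter.audit:
        print(rec)
```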

Additional and enhanced security regulators for a moderate level of information security

For a moderate level of information security, it is advisable to apply the following additional and enhanced (compared to the minimum level) security regulators.

  • With a given frequency, or after information appears about new vulnerabilities critical for the information system, the information system must be scanned for vulnerabilities.
  • Security planning: security planning. Ensuring proper planning and coordination of security-related activities affecting the information system, in order to minimize the negative impact on the operations and assets of the organization (including its mission, functions, image and reputation).
  • Purchase of systems and services: documentation. The general package of documents must include documentation from the manufacturer/supplier (if any) that describes the functional properties of the security regulators used in the information system in enough detail to make it possible to analyze and test the regulators.
  • Purchase of systems and services: information security design principles. The design and implementation of the information system are carried out using information security design principles.
  • Purchase of systems and services: security testing by the developer. The developer of the information system forms a security testing and assessment plan, implements it and documents the results; the latter can be used to support certification for security requirements and accreditation of the supplied information system.
  • Certification, accreditation and security assessment: security assessment. With a given frequency, but at least once a year, it is advisable to evaluate the security regulators in the information system to determine how correctly they are implemented, whether they function in accordance with the specifications and whether they give the expected results with respect to fulfilling the information security requirements.
  • Certification, accreditation and security assessment: security certification. Evaluation of the security regulators in the information system for the purpose of certification against security requirements is carried out by an independent certifying organization.
  • Physical protection: access control to information display devices. Control of physical access to information display devices, to protect them from viewing by unauthorized persons.
  • Physical protection: monitoring physical access. Intrusion alarms and data from surveillance devices are monitored in real time.
  • Physical protection: visitor monitoring. Escorting visitors and, if necessary, monitoring their activity.
  • Physical protection: electrical equipment and wiring. Protection of the electrical equipment and wiring of the information system from damage and destruction.
  • Physical protection: emergency shutdown. For certain rooms in which information system resources are concentrated (data centers, server rooms, machine rooms for mainframes, etc.), it is necessary to provide the possibility of cutting off the power to any failed (for example, due to a short circuit) or endangered (for example, due to a burst water pipe) component of the information system, without endangering the personnel who access the equipment.
  • Providing short-term uninterruptible power sources that allow an orderly shutdown of the information system in case of loss of the main power supply.
  • Physical protection: fire protection. It is necessary to apply and maintain fire detection and fire extinguishing devices/systems that are triggered automatically in case of fire.
  • Physical protection: alternate work site. Employees of the organization at the alternate work site use appropriate security regulators for the information system.
  • Physical protection: location of information system components. The components of the information system should be located in the designated areas so as to minimize potential damage from physical risks and environmental threats, as well as the possibility of unauthorized access.
  • Uninterrupted work planning: uninterrupted work plan. The organization coordinates the development of the uninterrupted work plan with the structures responsible for related plans (for example, disaster recovery plans, security incident response plans, etc.).
  • The organization trains employees in their roles and responsibilities for ensuring the uninterrupted operation of the information system, and with a given frequency, but not less than once a year, holds exercises to maintain practical skills.
  • With a given frequency, but at least once a year, the organization tests the uninterrupted work plan for the information system, using the specified tests and exercise procedures to determine the effectiveness of the plan and the readiness of the organization to implement it. The relevant officials check the results of the plan testing and initiate corrective actions. The organization coordinates the testing of the uninterrupted work plan with the structures responsible for related plans (for example, disaster recovery plans, security incident response plans, etc.).
  • It is necessary to define an alternate storage site and conclude the necessary agreements to make it possible to store backup copies of the information system data; the alternate storage site should be located away from the primary site so as not to be exposed to the same hazards.
  • An alternate data processing site is defined, and the necessary agreements are initiated, so that the information system can resume critical production functions within a specified period of time if the primary data processing facilities are unavailable. The alternate data processing site is geographically separated from the primary one and is therefore not subject to the same hazards. Potential problems with access to the alternate data processing site in the case of large-scale accidents or natural disasters are identified, and explicit actions to mitigate the identified problems are planned. The agreement on the alternate data processing site contains a priority-of-service commitment in accordance with the organization's availability requirements.
  • The primary and alternate sources of telecommunication services supporting the information system are defined. The necessary agreements are initiated so that the information system can resume critical production functions within a specified period of time if the primary source of telecommunication services is unavailable. The agreements with the primary and alternate sources of telecommunication services contain priority-of-service commitments in accordance with the organization's availability requirements. The alternate source of telecommunication services does not share a single point of failure with the primary source.
  • Uninterrupted work planning: backup. With a given frequency, the organization tests backup copies to verify the reliability of the media and the integrity of the data.
  • Configuration management: baseline configuration and inventory of information system components. When new components are installed, the baseline configuration of the information system and the inventory of its components are updated.
  • Changes in the information system are documented and controlled; the relevant officials authorize changes to the information system in accordance with the adopted policies and procedures.
  • Configuration management: configuration monitoring. It is necessary to track changes in the information system and analyze their impact on security in order to determine the effect of the changes.
  • The organization enforces physical and logical restrictions on access associated with changes in the information system, and generates, stores and revises the records reflecting all such changes.
  • The information system should be configured so as to provide only the necessary capabilities, and to explicitly prohibit and/or limit the use of certain functions, ports, protocols and/or services.
  • Maintenance: periodic maintenance. A maintenance log for the information system is kept, recording:
    • the date and time of maintenance;
    • the surname and name of the person who performed the maintenance;
    • the surname and name of the escort, if necessary;
    • a description of the maintenance operations performed on the information system;
    • the list of removed or relocated equipment (with identification numbers).
  • The organization authorizes, controls and monitors the use of information system maintenance tools and keeps these tools available at all times.
  • Maintenance: timely maintenance. The organization obtains maintenance support and spare parts for the key components of the information system within a specified period of time.
  • Integrity of systems and data: protection against malicious software. Mechanisms for protection against malicious software are managed centrally.
  • Integrity of systems and data: tools and methods for monitoring the information system. Application of tools and methods for monitoring events in the information system, detecting attacks and identifying unauthorized use of the information system.
  • Spam protection is implemented in the information system.
  • Integrity of systems and data: data entry restrictions. The organization grants the right to enter data into the information system only to authorized persons.
  • Integrity of systems and data: accuracy, completeness, validity and authenticity of data. The information system checks data for accuracy, completeness, validity and authenticity.
  • Integrity of systems and data: error handling. The information system explicitly detects and handles error conditions.
  • Integrity of systems and data: handling and retention of output. The output of the information system is handled and retained in accordance with the adopted policies and operational requirements.
  • Protection of media: media labels. Removable data media and information system output carry external labels stating the restrictions on the distribution and handling of the data; the specified types of media or hardware components are exempt from labelling, as they remain within the controlled zone.
  • Protection of media: media storage. Physical control and secure storage of data media, paper and digital, based on the highest category assigned to the data recorded on the media.
  • Protection of media: media transport. Control of data media, paper and digital, and restriction of the sending, receiving, transporting and delivery of media to authorized persons.
  • The organization trains employees in their roles and duties related to responding to information security violations in the information system, and with a given frequency, but not less than once a year, holds exercises to maintain practical skills.
  • With a given frequency, but at least once a year, the information security incident response capability of the information system is tested, using the specified tests and exercise procedures to determine the effectiveness of the response. The results are documented.
  • Response to information security violations: response. Automatic mechanisms are applied to support the information security incident response process.
  • It is necessary to continuously track and document information security violations.
  • Response to information security violations: violation reports. Use of automatic mechanisms to facilitate reporting of information security violations.
  • Response to information security violations: assistance. Use of automatic mechanisms to increase the availability of information and support related to information security incident response.
  • Identification and authentication: identification and authentication of devices. The information system identifies and authenticates specified devices before establishing a connection with them.
  • Access control: account management. Application of automatic mechanisms to support account management in the information system; the information system automatically terminates temporary and emergency accounts after the period specified for each account type; the information system automatically disables inactive accounts after the specified period of time.
  • Access control: access enforcement. The information system ensures that access to security functions (implemented in hardware and/or software) and to security-relevant data is granted only to authorized persons (for example, security administrators).
  • Access control: information flow enforcement. The information system enforces the assigned privileges to manage information flows within the system and between interconnected systems in accordance with the adopted security policy.
  • Access control: separation of duties. The information system implements separation of duties through the assignment of access privileges.
  • Access control: minimizing privileges. The information system implements the most restrictive set of access rights/privileges required by users (or processes acting on behalf of these users) to perform their tasks.
  • Access control: session lock. The information system prevents further access to the information system by locking the session until the user regains access by applying the appropriate identification and authentication procedures.
  • Access control: session termination. The information system automatically terminates the session after the specified period of inactivity.
  • Access control: actions allowed without identification and authentication. The organization allows actions without identification and authentication only if they are necessary to achieve the key goals of the organization.
  • Access control: remote access. Application of automatic mechanisms to facilitate the monitoring and control of remote access methods, and of encryption to protect the confidentiality of remote access sessions. All remote access must be controlled at a controlled access point.
  • Access control: restrictions on wireless access. Authentication and encryption are applied to protect wireless access to the information system.
  • Access control: mobile devices. Organization:
    • establishes restrictions on the use of mobile devices and develops guidelines for their use;
    • documents, monitors and controls access to the information system through such devices; the relevant officials authorize the use of mobile devices; removable hard drives or cryptography are used to protect the data held on mobile devices.
  • Logging and auditing: content of registration records. The information system provides the possibility of including in registration records additional, more detailed information for loggable events identifiable by type, location or subject.
  • It is necessary to regularly study/analyze registration information in order to identify inappropriate or atypical activity, investigate cases of suspicious activity or alleged violations, report the results to the relevant officials and take the necessary actions.
  • The information system provides the ability to reduce registration information and to generate reports.
  • Logging and auditing: time stamps. The information system provides time stamps for use when generating registration records.
  • Protection of systems and communications: application separation. The information system separates the user interface functionality (including user interface services) from the management functionality of the information system.
  • Protection of systems and communications: residual information. The information system prevents unauthorized and unintended transfer of information via shared system resources.
  • Protection of systems and communications: boundary protection. It is advisable to physically place the publicly accessible components of the information system (for example, publicly accessible Web servers) in separate subnets with separate physical network interfaces, and to prevent public access to the internal network except for properly controlled access.
  • The information system protects the integrity of transmitted data.
  • The information system protects the confidentiality of transmitted data.
  • Protection of systems and communications: network disconnect. The information system terminates the network connection at the end of the session or after the specified period of inactivity.
  • Protection of systems and communications: cryptographic key generation and management. The information system applies automatic mechanisms with supporting procedures, or manual procedures, for generating and managing cryptographic keys.
  • Protection of systems and communications: collaborative applications. The information system prohibits remote activation of collaborative application mechanisms (for example, video or audio conferencing) and gives local users an explicit indication of their use (for example, indicating that video cameras or microphones are in use).
  • Protection of systems and communications: public key infrastructure certificates. The organization develops and implements a certificate policy and a certification practice statement for issuing the public key certificates used in the information system.
  • Protection of systems and communications: mobile code. Organization:
    • establishes restrictions on the use of mobile code technologies and develops guidelines for their use, based on the potential for damage to the information system from malicious use of these technologies;
    • documents, monitors and controls the use of mobile code in the information system; the relevant officials authorize the use of mobile code.
  • Protection of systems and communications: VoIP. Organization:
    • establishes restrictions on the use of VoIP technologies and develops guidelines for their use, based on the potential for damage to the information system from malicious use of these technologies;
    • documents, monitors and controls the use of VoIP in the information system; the relevant officials authorize the use of VoIP.
  • Protection of systems and communications: secure name resolution service (authoritative sources). The information systems (authoritative domain name servers) that provide external users with name resolution for access to the organization's information resources via the Internet supply data origin authentication and data integrity attributes, so that users can verify the authenticity and integrity of the messages they receive during network transactions.
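
The regular analysis of registration information and the audit reduction/report generation regulators listed above, as an added example that is not code from the original page: it parses constructed registration records (each with event, time, source, subject and outcome), flags atypical activity (bursts of failed logins, a success right after such a burst, privileged actions outside working hours) and condenses the records into a per-user report. The thresholds, working hours and the privileged event names are assumptions.

```python
"""Added example (not code from the original page) for the 'analysis of
registration information' and 'audit reduction and report generation' controls.
The log lines, thresholds and working hours are constructed assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Constructed registration records: what happened, when, the source, the
# subject and the outcome, as the logging controls require.
SAMPLE_LOG = """\
{"time": "2024-03-04T09:00:12Z", "event": "login", "user": "ivanov", "source": "10.1.2.3", "outcome": "success"}
{"time": "2024-03-04T09:05:41Z", "event": "login", "user": "petrov", "source": "10.1.2.9", "outcome": "failure"}
{"time": "2024-03-04T09:05:43Z", "event": "login", "user": "petrov", "source": "10.1.2.9", "outcome": "failure"}
{"time": "2024-03-04T09:05:46Z", "event": "login", "user": "petrov", "source": "10.1.2.9", "outcome": "failure"}
{"time": "2024-03-04T09:05:50Z", "event": "login", "user": "petrov", "source": "10.1.2.9", "outcome": "failure"}
{"time": "2024-03-04T09:06:02Z", "event": "login", "user": "petrov", "source": "10.1.2.9", "outcome": "success"}
{"time": "2024-03-04T23:40:05Z", "event": "privilege_use", "user": "ivanov", "source": "10.1.2.3", "outcome": "success"}
{"time": "2024-03-04T13:15:00Z", "event": "config_change", "user": "admin", "source": "10.1.0.1", "outcome": "success"}
"""

FAILURE_THRESHOLD = 3          # assumption: consecutive failures that count as atypical
WORK_HOURS = range(8, 20)      # assumption: 08:00-19:59 UTC is normal working time
PRIVILEGED_EVENTS = {"privilege_use", "config_change"}


def parse_records(text: str) -> List[dict]:
    """Parse JSON-lines registration records and sort them by time stamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_atypical_activity(records: List[dict]) -> List[dict]:
    """Flag failure bursts, a success right after a burst, and off-hours privileged use."""
    findings = []
    consecutive_failures: Dict[str, int] = defaultdict(int)   # per subject
    for rec in records:
        user = rec["user"]
        if rec["event"] == "login":
            if rec["outcome"] == "failure":
                consecutive_failures[user] += 1
                if consecutive_failures[user] == FAILURE_THRESHOLD:
                    findings.append({"rule": "failure_burst", "user": user,
                                     "source": rec["source"], "time": rec["time"]})
            else:
                # A success after a burst may mean a guessed credential: worth investigating.
                if consecutive_failures[user] >= FAILURE_THRESHOLD:
                    findings.append({"rule": "success_after_burst", "user": user,
                                     "source": rec["source"], "time": rec["time"]})
                consecutive_failures[user] = 0
        if rec["event"] in PRIVILEGED_EVENTS and rec["ts"].hour not in WORK_HOURS:
            findings.append({"rule": "off_hours_privileged", "user": user,
                             "source": rec["source"], "time": rec["time"]})
    return findings


def reduce_report(records: List[dict]) -> Dict[str, dict]:
    """Audit reduction: per-user totals instead of every raw record."""
    report: Dict[str, dict] = {}
    for rec in records:
        entry = report.setdefault(rec["user"], {"events": 0, "failures": 0,
                                                "sources": set(), "privileged": 0})
        entry["events"] += 1
        entry["failures"] += rec["outcome"] == "failure"
        entry["sources"].add(rec["source"])
        entry["privileged"] += rec["event"] in PRIVILEGED_EVENTS
    for entry in report.values():
        entry["sources"] = sorted(entry["sources"])
    return report


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for finding in find_atypical_activity(recs):
        print("ALERT", finding)
    print(json.dumps(reduce_report(recs), indent=1))
```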

Additional and reinforced security regulators for high-level IB

For high level of information security, it is recommended to apply the following additional and enhanced (compared to moderate level) safety regulators.

    Risk assessment: scanning vulnerabilities. Vulnerability scanners include the ability to quickly change the list of scanned vulnerabilities of the information system.

    With a given frequency or after the appearance of information about new Critical for Vulnerabilities, the organization changes the list of scanned vulnerabilities of the information system.

  • Purchase of systems and services: documentation. You should enable the documentation from the manufacturer / supplier in the general document package (if any) describing the design and implementation of safety regulators involved in the information system, with a degree of details sufficient to make it possible to analyze and test the regulators (including functional interfaces between components of regulators).
  • Purchase of systems and services: Configuration management developer. The information system developer creates and implements a configuration management plan that controls the change of the system during the development process, tracing security defects, requiring the authorization of the change, and provides the documentation of the plan and its implementation.
  • Physical Protection: Access control to data transmission channels. Controls physical access to the distribution and data transmission lines belonging to the IP and located within protected boundaries to prevent unintentional damage, listening, modifying in the transmission process, gap or physical distortion of lines.
  • Physical Protection: Monitoring Physical Access. Automatic mechanisms are used to ensure the identification of potential intrusions and initiating the reaction to them.
  • Physical Protection: Access Logging. Automatic mechanisms are applied to facilitate support and viewing registration logs.
  • Physical protection: emergency power supply. It is necessary to ensure long-term alternative power sources for an information system that can support the minimum required operational capabilities in the event of a long-term failure of the primary power source.
  • Physical Protection: Fire Protection. Devices / fire extinguishing systems and detection of fires that automatically notify organizations and emergency services are applied and maintained.
  • Physical protection: protection against flooding. Automatic mechanisms are used to automatically overlap water in case of its intensive leakage.
  • Uninterrupted work planning: learning. Event modeling is included in training courses to help effectively respond to employees for possible crisis situations.
  • Uninterrupted work planning: Testing an uninterrupted work plan. The uninterrupted work plan is tested at a spare production site to familiarize employees with existing opportunities and resources and evaluate the ability of the site to maintain the continuity of operation.
  • Uninterrupted work planning: Spare storage places. Spare storage is configured to facilitate timely and efficient recovery; Potential problems with access to a spare storage place in the case of large-scale accidents or natural disasters are determined and obvious actions to mitigate identified problems are scheduled.
  • Uninterrupted work planning: Spare data processing places. Spare data processing is fully configured to maintain the minimum required operational capabilities and availability of use as a production site.
  • Uninterrupted work planning: Telecommunication services. A spare source of telecommunication services should be sufficiently removed geographically from the main thing in order not to be subject to the same hazards; The main and reserve sources of telecommunication services have adequate uninterrupted work plans.
  • Uninterrupted work planning: backup. To restore the functions of the information system, backups are used as part of the testing plan for uninterrupted operation. Backups The operating system and other software critical for software is stored in a separate place or in a refractory container, located separately from the operational software.
  • Uninterrupted work planning: restoring the information system. The organization includes full recovery Information system as part of testing an uninterrupted work plan.
  • Configuration management: Basic configuration and inventory components of the information system. Automatic mechanisms are applied to maintain a relevant, complete, accurate and easily accessible basic configuration of the information system and the components of the IP components.
  • Configuration Management: Monitoring Configuration Changes. Automatic mechanisms are used to:
    • document the proposed changes in the information system;
    • notify the relevant officials;
    • attract attention to not received promptly affirming visas;
    • postpone changes before obtaining the necessary approving visas;
    • document generated changes in the information system.
  • Configuration management: access restrictions for change. Automated mechanisms are used to enforce access restrictions and to support logging of the enforcement actions.
  • Configuration management: configuration settings. Automated mechanisms are used to centrally manage, apply and verify configuration settings.
  • Configuration management: least functionality. At a defined frequency, the information system is reviewed to identify and eliminate functions, ports, protocols and other services that are not necessary.
  • Maintenance: periodic maintenance. Automated mechanisms are used to ensure that periodic maintenance is scheduled and performed in accordance with established requirements, and that records of required and completed maintenance actions are current, accurate, complete and available.
  • Maintenance: maintenance tools. All maintenance tools (for example, diagnostic and test equipment) brought onto the organization's premises by maintenance personnel must be inspected for visible improper modifications. All media containing diagnostic test programs (for example, software used for system maintenance and diagnostics) must be checked for malicious code before the media are used in the information system. All equipment used for maintenance purposes and capable of retaining information must be checked to ensure that no organizational information is recorded on it, or that it is properly sanitized before reuse. If the equipment cannot be sanitized, it remains on the organization's premises or is destroyed, except in cases explicitly authorized by the relevant officials.
  • Maintenance: remote maintenance. All remote maintenance sessions are logged, and the relevant officials review the logs of remote sessions. The installation and use of remote diagnostic links are reflected in the security plan of the information system. Remote diagnostic or maintenance services are permitted only if the service organization maintains, in its own information system, at least the same level of security as the system being serviced.
  • System and information integrity: protection against malicious code. The information system automatically updates its malicious code protection mechanisms.
  • System and information integrity: security functionality verification. Within its technical capabilities, the information system verifies the correct operation of security functions at system startup or restart, on command of an authorized user and/or periodically at a defined frequency, and notifies the system administrator and/or shuts down or restarts the system when anomalies are detected.
  • System and information integrity: software and information integrity. The information system detects and protects against unauthorized changes to software and information.
  • System and information integrity: spam protection. The organization centrally manages spam protection mechanisms.
  • Media protection: media access. Either security guards or automated mechanisms are used to control access to media storage areas, ensuring protection against unauthorized access and logging of access attempts and access granted.
  • Incident response: training. Training courses include simulated events to promote an effective response by employees to possible crisis situations.
  • Incident response: testing. Automated mechanisms are used for more thorough and effective testing of the response capability.
  • Incident response: monitoring. Automated mechanisms are used to facilitate the tracking of security incidents and the collection and analysis of incident information.
  • Identification and authentication: user identification and authentication. The information system uses multifactor authentication.
  • Access control: account management. Automated mechanisms are used to support logging and, where necessary, to notify the appropriate persons of the creation, modification, disabling and termination of accounts.
  • Access control: concurrent session control. The information system limits the number of concurrent sessions for a single user.
  • Access control: supervision and review. Automated mechanisms are used to facilitate the review of user activity.
  • Access control: automated marking. The information system marks output using standard naming conventions to identify any special dissemination, handling and distribution instructions for the data.
  • Audit and accountability: content of audit records. The information system provides the ability to centrally manage the content of audit records generated by individual components of the information system.
  • Audit and accountability: audit processing. The information system issues a warning when the share of the storage space allotted to audit records reaches a specified value.
  • Audit and accountability: audit monitoring, analysis and reporting. Automated mechanisms are used to integrate audit monitoring, analysis and reporting into the overall process of identifying and responding to suspicious activity.
  • Audit and accountability: audit reduction and report generation. The information system provides the ability to automatically process audit records of interest, based on specified selection criteria.
  • System and communications protection: security function isolation. The information system isolates security functions from non-security functions.
  • System and communications protection: transmission integrity. Cryptographic mechanisms are used to detect changes to data in transit, unless the data is protected by alternative physical measures (for example, a protective distribution system).
  • System and communications protection: transmission confidentiality. Cryptographic mechanisms are used to prevent unauthorized disclosure of information in transit, unless it is protected by alternative physical measures (for example, a protective distribution system).
  • System and communications protection: secure name resolution service. Information systems (authoritative domain name servers) that provide name resolution service to internal users accessing information resources provide mechanisms for data origin authentication and data integrity verification, and perform these actions at the request of client systems.
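The two audit controls above (a warning when audit storage reaches a specified share of its capacity, and automatic selection of audit records of interest by criteria) as an added worked example; this is not code from the original page, and the key=value record format, the sample lines, the capacity and the 80% threshold are all constructed for illustration.

```python
"""Audit storage warning and audit reduction by selection criteria.

Added example, not the page's own code. The record format, the sample
audit lines, the storage capacity and the threshold are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed audit lines in a simple key=value format (not a real product format).
SAMPLE_LINES = """\
ts=2024-05-01T08:00:01 component=web user=alice event=login outcome=success
ts=2024-05-01T08:00:07 component=web user=bob event=login outcome=failure
ts=2024-05-01T08:00:09 component=web user=bob event=login outcome=failure
ts=2024-05-01T08:00:12 component=web user=bob event=login outcome=failure
ts=2024-05-01T08:01:30 component=db user=alice event=query outcome=success
ts=2024-05-01T08:02:00 component=db user=carol event=config_change outcome=success
ts=2024-05-01T08:02:45 component=vpn user=bob event=login outcome=success
""".splitlines()

REQUIRED_FIELDS = {"ts", "component", "user", "event", "outcome"}
PAIR = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Dict[str, str]:
    """Parse one key=value audit line; a line missing a required field is rejected
    rather than silently kept, so that reduction never works on partial records."""
    fields = dict(PAIR.findall(line))
    missing = REQUIRED_FIELDS - fields.keys()
    if missing:
        raise ValueError(f"audit line missing {sorted(missing)}: {line!r}")
    return fields


def audit_storage_used(lines: List[str]) -> int:
    """Bytes the audit lines occupy on disk (UTF-8, one newline per line)."""
    return sum(len(l.encode("utf-8")) + 1 for l in lines)


def storage_warning(used_bytes: int, capacity_bytes: int,
                    threshold: float = 0.80) -> Optional[str]:
    """Return a warning once the share of audit storage in use reaches
    `threshold` (the control's 'specified value'); otherwise None."""
    if capacity_bytes <= 0:
        raise ValueError("capacity must be positive")
    share = used_bytes / capacity_bytes
    if share >= threshold:
        return f"audit storage at {share:.0%} of capacity (threshold {threshold:.0%})"
    return None


def select(records: List[Dict[str, str]], **criteria: str) -> List[Dict[str, str]]:
    """Audit reduction: keep only records whose fields match every criterion."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def failed_logins_by_user(records: List[Dict[str, str]],
                          min_count: int = 3) -> Dict[str, int]:
    """Report generation: users with at least `min_count` failed login events."""
    counts = Counter(r["user"] for r in select(records, event="login", outcome="failure"))
    return {user: n for user, n in counts.items() if n >= min_count}


RECORDS = [parse(line) for line in SAMPLE_LINES]

if __name__ == "__main__":
    # Constructed capacity of 600 bytes so that the sample lines trip the warning.
    print(storage_warning(audit_storage_used(SAMPLE_LINES), capacity_bytes=600))
    print("db records:", len(select(RECORDS, component="db")))
    print("repeated failed logins:", failed_logins_by_user(RECORDS))
```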

Minimum assurance requirements for security controls

Minimum assurance requirements for security controls apply to specific processes and actions. The specialists who develop and implement the controls define and perform (execute) these processes and actions to increase confidence that the controls are implemented correctly, operate in accordance with their specifications and produce the expected results with respect to meeting the information security requirements.

At the low level of information security, it is necessary that the security controls are in place and satisfy the functional requirements explicitly stated in their definition.

At the moderate level of information security, the following conditions must also be met. The specialists developing (implementing) a control provide a description of its functional properties that is detailed enough to allow analysis and testing of the control. As an integral part of the control, the developers document and provide the allocation of responsibilities and the specific actions by which the control is to meet its functional requirements after development (implementation). The technology in which the controls are developed should support a high degree of confidence in their completeness, consistency and correctness.

Figure 6. Ensuring information security. Process approach.

At the high level of information security, it is additionally necessary to provide a description of the design and implementation of the controls, including the functional interfaces between their components. Developers must provide evidence that, after development (implementation) is complete, the requirements for the controls will be met continuously and consistently across the entire information system, and that the possibility of improving the effectiveness of the controls will be supported.

Conclusion

Ensuring information security is a complex, multidimensional process that requires many decisions and the analysis of many factors and requirements, some of them contradictory. The existence of categories and minimum security requirements, together with a predefined catalog of security controls, can serve as the basis for a systematic approach to information security: an approach that requires reasonable labor and material costs and can deliver practically acceptable results for most organizations.

The problem of information protection can hardly be called contrived. From all sides we hear about hacking, viruses, malware, attacks, threats, vulnerabilities...

Information Security as a system

Information security is a set of measures, none of which can be singled out as more or less important. Information security cannot be perceived as anything other than a complex whole. Everything matters here! Protective measures must be observed at every point of the network, whenever any subject works with your information (a subject here means a user, system, process, computer or software that processes information). Every information resource, whether a user's computer, the organization's server or network equipment, must be protected against all kinds of threats. File systems, the network, and so on must be protected. We will not consider the ways of implementing protection in this article because of their enormous variety.

However, it should be understood that one hundred percent protection is impossible. At the same time, remember: the higher the level of security, the more expensive the system and the less convenient it is for the user, which in turn weakens protection against the human factor. As an example, recall that excessive password complexity leads to the user being forced to write the password on a piece of paper, which is then stuck to the monitor, the keyboard, etc.

There is a wide range of software aimed at solving information protection tasks: antivirus programs, firewalls, tools built into operating systems and much more. However, remember that the most vulnerable link in the defense is always the human! After all, the effectiveness of any software depends on the quality of its code and on the competence of the administrator who configures the protection tool.

Because of this, many organizations create information protection services (departments) or assign the corresponding tasks to their IT departments. However, it must be understood that the IT service cannot be given functions foreign to it. This has been said and written about more than once. So, suppose an information security department has been created in your organization. What to do next? Where to begin?

You need to start with training employees! And make this process regular in the future. Training personnel in the basics of information security should be a permanent task of the information protection division, and it should be done at least twice a year.

Many managers try to obtain from the information security department, right away, a document called the "Organization's Security Policy". Is this correct? In my opinion, no. Before sitting down to write this large document, you need to settle the following questions:

  • what information do you process?
  • how is it classified according to its properties?
  • what resources do you have?
  • how is the information processed on those resources?
  • how are the resources classified?

Classification of information

Historically, as soon as the question of classifying information arises (above all information owned by the state), it is immediately classified by level of secrecy (confidentiality). Requirements for availability, integrity and observability, if they are remembered at all, are mentioned in passing among the general requirements for information processing systems.

If such a view can still somehow be justified by the need to protect state secrets, it is hardly appropriate to transfer it to another subject area. For example, under the requirements of Ukrainian legislation, the owner of information determines its level of confidentiality (where the information does not belong to the state).

In many areas the share of confidential information is relatively small. For open information, where the damage from disclosure is small, the most important properties may be availability, integrity or protection against unlawful copying. Consider the website of an online publication as an example. In my opinion, the availability and integrity of information come first, not its confidentiality. Evaluating and classifying information only from the standpoint of secrecy is at the very least unproductive.

This can be explained only by the narrowness of the traditional approach to information protection and the lack of experience in ensuring the availability, integrity and observability of information that is not secret (confidential).

Categories of protected information

Based on the need to provide different levels of protection for information (not containing state secrets) stored and processed in the organization, let us introduce several categories of confidentiality and of integrity of protected information.

Confidentiality categories:

  • strictly confidential - information recognized as confidential in accordance with the requirements of the law, or information whose distribution is restricted by decision of management because its disclosure could lead to severe financial and economic consequences for the organization, up to bankruptcy;
  • confidential - information not assigned to the "strictly confidential" category, whose distribution is restricted by decision of management within the rights granted to it as owner of the information, because its disclosure may lead to significant losses and loss of the organization's competitiveness (significant damage to the interests of its clients, partners or employees);
  • open - information for which confidentiality is not required.

Integrity categories:

  • high - information whose unauthorized modification or falsification can cause significant damage to the organization;
  • low - information whose unauthorized modification can cause minor damage to the organization, its customers, partners or employees;
  • no requirements - information for which no requirements are imposed on integrity and authenticity.

By degree of availability, we introduce four categories, depending on how often the functional tasks are solved and the maximum allowable delay in obtaining their results:

  • real time - access to the task must be provided at any time;
  • hour - access to the task must be provided without significant delay (the task is solved daily, the delay does not exceed several hours);
  • day - access to the task may be provided with significant delay (the task is solved once every few days);
  • week - delays in accessing the task are not limited (the task is solved every few weeks or months; the allowable delay in obtaining the result is several weeks).

Categorization of information

  1. Categorize all types of information used in solving tasks on specific computers (set the confidentiality, integrity and availability categories of specific types of information).
  2. Categorize all tasks solved on the given computer.
  3. Set the category of the computer based on the maximum categories of the information processed on it.

Inventory of resources

Before talking about protecting information in the organization, you need to understand what you are going to protect and what resources you have. To do this, it is necessary to inventory and analyze all resources of the organization's automated system that are to be protected:

  1. A special working group is formed for the inventory and categorization of the resources to be protected. It includes specialists from the computer security division and from other units of the organization who can help in considering the technology of automated information processing in the organization.
  2. To give the working group the necessary organizational and legal status, an order of the organization's management is issued, instructing the heads of all relevant units to assist the working group in analyzing all computers.
  3. To assist the group during its work, the heads of units allocate employees who have detailed knowledge of automated information processing in their units.
  4. The order is brought to the attention of all heads of the relevant units, against signature.
  5. During the survey (analysis) of the organization's units and automated subsystems, all functional tasks solved using computers, and all types of information used in solving these tasks in the units, are identified and described.
  6. At the end of the survey, a list of the tasks solved in the organization is drawn up. Keep in mind that the same task may be called differently in different units and, conversely, different tasks may have the same name. At the same time, the software tools used in solving the functional tasks of each unit are recorded.

Note that during the survey all types of information are identified (incoming, outgoing, stored, processed, etc.). Bear in mind that it is necessary to identify not only confidential information, but also information whose loss of integrity or availability could cause tangible damage to the organization.

When analyzing the information processed in the organization, it is necessary to assess the seriousness of the consequences that a violation of its properties could cause. For this, the specialists who work with the information should be surveyed (questionnaires, interviews). First of all, find out who would benefit from unlawfully using or influencing this information. If a quantitative assessment of the possible damage is impossible, give a qualitative one (low, high, very high).

To determine availability categories when analyzing the tasks solved in the organization, it is necessary to identify the maximum allowable delay, the frequency of their solution and the severity of the consequences of a violation of their availability (blocking of the tasks).

During the analysis, each type of information is assigned a certain degree (marking) of confidentiality (on the basis of the requirements of current legislation and the rights granted to the organization).

At the same time, to assess the confidentiality category of specific types of information, the managers (leading specialists) of the structural unit give their personal estimates of the likely damage from a violation of the confidentiality and integrity of the information.

At the end of the analysis, a list of information resources to be protected is drawn up.

This list is then agreed with the heads of the IT and computer security departments and submitted to the organization's management.

At the end of this stage, the functional tasks must be categorized. Based on the availability requirements set by the heads of the organization's units and agreed with the IT service, all application tasks solved in the units are categorized.

Next, with the help of specialists from the IT service and the information security unit, the composition of the resources (information, programs) of each task should be clarified, and information on the user groups of the task and instructions for configuring the security tools used in its solution (for example, the access rights of user groups to the listed task resources) should be recorded. Later, the computers on which the task will be solved are configured on the basis of this information.

At the next stage, computers are categorized. The category of a computer is set based on the maximum category of the tasks solved on it and the maximum categories of confidentiality and integrity of the information used in solving those tasks. The computer's category is entered in its record form.

Resource inventory means not only reconciling the existing active and passive network resources with the list of equipment (and its completeness) purchased by the organization. This procedure is carried out using appropriate software, such as Microsoft Systems Management Server. It also includes creating a network map describing all possible connection points, compiling a list of the software in use, forming a fund of the licensed software used in the organization, and creating a fund of algorithms and programs of the organization's own development.

Note that software may be admitted for use only after the information protection department has verified that it matches its intended tasks and contains no implants or "logic bombs".

In this regard, I would like to mention separately the tendency in our country to use open source software. I do not dispute that it provides substantial resource savings. However, in my opinion, in this case the security problem becomes a matter of trust not only in the system developer, but also in your administrator. And if you remember how much the administrator earns, it is easy to conclude that buying your secrets is in this case much easier and cheaper than mounting a direct external attack. It is worth recalling that most successful attacks are carried out by insiders, that is, the company's own employees.

In my opinion, where serious damage is potentially possible, freely distributed software should be used only if it is supplied to you in compiled form and with the digital signature of an organization that guarantees the absence of logic bombs, implants and "back doors" in it. Moreover, the guarantor organization must bear material liability for its guarantee, which, in my opinion, is impossible. However, the choice is yours.

After verification, the reference copy of the software is entered in the fund of algorithms and programs (the reference copy must be accompanied by a file checksum and, better still, by the developer's electronic signature). Later, when versions change or updates appear, the software is checked in the usual manner.

Subsequently, information about the installed software, the installation date, the tasks it is intended to solve, the names and signatures of the responsible persons, and the configuration of the programs are entered in each computer's record form. Once such forms have been created, the information security service must regularly verify that the real state of affairs matches the form.

The next step in building the information security service is the organization's risk analysis, which should be the basis for creating the security policy.

Today it is unlikely that you could find an organization in which no one has ever thought about information protection. At the same time, a correct understanding of information security as a complex of organizational and technical measures is not always found. The most important element in ensuring it is the human being, who is also the main factor in its violation.

Information security must be perceived as a complex of organizational and technical measures, since confidentiality, integrity and availability cannot be ensured by technical measures alone, nor by organizational measures alone.

Suppose you decide to protect yourself only with technical measures, while organizational documents are completely absent. This often happens when protection is handled by the IT department, or when the head of the information security (IS) department is a former IT person. What happens in this case? Suppose one of the company's employees systematically passes confidential information to competitors by email. You discover the leak, but you have no documents, so you simply have no right to punish the employee (for example, to dismiss him). And if you do, a smart offender will sue you for violating his constitutional right to privacy of correspondence. The saddest part is that legally he will be absolutely right: nowhere in your organization is it documented that all information sent by email from addresses belonging to the organization is the property of the company.

Consider the other extreme. It is usually characteristic of former military and special services personnel. You have excellent documents prepared, but they have no technical support at all. What happens in this case? Sooner or later your employees will violate the provisions of the organizational documents and, seeing that no one checks, will do so systematically.

Thus, information security is a flexible system that includes both organizational and technical measures. It should be understood that there are no more significant or less significant measures here; everything is important. Protective measures must be observed at every point of the network, whenever any subject works with your information (a subject here means a user, system, process, computer or software that processes information). Every information resource, whether a user's computer or the organization's server, must be fully protected. File systems, the network, etc. must be protected. We will not discuss the means here.

There is a huge amount of software aimed at solving information protection tasks: antivirus programs, firewalls, and tools built into operating systems. However, the most vulnerable factor is always the human. The effectiveness of any software depends on the quality of its code and on the competence of the administrator who configured it.

Because of this, many organizations create information protection departments or assign security tasks to their IT departments. But it has been said more than once that the IT service should not be given a function foreign to it. Suppose an information security department has been created in your organization. What next? Where should it start?

First steps of the IS department

In my opinion, you need to start with training employees! And do it at least twice a year thereafter. Training ordinary staff in the basics of information protection should be a permanent duty of the staff of the information protection department!

Many managers try to obtain from the information security department, right away, a document called the "Security Policy". This is a mistake. Before you set about writing this serious document, which will define all your efforts to ensure the information security of your organization, you need to ask yourself the following questions:

What information do you process?

How should it be classified?

What resources do you have?

How is the information processed on those resources?

How should the resources be classified?

Let us try to answer these questions.

Classification of information

In our country, an approach has historically developed of classifying information (primarily state information) by the level of requirements for its security on the basis of one of its properties: confidentiality (secrecy).

Requirements for ensuring the integrity and availability of information are, as a rule, only mentioned indirectly among the general requirements for data processing systems.

While this approach is to some extent justified for protecting information constituting a state secret, it does not follow that transferring it to another subject area (with other subjects and other interests) will be correct.

In many areas the share of confidential information is relatively small. For open information, where the damage from disclosure is insignificant, entirely different properties matter most, say availability, integrity or protection against unlawful replication. For example, for payment (financial) documents the most important property is their integrity (authenticity). Next comes availability (the loss of a payment document or a delay in payments can be very costly). Requirements for the confidentiality of payment documents usually come third.

For an Internet newspaper, the availability and integrity of information will come first, not its confidentiality. Attempts to approach the protection of such information from the standpoint of traditional, confidentiality-only protection have failed. The main reasons are the narrowness of the traditional approach to information protection and the lack of experience among domestic specialists, and of appropriate methodology, in ensuring the integrity and availability of information that is not confidential.

To improve the classification of information according to the requirements for its security, several degrees (gradations, categories) of requirements are introduced for each of the security properties of information: availability, integrity and confidentiality.

The number of gradations and their meaning may differ.

Based on the need to provide different levels of protection for different types of information (not containing state secrets) stored and processed in the organization, we introduce several categories of confidentiality and of integrity of protected information.

"Strictly confidential" - information that is confidential in accordance with the requirements of current legislation (banking secrecy, personal data), as well as information whose distribution is restricted by decision of the organization's management (commercial secret), the disclosure of which can lead to grave financial and economic consequences for the organization, up to bankruptcy (serious damage to the vital interests of customers, correspondents, partners or employees).

"Confidential" - information not assigned to the "strictly confidential" category, whose distribution is restricted by decision of the organization's management under the rights granted to it by current legislation as owner (or as authorized by the owner) of the information, the disclosure of which can lead to significant losses and loss of competitiveness of the organization (tangible damage to the interests of customers, correspondents, partners or employees).

"Open" - information for which confidentiality (restriction of distribution) is not required.

"High" - information whose unauthorized modification (distortion, substitution, destruction) or falsification (forgery) can cause significant direct damage to the organization, and whose integrity and authenticity (confirmation of the source) must be ensured by guaranteed methods (electronic digital signature, EDS) in accordance with the mandatory requirements of current legislation, orders, directives and other regulations.

"Low" - information whose unauthorized modification, substitution or deletion can cause minor indirect damage to the organization, its customers, partners or employees, and whose integrity should be ensured in accordance with a management decision (checksum methods, hash functions).

"No requirements" - information for which no requirements are imposed on ensuring integrity (and authenticity).

Depending on the frequency of solving functional tasks and the maximum allowable delay of obtaining results, four required degrees (categories) of information available information are introduced.

"Unhindered accessibility" - access to the task must be provided at any time (the task is solved constantly; the delay in obtaining the result must not exceed a few seconds or minutes).

"High availability" - access must be provided without significant time delays (the task is solved daily; the delay in obtaining the result must not exceed a few hours).

"Average accessibility" - access may be provided with significant time delays (the task is solved once every few days; the delay in obtaining the result must not exceed several days).

"Low accessibility" - time delays in accessing the task are practically unlimited (the task is solved with a period of several weeks or months; the permissible delay in obtaining the result is a few weeks).

At the first stage of the work, all types of information used in solving tasks on a specific computer are categorized (confidentiality and integrity categories are established for specific types of information). A "List of information resources to be protected" is compiled.

At the second stage, all functional tasks solved on this computer are categorized. At the third stage, the category of the computer is established based on the maximum categories of the information processed and the tasks solved on it.

Once the information being processed has been distributed among the relevant categories, a resource inventory should be carried out.

Categorization of resources implies the identification (inventory) and analysis of all resources of the organization's information system that are to be protected. An approximate sequence and the main content of this work are given below.

First of all, a special working group is formed to analyze all subsystems of the organization's information system and to inventory and categorize the resources to be protected. It includes specialists (familiar with automated information processing technology) from the computer security unit and other units of the organization.

An order of the organization's management is issued which, in particular, instructs all heads of structural divisions to assist the working group in analyzing the resources of all computers.

To provide this assistance, employees should be assigned to supply detailed information on automated information processing in the divisions.

In the course of examining specific units of the organization and subsystems of the enterprise information system, all functional tasks solved using computers are identified and described, as well as all types of information used in solving these tasks in the divisions.

After that, a general list of functional tasks is drawn up and a form is issued for each task. It should be borne in mind that the same task may be called differently in different units and, conversely, different tasks may have the same name. At the same time, the software tools used in solving the unit's functional tasks are recorded.

When examining the subsystems and analyzing the tasks, all types of incoming, outgoing, stored, processed, etc. information are identified. It is necessary to identify not only information that can be classified as confidential (banking and commercial secrets, personal data), but also information that must be protected because a violation of its integrity or availability can cause tangible damage to the organization.

Having identified all types of information circulating and processed in the subsystems, it is necessary to assess the consequences to which violations of its properties may lead. To obtain initial estimates, it is advisable to survey (for example, by questionnaire) the specialists working with this information. At the same time, it is necessary to find out who may be interested in this information, how it might be acted upon or used illegally, and what consequences this can lead to.

If the likely damage cannot be quantified, a qualitative assessment is given instead (for example: very low, low, medium, high, very high).

When drawing up the list and forms of functional tasks solved in the organization, it is necessary to determine the frequency of their solution, the maximum permissible delay in obtaining results, and the severity of the consequences to which violations of their availability (blocking the ability to solve the tasks) may lead.

All information identified during the survey is recorded in the appropriate document.

Next, it is necessary to determine which type of secret (banking, commercial, personal data, or not constituting a secret) each identified type of information belongs to (based on the requirements of current legislation and the rights granted to the organization).

Initial proposals for assessing the confidentiality and integrity categories of specific types of information are obtained from the managers (leading specialists) of the structural unit (based on their personal assessments of the likely damage from violation of the confidentiality and integrity properties of the information). The list is then agreed with the heads of the automation and computer security departments and submitted to the organization's management.

At the next step, functional tasks are categorized. Based on the availability requirements of the heads of the organization's units, and agreed with the IT service, all application functional tasks solved in the divisions using computer equipment are categorized. The information is entered into the task form. System tasks and system software should not be categorized outside of their binding to specific computers and application tasks.

Subsequently, with the participation of IT professionals and the information security (IB) division, it is necessary to clarify the composition of the information and software resources of each task and to enter into its form information on the task's user groups and guidelines for configuring the protection mechanisms used when solving it. These data will serve as reference settings for protecting the relevant computers and as a means of checking that those settings have been installed correctly.

At the last stage, the category of each computer is established based on the maximum category of the application tasks solved on it and the maximum categories of confidentiality and integrity of the information used in solving these tasks. The computer's category information is entered into its form.
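The three-stage procedure (stage 1 categorizes information types, stage 2 categorizes tasks, stage 3 takes the maximum over both for the computer) expressed as a small script; this is an added example, not code from the article, and the info types, task names and scale labels are constructed from the category names given above.

```python
from dataclasses import dataclass, field

# Ordered scales from the categorization scheme above; a later entry is a stricter requirement.
CONFIDENTIALITY = ("open", "confidential", "strictly confidential")
INTEGRITY = ("no requirements", "low", "high")
AVAILABILITY = ("low", "average", "high", "unhindered")


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: str  # stage 1: a value from CONFIDENTIALITY
    integrity: str        # stage 1: a value from INTEGRITY


@dataclass
class Task:
    name: str
    availability: str                                   # stage 2: a value from AVAILABILITY
    info: list[InfoType] = field(default_factory=list)  # information types used by the task


def strictest(scale, values):
    """Highest-ranked label on an ordered scale; an unknown label is an error, not silently the lowest."""
    unknown = [v for v in values if v not in scale]
    if unknown:
        raise ValueError(f"unknown category label(s): {unknown}")
    return max(values, key=scale.index, default=scale[0])


def categorize_computer(tasks):
    """Stage 3: the computer takes the maximum category over its tasks and the information they process."""
    if not tasks:
        raise ValueError("a computer with no tasks in its form cannot be categorized")
    info = [i for t in tasks for i in t.info]
    return {
        "confidentiality": strictest(CONFIDENTIALITY, [i.confidentiality for i in info]),
        "integrity": strictest(INTEGRITY, [i.integrity for i in info]),
        "availability": strictest(AVAILABILITY, [t.availability for t in tasks]),
    }


# Constructed sample forms for two hypothetical workstations (names are not from the article).
CLIENT_DATA = InfoType("client personal data", "strictly confidential", "high")
PAYMENT_ORDERS = InfoType("payment orders", "strictly confidential", "high")
NEWSLETTER = InfoType("internal newsletter text", "open", "no requirements")
TELLER_TASKS = [
    Task("client payment processing", "unhindered", [CLIENT_DATA, PAYMENT_ORDERS]),
    Task("newsletter layout", "low", [NEWSLETTER]),
]
BACK_OFFICE_TASKS = [Task("newsletter layout", "low", [NEWSLETTER])]

if __name__ == "__main__":
    print(categorize_computer(TELLER_TASKS))  # a single strictly confidential task drives the whole computer
```

The point the procedure makes is visible in the output: one task handling strictly confidential data on a machine that otherwise does only open work raises the whole computer to the top category.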

Resource inventory involves not only reconciling the active and passive network resources actually present against the list of equipment (and its completeness) purchased by the organization. For reconciling equipment and its completeness, appropriate software can be used (for example, Microsoft SMS Server).

It also includes creating a network map describing all possible connection points, drawing up a list of the software used, forming a fund of the licensed software used in the organization, and forming a fund of algorithms and programs of the organization's own development.

It should be noted that software may be admitted to operation only after the information protection department has verified it for compliance with its tasks and for the absence of any hidden implants (so-called "bookmarks") and "logic bombs".

I would like to say a few words about the trend toward using open-source applications. Undoubtedly, they bring substantial resource savings. However, it seems that in this case security is determined by trust not only in the system developer, but also in your administrator. And if you take the administrator's salary into account, it is not difficult to conclude that buying your secrets is much easier and cheaper than carrying out a direct external attack. It is worth mentioning that most successful attacks are carried out by insiders (employees of the company itself).

It seems that, where there is a risk of serious damage, freely distributed software can be used only if it is supplied to you in compiled form and with the digital signature of an organization that guarantees the absence of logic bombs, any "bookmarks" and "backdoors". Moreover, the guarantor organization must bear material liability. However, today such a proposal must be classed as unrealistic.

After verification, the reference software is entered into the Algorithms and Programs Fund (the reference copy must be accompanied by a checksum file, or better by an electronic signature of the developer). Subsequently, when versions change or updates appear, the software is checked again according to the established procedure.

The form of each computer records the installed software: the installation date, the purposes and the task solved using this software, and the name and signature of the person who installed and configured it. Once such forms have been created, the information security service must carry out regular verification that the real state of the computer matches its form.
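A minimal software form and the regular verification the last two paragraphs describe, as an added example (not the article's or any product's code): the form records the fields named above plus one SHA-256 checksum per installed file, and the check reports files that were altered, added or removed since installation. The file names, task name and installer name in the demo are constructed; a developer's electronic signature over the reference copy, which the article prefers, is outside this snippet.

```python
import hashlib
import os
import tempfile
from datetime import date
from pathlib import Path

def sha256_file(path):
    """Checksum of one file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def build_form(root, task, installed_by):
    """Software form for one computer: the form fields from the article plus a checksum per installed file."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            files[os.path.relpath(p, root)] = sha256_file(p)
    return {"root": root, "task": task, "installed_on": date.today().isoformat(),
            "installed_by": installed_by, "files": files}

def check_form(form):
    """Regular verification: sorted (relative path, finding) pairs; an empty list means the form still matches."""
    root, findings, seen = form["root"], [], set()
    for dirpath, _, names in os.walk(root):
        for n in names:
            rel = os.path.relpath(os.path.join(dirpath, n), root)
            seen.add(rel)
            expected = form["files"].get(rel)
            if expected is None:
                findings.append((rel, "not in form"))        # unapproved file appeared
            elif sha256_file(os.path.join(root, rel)) != expected:
                findings.append((rel, "checksum mismatch"))  # approved file was altered
    findings += [(rel, "missing") for rel in form["files"] if rel not in seen]
    return sorted(findings)

def demo():  # constructed scenario: record a form, then alter, add and remove files
    root = Path(tempfile.mkdtemp())
    (root / "app.bin").write_bytes(b"\x7fELF-release")
    (root / "app.conf").write_bytes(b"level=high\n")
    form = build_form(str(root), "client payment processing", "A. Ivanov")
    clean = check_form(form)
    (root / "app.bin").write_bytes(b"\x7fELF-release-patched")  # approved binary altered
    (root / "extra.dll").write_bytes(b"")                         # unapproved file appeared
    (root / "app.conf").unlink()                                  # approved file removed
    return clean, check_form(form)
```

Keep the form itself outside the checked computer (or sign it), otherwise whoever alters the software can rewrite the checksums to match.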

The next step in building the information security service should be the organization's risk analysis, on the basis of which the security policy will be created.