Monday, 29 June 2020

Methodology for building an enterprise information security system

By the information security of an automated information system, an enterprise means the protection of its information and supporting infrastructure from accidental or deliberate influences of natural or artificial origin that could cause harm to the owners or users of that information and infrastructure.

The information security of an enterprise is determined by the presence of the following properties in its information system:

availability (accessibility) - the ability of an authorized user of the information system to obtain the information service provided by its functionality within an acceptable time;
integrity - the relevance and consistency of information and its protection from destruction and unauthorized modification;
confidentiality - protection against unauthorized access.

Many application systems are focused on providing particular information services. If, for one reason or another, users can no longer obtain them, both the customers and the owners of the information systems (the service providers) suffer damage. For such systems, the most important element of information security is the availability of the services provided.

For information and reference systems, the main task is to ensure integrity, which primarily means the relevance and consistency of the information provided.

For real-time control systems, unconditional priority is given to data availability - protection against denial of service attacks, redundancy of important components, and prompt notification.

In automated banking systems that serve customers, ensuring availability is also important; however, ensuring the integrity of the transmitted payment information comes first.

The main goals of the information security system are to ensure the stable functioning of the enterprise, to prevent threats to its security, to protect its legitimate interests from unlawful encroachments, to prevent the theft of financial resources, and to prevent the disclosure, loss, leakage, distortion and destruction of official information, thereby ensuring the normal production activities of all divisions of the enterprise. Another important goal of the information security system is to improve the quality of the services the enterprise provides and to guarantee the security of the property rights and interests of its customers.

Achieving these goals is possible when the enterprise implements the following measures:

creation of a mechanism for prompt response to information security threats and to emerging negative trends in its operation, and for the effective suppression of attacks on its resources based on legal, organizational and technical security measures and means;
forecasting and timely detection of threats to information resources, and of the causes and conditions that could lead to financial, material and moral damage or disrupt the normal functioning and development of the enterprise;
creation of conditions for compensating and localizing damage caused by the unlawful actions of individuals and legal entities, and for mitigating the negative impact of information security breaches on the achievement of strategic goals.

Measures to protect information at the enterprise cover a number of aspects of a legislative, organizational and program-technical nature. In each of them, a number of tasks are formulated, the implementation of which is necessary to ensure the information security of the enterprise.

In the regulatory aspect, it is necessary to solve the following tasks:

determination of the range of federal- and industry-level regulatory documents whose application is required in the design and implementation of information security systems;
determination, on the basis of regulatory documents, of the requirements for the categorization of information;
determination, on the basis of regulatory documents, of the set of requirements for the information security system and its components.

In the organizational aspect, the following tasks should be solved:

formation of a security policy that describes the conditions and rules of access of the various users to system resources, as well as the boundaries and methods of monitoring the secure state of the system and of monitoring user activity;
mapping categorized information to the system resources in which it is stored, processed and transmitted (a register of resources holding information that is significant by the criteria of confidentiality, integrity and availability should be maintained);
definition of a set of services that control access to the information resources of the system (typical user profiles must be developed and agreed, and a register of such profiles maintained);
provision of solutions to information security problems in personnel management;
organization of physical protection of information system components;
formation, approval and implementation of a plan for responding to violations of the security regime;
addition to the recovery plan of provisions specific to eliminating the consequences of unauthorized access.

In the software and technical aspect, it is necessary to solve the following tasks:

creation of a technical infrastructure aimed at solving information security tasks using engineering, hardware, software and hardware-software means;
ensuring the architectural security of solutions related to the storage, processing and transmission of confidential information;
ensuring the consistency and completeness of the design of security mechanisms;
development and implementation of design solutions for security mechanisms.

From the point of view of choosing the architecture of an information security system, an object, application, or mixed approach is usually used. The object approach builds information security based on the structure of an object (unit, branch, enterprise). The use of the object approach involves the use of a set of universal solutions for security mechanisms that support a uniform set of organizational measures. An example of such an approach is the construction of secure infrastructures for external information exchange, a local network, telecommunications systems, etc. A drawback of the object approach is the incompleteness of its universal mechanisms, especially for organizations with a large number of applications that have complex relationships with each other.

The application approach builds security mechanisms around a specific application. An example of this approach is the protection of subsystems for individual automation tasks (accounting, personnel, etc.). Although this approach gives more complete protective measures, it also has drawbacks, namely the need to link the different security measures together in order to minimize the costs of administration and operation.

A mixed approach involves combining the two approaches described above. This approach turns out to be more laborious at the design stage, however, it can give advantages in the cost of implementation and operation of the information security system.

Implementation. The implementation phase includes a set of sequentially performed activities:

installation and configuration of security features;
training personnel to work with the protective means;
preliminary tests;
commissioning.

Pilot operation makes it possible to identify and eliminate possible shortcomings in the functioning of the information security system before putting it into operation. If incorrect operation of components is revealed during the trial operation, adjustments are made to the settings of the protective means, their modes of functioning, etc. This is followed by acceptance tests, commissioning, and the provision of technical support and maintenance.

Certification. Certification of the information security system by an authorized body confirms its functional completeness and that the required level of security of the CIS is ensured. Certification of the system is one type of security audit and provides for a comprehensive check of the protected enterprise under real operating conditions, in order to assess whether the applied set of protective measures and means conforms to the required level of security.

Certification is carried out in accordance with the scheme drawn up at the preparatory stage, based on the following list of work:

analysis of the source data and preliminary familiarization with the object of informatization being certified;
expert examination of the object of informatization and analysis of the information protection documentation for compliance with the requirements;
testing of individual information protection tools and systems at the facility being certified, using special control equipment and test tools;
testing of individual information protection means and systems in test centers (laboratories);
comprehensive certification tests of the object of informatization under real operating conditions;
analysis of the results of the expert examination and certification tests, and approval of the conclusion on the results of certification of the object of informatization.
