Categorization of information and information systems. Ensuring a basic level of information security
Mikhail Koptenkov | © M. Koptenkov
Information security is the state of protection of the information environment. It should be considered as a set of measures, among which it is impossible to single out more or less important ones. The concept of information security is closely related to the concept of information protection, which is the activity of preventing the leakage of protected information and unauthorized or unintentional influences on it, i.e., a process aimed at achieving a state of information security. However, before protecting information, it is necessary to determine what kind of information should be protected and to what extent. For this, categorization (classification) of information is used, i.e., the establishment of gradations of the importance of ensuring the security of information and the assignment of specific information resources to the appropriate categories. Thus, the categorization of information can be called the first step towards ensuring the information security of an organization.
Historically, when information is classified, it immediately begins to be classified according to its level of secrecy (confidentiality). At the same time, the requirements for ensuring availability and integrity are often not taken into account at all, or are taken into account only among the general requirements for information processing systems. This is the wrong approach. In many areas, the share of confidential information is relatively small. For open information, the disclosure of which causes no damage, the most important properties are availability, integrity and protection from illegal copying. An example is an online store, for which it is important to keep the company website available at all times. Based on the need to provide different levels of information protection, different categories of confidentiality, integrity and availability can be introduced.
1. Categories of confidentiality of protected information
Confidentiality of information is a property of information that indicates the need to introduce restrictions on the circle of persons who have access to this information.
The following categories of information confidentiality are introduced:
– Strictly confidential information - information that is confidential in accordance with the requirements of the law, as well as information on whose dissemination restrictions are introduced by decision of the organization's management, the disclosure of which can lead to significant damage to the organization's activities.
– Confidential information - information that is not strictly confidential, on whose dissemination restrictions are introduced only by decision of the organization's management, the disclosure of which can lead to damage to the organization's activities.
– Open information - this category includes information that is not required to be kept confidential.
2. Categories of information integrity
Information integrity is a property in which the data retains a predetermined form and quality (remains unchanged with respect to some fixed state).
The following categories of information integrity are introduced:
– High - this category includes information whose unauthorized modification or falsification can lead to significant damage to the organization's activities.
– Low - this category includes information whose unauthorized modification can lead to moderate or minor damage to the organization's activities.
– No requirements - this category includes information for which there are no integrity requirements.
3. Categories of information availability
Availability is the state of information in which subjects with the right to access can exercise it without hindrance.
The following categories of information accessibility are introduced:
– Unhindered availability - access to information must be provided at any time (the delay in obtaining access to information should not exceed a few seconds or minutes).
– High availability - access to information should be provided without significant time delays (the delay in obtaining access should not exceed several hours).
– Average availability - access to information may be provided with significant time delays (the delay in obtaining access should not exceed a few days).
– Low availability - time delays in accessing information are practically unlimited (the permissible delay in obtaining access is several weeks).
From the above it can be seen that the categories of confidentiality and integrity of information depend directly on the amount of damage to the organization's activities that a violation of these properties would cause. The availability categories depend on the amount of damage to a lesser extent, but they depend on it as well. To determine the amount of damage, a subjective assessment is used, and a three-level scale is introduced: significant damage, moderate damage and low damage (or no damage).
The damage to the organization's activities is estimated as low if the loss of availability, confidentiality and/or integrity of information has a negligible negative impact on the activities of the organization, its assets and personnel.
Negligible negative impact means that:
- the organization remains able to carry out its activities, but the effectiveness of the main functions is reduced;
- there is little damage to the organization's assets;
- the organization suffers minor financial losses.
The damage to the organization's activities is estimated as moderate if the loss of availability, confidentiality and/or integrity has a serious negative impact on the organization's operations, assets and personnel.
A serious negative impact means that:
- the organization remains able to carry out its activities, but the effectiveness of the main functions is significantly reduced;
- significant damage is caused to the assets of the organization;
- the company suffers significant financial losses.
Potential damage to the organization is estimated as significant if the loss of availability, confidentiality and/or integrity has a severe (catastrophic) negative impact on the organization's activities, its assets and personnel, i.e.:
- the organization loses the ability to perform all or some of its main functions;
- the assets of the organization are severely damaged;
- the organization suffers large financial losses.
Thus, by assessing the damage to the organization's activities from a violation of the confidentiality, integrity or availability of information, and determining the categories of information on this basis, three types of information can be distinguished: the most critical, critical and non-critical.
The type of information is determined by comparing the categories of this information.
Table 1 defines the type of information (an asterisk stands for any category).

Information confidentiality category | Information integrity category | Information availability category | Information type
---|---|---|---
Strictly confidential information | * | * | The most critical information
* | High | * | The most critical information
* | * | Unhindered availability | The most critical information
Confidential information | * | * | Critical information
* | Low | * | Critical information
* | * | High availability | Critical information
Open information | No requirements | Average availability | Non-critical information
Open information | No requirements | Low availability | Non-critical information

Table 1: Information type definition
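The article's own procedure, carried through in code as an added example (not part of the original article): a damage assessment is turned into confidentiality, integrity and availability categories, and Table 1 is then applied to obtain the information type. The damage-to-category mapping, the delay thresholds and the sample inventory are assumptions of this example, labelled in the comments.

```python
"""Deriving confidentiality, integrity and availability categories from the
damage assessment and applying Table 1 to obtain the information type."""
from collections import Counter
from dataclasses import dataclass

# Subjective damage scale from the article: significant, moderate, low;
# "none" is added here for the "no damage" case the article folds into "low".
DAMAGE_LEVELS = ("significant", "moderate", "low", "none")


def _check_damage(level: str) -> None:
    if level not in DAMAGE_LEVELS:
        raise ValueError(f"unknown damage level: {level!r}")


def confidentiality_category(disclosure_damage: str) -> str:
    """Damage from disclosure -> confidentiality category (section 1).

    Assumption of this example: 'significant' -> Strictly confidential,
    any other non-zero damage -> Confidential, no damage -> Open.
    """
    _check_damage(disclosure_damage)
    if disclosure_damage == "significant":
        return "Strictly confidential"
    if disclosure_damage == "none":
        return "Open"
    return "Confidential"


def integrity_category(modification_damage: str) -> str:
    """Damage from unauthorized modification -> integrity category (section 2).

    'significant' -> High; 'moderate' or 'low' (minor) -> Low; 'none' -> No requirements.
    """
    _check_damage(modification_damage)
    if modification_damage == "significant":
        return "High"
    if modification_damage == "none":
        return "No requirements"
    return "Low"


def availability_category(max_delay_hours: float) -> str:
    """Maximum tolerable delay in obtaining access -> availability category (section 3).

    Thresholds assumed here: under an hour (seconds/minutes) -> Unhindered,
    under a day (hours) -> High, under a week (days) -> Average, otherwise -> Low.
    """
    if max_delay_hours < 0:
        raise ValueError("delay must be non-negative")
    if max_delay_hours < 1:
        return "Unhindered availability"
    if max_delay_hours < 24:
        return "High availability"
    if max_delay_hours < 24 * 7:
        return "Average availability"
    return "Low availability"


def information_type(confidentiality: str, integrity: str, availability: str) -> str:
    """Table 1: the strictest of the three categories decides the type."""
    if (confidentiality == "Strictly confidential" or integrity == "High"
            or availability == "Unhindered availability"):
        return "The most critical information"
    if (confidentiality == "Confidential" or integrity == "Low"
            or availability == "High availability"):
        return "Critical information"
    return "Non-critical information"


@dataclass(frozen=True)
class Asset:
    name: str
    disclosure_damage: str      # damage if confidentiality is lost
    modification_damage: str    # damage if integrity is lost
    max_delay_hours: float      # tolerable delay in obtaining access


def categorize(asset: Asset) -> dict:
    """Full pipeline for one asset: damage assessment -> categories -> type."""
    c = confidentiality_category(asset.disclosure_damage)
    i = integrity_category(asset.modification_damage)
    a = availability_category(asset.max_delay_hours)
    return {"name": asset.name, "confidentiality": c, "integrity": i,
            "availability": a, "type": information_type(c, i, a)}


def summarize(assets) -> Counter:
    """Count assets per information type, e.g. to size the protection effort."""
    return Counter(categorize(a)["type"] for a in assets)


# Constructed sample inventory; the values are illustrative only.
SAMPLE_INVENTORY = [
    Asset("customer card records", "significant", "significant", 4),
    Asset("public web storefront", "none", "moderate", 0.1),
    Asset("internal phone directory", "low", "none", 72),
    Asset("archived brochures", "none", "none", 24 * 30),
]

if __name__ == "__main__":
    for asset in SAMPLE_INVENTORY:
        print(categorize(asset))
    print(dict(summarize(SAMPLE_INVENTORY)))
```

Note that the public storefront lands in the most critical type purely through its availability requirement, which is the article's point about open information.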
Thus, the categorization of information is the first step towards ensuring the information security of an organization, since before something is protected it is first necessary to determine what exactly needs to be protected and to what extent. Both user and system information is categorized, whether it is held in electronic form or on a physical medium. To determine the type of information to be protected, it is necessary to determine how much harm the organization will incur if the confidentiality, integrity or availability of that information is lost.
Once it has been determined which type each item of information belongs to, different protection measures can be applied to each type. This makes it possible not only to structure the data processed in the organization, but also to implement and use the subsystem for managing access to protected information most efficiently, as well as to optimize the costs of information security.
Protected information (information subject to protection) - information that is the object of ownership rights and is subject to protection in accordance with the requirements of legislative and other regulatory documents, or in accordance with the requirements established by the owner of the information (the Bank).
Protected resources of the information banking system (IBS resources subject to protection) - information, functional tasks, information transmission channels and workplaces subject to protection in order to ensure the information security of the Bank, its customers and correspondents.
Protected workplace (RM) - an object of protection (a personal computer with an appropriate set of software and data) for which the need to establish a regulated mode of information processing is recognized; it is characterized by:
location, as well as the degree of its physical accessibility to unauthorized persons (clients, visitors, employees not permitted to work with the RM, etc.);
the composition of the hardware;
the composition of the software and the tasks solved on it (and thus the categories of availability);
the composition of the information stored and processed on the RM (and thus the categories of confidentiality and integrity).
RM form - a document of the established form (Appendix 3) recording the characteristics of the RM (location, configuration of hardware and software, list of tasks solved on the RM, etc.) and the category of this RM.
Protected task - a functional task solved on a separate RM for which the need to establish a regulated mode of information processing is recognized; it is characterized by:
the set of resources used in solving it (software, data sets, devices);
the frequency with which it is solved;
the maximum allowable delay in obtaining the result of solving the task.
Task form - a document of the established form (Appendix 2) recording the characteristics of the task (its name, purpose, type, the resources used in solving it, the user groups of this task, their access rights to the task resources, etc.).
Protected information transmission channel - the path along which protected information is transmitted. Channels are divided into physical (from one device to another) and logical (from one task to another).
Confidentiality of information - a characteristic (property) subjectively determined (attributed) to information, indicating the need to introduce restrictions on the circle of subjects (persons) with access to this information, and ensured by the ability of the system (environment) to keep this information secret from subjects who do not have access rights to it.
Integrity of information - the property of information consisting in its existence in an undistorted form (unchanged with respect to some fixed state of it).
Availability of information (tasks) - a property of the processing system (environment) in which information circulates, characterized by the ability to provide timely and unhindered access of subjects to the information they need (if the subjects have the appropriate access rights) and by the readiness of the relevant automated services (functional tasks) to service requests from subjects whenever the need arises to refer to them.
1. General Provisions
1.1. This Regulation introduces categories (grades of importance of ensuring protection) of resources and establishes the procedure for categorizing information system resources subject to protection (assigning them to the appropriate categories, taking into account the degree of risk of damage to the Bank, its customers and correspondents in the event of unauthorized interference in the functioning of the IBS, violation of the integrity or confidentiality of processed information, blocking of information, or violation of the availability of tasks solved by the IBS).
1.2. Categorization of IBS resources (definition of the requirements for their protection) is a necessary element of the organization of work to ensure the information security of the Bank and has the following objectives:
creation of a regulatory and methodological basis for a differentiated approach to the protection of automated system resources (information, tasks, channels, RMs) based on their classification according to the degree of risk in case of violation of their availability, integrity or confidentiality;
typification of the organizational measures taken and of the distribution of hardware and software protection tools across the IBS RMs, and unification of their settings.
2. Categories of protected information
2.1. Based on the need to provide different levels of protection for different types of information stored and processed in the IBS, and taking into account the possible ways of causing damage to the Bank, its customers and correspondents, three categories of confidentiality of protected information and three categories of integrity of protected information are introduced.
Categories of confidentiality of protected information:
"HIGH" - this category includes unclassified information that is confidential in accordance with the requirements of the current legislation of the Russian Federation (bank secrecy, personal data);
"LOW" - this category includes confidential information not classified as "HIGH", restrictions on the dissemination of which are introduced by decision of the Bank's management in accordance with the rights granted to it as the owner (authorized person) of the information by the current legislation;
"NO REQUIREMENTS" - this category includes information for which confidentiality (restrictions on distribution) is not required.
Categories of integrity of protected information:
"HIGH" - this category includes information whose unauthorized modification (distortion, destruction) or falsification can lead to significant direct damage to the Bank, its customers and correspondents, and whose integrity and authenticity (authentication of the source) must be ensured by guaranteed methods (for example, by means of an electronic digital signature) in accordance with the mandatory requirements of the current legislation;
"LOW" - this category includes information whose unauthorized modification, deletion or falsification may cause minor indirect damage to the Bank, its customers and correspondents, and whose integrity (and, if necessary, authenticity) must be ensured in accordance with the decision of the Bank's management (by methods such as checksum calculation, electronic digital signature, etc.);
"NO REQUIREMENTS" - this category includes information for which integrity (and authenticity) is not required.
2.2. In order to simplify the operations for categorizing tasks, channels and RMs, the categories of confidentiality and integrity of protected information are combined and four generalized categories of information are established: "vital", "very important", "important" and "not important". The assignment of information to one or another generalized category is carried out on the basis of its categories of confidentiality and integrity in accordance with Table 1.
Table 1
1 - "Vital" information
2 - "Very important" information
3 - "Important" information
4 - "Not important" information
3. Categories of functional tasks
3.1. Depending on the frequency of solving functional tasks and the maximum allowable delay in obtaining the results of their solution, four required degrees of accessibility of functional tasks are introduced.
Required degrees of availability of functional tasks:
"FREE AVAILABILITY" - access to the task must be provided at any time (the task is being solved constantly, the delay in obtaining the result should not exceed a few seconds or minutes);
"HIGH AVAILABILITY" - access to the task should be carried out without significant time delays (the task is solved daily, the delay in obtaining the result should not exceed several hours);
"MEDIUM AVAILABILITY" - access to the task can be provided with significant time delays (the task is solved once every few days, the delay in obtaining the result should not exceed several days);
"LOW AVAILABILITY" - time delays in accessing the task are practically unlimited (the task is solved with a period of several weeks or months, the allowable delay in obtaining the result is several weeks).
3.2. Depending on the generalized category of protected information used in solving the problem and the required degree of accessibility of the task, four categories of functional tasks are established: "first", "second", "third" and "fourth" (in accordance with Table 2).
Table 2. Definition of the functional task category (rows: generalized category of information; columns: required degree of task availability; cells: task category)

Generalized category of information | "Free availability" | "High availability" | "Medium availability" | "Low availability"
---|---|---|---|---
"Vital" | 1 | 1 | 2 | 2
"Very important" | 1 | 2 | 2 | 3
"Important" | 2 | 2 | 3 | 3
"Not important" | 2 | 3 | 3 | 4
4. Requirements for ensuring the security of channels for the transmission of protected information (categories of channels)
4.1. The security requirements (categories) of a logical channel for the transmission of protected information are determined by the maximum category of the two tasks between which this channel is established.
5. RM categories
5.1. Depending on the categories of tasks solved on the RM, four categories of RM are established: "A", "B", "C" and "D".
5.3. The group of RMs of category "B" includes RMs that solve at least one functional task of the second category. The categories of other tasks solved on this RM should not be lower than the third and not higher than the second.
5.4. The group of RMs of category "C" includes RMs that solve at least one functional task of the third category. The categories of other tasks solved on this RM should not be higher than the third.
Table 3
5.6. The requirements for ensuring the security of RMs of the various categories (the protection measures and tools to be applied) are given in Appendix 5.
6. The procedure for determining the categories of protected IBS resources
6.1. Categorization is carried out on the basis of an inventory of information banking system resources (RM, tasks, information) and involves the compilation and subsequent maintenance (updating) of lists (sets of forms) of IBS resources to be protected.
6.2. Responsibility for compiling and maintaining the lists of IBS resources lies:
for compiling and maintaining the list of RMs (indicating their location, assignment to the Bank's divisions, and the composition and characteristics of their technical means) - with the Information Technology Department (hereinafter referred to as UIT);
for compiling and maintaining the list of system and applied (special) tasks solved on the RMs (indicating the lists of resources used in solving them - devices, directories, files with information) - with the technical support department of the UIT.
6.3. Responsibility for determining the requirements for ensuring confidentiality, integrity and availability, and for assigning the appropriate categories to specific RM resources (information resources and tasks), rests with the Bank's divisions that directly solve tasks on these RMs (the information owners) and with the information security department.
6.4. The approval of the categories of information resources of the IBS assigned in accordance with this "Regulations on Categorization of IBS Resources" is made by the Chairman of the Management Board of the Bank.
6.6. The categorization of IBS resources can be carried out sequentially for each RM separately with subsequent merging and formation of unified lists of IBS resources to be protected:
the list of IBS information resources to be protected (Appendix 2);
a list of tasks to be protected (a set of task forms);
the list of RMs subject to protection (a set of RM forms).
At the first stage of work on categorizing the resources of a specific RM, all types of information used in solving problems on a given RM are categorized. Generalized categories of information are determined based on the established categories of confidentiality and integrity of specific types of information. Information resources to be protected are included in the "List of information resources to be protected".
At the second stage, taking into account the generalized categories of information used in solving the tasks established earlier, and the requirements for the degree of accessibility of tasks, the categorization of all functional tasks solved on this RM takes place.
At the fourth stage, based on the categories of the interacting tasks, the category of the logical channels for transmitting information between functional tasks (on different RMs) is established.
6.7. Recertification (category change) of IBS information resources is carried out when the requirements for ensuring the protection of the properties (confidentiality and integrity) of the relevant information change.
Recertification (category change) of functional tasks is carried out when the generalized categories of the information resources used in solving the task change, as well as when the requirements for the availability of functional tasks change.
Recertification (category change) of logical channels is performed when the categories of the interacting tasks change.
Recertification (category change) of an RM is carried out when the categories or the composition of the tasks solved on that RM change.
6.8. Periodically (once a year) or at the request of the heads of structural subdivisions of the Bank, the established categories of protected resources are reviewed for their compliance with the real state of affairs.
7. Procedure for the revision of the Regulations
7.1. In case of changes in the requirements for the protection of RM of various categories, Appendix 5 is subject to revision (with subsequent approval).
7.2. If changes and additions are made to the "List of Information Resources to be Protected", Appendix 4 is subject to revision (with subsequent approval).
Annex 1 - Methodology for categorizing protected resources
This methodology is intended to clarify the procedure for categorizing protected resources in the IBS of the Bank in accordance with the "Regulations on the categorization of resources of the information banking system". Categorization involves carrying out work to examine the IBS subsystems and structural divisions of the Bank and identify (inventory) all IBS resources that are subject to protection. An approximate sequence and the main content of specific actions for the implementation of these works are given below.
1. To conduct an information survey of all subsystems of the Bank's information system and to inventory the IBS resources subject to protection, a special working group is formed. This group includes specialists from the Information Security Department and the Information Technology Department of the Bank (who are knowledgeable in the technology of automated information processing). To give the working group the necessary status, an appropriate order is issued by the Chairman of the Management Board of the Bank, which, in particular, instructs all heads of structural divisions of the Bank to provide the working group with the necessary assistance in surveying the IBS. To assist the group in its work in the divisions, the heads of these divisions should allocate employees who have detailed knowledge of the processing of information in these divisions.
2. In the course of the survey of specific divisions of the Bank and information subsystems, all functional tasks solved using the IBS, as well as all types of information (information) used in solving these problems in divisions, are identified and described.
3. A general list of functional tasks is compiled and a form is drawn up (started) for each task (Appendix 2). In this case, it should be borne in mind that the same task in different departments can be called differently, and vice versa, different tasks can have the same name. At the same time, accounting is kept of software tools (general, special) used in solving the functional tasks of the unit.
4. When examining the subsystems and analyzing the tasks, all types of information (incoming, outgoing, stored, processed, etc.) are identified. It is necessary to identify not only information that can be classified as confidential (banking and commercial secrets, personal data), but also information subject to protection because a violation of its integrity (distortion, falsification) or availability (destruction, blocking) can cause tangible damage to the Bank, its customers or correspondents.
5. When identifying all types of information circulating and processed in subsystems, it is desirable to assess the severity of the consequences that may result from violations of its properties (confidentiality, integrity). To obtain initial estimates of the severity of such consequences, it is advisable to conduct a survey (for example, in the form of a questionnaire) of specialists working with this information. At the same time, it is necessary to find out who may be interested in this information, how they can influence it or use it illegally, and what consequences this may lead to.
6. Information about estimates of probable damage is entered in special forms (Appendix 3). If it is impossible to quantify the likely damage, a qualitative assessment is made (for example: low, medium, high, very high).
7. When compiling a list and forms of functional tasks solved in the Bank, it is necessary to find out the frequency of their solution, the maximum allowable delay in obtaining the results of solving problems and the severity of the consequences that violations of their availability can lead to (blocking the possibility of solving problems). Estimates of probable damage are recorded in special forms (Appendix 3). If it is impossible to quantify the probable damage, a qualitative assessment is made.
8. All the different kinds of information identified during the survey are entered in the "List of information resources to be protected".
9. It is determined (and then indicated in the List) to which type of secret (banking, commercial, personal data that does not constitute a secret) each of the identified types of information belongs (based on the requirements of the current legislation and the rights granted to them).
10. Initial proposals for assessing the categories of confidentiality and integrity of specific types of information are clarified with the managers (leading specialists) of the Bank's structural units (based on their personal assessments of the likely damage from a violation of the confidentiality and integrity of the information). The resulting information categories are entered in the "List of information resources to be protected" (in columns 2 and 3).
11. Then the List is agreed with the heads of the Security Department, IT and Information Security Division and put forward for consideration by the Information Security Management Committee.
12. When considering the List by the Information Security Management Committee, it may be amended and supplemented. The prepared version of the "List of Information Resources to be Protected" is submitted for approval to the Chairman of the Management Board of the Bank.
13. In accordance with the categories of confidentiality and integrity specified in the approved "List of Information Resources to be Protected", a generalized category of each type of information is determined (in accordance with Table 1 of the Regulation on categorization).
14. The next step is the categorization of functional tasks. Based on the availability requirements set by the heads of the Bank's operational divisions and agreed with the Security and IT Departments, all special (applied) functional tasks solved in the divisions using the IBS are categorized (Table 2 of the Regulation on the categorization of resources). Information about the categories of special tasks is entered in the task forms. General (system) tasks and software tools are not categorized outside of specific RMs.
Subsequently, with the participation of IT specialists, the composition of the information and software resources of each task is clarified, and information on the task's user groups and instructions for configuring the protection tools used in solving it (the access permissions of user groups to the listed task resources) are entered in its form. This information is used as a reference for configuring the protection tools of the RM on which the given task will be solved, and for checking that they have been set up correctly.
15. The categorization of all logical channels between functional tasks is then performed. The channel category is set based on the maximum category of tasks involved in the interaction.
16. At the last stage, the RM is categorized. The RM category is set based on the maximum category of special tasks solved on it (or the category of information used in solving general tasks). On one RM, any number of tasks can be solved, the categories of which are lower than the maximum possible on the given RM, by no more than one. Information about the RM category is entered in the RM form.
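Steps 14 to 16 above, together with Table 2 and sections 4.1 and 5 of the Regulation, carried through as an added example (not the Bank's own tooling): tasks are categorized from Table 2, a logical channel takes the higher category of its two tasks, and an RM takes the category of its highest-category task after checking that no other task is more than one category below it. The generalized category of each information resource is taken as given (the body of the Regulation's Table 1 is not reproduced on this page); the rule for a task that uses several kinds of information, and the sample tasks, are assumptions of this example.

```python
"""Categorizing functional tasks (Table 2), logical channels (section 4.1)
and RMs (section 5, step 16) from the generalized information categories."""
from dataclasses import dataclass

# Generalized categories of information, most important first (section 2.2).
GENERALIZED = ("Vital", "Very important", "Important", "Not important")
# Required degrees of task availability, most demanding first (section 3.1).
AVAILABILITY = ("Free", "High", "Medium", "Low")

# Table 2: row = generalized category of information, column = required
# availability, cell = functional task category (1 = first ... 4 = fourth).
TABLE_2 = {
    "Vital":          (1, 1, 2, 2),
    "Very important": (1, 2, 2, 3),
    "Important":      (2, 2, 3, 3),
    "Not important":  (2, 3, 3, 4),
}

# Section 5.1: RM categories "A".."D" follow the task categories 1..4.
RM_CATEGORY = {1: "A", 2: "B", 3: "C", 4: "D"}


@dataclass(frozen=True)
class Task:
    name: str
    availability: str     # one of AVAILABILITY
    information: tuple    # generalized categories of the information it uses


def task_category(task: Task) -> int:
    """Section 3.2: look the task up in Table 2.

    Assumption of this example: a task that uses several kinds of information
    is classified by the most important of them.
    """
    if task.availability not in AVAILABILITY:
        raise ValueError(f"unknown availability degree: {task.availability!r}")
    if not task.information:
        raise ValueError(f"task {task.name!r} uses no categorized information")
    for cat in task.information:
        if cat not in GENERALIZED:
            raise ValueError(f"unknown generalized category: {cat!r}")
    strictest = min(task.information, key=GENERALIZED.index)
    return TABLE_2[strictest][AVAILABILITY.index(task.availability)]


def channel_category(task_a: Task, task_b: Task) -> int:
    """Section 4.1: a logical channel takes the higher of the two task
    categories; 'first' is the highest, so numerically this is the minimum."""
    return min(task_category(task_a), task_category(task_b))


def invalid_task_mix(tasks) -> list:
    """Step 16: every task on an RM may be at most one category below the
    highest-category task on it. Returns the names of the tasks that break this."""
    top = min(task_category(t) for t in tasks)
    return [t.name for t in tasks if task_category(t) > top + 1]


def rm_category(tasks) -> str:
    """Section 5 / step 16: the RM takes the category of its highest-category
    task, provided the task mix is allowed on a single RM."""
    if not tasks:
        raise ValueError("an RM with no tasks cannot be categorized")
    offenders = invalid_task_mix(tasks)
    if offenders:
        raise ValueError(f"tasks {offenders} are more than one category below "
                         f"the RM's highest-category task")
    return RM_CATEGORY[min(task_category(t) for t in tasks)]


# Constructed sample tasks (illustrative names and categories only).
PAYMENT_ORDERS = Task("payment orders", "Free", ("Vital",))
CLIENT_STATEMENTS = Task("client statements", "High", ("Very important", "Important"))
INTERNAL_REPORTING = Task("internal reporting", "Medium", ("Important",))
NEWS_FEED = Task("news feed", "Low", ("Not important",))

if __name__ == "__main__":
    for t in (PAYMENT_ORDERS, CLIENT_STATEMENTS, INTERNAL_REPORTING, NEWS_FEED):
        print(t.name, "-> task category", task_category(t))
    print("channel payment orders <-> client statements:",
          channel_category(PAYMENT_ORDERS, CLIENT_STATEMENTS))
    print("RM 1:", rm_category([PAYMENT_ORDERS, CLIENT_STATEMENTS]))
    print("RM 2:", rm_category([CLIENT_STATEMENTS, INTERNAL_REPORTING]))
    print("disallowed mix:", invalid_task_mix([PAYMENT_ORDERS, INTERNAL_REPORTING]))
```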
The problem of information security can hardly be called far-fetched. From all sides we hear about hacks, viruses, malicious software, attacks, threats, vulnerabilities...
Information security as a system
Information security is a set of measures, among which it is impossible to single out more important ones. Information security cannot be perceived otherwise than as a complex. Everything is important here! It is necessary to observe protection measures at all points of the network, in any work of any subjects with your information (in this case, the subject means a system user, process, computer or information processing software). Each information resource, whether it is a user's computer, an organization's server or network equipment, must be protected from all kinds of threats. File systems, network, etc. must be protected. In this article, we will not consider methods for implementing protection due to their huge variety.
However, it should be understood that it is impossible to provide one hundred percent protection. At the same time, it must be remembered: the higher the level of security, the more expensive the system, the more inconvenient it is to use for the user, which accordingly leads to a deterioration in protection from the human factor. As an example, let's recall that the excessive complexity of the password leads to the fact that the user is forced to write it down on a piece of paper, which he sticks to the monitor, keyboard, etc.
There is a wide range of software aimed at solving information security problems: antivirus programs, firewalls, built-in operating system tools and much more. However, it is worth remembering that the most vulnerable link in protection is always the human! After all, the effectiveness of any software depends on the quality of its implementation and on the competence of the administrator who configures a particular protection tool.
Many organizations therefore create information protection services (departments) or assign the corresponding tasks to their IT departments. However, it must be understood that the IT service must not be charged with functions that are foreign to it. This has been said and written about many times. So, let's say your organization has an information security department. What to do next? Where to begin?
Start with employee training! And in the future to make this process regular. Training personnel in the basics of information security should be a permanent task of the information security department. And you need to do this at least twice a year.
Many executives try to immediately get a document called "Organization Security Policy" from the information security department. Is it correct? In my opinion - no. Before you sit down to write this huge work, you need to decide on the following questions:
- what information do you process?
- how to classify it by properties?
- what resources do you have?
- How is information processing distributed among resources?
- how to classify resources?
Information classification
Historically, as soon as the question of classifying information is raised (primarily for information owned by the state), it immediately begins to be classified according to the level of secrecy (confidentiality). The requirements for ensuring availability, integrity and observability, if they are remembered at all, are mentioned in passing, among the general requirements for information processing systems.
If such a view can still be somehow justified by the need to ensure state secrets, then transferring it to another subject area looks simply ridiculous. For example, according to the requirements of Ukrainian legislation, the owner of information determines the level of its confidentiality (in case this information does not belong to the state).
In many areas, the share of confidential information is relatively small. For open information, the damage from disclosure of which is small, the most important properties may be accessibility, integrity or protection from illegal copying. Let's take the website of an online publication as an example. In the first place, in my opinion, will be the availability and integrity of information, and not its confidentiality. Evaluating and classifying information only from the standpoint of secrecy is at the very least unproductive.
And this can only be explained by the narrowness of the traditional approach to protecting information, the lack of experience in terms of ensuring the availability, integrity and observability of information that is not secret (confidential).
Categories of protected information
Based on the need to provide different levels of protection of information (not containing information constituting a state secret) stored and processed in an organization, we will name several categories of confidentiality and integrity of protected information.
Categories of confidentiality:
- completely confidential - information recognized as confidential in accordance with the requirements of the law, or information the restriction on the dissemination of which was introduced by a decision of the management because its disclosure can lead to serious financial and economic consequences for the organization, up to bankruptcy;
- confidential - this category includes information that is not classified as "completely confidential", restrictions on the distribution of which are introduced by a decision of the management in accordance with the rights granted to it as the owner of the information by the current legislation, because its disclosure can lead to significant losses and loss of competitiveness of the organization (causing significant damage to the interests of its customers, partners or employees);
- open - this category includes information that is not required to be kept confidential.
Categories of integrity:
- high - information, unauthorized modification or falsification of which can lead to significant damage to the organization;
- low - this category includes information, unauthorized modification of which can lead to minor damage to the organization, its customers, partners or employees;
- no requirements - this category includes information for which there are no requirements to ensure integrity and authenticity.
By the degree of accessibility, we introduce four categories depending on the frequency of solving functional problems and the maximum allowable delay in obtaining the results of their solution:
- real time - access to the task should be provided at any time;
- hour - access to the task should be provided without significant time delays (the task is solved every day, the delay does not exceed a few hours);
- day - access to the task can be provided with significant time delays (the task is solved every few days);
- a week - there are practically no limits on delays in accessing the task (the period for solving the task is several weeks or months, the allowable delay in obtaining the result is several weeks).
Information categorization
- Categorization of all types of information used in solving problems on specific computers (setting categories of confidentiality, integrity and availability of specific types of information).
- Categorization of all tasks that are solved on this computer.
- Based on the maximum categories of processed information, the category of the computer on which it is processed is set.
Resource Inventory
Before talking about protecting information in an organization, you need to understand what you are going to protect and what resources you have. To do this, it is necessary to carry out work on the inventory and analysis of all the resources of the automated system of the organization to be protected:
- A special working group is formed to conduct an inventory and categorize the resources to be protected. It includes specialists from the computer security department and other departments of the organization who can assist in considering the technology of automated information processing in the organization.
- In order for the created group to have the necessary organizational and legal status, an appropriate order of the organization's management is issued, which states that all heads of the relevant departments of the organization must provide the working group with all necessary assistance in analyzing the resources of all computers.
- To provide assistance during the work of the group in the divisions, their leaders should be assigned employees who have detailed information on the issues of automated information processing in these divisions.
- This order is brought under the signature of all the heads of the relevant departments.
- During the survey (analysis) of the organization and automated subsystems, all functional tasks solved using computers, as well as all types of information used to solve these tasks in departments, are identified and described.
- At the end of the survey, a form is compiled for each task solved in the organization. It should be understood that the same task in different departments may be called differently and, conversely, different tasks may have the same name. At the same time, a record is kept of the software tools used in solving the functional tasks of the unit.
It should be noted that the survey identifies all types of information (incoming, outgoing, stored, processed, etc.). It should be borne in mind that it is necessary to identify not only confidential information, but also that, the violation of the integrity or availability of which can cause significant damage to the organization.
When analyzing information processed in an organization, it is necessary to assess the severity of the consequences that may be caused by a violation of its properties. To do this, it is necessary to conduct surveys (testing, questioning) of specialists working with it. In this case, first of all, it is worth finding out who benefits from illegally using or influencing this information. If it is not possible to quantify the possible damage, it should be given a qualitative assessment (low, high, very high).
To understand the categories of accessibility when analyzing tasks solved in an organization, it is necessary to identify the maximum allowable delay time for results, the frequency of their solution, and the severity of the consequences if their availability is violated (blocking tasks).
In the course of the analysis, each type of information should be assigned to a certain degree (label) of confidentiality (based on the requirements of the current legislation and the rights granted to the organization).
At the same time, in order to assess the category of confidentiality of specific types of information, the heads (leading specialists) of the structural unit are asked for their personal assessments of the likely damage from a violation of the confidentiality and integrity of the information.
Upon completion of the analysis, a "List of information resources to be protected" is compiled.
Then this list is agreed with the heads of IT and computer security departments and put forward for consideration by the organization's management.
At the end of this stage, it is necessary to categorize functional tasks. Based on the availability requirements set by the heads of the organization's departments and agreed with the IT service, all application tasks solved in the departments are categorized (in terms of accessibility).
In the future, with the help of IT service specialists and the information security department, it is necessary to clarify the composition of resources (information, software) of each task and enter into the form (of a specific task) information on groups of users of this task and instructions on setting up the protection tools used to solve it (for example, permissions access of user groups to the listed task resources). In the future, based on this information, the protection tools for computers on which this task will be solved will be configured.
The next step is the categorization of computers. The category of a computer is set based on the maximum category of tasks performed on it, and the maximum categories of confidentiality and integrity of information used in solving these tasks. Information about the category of the computer is entered in its form.
The concept of resource inventory includes not only the reconciliation of existing active and passive network resources with the list of equipment (and its completeness) purchased by the organization; this procedure can be implemented using appropriate software such as Microsoft Systems Management Server. It also includes the creation of a network map with a description of all possible connection points, a list of the software used, the formation of a fund of reference copies of the licensed software used in the organization, and the creation of a fund of algorithms and programs of the organization's own design.
It should be noted that software can be allowed to work only after it has been checked by the information security department for compliance with the tasks set and for the absence of covert implants ("bookmarks") and "logic bombs" of any kind.
In this regard, I would like to mention separately the trend towards the use of Open Source software in our country. I do not deny that this provides significant savings in resources. However, in my opinion, in this case the security problem becomes a matter of trust not only in the system developer, but also in your administrator. And if you remember how much he is paid, it is not difficult to conclude that in this case it is much easier and cheaper to buy your secrets than to carry out a direct external attack. It is worth recalling that most successful attacks were carried out by insiders, that is, the company's own employees.
In my opinion, the only way to use free software with the potential to cause serious damage is if it is delivered to you in compiled form and with the digital signature of an organization that guarantees the absence of logic bombs, implants ("bookmarks") of any kind and "back doors". Moreover, the guarantor organization must bear financial responsibility for its guarantee, which, in my opinion, is impossible. However, the choice is yours.
After verification, the reference software is entered into the fund of algorithms and programs (the reference copy must be accompanied by a checksum file, and best of all, by the developer's electronic signature). In the future, when versions are changed and updates appear, the software is checked in the usual way.
In the future, information about the installed software, installation date, purpose, tasks solved with the help of this software, names and signatures of the person who installed and configured the programs are entered into the form of each computer. After creating such forms, the information security service must ensure regular verification of the compliance of the real situation with the form.
The next step in building an information security service is an organization's risk analysis, which should become the basis for creating a security policy.
Categorization of protected resources is the grading of the importance of protecting resources (categories) and the assignment of specific resources to the appropriate categories.
Simplified algorithm for assessing the security of an informatization object:
- inventory of information resources and identification of protected information;
- identification of sources of potential threats;
- identification of the vulnerable links of the informatization object;
- listing of potential threats;
- assessment of the possible implementation and danger of threats, compiling a list of current threats.
1. If a file contains protected information, then the entire file is protected and the file is assigned the appropriate level of importance;
2. The importance of information in terms of ensuring confidentiality is fully determined by the secrecy or confidentiality label assigned to it. For confidential information, the confidentiality label is determined depending on which circle of persons has the right to familiarize themselves with it, and is set primarily by the user;
3. The gradation of information criticality from the standpoint of ensuring integrity or availability is defined by the user and depends on the level and acceptability of the costs (time, labor resources, financial resources) of restoring the integrity or availability of the information;
4. Executable files of application programs, the launch of which causes access to user data files, are no less important from the standpoint of ensuring both integrity and availability than the user data files themselves;
5. Information files, the violation of the integrity or availability of which leads to the disruption of the OS, are of greater importance from the standpoint of ensuring their integrity or availability than the rest of the files stored in the system;
6. If confidential information is stored in a room, or the room is allocated for confidential negotiations, then it is considered that the information disseminated during conversations between officials or transmitted over communication lines has the highest level of confidentiality provided for this room, that is, a leak of information with the highest level of criticality for this room is possible.
- creation of a normative and methodological basis for a differentiated approach to protecting the resources of automated systems based on their classification according to the degree of risk in the event of a violation of their availability, integrity or confidentiality;
- typification of the organizational measures taken and of the distribution of hardware and software protection resources across the workstations of the organization's AS, and unification of their settings.
Categories of confidentiality:
"high" - this category includes non-classified information that is confidential in accordance with the requirements of the current legislation of the Russian Federation (bank secrecy, personal data);
"low" - this category includes confidential information that is not classified as "high", restrictions on the distribution of which are introduced by the decision of the organization's management in accordance with the rights granted to it as the owner of the information by the current legislation;
"no requirements" - this category includes information that is not required to be kept confidential (no restrictions on distribution).
Categories of integrity:
"high" - this category includes information, unauthorized modification or falsification of which can lead to significant direct damage to the organization, its customers and correspondents, the integrity and authenticity of which must be ensured by guaranteed methods in accordance with the mandatory requirements of the current legislation;
"low" - this category includes information, unauthorized modification, removal or falsification of which can lead to minor indirect damage to the organization, its customers and correspondents, the integrity (and, if necessary, authenticity) of which must be ensured in accordance with the decision of the organization's management (methods of calculating checksums, electronic digital signature (EDS), etc.);
"no requirements" - this category includes information for which there are no requirements to ensure integrity (and authenticity).
Required levels of accessibility of functional tasks:
"unhindered accessibility" - access to the task must be provided at any time (the task is being solved constantly, the delay in obtaining the result should not exceed a few seconds or minutes);
"high availability" - access to the task should be provided without significant time delays (the task is solved daily, the delay in obtaining the result should not exceed several hours);
"medium availability" - access to the task can be provided with significant time delays (the task is solved once every few days, the delay in obtaining the result should not exceed several days);
"low availability" - time delays in accessing the task are practically unlimited (the task is solved with a period of several weeks or months, the allowable delay in obtaining the result is several weeks).
Workstation (AWP) categories. Depending on the categories of the tasks solved at a workstation, there are four categories of workstations: "A", "B", "C" and "D". Category "A" includes workstations on which at least one functional task of the first category is solved; the categories of the other tasks solved on this workstation must be no lower than the second. Category "B" includes workstations on which at least one functional task of the second category is solved; the categories of the other tasks solved on this workstation must be no lower than the third and no higher than the second. Category "C" includes workstations on which at least one functional task of the third category is solved; the categories of the other tasks solved on this workstation must be no higher than the third. Category "D" includes workstations on which only functional tasks of the fourth category are solved.
The problem of information security can hardly be called far-fetched. Everywhere we hear about hacks, viruses, malware, attacks, threats, vulnerabilities… And every time we have to think, is everything done for our security? Can we sleep peacefully? Let's try to figure out how the work of the information security service begins.
Information security as a system
Information security is a set of measures, among which it is impossible to single out more or less important ones. It cannot be perceived in any other way. Everything is important here! Security measures must be observed at all points of the network, whenever any subject works with your information (here a subject means a system user, a process, a computer or information processing software). Each information resource, whether it is a user's computer, an organization's server or network equipment, must be protected from all kinds of threats. File systems, the network, etc. must be protected. We will not consider ways to implement protection in this article because of their huge variety.
It is impossible to provide 100% protection. At the same time, it should be understood that the higher the level of security, the more expensive the system and the more inconvenient it becomes for the user to use, which naturally leads to a deterioration in protection due to the influence of the human factor. For example, overcomplicating a password leads users to stick password stickers on monitors, keyboards, and so on. It is worth remembering the fact that, according to some Western researchers, up to 45% of the time the user support service spends on recovering passwords lost by users!
There is a huge amount of software aimed at solving information security problems: anti-virus software, firewalls, built-in operating system tools, and much more. However, the most vulnerable link in protection is a person, because the performance of any software depends on the quality of its writing, on the literacy of the administrator of the corresponding protection tool, on the level of discipline of users who work with this software. In this regard, many organizations create information protection services (departments) or set appropriate tasks for their IT departments. However, it is impossible to charge the IT service with functions that are unusual for it. This has already been said more than once. After all, if you entrust information security to the IT department, then these tasks will be performed either last or to the detriment of its main tasks. And all this will happen only if your IT department understands what and how it should do.
So let's say your organization has an information security department. What to do next? Where to begin?
You need to start with training the employees of the information security department, and in the future make it a regular process (they must be trained at least twice a year). Training regular personnel in the basics of information security is the responsibility of the information security department, and it should also be carried out at least twice a year.
Many managers immediately want to receive a document from the information security department called the “Organization Security Policy”. Is it correct? In my opinion - no. Before you start writing this huge work, you need to answer the following questions:
- what information do you process?
- how to classify it by properties?
- what resources do you have?
- How is information processing distributed among resources?
- how to classify resources?
Information classification
Historically, as soon as the question of classifying information is raised (primarily for information owned by the state), it immediately begins to be classified according to the level of secrecy (confidentiality). At the same time, the requirements for ensuring availability, integrity and observability, if they are remembered at all, are mentioned in passing, along with the general requirements for information processing systems.
If such an approach can still be somehow justified in relation to state information, then transferring it to another subject area is simply ridiculous.
In many areas, the share of confidential information is relatively small. For open information, the damage from disclosure of which is small, the most important properties are such as accessibility, integrity and protection from illegal copying. Let's take as an example the website of an online publication, for which, in my opinion, the priorities will be the availability and integrity of information, and not its confidentiality.
If we consider and classify information only from a position of secrecy, this will lead to failure. The main reasons for this behavior are the narrowness of the traditional approach to protecting information, the lack of experience in terms of ensuring the availability, integrity and observability of information that is not secret (confidential). According to the requirements of the law, the owner of the information determines the level of its confidentiality (if this information does not belong to the state).
Categories of protected information
Based on the need to ensure different levels of protection of information (not containing information constituting a state secret) stored and processed in an organization, we will introduce several categories of confidentiality and several categories of integrity of protected information.
Categories of confidentiality:
- completely confidential - information recognized as confidential in accordance with the requirements of the law, or information the restrictions on the dissemination of which are introduced by a decision of the management and the disclosure of which can lead to serious financial and economic consequences for the organization, up to bankruptcy;
- confidential - this category includes information that did not fall into the "completely confidential" category, restrictions on the distribution of which were introduced by a decision of the management in accordance with the rights granted to it, as the owner of the information, by the current legislation, and the disclosure of which can lead to significant losses and loss of competitiveness of the organization (causing significant damage to the interests of its customers, partners or employees);
- open - this category includes information that is not required to be kept confidential.
Categories of integrity:
- high - information, unauthorized modification or falsification of which can lead to significant damage to the organization;
- low - this category includes information, unauthorized modification of which can lead to minor damage to the organization, its customers, partners or employees;
- no requirements - this category includes information for which there are no requirements to ensure integrity and authenticity.
By the degree of accessibility, we introduce four categories depending on the frequency of solving functional problems and the maximum allowable delay in obtaining the results of their solution:
- real time - access to the task should be provided at any time;
- hour - access to the task should be provided without long time delays (the task is solved every day, the delay does not exceed a few hours);
- day - access to the task can be provided with significant time delays (the task is solved every few days);
- a week - there are practically no limits on delays in accessing the task (the period for solving the task is several weeks or months, the allowable delay in obtaining the result is several weeks).
Information categorization
- Categorization of all types of information used in solving problems on specific computers (setting categories of confidentiality, integrity and availability of specific types of information).
- Categorization of all tasks that are solved on this computer.
- Based on the maximum categories of processed information, the category of the computer on which it is processed is set.
Resource Inventory
Before talking about protecting information in an organization, you should clearly define what you are going to protect and what resources you have. To do this, it is necessary to carry out an inventory and analysis of all the resources of the organization's automated system that are to be protected, which involves the following work:
- A special working group is formed to conduct an inventory and categorize the resources to be protected. It includes specialists from the computer security department and other departments of the organization who can assist in considering the technology of automated information processing in the organization.
- In order for the created group to have the necessary organizational and legal status, an appropriate order of the organization's management is issued, which states that all heads of the relevant departments of the organization must provide the working group with all necessary assistance in analyzing the resources of all computers.
- To provide assistance during the work of the group in the divisions, their leaders should allocate employees who have detailed information on the issues of automated information processing in these divisions.
- This order is brought to the attention (under signature) of the heads of all departments.
- During the survey (analysis) of the organization and automated subsystems, all functional tasks solved with the help of computers, as well as all types of information used to solve these tasks in departments, are identified and described.
- At the end of the survey, a form is compiled for each task solved in the organization. It should be understood that the same task in different departments can be called differently, and vice versa - different tasks can have the same name. At the same time, accounting is kept of software tools used in solving the functional tasks of the unit.
The survey identifies all types of information (incoming, outgoing, stored, processed, etc.). It is necessary to take into account not only confidential information, but also information, the violation of the integrity or availability of which can cause significant damage to the organization.
When analyzing information processed in an organization, it is necessary to assess the severity of the consequences that a violation of its properties can lead to. To do this, it is necessary to conduct surveys (testing, questioning) of specialists who work with it. At the same time, it should be clarified who benefits from illegally using this information or influencing it. If you cannot quantify the potential damage, do a qualitative assessment (low, high, very high).
To understand the availability categories, it is necessary, when analyzing the tasks solved in the organization, to find out the maximum allowable delay time for results, the frequency of their solution, and the severity of the consequences if their availability is violated (task blocking).
In the course of the analysis, each type of information should be assigned to a certain degree (label) of confidentiality (based on the requirements of the current legislation and the rights granted to the organization). At the same time, in order to assess the category of confidentiality of specific types of information, the heads (leading specialists) of the structural unit are asked for their personal assessments of the likely damage from a violation of the confidentiality and integrity of information.
Upon completion of the analysis, a "List of information resources to be protected" is compiled. Then it is agreed with the heads of IT and computer security departments and put forward for consideration by the organization's management.
Next, you need to categorize functional tasks. Based on the availability requirements set by the heads of the organization's departments and agreed with the IT service, all applied tasks solved in the departments are categorized. Information about the categories of applied tasks is entered into task forms. It should be noted that it is impossible to categorize system tasks and software without reference to specific computers and application tasks.
In the future, with the participation of specialists from the IT service and the information security department, it is necessary to clarify the composition of resources (information, software) for each task and enter into the form of a specific task information on groups of users of this task and instructions on setting up the protection tools used to solve it (for example, permissions access of user groups to the listed task resources). In the future, based on this information, the protection tools for computers on which this task will be solved will be configured.
The next step is the categorization of computers. The category of a computer is set based on the maximum category of tasks performed on it, and the maximum categories of confidentiality and integrity of information used to perform these tasks. Information about the category of the computer is entered in its form.
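As an added example, not code from the original article: a small Python model of the categorization just described, covering the four availability levels of functional tasks, the A/B/C/D workstation (AWP) rule given in the slide material above, and the computer category derived from the maximum confidentiality and integrity of the information its tasks process. The delay thresholds in `availability_category()` and the sample tasks are constructed assumptions, not values from the text.

```python
"""Model of task and workstation categorization (added example, not the article's code).

The numeric delay thresholds and the sample tasks below are constructed
assumptions chosen to match the page's wording; they are not from the text.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable, Optional


class Confidentiality(IntEnum):
    OPEN = 0
    CONFIDENTIAL = 1
    COMPLETELY_CONFIDENTIAL = 2


class Integrity(IntEnum):
    NO_REQUIREMENTS = 0
    LOW = 1
    HIGH = 2


class TaskCategory(IntEnum):
    """Availability category of a functional task; 1 is the most demanding."""
    UNHINDERED = 1   # solved constantly, result needed within seconds or minutes
    HIGH = 2         # solved daily, delay up to several hours
    MEDIUM = 3       # solved every few days, delay up to several days
    LOW = 4          # solved every few weeks or months, delay of several weeks


def availability_category(max_delay_hours: float) -> TaskCategory:
    """Map the maximum allowable delay of a task's result to its category.

    Thresholds (assumed): under an hour, under a day, under a week, longer.
    """
    if max_delay_hours < 1:
        return TaskCategory.UNHINDERED
    if max_delay_hours < 24:
        return TaskCategory.HIGH
    if max_delay_hours < 24 * 7:
        return TaskCategory.MEDIUM
    return TaskCategory.LOW


@dataclass(frozen=True)
class InfoType:
    name: str
    confidentiality: Confidentiality
    integrity: Integrity


@dataclass(frozen=True)
class Task:
    name: str
    category: TaskCategory
    information: tuple  # InfoType instances this task works with


@dataclass(frozen=True)
class WorkstationCategory:
    group: str                        # "A", "B", "C" or "D"
    confidentiality: Confidentiality  # maximum over all information processed
    integrity: Integrity              # maximum over all information processed


def awp_group(categories: Iterable[TaskCategory]) -> Optional[str]:
    """Apply the A/B/C/D rule from the page.

    The group is fixed by the most demanding task; the remaining tasks may be
    at most one step less demanding. Returns None when the mix of tasks
    violates the rule (e.g. a 1st- and a 4th-category task on one machine),
    which means the tasks must be separated onto different workstations.
    """
    cats = sorted(set(categories))
    if not cats:
        return None
    most_demanding, least_demanding = cats[0], cats[-1]
    if most_demanding == TaskCategory.UNHINDERED and least_demanding <= TaskCategory.HIGH:
        return "A"
    if most_demanding == TaskCategory.HIGH and least_demanding <= TaskCategory.MEDIUM:
        return "B"
    if most_demanding == TaskCategory.MEDIUM:   # others are 3rd or 4th category
        return "C"
    if most_demanding == TaskCategory.LOW:      # only 4th-category tasks
        return "D"
    return None


def categorize_workstation(tasks: Iterable[Task]) -> Optional[WorkstationCategory]:
    """Computer category: AWP group plus the maxima of the information categories."""
    tasks = list(tasks)
    group = awp_group(t.category for t in tasks)
    if group is None:
        return None
    infos = [i for t in tasks for i in t.information]
    return WorkstationCategory(
        group=group,
        confidentiality=max((i.confidentiality for i in infos), default=Confidentiality.OPEN),
        integrity=max((i.integrity for i in infos), default=Integrity.NO_REQUIREMENTS),
    )


# Constructed sample data (hypothetical tasks, not from the article).
LEDGER = InfoType("payment ledger", Confidentiality.COMPLETELY_CONFIDENTIAL, Integrity.HIGH)
NEWS = InfoType("published articles", Confidentiality.OPEN, Integrity.LOW)
PAYMENTS = Task("process payments", availability_category(0.1), (LEDGER,))
PUBLISH = Task("publish articles", availability_category(6), (NEWS,))
MONTHLY_REPORT = Task("monthly report", availability_category(24 * 30), (LEDGER,))


def demo():
    ok = categorize_workstation([PAYMENTS, PUBLISH])          # group A, completely confidential, high
    bad = categorize_workstation([PAYMENTS, MONTHLY_REPORT])  # None: 1st and 4th category mixed
    return ok, bad
```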
Resource inventory means more than reconciling the active and passive network equipment actually present against the list of equipment (and that each item is complete) purchased by the organization; inventory software such as Microsoft Systems Management Server can be used for that. It also includes drawing up a network map that describes every possible connection point, a list of the software in use, a reference fund of the licensed software used in the organization, and a fund of algorithms and programs developed in-house.
Note that software should be allowed into operation only after the information security department has checked it for compliance with its intended tasks and for the absence of implants (hidden backdoors) and "logic bombs" of any kind.
Here I would like to note the trend that has appeared in our country towards the use of Open Source program code. I do not dispute that this saves significant resources. However, in my opinion, in this case security becomes a matter of trust not only in the system's developer but also in your administrator. And if you remember how much your administrator earns, it is not difficult to conclude that it is much easier and cheaper to buy your secrets than to carry out a direct external attack. It is also worth mentioning that most successful attacks are carried out by insiders, that is, the company's own employees.
In my opinion, free software can be used only if it is delivered to you in compiled form with the digital signature of an organization that guarantees the absence of logic bombs, implants and backdoors of any kind in it. Moreover, that organization must bear financial liability for its guarantee, which, in my opinion, is impossible. However, the choice is yours.
After verification, the reference copy of the software is entered into the fund of algorithms and programs; the reference copy must be accompanied by a checksum file or, better, by the developer's digital signature. When versions change or updates appear, the software is re-checked in the prescribed manner.
Subsequently, each computer's form records the installed software, its installation date, the purpose and tasks it serves, and the names and signatures of the persons who installed and configured it. Once such forms exist, the information security service must regularly verify that the actual state of each computer matches its form.
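The checksum file that accompanies a reference copy, and the regular check that an installed computer still matches its form, can both be served by one manifest. The following is an added example, not code from the article: it builds a SHA-256 manifest for a reference copy in the `sha256sum` two-space format, then compares an installed copy against it and reports modified, missing and extra files. The directory layout and file contents are constructed for the demonstration. The developer's signature that the author prefers is not shown here; in practice it would be a detached signature over the manifest file, verified with the developer's public key before the manifest is trusted.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root: the checksum file
    that accompanies a reference copy in the fund of algorithms and programs."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def write_manifest(manifest: Dict[str, str], path: Path) -> None:
    """Two-space `sha256sum` format, so `sha256sum -c <file>` can check it as well."""
    with open(path, "w", encoding="utf-8") as handle:
        for rel, digest in manifest.items():
            handle.write(f"{digest}  {rel}\n")


def read_manifest(path: Path) -> Dict[str, str]:
    manifest: Dict[str, str] = {}
    with open(path, encoding="utf-8") as handle:
        for line in handle:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_install(install_root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare an installed copy with the reference manifest.
    All three lists empty means the installation matches its form."""
    actual = build_manifest(install_root)
    return {
        "modified": sorted(r for r in manifest if r in actual and actual[r] != manifest[r]),
        "missing": sorted(r for r in manifest if r not in actual),
        "extra": sorted(r for r in actual if r not in manifest),
    }


def demo():
    """Constructed scenario: fix a reference copy, check a clean install,
    then check the same install after it has drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        reference = Path(tmp, "reference", "app-1.0")
        (reference / "bin").mkdir(parents=True)
        (reference / "bin" / "app").write_bytes(b"\x7fELF constructed stand-in for a binary\n")
        (reference / "app.conf").write_text("mode=prod\n", encoding="utf-8")

        manifest_file = Path(tmp, "app-1.0.sha256")
        write_manifest(build_manifest(reference), manifest_file)
        manifest = read_manifest(manifest_file)

        installed = Path(tmp, "installed", "app")
        shutil.copytree(reference, installed)
        clean = verify_install(installed, manifest)

        # Simulated drift: patched binary, dropped-in library, deleted config.
        (installed / "bin" / "app").write_bytes(b"\x7fELF patched\n")
        (installed / "libhelper.so").write_bytes(b"not in the reference copy\n")
        (installed / "app.conf").unlink()
        tampered = verify_install(installed, manifest)
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. The manifest must be stored apart from the software it describes (in the fund, not on the checked computer), otherwise whoever alters the program can alter the checksums to match; this is exactly why a signature over the manifest is the stronger option. And a matching manifest only proves that nothing changed after the reference was fixed; it says nothing about implants already present in the reference copy, which is what the information security department's check before acceptance is for.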
A particularly difficult item is the "inventory" of personnel. When your organization was created, it is by no means certain that the staff recruited understood what to do and how. Therefore the staff's knowledge must be checked and the staff trained. In parallel with the knowledge check, staff must be familiarized, against signature, with the relevant articles of the Criminal Code, so that if they violate them they understand what they are doing.
The next step in building the information security function is a risk analysis of the organization, which determines the security policy.
Conclusion
Upon completion of the work described, you will have the initial data for writing a security policy based on the relevant international standards.