Information Systems Security Policy

Every person and every organization holds information that it does not want published or, conversely, that it intends to sell as dearly as possible. Protecting it requires a security policy: a body of rules whose job is to stop the uncontrolled spread of data that the general public should not see. The policy also deals with the loss of data or the loss of access to it, either of which disrupts work, and it usually provides a set of measures to minimize the damage if such an event does occur. In short, a security policy is a set of rules and regulations governing an organization's equipment and personnel. How is its effectiveness maximized?

A Comprehensive Approach Above All

Information protection must be addressed as a whole, and the first task is to close every possible channel through which data can leak. This matters because isolated measures barely raise the security of the system as a whole. Consider a house. We install an armored door with extremely complex locks, but leave the windows open. Is the house protected? No. (If the house is not a single-story building but the 125th floor of a skyscraper, the open windows matter less and security rises somewhat.) The same principle applies to information systems: an individual measure may raise security significantly or have almost no effect, depending on what else is in place. In every case the problem must be approached comprehensively.

What should be done?

To ensure security, organizations often build a full-fledged comprehensive system of information protection (CSIS): a combination of engineering and organizational measures together with software and hardware. Together they keep the automated systems operating normally. Security policy management should rely not only on computer technology but also on the organization's staff.

Organizational measures

This is a very important and often underestimated component. Organizational measures mean developing an official information security policy and putting it into practice. This includes:

  1. Drafting job descriptions that users and service personnel must follow.
  2. Developing administration rules for individual system components.
  3. Creating an action plan for detecting unauthorized access attempts.
  4. Developing rules governing the accounting, storage, copying and destruction of media carrying confidential information.
  5. Working out questions of user identification.
  6. Developing a plan for the failure of protective equipment and for emergencies.
  7. Training all users in the information security rules and recommendations, and monitoring compliance with them.

Problems caused by ignoring organizational measures

What happens if no training is done? People become the weakest part of the defense system. The result of ignoring this aspect is often that the information system cannot be restored at all, and the goals of the security policy are reached late or not at all. Even where a backup copy of the data exists, recreating the system takes time. Written instructions also make it much easier to handle the common situation where one employee built something and another has to restore or refine it.

The most important aspect of organizational measures

Users should be trained to recognize attackers. A few examples show how cunning they can be:

  1. An employee receives a call or email, apparently from the director or another senior manager, asking for his password so that the system can be tested, a software component modified, or some other plausible task carried out. The result is that the fraudster gains the ability to delete or significantly corrupt the database, with the losses that entails.
  2. An employee visits what he believes to be his company's web page, but it is a fake. He enters his credentials, and the attacker now has access to the system. To keep the employee from noticing, the fake page can redirect him to the official site and log him in there automatically.
  3. An attacker plants removable media on an employee; the program on it opens access to the database, deletes it, or takes some other unwelcome action.

These are only some of the possible variants.

Laying the groundwork for a comprehensive information security system

Developing a security policy demands a serious and comprehensive approach, and it is done in stages. First, examine the information and telecommunication system: analyze its architecture, topology and components, and take an inventory of its information resources. All owners and users must be identified and documented. Resources are assigned different classification levels depending on their importance. Remember that the security policy rests on the data collected and analyzed here: the larger the body of information processed, the better the final result.

Deciding what to protect

A threat model must be built. In it the computer system is represented as a set of services, each with its own set of functions, which makes it possible to enumerate the threats to each. Among them:

  1. Threats to confidentiality: everything related to unauthorized reading of content.
  2. Threats to integrity: everything related to unauthorized modification or destruction of information.
  3. Threats to availability: including the possibility of misuse of the information system.
  4. Threats to observability: everything concerning failures of user identification and of control over user actions.

The security policy must provide a solution for every identified threat, but within reason: there is no sense in working out the confidentiality of information posted on the organization's official website, which is meant to be accessible to anyone who wants it.

Nature of threats

It is determined by the cause of the problem. There are three types:

  1. Natural: natural disasters, fires and the like. They do the greatest physical damage and are the hardest to defend against, but their likelihood is the lowest. Protection consists of distributing resources across different sites and of structural features of the building (thicker walls, fire protection, and so on).
  2. Technical: accidents, equipment failures, malfunctions. They cause relatively high damage. The defense against them is data duplication (redundancy and backups).
  3. Human: this does not always mean malicious intent. It also includes errors in the design, development and operation of system components, and unintended user actions. From a purely technical point of view, an untrained cleaner in the server room is no less a threat to the equipment than an organized and experienced group of crackers.

The objectives of the security policy are to prevent these problems and, if they do occur, to carry out a set of measures that minimizes the damage.

Threat Model Features

When developing the threat model, bear in mind that different kinds of information need different protection. For the public data on the website, integrity and availability matter; since everyone is supposed to see it, confidentiality can be ignored. Data that circulates inside the company, by contrast, must be protected against unauthorized access. Protecting everything at the highest level takes enormous effort and resources, so the most important data are singled out and given the strongest protection, and other information is protected in proportion to its value.

Intruder Model

It is built around people: it identifies every possible type of violator and describes each in detail. Models are drawn up for professional crackers, inexperienced hired hands, ordinary hooligans and the organization's own employees. The greatest danger comes from the first group, because they have the knowledge and technical means to gain unauthorized access. Employees come next: they already have access to information and may also be familiar with how the security system is organized, which gives them at least some opportunity to affect resources. Given motivation, employees can cause significant damage (which is not uncommon), and if outside attackers recruit them, the outcome is bleak.

Documentation

When all the previous steps are complete, the necessary documents are drawn up: the "Information Security Policy", the "Terms of Reference for the Creation of a CSIS" and others. Then software and hardware protection is selected and configured. Finally, the "Technical Project for the Creation of a CSIS" is written. Once everything is ready, implementation of the chosen tools, measures and methods of protecting the information system can begin.

Ongoing Control

Creating the system is not enough. It must also be verified that everything works correctly, and periodically confirmed that it still does. To that end, integrity monitoring is carried out, the requirements are revised, and the state of the information system is analyzed. For the administrator responsible for security, the saying that "a good admin is one who can sleep all the time" does not apply. An information system is a dynamic object whose internal and external conditions change constantly, and the organization's structure is not permanent either: new units or departments and new services (such as support or databases) appear, and offices move from one room to another. The information that circulates through the system changes too. The security policy must therefore account for all of these aspects. Security is not something settled once and for all; given the need for continuous improvement and adaptation to new challenges, it is better called a process.
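The integrity monitoring mentioned above is one of the few controls in this article that can be shown directly in code. The following is an added example written for this page, not a tool the article describes: it records a baseline of SHA-256 digests for every regular file under a directory, and on a later run reports which files were added, removed or modified. The directory tree, its contents and the tampering scenario in `demo()` are constructed inline so the script runs offline; the names `baseline.json`, `config.ini`, `motd` and `backdoor.sh` are illustrative assumptions.

```python
"""Added example: a minimal file-integrity monitor (baseline + verify).

Illustrative code for this article, not a tool the article describes.
Every path and file name below is a constructed assumption.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (POSIX path relative to root) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            # Skip symlinks: they can point outside the monitored tree.
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def save_baseline(baseline: dict, out_file: Path) -> None:
    out_file.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file: Path) -> dict:
    return json.loads(in_file.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against the baseline and return what changed."""
    current = build_baseline(root)
    old_keys, new_keys = set(baseline), set(current)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, tamper with it, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "app").mkdir(parents=True)
        (root / "app" / "config.ini").write_text("debug=false\n")
        (root / "app" / "users.txt").write_text("alice\nbob\n")
        (root / "motd").write_text("welcome\n")

        # The baseline lives outside the monitored tree so it is not hashed itself.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated unauthorized changes made after the baseline was taken.
        (root / "app" / "config.ini").write_text("debug=true\n")   # modified
        (root / "motd").unlink()                                     # removed
        (root / "app" / "backdoor.sh").write_text("#!/bin/sh\n")    # added

        return verify(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real deployment the baseline must be kept where an intruder who can alter the monitored files cannot also rewrite it (off-host, on read-only media, or signed), and the comparison should run on a schedule with its report going to someone who will act on it; otherwise the check only documents a compromise after the fact.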

Assessment

Assessment determines effectiveness, and there are dedicated techniques for measuring it. Conducting such a check in-house is difficult, because every visible flaw should already have been eliminated by the people who built the protection system. The task is therefore usually entrusted to a third party, which approaches the test from a different position and is quite likely to notice a weak spot that the developers missed. Such inspectors act as crackers, except that their reward for using every available avenue is a payment from the company itself. Checks of this kind are part of putting the security policy into practice.

Conclusion

For a small business, developing its own security policy may not make sense. But for large enterprises that plan to operate for a long time, its value at certain moments can be extraordinary. If the security policy is developed to a high standard, company representatives may never even learn what it protected them from. And even if it seems pointless, applying this experience in any field of activity is extremely important.
