Information security policies. An organization's information security policy

An information security (IS) policy is a set of measures, rules and principles that the employees of an enterprise or organization follow in their daily work in order to protect its information resources.

In the time since the very concept of information security arose, many such policies have been developed: in each company, management decides for itself how and what information to protect (apart from the cases governed by the legal requirements of the Russian Federation). Policies are usually formalized: an appropriate regulation is developed, and employees of the enterprise are required to comply with it. Not all of these documents turn out to be effective, however. Below we consider the components of an information security policy and identify the main aspects necessary for its effectiveness.

Why is information security formalized?

Provisions on information security policy most often appear as a separate document in fulfilment of the requirements of a regulator, that is, an organization that sets the rules under which legal entities in a given industry operate. If there is no such provision, sanctions against the violator are possible, up to and including the suspension of its activities.

The security policy is also a mandatory component of certain standards (local or international). It is needed to meet the specific requirements usually put forward by external auditors who study the organization's activities. The absence of a security policy produces negative audit findings, and such assessments hurt indicators such as rating, reliability level and investment attractiveness.

Information security documents also appear when top management itself comes to understand the need for a structured approach to the subject. This usually happens after technical means have been introduced, when it becomes clear that these means must be managed and kept under constant control. Information security often also covers relations with personnel (an employee can be considered not only as a person to be protected, but also as an object from which information must be protected) and other aspects and factors that go beyond merely protecting the computer network and preventing unauthorized access to it.

The presence of such provisions indicates the organization's viability and maturity in matters of information security. A clear formulation of information security rules is evidence that significant progress has been made in this process.

Failed Policies

The mere existence of a document with the title "Regulations on Information Security" is not a guarantee of information security as such. If it is considered only in the context of compliance with some requirements, but without practical application, the effect will be zero.

Ineffective security policy, as practice shows, is of two types: well-formulated, but not implemented, and implemented, but not clearly formulated.

The first, as a rule, is quite common in organizations in which the information protection officer simply downloads similar documents from the Internet, makes minimal edits and issues general rules for management approval. At first glance, this approach seems pragmatic. The principles of security in different organizations, even if the focus of their activities varies, are often similar. But problems with information security can arise when moving from the general concept of information security to everyday work with documents such as procedures, methodologies, standards, etc. Since the security policy was originally formulated for a different structure, there may be certain difficulties in adapting everyday documents.

An ineffective policy of the second type is an attempt to solve the problem not by adopting general strategic plans, but by ad hoc decisions. For example, a system administrator, tired of users disrupting the network with their careless actions, takes a sheet of paper, sketches out in ten minutes the rules (what is allowed and what is not, who is allowed access to data of a certain kind and who is not) and titles it "Policy". If management approves such a "Policy", it can then serve for years as the basis of the organization's information security activities, creating tangible problems: for example, when new technologies are introduced, the necessary software cannot always be installed. As a result, exceptions to the rules begin to be allowed (for example, some program is needed, it is expensive, and the employee convinces management to use an unlicensed copy contrary to the previously established security rules), which nullifies all protection.

Development of an effective information security system

To create an effective information security system, the following should be developed:

  • an information security concept (defines the policy in general terms, its principles and goals);
  • standards (rules and principles of information security in each specific area);
  • procedures (descriptions of specific actions to protect information when working with it: personal data, access to information media, systems and resources);
  • instructions (a detailed description of what to do and how, in order to organize information protection and meet the existing standards).

All of the above documents should be interconnected and not contradict each other.

Emergency plans should also be developed for the effective organization of information protection. They are needed to restore information systems in the event of force majeure: accidents, disasters, etc.

Structure of the protection concept

We note right away that the concept of information security is not identical to strategy. The first is static, while the second is dynamic.

The main sections of the security concept are:

  • definition of information security;
  • security structure;
  • description of the security control mechanism;
  • risk assessment;
  • information security: principles and standards;
  • duties and responsibilities of each division, office or department in protecting information carriers and other data;
  • references to other security regulations.

In addition, a section describing the main criteria for the effectiveness of protecting important information would not be superfluous. Indicators of protection effectiveness are needed first of all by top management: they allow the organization of security to be assessed objectively without delving into technical nuances. The head of the security function also needs clear criteria for assessing the effectiveness of information security, in order to understand how management will evaluate his work.

List of basic requirements for security documentation

The security policy should be formulated with two main aspects in mind:

  1. The target audience for all security information is middle managers and ordinary employees, who do not know specialized technical terminology but must understand and absorb the information provided when reading the instructions.
  2. Instructions must be concise and contain all the necessary information about the policy being pursued. No one will study a voluminous "folio" in detail, let alone remember it.

From this follow two requirements for instructional security materials:

  • they must be written in plain Russian, without the use of special technical terms;
  • the security text should contain goals, ways to achieve them, and the assignment of responsibility for non-compliance with information security. That is all: no technical or other specialized information.

Organization and implementation of information security

After the documentation on information security is ready, a planned organization of work is needed to implement it into daily work. For this you need:

  • familiarize the team with the approved information processing policy;
  • familiarize all new employees with this information processing policy (for example, conduct information seminars or courses in which to provide comprehensive explanations);
  • carefully study existing business processes in order to detect and minimize risks;
  • actively participate in the promotion of new business processes in order not to become hopelessly lagging behind in the field of information security;
  • draw up detailed methodological and informational materials, instructions that supplement the information processing policy (for example, rules for granting access to work on the Internet, the procedure for entering premises with limited access, a list of information channels through which confidential data can be transmitted, instructions for working with information systems, etc.);
  • once every three months, review and adjust access to information, the procedure for working with it, update the documentation adopted on IS, constantly monitor and study existing IS threats.

Persons trying to gain unauthorized access to information

Finally, we categorize those who can or want to gain unauthorized access to information.

Potential external intruders:

  1. Office visitors.
  2. Previously fired employees (especially those who left with a scandal and know how to access information).
  3. Hackers.
  4. Third-party structures, including competitors, as well as criminal groups.

Potential insiders:

  1. Users of computer equipment from among employees.
  2. Programmers, system administrators.
  3. Technical staff.

Reliable protection of information from each of these groups requires its own rules. A visitor can simply walk off with a sheet of paper containing important data, while a technical specialist can create an unregistered point of entry to and exit from the LAN. Each case is a leak of information. In the first case, it is enough to develop rules of conduct for staff in the office; in the second, technical means that increase information security must be used, such as DLP and SIEM systems, which counter leaks from computer networks.

When developing information security, it is necessary to take into account the specifics of the listed groups and provide effective measures to prevent information leakage for each of them.

An information security policy is a set of laws, measures, rules, requirements, restrictions, instructions, normative documents, recommendations, etc., that regulate the procedure for processing information and aim to protect it from certain types of threats.

The information security policy is the fundamental document for ensuring the entire information security cycle in a company. Top management should therefore be interested in all company personnel knowing and strictly observing its main points. All employees of the departments responsible for the company's information security regime must be familiarized with the policy and sign to confirm it, since they will be responsible for verifying that the company's personnel comply with its requirements and know the points that concern them. The process for conducting such checks, the responsibilities of the officials who carry them out, and a schedule of checks should also be defined.

An information security policy can be developed both for a separate component of an information system and for an information system as a whole. The information security policy should take into account the following features of the information system: information processing technology, computing environment, physical environment, user environment, access control rules, etc.

The information security policy should ensure the integrated use of legal, moral and ethical standards, organizational and technical measures, software, hardware and software and hardware to ensure information security, as well as determine the rules and procedures for their use. The information security policy should be based on the following principles: continuity of protection, sufficiency of measures and means of protection, their compliance with the likelihood of threats, cost-effectiveness, structure flexibility, ease of management and use, etc.

A security policy is a set of preventive measures to protect confidential data and information processes at the enterprise. The security policy includes requirements for personnel, managers and technical services. The main directions of security policy development:

  • determining what data and how seriously it needs to be protected,
  • determining who and what damage can cause to the company in the informational aspect,
  • calculation of risks and determination of a scheme to reduce them to an acceptable value.

There are two approaches to assessing the current state of information security in an enterprise. They have received the figurative names "bottom-up research" and "top-down research". The first method is quite simple and requires much less investment, but also has fewer capabilities. It is based on the well-known scheme "You are an intruder. What do you do?": the information security service, drawing on data about all known types of attacks, tries to carry them out in practice in order to check whether such an attack is possible for a real attacker.

The "top-down" method is, on the contrary, a detailed analysis of the entire existing scheme for storing and processing information. The first step, as always, is to determine which information objects and flows need to be protected. This is followed by a study of the current state of the information security system to determine which of the classical methods of protecting information have already been implemented, to what extent and at what level. In the third stage, all information objects are assigned to classes according to their confidentiality and their requirements for availability and integrity (immutability).

Next comes an assessment of how serious the damage that a disclosure or other attack on each specific information object can cause to the company. This step is called "risk calculation". As a first approximation, the risk is the product of the "possible damage from an attack" and the "probability of such an attack".
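The top-down steps above (classify objects by confidentiality, integrity and availability, compute risk as damage times probability, compare with an acceptable value, and select cost-effective countermeasures) carried through as a small risk register; this is an added example, not part of the original text, and the 1..3 classification scale, the sample objects, threats, costs and threshold are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class InfoObject:
    """An information object classified by confidentiality, integrity and
    availability requirement (1 = low, 3 = high; constructed scale)."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def level(self, prop: str) -> int:
        return {"C": self.confidentiality, "I": self.integrity,
                "A": self.availability}[prop]


@dataclass(frozen=True)
class Threat:
    """A threat to one property ("C", "I" or "A"), with the estimated
    probability of its realisation over the review period and the damage it
    would cause to an object of the highest class (constructed units)."""
    name: str
    prop: str
    probability: float
    max_damage: float


@dataclass(frozen=True)
class Countermeasure:
    """A measure against one threat: it leaves `probability_factor` of the
    original probability and costs `annual_cost` per review period."""
    name: str
    threat: str
    probability_factor: float
    annual_cost: float


def possible_damage(obj: InfoObject, threat: Threat) -> float:
    """Damage scales with the object's class for the threatened property."""
    return threat.max_damage * obj.level(threat.prop) / 3


def risk(obj: InfoObject, threat: Threat) -> float:
    """Risk = possible damage from an attack * probability of that attack."""
    return possible_damage(obj, threat) * threat.probability


def risk_register(objs: List[InfoObject],
                  threats: List[Threat]) -> List[Tuple[str, str, float]]:
    """Every (object, threat) pair with its risk, highest risk first."""
    rows = [(o.name, t.name, risk(o, t)) for o in objs for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def plan(objs: List[InfoObject], threats: List[Threat],
         measures: List[Countermeasure], acceptable: float
         ) -> Dict[Tuple[str, str], Optional[Tuple[float, str, float]]]:
    """For each pair whose risk exceeds the acceptable value, pick the
    cheapest measure that brings it under the threshold and whose cost does
    not exceed the risk it removes (the cost-effectiveness principle).
    Value: (cost, measure name, residual risk), or None if nothing fits."""
    decisions = {}
    for obj_name, thr_name, r in risk_register(objs, threats):
        if r <= acceptable:
            continue
        candidates = []
        for m in measures:
            if m.threat != thr_name:
                continue
            residual = r * m.probability_factor
            if residual <= acceptable and m.annual_cost <= r - residual:
                candidates.append((m.annual_cost, m.name, residual))
        decisions[(obj_name, thr_name)] = min(candidates) if candidates else None
    return decisions


# Constructed sample data.
OBJECTS = [InfoObject("customer personal data", 3, 2, 2),
           InfoObject("public price list", 1, 2, 3)]
THREATS = [Threat("leak via e-mail", "C", 0.4, 100_000),
           Threat("database tampering", "I", 0.1, 60_000),
           Threat("server outage", "A", 0.3, 30_000)]
MEASURES = [Countermeasure("DLP system", "leak via e-mail", 0.2, 15_000),
            Countermeasure("staff briefing", "leak via e-mail", 0.6, 2_000),
            Countermeasure("daily backup", "server outage", 0.5, 3_000)]
ACCEPTABLE_RISK = 10_000

if __name__ == "__main__":
    for obj_name, thr_name, r in risk_register(OBJECTS, THREATS):
        print(f"{obj_name:25s} {thr_name:20s} risk={r:10.2f}")
    for pair, decision in plan(OBJECTS, THREATS, MEASURES, ACCEPTABLE_RISK).items():
        print(pair, "->", decision)
```

With the sample values, only the two "leak via e-mail" rows exceed the threshold; the DLP system is chosen for the customer data (its cost is below the 32,000 it removes), while for the price list it is not cost-effective and the cheaper briefing suffices.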

The information security policy should contain sections covering:

  • the concept of information security;
  • identification of the components and resources of the information system that can become sources of information security violations, and their level of criticality;
  • mapping of threats to the objects of protection;
  • risk assessment;
  • assessment of the possible losses associated with the realization of threats;
  • estimation of the cost of building the information security system;
  • definition of requirements for the methods and means of ensuring information security;
  • selection of basic information security solutions;
  • organization of recovery work and ensuring the continuous operation of the information system;
  • access control rules.

The information security policy of an enterprise is very important for ensuring the integrated security of the enterprise. It can be implemented in hardware and software using DLP solutions.


Regardless of the size of the organization and the specifics of its information system, work to ensure the IS regime usually consists of the following steps (Figure 1):

  • defining the scope (boundaries) of the information security management system and specifying the goals of its creation;
  • risk assessment;
  • selection of countermeasures that ensure the IS regime;
  • risk management;
  • audit of the information security management system;
  • development of a security policy.


Stage 3. Structuring countermeasures to protect information at the following main levels: administrative, procedural, software and hardware.

Stage 4. Establishing the procedure for certifying and accrediting the corporate information system for compliance with IS standards. Setting the frequency of management-level meetings on information security, including periodic review of the provisions of the information security policy, and the procedure for training all categories of information system users in information security. Developing an organization's security policy is known to be the least formalized stage; recently, however, this is where the efforts of many information security professionals have been concentrated.

Stage 5. Determining the scope (boundaries) of the information security management system and specifying the goals of its creation. At this stage, the boundaries of the system for which the IS regime is to be provided are determined, and the information security management system is built within these boundaries. The description of the system boundaries is recommended to follow this plan:

  • the structure of the organization: a presentation of the existing structure and of the changes expected in connection with the development (modernization) of the automated system;
  • the information system resources to be protected. It is advisable to consider the automated system's resources in the following classes: computing hardware (SVT), data, system and application software. All resources are of value to the organization; to evaluate them, a system of criteria and a methodology for obtaining results according to these criteria should be selected;

  • development of principles for classifying the company's information assets and evaluating their security;
  • assessment and management of information risks;
  • training the company's employees in methods of ensuring information security, conducting briefings and monitoring their knowledge and practical skills in implementing the security policy;
  • advising company managers on information risk management issues;
  • harmonization of private security policies and regulations among company divisions;
  • control over the work of the company's quality and automation services, with the right to check and approve internal reports and documents;
  • interaction with the company's personnel service to verify the personal data of employees when hiring;
  • organization of measures to eliminate emergencies or incidents in the field of information security should they occur;

The integrity of information is the existence of information in an undistorted form (unchanged relative to some fixed state). Usually, subjects are interested in a broader property, the reliability of information, which consists of adequacy (completeness and accuracy of its reflection of the state of the subject area) and integrity proper, i.e. the absence of distortion.

A distinction is made between static and dynamic integrity. To violate static integrity, an attacker can enter incorrect data or alter existing data; sometimes the content data is changed, sometimes the service information. Threats to dynamic integrity are violation of the atomicity of transactions, reordering, theft, duplication of data, or the injection of additional messages (network packets, etc.). The corresponding actions in a network environment are called active listening.

The threat to integrity is not only the falsification or alteration of data, but also the repudiation of actions that were performed. If there is no means of ensuring "non-repudiation", computer data cannot be considered as evidence. Potentially vulnerable from the point of view of integrity violations are not only data, but also programs. The introduction of malware is an example of such a breach.

A current and very dangerous threat is the introduction of rootkits (a set of files installed in the system in order to change its standard functionality in a malicious and covert way), bots (a program that automatically performs a certain mission; a group of computers on which bots of the same type operate is called a botnet), backdoors (malware that listens for commands on specific TCP or UDP ports) and spyware (malicious software aimed at compromising confidential user data). For example, the Back Orifice and NetBus "Trojans" allow gaining control over user systems running various versions of MS Windows.

Privacy Threat

The threat of a breach of confidentiality lies in the fact that information becomes known to someone who does not have the authority to access it. Sometimes, in connection with the threat of confidentiality, the term "leakage" is used.

Information confidentiality is a subjectively determined (attributed) characteristic (property) of information, indicating the need to introduce restrictions on the circle of subjects having access to this information, and provided by the ability of the system (environment) to save specified information secret from subjects who do not have the authority to access it. The objective prerequisites for such a restriction on the availability of information for some subjects are in the need to protect their legitimate interests from other subjects of information relations.

Confidential information can be divided into subject and service information. Service information (for example, user passwords) does not belong to a specific subject area; it plays a technical role in the information system, but its disclosure is especially dangerous, since it opens the way to unauthorized access to all information, including subject information. A dangerous non-technical threat to confidentiality is moral and psychological influence, such as a "masquerade": performing actions under the guise of a person with authority to access the data. Abuse of power is one of the most unpleasant threats and one that is difficult to defend against. On many types of systems, a privileged user (for example, a system administrator) is able to read any (unencrypted) file and access the mail of any user.

Currently, the most common are so-called "phishing" attacks. Phishing (from the English "fishing") is a type of Internet fraud whose purpose is to gain access to confidential user data: logins and passwords. This is achieved by mass mailing of e-mails on behalf of popular brands, as well as personal messages within various services, for example, on behalf of banks, services (Rambler, Mail.ru) or social networks (Facebook, Vkontakte, Odnoklassniki.ru). The targets of phishers today are customers of banks and electronic payment systems. For example, in the United States, masquerading as the Internal Revenue Service, phishers collected significant taxpayer data in 2009.

The TSF software outside the kernel consists of trusted applications that are used to implement security functions. Note that shared libraries, including PAM modules in some cases, are used by trusted applications; however, there is no case in which a shared library itself is treated as a trusted object. Trusted commands can be grouped as follows.

  • System initialization
  • Identification and authentication
  • Network applications
  • Batch processing
  • System management
  • User-level audit
  • Cryptographic support
  • Virtual machine support

The execution components of the kernel can be divided into three parts, depending on how they are executed: the main kernel, kernel threads, and kernel modules.

  • The main kernel includes code that is executed to provide a service, such as servicing a user system call or servicing an exception or interrupt. Most compiled kernel code falls into this category.
  • Kernel threads. To perform certain routine tasks, such as flushing disk caches or freeing memory by swapping out unused page frames, the kernel creates internal processes, or threads. Threads are scheduled just like regular processes, but they have no context in non-privileged mode. Kernel threads execute specific kernel C-language functions. They reside in kernel space and run only in privileged mode.
  • Kernel modules and device-driver kernel modules are pieces of code that can be loaded into and unloaded from the kernel as needed. They extend the kernel's functionality without requiring a reboot of the system. Once loaded, a kernel module's object code can access other kernel code and data in the same way as statically linked kernel object code.

A device driver is a special type of kernel module that allows the kernel to access hardware connected to the system. These devices can be hard drives, monitors, or network interfaces. The driver communicates with the rest of the kernel through a specific interface that allows the kernel to deal with all devices in a uniform way, regardless of their underlying implementations.

The kernel consists of logical subsystems that provide various functionality. Even though the kernel is the only executable program, the various services it provides can be separated and combined into different logical components. These components interact to provide specific functionality. The kernel consists of the following logical subsystems:

  • File and I/O subsystem: This subsystem implements functions related to file system objects. The implemented functions include those that allow a process to create, maintain, interact with, and delete file system objects. These objects include regular files, directories, symbolic links, hard links, device-special files, named pipes, and sockets.
  • Process subsystem: This subsystem implements functions related to process control and thread control. The implemented functions allow creating, scheduling, executing, and deleting process and thread subjects.
  • Memory subsystem: This subsystem implements functions related to managing the system's memory resources. The implemented functions include those that create and manage virtual memory, including managing paging algorithms and page tables.
  • Network subsystem: This subsystem implements UNIX and Internet domain sockets, as well as the algorithms used to schedule network packets.
  • IPC subsystem: This subsystem implements functions related to IPC mechanisms. The implemented functions include those that facilitate the controlled exchange of information between processes, allowing them to share data and synchronize their execution when interacting with a shared resource.
  • Kernel module subsystem: This subsystem implements the infrastructure to support loadable modules. The implemented functions include loading, initializing, and unloading kernel modules.
  • Linux security extensions: The Linux security extensions implement various aspects of security that are provided throughout the kernel, including the Linux Security Module (LSM) framework. The LSM framework serves as the basis for modules that implement various security policies, including SELinux. SELinux is an important logical subsystem; it implements the mandatory access control functions that mediate access between all subjects and objects.
  • Device driver subsystem: This subsystem implements support for various hardware and software devices through a common, device-independent interface.
  • Audit subsystem: This subsystem implements functions related to recording security-critical events in the system. The implemented functions include those that intercept each system call to record security-critical events and those that implement the collection and recording of audit data.
  • KVM subsystem: This subsystem implements virtual machine life-cycle maintenance. It performs instruction completion for instructions that require only minor checks. For any other instruction completion, KVM invokes the user-space QEMU component.
  • Crypto API: This subsystem provides a kernel-internal cryptographic library for all kernel components. It provides cryptographic primitives to callers.

The kernel is the core of the operating system. It interacts directly with the hardware, implements resource sharing, provides common services for applications, and prevents applications from directly accessing hardware-dependent functions. The services provided by the kernel include:

1. Management of the execution of processes, including their creation, termination or suspension, and interprocess data exchange. This includes:

  • Fair scheduling of processes for execution on the CPU.
  • Sharing of the CPU among processes in time-sharing mode.
  • Process execution on the CPU.
  • Suspension of a process by the kernel after its time quantum has elapsed.
  • Allocation of kernel time to execute another process.
  • Rescheduling of kernel time to execute a suspended process.
  • Management of process security-related metadata such as UIDs, GIDs, SELinux labels and capabilities.
2. Allocation of main memory for the running process. This operation includes:
  • Permission granted by the kernel to processes to share a portion of their address space under certain conditions; in doing so, however, the kernel protects each process's own address space from outside interference.
  • If the system is low on free memory, the kernel frees memory by temporarily writing the process out to secondary memory or the swap partition.
  • Coordinated interaction with the machine's hardware to establish the mapping of virtual addresses to physical addresses, i.e. between compiler-generated addresses and physical addresses.
3. Virtual machine life-cycle maintenance, which includes:
  • Setting the resource limits configured by the emulation application for the given virtual machine.
  • Launching the virtual machine's program code for execution.
  • Handling virtual machine exits, either by completing the instruction itself or by deferring instruction completion to the user-space emulator.
4. Maintenance of the file system. This includes:
  • Allocation of secondary storage for efficient storage and retrieval of user data.
  • Allocation of secondary storage for user files.
  • Reclamation of unused storage space.
  • Organization of the file system structure (using clear structuring principles).
  • Protection of user files from unauthorized access.
  • Organization of controlled access by processes to peripherals such as terminals, tape drives, disk drives, and network devices.
  • Organization of controlled access by subjects to objects, enforced according to the DAC policy and any other policy implemented by the loaded LSM.

The Linux kernel is a type of OS kernel that implements preemptive scheduling. In kernels without this capability, execution of kernel code continues until completion, i.e. the scheduler cannot reschedule a task while it is in the kernel. Kernel code is instead scheduled cooperatively, without preemption, and runs until it terminates and returns to user space, or until it explicitly blocks. In preemptive kernels, a task can be preempted at any point, as long as the kernel is in a state in which it is safe to reschedule.

In this topic, I will try to compile a development manual normative documentation in the field of information security for a commercial structure, based on personal experience and materials from the web.

Here you can find answers to questions:

  • why an information security policy is needed;
  • how to compose it;
  • how to use it.

The need for an information security policy
This section describes the need to implement the information security policy and its accompanying documents not in the beautiful language of textbooks and standards, but using examples from personal experience.
Understanding the goals and objectives of the information security department
First of all, the policy is necessary in order to convey to the business the goals and objectives of the company's information security. A business should understand that a security officer is not only a tool for investigating data leaks, but also an assistant in minimizing company risks, and, consequently, in increasing company profitability.
Policy requirements are the basis for implementing safeguards
The information security policy is necessary to justify the introduction of protective measures in the company. The policy must be approved by the company's highest administrative body (general director, board of directors, etc.).

Any safeguard is a compromise between risk reduction and user convenience. When a security officer says that a process must not be carried out in a certain way because it creates risks, he is always asked a reasonable question: "Then how should it be done?" The security officer needs to propose a process model in which these risks are reduced to a level that is acceptable to the business.

At the same time, any protective measure that affects how users interact with the company's information systems always provokes a negative reaction from users. They do not want to be retrained, to read the instructions written for them, and so on. Very often users ask reasonable questions:

  • why should I work according to the scheme you invented, and not in the simple way I have always used?
  • who came up with all this?
Practice has shown that the user does not care about the risks; you can lecture him at length and tediously about hackers, the criminal code and so on, and nothing will come of it but wasted nerve cells.
If the company has an information security policy, you can give a short and clear answer:
"this measure was introduced to comply with the requirements of the company's information security policy, which was approved by the company's highest administrative body"

As a rule, after this the energy of most users comes to naught. The rest can be offered to write a memo to this very highest administrative body of the company. Here the rest drop out too, because even if the memo gets there, we can always prove the need for the measures taken to management. We do not eat our bread in vain, right? There are two things to keep in mind when developing a policy.
  • The target audience of the information security policy is end users and the company's top management, who do not understand complex technical expressions but must be familiar with the provisions of the policy.
  • Do not try to cram everything imaginable into this document! It should contain only the information security goals, the methods for achieving them and responsibility! No technical details that require specialist knowledge; all of that belongs in instructions and regulations.


The final document must meet the following requirements:
  • conciseness: a large document will scare off any user and no one will ever read it (and you will use the phrase "this is a violation of the information security policy you were introduced to" more than once)
  • accessibility to the ordinary layman: the end user must understand WHAT is written in the policy (he will never read or remember words and phrases like "logging", "intruder model", "information security incident", "information infrastructure", "technogenic", "anthropogenic", "risk factor", etc.)
How to achieve this?

In fact, it is very simple: the information security policy should be a first-level document, expanded and supplemented by other documents (regulations and instructions) that describe the specifics.
One can draw an analogy with the state: the first-level document is the constitution, and the doctrines, concepts, laws and other normative acts that exist in the state only supplement and regulate the implementation of its provisions. An approximate scheme is shown in the figure.

Rather than belabor the point, let's simply look at examples of information security policies that can be found on the Internet.

Organization | Useful number of pages* | Terminology load | Overall assessment
--- | --- | --- | ---
OJSC "Gazprombank" | 11 | Very high | 
JSC "Entrepreneurship Development Fund "Damu"" | 14 | High | A complex document for thoughtful reading; the layman will not read it, and if he reads it, he will not understand and will not remember it
JSC NC KazMunayGas | 3 | Low | An easy-to-understand document that is not overloaded with technical terms
JSC "Radiotechnical Institute named after Academician A. L. Mints" | 42 | Very high | A difficult document for thoughtful reading; the layman will not read it, too many pages

* By useful pages I mean the number of pages excluding the table of contents, title page and other pages that carry no specific information

Summary

The information security policy should fit into several pages, be easy to understand for the average person, describe in general terms the goals of information security, methods for achieving them and the responsibility of employees.
Implementation and use of information security policy
After the IS policy is approved, it is necessary to:
  • familiarize all existing employees with the policy;
  • familiarize all new employees with the policy (how to do this is a topic for a separate discussion; we have an introductory course for newcomers, where I present it with explanations);
  • analyze existing business processes in order to identify and minimize risks;
  • take part in the creation of new business processes, so as not to be left chasing a train that has already departed;
  • develop regulations, procedures, instructions and other documents that supplement the policy (instructions for providing Internet access, instructions for providing access to restricted premises, instructions for working with the company's information systems, etc.);
  • review the IS policy and other IS documents at least once a quarter in order to update them.

For questions and suggestions, welcome to the comments and PM.

Question %username%

When it comes to the policy, the bosses don't like what I want to write in simple words. They tell me: "Besides me and you and 10 more IT employees, who themselves know and understand everything, there are two hundred who understand nothing about this, and half of them are pensioners."
I took the path of medium-length descriptions, for example the rules of anti-virus protection, and below I write something like "there is an anti-virus protection policy", etc. But I don't understand: if the user signs for the policy but then again has to read a bunch of other documents, the policy seems to have been shortened, but then again it seems not.

Here I would follow the path of process analysis.
Let's say anti-virus protection. Logically it should be like this.

What risks do viruses pose to us? Violation of the integrity (damage) of information, violation of the availability of information (downtime of servers or PCs). With a properly organized network, the user should not have local administrator rights in the system, that is, he should not have the rights to install software (and, consequently, viruses) into the system. Thus, the pensioners drop out, because they have no business here.

Who can mitigate the risks associated with viruses? Users with domain admin rights. Domain admin is a sensitive role, issued to employees of IT departments, etc. Accordingly, they should install the antiviruses. It turns out that they are also responsible for the operation of the anti-virus system. Accordingly, they must sign the instruction on the organization of anti-virus protection. Actually, this responsibility must be spelled out in the instruction. For example: the security officer sets the rules, the admins execute them.
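
The reply above rests on one checkable condition: ordinary users must not sit in the local Administrators group. As an added example (not part of the original post or the discussion), this PowerShell script audits that condition on a Windows host; the domain name "CORP" and the allowed group names are placeholders.

```powershell
# Added example: report unexpected members of the local Administrators group.
# Assumes a domain-joined Windows host with the Microsoft.PowerShell.LocalAccounts
# module (Windows 10 / Server 2016 and later). Names in the allow-list are placeholders.
param(
    [string[]]$AllowedMembers = @(
        "$env:COMPUTERNAME\Administrator",   # built-in local admin account
        'CORP\Domain Admins',                # placeholder: domain admin group
        'CORP\Workstation Admins'            # placeholder: IT department group
    )
)

# Enumerate current members; each object carries Name, ObjectClass and PrincipalSource.
$members = Get-LocalGroupMember -Group 'Administrators'

$findings = foreach ($m in $members) {
    if ($AllowedMembers -notcontains $m.Name) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Member   = $m.Name
            Type     = $m.ObjectClass        # User or Group
            Source   = $m.PrincipalSource    # Local, ActiveDirectory, ...
            Status   = 'UNEXPECTED'          # not in the allow-list: review and remove
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "$env:COMPUTERNAME: only allow-listed principals are local administrators."
}
```

Running it across a fleet (for example via Invoke-Command) turns the policy statement into a measurable control, and every UNEXPECTED row is a candidate for removal or for an exception recorded in the accompanying instruction.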

Question %username%

Then the question is: shouldn't responsibility for creating and using viruses be included in the anti-virus SI instruction (or is there an article for that, so it need not be mentioned)? Or that they are required to report a virus or strange PC behavior to the Help Desk or IT staff?

Again, I would look at it from the risk management side. It smacks, so to speak, of GOST 18044-2007.
In your case, "strange behavior" is not necessarily a virus. It could be a system slowdown or a gp, etc. Accordingly, this is not an incident but an information security event. Again, according to GOST, any person can report an event, but whether it is an incident or not can be understood only after analysis.

Thus, this question of yours no longer translates into the information security policy but into incident management. Your policy should state that the company must have an incident handling system.

That is, as you can see, the administrative execution of the policy falls mainly on admins and security officers. What remains for users is user-level.

Therefore, you need to draw up some kind of "Procedure for the use of CBT in the company", where you specify the responsibilities of users. This document should correlate with the information security policy and be, so to speak, an explanation for the user.

In this document, you can specify that the user is obliged to notify the appropriate body about abnormal computer activity. Well, everything else user-related can be added there too.

In total, you need to familiarize the user with two documents:

  • the information security policy (so that he understands what is being done and why, does not rock the boat, does not swear when new control systems are introduced, etc.)
  • this "Procedure for the use of CBT in the company" (so that he understands exactly what to do in specific situations)

Accordingly, when implementing a new system, you simply add something to the "Procedure" and notify employees about it by sending it by e-mail (or through the EDMS, if there is one).
