Information security management system “Basic level of information security of telecom operators. Identify a leadership team to take key actions. Advantages of working with Jet Infosystems

Good day, dear readers!
I haven't written on Habr for a long time: there was no time, there was too much work. Now the load has eased and thoughts have taken shape for a new post.

I talked with one of my comrades, a system administrator who had been put in charge of information security in his organization, and he asked me to tell him where to start and where to go from there. I put my thoughts and knowledge in order a little and gave him a rough plan.
Unfortunately, this situation is far from isolated and occurs often. Employers, as a rule, want a jack of all trades (tailor, reaper and piper in one person), and all for one price. I will return later to the question of why information security should not be classed as IT; for now let us consider where to start if this has happened and you have signed up for such an adventure, that is, creating an information security management system (ISMS).

Risk analysis

Almost everything in information security begins with risk analysis; it is the basis and starting point of all security processes. I will give a short primer in this area, since many of the concepts are not obvious and are most often confused.
So there are 3 basic concepts:
  • Risk
  • Probability of realization
  • Vulnerability

Risk is the possibility of incurring losses (monetary, reputational, etc.) as a result of a vulnerability being exploited.
Probability of realization is how likely it is that a given vulnerability will be exploited so that the risk materializes.
A vulnerability is a specific breach in your security system which, with some probability, can do harm, that is, realize a risk.

There are many techniques and different approaches to risk management; I will cover the basics, the rest you will not need at first when forming an ISMS.
All risk management work comes down either to reducing the likelihood of realization or to minimizing the losses from it. Accordingly, risks can be acceptable or unacceptable for the organization. Acceptability is best expressed in specific amounts of loss from realization (even seemingly intangible reputational losses eventually translate into lost profit). Agree with management what amount is their threshold of acceptability and build a gradation (preferably 3-5 levels of loss). Then build a gradation of probability in the same way, and assess each risk by the sum of these two indicators.
After this preparatory work, list the real vulnerabilities of your organization and assess the probability of their exploitation and the resulting losses. You will end up with 2 sets of risks: acceptable and unacceptable. Acceptable risks you simply accept and take no active steps to minimize them (that is, we accept that minimizing these risks would cost us more than the losses from them); for unacceptable risks there are 2 options.

Minimize - reduce the likelihood of occurrence, reduce the possible losses, or even take measures to eliminate the risk (close the vulnerability).
Transfer - shift the concern about the risk to someone else, for example insure the organization against the risk occurring, or hand over the asset at risk (for example, moving servers to a data center, so that uninterrupted power supply and the physical safety of the servers become the data center's responsibility).
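As an added illustration (not code from the original post), here is the scoring method described above applied to a small constructed risk register: loss and probability gradations, a score equal to the sum of the two grades, a threshold agreed with management, and the cost check behind accepting a risk. The band edges, threshold, sample vulnerabilities and control costs are all assumptions made for the example.

```python
"""Risk register scoring in the style described in the post (added example).

Losses and probability are each graded on a 5-level scale, a risk is scored
as the sum of the two grades, and the register is split into acceptable
risks (accepted as-is) and unacceptable ones (to be minimized or transferred).
All scales, thresholds and sample risks are constructed for this example.
"""
from bisect import bisect_left
from dataclasses import dataclass

# Loss bands in currency units, agreed with management (assumed values).
# value <= 10_000 -> grade 1, ..., value > 1_000_000 -> grade 5
LOSS_BAND_EDGES = (10_000, 50_000, 250_000, 1_000_000)
# Probability bands: chance of exploitation within the assessment period.
PROB_BAND_EDGES = (0.05, 0.2, 0.5, 0.8)


def grade(value, edges):
    """Map a raw value onto a 1..len(edges)+1 grade using ascending band edges."""
    return bisect_left(edges, value) + 1


@dataclass
class Risk:
    vulnerability: str
    estimated_loss: float   # loss if the vulnerability is exploited (currency)
    probability: float      # 0..1 chance of exploitation in the period

    @property
    def loss_grade(self) -> int:
        return grade(self.estimated_loss, LOSS_BAND_EDGES)

    @property
    def prob_grade(self) -> int:
        return grade(self.probability, PROB_BAND_EDGES)

    @property
    def score(self) -> int:
        # The post's method: sum of the loss grade and the probability grade (2..10).
        return self.loss_grade + self.prob_grade

    @property
    def expected_loss(self) -> float:
        # Expected loss over the assessment period, used for the acceptance check.
        return self.estimated_loss * self.probability


def classify(risks, acceptable_max_score):
    """Split a register into (acceptable, unacceptable).

    Unacceptable risks are ordered by score, then by loss, highest first,
    so the list reads as a treatment priority.
    """
    acceptable = [r for r in risks if r.score <= acceptable_max_score]
    unacceptable = sorted(
        (r for r in risks if r.score > acceptable_max_score),
        key=lambda r: (r.score, r.estimated_loss),
        reverse=True,
    )
    return acceptable, unacceptable


def worth_minimizing(risk, control_cost):
    """The post's acceptance rule: a risk is worth treating only if the cost
    of the control does not exceed the expected loss it prevents."""
    return control_cost <= risk.expected_loss


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Risk("Shared admin password on the backup server", 300_000, 0.6),
    Risk("No visit log for the server room", 40_000, 0.1),
    Risk("Vendor VPN account with no expiry", 120_000, 0.3),
    Risk("Printed contracts in an unlocked cabinet", 8_000, 0.9),
]

if __name__ == "__main__":
    acceptable, unacceptable = classify(SAMPLE_REGISTER, acceptable_max_score=5)
    print("Accepted (no active treatment):")
    for r in acceptable:
        print(f"  score {r.score}: {r.vulnerability}")
    print("Unacceptable (minimize or transfer), by priority:")
    for r in unacceptable:
        print(f"  score {r.score} (loss L{r.loss_grade}, prob P{r.prob_grade}): "
              f"{r.vulnerability}, expected loss {r.expected_loss:,.0f}")
```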

The scale

First of all, of course, you need to assess the scale of the disaster. I will not touch on protecting personal data: there are already many articles on the subject, with practical recommendations and action plans described more than once.
Let me also remind you that information security is primarily about people, so regulatory documentation is needed. To write it, you first need to understand what should go in it.
There are 3 main documents for information security in this regard:
Information security policy
Your main document, handbook, bible, and other grand titles. It describes all information security procedures and the level of security you maintain in your organization. In other words, it is the ideal picture of security, documented and approved according to all the rules.
A policy should not be dead weight; the document should live and change under the influence of new threats, trends in information security or wishes. In this regard, the policy (as, in principle, any process document) should be reviewed regularly for relevance, at least once a year.
Information security concept
A short extract from the policy describing the basics of your organization's security: no specific processes, but the principles on which the ISMS and security are built.
This is more of a branding document; it should not contain any "sensitive" information and should be open and accessible to everyone. Place it on your website, put it on the information stand, so that customers and visitors can read it or simply see that you care about security and are ready to demonstrate it.
Trade secret regulation (confidential information)
The name in brackets is an alternative title for such a document. By and large, a trade secret is a special case of confidential information, and there are very few differences.
This document must specify the following: how and where the documents making up the trade secret are stored, who is responsible for storing them, what the template of a document containing such information should look like, and what the consequences of disclosing confidential information are (under the law and under internal agreements with management). And, of course, a list of the information that, for your organization, constitutes a trade secret or is confidential.
Under the law, without measures taken to protect confidential information, you do not have any :-) That is, the information itself seems to exist, but it cannot be confidential. Here there is an interesting point: 90% of organizations sign nondisclosure agreements with new employees, but few have taken the measures required by law. At most they have a list of what counts as confidential information.

Audit

To write these documents, or rather to understand what should be in them, you need to audit the current state of information security. Obviously, depending on the organization's activities, geographic distribution, etc., there are many nuances and factors specific to each organization, but several main points are common to all.
Access policy
There are 2 branches: physical access to premises and access to information systems.
Physical access
Describe your access control system: how and when access cards are issued, who decides who has access to which room (provided the room is equipped with an access control system, ACS). Also mention the video surveillance system and the principles behind it (no blind spots in monitored rooms, mandatory coverage of building entrances and exits, coverage of the server room entrance, etc.). Do not forget visitors: if you do not have a general reception (and even if you do), specify how visitors enter the controlled area (temporary passes, escorts).
The server room should also have a separate access list with a visit log (easier if an ACS is installed on the server room door and everything is logged automatically).
Access to information systems
Describe the procedure for granting access and, if multi-factor authentication is used, for issuing the additional identifiers. Describe the password policy (password expiration, complexity, number of login attempts, account lockout duration after the attempt limit is exceeded) for every system to which access is granted, unless you have single sign-on everywhere.
Building a network
Where the servers accessible from outside (DMZ) are located and how they are reached from inside and outside. Network segmentation and how it is enforced. Firewalls and which segments they protect (including any inside the network between segments).
Remote access
How it is organized and who has access. Ideally: VPN only, access only with senior management approval and a written justification of need. If third parties (vendors, service personnel, etc.) need access, it is limited in time: the account is issued for a fixed period, after which it is automatically blocked. Naturally, the rights of any remote access account must be limited to the minimum.
Incidents
How they are handled, who is responsible and how the incident management and problem management process is structured (if there is one, of course). I already had a post on working with incidents: habrahabr.ru/post/154405, you can read more there.
Also identify the trends in your organization: which incidents occur most often and which are most harmful (downtime, direct loss of property or money, reputational damage). This will help with risk control and risk analysis.
Assets
Here assets means everything that requires protection: servers, information on paper or removable media, computer hard drives and so on. If an asset contains "sensitive" information, it should be labeled accordingly and there should be a list of actions allowed and prohibited with that asset, such as transfer to third parties, transfer by e-mail within the organization, public posting within the organization, etc.

Training

A point that many forget. Employees need to be taught security measures. It is not enough to have them sign that they have read the instructions and policies; 90% will not read them but simply sign to be left alone. I also wrote a post about training: habrahabr.ru/post/154031. It contains the main points that matter in training and which you should not forget. Beyond the training itself, such events are useful for communication between employees and the security officer (a beautiful title, I really like it :-). You can learn about minor incidents, wishes and even problems that you would hardly hear about in the normal work rhythm.

Conclusion

That is probably all I wanted to tell beginners in the field of information security. I understand that with such a post I may deprive some of my colleagues of work, since a potential employer will simply assign these duties to the administrator, but I will also protect many organizations from integrator-scammers who like to extract money for audits and write multi-page pamphlets about nothing, passing them off as regulatory documents (http://habrahabr.ru/post/153581/).
Next time I will try to write about organizing the information security service as such.

P.S. If you downvote, please comment so that I do not make the same mistakes in future.

Jet Infosystems implements complex projects for building and implementing effective information security management systems (ISMS). Projects include analysis, development and implementation of information security management processes. The implemented systems meet both business requirements and the requirements of international standards and best practices. As a result, they bring not only a marketing effect but also allow the customer to optimize the IS budget, increase the transparency of IS for the business, and raise the level of security and customer maturity.

Problem

Companies use a variety of information security measures to protect important information; however, using even the most modern and expensive tools does not guarantee their effectiveness and can lead to unjustified spending on information security. A large number of measures and tools complicates the management process. Often, the mechanisms for monitoring and analyzing the operation of the information security system and adjusting it on an ongoing basis are not well enough tuned.

The lack of formalized processes for managing and ensuring information security increases operating costs. Without an organizational approach, every emerging issue is resolved individually, and the handling varies from case to case.

Solution

The ISMS is part of the overall information security system. One of its main components is the information security risk management process. Its results make it possible to develop options for treating unacceptable risks and to implement economically justified information security measures. Planning the implementation of the selected measures allows the costs of information security to be distributed over both the short and the long term.

Within the ISMS, a number of processes for managing and ensuring information security are created and/or described, which structures these processes and ensures their reproducibility. When building it, senior management and representatives of the customer's business units must be involved in order to identify their expectations of the system.

Since the convenience of the IS management and maintenance system for those who operate it determines how effectively it works, Jet Infosystems specialists pay special attention to building and subsequently debugging the ISMS processes. The company's existing processes, their characteristics and maturity levels, as well as its corporate culture, are always taken into account. Particular attention is paid to training the employees involved in running the system, to the distribution of responsibilities, and to organizing an internal competence center for information security management and maintenance. As a result, the implemented processes become an integral part of the company, working towards the set goals, rather than remaining "a folder of papers lying in a closet."

Jet Infosystems provides a wide range of services in the field of information security management and maintenance:

Development and implementation of an ISMS based on the ISO/IEC 27001 standard

The development and implementation of the main IS management processes takes into account the customer's organizational structure and specifics. In addition, key employees are trained to work with the ISMS, and consulting support is provided.

Development and implementation of individual information security management and assurance processes

Individual processes for managing and ensuring information security (for example, risk management, incident management, internal audits, etc.) are developed and implemented in accordance with the requirements of international and Russian information security standards (ISO/IEC 27001:2005, ISO/IEC 27002:2005, ISO/IEC 27005:2008, PCI DSS, STO BR IBBS-1.0, etc.), as well as best practices in this area.

Consultants can draw up a schedule for the sequential implementation of information security management processes with a view to their later integration into a single ISMS.

Preparation for certification of compliance with the international standard ISO/IEC 27001

Preparation for certification includes a preliminary analysis of compliance with ISO/IEC 27001, elimination of the identified nonconformities, and bringing the ISMS into compliance with the standard. The certification audit is carried out by an accredited certification body.

Jet Infosystems supports customers during audits and helps eliminate the identified nonconformities.

Support of the developed ISMS or individual processes

Jet Infosystems carries out:

  • preparation of the customer's ISMS for surveillance audits: an express survey and determination of the work needed to pass the certification body's surveillance audit;
  • completion or execution of specific ISMS processes, for example the annual information security risk analysis or internal information security audits.

Advantages of working with Jet Infosystems:

  • a systematic approach and a unique in-house methodology that allow processes for ensuring and managing information security to be developed and implemented quickly and efficiently;
  • a close-knit project team of certified specialists capable of solving the most complex problems;
  • the company's consultants are management system trainers at BSI MS and take part in audits;
  • the main working principle is "every company is unique": the information security needs of each client are determined, and solutions are proposed that ensure real security of information, not just formal compliance with requirements (legislation, partners, counterparties, industry, etc.) and contracts.

Benefits

Implementation of IS management and maintenance procedures allows:

  • optimize and justify the costs of information security;
  • increase the effectiveness of information security by making all information security measures comprehensive, interconnected, efficient and transparent;
  • ensure that the level of IS complies with legislative, industry and internal corporate requirements as well as business goals;
  • reduce operating costs by formalizing and standardizing information security management processes;
  • increase the trust of the company's partners and customers by demonstrating a high level of information security maturity.

In addition, the implementation and certification of an ISMS allows:

  • increase the company's capitalization and share value;
  • raise the company's international ratings, which are necessary to attract foreign investment and enter international markets;
  • protect investment.

Experience

Jet Infosystems specialists have the most extensive experience in the CIS in building ISMSs and individual information security management processes, including information security risk management, information security incident management and vulnerability management.

Five large projects for building an ISMS and then preparing it for certification against ISO/IEC 27001:2005 have been successfully completed at the following companies:

  • OJSC "Interregional Transit Telecom"
  • OJSC ROSNO
  • Information Security Center LLC
  • Askari Bank (Pakistan)
  • LLC "ELDORADO"

In addition, more than 30 projects have been completed to build individual IS management processes, support ISMSs and prepare them for surveillance audits by the certification body.

Information security is one of the most important aspects of implementing an information system (IS). On the one hand, informatization of management provides it with invaluable support; on the other hand, management becomes directly dependent on the level of information security of the IS.

Information security means the protection of information and its supporting infrastructure from accidental or deliberate influences (attacks) that can harm the owners or users of the information and supporting infrastructure.

The objects of attack can be the technical means themselves, which are material objects, as well as software and databases.

Information security management is a complex process that includes a number of technical, organizational and legal measures, which must be set out in the corporate security policy.

Technical measures include:

· protection against unauthorized access to the system,
· redundancy of especially important supporting subsystems,
· organization of computer networks with the ability to redistribute resources if individual links fail,
· installation of fire detection and extinguishing equipment,
· structural protection measures against theft, sabotage, subversion and explosions,
· installation of backup power supply systems,
· equipping premises with locks,
· physical separation of personnel access to premises,
· installation of alarm systems, etc.

Organizational measures include:

· protection of information systems,
· careful selection of personnel,
· no particularly important work performed by a single person alone,
· availability of a plan to restore the system after a failure,
· maintenance of the computer installation by an outside organization or persons who have no interest in concealing the facts of its malfunction,
· uniform application of protections to all users (including top management),
· separation of powers in data access,
· assignment of responsibility to the persons who must ensure the safe operation of the computer installation.

Legal measures include developing norms establishing liability for computer crimes, protecting copyright, and improving legislation in the field of information technology.

The international standard ISO/IEC 27001:2005 "Information technology. Security techniques. Information security management systems. Requirements" is gaining popularity for building corporate information security management systems (ISMS); under it, companies can formalize and structure information security management processes in the following areas:

· development of the information security policy and organization of information security,
· management of the company's internal assets and resources, which form the basis of its key business processes,
· protection of personnel and reduction of internal threats to the company,
· physical and environmental security in the company,
· management of communications and equipment operation,
· development and maintenance of hardware and software systems,
· management of business continuity in the company,
· compliance with legal security regulations.

There are a number of generally accepted techniques that help manage information security effectively: the well-known and widely used Microsoft Threat Modeling Methodology, the DREAD risk assessment method, and the STRIDE model for categorizing threats (http://msdn.microsoft.com/ru-ru/magazine/cc700352.aspx).

IBM's Method for Architecting Secure Solutions (MASS) methodology helps identify security issues, build a robust architecture and develop a sound security policy (www.redbooks.ibm.com).

Among the well-known and popular techniques, the ISS approach to information security, called ADDME, which consists of 5 stages, should be mentioned.

Stage 1 - assess. At this stage all of the organization's resources are identified and inventoried, and a risk assessment is carried out, along with a vulnerability assessment, a penetration assessment and a threat assessment.

Stage 2 - design. At this stage the organization's security policy is developed, along with principles for assessing the effectiveness of the measures proposed in it (legislative, organizational, software and technical). This takes into account the data collected at the first stage about users, available network devices, the location of critical information resources, etc.

Stage 3 - deploy. Within this stage, protective tools are installed, integrated and tested within the adopted information processing technology, and users are trained in the requirements of the security policy and the rules for operating the installed tools.

Stage 4 - manage and support (operation). At this stage the effectiveness of the measures taken and their compliance with the security policy are assessed. When incidents violating the policy occur, the incident response plan developed at the second stage is executed and, as a result, some provisions of the security policy are revised. Changes in information processing technology, the emergence of new protection technologies, etc. are also triggers for revising the developed documents.

Stage 5 - educate. Training is an ongoing process carried out at all stages of building an integrated information security system. All employees of the organization take part: operators, administrators, managers, etc.

In an ideal company, the information security management process is proactive (preventive and ongoing).

Information security can only be effective if it is closely tied to business security and business needs.
Every process within an IT organization must address security. Security is not an autonomous activity; it is the thread running through all the processes of the service provider.
The management of the organization is fully responsible for the organization's information. Management is responsible for answering all questions that affect the protection of information. The board of directors must make information security an integral part of corporate governance.
Permissions

The information security management process and framework typically includes:
- Information security policy, supported by a subset of policies dealing with aspects from strategy, control and regulation
- Information Security Management System
- an overarching security strategy closely linked to business objectives, strategies and plans

The security model must also include an effective organizational structure.
Security is not the responsibility of one person; it needs to be addressed in role profiles at all levels of the organization.
Security management is needed to maintain the policy and manage security risks.
Finally, the security framework should consider and include:
- Monitoring the process to ensure compliance and provide feedback on performance
- Strategy and plan for security-related communications
- Training, and strategies and plans to ensure that all staff know their responsibilities.

Information security policy

Information security management activities should be focused on and governed by the Information Security Policy.
The information security policy should have the full support of top IT management and, ideally, the support and commitment of the business's top executive.
This policy should cover all areas of security, be adequate and meet the needs of the business.
The information security policy should be widely available to all customers and users.
This policy must be approved by senior business and IT leadership.

All security policies should be reviewed at least annually, and whenever necessary.

Information Security Management System

An information security management system is a framework of policies, processes, standards, guidelines and tools that ensures an organization achieves its objectives in Information Security Management.

The information security management system provides the basis for developing cost-effective information security programs that support business objectives.
The system should take into account more than just technology.

The 4Ps technique (People, Processes, Products and Partners) can be used to ensure a high level of security in all areas.

ISO 27001 is a formal standard that can provide independent certification of an Information Security Management System. Organizations can seek certification to prove they meet security requirements.

An information security management system includes the organizational structure for developing, implementing, managing, maintaining, and enforcing information security and management processes systematically and consistently throughout the organization.

The diagram below shows an approach to information security management systems. This approach is widely used and is based on advice and recommendations described in sources including ISO 27001.

Control

Information Security Control is the first sub-process of Information Security Management and concerns organization and process management. It includes a structured Information Security Management approach describing the following sub-processes: formulating Security Plans, implementing them, evaluating the implementation, and incorporating the evaluation into the annual Security Plans (action plans). It also describes the reports provided to the customer through the Service Level Management Process.
This activity defines sub-processes, security functions, roles and responsibilities. It also describes the organizational structure, reporting system and management flows (who instructs whom, who does what, how progress is reported). The following measures from the code of practice for Information Security Management are implemented as part of this activity.

Internal rules of work (policy):
- development and implementation of internal rules of work (policy), links with other rules;
- goals, general principles and significance;
- description of subprocesses;
- distribution of functions and responsibilities by sub-processes;
- links with other ITIL processes and their management;
- general responsibility of the personnel;
- handling of security incidents.

Organization of information security:
- organizational chart of management;
- management structure (organizational structure);
- a more detailed distribution of responsibilities;
- establishment of the Information Security Steering Committee;
- coordination of information security;
- agreement on tools (e.g. for risk analysis and awareness raising);
- a description of the authorization process for IT facilities in consultation with the customer;
- expert advice;
- cooperation between organizations, internal and external interaction;
- independent audit of information systems;
- principles of security when accessing information by third parties;
- information security in contracts with third parties.

Planning

The planning sub-process comes down to defining the content of the security section of the SLA, with the participation of the Service Level Management Process, and describing the security-related activities carried out under the External Agreements. The tasks defined in general terms in the SLA are detailed and specified in the form of an Operational Level Agreement (OLA). The OLA can be seen as a Security Plan for the service provider's organizational structure and as a specific Security Plan, for example, for each IT platform, application and network.

The inputs to the planning sub-process are not only the provisions of the SLA but also the principles of the service provider's security policy (from the control sub-process). Examples of these principles are: "Each user must be uniquely identified"; "Baseline security is always available for all customers."

Operational Level Agreements (OLA) for information security (specific Security Plans) are developed and implemented using normal procedures. This means that if these activities become necessary in other processes, coordination with those processes is required. All necessary changes to the IT infrastructure are carried out by the Change Management Process using the input provided by the Information Security Management Process. The Process Manager is responsible for the Change Management Process.
The planning sub-process is coordinated with the Service Level Management Process to define the content of the security section of the SLA, update it, and ensure compliance with it. The head of the Service Level Management Process is responsible for this coordination.

Security requirements should be defined in the SLA, where possible in measurable terms. The security section of the SLA should ensure that all customer security requirements and standards can be monitored.

Implementation

The task of the implementation sub-process is to carry out all the activities identified in the plans. The sub-process can be supported by the following checklist of actions.

Classification and management of IT resources:
- providing input to keep the Configuration Items (CIs) in the CMDB up to date;
- classification of IT resources in accordance with the agreed principles.

Personnel security:
- tasks and responsibilities stated in job descriptions;
- screening of personnel;
- confidentiality agreements for staff;
- training;
- guidance for personnel on reporting and handling security incidents and on fixing detected security weaknesses;
- disciplinary measures;
- raising security awareness.

Security Management:
- introduction of types of responsibility and distribution of responsibilities;
- written work instructions;
- internal rules;
- security measures should cover the entire life cycle of systems; there should be security guides for system development, testing, acceptance, operational use, maintenance and removal from the operating environment;
- separation of the development and testing environment from the operational (production) environment;
- incident handling procedures (implemented by the Incident Management Process);
- use of recovery tools;
- providing input information for the Change Management Process;
- implementation of virus protection measures;
- implementation of management methods for computers, applications, networks and network services;
- correct handling and protection of data carriers.

Access control:
- implementation of the access policy and of access controls;
- maintenance of the access privileges of users and applications to networks, network services, computers and applications;
- maintenance of network protection barriers (firewalls, dial-in access services, bridges and routers);
- implementation of identification and authentication methods for computer systems, workstations and PCs on the network.

Assessment

An independent assessment of the implementation of the planned activities is essential. The assessment is needed to determine their effectiveness, and it is also required by customers and third parties. The results of the evaluation sub-process can be used to adjust the measures agreed with the customer, as well as their implementation. Where the assessment leads to proposed changes, a Request for Change (RFC) is drawn up and passed to the Change Management Process.
There are three types of assessment:
- self-assessment: carried out primarily by the line departments of the organization;
- internal audit: carried out by internal IT auditors;
- external audit: carried out by external IT auditors.
Unlike self-assessment, audits are not performed by the same staff who are involved in the other sub-processes. This is necessary to ensure segregation of duties. An audit may be carried out by the internal audit department.
Evaluation is also carried out in response to incidents.
The main activities are:
- verification of compliance with security policy and implementation of Security Plans;
- conducting an audit of the security of IT systems;
- identifying and taking measures for inappropriate use of IT resources;
- verification of security aspects in other types of IT audits.

Support

Because risks change as the IT infrastructure, the company and its business processes change, the security measures need proper maintenance. Maintenance of security covers the security sections of the SLAs and the detailed Security Plans (at the level of the Operational Level Agreements).
The security arrangements are kept effective on the basis of the results of the evaluation sub-process and an analysis of how the risks have changed. Proposals can be implemented either within the planning sub-process or as part of maintaining the SLA as a whole. In either case the proposals may lead to additional initiatives being included in the annual Security Plan. Any change is processed through the normal Change Management Process.

The objectives of maintenance are to improve the security arrangements specified in the service level agreements and operational level agreements, and to improve the implementation of the security and control measures.

Maintenance should follow a Plan-Do-Check-Act cycle, the formal approach proposed by ISO/IEC 27001 for establishing an Information Security Management System. This is detailed in Continual Service Improvement (CSI).

When properly implemented, information security management should produce six main outcomes. The full list of outcomes and what each entails follows.

Strategic alignment:
o Security requirements are driven by enterprise requirements
o Security solutions fit the enterprise processes
o Investment in information security is aligned with the enterprise strategy and the agreed risk profile

Value delivery:
o A standard set of security practices, i.e. baseline security requirements that are complied with
o Priorities and effort correctly allocated to the areas of greatest impact and business benefit
o Institutionalized and commoditized solutions
o Comprehensive solutions covering the organization, the processes and the technology, and a culture of continuous improvement

Risk management:
o An agreed risk profile
o Understanding of the exposure to risk
o Awareness of risk management priorities
o Risk mitigation
o Risk acceptance / deference

Performance management:
o A defined and agreed set of metrics
o A defined measurement process that helps identify gaps and provides feedback on progress in resolving issues
o Independent assurance
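Both the planning sub-process (security requirements in the SLA "in measurable terms", so that they can be monitored) and the performance-management outcome above (a defined set of metrics and a measurement process that identifies gaps) come down to the same mechanical step: take the clauses of the security section of the SLA, measure them over operational records, and flag the ones that are not met. The following is an added example, not code from the page or from the ITIL publications it paraphrases. The record schema, the field names, the timestamps and the two SLA clauses are all constructed for the illustration; real clauses and records will differ.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class SlaTarget:
    """One measurable clause of the SLA security section (hypothetical schema)."""
    name: str
    start_field: str      # record key at which the clock starts
    end_field: str        # record key at which the clock stops
    max_hours: float      # each record must complete within this many hours ...
    min_pct: float        # ... for at least this percentage of records in scope
    severity: Optional[str] = None  # if set, only records of this severity count


# Constructed sample records (hypothetical, not taken from the page).
# Timestamps are ISO 8601; an open incident has no "acknowledged" field.
RECORDS = [
    {"kind": "incident", "severity": "critical", "reported": "2024-03-01T08:00",
     "acknowledged": "2024-03-01T08:40"},
    {"kind": "incident", "severity": "critical", "reported": "2024-03-02T22:10",
     "acknowledged": "2024-03-03T00:30"},              # 2 h 20 min: breaches a 1 h target
    {"kind": "incident", "severity": "critical", "reported": "2024-03-05T13:00",
     "acknowledged": "2024-03-05T13:15"},
    {"kind": "incident", "severity": "critical", "reported": "2024-03-06T09:00"},  # still open
    {"kind": "incident", "severity": "low", "reported": "2024-03-05T13:00",
     "acknowledged": "2024-03-07T13:15"},              # out of scope for a critical-only clause
    {"kind": "patch", "severity": "critical", "published": "2024-03-10T00:00",
     "applied": "2024-03-11T10:00"},                   # 34 h
    {"kind": "patch", "severity": "critical", "published": "2024-03-12T00:00",
     "applied": "2024-03-12T20:00"},                   # 20 h
    {"kind": "patch", "severity": "critical", "published": "2024-03-14T00:00",
     "applied": "2024-03-16T09:00"},                   # 57 h
]

# Hypothetical SLA clauses, written as measurable targets.
TARGETS = [
    SlaTarget("critical incidents acknowledged within 1 h", "reported", "acknowledged",
              max_hours=1.0, min_pct=95.0, severity="critical"),
    SlaTarget("critical patches applied within 72 h", "published", "applied",
              max_hours=72.0, min_pct=90.0, severity="critical"),
]


def _elapsed_hours(record, start_field, end_field):
    """Hours between the two timestamps, or None if the record is still open."""
    if end_field not in record:
        return None
    t0 = datetime.fromisoformat(record[start_field])
    t1 = datetime.fromisoformat(record[end_field])
    return (t1 - t0).total_seconds() / 3600.0


def evaluate(records, target):
    """Measure one SLA clause over the records.

    A record is in scope if it carries the clause's start field and matches
    the severity filter. Open records (no end field) count against the
    target: an unacknowledged incident has not met its deadline. A clause
    with no records in scope is reported as non-compliant, because the
    SLA requires the clause to be monitorable and here it is not.
    """
    in_scope = [r for r in records
                if target.start_field in r
                and (target.severity is None or r.get("severity") == target.severity)]
    durations = [_elapsed_hours(r, target.start_field, target.end_field) for r in in_scope]
    closed = [d for d in durations if d is not None]
    within = sum(1 for d in closed if d <= target.max_hours)
    pct = 100.0 * within / len(in_scope) if in_scope else 0.0
    return {
        "name": target.name,
        "total": len(in_scope),
        "open": len(in_scope) - len(closed),
        "within": within,
        "pct": round(pct, 1),
        "worst_hours": round(max(closed), 1) if closed else None,
        "compliant": bool(in_scope) and pct >= target.min_pct,
    }


def sla_report(records, targets):
    """Evaluate every clause; the gaps are the rows with compliant == False."""
    return [evaluate(records, t) for t in targets]


if __name__ == "__main__":
    for row in sla_report(RECORDS, TARGETS):
        status = "OK " if row["compliant"] else "GAP"
        print(f"{status} {row['name']}: {row['within']}/{row['total']} within target "
              f"({row['pct']}%), {row['open']} open, worst {row['worst_hours']} h")
```

On the constructed data the incident clause is reported as a gap (2 of 4 critical incidents acknowledged in time, one still open) and the patch clause as met (3 of 3 within 72 h). The two design choices worth copying are that open records count as breaches rather than being silently dropped, and that a clause with nothing in scope is treated as a monitoring failure rather than as trivially met.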

Resource management:
o Knowledge captured and available
o Documented security processes and practices
o A security architecture designed for efficient use of infrastructure resources
o Support for the business processes

VOLUNTARY CERTIFICATION SYSTEM

"COMMUNICATION - EFFICIENCY"

ROSS RU.М821.04FBG0

Information Security Management System " A basic level of information security of telecom operators "

Requirements, program and method of certification tests

Contents

1 Introduction
2 Scope
4.2 Requirements for operator policies
4.3 Functionality requirements
4.4 Interoperability requirements
5 Certification test program
5.1 Test object
5.2 Test objective
6 Methodology for conducting certification tests
6.1 Test conditions
6.2 Test method

1. Introduction

The Requirements for the Information Security Management System "Basic level of information security of telecom operators" (hereinafter the Requirements) define a baseline level of information security against which each operator can assess the state of its network and information security, taking into account which security standards are relevant, which of them should be used, when they should be used and how they should be applied. The Requirements also describe the operator's willingness and ability to interact with other operators, with users and with law enforcement agencies in jointly countering information security threats.

The Requirements represent a minimum set of recommendations whose implementation is intended to provide a sufficient level of information security for communication services while keeping a balance between the interests of operators, users and the regulator.

The program and methodology define all types, conditions, scope and methods of certification tests of the basic level of information security of telecom operators.

This document can be used in cases where the telecom operator:

    needs to demonstrate its ability to provide communication services that meet the established requirements;

    aims to demonstrate to the interacting telecom operators the ability and readiness, together with them, to resist threats to information security.

2 Scope

These Requirements, the program and the methodology are developed in accordance with the Regulation on the Voluntary Certification System "Communication - Efficiency" and are based on Supplement 2 to the ITU-T X-series Recommendations, "ITU-T X.800-X.849 series - Supplement on the basic level of information security of telecom operators" (security baseline for network operators).

      These Requirements, the program and the methodology are developed for the voluntary certification system and are intended for telecom operators, certification centers and laboratories when conducting voluntary certification of the Information Security Management System "Basic level of information security of telecom operators" in the "Communication - Efficiency" voluntary certification system.

3 Normative references, definitions and abbreviations

3.1. In these Requirements, the program and methodology, references to the following regulatory documents are used:

Federal Law of July 27, 2006 No. 149-FZ "On information, information technologies and information protection".

    Information Security Doctrine of the Russian Federation dated September 09, 2000 No. Pr-1895.

    Rules for the connection of telecommunication networks and their interaction (approved by the Decree of the Government of the Russian Federation of March 28, 2005, N 161).

GOST R 50739-95 Computer facilities. Protection against unauthorized access to information. General technical requirements.

    GOST R 52448-2005 Information security. Ensuring the security of telecommunication networks. General Provisions.

GOST R ISO/IEC 15408-2002 Information technology. Security techniques. Evaluation criteria for IT security.

GOST R ISO/IEC 27001-2006 Information technology. Security techniques. Information security management systems. Requirements.

OST 45.127-99 Information security system of the Interconnected Communication Network of the Russian Federation. Terms and definitions.

Supplement 2 to the ITU-T X-series Recommendations, "ITU-T X.800-X.849 series - Supplement on the basic level of information security of telecom operators" (security baseline for network operators).

3.2. In these Requirements, the program and methodology, the terms corresponding to the definitions of the Federal Law "On Communications" are used, and the following terms and abbreviations are additionally defined:

Account - the personal account of a user of an information system, of equipment or of software, comprising the user name (login), the user's secret credentials (password) and any other information required to gain access.

Antivirus software - special software designed to detect and deactivate (block) malicious software code specially designed to violate the integrity, availability and confidentiality of data.

Denial of service attack - deliberate impact on the information system or equipment in order to create conditions under which legitimate users cannot access the resources provided by the system or equipment, or such access will be difficult.

Communication operator information security - the state of protection of the information resources of the telecom operator and the infrastructure supporting them from accidental or intentional influences of a natural or artificial nature, fraught with damage to the telecom operator, users of communication services, and characterized by the ability to ensure confidentiality, integrity and availability of information during its storage, processing and transmission.

License agreement - an agreement between the owner of the software and the user of a copy of it.

Telecom operator - a legal entity or an individual entrepreneur providing communication services on the basis of the appropriate license.

Provider security policy - the set of documented security policies, procedures, practices or guidelines to be followed by the telecom operator.

Service provider - a legal entity engaged in the provision (delivery) of communication services of a certain type to a subscriber and ensuring the coordinated use of network capabilities associated with these services.

Spam - unsolicited correspondence sent in electronic form (as a rule, by e-mail).

Management of risks - the process of identifying, controlling, reducing or completely eliminating (at an acceptable cost) information security risks that can affect the information systems of a telecom operator and the infrastructure that supports them.
