Information Security Management System. The basic level of information security for telecom operators. Risks of threats to the organization's information system. Normative references, definitions and abbreviations

© Vadim Grebennikov, 2018

ISBN 978-5-4493-0690-6

Created by Ridero Intelligent Publishing System

1. Family of information security management standards

1.1. History of the development of information security management standards

Today, the security of the digital space opens a new dimension of national security for every country. Given the role of information as a valuable commodity in business, its protection is clearly necessary. To achieve this, each organization, depending on the (economic) value of its information, requires the development of an information security management system (hereinafter - ISMS) with which it can protect its information assets.

In organizations whose existence depends significantly on information technology (hereinafter referred to as IT), all available data protection tools can be used. However, information security is also needed by consumers, cooperation partners, other organizations and the government. To protect valuable information, therefore, every organization should choose a particular strategy and implement a security system based on it.

The ISMS is part of the overall management system, based on risk assessment and analysis, for the development, implementation, operation, monitoring, review, maintenance and improvement of information security (hereinafter - IS). Its design follows from the organization's goals and requirements, its security requirements, the procedures used, and the size and structure of the organization.

The origin of the principles and rules of information security management began in the UK in the 1980s. In those years, the UK Department of Trade and Industry (DTI) organized a working group to develop a set of best practices for providing information security.

In 1989, DTI published the first standard in this field, PD 0003 "Practical rules for information security management". It was a list of security controls that were considered adequate, normal and good at that time, applicable to both the technology and the environment of that time. PD 0003 was published as a guidance document within the British Standards (BS) system.

In 1995, the British Standards Institution (BSI) adopted the national standard BS 7799-1 "Practical rules for managing information security". It described 10 areas and 127 controls necessary for building an ISMS (Information Security Management System), selected on the basis of the best examples from world practice.

This standard became the progenitor of all international ISMS standards. Like any national standard, BS 7799 enjoyed, let us say, only moderate popularity in the period 1995-2000, and only within the countries of the British Commonwealth.

In 1998, the second part of this standard appeared - BS 7799-2 "ISMS. Specification and application manual", which defined the general model for building an ISMS and a set of mandatory requirements against which certification should be carried out. With the advent of the second part of BS 7799, which defined what an ISMS should be, the active development of a certification system in the field of security management began.

At the end of 1999, experts from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) concluded that no specialized standard for managing information security existed among the current international standards. Accordingly, it was decided not to develop a new standard but, in agreement with BSI, to adopt a corresponding international ISO/IEC standard taking BS 7799-1 as the base.

At the end of 1999, both parts of BS 7799 were revised and harmonized with the international standards ISO/IEC 9001 (quality management systems) and ISO/IEC 14001 (environmental management), and a year later BS 7799-1 was adopted without changes as the international standard ISO/IEC 17799:2000 "Information technology. Practical rules for managing information security."

In 2002, the first part, BS 7799-1 (ISO/IEC 17799), and the second part, BS 7799-2, were updated.

As for official certification against ISO/IEC 17799, it was not initially provided for (in full analogy with BS 7799). Only certification against BS 7799-2 was provided, which contained a number of mandatory requirements (not included in BS 7799-1) and, in an appendix, a list of conditionally mandatory (at the certifier's discretion) most important requirements of BS 7799-1 (ISO/IEC 17799).

In the CIS, the first country to adopt ISO/IEC 17799:2000 as a national standard, in November 2004, was Belarus. Russia introduced this standard only in 2007. On its basis, the Central Bank of the Russian Federation created an IS management standard for the banking sector of the Russian Federation.

Within ISO/IEC, subcommittee No. 27 is responsible for the development of the family of international standards for information security management; therefore, a numbering scheme was adopted for this family using a series of consecutive numbers starting from 27000 (27k).

In 2005, subcommittee SC 27 "IT security techniques" of Joint Technical Committee JTC 1 "Information technology" of ISO/IEC developed ISO/IEC 27001 "IT. Security techniques. ISMS. Requirements", which replaced BS 7799-2; certification is now carried out according to ISO 27001.

In 2005, on the basis of ISO/IEC 17799:2000, ISO/IEC 27002:2005 "IT. Security techniques. Code of practice for information security management" was published.

In early 2006, the new British national standard BS 7799-3 "ISMS. Information security risk management manual" was published; in 2008 it received the status of the international standard ISO/IEC 27005 "IT. Security techniques. IS risk management".

In 2004, the British Standards Institution published ISO/IEC TR 18044 "IT. Security techniques. IS incident management". In 2011, on its basis, the standard ISO/IEC 27035 "IT. Security techniques. IS incident management" was developed.

In 2009, ISO/IEC 27000 "IT. ISMS. General overview and terminology" was published. It provides an overview of information security management systems and defines the relevant terms. Its vocabulary of carefully formulated formal definitions covers most of the specialized IS-related terms used in the standards of the ISO/IEC 27k family.

On September 25, 2013, new versions of the ISO/IEC 27001 and 27002 standards were published. From then on, the ISO/IEC 27k series standards (IS management) are fully integrated with the ISO/IEC 20k series standards (IT service management). All terminology from ISO/IEC 27001 was transferred to ISO/IEC 27000, which defines a common terminology for the entire family of ISO/IEC 27k standards.

1.2. Standard ISO/IEC 27000:2014

The latest update to ISO/IEC 27000 "IT. ISMS. General overview and terminology" took place on January 14, 2014.

The standard consists of the following sections:

- introduction;

- scope of application;

- terms and definitions;

- IS management systems;

- the ISMS family of standards.

Introduction

Overview

International management system standards provide a model for establishing and operating a management system. This model includes the features on which experts have reached agreement on the basis of international experience in this area.

Using the ISMS family of standards, organizations can implement and improve the ISMS and prepare for its independent evaluation, which is used to protect information, such as financial information, intellectual property, personnel information, and information trusted by customers or a third party. These standards can be used by the organization to prepare an independent assessment of its ISMS used to protect information.

ISMS family of standards

The ISMS family of standards, collectively known under the title "Information technology. Security techniques", is intended to help organizations of any type and size in the implementation and operation of an ISMS and consists of the following international standards:

- ISO/IEC 27000 ISMS. General overview and terminology;

- ISO/IEC 27001 ISMS. Requirements;

- ISO/IEC 27002 Code of practice for information security management;

- ISO/IEC 27003 Guidelines for the implementation of the ISMS;

- ISO/IEC 27004 IS management. Measurements;

- ISO/IEC 27005 IS risk management;

- ISO/IEC 27006 Requirements for bodies providing audit and certification of the ISMS;

- ISO/IEC 27007 Guidance on conducting an ISMS audit;

- ISO/IEC TR 27008 Guidance on the audit of IS controls;

- ISO/IEC 27010 IS management for inter-sector and inter-organizational communications;

- ISO/IEC 27011 IS management guidelines for telecommunications organizations based on ISO/IEC 27002;

- ISO/IEC 27013 Guidelines for the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1;

- ISO/IEC 27014 IS governance by senior management;

- ISO/IEC TR 27015 IS management guidelines for financial services;

- ISO/IEC TR 27016 IS management. Organizational economics;

- ISO/IEC 27035 IS incident management (not listed in the standard).

An international standard that does not carry this common title:

- ISO 27799 Health informatics. IS management based on ISO/IEC 27002.

Standard purpose

The standard provides an overview of the ISMS and defines the relevant terms.

The ISMS family of standards contains standards that:

- determine the requirements for the ISMS and certification of such systems;

- include industry guidelines for the ISMS;

- direct the conduct of the ISMS conformity assessment.

1. Scope

The standard provides an overview of the ISMS, as well as the terms and definitions commonly used in the ISMS family of standards. The standard is applicable to all types and sizes of organizations (for example, commercial enterprises, government agencies, non-profit organizations).

2. Terms and definitions

The section contains definitions of 89 terms, for example:

information system - applications, services, IT assets and other information-processing components;

information security (IS) - preservation of the confidentiality, integrity and availability of information;

availability - the property of being accessible and usable on demand by an authorized entity;

confidentiality - the property that information is not made available or disclosed to unauthorized persons;

integrity - the property of accuracy and completeness;

non-repudiation - the ability to prove the occurrence of a claimed event or action and its originating entities;

IS event - an identified state of a system, service or network indicating a possible breach of IS policy or failure of controls, or a previously unknown situation that may be security relevant;

IS incident - one or more IS events that, with a significant probability, compromise business operations and threaten information security;

IS incident management - processes for detecting, reporting, assessing, responding to, dealing with and learning from IS incidents;

management system - a set of interrelated elements of an organization for establishing policies and objectives, and processes to achieve those objectives;

monitoring - determining the status of a system, process or activity;

policy - overall intention and direction as formally expressed by management;

risk - the effect of uncertainty on objectives;

threat - a potential cause of an unwanted incident that may result in harm;

vulnerability - a weakness of an asset or control that can be exploited by one or more threats.

3. IS management systems

The ISMS section consists of the following main points:

- description of the ISMS;

- implementation, monitoring, maintenance and improvement of the ISMS;

- the benefits of introducing the ISMS family of standards.

3.1. Introduction

Organizations of all types and sizes:

- collect, process, store and transmit information;

- recognize that information and related processes, systems, networks and people are important assets to achieve the goals of the organization;

- face a number of risks that may affect the functioning of assets;

- eliminate the perceived risk through the implementation of measures and means of information security.

All information stored and processed by the organization is exposed to threats of attack, error, natural events (for example, fire or flood), etc., and to the vulnerabilities inherent in its use.

Typically, the concept of information security is based on information that is considered as a valuable asset and requires appropriate protection (for example, from the loss of availability, confidentiality and integrity). The ability to receive timely access by authorized persons to accurate and complete information is a catalyst for business efficiency.

Effective protection of information assets by identifying, creating, maintaining and improving information security is a prerequisite for the organization to achieve its goals, as well as maintain and improve legal compliance and reputation. These coordinated actions aimed at introducing appropriate protection measures and handling unacceptable IS risks are well known as elements of IS management.

Since IS risks and the effectiveness of protection measures change with circumstances, the organization should:

- monitor and evaluate the effectiveness of the implemented safeguards and procedures;

- identify emerging risks that need to be treated;

- select, implement and improve appropriate safeguards as necessary.

For the interconnection and coordination of the information security activities of each organization, it is necessary to formulate the information security policy and goals and effectively achieve these goals using a management system.

3.2. Description of the ISMS

The ISMS description covers the following components:

- provisions and principles;

- information;

- information security;

- management;

- management system;

- process approach;

- the importance of the ISMS.

Provisions and principles

An ISMS consists of the policies, procedures, guidelines and associated resources and activities collectively managed by an organization to protect its information assets. The ISMS is a systematic approach to establishing, implementing, operating, monitoring, reviewing, maintaining and improving the organization's information security in order to achieve business goals.

It is based on risk assessment and the organization's acceptable risk levels, and is designed to treat and manage risks effectively. Analysing the protection requirements of information assets and applying appropriate safeguards to ensure the necessary protection of these assets contributes to the successful implementation of the ISMS.

The following key principles contribute to the successful implementation of the ISMS:

- understanding the need for information security;

- assigning responsibility for information security;

- combining management commitment with the interests of stakeholders;

- enhancing societal values;

- risk assessments that determine appropriate safeguards to achieve acceptable levels of risk;

- security as an integral element of information systems and networks;

- active prevention and detection of IS incidents;

- ensuring an integrated approach to IS management;

- continual reassessment and corresponding improvement of information security.

Information

Information is an asset that, along with other important business assets, is important to the organization’s business and therefore needs to be adequately protected. Information can be stored in various forms, including digital form (for example, data files stored on electronic or optical media), tangible form (for example, on paper), as well as in intangible form in the form of employee knowledge.

Information can be transmitted in a variety of ways, including courier, electronic or voice communication. Regardless of the form in which information is presented and in what way it is transmitted, it must be properly protected.

In many organizations, information depends on information and communication technology. This technology is an essential element in any organization and facilitates the creation, processing, storage, transmission, protection and destruction of information.

Information Security

IS includes three main dimensions (properties): confidentiality, availability and integrity. IS involves the application and management of appropriate security measures, taking into account a wide range of threats, in order to ensure long-term success and business continuity and to minimize the impact of IS incidents.

IS is achieved by applying an appropriate set of safeguards identified through a risk management process and managed using the ISMS, including policies, processes, procedures, organizational structures, software and hardware, to protect identified information assets.

These safeguards should be defined, implemented, monitored, tested and, if necessary, improved to ensure that the IS level is consistent with the organization’s business goals. Appropriate IS measures and tools should be organically integrated into the organization’s business processes.

Management

Management includes actions for the management, control and continuous improvement of the organization within the relevant structures. Management activities include actions, methods or practices of the formation, processing, direction, monitoring and control of resources. The size of the managerial structure can vary from one person in small organizations to the managerial hierarchy in large organizations consisting of many people.

Regarding the ISMS, management includes monitoring and developing decisions necessary to achieve business goals by protecting information assets. Information security management is expressed through the formulation and use of information security policies, procedures and recommendations, which are then applied universally in the organization by all persons associated with it.

Management system

The management system uses a combination of resources to achieve the goals of the organization. The organization's management system includes structure, policies, planning, commitments, methods, procedures, processes and resources.

In terms of information security, the management system allows organizations to:

- satisfy the security requirements of customers and other interested parties;

- improve the organization's plans and activities;

- meet the organization's IS objectives;

- comply with regulations, legislation and industry mandates;

- organize the management of information assets so as to facilitate the continuous improvement and adjustment of the organization's current goals.

3.3. Process approach

An organization needs to conduct and manage different types of activities in order to function efficiently and effectively. Any activity that uses resources needs to be managed in order to enable the conversion of inputs to outputs through a combination of interconnected actions - this is also called a process.

The output of one process can directly form the input of the next process, and usually such a transformation takes place in planned and controlled conditions. The use of a process system within an organization along with the identification and interaction of these processes, as well as their management, can be defined as a “process approach”.

Additional Information (not in the standard)

The founder of the process approach to quality management is considered to be the American scientist Walter Shewhart. His book begins by highlighting 3 stages in managing the quality of an organization's results:

1) development of specifications (terms of reference, specifications, criteria for achieving goals) of what is required;

2) production of products that meet the specifications;

3) verification (control) of the manufactured products to assess its compliance with the specification.

Shewhart was one of the first to propose closing the linear sequence of these stages into a cycle, which he identified with the "dynamic process of acquiring knowledge".

After the first cycle, the verification results should serve as the basis for improving the product specification. Then the production process is adjusted based on the revised specification, the new result of the production process is verified again, and so on.

The American scientist Edwards Deming transformed the Shewhart cycle into the form most commonly found today. To move from quality control to quality management, he gave more general names to each of the stages and added a fourth stage, with which he wanted to draw the attention of American managers to the fact that they did not sufficiently analyse the information obtained in the third stage and did not improve the process. That is why this stage is called "Act", and the Shewhart-Deming cycle is accordingly called the "PDCA" or "PDSA" model:

Plan (Planning) - identification and analysis of problems; assessment of opportunities, setting goals and developing plans;

Do (Implementation) - search for solutions to problems and implementation of plans;

Check / Study (Performance assessment) - evaluation of the implementation results and conclusions against the task set;

Act (Improvement) - making decisions based on the findings, correcting and improving the work.

PDCA model for the ISMS

Planning - Implementation - Control - Improvement

1. Planning (development and design): setting the goals, policies, controls, processes and procedures of the ISMS to achieve results consistent with the overall policies and goals of the organization.

2. Implementation (implementation and operation): implementing and applying IS policies, controls, ISMS processes and procedures for assessing and treating IS risks and incidents.

3. Control (monitoring and review): assessing the effectiveness of fulfilling the requirements of the policies and IS objectives and the effectiveness of the ISMS, and notifying senior management of the results.

4. Improvement (maintenance and improvement): carrying out corrective and preventive actions based on the results of the audit and the management review in order to improve the ISMS.

The Shewhart-Deming cycle, more often called the Deming cycle, is commonly used to illustrate the management scheme of any process of activity. With the necessary refinements, it is widely used in international management standards:

- product quality: ISO 9000;

- environmental protection: ISO 14000;

- occupational health and safety: OHSAS 18000;

- IT service management: ISO/IEC 20000;

- food safety: ISO 22000;

- information security: ISO/IEC 27000;

- security: ISO 28000;

- business continuity: ISO 22300;

- risk management: ISO 31000;

- energy management: ISO 50000.

3.4. The importance of the ISMS

An organization should identify the risks associated with information assets. Achieving IS requires risk management and covers physical, human and technological risks related to threats related to all forms of information within the organization or used by the organization.

The adoption of the ISMS is a strategic decision for the organization, and it is necessary that this decision is continuously integrated, evaluated and updated in accordance with the needs of the organization.

The organization’s ISMS design and implementation is influenced by the organization’s needs and goals, security requirements, business processes used, and the size and structure of the organization. The development and functioning of the ISMS should reflect the interests and requirements of information security of all interested parties of the organization, including customers, suppliers, business partners, shareholders and other third parties.

In an interconnected world, information and the related processes, systems and networks are critical assets. Organizations and their information systems and networks face security threats from a wide range of sources, including computer fraud, espionage, sabotage, vandalism, fire and flood. Damage to information systems and networks caused by malware, hackers and DoS attacks has become more widespread, broader and more sophisticated.

The ISMS is important for enterprises in both the public and private sectors. In any industry, the ISMS is a necessary tool to support e-business and is important for risk management activities. The interconnection of public and private networks and the exchange of information assets complicate the management of access to information and its processing.

In addition, the proliferation of mobile storage devices containing information assets may weaken the effectiveness of traditional protection measures. When organizations adopt the ISMS family of standards, the ability to apply consistent and mutually recognized IS principles can be demonstrated to business partners and other interested parties.

IS is not always taken into account when information systems are created and developed. In addition, information security is often regarded as a purely technical problem. However, the IS that can be achieved by technical means is limited and may be ineffective unless it is supported by appropriate management and procedures within the ISMS. Retrofitting security into an already functionally complete information system can be complex and expensive.

The ISMS includes the identification of existing safeguards and requires careful planning and attention to detail. For example, access control measures, which can be technical (logical), physical, administrative (managerial), or a combination of these, ensure that access to information assets is authorized and limited based on business and IS requirements.

The successful implementation of the ISMS is important for protecting information assets, as it allows:

- increase guarantees that information assets are adequately protected on an ongoing basis from IS threats;

- maintain a structured and comprehensive system for assessing IS threats, selecting and applying appropriate protection measures, measuring and improving their effectiveness;

- constantly improve the management environment of the organization;

- effectively comply with legal and regulatory requirements.

3.5. Implementation, monitoring, maintenance and improvement of the ISMS

The implementation, monitoring, maintenance and improvement of the ISMS are the operational stages of the development of the ISMS.

The operational stages of the ISMS are determined by the following components:

- general provisions;

- IS requirements;

- critical success factors for the ISMS.

The operational stages of the ISMS provide the following activities:

- IS risk assessment;

- IS risk treatment;

- selection and implementation of protective measures;

- control and maintenance of the ISMS;

- continuous improvement.

General Provisions

The organization should take the following steps to implement, monitor, maintain and improve its ISMS:

- identification of information assets and the associated IS requirements;

- assessment and treatment of IS risks;

- selection and implementation of appropriate safeguards to manage unacceptable risks;

- monitoring, maintaining and improving the effectiveness of the safeguards associated with the organization's information assets.

To ensure that the ISMS effectively protects the organization’s information assets on an ongoing basis, it is necessary to constantly repeat all steps in order to identify changes in risks or organizational strategies or business goals.

IS requirements

Within the general strategy and business goals of the organization, its size and geographical distribution, IS requirements can be determined as a result of understanding:

- information assets and their values;

- business needs for working with information;

- legal, regulatory and contractual requirements.

A methodical assessment of the risks associated with the organization's information assets includes an analysis of:

- threats to assets;

- asset vulnerabilities;

- the probability of materialization of the threat;

- the possible impact of an IS incident on assets.

The costs of appropriate safeguards should be proportionate to the anticipated business impact of materializing the risk.

IS risk assessment

IS risk management requires an appropriate method of risk assessment and treatment, which may include an assessment of costs and benefits, legal requirements, stakeholder concerns, and other inputs and variables.

Risk assessments should identify, measure and prioritize risks, taking into account the risk acceptance criteria and the organization's objectives. The results will help to develop and make appropriate management decisions on actions and priorities for managing IS risks and for implementing the safeguards selected to protect against these risks.

Risk assessment should include a systematic approach to estimating the magnitude of risks (risk analysis) and the process of comparing the estimated risks against the risk criteria to determine the significance of the risks (risk evaluation).

Risk assessments should be carried out periodically, to address changes in IS requirements and in the risk situation (for example in assets, threats, vulnerabilities, impacts and risk evaluation), and whenever significant changes occur. These risk assessments should be carried out methodically to ensure comparable and reproducible results.

To be effective, the IS risk assessment should have a clearly defined scope and, where possible, include interactions with risk assessments in other areas.

ISO/IEC 27005 provides guidance on IS risk management, including recommendations on risk assessment, treatment, acceptance, communication, monitoring and review.

IS risk treatment

Before considering the treatment of a risk, the organization should establish criteria for determining whether risks can be accepted or not. Risks can be accepted if the risk is low or the cost of treatment is not worthwhile for the organization. Such decisions should be recorded.

For each risk identified by the risk assessment, a decision should be made on how to handle it. Possible risk treatment options include:

- applying appropriate safeguards to reduce the risks;

- informed and objective acceptance of risks, in strict accordance with the organization's policies and risk acceptance criteria;

- avoidance of risks by eliminating the actions that give rise to them;

- sharing the associated risks with other parties, for example insurers or suppliers.

For those risks for which the decision is to treat them by applying safeguards, appropriate safeguards must be selected and implemented.
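The assessment steps of the previous section (threats, vulnerabilities, likelihood, impact, comparison against the risk criteria) and the four treatment options above, as an added worked example that is not from the book or from ISO/IEC 27005. The 1-5 scales, the cost-proportionality rule, the acceptance threshold and all assets, threats and safeguards are constructed sample values.

```python
"""Minimal IS risk assessment and treatment pass (added example, not from the
book or ISO/IEC 27005). All scales, thresholds and sample risks are constructed."""
from dataclasses import dataclass
from typing import Optional

# Qualitative 1..5 scales for the likelihood that a threat materialises and for
# the business impact of the resulting incident (constructed for this example).
SCALE = range(1, 6)


@dataclass
class Safeguard:
    name: str
    annual_cost: float          # operating cost of the control
    likelihood_reduction: int   # scale steps removed from likelihood
    impact_reduction: int = 0   # scale steps removed from impact


@dataclass
class Risk:
    asset: str
    asset_value: float          # business loss of a full-impact incident
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    safeguard: Optional[Safeguard] = None   # candidate control for "reduce"
    avoidable: bool = False     # the activity causing the risk can be stopped
    shareable: bool = False     # an insurer or supplier can take the risk

    @property
    def level(self) -> int:
        """Risk analysis: level = likelihood x impact on the 1..5 scales."""
        assert self.likelihood in SCALE and self.impact in SCALE
        return self.likelihood * self.impact

    def residual_level(self) -> int:
        """Level remaining if the candidate safeguard is applied."""
        if self.safeguard is None:
            return self.level
        lk = max(1, self.likelihood - self.safeguard.likelihood_reduction)
        im = max(1, self.impact - self.safeguard.impact_reduction)
        return lk * im


@dataclass
class RiskCriteria:
    """Risk acceptance criteria, fixed before any treatment decision is made."""
    acceptable_level: int = 6            # levels at or below this are accepted
    max_cost_to_loss_ratio: float = 0.5  # safeguard cost must stay proportionate


def expected_loss(risk: Risk) -> float:
    """Rough expected loss used to judge whether a safeguard's cost is proportionate."""
    return risk.asset_value * (risk.likelihood / 5) * (risk.impact / 5)


def decide_treatment(risk: Risk, criteria: RiskCriteria) -> str:
    """Risk evaluation followed by one of the four treatment options in the text."""
    if risk.level <= criteria.acceptable_level:
        return "accept"                       # low risk: accept and record
    sg = risk.safeguard
    if (sg is not None
            and risk.residual_level() <= criteria.acceptable_level
            and sg.annual_cost <= criteria.max_cost_to_loss_ratio * expected_loss(risk)):
        return f"reduce ({sg.name})"          # control brings risk within criteria
    if risk.avoidable:
        return "avoid"                        # stop the activity causing the risk
    if risk.shareable:
        return "share"                        # transfer to insurer or supplier
    return "escalate (no acceptable treatment found; record management decision)"


def build_register(risks, criteria: RiskCriteria):
    """Prioritised risk register: highest risk level first, each with its decision."""
    return [{"asset": r.asset, "threat": r.threat, "level": r.level,
             "treatment": decide_treatment(r, criteria)}
            for r in sorted(risks, key=lambda r: r.level, reverse=True)]


# Constructed sample risks; threats are the kinds the text names (malware, fire, intrusion).
SAMPLE_RISKS = [
    Risk("customer billing database", 2_000_000, "malware infection",
         "unpatched database hosts", likelihood=4, impact=5,
         safeguard=Safeguard("patch management + antivirus", 60_000, likelihood_reduction=3)),
    Risk("server room", 1_500_000, "fire", "no fire suppression",
         likelihood=2, impact=5, shareable=True,
         safeguard=Safeguard("fire suppression system", 900_000, 0, impact_reduction=2)),
    Risk("legacy dial-in modem", 50_000, "unauthorized remote access",
         "no authentication on dial-in line", likelihood=5, impact=3, avoidable=True),
    Risk("printed meeting notes", 5_000, "theft of printouts",
         "no clean desk policy", likelihood=3, impact=1),
]
CRITERIA = RiskCriteria()

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, CRITERIA):
        print(f"{row['level']:>3}  {row['asset']:<26} {row['threat']:<28} -> {row['treatment']}")
```

The server-room case shows the cost-proportionality rule from the requirements section: the suppression system would bring the risk within the criteria, but it costs more than half the expected loss, so the decision falls through to sharing the risk with an insurer.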

Selection and implementation of protective measures

Promote employee awareness

An essential factor for the effective implementation of these principles is the linking cycle of activities, which ensures that information security management is constantly focused on current risks. It is important that the top management of the organization recognizes the risks of disruption of business processes related to the security of information systems. The basis for the development and implementation of policies and the selection of the necessary controls is the risk assessment of individual business applications. The steps taken will increase user awareness of risks and related policies. The effectiveness of controls is subject to assessment through various studies and audits. The results obtained provide an approach to the subsequent risk assessment and determine the necessary changes in policies and controls. All these actions are centrally coordinated by the security service or a staff of specialists consisting of consultants, representatives of business units and management of the organization. The risk management cycle is illustrated in the figure.

Methods for implementing an information security program

The following sixteen methods used to implement the five principles of risk management are highlighted in the following illustration. These methods are key to the effective implementation of the organization’s information security program.

Assess risk and identify needs

Risk assessment is the first step in implementing an information security program. Security is not considered in itself, but as a set of policies and appropriate controls designed to ensure business processes and reduce associated risks. Thus, identifying business risks associated with information security is the starting point of the risk management (information security) cycle.

Recognize information resources as significant (integral) assets of an organization

Recognition of information security risks by the organization’s management, together with a set of measures aimed at identifying and managing these risks, is an important factor in the development of an information security program. Such a management approach ensures that information security is taken seriously at lower levels of the organization, and that information security specialists are provided with the resources necessary for the effective implementation of the program.

Develop practical risk assessment procedures linking security and business requirements

There are various risk assessment methodologies, ranging from an informal discussion of risk to fairly sophisticated methods involving the use of specialized software. However, the global experience of successful risk management procedures describes a relatively simple process, involving the participation of various departments of financial organizations with the involvement of specialists with knowledge of business processes, technical specialists and specialists in the field of information protection.

It is worth emphasizing that understanding the risks does not require their precise quantification, including the probability of an incident or the cost of damage. Such data is not available, since losses may go undetected and management may not be informed. In addition, data on the total cost of repairing damage caused by weak security controls, as well as on the operational cost of these controls, are limited. Due to the sweeping changes in technology, as well as in the software and tools available to attackers, the use of statistics collected in previous years is doubtful. As a result, it is difficult, if at all possible, to accurately compare the cost of controls with the risk of loss in order to determine which control is the most cost-effective. In any case, managers of business units and specialists in the field of information security should rely on the most complete information available to them when deciding on the choice of necessary means (methods) of control.

Establish responsibility for business managers and managers participating in the security program

Managers of the business unit should be primarily responsible for determining the level of security (confidentiality) of information resources that support business processes. It is managers of business units who are best able to determine which information resources are the most critical, as well as the possible impact on the business in case of violation of their integrity, confidentiality or availability. In addition, business unit managers can point to controls (mechanisms) that could harm business processes. Thus, by involving them in the selection of controls, it can be ensured that controls meet the requirements and will be successfully implemented.

Continuously manage risk

Information security should be given constant attention to ensure the adequacy and effectiveness of controls. As noted earlier, modern information and related technologies, as well as factors related to information security, are constantly changing. Such factors include threats, technologies and system configurations, known vulnerabilities in software, the level of reliability of automated systems and electronic data, and the criticality of data and operations.

Establish centralized management

The steering group acts primarily in the role of an adviser or consultant to business units, and cannot impose information security methods (tools).

Identify a steering group to take key actions

In general, the steering group should be (1) a catalyst (accelerator) of the process, ensuring that information security risks are continuously considered; (2) a central consulting resource for organizational units; (3) a means of informing the organization’s management about the state of information security and the measures taken. In addition, the steering group allows tasks to be managed centrally; otherwise these tasks may be duplicated by various departments of the organization.

Provide the management team with easy and independent access to senior management

We note the need for discussion of information security problems by managers of the steering group with senior management of the organization. Such a dialogue allows the group to act effectively and avoid disagreements. Otherwise, conflicts may arise with business unit managers and system developers who wish to introduce new software products as soon as possible and therefore dispute the use of controls that may hamper the efficiency and comfort of working with software. Thus, the possibility of discussing information security problems at the highest level can guarantee a complete understanding of risks and their acceptability before final decisions are made.

Define and allocate budget and staff

The budget allows the goals of the information security program to be planned and set. At a minimum, the budget includes employee salaries and training costs. The staffing of the steering group (security unit) can vary and depends on both the goals set and the projects under consideration. As noted earlier, both technical specialists and employees of business units can be involved in the work of the group.

Improve the professionalism and technical knowledge of employees

Organization staff must be involved in various aspects of the information security program and have the appropriate skills and knowledge. The necessary level of professionalism of employees can be achieved with the help of trainings, which can be carried out by both specialists of the organization and external consultants.

Implement the necessary policies and appropriate controls

Information security policies are the basis for the adoption of certain procedures and the choice of means (mechanisms) of control (management). Policy is the primary mechanism by which management communicates its opinions and requirements to employees, customers and business partners. For information security, as for other areas of internal control, the requirements of policies depend directly on the results of risk assessment.

Establish a relationship between policies and business risks

A comprehensive set of adequate policies that are accessible and understandable to users is one of the first steps in establishing an information security program. It is worth emphasizing the importance of continuous support (adjustment) of policies for timely response to identified risks and possible disagreements.

Distinguish between policies and guidelines

A general approach to creating information security policies should include (1) concise high-level policies and (2) more detailed information presented in practical guidelines and standards. Policies set out the basic and mandatory requirements adopted by senior management, while practical guides are not mandatory for all business units. This approach allows senior management to focus on the most important elements of information security, gives business unit managers room to maneuver, and makes policies easy for employees to understand.

Provide policy support to the steering group

The steering group should be responsible for developing information security policies for the organization in collaboration with business unit managers, internal auditors and lawyers. In addition, the steering group should provide the necessary clarifications and provide answers to user questions. This will help resolve and prevent misunderstandings, as well as take the necessary measures not covered by policies (guidelines).

Policies should be made available so that users, if necessary, can access their current versions. Users must sign that they are familiar with the policies before giving them access to the organization’s information resources. If the user is involved in a security incident, this agreement will serve as evidence that he or she has been informed of the organization’s policies, as well as possible sanctions, if violated.

Promote Awareness

The competence of users is a prerequisite for the successful provision of information security, and also helps to ensure that controls are working properly. Users cannot follow policies that they do not know or do not understand. Unaware of the risks associated with the organization’s information resources, they cannot see the need to implement policies designed to reduce risks.

Continuously train users and other employees about risks and related policies

The steering group should provide a strategy for the continuous training of employees, one way or another affecting the information security of the organization. The group should focus on a common understanding of the risks associated with the information processed by the organization, as well as policies and methods (means) of control aimed at reducing these risks.

Take a friendly approach

The steering group should use a variety of training and incentive methods to make the organization’s policies accessible and educate users. Avoid meetings held once a year with all employees of the organization; on the contrary, training is best done in small groups of employees.

Monitor and evaluate the effectiveness of policies and controls

Like any type of activity, information security is subject to monitoring and periodic reevaluation in order to guarantee the adequacy (compliance) of policies and means (methods) of control with the set goals.

Monitor factors that influence risks and indicate the effectiveness of information security

Monitoring should focus primarily on (1) the availability of controls and methods and their use, aimed at reducing risks, and (2) assessing the effectiveness of the program and information security policies in improving user understanding and reducing the number of incidents. Such checks include testing controls (methods), assessing their compliance with the organization’s policies, analyzing security incidents, and other indicators of the effectiveness of the information security program. The performance of the steering group can be assessed based, for example, on the following indicators (but not limited to):

  • number of trainings and meetings held;
  • the number of risk assessments performed;
  • number of certified specialists;
  • the absence of incidents that impede the work of the organization’s employees;
  • reduction in the number of new projects implemented with a delay due to information security problems;
  • full compliance or agreed and registered deviations from the minimum information security requirements;
  • reduction in the number of incidents involving unauthorized access, loss or distortion of information.

Use the results to coordinate future efforts and increase management responsibility

Monitoring, of course, allows the organization to be brought in line with accepted information security policies, but the full benefits of monitoring will not be achieved if the results are not used to improve the information security program. The analysis of the results of monitoring provides information security specialists and managers of business units with the means (1) to reassess previously identified risks, (2) to identify new problem areas, (3) to reassess the sufficiency and appropriateness of existing means and methods of control (management) and actions to ensure information security, (4) to determine the need for new means and mechanisms of control, and (5) to redirect control efforts. In addition, the results can be used to evaluate the activities of business managers responsible for understanding and mitigating risks in business units.

Track new methods and controls

It is important to ensure that (1) information security specialists keep up with newly developed methods and tools (applications) and have the latest information on vulnerabilities in information systems and applications, and (2) top management ensures that they have the necessary resources.


Information security is one of the most important aspects of implementing an information system (IS). On the one hand, informatization of management provides invaluable support; on the other hand, management becomes directly dependent on the level of information security of the IS.

Information security refers to the security of information and supporting infrastructure from accidental or deliberate influences (attacks), fraught with harm to the owners or users of information and supporting infrastructure.

The objects of infringement may be the technical means themselves, which are tangible objects, as well as software and databases.

Information security management is a complex process, and includes a number of technical, organizational and legal measures that should be recorded in the corporate security policy.

Technical measures include:

· Protection against unauthorized access to the system,

· Redundancy of critical supporting subsystems,

· The organization of computer networks with the possibility of resource allocation in case of disruption of the individual links,

· Installation of equipment for fire detection and extinguishing,

· The use of structural measures to protect against theft, sabotage, and explosions,

· Installation of redundant power systems,

· Equipping the premises with locks,

· Physical differentiation of personnel access to premises,

· Installation of alarm systems, etc.

Organizational measures include:

· Guarding of the computing facility,

· Careful staff selection,

· Excluding cases where particularly important work is performed by only one person,

· The availability of a plan for restoring the system after its failure,

· Having the computing facility serviced by an outside organization or by persons not interested in concealing violations of its operation,

· Universality of security features for all users (including top management),

· Separation of powers in the field of data access,

· Assignment of responsibility to the persons who must ensure the security of the computing facility’s operation.

Legal measures should include the development of norms establishing responsibility for computer crimes, copyright protection, and the improvement of legislation in the field of information technology.

The international standard ISO/IEC 27001:2005 “Information technology. Security techniques. Information security management systems. Requirements” is gaining increasing popularity in the construction of corporate information security management systems (ISMS); in accordance with it, companies can formalize and structure IS management processes in the following areas:

· Policy development and organization of information security,

· Organization of the management of internal assets and company resources, which form the basis of its key business processes,

· Personnel protection and reduction of internal threats of the company,

· Physical security in the company and environmental safety,

· Management of communications and equipment operation,

· Development and maintenance of hardware and software systems,

· Management of business continuity in the company,

· Compliance with legal safety standards.

There are a number of generally accepted techniques that help to manage information security effectively. The Microsoft Threat Modeling Methodology, the DREAD risk assessment methodology, and the STRIDE model for dividing threats into categories (http://msdn.microsoft.com/ru-ru/magazine/cc700352.aspx) are well known and widely used.

At IBM, this is the Method for Architecting Secure Solutions (MASS) methodology, which helps identify security issues, create a robust architecture, and develop a robust security policy (www.redbooks.ibm.com).

Among the well-known and popular methods, it is necessary to recall the ISS approach to information security, called ADDME and which includes 5 stages.

Stage 1 - assessment (assess). At this stage, the identification and inventory of all organization resources is carried out. At this stage, a risk assessment is carried out, as well as a vulnerability assessment, penetration assessment and threat assessment.

Stage 2 - design. At this stage, the organization’s security policy is developed and principles for evaluating the effectiveness of the measures proposed in it (legislative, organizational, software and technical) are developed. This takes into account the data collected at the first stage about users, existing network devices, the location of critical information resources, etc.

Stage 3 - deployment. As part of this phase, work is underway to install security equipment, integrate it and test it in the adopted information processing technology, to train users in the requirements of the security policy and the operating rules of the installed protective equipment.

Stage 4 - operation (manage and support). At this stage, the effectiveness of the measures taken and their compliance with the provisions of the developed security policy are evaluated. In the event of incidents related to its violation, the incident response plan developed at the second stage is implemented and, as a result, some provisions of the security policy are reviewed. Change in information processing technology, the emergence of new protection technologies, etc. are also an impetus for the revision of the developed documents.

Stage 5 - education. Training is an ongoing process carried out at all stages of building an integrated information security system. All employees of the organization participate in it: operators, administrators, managers, etc.

In an ideal company, the information security management process is proactive and ongoing.

For information security to be effective, it must be closely linked to business security and business needs.
Each process within an IT organization must include security issues. Security is not an autonomous activity; it is a thread that goes through all the processes of a service provider.
The management of the organization is fully responsible for the organization’s information. Management is responsible for answering all questions that affect information security. The board of directors should make information security an integral part of corporate governance.
Permissions

The process and framework for managing information security typically include:
- an information security policy, supported by a subset of policies regarding aspects of strategy, control and regulation;
- an Information Security Management System;
- a comprehensive security strategy closely linked to business goals, strategies and plans.

A security model should also include an effective organizational structure.
Security is not the responsibility of one person; roles must be considered in profiles at all levels of the organization.
Security management is necessary to support policies and manage security risks.
Finally, the security structure should consider and include:
- Process monitoring to ensure compliance and provide feedback on effectiveness
- Communications security strategy and plan
- Training strategy and plans to provide all employees with knowledge of their responsibilities.

Information Security Policy

Information security management activities should be focused on and driven by the information security policy.
An information security policy should have the full support of top managers in IT management, and ideally, the support and commitment of senior business management.
This policy should cover all areas of security, be adequate and meet the needs of the business.
An information security policy should be widely available to all customers and users.
This policy must be authorized by senior management of business and IT.

All security policies should be reviewed at least annually, and whenever necessary.

Information security management system

An information security management system is a framework of policies, processes, standards, guidelines and tools that ensures organizations achieve their goals in Information Security Management.

An information security management system provides the basis for developing cost-effective information security programs that support business goals.
The system must take into account not only technology.

The four Ps (people, processes, products and partners) can be used to ensure a high level of security in all areas.

ISO 27001 is a formal standard against which an Information Security Management System can be independently certified. Organizations can seek certification to prove their compliance with security requirements.

The information security management system includes an organizational structure for the development, implementation, management, maintenance and enforcement of information security and management processes systematically and consistently throughout the organization.

The diagram below shows the approach to managing information security systems. This approach is widely used and is based on the advice and recommendations described in sources including ISO 27001.

Control

Information security control is the first sub-process of Information Security Management, and refers to the organization and process management. This type of activity includes a structured approach to Information Security Management, which describes the following subprocesses: the formulation of Security Plans, their implementation, assessment of implementation and inclusion of the assessment in annual Security Plans (action plans). It also describes the reports provided to the customer through the Service Level Management Process.
This activity defines subprocesses, security functions, roles and responsibilities. It also describes the organizational structure, reporting system and management flows (who instructs whom, who does what, how a progress report is made). The following measures from the collection of practical recommendations on Information Security Management are implemented as part of this type of activity.

Internal rules of work (policy):
- development and implementation of internal rules of work (policy), relations with other rules;
- goals, general principles and significance;
- description of subprocesses;
- distribution of functions and responsibilities for subprocesses;
- links to other ITIL processes and their management;
- the general responsibility of the staff;
- handling security incidents.

Organization of information security:
- control block diagram;
- management structure (organizational structure);
- a more detailed distribution of responsibilities;
- Establishment of a Steering Committee on Information Security;
- coordination of information security;
- harmonization of tools (for example, for risk analysis and awareness raising);
- description of the process of authorization of IT tools in consultation with the customer;
- consultation of specialists;
- cooperation between organizations, internal and external interaction;
- independent audit of information systems;
- security principles when accessing third-party information;
- information security in contracts with third parties.

Planning

The planning sub-process comes down to determining the content of the SLA section on security issues with the participation of the Service Level Management Process and describing the security-related activities carried out under Underpinning Contracts. Tasks that are defined in general terms in the SLA are detailed and specified in the form of an Operational Level Agreement (OLA). An OLA can be seen as a Security Plan for the organizational structure of a service provider and as a specific Security Plan, for example, for each IT platform, application and network.

The input to the planning subprocess is not only the provisions of the SLA, but also the principles of the security policy of the service provider (from the subprocess of control). Examples of these principles: “Each user must be uniquely identified”; "A Basic Security Level is always available for all customers."

Operational Level Agreements (OLAs) for information security (specific Security Plans) are developed and implemented using standard procedures. This means that if these activities become necessary in other processes, coordination with those processes is needed. All necessary changes to the IT infrastructure are carried out by the Change Management Process using the input provided by the Information Security Management Process. The manager of the Change Management Process is responsible for that process.
The planning subprocess is coordinated with the Service Level Management Process to determine the content of the security section of the SLA, update it, and ensure compliance with its provisions. The manager of the Service Level Management Process is responsible for this coordination.

Security requirements should be defined in the SLA, where possible in measurable terms. The security section of the SLA must ensure that compliance with all customer security requirements and standards can be monitored.

Implementation

The task of the implementation subprocess is to carry out all activities defined in the plans. This subprocess can be supported by the following action checklist.

Classification and IT Resource Management:
- providing input to support Configuration Items (CIs) in the CMDB;
- classification of IT resources in accordance with agreed principles.

Personnel security:
- tasks and responsibilities in the description of the work;
- staff selection;
- confidentiality agreements for staff;
- training;
- guides for staff on resolving security incidents and detected security defects;
- disciplinary measures;
- improving security awareness.

Security Management:
- introduction of types of responsibility and distribution of responsibilities;
- written work instructions;
- internal rules;
- security measures should cover the entire life cycle of systems; security guidelines must exist for the development of systems, their testing, acceptance, operational use, maintenance and removal from the operating environment;
- separation of the development and testing environment from the operating (working) environment;
- incident handling procedures (implemented by the Incident Management Process);
- use of recovery tools;
- providing input to the Change Management Process;
- implementation of virus protection measures;
- implementation of management methods for computers, applications, networks and network services;
- proper handling and protection of data carriers.

Access control:
- implementation of access policy and access control;
- support for user and application access privileges to networks, network services, computers and applications;
- support for network security barriers (firewalls, dial-in access services, bridges and routers);
- introduction of methods for identification and authentication of computer systems, workstations and PCs in the network.

Evaluation

An independent evaluation of the implementation of planned activities is essential. Such an assessment is necessary to determine effectiveness; it is also required by customers and third parties. The results of the evaluation sub-process can be used to adjust the measures agreed with the customer, as well as to implement them. Based on the results of the assessment, changes can be proposed, in which case a Request for Change (RFC) is formulated and sent to the Change Management Process.
There are three types of assessment:
- self-assessment: carried out primarily by the line units of the organization;
- internal audit: conducted by internal IT auditors;
- external audit: conducted by external IT auditors.
Unlike self-assessment, the audit is not conducted by the same personnel who participate in other subprocesses. This is necessary to ensure separation of responsibilities. An audit may be conducted by the internal audit department.
The assessment is also conducted as a response in the event of incidents.
The main activities are:
- verification of compliance with security policy and implementation of security plans;
- conducting a security audit of IT systems;
- identification and adoption of measures for inappropriate use of IT resources;
- verification of security aspects in other types of IT audit.

Support

Due to changes in risks associated with changes in the IT infrastructure, in the company and in business processes, it is necessary to provide adequate maintenance of security measures. Maintenance of security measures includes maintaining the relevant security sections of SLAs and maintaining detailed Security Plans (at the level of Operational Level Agreements).
The effective functioning of the security system is maintained based on the results of the Evaluation sub-process and analysis of changes in risk. Proposals can be implemented either in the planning sub-process or in the process of maintaining the SLA as a whole. In any case, the proposals made may lead to the inclusion of additional initiatives in the annual Security Plan. Any changes are handled as part of the normal Change Management Process.

The maintenance objectives are to improve security arrangements as specified in service level agreements and operational level agreements, and to improve the implementation of security and control measures.

Maintenance must be achieved using the Plan-Do-Check-Act cycle, which is the formal approach proposed by ISO 27001 for the establishment of an Information Security Management System. This is described in detail in CSI.

When the process is correctly implemented, information security management should have six main results. Below is a complete list of results and related data.

Strategic alignment:
o Security requirements driven by corporate requirements
o Security solutions consistent with enterprise processes
o Information security investments consistent with the enterprise strategy and the agreed risk profile

Value delivery:
o A standard set of security practices, i.e. baseline security compliance requirements
o Properly prioritized and distributed effort for the areas with the greatest return and business benefit
o Institutionalized and commoditized solutions
o Comprehensive solutions covering the organization and process as well as technology
o A culture of continuous improvement

Risk management:
o Agreed risk profile
o Understanding of risk exposure
o Awareness of risk management priorities
o Risk mitigation
o Risk acceptance / deference

Performance management:
o Defined, consistent set of metrics
o A measurement process that helps identify deficiencies and provides feedback on progress in resolving issues
o Independent assurance

Resource management:
o Knowledge captured and available
o Documented security processes and practices
o Developed security architecture for efficient use of infrastructure resources

Business process assurance.

The Jet Infosystems company carries out complex projects to build and implement effective information security management systems (ISMS). Projects include the analysis, development and implementation of information security management processes. The implemented systems comply with both business requirements and the requirements of international standards and best practices. As a result, they bring not only a marketing effect but also make it possible to optimize the information security budget, increase the transparency of information security for the business, and raise the customer’s level of security and maturity.

Problem

To protect important information, companies use a variety of IS measures. However, using even the most modern and expensive tools is no guarantee of their effectiveness and can lead to unjustified IS expenses. The presence of a large number of information security measures and tools complicates the management process. Often, the mechanisms that allow the operation of the information security system to be continuously monitored and analyzed, and its work adjusted, are poorly tuned.

The lack of formalized IS management and maintenance processes leads to an increase in operating costs. In the absence of an organizational approach, every emerging issue is resolved ad hoc, in a way that varies from case to case.

Solution

The ISMS is part of the overall information security system. One of its main components is the IS risk management process. Its results make it possible to develop solutions for treating unacceptable risks and to introduce economically justified IS measures. Planning the implementation of the selected measures allows the costs of providing information security to be distributed over both the short and the long term.

Within the ISMS, a number of IS management and maintenance processes are created and/or described, which structures these processes and ensures their reproducibility. When building it, interaction with senior management and representatives of the customer’s business units is necessary in order to identify their expectations of the system.

Considering that the effectiveness of the IS management and maintenance system depends on how convenient it is for those who operate it, Jet Infosystems specialists pay special attention to building and subsequently tuning the ISMS processes. In the course of the work, the company’s existing processes, their features and maturity levels, as well as the traditions of its corporate culture, are always taken into account. Particular attention is paid to training the employees involved in running the system, distributing responsibilities, and organizing an internal center of competence for information security management and maintenance. As a result, the implemented processes become an integral part of the company, working in accordance with the goals set, and do not remain a “folder of papers lying in the closet”.

Jet Infosystems provides a wide range of services in the field of information security management and maintenance:

Development and implementation of an ISMS based on ISO/IEC 27001

The development and implementation of the basic IS management processes is carried out taking into account the organizational structure and specifics of the customer. In addition, key employees are trained to work with the ISMS, and consulting support is provided.

Development and implementation of individual IS management and maintenance processes

The development and implementation of individual IS management and maintenance processes (for example, risk management, incident management, internal audits, etc.) is carried out in accordance with the requirements of international and Russian IS standards (ISO/IEC 27001:2005, ISO/IEC 27002:2005, ISO/IEC 27005:2008, PCI DSS, STO BR IBBS-1.0, etc.), as well as best practices in this field.

Consultants can draw up a schedule for the step-by-step implementation of IS management processes with a view to later merging them into a single ISMS.

Preparation for certification against the requirements of the international standard ISO/IEC 27001

Preparation for certification includes a preliminary analysis of compliance with the requirements of the ISO/IEC 27001 standard, elimination of the identified non-conformities, and bringing the ISMS into compliance with the requirements of this standard. The audit is conducted by a certification body with the appropriate accreditation.

Jet Infosystems supports customers during audits and helps resolve the identified non-conformities.

Support for the developed ISMS or individual processes

Jet Infosystems provides:

  • preparation of the customer’s ISMS for surveillance audits: an express assessment identifying the work that needs to be done to pass a surveillance audit by the certification body;
  • refinement or implementation of specific ISMS processes, for example conducting an annual IS risk analysis or conducting internal IS audits.

Advantages of working with Jet Infosystems:

  • a systematic approach and our own unique methodology, which make it possible to develop and implement IS maintenance and management processes quickly and efficiently;
  • a close-knit project team of certified specialists capable of solving the most complex tasks;
  • consultants who are management-system trainers at BSI MS and take part in audits;
  • the main working principle is “each company is unique”: the information security needs are determined for each client, and solutions are proposed that will help ensure real security of information, not just the formal fulfillment of requirements (legislation, partners, contractors, industry, etc.) and of the contract.

Benefits

The implementation of IS management and maintenance procedures makes it possible to:

  • optimize and justify information security costs;
  • increase the effectiveness of information security by making all information security measures comprehensive, interconnected, effective and transparent;
  • ensure that the level of information security complies with legislative, industry and internal corporate requirements as well as business goals;
  • reduce operating costs through formalization and standardization of IS management and maintenance processes;
  • increase the trust of the company’s partners and customers by demonstrating a high level of information security maturity.

In addition, the implementation and certification of the ISMS makes it possible to:

  • increase the capitalization and share value of the company;
  • raise the company’s international ratings, which are necessary for attracting foreign investment and accessing international markets;
  • protect investment.

Experience

Jet Infosystems specialists have the most extensive experience in the CIS in building ISMS and individual IS management processes, including IS risk management, IS incident management and vulnerability management.

Five major projects to create an ISMS and subsequently prepare it for certification against the requirements of the ISO/IEC 27001:2005 standard were successfully completed at the following companies:

  • Interregional Transit Telecom OJSC
  • ROSNO OJSC
  • LLC "Information Security Center"
  • Askari Bank (Pakistan)
  • LLC Eldorado

In addition, more than 30 projects were completed to build individual IS management processes, support the ISMS and prepare it for surveillance audits by the certification body.
