Categorization of information and information systems. Ensuring a basic level of information security. Categories of information by importance

Categorization of protected resources: establishing gradations of the importance of protection (categories) for resources and assigning specific resources to the relevant categories.

Simplified algorithm for assessing the protection of an informatization object:

    Inventory of information resources and identification of the information to be protected

    Identification of potentially possible threats

    Identification of vulnerabilities of the informatization object

    Compilation of a list of potentially possible threats

    Assessment of the likelihood of realization and the danger of each threat, and compilation of a list of relevant threats

1. If a file contains protected information, the entire file is subject to protection and the file is assigned the corresponding level of importance;

2. The criticality of information from the standpoint of its confidentiality is fully determined by its secrecy or confidentiality marking. For confidential information, the confidentiality grade depends on which circle of persons is entitled to become acquainted with it, and is set mainly by the user;

3. The gradation of the criticality of information from the standpoint of ensuring its integrity or availability is determined by the user and depends on the level and acceptability of the costs (time, labour, financial resources) needed to restore the integrity or availability of the information;

4. Executable application files whose launch causes access to files with user data are of no less importance, in terms of ensuring both integrity and availability, than the files with user data themselves;

5. Information files whose loss of integrity or availability leads to failure of the operating system are of greater importance, in terms of ensuring their integrity or availability, than the other files stored in the system;

6. If confidential information is stored in a room, or the room is allocated for confidential negotiations, it is assumed that the information disseminated during conversations or transmitted over communication lines there has the highest confidentiality level provided for that room; that is, an information leak is assessed at the greatest possible level of criticality for that room.

    creating a regulatory and methodological basis for a differentiated approach to protecting the resources of automated systems, based on their classification by the degree of risk in case of violation of their availability, integrity or confidentiality;

    standardization of the organizational measures carried out and of the distribution of hardware and software protection of resources across the organization's automated workstations (AWS), and unification of their settings.

Required degree of confidentiality of information:

« high » - this category includes non-secret information that is confidential in accordance with the requirements of the current legislation of the Russian Federation (banking secrecy, personal data);

« low » - this category includes confidential information not belonging to the "high" category, restrictions on the distribution of which are introduced by decision of the organization's management in accordance with the rights granted to it;

« no requirements » - this category includes information whose confidentiality (the introduction of restrictions on dissemination) is not required.

Required degree of integrity of information:

« high » - this category includes information whose unauthorized modification or falsification can cause significant direct damage to the organization, its customers and correspondents, and whose integrity and authenticity must be ensured by guaranteed methods in accordance with the mandatory requirements of current legislation;

« low » - this category includes information whose unauthorized modification, deletion or falsification can cause minor indirect damage to the organization, its customers and correspondents, and whose integrity (and, where necessary, authenticity) must be ensured in accordance with the decision of the organization's management (checksum methods, digital signatures, etc.);

« no requirements » - this category includes information for which no requirements for ensuring integrity (and authenticity) are imposed.

Required degree of availability of functional tasks:

« unhindered availability » - access to the task must be provided at any time (the task is solved constantly; the delay in obtaining the result must not exceed a few seconds or minutes);

« high availability » - access to the task must be provided without significant time delays (the task is solved daily; the delay in obtaining the result must not exceed a few hours);

« average availability » - access to the task may be provided with significant time delays (the task is solved once every few days; the delay in obtaining the result must not exceed several days);

« low availability » - time delays in access to the task are practically unlimited (the task is solved with a period of several weeks or months; the allowable delay in obtaining the result is a few weeks).

Categories of AWS. Depending on the categories of the tasks solved on an AWS, four categories of AWS are distinguished: "A", "B", "C" and "D". Group "A" includes AWS on which at least one functional task of the first category is solved; the categories of the other tasks solved on such an AWS must be not lower than the second. Group "B" includes AWS on which at least one functional task of the second category is solved; the categories of the other tasks solved on such an AWS must be not lower than the third and not higher than the second. Group "C" includes AWS on which at least one functional task of the third category is solved; the categories of the other tasks solved on such an AWS must be no higher than the third. Group "D" includes AWS on which only functional tasks of the fourth category are solved.
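The AWS grouping rules above are easy to get wrong by hand across a large inventory, so here is an added example (not part of the original text) that encodes them as a check: the most important task present decides the candidate group, and the remaining tasks must fall within the range the rule allows for that group; a mix that breaks the rule (for instance, a first-category task next to a fourth-category one) is reported as needing to be split across workstations. The workstation names and task categories in the inventory are constructed for illustration.

```python
# Added example: assigning automated workstations (AWS) to groups "A".."D"
# from the categories of the functional tasks solved on them.
# Task categories are integers 1 (most important) to 4 (least important).
from typing import Dict, Iterable, List, Optional

# The category that must be present on at least one task decides the group.
GROUP_BY_ANCHOR = {1: "A", 2: "B", 3: "C", 4: "D"}

# Categories permitted for the remaining tasks on an AWS of each group:
#   "A": other tasks not lower than the second        -> {1, 2}
#   "B": not lower than the third, not higher than the second -> {2, 3}
#   "C": other tasks no higher than the third          -> {3, 4}
#   "D": only fourth-category tasks                    -> {4}
ALLOWED_OTHER = {"A": {1, 2}, "B": {2, 3}, "C": {3, 4}, "D": {4}}


def aws_group(task_categories: Iterable[int]) -> Optional[str]:
    """Return the AWS group for the given task categories, or None when the
    mix of tasks violates the placement rules and must be split across
    different workstations."""
    cats = list(task_categories)
    if not cats or any(c not in GROUP_BY_ANCHOR for c in cats):
        raise ValueError("task categories must be a non-empty collection of 1..4")
    # min() picks the most important task (lowest category number).
    group = GROUP_BY_ANCHOR[min(cats)]
    if all(c in ALLOWED_OTHER[group] for c in cats):
        return group
    return None


def classify_inventory(inventory: Dict[str, List[int]]) -> Dict[str, str]:
    """Map each workstation to its group, or to 'split required' when its
    task mix is not permitted on a single AWS."""
    result = {}
    for name, cats in inventory.items():
        group = aws_group(cats)
        result[name] = group if group is not None else "split required"
    return result


# Constructed sample inventory (hypothetical workstation names).
SAMPLE_INVENTORY = {
    "accountant-01": [1, 2, 2],   # first-category task, others second -> A
    "clerk-07": [2, 3],           # second-category task, other third  -> B
    "reception-02": [4],          # only fourth-category tasks          -> D
    "shared-pc-03": [1, 4],       # first next to fourth: not permitted
}

if __name__ == "__main__":
    for name, group in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {group}")
```

The `split required` outcome is the useful signal for a reviewer: it points at workstations where the organizational rule was not followed when tasks were assigned, which is exactly what a categorization pass should surface.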

From the editor

Any kind of human activity can be represented as a process resulting in a product, material or intellectual, that has a certain value, that is, a cost. Information is one kind of such value, and its value can be so high that its loss or leakage, even partial, can call into question the very existence of a company. Therefore the protection of information is becoming more important every day, and almost all more or less large organizations have information security departments.

The range of information security offerings on the IT market is growing. How does one navigate this stream of products correctly? How does one choose an option that is optimal in financial cost and takes into account all the needs of one's company? What selection criteria should be applied? After all, although the information security service of any organization or enterprise itself produces neither intellectual nor material value, there is no doubt about its necessity and importance, and expenses for this service are rarely economized on.

What needs to be done so that the company's costs and its level of information security are in an optimal relationship? This publication is devoted to these questions.

Introduction

Information security activities, as is well known, do not bring revenue; they can only reduce the damage from possible incidents. Therefore it is very important that the costs of creating and maintaining information security at the proper level be commensurate with the value of the organization's assets related to its information system (IS). Commensurability can be ensured by categorizing the information and the information system, and by choosing security controls on the basis of the categorization results.

Categorization of information and information systems

The assignment of security categories to information and information systems is based on an assessment of the damage that security violations can cause. Such incidents may hinder the organization in carrying out the missions entrusted to it, compromise its assets, put the organization in the position of a violator of current legislation, threaten its daily activities, and endanger its personnel. Security categories are used in conjunction with data on vulnerabilities and threats in the process of analysing the risks to which the organization is exposed.

There are three main aspects of information security:

  • availability;
  • confidentiality;
  • integrity.

Generally speaking, security violations may affect only some of these aspects, and security controls may likewise be specific to individual aspects. Therefore it is advisable to evaluate the possible damage separately for violations of availability, confidentiality and integrity, and then, if necessary, derive an integral assessment.

The amount of damage is conveniently evaluated on a three-level scale as low, moderate or high (Fig. 1).

Figure 1. Scale for assessing damage from information security violations

Potential damage to the organization is assessed as low if the loss of availability, confidentiality and/or integrity has a limited adverse effect on the organization's activities, assets and personnel. A limited adverse effect means that:

  • the organization remains capable of carrying out its mission, but the effectiveness of its basic functions is noticeably reduced;
  • the organization's assets suffer minor damage;
  • the organization incurs minor financial losses;
  • personnel suffer minor harm.

Potential damage to the organization is assessed as moderate if the loss of availability, confidentiality and/or integrity has a serious adverse effect on the organization's activities, assets and personnel. A serious adverse effect means that:

  • the organization remains capable of carrying out its mission, but the effectiveness of its basic functions is significantly reduced;
  • the organization's assets suffer significant damage;
  • the organization incurs significant financial losses;
  • personnel suffer significant harm that does not threaten life or health.

Potential damage to the organization is assessed as high if the loss of availability, confidentiality and/or integrity has a severe or catastrophic adverse effect on the organization, its assets and personnel, that is:

  • the organization loses the ability to perform all or some of its basic functions;
  • the organization's assets suffer major damage;
  • the organization incurs major financial losses;
  • personnel suffer severe or catastrophic harm that poses a possible threat to life or health.

Both user information and system information are categorized, whether presented in electronic form or as a hard copy. Public information has no confidentiality category. For example, the information on the organization's publicly accessible Web server has no confidentiality category, while its availability and integrity are assessed as moderate.

When categorizing an information system, the categories of the information it stores, processes and transmits are taken into account, as well as the value of the assets themselves; that is, the maximum of the categories over all types of information and assets is taken. To obtain an integral assessment, the maximum of the categories over the main aspects of information security should be taken.
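The "take the maximum" rule in the two paragraphs above is mechanical once the information types and their per-aspect damage levels are listed, so here is an added example (not part of the original text) that applies it: per aspect, the system's category is the highest category of any information type it handles, and the integral category is the highest of the per-aspect results. Public information is represented with no confidentiality category (`None`), as the text describes, and is simply left out of the confidentiality maximum. The information types and levels in the sample are constructed for illustration.

```python
# Added example: deriving an information system's security category from the
# categories of the information types it handles ("maximum over all types",
# then "maximum over the aspects" for the integral assessment).
from typing import Dict, Iterable, Optional

LEVELS = {"low": 1, "moderate": 2, "high": 3}   # three-level damage scale
ASPECTS = ("confidentiality", "integrity", "availability")

# Constructed sample: information types of a hypothetical system.
# None for confidentiality means "public information, no confidentiality category".
SAMPLE_INFO_TYPES = {
    "public web pages": {"confidentiality": None, "integrity": "moderate", "availability": "moderate"},
    "customer records": {"confidentiality": "high", "integrity": "moderate", "availability": "low"},
    "internal memos":   {"confidentiality": "low", "integrity": "low", "availability": "low"},
}


def max_level(levels: Iterable[Optional[str]]) -> Optional[str]:
    """Highest level among the given ones; None entries (no category) are
    ignored, and the result is None only if no type carries a category."""
    present = []
    for level in levels:
        if level is None:
            continue
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}; expected one of {tuple(LEVELS)}")
        present.append(level)
    return max(present, key=LEVELS.__getitem__) if present else None


def categorize_system(info_types: Dict[str, Dict[str, Optional[str]]]) -> Dict[str, Optional[str]]:
    """Per-aspect categories of the system plus the integral category."""
    per_aspect = {aspect: max_level(t[aspect] for t in info_types.values()) for aspect in ASPECTS}
    per_aspect["integral"] = max_level(per_aspect[aspect] for aspect in ASPECTS)
    return per_aspect


if __name__ == "__main__":
    for aspect, level in categorize_system(SAMPLE_INFO_TYPES).items():
        print(f"{aspect}: {level}")
```

Note the asymmetry this makes visible: a single high-confidentiality information type lifts the whole system's confidentiality category (and hence its integral category) to high, even though every other type on the system is low or moderate. That is the intended effect of the maximum rule, and it is also the reason organizations sometimes move such data to a separate system rather than raise the controls on everything.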

Minimum (basic) security requirements

The minimum (basic) security requirements are formulated in general form, independent of the category assigned to the information system. They set the basic level of information security that all information systems must satisfy. The categorization results are important when selecting the security controls that ensure compliance with the requirements on the basis of risk analysis (Fig. 2).

Figure 2. Information security levels

The minimum security requirements (Fig. 3) cover the administrative, procedural and software/technical levels of information security and are formulated as follows.

Figure 3. Basic security requirements for information and information systems.

  • The organization must develop, document and publish an official security policy and formal procedures aimed at fulfilling the requirements below, and ensure the effective implementation of the policy and procedures.
  • The organization must periodically assess risks, including the threats to the organization's mission, functioning, image and reputation, its assets and personnel that arise from the operation of the information system and from the processing, storage and transmission of data.
  • With regard to the acquisition of systems and services, the organization must:
    • allocate sufficient resources for adequate protection of the information system;
    • take information security requirements into account when developing systems;
    • restrict the use and installation of software;
    • ensure that external service providers allocate sufficient resources to protect information, applications and/or services.
  • In the field of certification, accreditation and security assessment, the organization must carry out:
    • continuous monitoring of security controls, to have confidence in their effectiveness;
    • periodic assessment of the security controls used in the information system, to verify their effectiveness;
    • development and implementation of a plan for eliminating deficiencies and reducing or eliminating vulnerabilities of the information system;
    • authorization of the commissioning of the information system and of the establishment of connections with other information systems.
  • In the field of personnel security, it is necessary to:
    • ensure the trustworthiness of officials occupying responsible posts, and the compliance of these persons with the security requirements for those posts;
    • ensure the protection of information and the information system during personnel actions such as dismissal or transfer of employees;
    • apply formal sanctions for violations of security policies and security procedures.
  • The organization must inform and train employees:
    • so that managers and users of the information system know about the risks associated with their activities and about the relevant laws, regulations, guidelines, standards, instructions and the like;
    • so that personnel have adequate practical training to fulfil their information security duties.
  • In the area of planning, it is necessary to develop, document, periodically revise and implement security plans for the information system that describe the security controls (existing and planned) and the rules of behaviour for personnel with access to the information system.
  • For continuity planning, the organization must establish, maintain and effectively implement plans for emergency response, backup and recovery after accidents, so as to ensure the availability of critical information resources and the continuity of operations in emergency situations.
  • In terms of incident response, the organization must:
    • create a working incident response structure, which implies adequate preparatory activities, detection, analysis and containment of violations, recovery after incidents and handling of user requests;
    • provide tracking, documenting and reporting of incidents to the appropriate officials of the organization and to authorized bodies.
  • For the purpose of physical protection, the organization must:
    • grant physical access to the information system, equipment and production premises only to authorized personnel;
    • physically protect the equipment and the supporting infrastructure of the information system;
    • ensure proper technical conditions for operating the information system;
    • protect the information system from environmental threats;
    • ensure control of the conditions in which the information system operates.
  • For access control, the organization must restrict access to information system assets to authorized users, to processes acting on behalf of those users, and to devices (including other information systems), for performing permitted transactions and functions.
  • To provide logging and audit, it is necessary to:
    • create, protect and retain audit logs that make it possible to track, analyse, investigate and report on illegal, unauthorized or improper activity;
    • ensure traceability of actions in the information system down to the individual user (user accountability).
  • In terms of configuration management, the organization must:
    • establish and maintain baseline configurations;
    • keep an inventory (record) of the information system, updated throughout its life cycle, that includes equipment, software and documentation;
    • establish and enforce the security configuration settings of the products included in the information system.
  • In the area of identification and authentication, it is necessary to identify and authenticate users of the information system, processes acting on behalf of users, and devices, as a prerequisite for granting access to the information system.

In addition, it is necessary:

  • For maintenance:
    • to carry out periodic and timely maintenance of the information system;
    • to ensure effective controls over the tools, methods, mechanisms and personnel performing maintenance.
  • For media protection:
    • to protect data carriers, both digital and paper;
    • to grant access to data on media only to authorized users;
    • to sanitize or destroy media before decommissioning or before transfer for reuse.
  • For protection of systems and communications:
    • to track, monitor and protect communications (that is, transmitted and received data) at the external and key internal boundaries of the information system;
    • to apply architectural and hardware/software approaches that raise the current level of information security of the system.
  • To ensure the integrity of systems and data:
    • to identify defects of the information system and data in a timely manner, and to report and correct them;
    • to protect the information system from malicious software;
    • to track security alerts and reports of new threats to the information system and respond to them properly.

Selecting a basic set of security controls to fulfil the security requirements

A prerequisite for fulfilling the security requirements is the selection and implementation of the relevant security controls, that is, the development and application of economically justified countermeasures and means of protection. Security controls are divided into administrative, procedural and software/technical controls, and serve to ensure the availability, confidentiality and integrity of the information system and of the data it processes, stores and transmits.

The choice of security controls is based on the results of categorizing the data and the information system. In addition, one should take into account which security controls are already implemented and for which there are specific implementation plans, as well as the required degree of confidence in the effectiveness of the existing controls.

The selection of adequate security controls can be simplified by making it from predefined basic sets associated with the required level of information security. With a three-level scale, three basic sets are used, respectively, for the minimum (low, basic), moderate and high levels of information security.

Security controls for the minimum level of information security

At the minimum level of information security, it is advisable to apply the following administrative security controls.

Figure 4. Security controls by information security level

  • Risk assessment: policy and procedures.
    • an official documented risk assessment policy, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate the implementation of the policy and the associated risk assessment controls.
  • Risk assessment: categorization by security requirements. Categorization of the data and the information system and documentation of the results, including the rationale for the established categories; the document is approved by management.
  • Risk assessment: conducting the assessment. Assessment of the risks and the possible damage from unauthorized access, use, disclosure, disruption, modification and/or destruction of data and/or the information system, including resources managed by external organizations.
  • Risk assessment: revision of results. The results of the risk assessment are revised either at a given frequency, or after significant changes in the information system or its supporting infrastructure, or after other events that can noticeably affect the security level of the system or its accreditation status.
  • Security planning: policy and procedures.
    • an official documented security planning policy, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate the implementation of the policy and the associated security planning controls.
  • Security planning: information system security plan. Development and implementation of a plan for the information system that describes the security requirements for the system and the existing and planned security controls that serve to fulfil those requirements; the document is approved by management.
  • Security planning: revision of the security plan. The security plan is revised at a given frequency. Changes are made to it to reflect changes in the organization and in its information system, or problems identified during implementation of the plan or during evaluation of the security controls.
  • Security planning: rules of behaviour. The organization establishes, and brings to the attention of information system users, a set of rules describing their duties and expected behaviour with regard to the use of information and the information system. Before being granted access to the system and its information resources, users sign a confirmation that they have read, understood and agree to comply with the prescribed rules of behaviour.
  • Security planning: privacy assessment. The organization carries out an assessment of privacy requirements.
  • Acquisition of systems and services: policy and procedures.
    • an official documented policy for the acquisition of systems and services, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate the implementation of the policy and the associated controls for the acquisition of systems and services.
  • Acquisition of systems and services: allocation of resources. Determining, documenting and allocating the resources necessary for adequate protection of the information system is part of the organization's capital planning and investment management processes.
  • Acquisition of systems and services: life cycle support. The organization manages the information system using a life cycle support methodology that takes information security aspects into account.
  • Acquisition of systems and services: procurement. Procurement contracts include security requirements and/or specifications based on the results of the risk assessment.
  • The organization must ensure the availability and protection of adequate documentation on the information system and its components, and its distribution to the organization's authorized officials.
  • Acquisition of systems and services: restrictions on the use of software. The organization ensures compliance with the existing restrictions on the use of software.
  • Acquisition of systems and services: software installed by users. Explicitly formulated rules regarding the downloading and installation of software by users must be implemented.
  • Acquisition of systems and services: outsourced information services. It is necessary to ensure that external organizations providing information services apply adequate security controls that meet current legislation and the terms of the contract, and to monitor the adequacy of those controls.
  • Certification, accreditation and security assessment: policy and procedures. Development, distribution, periodic revision and updating of:
    • an official documented policy for security assessment, certification and accreditation, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational units and compliance with current legislation;
    • formal documented procedures that facilitate the implementation of the policy and the associated security assessment, certification and accreditation controls.
  • Certification, accreditation and security assessment: connections with other information systems. Authorization of all connections of the organization's information system with other information systems that lie outside the accreditation boundary, and constant tracking and control of those connections; signing, by authorized officials, of agreements on establishing connections between systems.
  • The organization assesses the security controls used in the information system to check how correctly they are implemented, whether they function in accordance with their specifications, and whether they give the expected results from the standpoint of fulfilling information security requirements.
  • Certification, accreditation and security assessment: schedule of corrective actions. The organization develops a schedule of actions and updates it at a given frequency. It describes the planned, implemented and evaluated corrective actions aimed at eliminating all deficiencies identified during the assessment of security controls and at reducing or eliminating known vulnerabilities of the information system.
  • Certification, accreditation and security assessment: accreditation. The organization explicitly authorizes (accredits) the commissioning of the information system and, at a given frequency but at least once every three years, carries out re-accreditation.
  • Certification, accreditation and security assessment: continuous monitoring. Continuous monitoring of the security controls in the information system.

Figure 5. Maintain the required security level

procedural safety regulators.

  • Personnel security: politics and procedures. Development, distribution, periodic revision and change:
    • officially documented personnel security policy, which presents the goal, coverage, roles, responsibilities, support for management, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures contributing to the life of policies and associate regulators of personnel security.
  • Personnel security: categorizing posts. With each position, a certain level of risk is associated and the criteria for selecting candidates for these posts are established. It is advisable at a given frequency to revise the established risk levels.
  • Personnel security: personnel selection. Before you provide access to information and information system, there is a check of persons who need similar access.
  • Personnel security: dismissal. The dismissed employee deprives access to IP, a final conversation is held with him, check the delivery of the entire state property, including keys, identification cards, passes, and are convinced that the relevant officials have access to official data created by the dismissed employee and stored in the information system .
  • Personnel security: travel staff. When moving an employee to another position, the organization revises the rights of access to IP and its resources provided to him, and provides appropriate actions, such as the manufacture of new keys, identification cards, skips, closing the old and institution of new system accounts, as well as the change of access rights.
  • Personnel Security: Access agreements. Before you provide access to information and information system, an employee in need of such access is drawn up with appropriate agreements (for example, the non-disclosure of information, the proper use of IP), as well as the rules of conduct, the company provides the signing of these agreements by the parties and with a given frequency revises them.
  • Personnel security: security requirements for third-party employees. The organization establishes security requirements, including roles and responsibilities, to employees of third-party organizations (service services, contractors, developers, providers of information services and systems management systems and networks) and monitors providing third-party organizations of an adequate level of information security.
  • Personnel security: sanctions. The company uses a formalized process of punishment of employees who have violated established security policies and procedures.
  • Physical Protection: Policy and Procedures. Developed, distributed, periodically revised and change:
    • official documented physical protection policy, which presents the goal, coverage, roles, responsibilities, support for management, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures contributing to the implementation of policies and associated regulators of physical protection.
  • Physical Protection: Authorization of Physical Access. The organizations are drawn up and supported up to date, lists of employees who have access to premises in which the components of the information system are located (except for rooms that are officially considered publicly available), relevant certificates (BEJJ, identification cards, intellectual cards) are issued; Relevant officials with a given frequency revise and approve lists and certificates.
  • Physical Protection: Managing Physical Access. It is necessary to control the points of physical access, including officially specific entry / output points, in the premises in which the components of the information system are located (except for rooms that are officially considered publicly available). It should be checked by law officials before allowing them to access. In addition, access to premises is controlled, officially considered publicly available, in accordance with the risk assessment.
  • Tracking physical access to the system in order to identify and respond to violations.
  • Physical access to the information system is monitored by the authentication of visitors before allowing to enter the premises where the components of the IC are located (except for rooms that are officially considered publicly available).
  • The company has supported journals visits to premises (except those are officially considered publicly available), where they are recorded:
    • surname, visitor name and organization name;
    • signature of the visitor;
    • submitted documents (identification form);
    • date and access time (input and output);
    • visit purpose;
    • surname, the name of the person visited and its organizational belonging; Relevant officials with a given frequency view visiting logs.
  • Physical Protection: Emergency Lighting. The company needs to use and maintain automatic emergency lighting systems, which are included in power interruptions and cover emergency outputs and evacuation paths.
  • Devices / fire extinguishing systems and fire detection systems are used.
  • Physical Protection: Temperature Control Means and Humidity. Tracking and maintained in permissible temperatures and humidity in rooms containing IP components.
  • It is necessary to protect the IP from flooding and leakage arising from damage to the water supply or by virtue of other reasons, ensuring the availability and health of the cranes, overlapping water, and informing the corresponding officials about the location of these cranes.
  • Physical protection: delivery and export. The organization is controlled by the delivery and export of the components of the information system (hardware and software) and supports information about the location of these components.
  • Continuity (uninterrupted operation) planning: policy and procedures. The organization develops, distributes, periodically revises and updates:
    • an official documented continuity planning policy, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures supporting the implementation of the policy and the associated continuity controls.
  • A continuity plan for the information system is developed that describes the roles and responsibilities of the responsible officials and gives their contact details. The plan also prescribes the actions to be performed when recovering the IS after damage or accidents. Relevant officials review and approve the plan and bring it to the attention of the employees responsible for continuity.
  • Continuity planning: changing the continuity plan. With a given frequency, but at least once a year, the organization revises the continuity plan for the information system to reflect changes in the structure of the IS or the organization and / or to eliminate problems identified during the plan's implementation, execution and / or testing.
  • With a given frequency, backups are made of the user and system data held in the information system (including IS state data); backup copies are stored in properly protected locations.
  • The organization uses mechanisms and supporting procedures that allow the information system to be restored after damage or accidents.
  • Configuration management: policy and procedures. The organization develops, distributes, periodically revises and updates:
    • an official documented configuration management policy, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures supporting the implementation of the policy and the associated configuration management controls.
  • The organization develops, documents and maintains the current baseline configuration of the information system, an inventory of IS components and the corresponding data about their owners.
  • In the organization:
    • mandatory settings for the information technology products used in the IS are approved;
    • the settings of information technology products are set to the most restrictive mode compatible with operational requirements;
    • the settings are documented;
    • proper settings of all components of the information system are ensured.
  • Maintenance: policy and procedures. The organization develops, distributes, periodically revises and updates:
    • an official documented maintenance policy, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures supporting the implementation of the policy and the associated maintenance controls.
  • Daily, preventive and regular maintenance of the components of the information system is planned, performed and documented in accordance with the manufacturer's or supplier's specifications and / or organizational requirements.
  • The organization authorizes, controls and monitors remotely performed maintenance and diagnostic activities.
  • Maintenance: maintenance personnel. A list of persons authorized to maintain the information system must be kept. Only authorized personnel perform IS maintenance.
  • System and data integrity: policy and procedures. The organization develops, distributes, periodically revises and updates:
    • an official documented system and data integrity policy, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures supporting the implementation of the policy and the associated system and data integrity controls.
  • System and data integrity: flaw remediation. Information system flaws are identified, reported and corrected.
  • The organization implements protection against malicious software in the information system, including the capability for automatic updates.
  • System and data integrity: security alerts and advisories. Security alerts and advisories about new threats to the IS must be tracked regularly, brought to the attention of the appropriate officials and properly acted upon.
  • Media protection: policy and procedures. The organization develops, distributes, periodically revises and updates:
    • an official documented media protection policy, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures supporting the implementation of the policy and the associated media protection controls.
  • It must be ensured that only authorized users have access to information in printed form or on digital media removed from the information system.
  • Media protection: sanitization and disposal. The organization:
    • sanitizes media (both paper and digital) before disposal or release for reuse;
    • tracks, documents and verifies media sanitization activity;
    • periodically tests sanitization equipment and procedures to make sure they work correctly.
  • Incident response: policy and procedures. The organization develops, distributes, periodically revises and updates:
    • an official documented policy for responding to information security incidents, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures supporting the implementation of the policy and the associated incident response controls.
  • The organization establishes structures for responding to information security incidents (an incident response team), covering training, detection and analysis, containment, eradication of the impact and recovery after incidents.
  • Information about information security incidents must be brought to the attention of authorized officials in a timely manner.
  • A structure is established for issuing recommendations and assisting IS users in responding to information security incidents and reporting them; this structure is an integral part of the incident response team.
  • Awareness and training: policy and procedures. The organization develops, distributes, periodically revises and updates:
    • an official documented staff awareness and training policy, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures supporting the implementation of the policy and the associated awareness and training controls.
  • Awareness and training: security awareness. It must be ensured that all users, including managers, receive basic information security awareness training before they are given access to the IS; such training should be repeated with a given frequency, but not less than once a year.
  • Awareness and training: security training. It is necessary to identify the officials who play an important role and carry significant responsibilities in ensuring the information security of the IS, document these roles and responsibilities, and give these persons appropriate training before granting them access to the IS. Such training should continue with a given frequency.
  • Awareness and training: documentation of security training. The organization documents and monitors the information security training of each employee, including the introductory course and the courses specific to the IS.
  • Awareness and training: contacts with information security groups and associations. It is advisable to establish and maintain contacts with groups, forums and associations specializing in information security in order to stay aware of the current state of information security and of recommended advanced protective measures, methods and technologies.
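The sanitization control above asks for three things: sanitize the medium, verify the result, and record the activity. The following is an added example, not from the original text, that runs that verify-and-record workflow against a constructed image file standing in for a removable medium (a real device needs its own sanitize command or a cryptographic erase; only the verification and record-keeping part is shown here):

```python
"""Overwrite-and-verify check for a media image, producing the sanitization record.

Added example, not from the original text. `path` is a constructed image file
standing in for a removable medium; a real device needs its own sanitize
command (or cryptographic erase), so this only shows the verify-and-document
part of the control.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16
PASSES = (0x00, 0xFF)  # overwrite patterns; verification expects the last one


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def _overwrite(path: str, value: int) -> None:
    """Fill the whole image with one byte value and push it to stable storage."""
    size = os.path.getsize(path)
    fill = bytes([value]) * CHUNK
    with open(path, "r+b") as f:
        left = size
        while left > 0:
            n = min(left, CHUNK)
            f.write(fill[:n])
            left -= n
        f.flush()
        os.fsync(f.fileno())


def verify_sanitized(path: str, value: int = PASSES[-1]) -> bool:
    """Read the image back and confirm every byte equals the final pattern."""
    fill = bytes([value]) * CHUNK
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block != fill[: len(block)]:
                return False
    return True


def sanitize_image(path: str, media_id: str, operator: str) -> dict:
    """Overwrite, verify, and return the record that the tracking log keeps."""
    before = _sha256(path)
    for value in PASSES:
        _overwrite(path, value)
    # Verified only if the read-back matches the final pattern AND the content changed.
    verified = verify_sanitized(path) and _sha256(path) != before
    return {
        "media_id": media_id,
        "method": f"overwrite-{len(PASSES)}pass",
        "patterns": [f"0x{v:02X}" for v in PASSES],
        "sha256_before": before,
        "sha256_after": _sha256(path),
        "verified": verified,
        "operator": operator,
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def make_constructed_image(size: int = 200_000) -> str:
    """Create a temporary image holding random content plus a recognizable marker."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size - 32) + b"CONSTRUCTED-SECRET-MARKER-000000")
    return path


if __name__ == "__main__":
    img = make_constructed_image()
    print(sanitize_image(img, media_id="USB-0001 (constructed)", operator="demo"))
    os.remove(img)
```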

At the minimum level of information security, it is recommended to apply the following technical (software and hardware) security controls.

  • Identification and authentication: policy and procedures. The organization develops, distributes, periodically revises and updates:
    • an official documented identification and authentication policy, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures supporting the implementation of the policy and the associated identification and authentication controls.
  • The information system unambiguously identifies and authenticates users (or processes acting on behalf of users).
  • Identification and authentication: identifier management. The organization manages user identifiers by:
    • uniquely identifying each user;
    • verifying the identity of each user;
    • obtaining formal authorization from authorized officials to issue a user identifier;
    • issuing the identifier to the intended user;
    • disabling the user identifier after a specified period of inactivity;
    • archiving user identifiers.
  • Identification and authentication: authenticator management. The organization manages the authenticators in the information system (tokens, public key infrastructure certificates, biometric data, passwords, key cards, etc.) by:
    • defining the initial content of authenticators;
    • establishing administrative procedures for the initial distribution of authenticators, for replacing lost, compromised or damaged authenticators, and for revoking authenticators;
    • changing the default authenticators after installation of the information system.
  • Identification and authentication: authenticator feedback. The information system obscures the echo display of authentication information during the authentication process to protect this information from possible use by unauthorized persons.
  • Identification and authentication: cryptographic module authentication. For authentication to cryptographic modules, the information system uses methods that meet the requirements of the standards for such modules.
  • Access control: policy and procedures. The organization develops, distributes, periodically revises and updates:
    • an official documented access control policy, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures supporting the implementation of the policy and the associated access controls.
  • The organization manages the accounts in the information system, including their creation, activation, modification, review (with a given frequency), disabling and removal.
  • The information system enforces the assigned privileges to control access to the system in accordance with the applicable policy.
  • Access control: unsuccessful login attempts. The information system enforces a specified limit on the number of consecutive unsuccessful access attempts by a user within a specified period of time; when the maximum permissible number of unsuccessful attempts is exceeded, it automatically locks the account for a given time or delays the next login prompt according to a given algorithm.
  • Access control: system use notification. Before granting access, the information system displays an officially approved warning message on the use of the system, informing potential users:
    • that the system belongs to the organization;
    • of the possible monitoring, logging and auditing of the system's use;
    • of the prohibition of, and possible penalties for, unauthorized use of the system;
    • that by using the system the user consents to monitoring and logging. The warning message contains the appropriate security policy provisions and remains on the screen until the user takes explicit action to log in to the IS.
  • Access control: supervision and review. The organization supervises and reviews the actions of users with respect to the enforcement and use of the access controls available in the IS.
  • Access control: permitted actions without identification and authentication. The organization defines the specific user actions that may be performed in the information system without identification and authentication.
  • All types of remote access to the IS (for example, via dial-up modem or via the Internet) are documented, monitored and controlled, including remote access for performing privileged actions; relevant officials authorize the use of each type of remote access and permit it only for those users who need it.
  • The organization:
    • establishes usage restrictions and manages the implementation of wireless technologies;
    • documents, monitors and controls wireless access to the IS; relevant officials authorize the use of wireless technologies.
  • Access control: personal information systems. The use of personal information systems for production needs, including the processing, storage and transmission of production information, is restricted.
  • Logging and auditing: policy and procedures. The organization develops, distributes, periodically revises and updates:
    • an official documented logging and auditing policy, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures supporting the implementation of the policy and the associated logging and auditing controls.
  • Logging and auditing: logged events. The information system generates audit records for the specified events.
  • The information system stores enough information in each audit record to establish what event occurred, what the source of the event was and what the outcome of the event was.
  • Logging and auditing: storage capacity for audit information. Sufficient storage capacity for audit information must be allocated, and logging must be configured so as to prevent exhaustion of that capacity.
  • In the event of a logging failure or exhaustion of the audit storage capacity, the information system alerts the relevant officials and takes the specified additional actions.
  • Logging and auditing: protection of audit information. The information system protects audit information and the logging / auditing tools from unauthorized access, modification and deletion.
  • Logging and auditing: retention of audit information. Audit information should be retained for a specified time to support investigations of past information security incidents and to meet the requirements of current legislation and the organizational requirements for information retention.
  • System and communications protection: policy and procedures. The organization develops, distributes, periodically revises and updates:
    • an official documented system and communications protection policy, which sets out the purpose, scope, roles, responsibilities, management support, coordination among organizational structures and compliance with current legislation;
    • formal documented procedures supporting the implementation of the policy and the associated system and communications protection controls.
  • System and communications protection: denial of service protection. The information system protects against, or limits the effects of, the specified types of attacks on availability.
  • The information system monitors and controls communications at the external boundary and at the key internal boundaries of the IS.
  • System and communications protection: use of approved cryptography. If cryptographic means are used in the information system, they must meet the requirements of current legislation, technical regulations, standards, guidelines and regulatory documents, and sectoral and organizational standards.
  • System and communications protection: protection of publicly accessible systems. The information system ensures the integrity of data and applications on publicly accessible systems.
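The "unsuccessful login attempts" control above leaves the limit, the window, and the choice between locking and delaying to the organization. The following is an added example, not from the original text, of a throttle that implements both variants; the thresholds are constructed defaults and `now` is passed in explicitly so the behaviour can be traced:

```python
"""Consecutive-failure limit with account lock or growing delay.

Added example, not from the original text; the thresholds are constructed
defaults and `now` is passed in explicitly so the behaviour can be traced.
The caller is expected to call check() before presenting a login prompt and
record_failure()/record_success() after each attempt.
"""
from __future__ import annotations

import time
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    max_attempts: int = 5        # permitted consecutive failures inside the window
    window: float = 900.0        # seconds within which failures count as consecutive
    lockout: float = 1800.0      # "lock" mode: lock duration once the limit is exceeded
    base_delay: float = 2.0      # "delay" mode: first delay, doubled per further failure
    mode: str = "lock"           # "lock" or "delay"
    _failures: dict = field(default_factory=dict)       # user -> deque of failure times
    _blocked_until: dict = field(default_factory=dict)  # user -> time the block ends

    def _recent(self, user: str, now: float) -> deque:
        q = self._failures.setdefault(user, deque())
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return q

    def check(self, user: str, now: float | None = None) -> tuple[bool, float]:
        """May a login prompt be issued to `user` now?  Returns (allowed, wait_seconds)."""
        now = time.time() if now is None else now
        until = self._blocked_until.get(user, 0.0)
        return (True, 0.0) if until <= now else (False, until - now)

    def record_failure(self, user: str, now: float | None = None) -> tuple[bool, float]:
        """Register a failed attempt; returns (still_allowed, wait_seconds)."""
        now = time.time() if now is None else now
        q = self._recent(user, now)
        q.append(now)
        if len(q) <= self.max_attempts:
            return True, 0.0
        if self.mode == "lock":
            wait = self.lockout
        else:
            # Exponential back-off: 1x, 2x, 4x ... the base delay per extra failure.
            wait = self.base_delay * 2 ** (len(q) - self.max_attempts - 1)
        self._blocked_until[user] = now + wait
        return False, wait

    def record_success(self, user: str) -> None:
        """A successful authentication ends the failure run."""
        self._failures.pop(user, None)
        self._blocked_until.pop(user, None)
```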
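The three logging and auditing controls on record content, storage capacity and the reaction to exhaustion fit together in one component. The following is an added example, not from the original text, of an audit log that refuses records lacking event, source and outcome, alerts when storage passes a threshold, and either halts or overwrites the oldest records when it is full; the capacity figures and the alert callback (standing in for notifying officials) are constructed:

```python
"""Audit records with the minimum content, under a storage capacity guard.

Added example, not from the original text. Capacity, warning threshold and the
two exhaustion actions ("halt" logging or "overwrite" the oldest records) are
constructed parameters; the alert callback stands in for notifying officials.
"""
import json
from datetime import datetime, timezone
from typing import Callable, Optional

REQUIRED_FIELDS = ("time", "event", "source", "outcome")


class AuditStoreExhausted(Exception):
    """Raised in "halt" mode when a record cannot be stored."""


def validate_record(rec: dict) -> dict:
    """Reject a record that cannot say what happened, from where, with what result."""
    missing = [k for k in REQUIRED_FIELDS if not rec.get(k)]
    if missing:
        raise ValueError(f"audit record missing {missing}")
    return rec


def _utc_now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


class AuditLog:
    def __init__(self, capacity_bytes: int, warn_ratio: float = 0.8,
                 on_alert: Optional[Callable[[str], None]] = None,
                 on_exhausted: str = "halt",
                 clock: Callable[[], str] = _utc_now) -> None:
        self.capacity = capacity_bytes
        self.warn_ratio = warn_ratio
        self.on_alert = on_alert or (lambda msg: None)
        self.on_exhausted = on_exhausted      # "halt" or "overwrite"
        self.clock = clock                    # injectable for deterministic tests
        self.lines: list = []                 # serialized records, oldest first
        self.used = 0                         # bytes consumed so far
        self._warned = False

    def record(self, event: str, source: str, outcome: str, **details) -> dict:
        rec = validate_record({"time": self.clock(), "event": event,
                               "source": source, "outcome": outcome, **details})
        line = json.dumps(rec, sort_keys=True) + "\n"
        size = len(line.encode("utf-8"))
        if self.used + size > self.capacity:
            self.on_alert(f"audit storage exhausted: {self.used}/{self.capacity} bytes")
            if self.on_exhausted != "overwrite":
                raise AuditStoreExhausted(f"cannot store {event!r} from {source!r}")
            while self.lines and self.used + size > self.capacity:   # drop oldest
                self.used -= len(self.lines.pop(0).encode("utf-8"))
        self.lines.append(line)
        self.used += size
        if not self._warned and self.used >= self.warn_ratio * self.capacity:
            self._warned = True
            self.on_alert(f"audit storage at {self.used}/{self.capacity} bytes")
        return rec
```

Choosing "halt" makes the system stop rather than run unaudited, which is the safer default where the page's "specified additional actions" are not yet decided.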

Additional and enhanced security controls for the moderate level of information security

For the moderate level of information security, it is advisable to apply the following additional and enhanced (compared to the minimum level) security controls.

  • With a given frequency, or when information appears about new vulnerabilities critical for the IS, the information system must be scanned for vulnerabilities.
  • Security planning: security-related activity planning. Proper planning and coordination of security-related activities affecting the information system is ensured, in order to minimize the negative impact on the operations and assets of the organization (including its mission, functions, image and reputation).
  • System and services acquisition: documentation. The general documentation package must include documentation from the manufacturer / supplier (if available) describing the functional properties of the security controls employed in the information system in sufficient detail to make it possible to analyze and test the controls.
  • System and services acquisition: security design principles. The information system is designed and implemented using information security design principles.
  • System and services acquisition: developer security testing. The developer of the information system draws up a security testing and assessment plan, implements it and documents the results; the latter may be used to support security certification and accreditation of the delivered IS.
  • Certification, accreditation and security assessment: security assessment. With a given frequency, but at least once a year, it is advisable to assess the security controls in the information system to determine how correctly they are implemented, whether they operate in accordance with their specifications and whether they produce the expected results with respect to meeting the information security requirements.
  • Certification, accreditation and security assessment: security certification. Assessment of the security controls in the information system for the purpose of certification against security requirements is performed by an independent certifying organization.
  • Physical protection: access control for information display devices. Physical access to information display devices is controlled in order to protect them from viewing by unauthorized persons.
  • Physical protection: monitoring physical access. Incoming intrusion alarms and data from surveillance devices are monitored in real time.
  • Physical protection: visitor control. Visitors are escorted and, where necessary, their activity is monitored.
  • Physical protection: power equipment and cabling. Power equipment and cabling for the information system are protected from damage and destruction.
  • Physical protection: emergency shutdown. For certain rooms in which information system resources are concentrated (data processing centers, server rooms, mainframe machine rooms, etc.), it must be possible to cut off power to any IS component that has failed (for example, due to a short circuit) or is endangered (for example, due to a burst water pipe), without endangering the personnel involved in accessing the equipment.
  • Short-term uninterruptible power supplies are provided to allow the information system to be shut down in an orderly manner in the event of a loss of the main power supply.
  • Physical protection: fire protection. Fire suppression and fire detection devices / systems that are triggered automatically in the event of a fire must be employed and maintained.
  • Physical protection: alternate work site. Employees of the organization at the alternate work site use the appropriate security controls for the IS.
  • Physical protection: location of information system components. The components of the information system should be positioned within the designated areas so as to minimize potential damage from physical risks and environmental threats, as well as the possibility of unauthorized access.
  • Continuity planning: continuity plan. The organization coordinates the development of the continuity plan with the structures responsible for related plans (for example, disaster recovery plans, incident response plans, etc.).
  • The organization trains employees in their roles and responsibilities for ensuring the uninterrupted operation of the information system and, with a given frequency but not less than once a year, holds exercises to maintain practical skills.
  • With a given frequency, but at least once a year, the organization tests the continuity plan for the information system. For this, the specified tests and exercise procedures are applied to determine the effectiveness of the plan and the readiness of the organization to implement it. The appropriate officials review the results of plan testing and initiate corrective actions. The organization coordinates the testing of the continuity plan with the structures responsible for related plans (for example, disaster recovery plans, incident response plans, etc.).
  • An alternate storage site must be defined and the necessary agreements concluded to make it possible to store backup copies of the information system data; the alternate storage site should be separated from the primary one so as not to be exposed to the same hazards.
  • An alternate data processing site is defined and the necessary agreements are initiated to make it possible to resume the critical production functions of the information system within a specified period of time if the primary data processing facilities are unavailable. The alternate data processing site is geographically separated from the primary one and is therefore not subject to the same hazards. Potential problems with access to the alternate data processing site in the event of large-scale accidents or natural disasters are identified, and explicit actions to mitigate the identified problems are planned. The agreement on the alternate data processing site contains priority-of-service commitments in accordance with the organization's availability requirements.
  • The primary and alternate sources of telecommunication services supporting the information system are defined. The necessary agreements are initiated to make it possible to resume the critical production functions of the information system within a specified period of time if the primary source of telecommunication services is unavailable. The agreements with the primary and alternate sources of telecommunication services contain priority-of-service commitments in accordance with the organization's availability requirements. The alternate source of telecommunication services does not share a single point of failure with the primary source.
  • Continuity planning: backups. With a given frequency, the organization tests backup copies to verify the reliability of the media and the integrity of the data.
  • Configuration management: baseline configuration and inventory of information system components. When new components are installed, the baseline configuration of the information system and the inventory of components are updated.
  • Changes to the information system are documented and controlled; relevant officials authorize IS changes in accordance with the adopted policies and procedures.
  • Configuration management: monitoring configuration changes. Changes to the information system must be tracked and their security impact analyzed to determine the effect of the changes.
  • The organization enforces the physical and logical access restrictions associated with changes to the information system, and generates, retains and reviews records reflecting all such changes.
  • The information system should be configured to provide only the necessary capabilities, and the use of certain functions, ports, protocols and / or services should be explicitly prohibited and / or restricted.
  • Maintenance: periodic maintenance. A maintenance log for the information system is kept, which records:
    • the date and time of maintenance;
    • the surname and name of the person who performed the maintenance;
    • the surname and name of the escort, where required;
    • a description of the maintenance operations performed on the IS;
    • a list of the equipment removed or replaced (with identification numbers).
  • The organization authorizes, controls and monitors the use of information system maintenance tools and maintains these tools on an ongoing basis.
  • Maintenance: timely maintenance. The organization obtains maintenance support and spare parts for the key components of the information system within a specified period of time.
  • System and data integrity: protection against malicious software. Malicious software protection mechanisms are managed centrally.
  • System and data integrity: information system monitoring tools and techniques. Tools and techniques are applied to monitor events in the information system, detect attacks and identify unauthorized use of the IS.
  • Spam protection is implemented in the information system.
  • System and data integrity: data input restrictions. The organization grants the right to input data into the information system only to authorized persons.
  • System and data integrity: accuracy, completeness, validity and authenticity of data. The information system checks data for accuracy, completeness, validity and authenticity.
  • System and data integrity: error handling. The information system explicitly identifies and handles error conditions.
  • System and data integrity: output handling and retention. The output of the information system is handled and retained in accordance with the adopted policies and operational requirements.
  • Media protection: media labeling. Removable data media and IS output are marked with external labels stating the distribution and handling restrictions for the data; specified types of media or hardware components are exempt from labeling as long as they remain within the controlled area.
  • Media protection: media storage. Data media, paper and digital, are physically controlled and securely stored according to the highest category assigned to the data recorded on the media.
  • Media protection: media transport. Data media, paper and digital, are controlled, and the sending, receiving, transporting and delivery of media are restricted to authorized persons.
  • The organization trains employees in their roles and responsibilities for responding to IS information security incidents and, with a given frequency but not less than once a year, conducts exercises to maintain practical skills.
  • With a given frequency, but at least once a year, the IS information security incident response capability is tested using the specified tests and exercise procedures to determine the effectiveness of the response. The results are documented.
  • Incident response: incident handling. Automated mechanisms are applied to support the information security incident handling process.
  • Information security incidents must be continuously tracked and documented.
  • Incident response: incident reporting. Automated mechanisms are used to facilitate the reporting of information security incidents.
  • Incident response: incident response assistance. Automated mechanisms are used to increase the availability of information and support associated with information security incident response.
  • Identification and authentication: device identification and authentication. The information system identifies and authenticates specified devices before establishing a connection with them.
  • Access control: account management. Automated mechanisms are applied to support account management in the information system; the information system automatically terminates temporary and emergency accounts after the time interval specified for each type of account; the information system automatically disables inactive accounts after the specified period of time.
  • Access control: access enforcement. The information system ensures that access to security functions (implemented in hardware and / or software) and to security-relevant data is granted only to authorized persons (for example, security administrators).
  • Access control: information flow enforcement. The information system enforces the assigned privileges to control information flows within the system and between interconnected systems in accordance with the adopted security policy.
  • Access control: separation of duties. The information system implements separation of duties through the assignment of access privileges.
  • Access control: least privilege. The information system enforces the most restrictive set of access rights / privileges required by users (or processes acting on behalf of those users) to perform their tasks.
  • Access control: session lock. The information system prevents further access to the IS by locking the session until the user regains access by applying the appropriate identification and authentication procedures.
  • Access control: session termination. The information system automatically terminates the session after the specified period of inactivity.
  • Access control: permitted actions without identification and authentication. The organization permits actions to be performed without identification and authentication only when they are necessary to achieve the key objectives of the organization.
  • Access control: remote access. Automated mechanisms are applied to facilitate the monitoring and control of remote access methods, and encryption is applied to protect the confidentiality of remote access sessions. All remote access must be controlled through a managed access control point.
  • Access control: wireless access restrictions. Authentication and encryption are applied to protect wireless access to the information system.
  • Access control: mobile devices. The organization:
    • establishes usage restrictions and develops guidelines for the use of mobile devices;
    • documents, monitors and controls access to the IS through such devices; relevant officials authorize the use of mobile devices; removable hard drives or cryptography are used to protect the data held on mobile devices.
  • Logging and auditing: Content registration records. The information system provides the possibility of inclusion in registration records of additional, more detailed information for logoble events identifiable by type, place or subject.
  • It is necessary to regularly study / analyze registration information in order to identify inadequate or atypical activity, investigate cases of suspicious activity or alleged violations, report on the results to relevant officials and take the necessary actions.
  • The information system provides the ability to reduce registration information and generating reports.
  • Logging and auditing: Time Tags. The information system provides time stamps for use when generating registration records.
  • Protection of systems and communications: Application separation. The information system shares user interface (including user interface services) from IP control functionality.
  • Protection of systems and communications: residual information. The information system prevents unauthorized and unassigned transmission of information through shared system resources.
  • Protection of systems and communications: protection of borders. It is advisable to physically place the public components of the information system (for example, publicly available Web servers) in separate subnets with individual physical network interfaces, prevent public access to the internal network, with the exception of properly controlled access.
  • The information system protects the integrity of the transmitted data.
  • The information system protects the confidentiality of the transmitted data.
  • Protection of systems and communications: rupture of network connections. The information system terminates the network connection at the end of the session or after the specified inactivity period.
  • Protection of systems and communications: Cryptographic key generation and management of them. The information system applies automatic mechanisms and auxiliary procedures or manual procedures to generate cryptographic keys and key management.
  • Protection of systems and communications: collective applications. The information system prohibits remote activation of collective application mechanisms (for example, video or audio conferencing) and provides explicit evidence of their use to local users (for example, indicating the use of video cameras or microphones).
  • Protection of systems and communications: Public key infrastructure certificates. The organization develops and implements policies for certificates and certification practice specification for issuing public key certificates used in the information system.
  • Protection of systems and communications: Mobile code. Organization:
    • establishes restrictions on the application and develops guidelines for the use of mobile code technologies based on the possibility of damaging the information system in the malicious use of these technologies;
    • documents, monitors and controls the use of a mobile code in the information system; Relevant officials authorize the use of mobile code.
  • Protection of systems and communications: VoIP protocol. Organization:
    • establishes restrictions on the application and develops guidelines for the use of VoIP technologies, based on the possibility of damaging the information system in the malicious use of these technologies;
    • documents, monitors and controls the use of VoIP in the information system; Relevant officials authorize the use of VoIP.
  • Protection of systems and communications: Safety Name Search Service (Authorized Sources). Information systems (authorized domain name servers), providing external users to access the names for accessing the information resources of the organization via the Internet, provide attributes to authenticate the data source and monitor data integrity to give users the opportunity to receive authenticity and integrity messages when receiving data within Network transactions.
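The network disconnect control above (a connection is terminated at the end of the session or after a period of inactivity) is normally enforced by a session manager. The following Python is an added example, not code from the document: a minimal session controller that terminates idle sessions, also enforces the per-user limit on parallel sessions listed among the high-level access control requirements later on this page, and writes a time-stamped registration record for every decision. The class and event names, the frame of the API and the injectable clock are assumptions of the example.

```python
"""Session controls: inactivity termination and a per-user limit on parallel
sessions, with a time-stamped registration record for every decision.
Added example; names and the shape of the API are assumptions, not the
document's own."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Session:
    session_id: str
    user: str
    last_activity: float  # seconds since the epoch, from the controller's clock


@dataclass
class AuditRecord:
    timestamp: float          # time stamp for the registration record
    event: str                # SESSION_OPEN, SESSION_DENIED or SESSION_CLOSE
    user: str
    session_id: Optional[str]
    detail: str = ""


class SessionController:
    """Enforces max_parallel sessions per user and terminates sessions idle
    for longer than idle_timeout seconds. The clock is injectable so that the
    behaviour can be driven deterministically in tests."""

    def __init__(self, max_parallel: int, idle_timeout: float,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_parallel = max_parallel
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.sessions: Dict[str, Session] = {}
        self.audit: List[AuditRecord] = []
        self._seq = 0

    def _log(self, event: str, user: str, session_id: Optional[str] = None,
             detail: str = "") -> None:
        self.audit.append(AuditRecord(self.clock(), event, user, session_id, detail))

    def active_sessions(self, user: str) -> List[Session]:
        return [s for s in self.sessions.values() if s.user == user]

    def reap_idle(self) -> List[str]:
        """Terminate every session whose inactivity exceeds the timeout."""
        now = self.clock()
        expired = [sid for sid, s in self.sessions.items()
                   if now - s.last_activity > self.idle_timeout]
        for sid in expired:
            self.close_session(sid, reason="inactivity timeout")
        return expired

    def open_session(self, user: str) -> Optional[str]:
        """Return a new session id, or None when the user's limit is reached.
        Idle sessions are reaped first so that a stale session cannot block
        a legitimate new login."""
        self.reap_idle()
        if len(self.active_sessions(user)) >= self.max_parallel:
            self._log("SESSION_DENIED", user, detail="parallel session limit reached")
            return None
        self._seq += 1
        sid = f"s{self._seq}"
        self.sessions[sid] = Session(sid, user, self.clock())
        self._log("SESSION_OPEN", user, sid)
        return sid

    def touch(self, session_id: str) -> bool:
        """Record activity on a session; False if it no longer exists."""
        s = self.sessions.get(session_id)
        if s is None:
            return False
        s.last_activity = self.clock()
        return True

    def close_session(self, session_id: str, reason: str = "end of session") -> bool:
        """Terminate a session and record why."""
        s = self.sessions.pop(session_id, None)
        if s is None:
            return False
        self._log("SESSION_CLOSE", s.user, session_id, reason)
        return True


if __name__ == "__main__":
    # Constructed scenario: two parallel sessions allowed, 300 s idle timeout.
    t = [1000.0]
    ctl = SessionController(max_parallel=2, idle_timeout=300, clock=lambda: t[0])
    a, b = ctl.open_session("alice"), ctl.open_session("alice")
    print("third login:", ctl.open_session("alice"))   # None: limit reached
    t[0] += 200
    ctl.touch(a)                                        # a is active, b stays idle
    t[0] += 200
    print("reaped:", ctl.reap_idle())                   # ['s2']: b idle for 400 s
    for rec in ctl.audit:
        print(rec.timestamp, rec.event, rec.user, rec.session_id, rec.detail)
```

Reaping idle sessions before counting a user's active ones is the design point worth noting: without it, a user whose earlier session was abandoned would be locked out until the timeout sweep happened to run, and the denial records would be misleading.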

Additional and enhanced security controls for the high level of information security

For the high level of information security, it is recommended to apply the following additional and enhanced (compared with the moderate level) security controls.

  • Risk assessment: vulnerability scanning. Vulnerability scanners include the ability to readily update the list of information system vulnerabilities scanned for. At a given frequency, or when information about new critical vulnerabilities appears, the organization updates the list of information system vulnerabilities scanned for.

  • System and services acquisition: documentation. The general documentation package (if any) should include manufacturer/supplier documentation describing the design and implementation of the security controls employed in the information system, in sufficient detail to permit analysis and testing of the controls (including the functional interfaces between control components).
  • System and services acquisition: developer configuration management. The information system developer creates and implements a configuration management plan that controls changes to the system during development, tracks security flaws, requires authorization of changes, and provides documentation of the plan and its implementation.
  • Physical protection: access control for transmission lines. Physical access to the distribution and transmission lines belonging to the IS and located within protected boundaries is controlled to prevent accidental damage, eavesdropping, in-transit modification, disruption or physical tampering with the lines.
  • Physical protection: monitoring physical access. Automated mechanisms are used to recognize potential intrusions and to initiate a response to them.
  • Physical protection: access logging. Automated mechanisms are used to facilitate the maintenance and review of access logs.
  • Physical protection: emergency power supply. A long-term alternate power supply must be provided for the information system, capable of maintaining the minimum required operational capability in the event of an extended failure of the primary power source.
  • Physical protection: fire protection. Fire suppression and fire detection devices/systems that automatically notify the organization and emergency services are employed and maintained.
  • Physical protection: protection against flooding. Automated mechanisms are used to shut off the water supply automatically in the event of a major leak.
  • Continuity planning: training. Simulated events are included in training courses to help employees respond effectively to possible crisis situations.
  • Continuity planning: testing the continuity plan. The continuity plan is tested at the alternate production site to familiarize employees with the facilities and resources available there and to evaluate the site's ability to maintain continuity of operations.
  • Continuity planning: alternate storage site. The alternate storage site is configured to facilitate timely and effective recovery; potential problems with access to the alternate storage site in the event of a large-scale accident or natural disaster are identified, and explicit actions to mitigate the identified problems are planned.
  • Continuity planning: alternate processing site. The alternate processing site is fully configured to support the minimum required operational capability and is ready for use as a production site.
  • Continuity planning: telecommunication services. The alternate source of telecommunication services should be sufficiently separated geographically from the primary one so as not to be exposed to the same hazards; the primary and alternate providers of telecommunication services have adequate continuity plans.
  • Continuity planning: backup. Backups are used to restore information system functions as part of continuity plan testing. Backup copies of the operating system and other critical software are stored at a separate site or in a fire-resistant container located apart from the operational software.
  • Continuity planning: information system recovery. The organization includes full recovery of the information system as part of continuity plan testing.
  • Configuration management: baseline configuration and inventory of information system components. Automated mechanisms are used to maintain an up-to-date, complete, accurate and readily available baseline configuration of the information system and inventory of its components.
  • Configuration management: monitoring configuration changes. Automated mechanisms are used to:
    • document proposed changes to the information system;
    • notify the relevant officials;
    • draw attention to approvals that have not been received promptly;
    • defer changes until the necessary approvals have been obtained;
    • document the changes made to the information system.
  • Configuration management: access restrictions for changes. Automated mechanisms are used to enforce access restrictions and to support logging of the restricted actions.
  • Configuration management: settings. Automated mechanisms are used for centralized management, application and verification of configuration settings.
  • Configuration management: minimizing functionality. At a given frequency, the information system is reviewed to identify and remove functions, ports, protocols and other services that are not necessary.
  • Maintenance: periodic maintenance. Automated mechanisms are used to ensure that periodic maintenance is scheduled and carried out in accordance with the established requirements, and that records of required and completed maintenance actions are up to date, accurate, complete and available.
  • Maintenance: maintenance tools. All maintenance tools (for example, diagnostic and test equipment) brought onto the organization's premises by maintenance personnel must be inspected for visible improper modifications. All media containing diagnostic test programs (for example, software used for system maintenance and diagnostics) must be checked for malicious software before the media are used in the information system. All equipment used for maintenance purposes and capable of retaining information must be checked to make sure that no information belonging to the organization is recorded on it, or that the equipment has been properly sanitized before reuse. If the equipment cannot be sanitized, it remains on the organization's premises or is destroyed, except in cases explicitly authorized by the relevant officials.
  • Maintenance: remote maintenance. All remote maintenance sessions are logged, and the relevant officials review the log of remote sessions. The installation and use of remote diagnostic channels are reflected in the security plan of the information system. Remote diagnostic or maintenance services are permissible only if the service organization maintains in its own information system at least the same level of security as the system being serviced.
  • Integrity of systems and data: protection against malicious software. The information system automatically updates its malicious software protection mechanisms.
  • Integrity of systems and data: verification of security functionality. Within the limits of its technical capabilities, the information system verifies the correct operation of its security functions at system startup or restart, on the command of an authorized user, and/or periodically at a given frequency, and notifies the system administrator and/or shuts down or restarts the system when any anomalies are detected.
  • Integrity of systems and data: integrity of software and data. The information system detects and protects against unauthorized changes to software and data.
  • Integrity of systems and data: protection against spam. The organization centrally manages spam protection mechanisms.
  • Protection of media: media access. Either security guards or automated mechanisms are used to control access to media storage areas, ensuring protection against unauthorized access and logging of access attempts and access granted.
  • Incident response: training. Simulated events are included in training courses to help employees respond effectively to possible crisis situations.
  • Incident response: testing. Automated mechanisms are used for more thorough and effective testing of the response capability.
  • Incident response: monitoring. Automated mechanisms are used to facilitate the tracking of security incidents and the collection and analysis of incident information.
  • Identification and authentication: user identification and authentication. The information system uses multifactor authentication.
  • Access control: account management. Automated mechanisms are used to log, and where necessary notify the appropriate persons of, the creation, modification, disabling and termination of accounts.
  • Access control: concurrent session control. The information system limits the number of parallel sessions for a single user.
  • Access control: supervision and review. Automated mechanisms are used to facilitate the review of user activity.
  • Access control: automatic marking. The information system marks output using standard naming conventions to identify any special dissemination, handling or distribution instructions for the data.
  • Logging and auditing: content of registration records. The information system provides the ability to centrally manage the content of the registration records generated by the individual components of the IS.
  • Logging and auditing: processing of registration information. The information system issues a warning message when the share of the storage space allocated for registration information that is in use reaches a specified value.
  • Logging and auditing: monitoring, analysis and reporting of registration information. Automated mechanisms are used to integrate the monitoring, analysis and reporting of registration information into the overall process of identifying and responding to suspicious activity.
  • Logging and auditing: reduction of registration information and report generation. The information system provides the ability to automatically process registration information about events of interest, based on specified selection criteria.
  • Protection of systems and communications: isolation of security functions. The information system isolates security functions from other functions.
  • Protection of systems and communications: integrity of transmitted data. Cryptographic mechanisms are used to detect changes to data in transit unless the data are protected by alternative physical measures (for example, a protective distribution system).
  • Protection of systems and communications: confidentiality of transmitted data. Cryptographic mechanisms are used to prevent unauthorized disclosure of information in transit unless it is protected by alternative physical measures (for example, a protective distribution system).
  • Protection of systems and communications: secure name resolution service (name resolution for internal users). Information systems (authoritative domain name servers) that provide name resolution to internal users for access to information resources supply mechanisms for data origin authentication and data integrity verification, and also perform these actions at the request of client systems.
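The two transmitted-data controls in the list above call for cryptographic mechanisms to detect changes in transit and to prevent disclosure. As an added example (not code from the document), the following Python shows the integrity side using only the standard library: the sender appends an HMAC-SHA256 tag computed over a sequence number and the payload, and the receiver verifies the tag in constant time and rejects replayed or reordered frames. The frame format, the key and the messages are constructed for the example. The confidentiality control would additionally encrypt the payload (an AEAD cipher would cover both properties at once); that part is not shown.

```python
"""Integrity of transmitted data with a keyed MAC (HMAC-SHA256, standard
library only). Added example, not taken from the document; the frame
format, key and messages are constructed for illustration."""
import hashlib
import hmac
import os
import struct

SEQ_LEN = 8   # big-endian 64-bit sequence number
MAC_LEN = 32  # HMAC-SHA256 tag length


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side. Frame = seq || payload || HMAC(key, seq || payload).
    Covering the sequence number lets the receiver detect replays and
    reordering, not only modification of the payload."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verifies the tag in constant time before trusting any
    field of the frame, then checks that the sequence number is the one
    expected next."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.expected_seq = 0

    def unprotect(self, frame: bytes) -> bytes:
        if len(frame) < SEQ_LEN + MAC_LEN:
            raise ValueError("frame too short")
        header, payload, tag = (frame[:SEQ_LEN], frame[SEQ_LEN:-MAC_LEN],
                                frame[-MAC_LEN:])
        expected_tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected_tag):
            raise ValueError("integrity check failed")
        (seq,) = struct.unpack(">Q", header)
        if seq != self.expected_seq:
            raise ValueError(f"unexpected sequence number {seq}")
        self.expected_seq += 1
        return payload


def _rejected(rx: Receiver, frame: bytes) -> bool:
    """True if the receiver refuses the frame."""
    try:
        rx.unprotect(frame)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Constructed exchange: one genuine frame, one frame altered in transit,
    and one replay of a genuine frame. Returns whether each check behaved
    as expected."""
    key = os.urandom(32)  # demo key; in practice it comes from the key management process
    rx = Receiver(key)
    msg = b"transfer 100 to account 42"
    results = {}
    results["genuine_accepted"] = rx.unprotect(protect(key, 0, msg)) == msg
    altered = bytearray(protect(key, 1, msg))
    altered[SEQ_LEN + 9] = ord("9")  # payload now reads "transfer 900 ..."
    results["tampered_rejected"] = _rejected(rx, bytes(altered))
    genuine = protect(key, 1, msg)
    rx.unprotect(genuine)                       # accepted once
    results["replay_rejected"] = _rejected(rx, genuine)
    return results


if __name__ == "__main__":
    print(demo())  # {'genuine_accepted': True, 'tampered_rejected': True, 'replay_rejected': True}
```

Two details matter for the control to hold: the tag is compared with hmac.compare_digest rather than ==, so verification time does not leak how many tag bytes matched, and the sequence number is only trusted after the tag has been verified, so an attacker cannot manipulate the receiver's window with a forged header.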

Minimum assurance requirements for security controls

Minimum assurance requirements for security controls are imposed on specific processes and actions. The specialists who develop and implement the controls define and carry out these processes and actions to increase confidence that the controls are implemented correctly, operate in accordance with their specifications and produce the expected results with respect to meeting the information security requirements.

At the minimum level of information security, it is necessary that the security controls are in place and satisfy the functional requirements explicitly stated in their definition.

At the moderate level of information security, the following conditions must be met. The specialists who develop (implement) the controls provide a description of their functional properties in sufficient detail to permit analysis and testing of the controls. As an integral part of the controls, the developers document and provide the assignment of responsibilities and the specific actions by which the controls are to meet the functional requirements after development (implementation). The technology with which the controls are developed should support a high degree of confidence in their completeness, consistency and correctness.

Figure 6. Ensuring information security. Process approach.

At the high level of information security, in addition to the above, a description of the design and implementation of the controls must be provided, including the functional interfaces between their components. Developers are required to provide evidence that, after development (implementation) is complete, the controls will meet their requirements continuously and consistently across the entire information system, and that the possibility of improving the effectiveness of the controls will be supported.

Conclusion

Ensuring information security is a complex, multidimensional process that requires many decisions and the analysis of many, sometimes contradictory, factors and requirements. The existence of categories and minimum security requirements, together with a predefined catalog of security controls, can serve as the basis for a systematic approach to information security, an approach that requires reasonable labor and material costs and can deliver practically acceptable results for most organizations.

Mikhail Coptenkov | © M. Koptenkov

Information security is the state of protection of the information environment. Information security should be regarded as a set of measures among which it is impossible to single out more or less important ones. The concept of information security is closely related to the concept of information protection, which is the activity of preventing the leakage of protected information and unauthorized or unintended impacts on it, i.e., the process aimed at achieving a state of information security. However, before protecting information, it is necessary to determine which information should be protected and to what extent. For this, categorization (classification) of information is used, i.e., establishing gradations of the importance of ensuring information security and assigning specific information resources to the corresponding categories. Thus, categorization of information can be called the first step towards ensuring the organization's information security.

Historically, information has been classified by its level of secrecy (confidentiality). At the same time, availability and integrity requirements are often not taken into account at all, or are covered only by the general requirements for information processing systems. This is a wrong approach. In many areas the share of confidential information is relatively small. For open information, whose disclosure causes no damage, the most important properties are availability, integrity and protection from unlawful copying. An example is an online store, for which it is important to keep the company's website constantly available. Based on the need to ensure different levels of information security, various categories of confidentiality, integrity and availability can be introduced.

1. Categories of confidentiality of protected information

Confidentiality of information is the property of information indicating the need to restrict the circle of persons who have access to it.
The following confidentiality categories of information are introduced:
Strictly confidential information - information that is confidential in accordance with the requirements of legislation, as well as information on whose dissemination restrictions have been imposed by decision of the organization's management, the disclosure of which can cause significant damage to the organization's activities.
Confidential information - information that is not strictly confidential, on whose dissemination restrictions have been imposed only by decision of the organization's management, the disclosure of which can cause damage to the organization's activities.
Open information - this category includes information whose confidentiality does not need to be ensured.

2. Categories of integrity of information

Integrity of information is the property whereby the data retain a predetermined form and quality (remain unchanged with respect to some fixed state).
The following categories of information integrity are introduced:
High - this category includes information whose unauthorized modification or falsification can cause significant damage to the organization's activities.
Low - this category includes information whose unauthorized modification can cause moderate or minor damage to the organization's activities.
No requirements - this category includes information for whose integrity no requirements are imposed.

3. Categories of availability of information

Availability of information is the state of information in which the subjects holding access rights can exercise those rights unhindered.
The following categories of information availability are introduced:
Unhindered accessibility - access to the information must be provided at any time (the delay in obtaining access to the information should not exceed a few seconds or minutes).
High availability - access to the information must be provided without significant time delays (the delay in obtaining access to the information should not exceed a few hours).
Average accessibility - access to the information may be provided with significant time delays (the delay in obtaining the information should not exceed several days).
Low accessibility - time delays in access to the information are practically unlimited (the allowable delay in obtaining access to the information is a few weeks).

From the above it is clear that the confidentiality and integrity categories of information depend directly on the amount of damage to the organization caused by violation of these properties. The availability categories also depend, though to a lesser extent, on the amount of damage to the organization. To determine the amount of damage, a subjective assessment is used and a three-level scale is introduced: significant damage, moderate damage and low damage (or no damage).
Damage to the organization is assessed as low if the loss of availability, confidentiality and/or integrity of the information has a slight negative impact on the organization's activities, assets and personnel.
A slight negative impact means that:
- the organization remains able to carry out its activities, but the effectiveness of its basic functions is reduced;
- the organization's assets suffer insignificant damage;
- the organization incurs minor financial losses.
Damage to the organization is assessed as moderate if the loss of availability, confidentiality and/or integrity has a serious negative impact on the organization, its assets and personnel.
A serious negative impact means that:
- the organization remains able to carry out its activities, but the effectiveness of its basic functions is significantly reduced;
- the organization's assets suffer significant damage;
- the organization incurs significant financial losses.
Potential damage to the organization is assessed as significant if the loss of availability, confidentiality and/or integrity has a severe (catastrophic) negative impact on the organization, its assets and personnel, i.e.:
- the organization loses the ability to perform all or some of its basic functions;
- the organization's assets suffer major damage;
- the organization incurs large financial losses.
Thus, by assessing the damage to the organization's activities from violation of the confidentiality, integrity and availability of information, and determining the categories of the information on this basis, three types of information can be distinguished: the most critical, critical and non-critical.

The type of information is determined by combining the categories assigned to it.
Table 1 shows how the type of information is determined (* denotes any category).

Confidentiality category | Integrity category | Availability category | Information type
Strictly confidential information | * | * | The most critical information
* | High | * | The most critical information
* | * | Unhindered accessibility | The most critical information
Confidential information | * | * | Critical information
* | Low | * | Critical information
* | * | High availability | Critical information
Open information | No requirements | Average accessibility | Non-critical information
Open information | No requirements | Low accessibility | Non-critical information

Table 1: Definition of the type of information
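Table 1 is easier to apply, and to check, once its wildcard rows are read as a rule: the type of the information is the most critical type that any one of its three categories imposes. The Python below is an added example, not the article's own material; it transcribes the table, implements that closed-form rule, and verifies that the two agree for all 36 category combinations. One assumption is made explicit in the code: several rows can match one combination (for example confidential information with high integrity matches both a "critical" row and a "most critical" row), and the example resolves this by letting the most critical row win. The enum and function names are the example's own.

```python
"""Determining the type of information from its three categories (Table 1).
Added example, not part of the article. It implements the rule the table's
wildcard rows encode: the information type is the most critical type that any
one of the three categories imposes. Enum and function names are assumptions."""
from enum import IntEnum
from itertools import product


class Confidentiality(IntEnum):
    OPEN = 0
    CONFIDENTIAL = 1
    STRICTLY_CONFIDENTIAL = 2


class Integrity(IntEnum):
    NO_REQUIREMENTS = 0
    LOW = 1
    HIGH = 2


class Availability(IntEnum):
    LOW = 0
    AVERAGE = 1
    HIGH = 2
    UNHINDERED = 3


class InfoType(IntEnum):
    NON_CRITICAL = 0
    CRITICAL = 1
    MOST_CRITICAL = 2


ANY = None  # the "*" of Table 1: matches every category

# Table 1 transcribed row by row: (confidentiality, integrity, availability, type).
TABLE_1 = [
    (Confidentiality.STRICTLY_CONFIDENTIAL, ANY, ANY, InfoType.MOST_CRITICAL),
    (ANY, Integrity.HIGH, ANY, InfoType.MOST_CRITICAL),
    (ANY, ANY, Availability.UNHINDERED, InfoType.MOST_CRITICAL),
    (Confidentiality.CONFIDENTIAL, ANY, ANY, InfoType.CRITICAL),
    (ANY, Integrity.LOW, ANY, InfoType.CRITICAL),
    (ANY, ANY, Availability.HIGH, InfoType.CRITICAL),
    (Confidentiality.OPEN, Integrity.NO_REQUIREMENTS, Availability.AVERAGE, InfoType.NON_CRITICAL),
    (Confidentiality.OPEN, Integrity.NO_REQUIREMENTS, Availability.LOW, InfoType.NON_CRITICAL),
]


def lookup_table(c: Confidentiality, i: Integrity, a: Availability) -> InfoType:
    """Collect every row of Table 1 that matches and return the most critical
    type among them. More than one row can match a combination (for example
    Confidential + High integrity), so 'the most critical row wins' is the
    precedence assumed here."""
    matches = [t for rc, ri, ra, t in TABLE_1
               if (rc is ANY or rc == c) and (ri is ANY or ri == i)
               and (ra is ANY or ra == a)]
    if not matches:
        raise ValueError(f"no row of Table 1 covers ({c.name}, {i.name}, {a.name})")
    return max(matches)


def classify(c: Confidentiality, i: Integrity, a: Availability) -> InfoType:
    """Closed form of the same rule: map each category to the criticality it
    alone imposes and take the maximum. Low and average availability both
    impose nothing, so the two rows for open information collapse into one case."""
    availability_criticality = {
        Availability.LOW: InfoType.NON_CRITICAL,
        Availability.AVERAGE: InfoType.NON_CRITICAL,
        Availability.HIGH: InfoType.CRITICAL,
        Availability.UNHINDERED: InfoType.MOST_CRITICAL,
    }[a]
    return InfoType(max(int(c), int(i), int(availability_criticality)))


def check_table_consistency() -> bool:
    """Every one of the 3 x 3 x 4 category combinations must be covered by
    Table 1, and the table lookup must agree with the closed-form rule."""
    return all(lookup_table(c, i, a) == classify(c, i, a)
               for c, i, a in product(Confidentiality, Integrity, Availability))


if __name__ == "__main__":
    print("Table 1 consistent with max rule:", check_table_consistency())
    for c, i, a in product(Confidentiality, Integrity, Availability):
        print(f"{c.name:22} {i.name:16} {a.name:11} -> {classify(c, i, a).name}")
```

Keeping the transcribed table next to the closed-form rule is deliberate: when the organization later changes a gradation (for example adds a fourth integrity level), check_table_consistency shows immediately whether the table and the rule have drifted apart.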

Thus, categorization of information is the first step towards ensuring the organization's information security, since before protecting something, it is first necessary to determine what needs to be protected and to what extent. Both user and system information, whether held in electronic form or on material media, is categorized. To determine the type of the protected information, it is necessary to determine what damage the organization would suffer from loss of the confidentiality, integrity and availability of that information.
Subsequently, having determined the type of information, different protection measures can be applied to each type. This not only structures the data processed in the organization but also makes it possible to implement and use the access control subsystem for protected information most effectively, as well as to optimize the cost of ensuring information security.



Today it is hardly possible to find an organization in which no one has ever thought about protecting information. At the same time, a correct understanding of information security as a complex of organizational and technical measures is not always to be found. The most important element in ensuring it is the person, and the person is also the main factor in its violation.

Information security should be perceived as a complex of organizational and technical measures, since confidentiality, integrity and availability cannot be ensured by technical measures alone or by organizational measures alone.

Suppose you decide to protect yourself by technical measures only, while organizational documents are completely absent. This often happens when protection is handled by the IT department, or when the head of the information security department is a former IT employee. What happens in this case? Suppose one of the company's employees systematically passes confidential information to competitors by email. You have discovered the leak, but you have no documents, and therefore you simply have no right to punish the employee (for example, by dismissal). And if you do, a clever offender will sue you for violating his constitutional right to privacy of correspondence. The saddest thing is that legally he will be absolutely right: nothing in your organization documents that all information sent by email from addresses belonging to your organization is the property of the company.

Consider the other extreme. It is usually characteristic of former military personnel and special services staff. You have prepared excellent documents, but there is no technical support at all. What happens in this case? Sooner or later your employees will violate the provisions of the organizational documents and, seeing that no one is checking, will do so systematically.

Thus, information security is a flexible system that includes both organizational and technical measures. It should be understood that there are no more or less significant measures here; everything is important. Protection measures must be observed at all points of the network, whenever any subject works with your information (a subject here means a user of the system, a process, a computer or software for information processing). Every information resource, whether a user's computer or the organization's server, must be fully protected. How to protect file systems, networks and so on is not discussed here.

There is a huge amount of software aimed at solving the task of protecting information: antivirus programs, firewalls, and the built-in tools of operating systems. However, the most vulnerable factor always remains the person. The effectiveness of any software depends on how well it is written and on the competence of the administrator who configured it.

Because of this, many organizations create information protection departments or assign security tasks to their IT departments. But it has been said more than once that this function cannot be assigned to the IT service. Suppose an information security department has been created in your organization. What should it do next? Where should it start?

The first steps of the information security department

In my opinion, you need to start with training the employees! And in the future, do it at least twice a year. Training ordinary staff in the basics of information protection should be a permanent duty of the information protection department staff!

Many managers try to obtain a document called the "Security Policy" from the information security department right away. This is a mistake. Before you start writing this serious document, which will define all your efforts to ensure your organization's information security, you need to ask yourself the following questions:

What information do you process?

How should it be classified?

What resources do you possess?

How is information processed on those resources?

How should the resources be classified?

We will try to answer these questions.

Classification of information

In our country, the approach was historically formed to classify information (first of all state) on the levels of requirements for its security on the basis of its property - confidentiality (secrecy).

Requirements to ensure the integrity and availability of information, as a rule, are only indirectly mentioned among the general requirements for data processing systems.

If this approach is to some extent justified to ensure the safety of information constituting the state secret, this does not mean that transferring it to another subject area (with other subjects and their interests) will be correct.

In many areas, the share of confidential information is relatively small. For open information, the detriment of the disclosure of which is insignificant, the most important are completely different properties, let's say such as availability, integrity or protected from unlawful replication. For example, for payment (financial) documents the most important is their integrity (reliability). Then the property should be accomplished (loss of a payment document or delay of payments can be very expensive). Requirements for ensuring the confidentiality of payment documents are usually in third place.

For the Internet newspaper in the first place will stand the availability and integrity of information, and not its confidentiality. Attempts to approach to solving issues of protecting such information from the standpoint of the traditional provision of only confidentiality, failed. The main reasons for this are the narrowness of the traditional approach to the protection of information, the absence of experience in domestic experts and appropriate elaboration in terms of ensuring the integrity and availability of information that is not confidential.

To improve the classification of information, depending on the requirements for its security, enter several degrees (gradations, categories) of requirements for ensuring each of the security properties of the information: availability, integrity, confidentiality.

The amount of gradation and the meaning in them may differ.

Based on the need to provide various levels of protection of different types of information (not containing information constituting a state secret), stored and processed in the organization, we introduce several categories of confidentiality and integrity of the protected information.

"Strictly confidential" - information that is confidential in accordance with the requirements of current legislation (banking secrets, personal data), as well as information, restrictions on the dissemination of which are entered by decisions of the management of the organization (commercial mystery), the disclosure of which can lead to grave financial and economic consequences for the organization, Before bankruptcy (applying a serious damage to the vital interests of customers, correspondents, partners or employees).

"Confidential" - information that is not attributed to the category of "strictly confidential", the restrictions on the distribution of which are entered by the decision of the organization's leadership in accordance with the owner provided to him (authorized by the owner) of information by the current legislation, the disclosure of which can lead to significant losses and loss of the competitiveness of the organization (applying Tangible damage to the interests of customers, correspondents, partners or employees).

"Open" - information for which confidentiality (restrictions on dissemination) is not required.

"High" - this integrity category includes information whose unauthorized modification (distortion, substitution, destruction) or falsification (forgery) can cause significant direct damage to the organization, and whose integrity and authenticity (confirmation of the authenticity of the source) must be ensured by guaranteed methods (electronic digital signature, EDS) in accordance with the mandatory requirements of current legislation, orders, directives and other regulatory acts.

"Low" - this category includes information whose unauthorized modification, substitution or deletion can cause minor indirect damage to the organization, its customers, partners or employees, and whose integrity is to be ensured in accordance with a decision of management (by methods such as checksums and hash functions).

"No requirements" - this category includes information for which no requirements are imposed on ensuring integrity (and authenticity).

Depending on the frequency with which functional tasks are solved and the maximum allowable delay in obtaining results, four required degrees (categories) of information availability are introduced.

"Unhindered accessibility" - access to the task must be provided at any time (the task is solved constantly; the delay in obtaining the result must not exceed a few seconds or minutes).

"High availability" - access must be provided without significant time delays (the task is solved daily; the delay in obtaining the result must not exceed a few hours).

"Average accessibility" - access can be provided with significant time delays (the task is solved once every few days; the delay in obtaining the result must not exceed several days).

"Low accessibility" - time delays in accessing the task are practically unlimited (the task is solved with a period of several weeks or months; the allowable delay in obtaining the result is a few weeks).

At the first stage of the work, all types of information used in solving tasks on a specific computer are categorized (categories of confidentiality and integrity are established for specific types of information). A "List of information resources to be protected" is compiled.

At the second stage, all functional tasks solved on this computer are categorized. At the third stage, the category of the computer is established, based on the maximum categories of the information processed and of the tasks solved on it.

After the processed information has been assigned to the appropriate categories, a resource inventory should be carried out.

Categorization of resources implies identification (inventory) and analysis of all resources of the organization's information system that are to be protected. An approximate sequence and the main content of this work is given below.

First of all, a special working group is formed to analyze all subsystems of the organization's information system and to inventory and categorize the resources to be protected. It includes specialists from the computer security unit and from other units of the organization who are familiar with the automated information processing technology.

An order of the organization's management is issued which, in particular, instructs all heads of structural divisions to assist the working group in analyzing the resources of all computers.

To provide this assistance, employees should be assigned to give detailed information on automated information processing in the divisions.

In the course of examining specific units of the organization and subsystems of the enterprise information system, all functional tasks solved using computers are identified and described, as well as all types of information used in solving these tasks in the divisions.

After that, a general list of functional tasks is drawn up and a form (record sheet) is filled out for each task. It should be borne in mind that the same task may be named differently in different units and, conversely, different tasks may have the same name. At the same time, the software tools used in solving the unit's functional tasks are recorded.

When examining the subsystems and analyzing the tasks, all types of incoming, outgoing, stored, processed and other information are identified. It is necessary to identify not only information that can be classed as confidential (banking and commercial secrets, personal data), but also information that must be protected because violation of its integrity or availability can cause tangible damage to the organization.

Having identified all types of information circulating and processed in the subsystems, it is necessary to assess the consequences that violations of its properties may lead to. To obtain initial estimates, it is advisable to survey (for example, by questionnaire) the specialists who work with this information. At the same time, it is necessary to find out who may be interested in this information, how it could be influenced or illegally used, and what consequences this could lead to.

If the likely damage cannot be quantified, a qualitative assessment is given (for example: very low, low, medium, high, very high).

When drawing up the list and forms of the functional tasks solved in the organization, it is necessary to find out the frequency of their solution, the maximum allowable delay in obtaining results, and the seriousness of the consequences that violation of their availability (blocking the possibility of solving the task) may lead to.

All information identified during the survey is recorded in the appropriate document.

Next, it is necessary to determine which type of secret (banking, commercial, personal data, or information not constituting a secret) each identified type of information belongs to (on the basis of the requirements of current legislation and the rights granted to the organization).

Initial proposals for assessing the confidentiality and integrity categories of specific types of information are obtained from the managers (leading specialists) of the structural unit, based on their personal assessment of the likely damage from violation of the confidentiality and integrity of the information. The list is then agreed with the heads of the automation and computer security departments and submitted to the organization's management.

At the next step, the functional tasks are categorized. Based on the availability requirements set by the heads of the organization's units and agreed with the IT services, all application functional tasks solved in the units using computer equipment are categorized. The information is entered into the task form. System tasks and system software should not be categorized outside the context of specific computers and application tasks.

Subsequently, with the participation of IT professionals and the information security unit, it is necessary to clarify the composition of the information and software resources of each task and to enter into its form information on the task's user groups and guidelines for configuring the protection tools when it is solved. These data will be used as reference settings for protecting the relevant computers and for checking that they have been installed correctly.

At the final stage, the category of each computer is established, based on the maximum category of the functional tasks solved on it and the maximum categories of confidentiality and integrity of the information used in solving these tasks. Information on the computer's category is entered into its form.

The concept of resource inventory includes not only reconciling the active and passive network resources actually present with the list of equipment (and its completeness) purchased by the organization. For reconciling equipment and its completeness, appropriate software can be used (for example, Microsoft SMS Server and similar tools).

It also includes creating a network map describing all possible connection points, drawing up a list of the software used, forming a fund of the licensed software used in the organization, and a fund of algorithms and programs of the organization's own development.

It should be noted that software may be admitted to operation only after the information protection department has checked it for compliance with its tasks and for the absence of any hidden implants (backdoors) and "logic bombs".

I would also like to mention the trend that has appeared here toward using open-source applications. Undoubtedly, they bring substantial resource savings. However, it seems that in this case safety is determined by trust not only in the system developer but also in your administrator. And if you take into account the administrator's salary, it is not difficult to conclude that buying your secrets is much easier and cheaper than carrying out a direct external attack. It is worth mentioning that most successful attacks are carried out by insiders (employees of the company itself).

It seems that using freely distributed software where there is a risk of serious damage is possible only if it is supplied to you in compiled form with the digital signature of an organization that guarantees the absence of logic bombs, hidden implants and "back doors" of any kind. Moreover, the guarantor organization must bear material liability. However, today such a proposal must be considered unrealistic.

After checking, the reference software is entered into the fund of algorithms and programs (the reference copy must be accompanied by a checksum file, or better by an electronic signature of the developer). Subsequently, when versions change or updates appear, the software is checked according to the established procedure.

A record of the installed software is entered into the form of each computer, indicating the installation date, the tasks solved using this software, and the name and signature of the person who installed and configured it. After such forms have been created, the information security service must ensure regular verification that the actual state of the computer corresponds to its form.
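One way to implement that regular verification, as an added Python example that is not from the original text: the checksums recorded in the software form are compared with what is actually installed, reporting intact, modified, missing and unrecorded files. The directory layout and digests are constructed for the demonstration; checking the developer's electronic signature on the reference copy is not shown.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Checksum of one installed file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_installation(form_checksums: dict, install_root: Path) -> dict:
    """Compare the installed tree with the checksum records from the software form.
    form_checksums maps a relative POSIX path to its reference SHA-256 hex digest."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    installed = {p.relative_to(install_root).as_posix()
                 for p in install_root.rglob("*") if p.is_file()}
    for rel_path, reference_digest in sorted(form_checksums.items()):
        if rel_path not in installed:
            report["missing"].append(rel_path)
        elif sha256_file(install_root / rel_path) != reference_digest:
            report["modified"].append(rel_path)      # drift from the reference copy
        else:
            report["ok"].append(rel_path)
    # Files present on the computer but absent from the form are also deviations.
    report["unexpected"] = sorted(installed - set(form_checksums))
    return report

def demo() -> dict:
    """Constructed installation: one intact file, one altered file, one extra
    file, and one file recorded in the form that is no longer present."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"reference build 1.0")
        (root / "bin" / "helper").write_bytes(b"locally patched helper")
        (root / "bin" / "extra.so").write_bytes(b"not recorded in the form")
        form = {   # checksum records as they would be stored with the form
            "bin/app": hashlib.sha256(b"reference build 1.0").hexdigest(),
            "bin/helper": hashlib.sha256(b"reference helper").hexdigest(),
            "etc/app.conf": hashlib.sha256(b"reference config").hexdigest(),
        }
        return verify_installation(form, root)
```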

The next step in building the information security service should be an analysis of the organization's risks, on the basis of which the security policy will be created.