
Information security audit of computer systems and networks. It is possible to use the technique

Information security audit can not only give the bank the right to carry out certain types of activities, but also show weaknesses in the bank's systems. Therefore, it is necessary to take a balanced approach to the decision on conducting and choosing the form of audit.

According to Federal Law No. 307-FZ of 30.12.2008 "On Auditing", an audit is "an independent check of the accounting (financial) statements of the audited entity in order to express an opinion on the reliability of such statements". The term as defined in that law has nothing to do with information security, but information security specialists have nevertheless adopted it. In their usage, an audit is an independent assessment of the activities of an organization, system, process, project or product. It should also be understood that domestic regulations do not always use the term "information security audit": it is often replaced by "conformity assessment" or by the slightly outdated but still current "attestation". The term "certification" is also met, but mainly in relation to foreign and international regulations. Whatever term is used, an information security audit is in practice carried out either to verify compliance with regulatory requirements or to verify the validity and security of the solutions applied. In the second case the audit is voluntary, and the organization itself decides whether to conduct it. In the first case it is impossible to refuse the audit, since that would violate requirements established by regulatory acts and entail a fine, suspension of activities or other sanctions. A mandatory audit can be carried out either by the organization itself, for example in the form of a self-assessment (in which case there is no longer any "independence", and the term "audit" is not entirely correct), or by external independent organizations, the auditors.
The third option for a statutory audit is control by the regulatory bodies empowered to carry out supervisory activities. This option is usually called not an audit but an inspection. Since a voluntary audit can be carried out for absolutely any reason (to check the security of a remote banking service (RBS) system, to control the assets of an acquired bank, to check a newly opened branch, etc.), we will not consider it: its boundaries, the form of its reporting and its regularity cannot be described in general terms, because all of this is decided by agreement between the auditor and the audited organization. We will therefore consider only the forms of statutory audit specific to banks.

International standard ISO 27001

Sometimes you can hear about a bank undergoing an audit for compliance with the international standard ISO/IEC 27001:2005 (its full Russian analogue is GOST R ISO/IEC 27001-2006 "Information technology. Security techniques. Information security management systems. Requirements"). In essence, this standard is a set of best practices for information security management in large organizations (small organizations, including small banks, are not always able to comply with its requirements in full). Like any standard in Russia, ISO 27001 is a purely voluntary document, and each bank decides for itself whether to adopt it. But ISO 27001 is the de facto standard all over the world, and experts in many countries use it as a kind of universal language for discussing information security. There are, however, a few not-so-obvious and rarely mentioned points associated with ISO 27001. Firstly, it is not the bank's entire information security system that is audited against this standard, but only one or several of its constituent parts: for example, an RBS protection system, the protection system of the bank's head office, or the protection of the personnel management process. In other words, a certificate of conformity for one of the processes assessed in the audit does not guarantee that the remaining processes are in the same near-ideal state. The second point is that ISO 27001 is a universal standard, applicable to any organization, which means that it does not take into account the specifics of a particular industry.
This is why the International Organization for Standardization (ISO) has long been discussing the creation of ISO 27015, a transposition of ISO 27001/27002 for the financial industry, and the Bank of Russia has been actively involved in its development. However, Visa and MasterCard object to the draft that has already been developed. Visa believes the draft contains too little of the information the financial industry needs (for example, on payment systems), and that if such material is added the standard should be transferred to another ISO committee. MasterCard also proposes stopping the development of ISO 27015, but for a different reason: in its view the financial industry already has enough documents regulating information security. Thirdly, many offerings on the Russian market concern not a compliance audit but preparation for one. Only a small number of organizations in the world are entitled to certify compliance with ISO 27001. Integrators merely help companies meet the requirements of the standard, and compliance is then verified by the official auditors (also called registrars or certification bodies). While the debate continues over whether banks should implement ISO 27001, some daredevils go for it and pass through three stages of the compliance audit:
  • Preliminary informal study by the auditor of the main documents (both on the territory of the audit client and outside it).
  • A formal and in-depth audit of the implemented protective measures, an assessment of their effectiveness and a study of the developed necessary documents. This stage usually ends with the confirmation of conformity, and the auditor issues a corresponding certificate recognized throughout the world.
  • Annual execution of an inspection audit to confirm the previously obtained certificate of conformity.
Who needs ISO 27001 in Russia? If we consider this standard not only as a set of best practices that can be implemented without an audit, but also as a certification process confirming the bank's compliance with internationally recognized security requirements, then implementing ISO 27001 makes sense either for banks belonging to international banking groups in which ISO 27001 is the norm, or for banks planning to enter the international arena. In other cases, an ISO 27001 compliance audit and certificate are, in my opinion, unnecessary. But that applies only to banks and only in Russia, because we have our own standards based on ISO 27001.

The set of documents of the Bank of Russia STO BR IBBS

This standard, or rather set of standards, is a collection of Bank of Russia documents describing a unified approach to building an information security system for banking organizations that takes into account the requirements of Russian legislation. The set (hereinafter STO BR IBBS), which contains three standards and five recommendations for standardization, is based on ISO 27001 and a number of other international standards for information technology management and information security. As with ISO 27001, audit and conformity assessment are spelled out in separate documents: STO BR IBBS-1.1-2007 "Information security audit", STO BR IBBS-1.2-2010 "Methodology for assessing the compliance of information security of organizations of the banking system of the Russian Federation with the requirements of STO BR IBBS-1.0-2010", and RS BR IBBS-2.1-2007 "Guidelines for self-assessment of compliance of information security of organizations of the banking system of the Russian Federation with the requirements of STO BR IBBS-1.0". A conformity assessment under STO BR IBBS checks the fulfilment of 423 individual information security indicators grouped into 34 group indicators. The result is a final indicator, which should be at level 4 or 5 on the five-point scale established by the Bank of Russia. This very much distinguishes an STO BR IBBS audit from audits against other information security regulations: under STO BR IBBS there is no verdict of "non-compliant", only a level of compliance from zero to five, and only levels 4 and 5 count as a positive result. As of the end of 2011, about 70-75% of banks had implemented, or were in the process of implementing, this set of standards.
Despite all this, the documents are de jure only recommendatory, although de facto the Bank of Russia's inspections were until recently carried out against the requirements of STO BR IBBS (even though this was never stated openly). The situation changed on July 1, 2012, when the law "On the National Payment System" and the regulatory documents of the Government of Russia and the Bank of Russia developed for its implementation came into full force. From that moment the question of whether an STO BR IBBS compliance audit is needed was back on the agenda. The conformity assessment methodology prescribed by the legislation on the national payment system (NPS) and the STO BR IBBS conformity assessment methodology can produce very different final values. At the same time, assessment under the first methodology (for the NPS) became mandatory, while assessment under STO BR IBBS remains de jure recommendatory. At the time of writing, the Bank of Russia itself had not yet decided the future of the STO BR IBBS assessment. Previously all the threads converged in the Bank of Russia's Main Directorate of Security and Information Protection (GUBZI); now that powers are divided between GUBZI and the Department of Settlements Regulation, the question remains open. What is already clear is that the legislative acts on the NPS require a mandatory conformity assessment, that is, an audit.

Legislation on the national payment system

The legislation on the NPS is only at the dawn of its formation, and many new documents await us, including ones on information security. But it is already clear that Regulation 382-P "On Requirements for Ensuring Information Protection in the Course of Money Transfers", issued and approved on June 9, 2012, requires in clause 2.15 a mandatory conformity assessment, that is, an audit. Such an assessment is carried out either independently or with the involvement of third-party organizations. As noted above, the conformity assessment carried out under 382-P is similar in substance to the one described in the STO BR IBBS conformity assessment methodology, but it produces completely different results because of the special correction factors it introduces. Regulation 382-P does not establish any special requirements for the organizations performing the audit, which conflicts with Government Decree No. 584 of June 13, 2012 "On the protection of information in the payment system": that decree also requires control and assessment of compliance with information protection requirements once every two years, but, having been drafted by FSTEC, it requires that an external audit be carried out only by organizations licensed for the technical protection of confidential information. Additional requirements, which are hard to attribute to any one form of audit but which impose new responsibilities on banks, are listed in clause 2.16 of Regulation 382-P.
Under these requirements, the payment system operator must develop, and banks that have joined the payment system must comply with, rules for regularly informing the operator about information security matters in the bank: compliance with information protection requirements, identified incidents, self-assessments, and identified threats and vulnerabilities. In addition to contractual audits, Federal Law 161-FZ on the NPS establishes that control and supervision over fulfilment of the requirements set by the Government of the Russian Federation in Resolution 584 are carried out by FSTEC and the FSB, and over the requirements set by the Bank of Russia in Regulation 382-P by the Bank of Russia itself. At the time of writing, neither FSTEC nor the FSB had a procedure for such supervision, unlike the Bank of Russia, which issued Regulation No. 380-P of May 31, 2012 "On the procedure for monitoring the national payment system" (for credit institutions) and Regulation No. 381-P of June 9, 2012 "On the procedure for supervising compliance by payment system operators and payment infrastructure service operators with the requirements of Federal Law No. 161-FZ of June 27, 2011 'On the National Payment System' and the regulations of the Bank of Russia adopted in accordance with it". The regulations on information protection in the national payment system are only at the start of their detailed elaboration. On July 1, 2012, the Bank of Russia began applying them and collecting enforcement practice. It is therefore premature to say how these regulations will be applied, how supervision under 380-P will be exercised, or what conclusions will be drawn from the self-assessment carried out every two years and sent to the Bank of Russia.

PCI DSS Payment Card Security Standard

The Payment Card Industry Data Security Standard (PCI DSS) is a payment card data security standard developed by the Payment Card Industry Security Standards Council (PCI SSC), which was established by the international payment systems Visa, MasterCard, American Express, JCB and Discover. PCI DSS is a set of 12 high-level and over 200 detailed requirements for securing cardholder data that is transmitted, stored and processed in an organization's information systems. The requirements apply to all companies working with the international payment systems Visa and MasterCard. Depending on the number of transactions processed, each company is assigned a level with a corresponding set of requirements it must fulfil; the levels differ between payment systems. Verification of compliance with PCI DSS is carried out within a mandatory certification, the requirements of which differ depending on the type of audited company: a merchant that accepts payment cards for goods and services, or a service provider serving merchants, acquiring banks, issuers, etc. (processing centres, payment gateways and the like). The assessment can take different forms:
  • annual audits by accredited companies with Qualified Security Assessor (QSA) status;
  • annual self-assessment;
  • quarterly network scans by authorized organizations with Approved Scanning Vendor (ASV) status.

Personal data legislation

The latest regulatory document that concerns the banking industry and establishes conformity assessment requirements is the Federal Law "On Personal Data". However, neither the form of such an audit, nor its frequency, nor the requirements for the organization conducting it have yet been established. Perhaps this will be resolved in the autumn of 2012, when the next batch of documents from the Government of the Russian Federation, FSTEC and the FSB introducing new personal data protection standards is released. In the meantime, banks can sleep soundly and define for themselves how personal data protection is audited. Control and supervision over the organizational and technical measures for personal data security established by Article 19 of 152-FZ are exercised by the FSB and FSTEC, but only for state personal data information systems. Under the law, nobody controls commercial organizations' information security of personal data. The same cannot be said of protecting the rights of personal data subjects, that is, the bank's customers, counterparties and simple visitors: that task has been taken up by Roskomnadzor, which is very active in its supervisory role and regards banks as among the worst violators of the personal data law.

Final provisions

Above, we have considered the main information security regulations that concern credit institutions. There are many of them, and each sets its own requirements for conformity assessment in one form or another: from self-assessment by filling in questionnaires (PCI DSS) to an external audit once every two years (382-P) or once a year (ISO 27001). Between these most common forms there are others: notifications to the payment system operator, quarterly scans, and so on. It is also worth remembering that the country still lacks a unified view not only of state regulation of information security audits of organizations and information technology systems, but of the very subject of information security audit. In the Russian Federation a number of departments and organizations (FSTEC, the FSB, the Bank of Russia, Roskomnadzor, PCI SSC, etc.) are responsible for information security, and each operates under its own regulations and guidelines. Different approaches, different standards, different levels of maturity: all of this hinders the establishment of uniform rules of the game. The picture is further spoiled by fly-by-night firms which, in pursuit of profit, offer very low-quality conformity assessment services. And the situation is unlikely to improve: where there is demand there will be someone to meet it, and there are simply not enough qualified auditors for everyone. Given their small number (shown in the table) and audit durations of several weeks to several months, it is obvious that the need for audits significantly exceeds the auditors' capacity.
The "Concept of audit of information security of information technology systems and organizations", which FSTEC has still not adopted, contained the following phrase: "at the same time, in the absence of the necessary national regulators, such activity [unregulated audit by private firms] can cause irreparable harm to organizations". In conclusion, the authors of the Concept proposed unifying approaches to audit and legislatively establishing the rules of the game, including rules for accrediting auditors, requirements for their qualifications, the procedure for conducting an audit, and so on, but nothing has moved since. Still, given the attention that domestic information security regulators (we have nine of them) pay to the subject (in the past calendar year alone, 52 regulatory acts on information security were adopted or developed, one a week!), I do not rule out that they will soon return to this topic.

INFORMATION SECURITY AUDIT STANDARDS

In such conditions we must, unfortunately, admit that the main goal of an information security audit of a bank, increasing confidence in its activities, is unattainable in Russia. In our country few of a bank's clients pay attention to its level of security or to the results of an audit. Here an audit is resorted to either after a very serious incident that caused serious material damage to the bank (or to its shareholders and owners), or because of legislative requirements, of which, as shown above, we have plenty. For the next six months, requirement number one that justifies attention to a security audit is Bank of Russia Regulation 382-P. There are already the first cases of territorial branches of the Central Bank requesting information about a bank's level of security and its compliance with 382-P, and this information comes precisely from an external audit or a self-assessment. In second place I would put an audit of compliance with the law "On Personal Data". But such an audit should not be carried out before spring, when all the documents promised by FSTEC and the FSB have been released and the fate of STO BR IBBS has become clear. Only then can the question of an STO BR IBBS compliance audit be raised: by that time the future of the Bank of Russia's set of documents will be clear, as will its status in relation to the similar but nonetheless different 382-P, and whether STO BR IBBS will continue to cover personal data protection. Successful completion of an audit does not mean that everything is fine with the bank's security: there are many tricks that allow the auditee to hide flaws in its security system, and a great deal depends on the qualifications and independence of the auditors.
The experience of the past years shows that even in organizations that have successfully passed the audit of compliance with PCI DSS, ISO 27001 or STO BR IBBS standards, there are incidents and serious incidents.

EXPERT OPINION

Dmitry Markin, Head of Audit and Consulting Department, AMT-GROUP:

Until recently, mandatory audit of the state of information security in credit institutions under Russian legislation was regulated only by Federal Law 152-FZ "On Personal Data", in terms of internal control over the measures taken to ensure the security of personal data, and by Central Bank of the Russian Federation Regulation No. 242-P "On the organization of internal control in credit institutions and banking groups". Moreover, under Regulation No. 242-P, the procedure for monitoring information security is established independently by the credit institution's internal documents, without reference to specific information security requirements. With the entry into force of Article 27 of Federal Law 161-FZ "On the National Payment System", which defines the requirements for information protection in the payment system, of Government of the Russian Federation Resolution No. 584 "On Approval of the Regulation on the Protection of Information in the Payment System", and of Central Bank of the Russian Federation Regulation No. 382-P, the protection of information in the payment system must, according to the requirements of Resolution No. 584 and Regulation No. 382-P, be carried out in accordance with these regulatory acts and with the requirements that payment system operators include in their payment system rules. The key point here is the consolidation at the level of national legislation of the right of payment system operators (for example, Visa and MasterCard) to establish information protection requirements independently. Regulation No. 382-P also obliges credit institutions to assess compliance with information security requirements at least once every two years, and the conformity assessment methodology, the audit criteria and the procedure for documenting the results are clearly defined.
In our opinion, the emergence of the above regulations should increase the statistics of credit institutions passing certification in accordance with the requirements of the PCI DSS 2.0 payment card industry data security standard, developed with the participation of the leading international payment systems Visa and MasterCard.

Introduction

Audit is a form of independent, neutral control of any line of business of a commercial enterprise, widely used in the practice of a market economy, especially in accounting. Equally important for the overall development of an enterprise is its security audit, which includes an analysis of the risks associated with possible security threats, especially to information resources; an assessment of the current level of security of its information systems (IS); localization of bottlenecks in their protection system; an assessment of IS compliance with existing information security standards; and the development of recommendations for implementing new IS security mechanisms and for increasing the effectiveness of existing ones.

If we talk about the main goal of an information security audit, then it can be defined as assessing the security level of an enterprise's information system for managing it as a whole, taking into account the prospects for its development.

In modern conditions, when information systems penetrate all spheres of enterprise activity and, given the need to connect them to the Internet, are exposed to internal and external threats, the problem of information security becomes no less important than economic or physical security.

Despite the importance of the problem under consideration for the training of information security specialists, it has not yet been included as a separate course in existing curricula and has not been considered in textbooks and teaching aids. This was due to the lack of the necessary regulatory framework, unpreparedness of specialists and insufficient practical experience in the field of information security audit.

The general structure of work includes the following sequence of issues under consideration:

describes a model for building an information security (IS) system that takes into account threats, vulnerabilities, risks and countermeasures taken to reduce or prevent them;

methods of analysis and risk management are considered;

outlines the basic concepts of security audit and provides a description of the objectives of its implementation;

analyzes the main international and Russian standards used in IS audit;

the possibilities of using software tools for conducting an IS audit are shown;

The structure of the textbook was chosen to orient the student as much as possible towards practical use of the material: firstly, when studying the lecture course; secondly, during work placements (analysis of the state of information security at an enterprise); and thirdly, when preparing term papers and theses.

The material presented can also be useful to managers and employees of an enterprise's security and information protection services in preparing and conducting an internal information security audit and in justifying the need for an external one.

Chapter I. Security audit and methods of its implementation

1 Concept of security auditing

An audit is an independent examination of specific areas of the organization's functioning. Distinguish between external and internal audit. An external audit is, as a rule, a one-time event initiated by the organization's management or shareholders. It is recommended to conduct external audits on a regular basis, and, for example, for many financial organizations and joint-stock companies, this is a mandatory requirement on the part of their founders and shareholders. Internal audit is a continuous activity, which is carried out on the basis of the "Regulation on internal audit" and in accordance with the plan, the preparation of which is carried out by the security departments and approved by the organization's management.

The objectives of a security audit are:

analysis of the risks associated with the possibility of security threats being realized against resources;

assessment of the current level of IS security;

localization of bottlenecks in the IS protection system;

assessment of IS compliance with existing standards in the field of information security.

The security audit of an enterprise (firm, organization) should be treated as a confidential management tool: for reasons of secrecy, information about its results must not be made available to third parties or outside organizations.

The following sequence of actions can be recommended for conducting an enterprise security audit.

1. Preparing for a security audit:

selection of the audit object (company, individual buildings and premises, individual systems or their components);

building a team of expert auditors;

defining the scope and scope of the audit and setting specific deadlines.

2. Audit:

general analysis of the security status of the audited object;

registration, collection and verification of statistical data and results of instrumental measurements of hazards and threats;

assessment of test results;

preparation of a report on the results of the check by individual components.

3. Completion of the audit:

drawing up a final report;

development of an action plan to eliminate bottlenecks and shortcomings in ensuring the security of the company.

To successfully conduct a security audit, you must:

active participation of the company's management in its conduct;

objectivity and independence of auditors (experts), their competence and high professionalism;

clearly structured verification procedure;

active implementation of the proposed measures to ensure and enhance security.

Security audit, in turn, is an effective tool for security assessment and risk management. Preventing security threats also means protecting the economic, social and informational interests of an enterprise.

Hence, we can conclude that security audit is becoming an instrument of economic management.

Depending on the volume of the analyzed objects of the enterprise, the scope of the audit is determined:

- security audit of the entire enterprise as a whole;

- security audit of individual buildings and premises (dedicated premises);

- audit of equipment and technical means of specific kinds and types;

- audit of particular types and areas of activity: economic, environmental, informational, financial, etc.

It should be emphasized that the audit is not carried out on the initiative of the auditor, but on the initiative of the company's management, which in this matter is the main stakeholder. The support of the company's management is a prerequisite for the audit.

An audit is a set of activities in which, in addition to the auditor himself, representatives of most of the company's structural divisions are involved. The actions of all participants in this process must be coordinated. Therefore, at the stage of initiating the audit procedure, the following organizational issues should be resolved:

the rights and obligations of the auditor should be clearly defined and documented in his job descriptions, as well as in the regulation on internal (external) audit;

the auditor should prepare an audit plan and agree it with management;

the regulation on internal audit should stipulate, in particular, that the employees of the enterprise are obliged to assist the auditor and provide all the information necessary for the audit.

At the stage of initiating the audit procedure, the scope of the survey should be defined. If some information subsystems of the enterprise are not critical enough, they can be excluded from the scope of the survey.

Other subsystems may not be auditable due to confidentiality reasons.

The scope of the survey is defined in the following categories:

1. List of the examined physical, software and information resources.

2. Areas (premises) that fall within the boundaries of the survey.

3. The main types of security threats considered during the audit.

4. Organizational (legislative, administrative and procedural), physical, software-technical and other aspects of security that need to be taken into account during the survey, and their priorities (to what extent they should be taken into account).

The audit plan and boundaries are discussed at a working meeting, which is attended by auditors, company management and heads of structural divisions.

To understand IS audit as a complex system, consider its conceptual model, shown in Fig. 1.1. The main components of the process are highlighted there:

audit object;

purpose of the audit;

requirements to be met;

methods used;

performers;

order of conduct.

Fig. 1.1. Conceptual model of information security audit

From the point of view of the organization of work during an IS audit, there are three fundamental stages:

1. collection of information;

2. data analysis;

2 Methods of data analysis in the audit of information security

Currently, there are three main methods (approaches) for conducting an audit, which differ significantly from each other.

The first method, the most complex, is based on risk analysis. Using risk analysis methods, the auditor determines for the surveyed IS an individual set of security requirements that takes into account, to the greatest extent, the features of this IS, its operating environment and the security threats existing in that environment. This approach is the most time consuming and requires the highest qualifications of an auditor. The quality of the audit results in this case is strongly influenced by the risk analysis and risk management methodology used and its applicability to this type of IS.

The second method, the most practical, relies on the use of information security standards. The standards define the basic set of security requirements for a wide class of IS, which is formed as a result of generalization of world practice. Standards can define different sets of security requirements, depending on the level of security of the IS that needs to be provided, its affiliation (commercial organization or government agency), as well as purpose (finance, industry, communications, etc.). In this case, the auditor is required to correctly determine the set of requirements of the standard, compliance with which must be ensured for this IS. A methodology is also needed to assess this conformity. Due to its simplicity (the standard set of requirements for auditing is already predetermined by the standard) and reliability (the standard is a standard and no one will try to challenge its requirements), the described approach is the most common in practice (especially when conducting an external audit). It allows you to draw reasonable conclusions about the state of the IS with a minimum cost of resources.

The third method, the most effective, involves combining the first two.

If a risk-based approach is chosen to conduct a security audit, then the following groups of tasks are usually performed at the stage of analyzing audit data:

1. Analysis of IS resources, including information resources, software and hardware, and human resources.

2. Analysis of the groups of tasks solved by the system and of business processes.

3. Construction of an (informal) model of IS resources, which defines the relationships between information, software, technical and human resources, their mutual arrangement and methods of interaction.

4. Assessment of the criticality of information resources, as well as of software and hardware.

5. Determination of the criticality of resources, taking into account their interdependencies.

6. Determination of the most likely security threats to IS resources and of the security vulnerabilities that make it possible for these threats to be realized.

7. Assessment of the likelihood that threats are realized, of the magnitude of vulnerabilities and of the damage to the organization in the event that threats are successfully realized.

8. Determination of the magnitude of the risk for each triple: threat - resource group - vulnerability.

The listed set of tasks is quite general. To solve them, various formal and informal, quantitative and qualitative, manual and automated risk analysis techniques can be used. This does not change the essence of the approach.

Risk assessment can be given using a variety of both qualitative and quantitative scales. The main thing is that the existing risks are correctly identified and ranked in accordance with the degree of their criticality for the organization. Based on this analysis, a system of priority measures can be developed to reduce the magnitude of risks to an acceptable level.

When conducting a security audit for compliance with the requirements of the standard, the auditor, relying on his experience, evaluates the applicability of the requirements of the standard to the inspected IS and its compliance with these requirements. Data on the conformity of various areas of the functioning of the IS to the requirements of the standard are usually presented in tabular form. The table shows which security requirements are not implemented in the system. Based on this, conclusions are drawn about the compliance of the surveyed IS with the requirements of the standard and recommendations are given on the implementation of security mechanisms in the system to ensure such compliance.

3 Analysis of enterprise information risks

Risk analysis is what should begin with building any information security system and what is needed to conduct an information security audit. It includes activities to survey the security of the enterprise in order to determine which resources and from which threats need to be protected, as well as to what extent certain resources need to be protected. Determination of a set of adequate countermeasures is carried out in the course of risk management. The risk is determined by the probability of damage and the amount of damage to the resources of information systems (IS) in the event of a security threat.

Risk analysis consists in identifying existing risks and assessing their magnitude (giving them a qualitative or quantitative assessment). The risk analysis process involves solving the following tasks:

1. Identification of key IS resources.

2. Determination of the importance of particular resources for the organization.

3. Identification of existing security threats and of the vulnerabilities that make those threats possible.

4. Calculation of the risks associated with the realization of security threats.

IS resources can be categorized as follows:

informational resources;

software;

technical means (servers, workstations, active network equipment, etc.);

human resources.

Within each category, resources are divided into classes and subclasses. It is necessary to identify only those resources that determine the functionality of the IS and are essential from the point of view of ensuring security.

The importance (or cost) of a resource is determined by the amount of damage inflicted in the event of a violation of the confidentiality, integrity, or availability of that resource. The following types of damage are usually considered:

the data has been disclosed, changed, deleted or made unavailable;

the equipment has been damaged or destroyed;

the integrity of the software is violated.

Damage can be caused to an organization as a result of the successful realization of the following types of security threats:

local and remote attacks on IS resources;

natural disasters;

mistakes or deliberate actions of IS personnel;

IS failures caused by software errors or hardware malfunctions.

The magnitude of the risk can be determined based on the cost of the resource, the likelihood of the threat occurring and the magnitude of the vulnerability using the following formula:

$$\text{Risk} = \frac{\text{resource cost} \times \text{threat probability}}{\text{vulnerability magnitude}}$$

The challenge of risk management is to select a reasonable set of countermeasures to reduce risk levels to an acceptable level. The cost of implementing countermeasures should be less than the amount of possible damage. The difference between the cost of implementing countermeasures and the amount of possible damage should be inversely proportional to the likelihood of causing damage.

The approach based on the analysis of enterprise information risks is the most significant for the practice of ensuring information security, because risk analysis makes it possible to manage the information security of an enterprise effectively. To do this, at the beginning of the risk analysis it is necessary to determine what exactly needs to be protected at the enterprise, what threats it is exposed to, and what protection practice is in place. Risk analysis is carried out on the basis of the immediate goals and objectives of protecting a specific type of confidential information. One of the most important tasks in protecting information is to ensure its integrity and availability. It should be borne in mind that a violation of integrity can occur not only as a result of deliberate actions, but also for a number of other reasons:

· equipment failures leading to loss or distortion of information;

· physical impact, including as a result of natural disasters;

· bugs in software (including undocumented features).

Therefore, under the term "attack" it is more promising to understand not only human impact on information resources, but also the impact of the environment in which the enterprise's information processing system operates.

When conducting a risk analysis, the following are developed:

· the general strategy and tactics of carrying out "offensive operations and combat actions" by a potential violator;

· possible ways of carrying out attacks on the information processing and protection system;

· scenario of illegal actions;

· characteristics of the channels of information leakage and unauthorized access;

· the likelihood of establishing an information contact (implementation of threats);

· a list of possible information infections;

· intruder model;

· information security assessment method.

In addition, to build a reliable system for protecting the information of an enterprise, it is necessary:

· identify all possible threats to information security;

· assess the consequences of their manifestation;

· determine the necessary measures and means of protection, taking into account the requirements of regulatory documents, economic expediency, and compatibility and freedom from conflicts with the software used;

· evaluate the effectiveness of the selected measures and means of protection.

Fig. 1.2. Information resource analysis scenario

All 6 stages of risk analysis are presented here. At the first and second stages, information is determined that constitutes a commercial secret for the enterprise and which is to be protected. It is clear that such information is stored in certain places and on specific media, transmitted through communication channels. At the same time, the determining factor in the technology of handling information is the architecture of the IS, which largely determines the security of the information resources of the enterprise. The third stage of risk analysis is the construction of access channels, leakage or impact on the information resources of the main IS nodes. Each access channel is characterized by a multitude of points from which information can be “removed”. It is they who represent vulnerabilities and require the use of means to prevent unwanted influences on information.

The fourth stage is an analysis of the methods of protecting all possible points and of how well they correspond to the goals of protection; its result should be a characterization of the possible gaps in the protection, including those that arise from an unfavorable combination of circumstances.

At the fifth stage, proceeding from the currently known methods and means of overcoming the defensive lines, the probabilities of the implementation of threats for each of the possible points of attack are determined.

At the final, sixth, stage, the damage to the organization is assessed in the event of implementation of each of the attacks, which, together with vulnerability assessments, makes it possible to obtain a ranked list of threats to information resources. The results of the work are presented in a form that is convenient for their perception and for making decisions on correcting the existing information protection system. Moreover, each information resource can be exposed to several potential threats. Of fundamental importance is the total probability of access to information resources, which is the sum of the elementary probabilities of access to individual points of information passage.

The amount of information risk for each resource is defined as the product of the probability of an attack on the resource, the probability that the threat is realized, and the damage from the information intrusion. Various methods of weighting the constituents of this product can be used.

The summation of risks for all resources gives the value of the total risk for the adopted IS architecture and the information security system implemented in it.

Thus, by varying the options for constructing the information protection system and the IS architecture, it becomes possible to present and compare different values of the total risk resulting from changes in the probability that threats are realized. A very important step here is the choice of one of the options in accordance with the selected decision criterion. Such a criterion may be the permissible value of the risk or the ratio of the costs of ensuring information security to the residual risk.
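The per-resource product, the summation over resources, the ranked threat list and the choice among variants described above, as an added worked example that is not from the original text; the resources, damages, probabilities, costs and the exponent-style weighting are constructed assumptions:

```python
"""Added example (not from the original text): information risk per resource as the
product of attack probability, probability that the threat is realized, and damage;
total risk as the sum over resources; and selection of an IS/protection variant by an
acceptable-risk criterion together with the countermeasure-cost check.  All resources,
damages, probabilities, costs and the exponent-style weighting are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    resource: str
    threat: str
    p_attack: float    # probability that the resource is attacked within the period
    p_realize: float   # probability that the attack succeeds against the variant's protection


@dataclass(frozen=True)
class Variant:
    name: str
    cost: float        # cost of the protection measures included in this variant
    exposures: tuple   # residual exposures after those measures are in place


# Constructed sample: damage (money units) if a threat against the resource is realized.
DAMAGE = {"customer DB": 100_000.0, "web server": 20_000.0, "HR records": 50_000.0}


def resource_risk(exposures, resource, weights=(1.0, 1.0, 1.0)):
    """Risk of one resource: sum over its threats of
    p_attack**w_a * p_realize**w_r * damage**w_d.
    Exponent weights are one possible way of weighting the constituents (an assumption);
    the default (1, 1, 1) is the plain product described in the text."""
    w_a, w_r, w_d = weights
    return sum(e.p_attack ** w_a * e.p_realize ** w_r * DAMAGE[e.resource] ** w_d
               for e in exposures if e.resource == resource)


def total_risk(variant, weights=(1.0, 1.0, 1.0)):
    """Total risk of a variant: the sum of the risks of all resources."""
    return sum(resource_risk(variant.exposures, r, weights) for r in DAMAGE)


def ranked_threats(variant):
    """Ranked list of (resource, threat, risk), highest risk first."""
    rows = [(e.resource, e.threat, e.p_attack * e.p_realize * DAMAGE[e.resource])
            for e in variant.exposures]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def is_justified(variant, baseline):
    """Countermeasures are justified only if they cost less than the damage they avert."""
    averted = total_risk(baseline) - total_risk(variant)
    return variant.cost < averted


def select_variant(variants, baseline, acceptable_risk):
    """Cheapest variant whose residual risk is within the acceptable value and whose
    cost is justified; None if no variant satisfies the criterion."""
    candidates = [v for v in variants
                  if total_risk(v) <= acceptable_risk and is_justified(v, baseline)]
    return min(candidates, key=lambda v: v.cost, default=None)


# Constructed variants.  BASELINE is the current IS with no additional measures.
BASELINE = Variant("baseline", 0.0, (
    Exposure("customer DB", "remote attack", 0.5, 0.4),
    Exposure("customer DB", "insider error", 0.3, 0.5),
    Exposure("web server", "remote attack", 0.8, 0.5),
    Exposure("HR records", "insider error", 0.2, 0.5),
))
SEGMENTED = Variant("segmentation + patching", 12_000.0, (
    Exposure("customer DB", "remote attack", 0.5, 0.1),
    Exposure("customer DB", "insider error", 0.3, 0.5),
    Exposure("web server", "remote attack", 0.8, 0.2),
    Exposure("HR records", "insider error", 0.2, 0.5),
))
SEGMENTED_DLP = Variant("segmentation + DLP", 30_000.0, (
    Exposure("customer DB", "remote attack", 0.5, 0.1),
    Exposure("customer DB", "insider error", 0.3, 0.2),
    Exposure("web server", "remote attack", 0.8, 0.2),
    Exposure("HR records", "insider error", 0.2, 0.2),
))
OUTSOURCED = Variant("full outsourcing", 45_000.0, (
    Exposure("customer DB", "remote attack", 0.5, 0.05),
    Exposure("customer DB", "insider error", 0.3, 0.2),
    Exposure("web server", "remote attack", 0.8, 0.1),
    Exposure("HR records", "insider error", 0.2, 0.2),
))
VARIANTS = (SEGMENTED, SEGMENTED_DLP, OUTSOURCED)

if __name__ == "__main__":
    for v in (BASELINE,) + VARIANTS:
        print(f"{v.name:25s} cost={v.cost:>8.0f} total risk={total_risk(v):>8.0f} "
              f"justified={is_justified(v, BASELINE)}")
    chosen = select_variant(VARIANTS, BASELINE, acceptable_risk=20_000.0)
    print("chosen:", chosen.name if chosen else None)
    print("top threat in baseline:", ranked_threats(BASELINE)[0])
```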

When building information security systems, you also need to define a risk management strategy for the enterprise.

Several approaches to risk management are known today.

One of the most common is to reduce risk by using appropriate methods and means of protection. Essentially similar is the approach associated with risk aversion. It is known that some classes of risks can be avoided: for example, moving the organization's Web server outside the local network avoids the risk of unauthorized access to the local network by Web clients.

Finally, in some cases, risk-taking is acceptable. Here it is important to determine the following dilemma: what is more profitable for the enterprise - to deal with risks or with their consequences. In this case, it is necessary to solve the optimization problem.

After the risk management strategy has been determined, the final assessment of measures to ensure information security is carried out with the preparation of an expert opinion on the security of information resources. The expert opinion includes all materials of risk analysis and recommendations for their reduction.

1.4 Methods for assessing enterprise information risks

In practice, various methods of assessing and managing information risks in enterprises are used. At the same time, the assessment of information risks provides for the following stages:

· identification and quantitative assessment of information resources of enterprises that are significant for business;

· assessment of possible threats;

· assessment of existing vulnerabilities;

· evaluating the effectiveness of information security tools.

It is assumed that the business-relevant, vulnerable information resources of an enterprise are at risk if there are any threats to them. In other words, the risks characterize the danger to which the components of the corporate Internet / Intranet system may be exposed. At the same time, the information risks of the company depend on:

· the value indicators of information resources;

· the likelihood of the implementation of threats to resources;

· the effectiveness of existing or planned means of ensuring information security.

The purpose of risk assessment is to determine the characteristics of the risks of the corporate information system and its resources. As a result of risk assessment, it becomes possible to choose the means that ensure the desired level of information security of the enterprise. Risk assessment takes into account the value of resources, the significance of threats and vulnerabilities, and the effectiveness of existing and planned defenses. The indicators of resources themselves, the significance of threats and vulnerabilities, the effectiveness of protection means can be determined both quantitatively, for example, when determining cost characteristics, and qualitatively, for example, taking into account standard or extremely dangerous abnormal environmental influences.

The possibility of a threat being realized is estimated by the probability of its realization within a given period of time for a certain resource of the enterprise. At the same time, the probability that the threat is realized is determined by the following main indicators:

· the attractiveness of the resource is used when considering the threat from deliberate human influence;

· the possibility of using the resource to generate income when considering the threat from deliberate human influence;

· the technical capabilities of the threat are used in case of deliberate human influence;

· the ease with which the vulnerability can be exploited.

Currently, there are many tabular methods for assessing information risks of a company. It is important that security personnel select the appropriate method for themselves that will provide correct and reliable reproducible results.

Quantitative indicators of information resources are recommended to be assessed on the basis of surveys of the enterprise's employees who own the information, that is, officials who can determine the value of the information, its characteristics and its degree of criticality from the actual state of affairs. Based on the survey results, the indicators and the degree of criticality of information resources are assessed for the worst case, up to consideration of the potential impact on the business activities of the enterprise in the event of unauthorized disclosure of confidential information, violation of its integrity, its unavailability for various periods caused by failures of the data processing systems, and even its physical destruction. At the same time, the process of obtaining quantitative indicators can be supplemented by appropriate methods for assessing other critical resources of the enterprise, taking into account:

· personnel safety;

· disclosure of private information;

· legal and regulatory compliance requirements;

· restrictions arising from legislation;

· commercial and economic interests;

· financial losses and disruptions in production activities;

· public relations;

· commercial policy and commercial operations;

· loss of the company's reputation.

Further, quantitative indicators are used where this is permissible and justified, and qualitative ones where quantitative estimates are difficult for a number of reasons. The most widespread approach is the assessment of qualitative indicators using score scales specially designed for this purpose, for example a four-point scale.

The next operation is to fill in pairs of questionnaires in which, for each threat type and the associated resource group, the threat level is assessed as the likelihood of the threat being realized and the vulnerability level as the degree of ease with which a realized threat can lead to a negative impact. The assessment is carried out on qualitative scales; for example, the levels of threats and vulnerabilities are rated on a high-low scale. The necessary information is collected by interviewing the company's top managers and employees of the commercial, technical, personnel and service departments, by site visits and by analyzing the company's documentation.
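A tabular rating built from the paired questionnaires just described, added here as an illustration that is not the original text's method; the four-point value scale, the high-low levels, the scoring table and the questionnaire answers are constructed assumptions:

```python
"""Added example (not from the original text): qualitative risk rating from a pair of
questionnaires.  Each (threat type, resource group) pair has a threat-level answer and a
vulnerability-level answer on a high-low scale; each resource group has a value on a
four-point scale.  The score table and the sample answers are constructed assumptions."""

VALUE_SCALE = (1, 2, 3, 4)                       # four-point scale for resource value
LEVELS = {"low": 0, "medium": 1, "high": 2}      # high-low scale for threat and vulnerability
RISK_ORDER = ("low", "medium", "high", "critical")


def risk_level(score):
    """Constructed mapping of a combined score (1..8) to a qualitative risk level."""
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    if score <= 6:
        return "high"
    return "critical"


def rate_pair(resource_value, threat_level, vulnerability_level):
    """Combine one threat answer and one vulnerability answer for a resource group.
    Answers outside the agreed scales are rejected rather than silently scored."""
    if resource_value not in VALUE_SCALE:
        raise ValueError(f"resource value {resource_value!r} is not on the 1..4 scale")
    if threat_level not in LEVELS or vulnerability_level not in LEVELS:
        raise ValueError(f"level must be one of {sorted(LEVELS)}")
    score = resource_value + LEVELS[threat_level] + LEVELS[vulnerability_level]
    return score, risk_level(score)


def rate_questionnaires(resource_values, threat_answers, vulnerability_answers):
    """Both questionnaires are keyed by (threat type, resource group) and must cover the
    same pairs.  Returns rows (group, threat, score, level) ranked by descending score."""
    if set(threat_answers) != set(vulnerability_answers):
        raise ValueError("the two questionnaires do not cover the same threat/resource pairs")
    rows = []
    for threat, group in threat_answers:
        score, level = rate_pair(resource_values[group],
                                 threat_answers[(threat, group)],
                                 vulnerability_answers[(threat, group)])
        rows.append((group, threat, score, level))
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def priority_measures(rows, at_least="high"):
    """Rows whose risk level is at least the given level: the candidates for priority measures."""
    threshold = RISK_ORDER.index(at_least)
    return [r for r in rows if RISK_ORDER.index(r[3]) >= threshold]


# Constructed sample answers.
RESOURCE_VALUES = {"customer data": 4, "office PCs": 2, "public website": 1}
THREAT_ANSWERS = {
    ("remote attack", "customer data"): "medium",
    ("insider error", "customer data"): "high",
    ("remote attack", "public website"): "high",
    ("malware", "office PCs"): "medium",
}
VULNERABILITY_ANSWERS = {
    ("remote attack", "customer data"): "low",
    ("insider error", "customer data"): "medium",
    ("remote attack", "public website"): "high",
    ("malware", "office PCs"): "high",
}

if __name__ == "__main__":
    ranked = rate_questionnaires(RESOURCE_VALUES, THREAT_ANSWERS, VULNERABILITY_ANSWERS)
    for group, threat, score, level in ranked:
        print(f"{group:15s} {threat:14s} score={score} level={level}")
    print("priority measures needed for:", priority_measures(ranked, "critical"))
```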

Along with tabular methods for assessing information risks, modern mathematical methods can be used, for example, the Delphi-type method, as well as special automated systems, some of which will be discussed below.

The general algorithm of the risk assessment process in these systems (Figure 1.3) includes the following stages:

· description of the object and protection measures;

· identification of the resource and assessment of its quantitative indicators (determination of the potential negative impact on the business);

· analysis of information security threats;

· assessing vulnerabilities;

· assessment of existing and proposed means of ensuring information security;

· risk assessment.

5 Information risk management

Currently, information risk management is one of the most relevant and dynamically developing areas of strategic and operational management in the field of information security. Its main task is to objectively identify and assess the information risks of the company that are most significant for the business, as well as the adequacy of the risk controls used to increase the efficiency and profitability of the economic activity of the enterprise. Therefore, the term "information risk management" is usually understood as a systematic process of identification, control and mitigation of information risks of companies in accordance with certain restrictions of the Russian regulatory framework in the field of information protection and its own corporate security policy.

Fig. 1.3. Risk assessment algorithm

The use of information systems is associated with a certain set of risks. When the potential damage is unacceptably large, economically justified protection measures are necessary. Periodic (re)assessment of risks is necessary to monitor the effectiveness of security activities and to take account of changes in the environment.

The essence of risk management is to assess the size of the risks, develop effective and cost-effective measures to mitigate them, and then ensure that the risks are contained within acceptable limits (and remain so). Consequently, risk management includes two types of activity, which alternate cyclically:

1) (re)assessment (measurement) of risks;

2) selection of effective and economical protective means (neutralization of risks).

In relation to the identified risks, the following actions are possible:

· elimination of the risk (for example, by eliminating the cause);

· risk reduction (for example, through the use of additional protective equipment);

· risk acceptance (by developing an action plan under appropriate conditions):

· redirecting risk (for example, by entering into an insurance agreement).

The risk management process can be divided into the following stages:

1. The choice of the analyzed objects and the level of detail of their consideration.

2. Choice of risk assessment methodology.

3. Identification of assets.

4. Analysis of threats and their consequences, identification of vulnerabilities in protection.

5. Risk assessment.

6. Selection of protective measures.

7. Implementation and verification of the selected measures.

8. Residual risk assessment.

Stages 6 and 7 relate to the choice of protective means (neutralization of risks), the rest to the assessment of risks.

Already listing the stages shows that risk management is a cyclical process. Essentially, the last step is an end-of-loop statement that tells you to go back to the beginning. Risks need to be monitored constantly, periodically re-evaluating them. It should be noted that a completed and well-documented assessment can greatly simplify follow-up activities.

Risk management, like any other activity in the field of information security, needs to be integrated into the IS life cycle. Then the effect turns out to be the greatest, and the costs are minimal.

Risk management must be carried out at all stages of the information system life cycle: initiation, development, installation, operation and disposal (decommissioning).

At the initiation stage, known risks should be taken into account when developing requirements for the system in general and security equipment in particular.

During the development phase, knowledge of the risks helps to select the appropriate architectural solutions, which play a key role in ensuring security.

During the installation phase, the identified risks should be taken into account when configuring, testing and verifying the previously formulated requirements, and the full cycle of risk management should precede the introduction of the system into operation.

During the operational phase, risk management should accompany all significant changes in the system.

When decommissioning a system, risk management helps ensure that data is migrated in a safe manner.

Chapter II. Information security standards

1 Prerequisites for the creation of information security standards

Information security audit is based on the use of numerous recommendations, which are set out mainly in international information security standards.

Recently, one of the results of an audit is increasingly a certificate attesting the compliance of the surveyed IS with a certain recognized international standard. Such a certificate gives the organization competitive advantages associated with greater trust from customers and partners.

The use of standards contributes to the solution of the following five tasks.

First, the goals of ensuring information security of computer systems are strictly defined. Secondly, an effective information security management system is created. Thirdly, it becomes possible to calculate a set of detailed indicators, not only qualitative but also quantitative, for assessing the compliance of information security with the stated goals. Fourthly, conditions are created for the use of existing tools (software) for ensuring information security and assessing its current state. Fifthly, it becomes possible to use security management techniques with a well-grounded system of metrics and support measures for information system developers.

Since the early 1980s, dozens of international and national standards in the field of information security have been created, which to some extent complement each other. The best-known standards are considered below in the chronological order of their creation:

1) Criteria for assessing the reliability of computer systems, the "Orange Book" (USA);

2) Harmonized Criteria of European Countries;

3) X.800 Recommendations;

4) German standard BSI;

5) British Standard BS 7799;

6) ISO 17799 standard;

7) "Common Criteria" standard ISO 15408;

8) COBIT standard.

These standards can be divided into two types:

· Evaluation standards aimed at the classification of information systems and security measures according to security requirements;

· Technical specifications governing various aspects of the implementation of safeguards.

It is important to note that there is no blank wall between these types of regulatory documents. Evaluation standards highlight the most important, from the point of view of information security, aspects of IS, playing the role of architectural specifications. Other technical specifications define how to build an IS of a prescribed architecture.

2 Standard "Criteria for assessing the reliability of computer systems" (Orange Book)

Historically, the US Department of Defense's “Evaluation Criteria for Trusted Computer Systems” became the first assessment standard that became widespread and had a huge impact on the basis of information security standardization in many countries.

This work, most often called the "Orange Book" for the color of the cover, was first published in August 1983. Its name alone requires comment. We are not talking about secure, but about trusted systems, that is, systems that can be given a certain degree of trust.

The Orange Book clarifies the concept of a secure system that "manages, through appropriate means, access to information so that only properly authorized persons or processes acting on their behalf are entitled to read, write, create and delete information."

It is obvious, however, that absolutely secure systems do not exist; this is an abstraction. It only makes sense to assess the degree of confidence that can be placed in a particular system.

The Orange Book defines a trusted system as “a system that uses sufficient hardware and software to enable a group of users to simultaneously process information of varying degrees of secrecy without violating access rights.”

It should be noted that in the criteria considered, both security and trust are assessed solely from the point of view of data access control, which is one of the means of ensuring the confidentiality and integrity of information. The Orange Book does not address availability issues.

The degree of trust is assessed according to two main criteria.

1. A security policy is a set of laws, rules and codes of conduct that govern how an organization processes, protects and disseminates information. In particular, the rules determine in which cases a user may operate on specific data sets. The higher the degree of trust in the system, the stricter and more diverse the security policy should be. Depending on the formulated policy, specific security mechanisms can be chosen. Security policy is the active aspect of protection, including the analysis of possible threats and the selection of countermeasures.

2. The level of assurance is a measure of the confidence that can be placed in the architecture and implementation of the IS. Confidence in security can arise both from the analysis of test results and from the verification (formal or not) of the overall design and implementation of the system as a whole and of its individual components. The assurance level shows how correct the mechanisms responsible for implementing the security policy are. This is the passive aspect of protection.

An accountability (logging) mechanism is defined as the main security measure. The trusted system must record all security events. Record keeping should be complemented by an audit, that is, an analysis of the logged information. The concept of a trusted computing base is central to assessing the degree of trust in security. The trusted computing base is the collection of IS security mechanisms (including hardware and software) that are responsible for enforcing the security policy. The quality of the computing base is determined solely by its implementation and by the correctness of the initial data entered by the system administrator.

Components outside the computing base need not be trusted, but this must not affect the security of the system as a whole. As a result, the authors of the standard recommend considering only the computing base when assessing confidence in the security of an IS.

The main purpose of a trusted computing base is to perform the functions of a reference monitor, that is, to control the admissibility of certain operations on objects (passive entities) by subjects (users). The monitor checks each user access to programs or data for consistency with the set of actions allowed for the user.

A reference monitor must have three qualities:

Isolation. It must be impossible to track or interfere with the operation of the monitor.

Completeness. The monitor must be invoked on every access; there must be no way to bypass it.

Verifiability. The monitor must be compact so that it can be analyzed and tested with confidence in the completeness of testing.

The implementation of the reference monitor is called the security kernel. The security kernel is the foundation on which all protection mechanisms are built. In addition to the reference monitor properties listed above, the kernel must guarantee its own immutability.

The boundary of the trusted computing base is called the security perimeter. As noted, components outside the security perimeter are, in general, not trusted. With the development of distributed systems, the concept of "security perimeter" is increasingly given a different meaning: the boundary of what a particular organization owns. What is inside that boundary is considered trusted, and what is outside is not.

According to the Orange Book, a security policy must necessarily include the following elements:

· discretionary (arbitrary) access control;

· object reuse security;

· security labels;

· mandatory (forced) access control.

Discretionary (arbitrary) access control is a method of differentiating access to objects based on the identity of the subject or of the group to which the subject belongs. The discretionary nature of the control lies in the fact that a certain person (usually the owner of the object) can, at their own discretion, grant other subjects access rights to the object or take those rights away.

Object reuse security is an important addition to access control that prevents the accidental or deliberate extraction of confidential information from discarded or reallocated storage ("from the trash"). Reuse security must be guaranteed for areas of RAM (in particular, for buffers holding screen images, decrypted passwords, etc.), for disk blocks and for magnetic media in general.
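The reference monitor qualities and the policy elements described above, as an added example in Python (not code from the Orange Book or from this article): a toy monitor that combines discretionary rights granted by the owner, mandatory checks on security labels, a decision log for accountability, and scrubbing of released storage for object reuse security. All subjects, groups and objects are constructed.

```python
"""Toy reference monitor: discretionary access control (owner grants and revokes),
mandatory access control on labels (no read up, no write down), a log of every
decision (accountability) and scrubbing of released storage (object reuse).
Added example; names and data are constructed."""
from dataclasses import dataclass, field
from enum import IntEnum


class Label(IntEnum):
    """Security labels ordered from least to most sensitive."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2


@dataclass
class Subject:
    name: str
    clearance: Label
    groups: frozenset = frozenset()


@dataclass
class SecuredObject:
    name: str
    owner: str
    label: Label
    data: bytearray = field(default_factory=bytearray)
    # Discretionary rights: principal ("bob" or "@group") -> set of operations.
    acl: dict = field(default_factory=dict)


@dataclass(frozen=True)
class LogEntry:
    subject: str
    obj: str
    op: str
    allowed: bool
    reason: str


class ReferenceMonitor:
    """All accesses and rights changes go through this class (completeness); it is
    small enough to review (verifiability) and records every decision (accountability)."""

    def __init__(self) -> None:
        self.log: list[LogEntry] = []

    def _record(self, s: Subject, o: SecuredObject, op: str, ok: bool, why: str) -> bool:
        self.log.append(LogEntry(s.name, o.name, op, ok, why))
        return ok

    def _dac_allows(self, s: Subject, o: SecuredObject, op: str) -> bool:
        """Discretionary check: owner, explicit user right, or right via a group."""
        if s.name == o.owner:
            return True
        if op in o.acl.get(s.name, set()):
            return True
        return any(op in o.acl.get("@" + g, set()) for g in s.groups)

    @staticmethod
    def _mac_allows(s: Subject, o: SecuredObject, op: str) -> bool:
        """Mandatory check on labels: no read up, no write down."""
        if op == "read":
            return s.clearance >= o.label
        if op == "write":
            return s.clearance <= o.label
        return False

    def check(self, s: Subject, o: SecuredObject, op: str) -> bool:
        """Decide whether subject s may perform op on object o; both checks must pass."""
        if not self._dac_allows(s, o, op):
            return self._record(s, o, op, False, "DAC: right not granted")
        if not self._mac_allows(s, o, op):
            return self._record(s, o, op, False, "MAC: label violation")
        return self._record(s, o, op, True, "granted")

    def grant(self, granter: Subject, o: SecuredObject, principal: str, op: str) -> bool:
        """Discretionary control: only the object's owner may hand out rights."""
        if granter.name != o.owner:
            return self._record(granter, o, "grant", False, "DAC: not the owner")
        o.acl.setdefault(principal, set()).add(op)
        return self._record(granter, o, "grant", True, f"{op} granted to {principal}")

    def revoke(self, granter: Subject, o: SecuredObject, principal: str, op: str) -> bool:
        """Only the owner may take rights away again."""
        if granter.name != o.owner:
            return self._record(granter, o, "revoke", False, "DAC: not the owner")
        o.acl.get(principal, set()).discard(op)
        return self._record(granter, o, "revoke", True, f"{op} revoked from {principal}")

    def release(self, s: Subject, o: SecuredObject) -> bytearray:
        """Object reuse security: zero the storage before the buffer is reallocated,
        so whoever receives it next cannot recover the previous contents."""
        if s.name != o.owner:
            self._record(s, o, "release", False, "DAC: not the owner")
            return bytearray()
        for i in range(len(o.data)):
            o.data[i] = 0
        buf, o.data = o.data, bytearray()
        self._record(s, o, "release", True, f"{len(buf)} bytes scrubbed")
        return buf
```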

3 German BSI standard

In 1998, Germany published the "Guide to Information Technology Security for a Basic Level". The manual is a hypertext of about 4 MB (in HTML format). Later it was formalized in the form of the German BSI standard. It is based on the general methodology and components of information security management:

· General method of information security management (organization of management in the field of information security, methodology for using the manual).

· Descriptions of the components of modern information technologies.

· Main components (organizational level of information security, procedural level, organization of data protection, planning of actions in emergency situations).

· Infrastructure (buildings, premises, cable networks, organization of remote access).

· Client components of various types (DOS, Windows, UNIX, mobile components, other types).

· Networks of various types (point-to-point connections, Novell NetWare networks, networks running UNIX and Windows, heterogeneous networks).

· Elements of data transmission systems (e-mail, modems, firewalls, etc.).

· Telecommunications (faxes, answering machines, integrated systems based on ISDN, other telecommunication systems).

· Standard software.

· Databases.

· Descriptions of the main components of the organization of the information security regime (organizational and technical levels of data protection, contingency planning, business continuity support).

· Characteristics of objects of informatization (buildings, premises, cable networks, controlled areas).

· Characteristics of the company's main information assets (including hardware and software, such as workstations and servers running DOS, Windows, and UNIX operating systems).

· Characteristics of computer networks based on various networking technologies, such as Novell NetWare, UNIX and Windows networks.

· Characteristics of active and passive telecommunication equipment from leading vendors, such as Cisco Systems.

· Detailed catalogs of security threats and control measures (over 600 items in each catalog).

All types of threats in the BSI standard are divided into the following classes:

· Force majeure circumstances.

· Disadvantages of organizational measures.

· Human errors.

· Technical issues.

· Intentional actions.

Countermeasures are similarly classified:

· Improving infrastructure;

· Administrative countermeasures;

· Procedural countermeasures;

· Software and hardware countermeasures;

· Reducing the vulnerability of communications;

· Contingency planning.

All components are considered and described according to the following plan:

1) general description;

2) possible scenarios of security threats (lists the threats applicable to this component from the security threat catalog);

3) possible countermeasures (lists the countermeasures applicable to this component from the countermeasures catalog).

4 British Standard BS 7799

An enterprise must conduct an information security audit. Let's consider what it is for and how the check is carried out. Almost all activities of organizations involve computer processing of information.

The number and volume of operations is growing, requiring extensive use of a computerized information system. If there are errors, the system may be blocked.

A chain reaction can be triggered, as a result of which the profitability of companies is reduced and their reputation is lost. That is why it is worth paying special attention to the information security audit.

What you need to know

Conducting an IS audit is an important procedure in which certain goals are pursued and a number of tasks are performed.

Necessary terms

An information security audit is a systematic procedure in which objective qualitative and quantitative assessments of the current state of an enterprise's information security are obtained.

At the same time, certain criteria and security indicators are adhered to. Information security is understood as the security of information resources and the protection of the legal rights of the individual and society in the information sphere.

Why is this needed?

With the help of an audit, you can assess the current security of the information system, assess and predict risks, manage their impact on the business process.

With a competent audit, the maximum return on the funds invested in creating and maintaining the company's security system becomes possible.

The purpose of the audit procedure:

  • risk analysis;
  • assessment of the current levels of security of the information system;
  • localization of weak points in the protection system;
  • recommendations on how to implement the security mechanisms of the information system and improve their efficiency.

Tasks:

  • develop a security policy for data protection;
  • set tasks for IT employees;
  • sort out incidents related to information security breaches.

Legal regulation

Main legislative provisions:

  1. Methodical documentation.

Enterprise information security audit

The main directions of information security audit:

Attestation:
  • automated systems, communication facilities, and data processing and transmission facilities are certified;
  • premises used for negotiations are certified;
  • technical means installed in a dedicated room are certified.
Protected data control:
  • technical channels of data leakage are revealed;
  • the effectiveness of the data protection tools in use is monitored.
Special study of technical means:
  • computers, communication facilities and data processing facilities are investigated;
  • the local computing system is investigated;
  • the results of the research are drawn up in accordance with the standards of the State Technical Commission.
Design of objects in protected versions:
  • an information security concept is developed;
  • automated systems for data processing are designed in secure versions;
  • the premises required for conducting negotiations are designed.

Applied techniques

The following techniques can be used:

Expert audit: the degree of protection of each component of the information system is assessed. It consists of several stages:
  • the information systems are analyzed;
  • significant assets are analyzed;
  • models of threats and violators are formed;
  • the requirements for the security of the data environment are analyzed;
  • the current state is assessed;
  • recommendations for eliminating deficiencies are developed;
  • a report with recommendations is prepared.
Active audit: during the test it is possible to assess the security of information systems, detect weaknesses and check the reliability of the existing mechanism for protecting systems from unauthorized actions. The company receives detailed reports with the results of the analysis. The object of penetration testing is an external server, network equipment or a separate service.

There are several types of testing:

  1. Black box method. The test is conducted without prior knowledge of the object being tested; information is collected from publicly available sources.
  2. White box method. The objects are investigated in more detail: additional documents, source code and access to the objects may be requested. The test simulates a situation that is possible in the event of data leaks.
  3. Gray box method. Known data about the object are taken into account, combining the two methods above.

The stages of the work on the tests include:

  • analysis of available information;
  • implementation of instrumental scanning when specialized tools are used;
  • manual detailed analysis;
  • analysis and assessment of deficiencies
Checking web applications: needed to detect and identify vulnerabilities. It necessarily includes:
  • automatic scanning;
  • the black and white box methods;
  • risk assessment;
  • preparation of recommendations;
  • implementation of the recommendations.
Comprehensive audit: makes it possible to systematize threats to information security and provide proposals for eliminating deficiencies. Technical verification of networks, penetration testing, etc. are carried out.
Compliance audit: the information security risk management system, the regulation policy, and the principles of asset and employee management are analyzed and evaluated.

Planning

When conducting an information security audit, a work plan is drawn up and the target task is determined. Customers and contractors should agree on the scope of the audit and on which parts of the company's structure it covers.

Specify the responsibilities of each party. The plan should reflect:

  • the purpose of the check;
  • criteria;
  • the scope of verification, taking into account the identification of the organizational and functional unit and process that is to be audited;
  • date and place of the audit;
  • the duration of the check;
  • the role and responsibilities of audit team members and accompanying persons.

It is also possible to include:

  • a list of representatives of the audited company that will provide support services for the audit team;
  • sections of the report;
  • technical support;
  • addressing confidentiality issues;
  • the timing and objectives of the next information security audit.

The plan is analyzed and presented to the auditee before the audit is carried out. The revised document is agreed by the party involved before continuing with the audit.

Internal audit

The audit includes the following actions:

  • the process is initiated (the rights and obligations of the auditor are defined and enshrined in the documentation, an audit plan is prepared);
  • data is collected;
  • information is analyzed;
  • recommendations are developed;
  • a report is being prepared.

For the implementation of the audit, the criteria are determined, which are reflected in the regulatory documentation. First, they organize the check, analyze the documents and prepare for the IS audit at the place of its implementation.

The leader of the audit team is appointed, the goals, scope and feasibility of the audit are determined, and initial contact with the audited enterprise is established.

Small business nuances

In a small enterprise, information security is not given as much attention as in large firms.

Yet it is precisely small companies that need information security protection: such enterprises have a small IT budget that does not allow them to buy all the equipment and software.

That is why the audit would allow timely identification of vulnerabilities by checking:

  • how a firewall is used to ensure information security;
  • whether e-mail protection is provided (are there the necessary antiviruses);
  • whether anti-virus protection is provided;
  • how work in 1C:Enterprise is organized;
  • how users' PCs are configured;
  • how the proxy server is used;
  • whether the protection of the company's information environment is ensured.

During the audit procedure in a bank, two approaches are distinguished:

  • checking "around the computer";
  • checking "through the computer".

Controls can be general and application-specific. General controls are those that provide confidence in the continuous operation of the computer system.

The following types of control are carried out:

  • organizational;
  • control of computers;
  • operating systems;
  • access control;
  • control of premises with technical objects;
  • development and maintenance of systems functioning.

Application controls refer to the programmed procedures of specific application software and the manual procedures associated with them.

They must provide reasonable assurance that the automated processing of information is complete, accurate and correct.

They are represented by:

  • input controls (this is the weakest point in information systems);
  • processing controls;
  • output controls.

The audit program of the information system of banking institutions includes:

  • involvement of internal auditors in the development of systems and application software packages;
  • review and confirmation: verification of software changes;
  • internal control audit and tests for consistency;
  • checking computer software documentation: whether the documents exist, are kept up to date and reflect the real situation;
  • conducting software checks: that there are no unauthorized changes and that the information is complete;
  • assessment of purchased software for compliance with the description of the prepared systems;
  • quarterly review and renewal of the action plan for force majeure and critical situations.

To prevent unwanted intrusions and attacks in the future, it is worth:

The auditor can carry out the following work:

Organization for government information systems

Consider the example of a school. The audit includes 3 stages. The institution must first submit all the required documents.

The purpose and tasks of the check are determined, the composition of the audit team is decided, and the verification programs are drawn up.

The inspection itself is carried out in accordance with the audit program, which was developed and agreed with the school leadership.

The quality of the regulatory documents, the effectiveness of the technical measures for data protection, and the actions of employees are checked and evaluated. It is established:

  • whether the personal data information system (ISPD) is classified correctly;
  • whether the information provided is sufficient;
  • whether the requirements for information security are met.

When conducting a technical check, expert, expert-documentary and instrumental methods are used. Based on the results of the audit, a report is prepared in which the deficiencies are spelled out and recommendations for their elimination are given.

Management systems certification

Verification and certification of compliance with standards are aimed at improving enterprise management, building confidence.

Although international standards have been established, at the moment certification for compliance with ISO 17799 is not carried out, since it has no part 2 describing the certification of compliance, unlike the British standard BS 7799.

Certification is carried out for compliance with the British standard. Verification of compliance is carried out by audit and consulting firms that are members of UKAS.

BS 7799-2 certificates affect the quality of building information security management systems, and a number of technical issues are addressed in the process.

State standards for management systems have not been adopted; the analogue is the Special Requirements and Recommendations for Technical Information Protection (STR-K) of the State Technical Commission of Russia.

Presentation of results

At the end of the audit, a reporting document is drawn up, which is handed over to customers. The report should contain the following information:

  • the framework of the audit procedure;
  • the structure of the enterprise information system;
  • methods and means that are used in the audit;
  • descriptions of detected vulnerabilities and deficiencies, taking into account their level of risk;
  • recommendations for improving complex information security systems;
  • proposals for plans of measures to minimize the identified risks.

The report should reflect complete, clear and accurate information on the security check of information. It is indicated where the audit was carried out, who is the customer and the contractor, what is the purpose of the audit.

Reports may include the following data:

  • inspection plan;
  • a list of the persons accompanying the auditors;
  • a brief summary of the procedure, taking into account the element of uncertainty and the problems that may affect the reliability of the conclusions of the audit;
  • any areas not covered by the audit, etc.

An information security audit is an effective tool that allows you to obtain an independent and objective assessment of the current state of protection against a range of threats.

The result of the check will give the basis for the formation of strategies for the development of systems to ensure the company's information security.
But it's worth remembering that a security audit is not a one-time procedure.

Its implementation is mandatory on an ongoing basis. Only in this case there will be a real return and there will be an opportunity to improve the security of information.

Today, automated systems (AS) play a key role in ensuring the efficient execution of business processes of both commercial and state enterprises. At the same time, the widespread use of AS for storing, processing and transmitting information makes the problems associated with their protection ever more urgent. This is confirmed by the fact that over the past few years, both in Russia and in leading foreign countries, there has been a tendency towards an increase in the number of information attacks, leading to significant financial and material losses. In order to guarantee effective protection against information attacks by intruders, companies need to have an objective assessment of the current level of AS security. It is for these purposes that security auditing is used, various aspects of which are considered in this article.

1. What is a security audit?

Although there is not yet an established definition of security audit, in general it can be represented as a process of collecting and analyzing information about the AS, which is necessary for the subsequent qualitative or quantitative assessment of the level of protection against attacks by intruders. There are many cases in which it is advisable to conduct a security audit. Here are just a few of them:

  • AS audit to prepare the technical specifications for the design and development of an information security system;
  • AS audit after the implementation of the security system to assess the level of its effectiveness;
  • audit aimed at bringing the current security system in line with the requirements of Russian or international legislation;
  • audit designed to systematize and streamline existing information protection measures;
  • audit for the purpose of investigating an incident related to a breach of information security.

As a rule, external companies that provide consulting services in the field of information security are involved in the audit. The initiator of the audit procedure can be the management of the enterprise, the automation service or the information security service. In some cases, the audit can also be carried out at the request of insurance companies or regulatory authorities. A security audit is carried out by a group of experts, the size and composition of which depends on the goals and objectives of the survey, as well as on the complexity of the object of assessment.

2. Types of security audits

Currently, the following main types of information security audit can be distinguished:

  • expert security audit, during which shortcomings in the system of information protection measures are identified based on the experience of experts participating in the survey procedure;
  • assessment of compliance with the recommendations of the International Standard ISO 17799, as well as the requirements of the guidelines of the FSTEC (State Technical Commission);
  • instrumental analysis of the security of the system, aimed at identifying and eliminating vulnerabilities in the software and hardware of the system;
  • a comprehensive audit, which includes all of the above forms of the survey.

Each of the above types of audit can be carried out separately or in combination, depending on the tasks that must be solved by the enterprise. The audit object can be both the AS of the company as a whole, and its individual segments, in which the processing of information subject to protection is carried out.

3. Scope of work on a security audit

In general, a security audit, regardless of the form of its implementation, consists of four main stages, each of which provides for the implementation of a certain range of tasks (Fig. 1).

Figure 1: The main stages of work during a security audit

At the first stage, together with the Customer, a regulation is developed that establishes the composition and procedure for carrying out the work. The main task of the regulation is to determine the boundaries within which the survey will be carried out. The Regulation is the document that avoids mutual claims upon completion of the audit, since it clearly defines the responsibilities of the parties. As a rule, the regulation contains the following basic information:

  • the composition of the working groups from the Contractor and the Customer participating in the audit process;
  • a list of information that will be provided to the Contractor for the audit;
  • the list and location of the Customer's objects to be audited;
  • a list of resources that are considered as objects of protection (information resources, software resources, physical resources, etc.);
  • the information security threat model, on the basis of which the audit is carried out;
  • categories of users who are considered potential violators;
  • the procedure and time for the instrumental examination of the automated system of the Customer.

At the second stage, in accordance with the agreed regulations, the collection of initial information is carried out. Methods for collecting information include interviewing the Customer's employees, filling out questionnaires, analyzing the provided organizational, administrative and technical documentation, using specialized tools.

The third stage of work involves the analysis of the collected information in order to assess the current level of security of the Customer's AS. Based on the results of the analysis, at the fourth stage, recommendations are developed to increase the level of AS protection against information security threats.

Below, the stages of the audit associated with the collection of information, its analysis and the development of recommendations for increasing the level of protection of the AS are considered in more detail.

4. Collection of baseline data for the audit

The quality of the security audit largely depends on the completeness and accuracy of the information obtained in the process of collecting the initial data. Therefore, the information should include: existing organizational and administrative documentation related to information security issues, information about the AS software and hardware, information about the protective equipment installed in the AS, etc. A more detailed list of initial data is presented in Table 1.

Table 1: List of baseline data required for conducting a security audit

Information type: composition of the initial data

  1. Organizational and administrative documentation on information security issues:
     • the information security policy of the AS;
     • guiding documents (orders, directives, instructions) on the storage, access and transfer of information;
     • regulations for users' work with the information resources of the AS.
  2. AS hardware information:
     • a list of the servers, workstations and communication equipment installed in the AS;
     • information about the hardware configuration of servers and workstations;
     • information about the peripheral equipment installed in the AS.
  3. System-wide software information:
     • information about the operating systems installed on the workstations and servers of the AS;
     • data about the DBMS installed in the AS.
  4. Application software information:
     • a list of the general and special-purpose application software installed in the AS;
     • a description of the functional tasks solved using the application software installed in the AS.
  5. Information about the means of protection installed in the AS:
     • information about the manufacturer of the protective equipment;
     • configuration settings of the protection means;
     • diagram of the installation of the protective equipment.
  6. AS topology information:
     • a map of the local area network, including the distribution of servers and workstations by network segment;
     • information about the types of communication channels used in the AS;
     • information about the network protocols used in the AS;
     • a scheme of the information flows of the AS.

As noted above, the collection of raw data can be carried out using the following methods:

  • interviewing the Customer's employees who have the necessary information. At the same time, interviews, as a rule, are conducted with both technical specialists and representatives of the company's management. The list of questions to be discussed during the interview is agreed in advance;
  • provision of questionnaires on a specific topic, independently filled in by the Customer's employees. In cases where the presented materials do not fully provide answers to the necessary questions, additional interviews are conducted;
  • analysis of the existing organizational and technical documentation used by the Customer;
  • the use of specialized software that allows you to obtain the necessary information about the composition and settings of the software and hardware of the Customer's automated system. So, for example, in the audit process, security analysis systems (Security Scanners) can be used, which allow you to take an inventory of available network resources and identify vulnerabilities in them. Examples of such systems are Internet Scanner (from ISS) and XSpider (from Positive Technologies).

5. Assessment of the NPP safety level

After collecting the necessary information, its analysis is carried out in order to assess the current level of system security. In the process of such analysis, the information security risks that the company may be exposed to are determined. In fact, the risk is an integral assessment of how effectively the existing means of protection are able to resist information attacks.

Usually, there are two main groups of methods for calculating security risks. The first group allows you to establish the level of risk by assessing the degree of compliance with a certain set of information security requirements. The sources of such requirements can be (Fig. 2):

  • Regulatory legal documents of the enterprise concerning information security issues;
  • Requirements of current Russian legislation: the guiding documents of the FSTEC (State Technical Commission), STR-K, the requirements of the Federal Security Service of the Russian Federation, GOSTs, etc.;
  • Recommendations of international standards: ISO 17799, OCTAVE, COBIT, etc.;
  • Recommendations from software and hardware companies - Microsoft, Oracle, Cisco, etc.

Figure 2: Sources of information security requirements from which risk assessment can be carried out

The second group of methods for assessing information security risks is based on determining the likelihood of attacks, as well as the levels of their damage. In this case, the risk value is calculated separately for each attack and, in the general case, is represented as the product of the probability of an attack being carried out by the amount of possible damage from this attack. The value of the damage is determined by the owner of the information resource, and the probability of an attack is calculated by a group of experts conducting the audit procedure.

The methods of the first and second groups can use quantitative or qualitative scales to determine the magnitude of information security risk. In the first case, the risk and all its parameters are expressed in numerical values. So, for example, when using quantitative scales, the probability of an attack can be expressed as a number in the interval [0, 1], and the damage of an attack can be set as the monetary equivalent of the material losses that an organization can incur in the event of a successful attack. When using qualitative scales, numerical values are replaced by their equivalent conceptual levels. In this case, each conceptual level corresponds to a certain interval of the quantitative assessment scale. The number of levels may vary depending on the applied risk assessment methodology. Tables 2 and 3 provide examples of qualitative scales for assessing information security risks, in which five conceptual levels are used to assess the levels of damage and the likelihood of an attack.

Table 2: Qualitative scale for assessing the level of damage

Damage level Description
1 Small damage Leads to minor losses of tangible assets, which are quickly recovered, or to a minor impact on the company's reputation
2 Moderate damage Causes a noticeable loss of tangible assets or a moderate impact on the company's reputation
3 Medium damage Leads to significant loss of tangible assets or significant damage to the company's reputation
4 Great damage Causes large losses of tangible assets and causes great damage to the company's reputation
5 Critical damage Leads to a critical loss of tangible assets or to a complete loss of the company's reputation in the market, which makes it impossible for the organization to continue its activities

Table 3: Qualitative scale for assessing the likelihood of an attack

Attack probability level: Description
1 Very low: An attack will almost never be carried out. The level corresponds to a numerical probability interval
5 Very high: The attack will almost certainly be carried out. The level corresponds to the numerical probability interval (0.75, 1].

When using qualitative scales, the level of risk is read off a special table in which the conceptual levels of damage occupy the first column and the levels of attack probability occupy the first row. Each cell at the intersection of a damage row and a probability column contains the resulting security risk level. The dimension of the table depends on the number of conceptual levels of attack probability and damage. An example of a table from which the level of risk can be determined is given below.

Table 4: Example of an Information Security Risk Determination Table

| Damage \ Attack probability | Very low     | Low          | Average      | High         | Very high |
|-----------------------------|--------------|--------------|--------------|--------------|-----------|
| Small damage                | Low risk     | Low risk     | Low risk     | Average risk | Average risk |
| Moderate damage             | Low risk     | Low risk     | Average risk | Average risk | High risk |
| Medium damage               | Low risk     | Average risk | Average risk | Average risk | High risk |
| Great damage                | Average risk | Average risk | Average risk | Average risk | High risk |
| Critical damage             | Average risk | High risk    | High risk    | High risk    | High risk |

When calculating the probability of an attack and the level of possible damage, statistical methods, expert assessment methods, or elements of decision-making theory can be used. Statistical methods analyze already accumulated data on actual information security incidents; on the basis of such an analysis, assumptions are made about the likelihood of attacks and the damage they cause in other systems. However, statistical methods are not always applicable, because complete statistics on previous attacks against the information resources of an AS similar to the one under assessment are often unavailable.

When using the apparatus of expert assessments, the results of the work of a group of experts competent in the field of information security are analyzed, who, on the basis of their experience, determine quantitative or qualitative levels of risk. Elements of decision-making theory make it possible to use more complex algorithms for processing the results of the work of a group of experts to calculate the value of security risk.

In the process of conducting a security audit, specialized software systems can be used to automate the process of analyzing initial data and calculating risk values. Examples of such complexes are Grif and Condor (from Digital Security), as well as AvanGard (Institute for System Analysis of the Russian Academy of Sciences).

6. Results of security audit

At the last stage of the information security audit, recommendations are developed to improve the organizational and technical support of the enterprise. Such recommendations may include the following types of actions aimed at minimizing the identified risks:

  • reduction of risk through additional organizational and technical means of protection, which lower the likelihood of an attack or reduce the possible damage from it. For example, installing firewalls at the point where the AS connects to the Internet can significantly reduce the likelihood of a successful attack on the public information resources of the AS, such as web servers, mail servers, etc.;
  • avoidance of risk by changing the architecture or the scheme of information flows of the AS, which rules out the possibility of carrying out a particular attack. For example, physically disconnecting from the Internet the AS segment in which confidential information is processed rules out attacks on that confidential information from the network;
  • changing the nature of the risk by taking out insurance. Examples of such a change are insuring AS equipment against fire or insuring information resources against a possible violation of their confidentiality, integrity or availability. Russian companies already offer information risk insurance services;
  • acceptance of the risk, if it has been reduced to a level at which it no longer poses a danger to the AS.

As a rule, the developed recommendations are not aimed at completely eliminating all identified risks, but only at reducing them to an acceptable residual level. When choosing measures to raise the level of protection of the AS, one fundamental limitation applies: the cost of implementing them must not exceed the value of the protected information resources.
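The qualitative scales of Tables 2 to 4 and the selection of a risk-treatment measure under the cost limitation above, as an added worked example (not code from the original article). Only the top probability band (0.75, 1] comes from the page; the remaining probability cut points and the monetary damage thresholds are assumptions, and the measures in the scenario are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

PROBABILITY_LEVELS = ("very low", "low", "average", "high", "very high")  # Table 3, levels 1..5
DAMAGE_LEVELS = ("small", "moderate", "medium", "great", "critical")      # Table 2, levels 1..5
RISK_ORDER = {"low": 0, "average": 1, "high": 2}

# Table 4: rows follow DAMAGE_LEVELS, columns follow PROBABILITY_LEVELS.
RISK_MATRIX = (
    ("low", "low", "low", "average", "average"),           # small damage
    ("low", "low", "average", "average", "high"),          # moderate damage
    ("low", "average", "average", "average", "high"),      # medium damage
    ("average", "average", "average", "average", "high"),  # great damage
    ("average", "high", "high", "high", "high"),           # critical damage
)

# Upper bounds of the quantitative intervals behind levels 1..4 (level 5 is everything above).
# Only the top probability band (0.75, 1] is on the page; the lower cut points are assumed.
PROBABILITY_BOUNDS = (0.05, 0.25, 0.5, 0.75)
# Constructed monetary thresholds (same currency as the asset values); not from the page.
DAMAGE_BOUNDS = (1_000, 10_000, 100_000, 1_000_000)


def _level(value: float, bounds: tuple) -> int:
    """Return 1..len(bounds)+1: the first band whose upper bound `value` does not exceed."""
    for level, upper in enumerate(bounds, start=1):
        if value <= upper:
            return level
    return len(bounds) + 1


def probability_level(p: float) -> int:
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return _level(p, PROBABILITY_BOUNDS)


def damage_level(loss: float) -> int:
    if loss < 0:
        raise ValueError("loss must be non-negative")
    return _level(loss, DAMAGE_BOUNDS)


def risk_level(p: float, loss: float) -> str:
    """Look up Table 4 using the qualitative levels derived from p and the monetary loss."""
    return RISK_MATRIX[damage_level(loss) - 1][probability_level(p) - 1]


@dataclass(frozen=True)
class Measure:
    name: str
    cost: float      # implementation cost
    new_p: float     # attack probability after the measure is applied
    new_loss: float  # expected monetary loss after the measure is applied


def select_measure(p: float, loss: float, asset_value: float, acceptable: str,
                   candidates: List[Measure]) -> Optional[Measure]:
    """Cheapest measure that brings the risk down to `acceptable` (or lower) while its cost
    does not exceed the value of the protected resources; None means no candidate qualifies."""
    viable = [m for m in candidates
              if m.cost <= asset_value
              and RISK_ORDER[risk_level(m.new_p, m.new_loss)] <= RISK_ORDER[acceptable]]
    return min(viable, key=lambda m: m.cost) if viable else None


if __name__ == "__main__":
    # Constructed scenario: public web server, 80% attack probability, 250k expected loss.
    print(risk_level(0.8, 250_000))  # high (probability level 5, damage level 4)
    options = [
        Measure("firewall at the Internet boundary", 20_000, 0.1, 250_000),  # reduces probability
        Measure("disconnect segment from the Internet", 5_000, 0.0, 250_000),  # avoids the path
        Measure("insure the servers", 50_000, 0.8, 5_000),                   # changes risk nature
    ]
    print(select_measure(0.8, 250_000, 300_000, "average", options))
```

With "great" damage no probability reduction alone reaches "low" risk in Table 4, so asking for an acceptable level of "low" returns None: the residual risk must either be accepted or the damage itself reduced.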

At the end of the audit procedure, its results are drawn up in the form of a reporting document, which is provided to the Customer. In general, this document consists of the following main sections:

  • a description of the boundaries within which the security audit was carried out;
  • description of the structure of the Customer's AS;
  • methods and tools that were used in the audit process;
  • a description of the identified vulnerabilities and deficiencies, including their level of risk;
  • recommendations for improving the integrated information security system;
  • proposals for a plan for the implementation of priority measures aimed at minimizing the identified risks.

7. Conclusion

Information security audit is today one of the most effective tools for obtaining an independent and objective assessment of the current level of enterprise security against information security threats. In addition, the audit results are the basis for the formation of a strategy for the development of an organization's information security system.

However, it should be understood that a security audit is not a one-off procedure, but should be carried out on a regular basis. Only in this case the audit will bring real benefits and help to increase the level of information security of the company.


Today everyone knows the almost sacred phrase that whoever owns information owns the world. That is why nowadays everyone is trying to steal it. In response, unprecedented steps are being taken to protect against possible attacks. Sometimes, however, it becomes necessary to audit the enterprise. What that is and why it is needed is what we will now try to work out.

What is an information security audit in general terms?

Now we will not touch on abstruse scientific terms, but we will try to define for ourselves the basic concepts, describing them in the simplest language (popularly this could be called an audit for "dummies").

The name of this set of activities speaks for itself. An information security audit is an independent check of, and assurance of, the security of the information system (IS) of an enterprise, institution or organization, based on specially developed criteria and indicators.

In simple terms, an audit of a bank's information security, for example, boils down to assessing the level of protection of customer databases, banking operations, the safety of electronic funds, the safety of bank secrets, and so on, in its electronic and computer facilities.

Surely, among the readers there will be at least one person who was called at home or on a mobile phone with a proposal for a loan or a deposit, and from a bank with which he is not connected in any way. The same applies to the offers of purchases from some stores. Where did your number come from?

It's simple. If a person previously took out a loan or put money into a deposit account, his data was of course saved in a single database. When a call comes from another bank or store, only one conclusion can be drawn: information about him illegally ended up in third hands. How? In general, two options can be distinguished: it was either stolen or deliberately passed to third parties by bank employees. To prevent such things from happening, the bank's information security must be audited in time, and this applies not only to computer or "hardware" means of protection, but to the entire personnel of the banking institution.

The main directions of information security audit

As for the scope of such an audit, several areas are usually distinguished:

  • full check of objects involved in informatization processes (computer automated systems, means of communication, reception, transmission and processing of information data, technical means, premises for holding confidential meetings, surveillance systems, etc.);
  • verification of the reliability of protection of confidential information with limited access (identification of possible leakage channels and potential holes in the security system, allowing access to it from the outside using standard and non-standard methods);
  • checking all electronic technical means and local computer systems for exposure to electromagnetic radiation and interference, allowing them to be turned off or rendered unusable;
  • the design part, which includes work on the creation of a security concept and its application in practical implementation (protection of computer systems, premises, communication facilities, etc.).

When does the need arise for an audit?

Apart from critical situations, when protection has already been violated, an audit of information security in an organization can be carried out in some other cases.

As a rule, this includes expansion of the company, mergers, acquisitions of or by other enterprises, a change in the business or management concept, changes in international legislation or in the legal acts of a particular country, and fairly serious changes in the information infrastructure.

Audit types

Today, the very classification of this type of audit, according to many analysts and experts, is not well-established. Therefore, the division into classes in some cases can be very conditional. Nevertheless, in the general case, information security audit can be divided into external and internal.

An external audit conducted by authorized independent experts is usually a one-time audit that can be initiated by the company's management, shareholders, law enforcement agencies, etc. It is believed that an external information security audit is recommended (rather than required) to be carried out regularly over a specified period of time. But for some organizations and enterprises, according to the law, it is mandatory (for example, financial institutions and organizations, joint stock companies, etc.).

An internal information security audit is an ongoing process. It is based on a dedicated "Regulation on Internal Audit". What is that? In effect, these are attestation activities carried out within the organization, on a schedule approved by management. The audit is carried out by dedicated structural divisions of the enterprise.

Alternative classification of audit types

In addition to the above-described division into classes in the general case, there are several more components adopted in the international classification:

  • expert verification of the state of security of information and information systems based on the personal experience of experts conducting it;
  • certification of systems and security measures for compliance with international standards (ISO 17799) and state legal documents regulating this area of ​​activity;
  • security analysis of information systems using technical means aimed at identifying potential vulnerabilities in the software and hardware complex.

Sometimes a so-called comprehensive audit is applied, which includes all of the above types. Incidentally, it is this type that gives the most objective results.

Setting goals and objectives

Any check, whether internal or external, begins with setting goals and objectives. To put it simply, you need to determine why, what and how will be checked. This will predetermine the further methodology for carrying out the entire process.

Depending on the specifics of the structure of the enterprise, organization or institution and its activities, the tasks set can be numerous. Among all of them, however, there are unified objectives of an information security audit:

  • assessment of the state of security of information and information systems;
  • analysis of possible risks associated with the threat of penetration into the IS from the outside, and possible methods of implementation of such an intervention;
  • localization of gaps and holes in the security system;
  • analysis of the compliance of the security level of information systems with applicable standards and regulatory legal acts;
  • development and issue of recommendations suggesting elimination of existing problems, as well as improvement of existing protection means and introduction of new developments.

Methodology and means of conducting an audit

Now a few words about how the check proceeds and what stages and means it includes.

Information security audit consists of several main stages:

  • initiation of the verification procedure (clear definition of the rights and responsibilities of the auditor, preparation of the audit plan by the auditor and its agreement with the management, resolution of the issue of the scope of the study, imposing an obligation on the organization's employees to help and provide the necessary information in a timely manner);
  • collection of initial data (structure of the security system, distribution of security means, levels of functioning of the security system, analysis of methods for obtaining and providing information, determination of communication channels and interaction of IS with other structures, hierarchy of computer network users, definition of protocols, etc.);
  • carrying out a comprehensive or partial check;
  • analysis of the data obtained (analysis of risks of any type and compliance with standards);
  • issuing recommendations for eliminating possible problems;
  • creation of reporting documentation.

The first stage is the simplest, since decisions at this stage are made exclusively between the enterprise's management and the auditor. The scope of the analysis may be reviewed at a general meeting of employees or shareholders. All of this belongs more to the legal field.

The second stage, collecting baseline data, is the most resource-intensive, whether it is an internal information security audit or an external independent attestation. This is because at this stage it is necessary not only to study the technical documentation covering the entire software and hardware complex, but also to conduct narrowly focused interviews with company employees, in most cases with the filling in of special questionnaires or survey forms.

As for technical documentation, it is important to obtain data on the structure of the IS and the priority levels of employees' access rights to it, to determine the system-wide and application software (operating systems in use, applications for doing business, managing it and accounting), and the installed means of protection, both software and non-software (antiviruses, firewalls, etc.). In addition, this includes a complete check of the networks and the providers that supply communication services (network organization, connection protocols in use, types of communication channels, methods of transmitting and receiving information flows, and much more). As is already clear, this takes a lot of time.

At the next stage, the methods of the information security audit are determined. Three are distinguished:

  • risk analysis (the most complex technique based on the auditor's determination of the possibility of penetrating into the IS and violating its integrity using all possible methods and means);
  • assessment of compliance with standards and legislative acts (the simplest and most practical method based on comparing the current state of affairs and requirements of international standards and domestic documents in the field of information security);
  • a combined method combining the first two.

After the check results are obtained, their analysis begins. The information security audit tools used for analysis can be quite diverse; it all depends on the specifics of the enterprise, the type of information, the software used, the security tools, etc. However, as the first method shows, the auditor will mainly have to rely on his own experience.

And this only means that he must have the appropriate qualifications in the field of information technology and data protection. Based on this analysis, the auditor calculates the possible risks.

Note that he must understand not only operating systems or programs used, for example, for business or accounting, but also clearly understand how an attacker can enter an information system in order to steal, damage and destroy data, create prerequisites for violations in the work of computers, the spread of viruses or malware.

Based on the analysis carried out, the expert makes a conclusion about the state of protection and issues recommendations for eliminating existing or potential problems, upgrading the security system, etc. At the same time, recommendations should be not only objective, but also clearly tied to the realities of the specifics of the enterprise. In other words, advice on upgrading the configuration of computers or software is not accepted. Equally, this applies to advice on the dismissal of "unreliable" employees, the installation of new tracking systems without specifying their purpose, location and feasibility.

Based on the analysis carried out, several groups of risks are usually distinguished. Two main indicators are used to compile the summary report: the likelihood of an attack and the damage caused to the company as a result (loss of assets, loss of reputation, loss of image, etc.). These two indicators are read in opposite directions: for the probability of an attack, a low value is best; for damage, the opposite is true.

Only after that a report is drawn up, in which all the stages, methods and means of the research carried out are described in detail. It is agreed with the management and signed by two parties - the enterprise and the auditor. If the audit is internal, the head of the relevant structural unit draws up such a report, after which it, again, is signed by the head.

Information security audit: an example

Finally, consider the simplest example of a situation that has already happened. By the way, it may seem very familiar to many.

For example, a certain employee of a purchasing company in the United States installed the ICQ messenger on his computer (the name of the employee and the name of the company are not named for obvious reasons). The negotiations were carried out precisely through this program. But ICQ is quite vulnerable in terms of security. The employee himself, when registering the number, at that time either did not have an e-mail address, or simply did not want to give it. Instead, he indicated something similar to an e-mail, even with a non-existent domain.

What would an attacker do? As the information security audit showed, he would register exactly the same domain and create another registration endpoint in it, after which he could send a message to Mirabilis, the company that owns the ICQ service, asking to recover the password on the grounds that it was lost (which would have been done). Since the recipient's server was not a mail server, a redirect was enabled on it, forwarding to the attacker's existing mailbox.

As a result, he gets access to the correspondence with the specified ICQ number and informs the supplier about the change in the address of the recipient of the goods in a certain country. Thus, the cargo is sent to an unknown destination. And this is the most harmless example. So, petty hooliganism. And what about more serious hackers who are capable of much more ...

Conclusion

That, in a nutshell, is everything related to the audit of IS security. Of course, not all of its aspects have been touched upon here. The reason is simply that many factors affect the setting of tasks and the methods of carrying them out, so the approach in each case is strictly individual. In addition, the methods and means of an information security audit may differ for different IS. Nevertheless, the general principles of such checks should now be clear to many, at least at an introductory level.
