Determination of the information security policy of the enterprise. Lecture

The TSF software outside the kernel consists of trusted applications that are used to implement security features. Note that shared libraries, including PAM modules in some cases, are used by trusted applications; however, there is no case in which a shared library itself is treated as a trusted object. Trusted commands can be grouped as follows.

  • System initialization
  • Identification and authentication
  • Network Applications
  • batch processing
  • System management
  • User level audit
  • Cryptographic support
  • Virtual machine support

The execution components of the kernel can be divided into three parts: the main kernel, kernel threads, and kernel modules, depending on how they will be executed.

  • The main kernel includes code that is executed to provide a service, such as servicing a user system call or handling an exception or interrupt. Most compiled kernel code falls into this category.
  • Kernel threads. To perform certain routine tasks, such as flushing disk caches or freeing memory by swapping out unused page frames, the kernel creates internal processes, or threads. Threads are scheduled just like regular processes, but they have no context in non-privileged mode. Kernel threads execute specific kernel C functions. They reside in kernel space and run only in privileged mode.
  • Kernel modules and device drivers. A kernel module is a piece of code that can be loaded into and unloaded from the kernel as needed. Modules extend the functionality of the kernel without the need to reboot the system. Once loaded, the module's object code can access other kernel code and data in the same way as statically linked kernel object code.
    A device driver is a special type of kernel module that allows the kernel to access hardware connected to the system, such as hard drives, monitors, or network interfaces. The driver interacts with the rest of the kernel through a specific interface that allows the kernel to handle all devices in a generic way, regardless of their underlying implementation.

The kernel consists of logical subsystems that provide various functionality. Even though the kernel is the only executable program, the various services it provides can be separated and combined into different logical components. These components interact to provide specific functionality. The kernel consists of the following logical subsystems:

  • File subsystem and I/O subsystem: This subsystem implements functions related to file system objects. Implemented functions include those that allow a process to create, maintain, interact with, and delete file system objects. These objects include regular files, directories, symbolic links, hard links, device-specific files, named pipes, and sockets.
  • Process Subsystem: This subsystem implements functions related to process control and thread control. The implemented functions allow creating, scheduling, executing, and deleting processes and thread subjects.
  • Memory Subsystem: This subsystem implements functions related to managing system memory resources. The implemented functions include those that create and manage virtual memory, including the management of pagination algorithms and page tables.
  • Network subsystem: This subsystem implements UNIX and Internet domain sockets, as well as the algorithms used to schedule network packets.
  • IPC Subsystem: This subsystem implements functions related to IPC mechanisms. Implemented features include those that facilitate the controlled exchange of information between processes by allowing them to share data and synchronize their execution when interacting with a shared resource.
  • Kernel Module Subsystem: This subsystem implements the infrastructure to support loadable modules. Implemented functions include loading, initializing, and unloading kernel modules.
  • Linux security extensions: The Linux security extensions implement various aspects of security that are provided throughout the kernel, including the Linux Security Module (LSM) framework. The LSM framework serves as the basis for modules that implement various security policies, including SELinux. SELinux is an important logical subsystem: it implements mandatory access control functions that mediate access between all subjects and objects.
  • Device driver subsystem: This subsystem implements support for various hardware and software devices through a common, device-independent interface.
  • Audit Subsystem: This subsystem implements functions related to recording security-critical events in the system. Implemented functions include those that intercept each system call to record security-critical events and those that collect and record audit data.
  • KVM Subsystem: This subsystem implements virtual machine life-cycle maintenance. It performs instruction completion for instructions that require only minor checks. For any other instruction completion, KVM invokes the user-space component, QEMU.
  • Crypto API: This subsystem provides a kernel-internal cryptographic library for all kernel components. It provides cryptographic primitives for callers.

The kernel is the main part of the operating system. It interacts directly with the hardware, implements resource sharing, provides shared services for applications, and prevents applications from directly accessing hardware-dependent functions. The services provided by the kernel include:

1. Management of the execution of processes, including their creation, termination or suspension, and interprocess data exchange. This includes:
  • Fair scheduling of processes to run on the CPU.
  • Separation of processes on the CPU using time-sharing mode.
  • Process execution on the CPU.
  • Suspending a process after its time quantum has elapsed.
  • Allocation of kernel time to execute another process.
  • Rescheduling kernel time to execute a suspended process.
  • Management of process security metadata such as UIDs, GIDs, SELinux labels and capabilities.
2. Allocation of RAM for the executing process. This includes:
  • The kernel permits processes to share a portion of their address space under certain conditions; at the same time, the kernel protects each process's own address space from outside interference.
  • If the system runs low on free memory, the kernel frees memory by temporarily writing process memory out to secondary storage or the swap partition.
  • Coordinated interaction with the machine's hardware to establish a mapping of virtual addresses to physical addresses, i.e. between compiler-generated addresses and physical addresses.
3. Maintenance of the life cycle of virtual machines, which includes:
  • Setting limits on the resources configured by the emulation application for the virtual machine.
  • Starting execution of the virtual machine's program code.
  • Handling virtual machine exits, either by completing the instruction in the kernel or by deferring instruction completion to the user-space emulator.
4. Maintenance of the file system. This includes:
  • Allocation of secondary storage for efficient storage and retrieval of user data.
  • Allocation of external storage for user files.
  • Reclaiming unused storage space.
  • Organization of the file system structure (using clear structuring principles).
  • Protection of user files from unauthorized access.
  • Controlled access of processes to peripheral devices, such as terminals, tape drives, disk drives and network devices.
  • Mediation of access between subjects and objects, providing controlled access based on the DAC policy and any other policy implemented by the loaded LSM.
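To make the last item concrete, here is an added example that is not part of the lecture: a user-space model, in Python, of the discretionary access control (DAC) decision the file subsystem makes for a process, using the process security metadata listed above (UID, group IDs and a set of capability names). The Subject and FsObject types, the sample users and files, and the way capabilities are modelled are assumptions of this example; CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are real Linux capability names, and the rules below follow the kernel's generic permission check as the author of this example understands it.

```python
from dataclasses import dataclass

# Permission bits as they appear in each rwx triad of a mode.
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Subject:
    """Process security metadata consulted for DAC (assumed model)."""
    uid: int
    gids: frozenset                  # effective GID plus supplementary groups
    caps: frozenset = frozenset()    # e.g. {"CAP_DAC_OVERRIDE"}


@dataclass(frozen=True)
class FsObject:
    """Owner, group and the nine mode bits of a file system object (assumed model)."""
    owner: int
    group: int
    mode: int                        # e.g. 0o640
    is_dir: bool = False


def class_bits(subj: Subject, obj: FsObject) -> int:
    """Pick the single rwx triad that applies. The classes are exclusive:
    an owner is judged only by the owner bits, even when the group or
    'other' bits would grant more."""
    if subj.uid == obj.owner:
        return (obj.mode >> 6) & 7
    if obj.group in subj.gids:
        return (obj.mode >> 3) & 7
    return obj.mode & 7


def dac_allows(subj: Subject, obj: FsObject, want: int) -> bool:
    """True if `subj` may perform `want` (any combination of R, W, X) on `obj`."""
    if (class_bits(subj, obj) & want) == want:
        return True
    # The mode bits denied the request; capabilities may override that decision.
    if "CAP_DAC_OVERRIDE" in subj.caps:
        # Execute on a regular file is only overridable if some x bit is set.
        if (want & X) and not obj.is_dir and not (obj.mode & 0o111):
            return False
        return True
    if "CAP_DAC_READ_SEARCH" in subj.caps:
        # Overrides read on everything and search (x) on directories only.
        allowed = R | (X if obj.is_dir else 0)
        return (want & ~allowed) == 0
    return False


def demo() -> dict:
    """Constructed subjects and objects exercising the edge cases."""
    report = FsObject(owner=1000, group=100, mode=0o460)   # owner r--, group rw-, other ---
    home = FsObject(owner=1000, group=1000, mode=0o700, is_dir=True)
    owner = Subject(uid=1000, gids=frozenset({1000, 100}))
    colleague = Subject(uid=1001, gids=frozenset({100}))
    stranger = Subject(uid=2000, gids=frozenset({2000}))
    backup = Subject(uid=2000, gids=frozenset({2000}), caps=frozenset({"CAP_DAC_READ_SEARCH"}))
    root = Subject(uid=0, gids=frozenset({0}), caps=frozenset({"CAP_DAC_OVERRIDE"}))
    return {
        "owner_write": dac_allows(owner, report, W),          # False: owner bits are exclusive
        "colleague_write": dac_allows(colleague, report, W),  # True: group bits apply
        "stranger_read": dac_allows(stranger, report, R),     # False: no 'other' bits
        "root_write": dac_allows(root, report, W),            # True: CAP_DAC_OVERRIDE
        "root_exec": dac_allows(root, report, X),             # False: no x bit anywhere
        "backup_search": dac_allows(backup, home, X),         # True: search on a directory
        "backup_write": dac_allows(backup, home, W),          # False: read/search only
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:16} {'allow' if result else 'deny'}")
```

The first case is the one most often misread in policy reviews: the owner of a file is judged only by the owner triad, so a mode of 0o460 denies the owner write access even though members of the file's group may write. In the kernel this DAC decision runs first; the LSM hooks mentioned above (SELinux among them) are consulted afterwards and can only restrict further, never grant what DAC denied.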
The Linux kernel is a type of OS kernel that implements preemptive scheduling. In kernels without this capability, execution of kernel code continues until completion, i.e. the scheduler cannot reschedule a task while it is executing in the kernel. Kernel code is instead scheduled cooperatively, without preemption, and runs until it terminates and returns to user space or until it explicitly blocks. In a preemptive kernel, a task can be preempted at any point, as long as the kernel is in a state in which it is safe to reschedule.

Regardless of the size of the organization and the specifics of its information system, work to ensure the IS regime usually consists of the following steps (Figure 1):

– defining the scope (boundaries) of the information security management system and specifying the goals of its creation;

– risk assessment;

– selection of countermeasures that ensure the IS regime;

– risk management;

– audit of the information security management system;

– development of a security policy.


Stage 3. Structuring countermeasures to protect information at the following main levels: administrative, procedural, software and hardware.

Stage 4. Establishing the procedure for certification and accreditation of the CIS for compliance with IS standards. Setting the frequency of management-level meetings on IS topics, including the periodic review of the provisions of the IS policy, as well as the procedure for training all categories of users of the information system in the field of IS. The development of an organization's security policy is known to be the least formalized stage; nevertheless, in recent years this is where the efforts of many information security specialists have been concentrated.

Stage 5. Determining the scope (boundaries) of the information security management system and specifying the goals of its creation. At this stage, the boundaries of the system for which the IS regime must be provided are determined, and the information security management system is built within these boundaries. It is recommended that the system boundaries be described according to the following plan:

– the structure of the organization: a presentation of the existing structure and of the changes expected in connection with the development (modernization) of the automated system;

– information system resources to be protected. It is advisable to consider the resources of an automated system in the following classes: computer hardware (CVT), data, system and application software. All resources are of value to the organization. To evaluate them, a system of criteria and a methodology for obtaining results according to these criteria should be selected;

– development of principles for classifying the company's information assets and evaluating their security;

– assessment of information risks and their management;

– training the company's employees in methods of ensuring information security, conducting briefings and monitoring the knowledge and practical skills of the company's employees in implementing the security policy;

– advising company managers on information risk management;

– harmonization of private security policies and regulations among company divisions;

– control over the work of the company's quality and automation services, with the right to check and approve internal reports and documents;

– interaction with the company's personnel service to verify the personal data of employees when hiring;

– organization of measures to eliminate emergencies or incidents in the field of information security if they occur;

The integrity of information is the existence of information in an undistorted form (unchanged relative to some fixed state). Usually, subjects are interested in a broader property, the reliability of information, which consists of adequacy (completeness and accuracy of the representation of the state of the subject area) and the integrity of the information itself, i.e. its non-distortion.

A distinction is made between static and dynamic integrity. To violate static integrity, an attacker can enter incorrect data or change existing data; sometimes the meaningful data is changed, sometimes the service information. Threats to dynamic integrity are violation of the atomicity of transactions, reordering, theft or duplication of data, or the introduction of additional messages (network packets, etc.). In a network environment the corresponding actions are called active listening.

A threat to integrity is not only the falsification or modification of data, but also the denial of actions performed. If there are no means to ensure "non-repudiation", computer data cannot be regarded as evidence. Not only data but also programs are potentially vulnerable from the point of view of integrity violations; the introduction of malware is an example of such a breach.

A real and very dangerous threat is the introduction of rootkits (a set of files installed in the system in order to change its standard functionality in a malicious and covert way), bots (a program that automatically performs a certain task; a group of computers on which bots of the same type operate is called a botnet), backdoors (malicious software that listens for commands on certain TCP or UDP ports) and spyware (malicious software aimed at compromising confidential user data). For example, the Back Orifice and NetBus "Trojans" allow an attacker to gain control over user systems running various versions of MS Windows.
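The dynamic-integrity threats named above (modification, duplication, reordering, injection of extra messages) and the non-repudiation point can be illustrated from the defender's side with a receiver that checks every message before accepting it. The following is an added example in Python and is not part of the lecture: the wire format (JSON body, a dot, an HMAC-SHA256 tag), the shared key and the sample traffic are all constructed for it.

```python
import hashlib
import hmac
import json


def make_message(key: bytes, seq: int, payload: dict) -> bytes:
    """Sender side: serialize the sequence number and payload, then append
    an HMAC-SHA256 tag over the serialized body (constructed wire format)."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


class Receiver:
    """Accepts a message only if its tag verifies and its sequence number is
    exactly the next one expected; everything else is rejected with a reason."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0
        self.accepted = []        # payloads that passed every check
        self.rejected = []        # (reason, raw message), kept for the audit trail

    def receive(self, raw: bytes) -> str:
        body, sep, tag = raw.rpartition(b".")     # the tag is hex, so it holds no '.'
        if not sep:
            return self._reject("malformed", raw)
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return self._reject("bad_mac", raw)      # modified or injected message
        msg = json.loads(body)
        if msg["seq"] < self.expected_seq:
            return self._reject("replay", raw)       # duplicate of an accepted message
        if msg["seq"] > self.expected_seq:
            return self._reject("out_of_order", raw) # gap: reordering or a lost/stolen message
        self.expected_seq += 1
        self.accepted.append(msg["payload"])
        return "ok"

    def _reject(self, reason: str, raw: bytes) -> str:
        self.rejected.append((reason, raw))
        return reason


def demo() -> list:
    """Run a constructed traffic sample through one receiver."""
    key = b"constructed-shared-key"               # shared secret for this example only
    msgs = [make_message(key, i, {"amount": 10 * (i + 1), "op": "transfer"})
            for i in range(3)]
    rx = Receiver(key)
    results = [rx.receive(msgs[0])]              # genuine message 0
    results.append(rx.receive(msgs[0]))          # duplication: message 0 re-sent
    results.append(rx.receive(msgs[2]))          # reordering: 2 arrives before 1
    results.append(rx.receive(msgs[1]))          # genuine message 1
    tampered = msgs[2].replace(b'"amount": 30', b'"amount": 3000')
    results.append(rx.receive(tampered))         # modification without a valid tag
    results.append(rx.receive(msgs[2]))          # genuine message 2
    return results


if __name__ == "__main__":
    print(demo())   # ['ok', 'replay', 'out_of_order', 'ok', 'bad_mac', 'ok']
```

Two design points matter here. A strict next-sequence-number check is the simplest way to catch both duplication and reordering, at the price of dropping messages that arrive early; a production protocol would buffer within a window instead. And an HMAC under a shared key gives integrity but not the non-repudiation the text mentions: either party could have computed the tag, so as evidence it proves nothing about who sent the message. That evidentiary property needs a digital signature under a key only the sender holds.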

Confidentiality threat

The threat of a breach of confidentiality lies in the fact that information becomes known to someone who does not have the authority to access it. Sometimes, in connection with the threat of confidentiality, the term "leakage" is used.

Confidentiality of information is a subjectively determined (attributed) characteristic (property) of information, indicating the need to restrict the circle of subjects with access to this information, and provided by the ability of the system (environment) to keep this information secret from subjects who do not have the authority to access it. The objective prerequisite for restricting the availability of information to some subjects is the need to protect the legitimate interests of other subjects of information relations.

Confidential information can be divided into subject-area information and service information. Service information (for example, user passwords) does not belong to a specific subject area; it plays a technical role in the information system, but its disclosure is especially dangerous, since it can lead to unauthorized access to all information, including subject-area information. A dangerous non-technical threat to confidentiality is methods of moral and psychological influence, such as "masquerade", performing actions under the guise of a person with authority to access data. Abuse of authority is one of the most unpleasant threats and is difficult to defend against. On many types of systems, a privileged user (for example, a system administrator) is able to read any (unencrypted) file and access the mail of any user.

Currently the most common are the so-called "phishing" attacks. Phishing (from "fishing") is a type of Internet fraud whose purpose is to gain access to confidential user data, namely logins and passwords. This is achieved by mass mailings of e-mails on behalf of popular brands, as well as personal messages within various services, for example on behalf of banks, services (Rambler, Mail.ru) or within social networks (Facebook, Vkontakte, Odnoklassniki.ru). The targets of phishers today are customers of banks and electronic payment systems. For example, in the United States, masquerading as the Internal Revenue Service, phishers collected significant taxpayer data in 2009.

Objective: To ensure that information security is managed and supported by management in accordance with business requirements, as well as the current legal and regulatory framework. Management must set a clear strategic direction and demonstrate support and commitment to information security by publishing and maintaining an information security policy throughout the organization.

The information security policy is the most important document in the information security management system (ISMS) of an organization, acting as one of the key security mechanisms.

According to ISO 17799, a documented information security policy should state the commitment of management and establish an approach to managing information security, define the concept of information security, its main objectives and scope, and contain the main provisions for determining the goals and control mechanisms, including the risk assessment and management framework, and so on.

According to ISO 27001, the information security policy is a subset of a more general document - the ISMS policy, which includes the main provisions for determining the goals of the ISMS and establishes the general direction and principles of activity in relation to information security, taking into account business requirements, legislative or regulatory framework, contractual obligations, establishing criteria for risk assessment, etc.

The information security policy and the organization's ISMS policy can be described in the same document. Developing such a document is a difficult and highly responsible task. On the one hand, the information security policy should be sufficiently concise and understandable for all employees of the organization. On the other hand, the entire system of information security measures is built on this document, so it must be sufficiently complete and comprehensive. Any omissions or ambiguities can seriously affect the functioning of the organization's ISMS. The information security policy must fully comply with the requirements of the international standards ISO 27001/17799; this is a prerequisite for successful certification.

BS ISO/IEC 27001:2005 4.2.1 b) ISMS policy:

Define an ISMS policy in terms of business characteristics, organization, location, resources and technology that:

    includes a framework for defining its objectives and establishes the general direction and principles of activity in relation to information security;

    takes into account business requirements and the requirements of the legislative or regulatory framework, as well as contractual obligations in the field of security;

    integrates with the strategic context of risk management in the organization in which the creation and maintenance of the ISMS will take place;

    establishes criteria for assessing risks (see 4.2.1 c)); and

    approved by management.

NOTE: In this International Standard, the ISMS policy is considered as a superset of the information security policy. These policies can be described in one document.

BS ISO/IEC 17799:2005 5.1.1 Documented information security policy:

Control mechanism

A documented information security policy should be approved by management, published and communicated to all employees of the organization and external parties to which it applies.

Implementation Guide

A documented information security policy should state the commitment of management and set out the approach to managing information security in the organization. The documented policy should contain the following statements:

    definition of the concept of information security, its main goals, scope and importance of security as a mechanism that makes it possible to share information (see Introduction);

    a statement of management's intent to support the achievement of the objectives and compliance with the principles of information security in accordance with the goals and strategy of the business;

    basic provisions for determining the goals and mechanisms of control, including the structure of risk assessment and management;

    a brief explanation of security policies, standards, principles, and requirements of particular relevance to the organization, including:

      compliance with the requirements of legislation, regulatory framework and contracts;

      security awareness, education and training requirements;

      business continuity management;

      consequences of information security policy violations;

    definition of general and individual responsibility for information security management, including notification of security incidents;

    links to documents that may support the policy, such as more detailed security policies and procedures for individual information systems or security rules that users must follow.

This information security policy should be communicated to all users of the organization in a form that is relevant, accessible, and understandable to the intended readers.

Other information

The information security policy should be part of a more general documented policy. If the information security policy extends beyond the boundaries of the organization, measures must be taken to prevent the disclosure of confidential information. See ISO/IEC 13335-1:2004 for more information.

An organization's security policy is understood as the set of documented management decisions aimed at protecting information and its associated resources. The security policy is the means by which activities in the organization's computer information system are governed. In general, security policies are determined by the computing environment in use and reflect the specific needs of the organization.

Typically, a corporate information system is a complex set of heterogeneous, sometimes poorly coordinated hardware and software: computers, operating systems, network tools, DBMS, various applications. All of these components usually have their own protections, which need to be coordinated with each other. An effective security policy is therefore very important as a consistent platform for securing the corporate system. As a computer system grows and integrates into the global network, it must be ensured that there are no weak points in the system, since all efforts to protect information can be negated by a single oversight.

You can build a security policy that defines who has access to specific assets and applications, what roles and responsibilities specific individuals will have, and security procedures that clearly dictate how specific security tasks are to be performed. The individual characteristics of an employee's work may require access to information that should not be available to other employees. For example, an HR manager may have access to any employee's private information, while an accountant may only have access to those employees' financial data. And an ordinary employee will have access only to his own personal information.

The security policy defines the organization's position on the rational use of computers and the network, as well as procedures for preventing and responding to security incidents. In a large enterprise system, a wide range of different policies can apply, from business policies to specific rules for accessing data sets. These policies are entirely determined by the specific needs of the organization.

Basic concepts of security policies

The security policy defines the strategy for managing information security, as well as the amount of attention and amount of resources that management deems appropriate to allocate.

The security policy is based on the analysis of risks that are recognized as real for the organization's information system. When the risk analysis is carried out and the protection strategy is determined, a program is drawn up, the implementation of which should ensure information security. Resources are allocated for this program, responsible persons are appointed, the procedure for monitoring the implementation of the program, etc. is determined.

To become familiar with the basic concepts of security policies, consider as a specific example a hypothetical local area network owned by an organization, together with its security policy.

An organization's security policy should be structured as a concise, easily understood, high-level policy document supported by a set of more specific, specialized security policy and procedure documents.

The high-level security policy should be reviewed periodically to ensure that it addresses the current needs of the organization. This document is written in such a way that the policy is relatively independent of specific technologies. In this case, this policy document will not need to be changed too often.

A security policy is usually drawn up in the form of a document that includes sections such as a description of the problem, scope, position of the organization, distribution of roles and responsibilities, sanctions, etc.

Description of the problem. The information circulating within the local network is critical. A local area network allows users to share programs and data, which increases the security risk. Therefore, each of the computers included in the network needs stronger protection. These enhanced security measures are the subject of this document. The document has the following goals: to demonstrate to the employees of the organization the importance of protecting the network environment, to describe their role in ensuring security, and to allocate specific responsibilities for protecting information circulating on the network.

Scope. The scope of this policy includes all hardware, software and information resources included in the enterprise local network. The policy also applies to people working with the network, including users, subcontractors and suppliers.

Position of the organization. The purpose of the organization is to ensure the integrity, availability and confidentiality of data, as well as their completeness and relevance. More specific goals are:

    ensuring the level of security corresponding to regulatory documents;

    adherence to economic feasibility in choosing protective measures (protection costs should not exceed the expected damage from information security violations);

    ensuring security in each functional area of the local network;

    ensuring accountability for all user actions with information and resources;

    ensuring the analysis of registration information;

    providing users with sufficient information to consciously maintain a security regime;

    development of recovery plans after accidents and other critical situations for all functional areas in order to ensure the continuity of the network;

    ensuring compliance with existing laws and corporate security policy.

Distribution of roles and responsibilities. Relevant officials and network users are responsible for the implementation of the goals formulated above.

Heads of departments are responsible for communicating the provisions of the security policy to users and for contacts with them.

ensure the continuous operation of the network and are responsible for the implementation of the technical measures necessary to enforce the security policy.

Service Administrators are responsible for specific services and, in particular, for ensuring that protection is built in accordance with the overall security policy.

Users are obliged to work with the local network in accordance with the security policy, obey the orders of persons responsible for certain aspects of security, notify management of all suspicious situations.

More details on the roles and responsibilities of officials and network users are provided below.

Sanctions. Violation of the security policy can expose the local network and the information circulating in it to an unacceptable risk. Incidents of security breaches by personnel must be promptly reviewed by management for disciplinary action, up to and including termination.

Additional Information. Specific groups of performers may need to review some additional documents, in particular documents of specialized security policies and procedures, as well as other guidelines. The need for additional security policy documents largely depends on the size and complexity of the organization. A sufficiently large organization may require specialized security policies in addition to the basic policy. Smaller organizations only need a subset of specialized policies. Many of these support documents can be quite short, one or two pages in length.

From a practical point of view, security policies can be divided into three levels: top, middle, and bottom.

Top-level security policy defines decisions that affect the organization as a whole. These decisions are very general in nature and, as a rule, come from the management of the organization.

Such solutions may include the following elements:

    formulation of the goals pursued by the organization in the field of information security, determination of general directions in achieving these goals;

    formation or revision of a comprehensive information security program, identification of persons responsible for promoting the program;

    providing a material base for compliance with laws and regulations;

    formulation of management decisions on the implementation of the security program, which should be considered at the level of the organization as a whole.

Top-level security policy articulates the organization's information security objectives in terms of integrity, availability and confidentiality. If an organization is responsible for maintaining mission-critical databases, the first priority should be data integrity. For a sales organization, the relevance of information about the services provided and their prices is important, as well as its availability to the maximum number of potential buyers. A high-security ("regime") organization will primarily take care of the confidentiality of information, that is, its protection from unauthorized access.

At the top level, the management of security resources and the coordination of their use are also carried out, as is the allocation of dedicated personnel to protect critical systems and the maintenance of contacts with other organizations that provide or supervise the security regime.

Top level policy must clearly define its sphere of influence. This could be all of the organization's computer systems, or even more if the policy governs some aspects of how employees use their home computers. It is also possible that only the most important systems are included in the sphere of influence.

The policy should define the responsibilities of officials in developing the security program and in implementing it; that is, the policy can serve as the basis for the accountability of personnel.

Top-level policy deals with three aspects of legal compliance and performance discipline. First, the organization must comply with existing laws. Second, the actions of those responsible for developing the security program should be monitored. Third, the performance discipline of personnel must be ensured through a system of rewards and penalties.

Middle-level security policy addresses issues that relate to particular aspects of information security but are important for the various systems operated by the organization.

Examples of such issues are the attitude to Internet access (the problem of reconciling freedom of information with protection from external threats), the use of home computers, etc.

The mid-level security policy should define the following points for each aspect of information security:

    aspect description – the position of the organization can be formulated in a fairly general way as a set of goals pursued by the organization in this aspect;

    scope – it should be specified where, when, how, to whom and to what this security policy applies;

    roles and responsibilities – the document must contain information about the officials responsible for implementing the security policy;

    sanctions – the policy should contain a general description of prohibited activities and the penalties for them;

    points of contact – it should be known where to go for clarification, help and additional information. Usually the "point of contact" is an official.

The low-level security policy applies to specific services. It covers two aspects, goals and the rules for achieving them, so it is sometimes hard to separate it from implementation issues. Unlike the two upper levels, this policy should be far more detailed.

Here are examples of questions that a low-level security policy should answer:

    who has the right to access the objects supported by the service;

    how remote access to the service is organized.

The low-level security policy may start from considerations of integrity, availability and confidentiality, but it should not stop there. In general, its goals should tie the service's objects to the meaningful actions performed on them.

From the goals, security rules are derived that describe who may do what and under what conditions. The more detailed the rules, and the more clearly and formally they are stated, the easier it is to enforce them by software and hardware measures. Usually the most formal way is to set access rights to objects.
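The following is an added example, not part of the lecture, of how the low-level rules of one service can be written down formally enough for software to enforce them. The service, its objects ("orders", "prices", "accounts"), the roles and the conditions (remote access only through a VPN, account management only during business hours) are assumptions chosen for illustration; the point is the structure: an explicit list of allow rules answering "who may do what, under what conditions", and a deny-by-default check that also answers the remote-access question from the text.

```python
"""Low-level security policy of a hypothetical order service as explicit rules.

Added example (not from the lecture). Roles, objects and conditions are
assumptions for illustration. Every rule is an allow rule; anything not
matched by a rule is denied, which is the usual way to make a policy
enforceable by software.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Request:
    subject: str
    roles: frozenset
    action: str
    obj: str
    remote: bool = False    # request originates outside the local network
    via_vpn: bool = False   # remote request arrives through the corporate VPN
    hour: int = 12          # local hour of day, 0..23


@dataclass(frozen=True)
class Rule:
    name: str
    roles: frozenset
    actions: frozenset
    objects: frozenset
    condition: Optional[Callable[[Request], bool]] = None  # extra "under what conditions"


def business_hours(req: Request) -> bool:
    """Assumed condition: privileged account management only 08:00-20:00."""
    return 8 <= req.hour < 20


# The service's access rights to objects ("who may do what"), as rules.
POLICY = [
    Rule("staff-read-orders", frozenset({"clerk", "manager"}),
         frozenset({"read"}), frozenset({"orders"})),
    Rule("manager-edit-orders-and-prices", frozenset({"manager"}),
         frozenset({"read", "write"}), frozenset({"orders", "prices"})),
    Rule("service-admin-manage-accounts", frozenset({"service_admin"}),
         frozenset({"read", "write", "grant"}), frozenset({"accounts"}),
         business_hours),
]


def authorize(req: Request, rules=POLICY) -> tuple:
    """Return (allowed, reason). Deny by default."""
    # Answer to "how is remote access organized": only via the VPN.
    if req.remote and not req.via_vpn:
        return False, "remote access without VPN"
    for rule in rules:
        if (req.roles & rule.roles
                and req.action in rule.actions
                and req.obj in rule.objects):
            if rule.condition is None or rule.condition(req):
                return True, rule.name
            # Matched subject/action/object but the condition failed:
            # keep looking, another rule may still allow it.
    return False, "no matching rule (default deny)"


def audit_line(req: Request, decision: tuple) -> str:
    """One registration-log line per decision, for the daily analysis
    the text asks service administrators to perform."""
    allowed, reason = decision
    return (f"{'ALLOW' if allowed else 'DENY '} subject={req.subject} "
            f"action={req.action} object={req.obj} remote={req.remote} "
            f"vpn={req.via_vpn} reason={reason}")


if __name__ == "__main__":
    samples = [
        Request("alice", frozenset({"clerk"}), "read", "orders"),
        Request("alice", frozenset({"clerk"}), "write", "orders"),
        Request("bob", frozenset({"manager"}), "write", "prices", remote=True),
        Request("bob", frozenset({"manager"}), "write", "prices", remote=True, via_vpn=True),
        Request("carol", frozenset({"service_admin"}), "grant", "accounts", hour=23),
        Request("carol", frozenset({"service_admin"}), "grant", "accounts", hour=10),
    ]
    for r in samples:
        print(audit_line(r, authorize(r)))
```

Each decision carries the name of the rule that granted it (or the reason for denial), so the audit record can be checked against the written policy rather than against the administrator's memory of it.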

Here is a more detailed description of the responsibilities of each category of personnel.

Heads of departments are responsible for communicating the security policy to users. They are obliged to:

    keep security issues under constant review and ensure that their subordinates do the same;

    conduct risk analysis: identify the assets that require protection and the vulnerabilities of the systems, estimate the possible damage from a security breach and choose effective countermeasures;

    organize security training for staff, paying special attention to anti-virus controls;

    inform local network administrators and service administrators about changes in the status of each of their subordinates (transfer to another job, dismissal, etc.);

    ensure that each computer in their department has an owner or system administrator who is responsible for its security and is qualified for this role.

Local network administrators ensure the continuous operation of the network and are responsible for implementing the technical measures needed to enforce the security policy. They are obliged to:

    protect local network equipment, including interfaces with other networks;

    respond promptly and effectively to events that pose a threat, and inform service administrators about attempted security breaches;

    use proven auditing and intrusion detection tools; analyze daily the audit records relating to the network in general and to file servers in particular;

    not abuse their extensive privileges; users have a right to privacy;

    develop procedures and prepare instructions for protecting the local network from malicious software; assist in detecting and removing malicious code;

    regularly back up the information stored on file servers;

    carry out all changes to the network hardware and software configuration;

    ensure that identification and authentication is mandatory for access to network resources; issue login names and initial passwords only after users have completed registration forms;

    periodically check the reliability of the local network's protection; prevent unauthorized users from gaining privileges.

Service administrators are responsible for specific services and, in particular, for ensuring that their protection is built in accordance with the overall security policy. They are obliged to:

    manage user access rights to the objects they serve;

    respond promptly and effectively to events that pose a threat; assist in repelling the threat, identifying violators and providing the information needed for disciplinary action;

    regularly back up the information processed by the service;

    issue login names and initial passwords only after users have completed registration forms;

    analyze daily the audit records relating to the service; regularly check the service for malicious software;

    periodically check the reliability of the service's protection; prevent unauthorized users from gaining privileges.

Users are obliged to work with the local network in accordance with the security policy, to follow the instructions of those responsible for particular aspects of security, and to notify management of all suspicious situations. Specifically, they are obliged to:

    know and comply with the laws, the rules adopted in the organization, the security policy and security procedures; use the available security mechanisms to ensure the confidentiality and integrity of their information;

    use the file protection mechanism and set access rights properly;

    choose good passwords and change them regularly; not write passwords down on paper or disclose them to other persons;

    inform administrators or management about security breaches and other suspicious situations;

    not exploit weaknesses in the protection of services or of the local network as a whole; not perform unauthorized operations on data or interfere with other users;

    always supply correct identification and authentication information; never attempt to work under another user's identity;

    back up the information stored on the hard drive of their own computer;

    know how malicious software works and how it penetrates and spreads; know and follow the procedures for preventing, detecting and removing malicious code;

    know and follow the rules of conduct in emergencies and the sequence of actions for recovering after an incident.

Management measures to ensure information security. The main goal of measures taken at the management level is to form an information security work program and to ensure its implementation by allocating the necessary resources and regularly monitoring the state of affairs. The basis of this program is a multi-level security policy that reflects the organization's comprehensive approach to protecting its resources and information assets.

An information security policy is a set of laws, measures, rules, requirements, restrictions, instructions, regulations, recommendations and the like that govern how information is processed and that aim to protect it from particular types of threats.

The information security policy is the fundamental document for the entire information security cycle in a company. Top management should therefore have an interest in all company personnel knowing and strictly observing its main points. All employees of the departments responsible for the company's information security regime must acknowledge the policy by signature, since they will be responsible for verifying that company personnel comply with the policy's requirements and know its main points in the part that concerns them. The procedure for such checks, the responsibilities of the officials carrying them out, and a schedule of checks should also be defined.

An information security policy can be developed for a single component of an information system or for the information system as a whole. It should take into account the following features of the information system: the information processing technology, the computing environment, the physical environment, the user environment, the access control rules, and so on.

The information security policy should provide for the combined use of legal, moral and ethical standards, organizational and technical measures, software, hardware and combined hardware-software means of ensuring information security, and should define the rules and procedures for their use. It should be based on the following principles: continuity of protection, sufficiency of the protective measures and means, their proportionality to the likelihood of threats, cost-effectiveness, flexibility of structure, ease of management and use, and so on.

A security policy is a set of preventive measures to protect confidential data and information processes in an enterprise. It includes requirements for personnel, managers and technical services. The main directions in developing a security policy are:

  • determining what data needs to be protected and how strongly,
  • determining who can cause damage to the company in the information sphere, and what damage,
  • calculating the risks and determining a scheme for reducing them to an acceptable value.

There are two approaches to assessing the current state of information security in an enterprise, figuratively called "bottom-up research" and "top-down research". The first is quite simple and requires far less investment, but it also has fewer capabilities. It follows the well-known scheme "You are the intruder. What do you do?": starting from data on all known types of attack, the information security service tries to carry them out in practice, to check whether a real attacker could succeed with such an attack.

The "top-down" method is, by contrast, a detailed analysis of the entire existing scheme for storing and processing information. The first step, as always, is to determine which information objects and flows need protection. This is followed by a study of the current state of the information security system, to determine which of the classical information protection methods have already been implemented, to what extent and at what level. In the third stage all information objects are sorted into classes according to their confidentiality and their availability and integrity (immutability) requirements.

Next comes a determination of how serious the damage to the company would be from disclosure of, or another attack on, each specific information object. This step is called "risk calculation". In a first approximation, the risk is the product of the "possible damage from an attack" and the "probability of such an attack".
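As an added example (not from the lecture), the steps of the top-down method from the paragraphs above can be carried through on a small constructed inventory: classify each information object by its confidentiality, integrity and availability requirements, compute the first-approximation risk of each threat as damage times probability, and then select countermeasures, biggest net benefit first, until the residual risk falls to the acceptable value. The assets, threats, probabilities, damages, control costs and reduction factors below are invented for illustration; in a real analysis they come from the inventory and the risk analysis the text describes, and the greedy selection is one simple scheme, not the only one.

```python
"""Top-down risk calculation and countermeasure selection.

Added example, not part of the lecture. All figures are constructed.
Risk of a threat is taken, in first approximation, as damage x probability.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threat:
    name: str
    probability: float   # assumed probability of the attack per year
    damage: float        # assumed loss if the attack succeeds


@dataclass
class Asset:
    name: str
    confidentiality: int   # required protection level, 1 (low) .. 3 (high)
    integrity: int
    availability: int
    threats: list = field(default_factory=list)


@dataclass(frozen=True)
class Control:
    name: str
    cost: float
    asset: str
    threat: str
    reduction: float       # fraction of that threat's risk removed, 0..1


def classify(asset: Asset) -> str:
    """Third stage of the top-down method: class of the object by its
    strictest confidentiality / integrity / availability requirement."""
    level = max(asset.confidentiality, asset.integrity, asset.availability)
    return {1: "public", 2: "internal", 3: "critical"}[level]


def threat_risk(t: Threat) -> float:
    """Risk calculation step: possible damage x probability of the attack."""
    return t.probability * t.damage


def total_risk(assets, applied=()) -> float:
    """Sum of risks over all assets, with chosen controls applied."""
    total = 0.0
    for a in assets:
        for t in a.threats:
            r = threat_risk(t)
            for c in applied:
                if c.asset == a.name and c.threat == t.name:
                    r *= 1.0 - c.reduction
            total += r
    return total


def net_benefit(assets, control: Control) -> float:
    """Risk removed by the control minus its cost (cost-effectiveness).
    Each control targets one threat, so benefits are independent."""
    return total_risk(assets) - total_risk(assets, [control]) - control.cost


def select_controls(assets, controls, acceptable: float):
    """Greedy scheme: apply only cost-effective controls, biggest net benefit
    first, until residual risk is at or below the acceptable value.
    Returns (chosen controls, residual risk, whether the target was met)."""
    candidates = sorted((c for c in controls if net_benefit(assets, c) > 0),
                        key=lambda c: net_benefit(assets, c), reverse=True)
    chosen = []
    residual = total_risk(assets)
    for c in candidates:
        if residual <= acceptable:
            break
        chosen.append(c)
        residual = total_risk(assets, chosen)
    return chosen, residual, residual <= acceptable


# Constructed inventory (first step: objects and flows to protect).
ASSETS = [
    Asset("customer-db", confidentiality=3, integrity=3, availability=2, threats=[
        Threat("sql-injection", probability=0.30, damage=200_000),
        Threat("ransomware", probability=0.10, damage=500_000),
    ]),
    Asset("price-list-site", confidentiality=1, integrity=2, availability=3, threats=[
        Threat("defacement", probability=0.20, damage=50_000),
        Threat("ddos", probability=0.50, damage=30_000),
    ]),
]

# Constructed candidate countermeasures.
CONTROLS = [
    Control("waf-and-code-review", 20_000, "customer-db", "sql-injection", 0.8),
    Control("offline-backups", 15_000, "customer-db", "ransomware", 0.7),
    Control("cdn-ddos-protection", 12_000, "price-list-site", "ddos", 0.9),
    Control("web-integrity-monitor", 25_000, "price-list-site", "defacement", 0.9),
]

if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name}: class={classify(a)} "
              f"risk={sum(threat_risk(t) for t in a.threats):,.0f}")
    chosen, residual, ok = select_controls(ASSETS, CONTROLS, acceptable=40_000)
    print("chosen:", [c.name for c in chosen])
    print(f"residual risk {residual:,.0f}, target met: {ok}")
```

With these figures the integrity monitor is rejected because it costs more than the risk it removes, and the remaining three controls bring the total from 135,000 down to 38,500. Lowering the acceptable value to 30,000 returns the same three controls with the target flag false, which tells the analyst that cheaper or stronger measures are needed rather than silently reporting success.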

The information security policy should contain clauses covering the following sections:

  • the concept of information security;
  • identification of the components and resources of the information system that can become sources of information security violations, and their level of criticality;
  • mapping of threats to the objects of protection;
  • risk assessment;
  • assessment of the possible losses from the realization of threats;
  • estimate of the cost of building the information security system;
  • requirements for the methods and means of ensuring information security;
  • choice of the basic information security solutions;
  • organization of recovery work and assurance of continuous operation of the information system;
  • access control rules.

An enterprise's information security policy is essential to its comprehensive security. Its technical part can be supported by hardware and software, for example DLP (data loss prevention) solutions, but such tools implement only the part of the policy that is expressible as access and data-handling rules; the legal, organizational and personnel measures listed above remain management's responsibility.
