Information security management system. "Basic level of information security of telecom operators". Vadim Grebennikov

Good day, dear readers!
I have not written on Habr for a long time; there was no time, there was too much work. But now I have freed up some time and put together my thoughts for a new post.

I was talking with an acquaintance who had been put in charge of information security at his organization (he is the system administrator), and he asked me to tell him where to start and where to go from there. I put my thoughts and knowledge in order a little and gave him a rough plan.
Unfortunately, this situation is far from isolated and occurs frequently. Employers, as a rule, want a jack of all trades (a tailor, a reaper and a piper, as the saying goes), and all for one salary. I will return to why information security should not be made part of IT later; for now let us consider where to start if this has happened to you and you have signed up for such an adventure, that is, building an information security management system (ISMS).

Risk Analysis

Almost everything in information security begins with risk analysis; it is the basis and starting point of all security processes. I will give a brief primer in this area, since many of the concepts are not obvious and are most often confused.
There are three main concepts:
  • Risk
  • Probability of realization
  • Vulnerability

Risk is the possibility of incurring losses (monetary, reputational, etc.) because a vulnerability is exploited.
Probability of realization is how likely it is that a given vulnerability will be exploited, so that the risk materializes.
Vulnerability is a specific gap in your security system that, with some probability, can be used to cause harm, that is, to realize the risk.

There are many methods and approaches to risk management; I will cover the basics, the rest you will not need at first when building an ISMS.
All risk management work comes down to either reducing the probability of realization or minimizing the losses from it. Accordingly, risks are either acceptable or unacceptable to the organization. Acceptability is best expressed as a concrete amount of loss from the risk being realized (even seemingly intangible reputational damage eventually turns into lost profit). Agree with management on the loss amount that is their threshold of acceptability and build a gradation (preferably 3-5 levels of loss). Then build a gradation for probability in the same way, and evaluate each risk by the sum of the two indicators.
After this preparatory work, identify the real vulnerabilities of your organization and assess, for each, the probability of exploitation and the resulting losses. The result is two sets of risks: acceptable and unacceptable. Acceptable risks you simply live with and take no active steps to minimize them (you have accepted that minimizing them would cost more than the losses from them); for unacceptable ones there are two options.

Minimize: reduce the probability of occurrence, reduce the possible losses, or eliminate the risk altogether (close the vulnerability).
Transfer: shift the risk to another party, for example insure the organization against the risk event, or hand over the asset at risk (for example, move the servers to a data center, which then becomes responsible for uninterrupted power and the physical security of the servers).
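As an added example (not part of the original post), here is the scoring procedure above as a small risk register in Python: loss and probability are each graded on a 1..5 ordinal scale, the score is their sum as the post describes, and management's threshold splits the register into accepted risks and risks that need treatment. The level labels, the threshold value of 6 and the sample register are assumptions made for illustration.

```python
"""Added example (not from the original post): a minimal risk register that
applies the scoring described above. Loss and probability are graded 1..5,
the risk score is their sum, and a threshold agreed with management splits
the register into accepted risks and risks to minimize or transfer.
The scale labels, threshold and sample entries are assumptions."""

from dataclasses import dataclass

# Ordinal gradations agreed with management. The amounts are hypothetical and
# exist only to make the scale concrete.
LOSS_LEVELS = {
    1: "up to 100k",
    2: "100k - 1M",
    3: "1M - 10M",
    4: "10M - 100M",
    5: "over 100M or existential",
}
PROBABILITY_LEVELS = {
    1: "rare (less than once in 10 years)",
    2: "unlikely (once in 3-10 years)",
    3: "possible (once in 1-3 years)",
    4: "likely (several times a year)",
    5: "almost certain (monthly or more)",
}


@dataclass(frozen=True)
class Risk:
    vulnerability: str       # the gap in the security system
    loss_level: int          # 1..5, see LOSS_LEVELS
    probability_level: int   # 1..5, see PROBABILITY_LEVELS


def risk_score(risk: Risk) -> int:
    """Score = loss level + probability level, range 2..10."""
    for level in (risk.loss_level, risk.probability_level):
        if level not in LOSS_LEVELS:  # both scales are 1..5
            raise ValueError(f"level {level} is outside the 1..5 gradation")
    return risk.loss_level + risk.probability_level


def classify(register, threshold: int):
    """Split a register into (acceptable, unacceptable) by the agreed threshold.

    A score >= threshold is unacceptable and must be minimized or transferred;
    anything below is accepted (treatment would cost more than the loss)."""
    acceptable, unacceptable = [], []
    for risk in register:
        (unacceptable if risk_score(risk) >= threshold else acceptable).append(risk)
    # Worst risks first so the treatment plan starts at the top (stable sort).
    unacceptable.sort(key=risk_score, reverse=True)
    return acceptable, unacceptable


# Constructed sample register for a small office; every entry is hypothetical.
SAMPLE_REGISTER = [
    Risk("Server room door has no ACS, cleaners hold a key", 4, 3),
    Risk("No password expiry on the file server", 3, 3),
    Risk("Visitors walk unescorted past open-plan desks", 2, 4),
    Risk("Old printer in the corridor still on the network", 1, 2),
    Risk("Vendor VPN account never disabled after the contract", 4, 4),
]


def treatment_plan(register, threshold: int = 6):
    """Return (vulnerability, score) pairs for every unacceptable risk, worst first."""
    _, unacceptable = classify(register, threshold)
    return [(r.vulnerability, risk_score(r)) for r in unacceptable]


if __name__ == "__main__":
    acceptable, unacceptable = classify(SAMPLE_REGISTER, threshold=6)
    print("Accepted:")
    for r in acceptable:
        print(f"  [{risk_score(r)}] {r.vulnerability}")
    print("Needs treatment (minimize or transfer):")
    for r in unacceptable:
        print(f"  [{risk_score(r)}] {r.vulnerability}")
```

The threshold is the only number management has to sign off on; everything else is a ranking you can defend line by line, which is what you want when a business unit asks why its item landed on the treatment list.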

Scope

First of all, of course, you need to assess the scale of the disaster. I will not touch on the protection of personal data; there are already plenty of articles on that subject, with practical recommendations and step-by-step procedures described more than once.
Let me also remind you that information security is first of all about people, so you need regulatory documentation. To write it, you first need to understand what goes into it.
There are three main documents for information security in this respect:
Information security policy
Your main document, handbook, Bible, whatever grand title you like. It describes all the information security procedures and the level of security your organization adheres to. So to speak, an idealized picture of your security, documented and approved according to all the rules.
The policy should not be dead weight; the document must live and change under the influence of new threats, trends in information security, or simply new requirements. For this reason the policy (like any process document) should be regularly reviewed for relevance, at least once a year.
Information security concept
A short extract from the policy that describes the foundations of your organization's security: no specific processes, but the principles on which the ISMS and security as a whole are built.
This is more of an image document; it must not contain any sensitive information and should be open and accessible to everyone. Put it on your website and leave copies at the information desk, so that customers and visitors can read it, or simply see that you care about security and are ready to demonstrate it.
Regulations on trade secrets (confidential information)
The alternative name for such a document is given in parentheses. By and large, a trade secret is a special case of confidential information; there are very few differences.
This document must state: how and where the documents constituting the trade secret are stored, who is responsible for storing them, what the template of a document carrying such information looks like, and what the consequences of disclosing confidential information are (under the law and under internal agreements with management). And, of course, the list of information that, for your organization, constitutes a trade secret or is confidential.
Under the law, if you have not taken measures to protect confidential information, then as it were you do not have any :-) That is, the information itself exists, but it cannot count as confidential. And here is an interesting point: 90% of organizations sign confidentiality agreements with new employees, but few have taken the measures required by law; at most they have a list of information.

Audit

To write these documents, or more precisely to understand what should go into them, you need to audit the current state of information security. Obviously, depending on the organization's activities, geographic distribution and so on, there are many nuances and factors specific to each organization, but several main points are common to all.
Access policy
There are two branches: physical access to premises and access to information systems.
Physical access
Describe your access control system: how and when access cards are issued, and who decides who has access to which premises (assuming the premises are equipped with an access control system, ACS). Also cover the video surveillance system and the principles of its design (no blind spots in monitored premises, mandatory coverage of entrances to and exits from the building, coverage of the server room entrance, etc.). Do not forget visitors: if you have no common reception (and even if you do), state how visitors enter the controlled area (temporary passes, an escort).
The server room should also have a separate access list with a visit log (easier if the server room is on the ACS and the log is kept automatically).
Access to information systems
Describe the procedure for granting access and, if multi-factor authentication is used, for issuing the additional authenticators. Password policy (password expiry, complexity, number of login attempts, account lockout duration after the attempt limit is exceeded) for every system that access is granted to, unless you have single sign-on everywhere.
Building a network
Where the externally accessible servers (DMZ) are located and how they are reached from inside and outside. Network segmentation and how it is provided. Firewalls and which segments they protect (including any between segments inside the network).
Remote access
How it is organized and who has access. Ideally: VPN only, access granted only with top management approval and a written justification of the need. If third parties (vendors, service personnel, etc.) need access, it is limited in time: an account is issued for a set period, after which it is automatically blocked. Naturally, with any remote access, rights must be limited to the minimum.
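As an added example (not part of the original post), here are the two mechanical rules from the password-policy and remote-access items above, the lockout after a number of failed attempts and the self-expiring third-party account, written as a small in-memory authentication service in Python so the behaviour can be exercised end to end. The policy numbers, account names, passwords and the `demo_scenario` walk-through are constructed for illustration; in a real deployment the directory (AD, LDAP, the VPN concentrator) enforces these centrally rather than application code.

```python
"""Added example (not from the original post): an in-memory model of two
access rules the audit section asks you to document: a lockout after N
failed logins that lifts after a block period, and third-party accounts
issued with an expiry date that are refused automatically once it passes.
Parameters, account names and passwords are constructed for illustration."""

import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class PasswordPolicy:
    max_attempts: int = 5                        # failures before lockout
    lockout: timedelta = timedelta(minutes=15)   # how long the lock lasts
    max_age: timedelta = timedelta(days=90)      # password expiry


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    pw_set_at: datetime
    expires_at: Optional[datetime] = None   # None for staff, a date for third parties
    failures: int = 0
    locked_until: Optional[datetime] = None


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is a placeholder, tune it for your hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_account(name: str, password: str, now: datetime,
                   valid_for: Optional[timedelta] = None) -> Account:
    """valid_for is set for vendor/service accounts so they block themselves."""
    salt = os.urandom(16)
    expires = now + valid_for if valid_for is not None else None
    return Account(name, salt, hash_password(password, salt), now, expires)


class AuthService:
    def __init__(self, policy: PasswordPolicy):
        self.policy = policy
        self.accounts: dict[str, Account] = {}
        self._dummy_salt = os.urandom(16)

    def add(self, acct: Account) -> None:
        self.accounts[acct.name] = acct

    def login(self, name: str, password: str, now: datetime) -> str:
        """Returns a reason code for the audit log. The message shown to the
        user must be the same for an unknown account and a bad password."""
        acct = self.accounts.get(name)
        if acct is None:
            hash_password(password, self._dummy_salt)   # keep timing uniform
            return "denied: bad credentials"
        if acct.expires_at is not None and now >= acct.expires_at:
            return "denied: account expired"
        if acct.locked_until is not None and now < acct.locked_until:
            return "denied: locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures = 0
            acct.locked_until = None
            if now - acct.pw_set_at > self.policy.max_age:
                return "ok: password expired, change required"
            return "ok"
        acct.failures += 1
        if acct.failures >= self.policy.max_attempts:
            acct.locked_until = now + self.policy.lockout
            acct.failures = 0
            return "denied: locked"
        return "denied: bad credentials"


DEMO_START = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed clock


def demo_scenario(now: datetime) -> list[str]:
    """Constructed walk-through; returns the outcome of each login attempt."""
    svc = AuthService(PasswordPolicy(max_attempts=3, lockout=timedelta(minutes=15)))
    svc.add(create_account("ivanov", "Correct-Horse-42", now))
    svc.add(create_account("vendor-acme", "Vendor-Pass-7", now, valid_for=timedelta(days=14)))
    m, d = timedelta(minutes=1), timedelta(days=1)
    return [
        svc.login("ivanov", "wrong", now),                        # denied: bad credentials
        svc.login("ivanov", "wrong", now),                        # denied: bad credentials
        svc.login("ivanov", "wrong", now),                        # denied: locked (3rd failure)
        svc.login("ivanov", "Correct-Horse-42", now + 5 * m),     # denied: locked (inside window)
        svc.login("ivanov", "Correct-Horse-42", now + 16 * m),    # ok (lock lifted)
        svc.login("vendor-acme", "Vendor-Pass-7", now + 13 * d),  # ok (within the 14 days)
        svc.login("vendor-acme", "Vendor-Pass-7", now + 15 * d),  # denied: account expired
        svc.login("ivanov", "Correct-Horse-42", now + 91 * d),    # ok: password expired, change required
        svc.login("nobody", "x", now),                            # denied: bad credentials
    ]


if __name__ == "__main__":
    for outcome in demo_scenario(DEMO_START):
        print(outcome)
```

Two details worth carrying into the written policy: the expiry check runs before the password check, so a vendor account stays blocked even if the password is still known, and the reason codes are for the log only; the user-facing message must not reveal whether the account exists.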
Incidents
How they are handled, who is responsible, and how incident management and problem management (if you have it, of course) are built. I already had a post on working with incidents: you can read more there.
It is also necessary to determine the trends in your organization, that is, which incidents occur more often and which cause more harm (downtime, direct loss of property or money, reputational damage). This will help in risk control and risk analysis.
Assets
Here, assets means everything that needs protection: servers, information on paper or removable media, computer hard drives, etc. If an asset contains sensitive information, it should be marked accordingly, and there should be a list of actions allowed and prohibited with that asset, such as transfer to third parties, sending by e-mail within the organization, publishing in public within the organization, etc.

Education

A point that many forget: employees need to be taught security measures. It is not enough to have them acknowledge the instructions and policies with a signature; 90% will not read them and will simply sign to get rid of them. I also wrote a post about training: it lists the main points that matter in training and should not be forgotten. Besides the training itself, such events are useful for communication between employees and the security officer (a nice title, I really like it :-). You can learn about minor incidents, wishes and even problems that you would hardly have heard of in the normal working rhythm.

Conclusion

That is probably all I wanted to tell beginners in information security. I understand that with this post I may deprive some colleague of a job, since a potential employer will simply assign these duties to the admin, but I will also protect many organizations from scam integrators who love to extort money for audits and write multi-page pamphlets about who knows what, passing them off as regulatory documents (http://website/post/153581/).
Next time I will try to talk about organizing the information security function as such.

P.S. If you downvote, please leave a comment, so that I do not make the same mistakes in future.

Tags:

  • Information Security
  • documentation
  • education

Promote employee awareness

An essential factor in the effective implementation of these principles is a linking cycle of activities that keeps information security management constantly focused on current risks. It is important that the organization's top management recognizes the risk of business process disruption associated with the security of information systems. The basis for developing and implementing policies and selecting the necessary controls is the risk assessment of individual business applications. The steps taken raise user awareness of the risks and the associated policies. The effectiveness of controls is evaluated through various reviews and audits. The results feed the next risk assessment and determine the necessary changes to policies and controls. All these activities are centrally coordinated by the security service or by a group of specialists consisting of consultants, representatives of business units and management of the organization. The risk management cycle is illustrated in the figure.

Methods for implementing an information security program

The following sixteen practices, used to implement the five principles of risk management, are shown in the following illustration. These practices are key to the effective implementation of an organization's information security program.

Assess risk and identify needs

Risk assessment is the first step in implementing an information security program. Security is considered not as an end in itself but as a set of policies and related controls designed to secure business processes and mitigate the related risks. Thus, identifying the business risks associated with information security is the starting point of the risk (information security) management cycle.

Recognize information resources as essential (integral) assets of the organization

Recognition of information security risks by the organization's management, together with a set of measures aimed at identifying and managing these risks, is an important factor in developing an information security program. This management attitude ensures that information security is taken seriously at the lower levels of the organization and that information security professionals receive the resources needed to implement the program effectively.

Develop practical risk assessment procedures linking security and business requirements

There are various risk assessment methodologies, ranging from informal discussion of risk to rather complex methods involving specialized software tools. However, the world experience of successful risk management procedures describes a relatively simple process involving the various departments of financial institutions, with the participation of specialists who know the business processes, technical specialists and information security specialists.

It is worth emphasizing that understanding risks does not require their precise quantification, including the likelihood of an incident or the cost of damage. Such data are not available, because losses may go undetected and management may not be informed. In addition, there are few data on the total cost of repairing damage caused by weak security controls, or on the operating costs of those controls. Because of constant changes in technology, and in the software and tools available to attackers, applying statistics collected in previous years is questionable. As a result, it is difficult, if not impossible, to compare the cost of controls precisely with the risk of loss in order to determine which control is the most cost-effective. In any case, business unit managers and information security specialists should rely on the best information available to them when choosing the necessary controls.

Establish accountability for business unit managers and managers involved in the security program

Business unit managers should be primarily responsible for determining the level of security (confidentiality) of the information resources that support their business processes. Business unit managers are best placed to determine which information resources are the most critical, as well as the possible impact on the business if their integrity, confidentiality or availability is violated. In addition, business unit managers can point out controls that would harm business processes. Thus, by involving them in the selection of controls, it can be ensured that the controls meet the requirements and will be successfully implemented.

Continuously manage risk

Information security should be given ongoing attention to ensure the adequacy and effectiveness of controls. As noted earlier, modern information and related technologies, as well as factors related to information security, are constantly changing. Such factors include threats, technologies and system configurations, known software vulnerabilities, the level of reliability of automated systems and electronic data, and the criticality of data and operations.

Establish centralized management

The steering group acts primarily as an adviser or consultant to business units and cannot impose information security methods (means) on them.

Define a steering group to carry out key actions

In general, the steering group should be (1) a catalyst (accelerator) of the process, ensuring that information security risks are considered continuously; (2) a central consulting resource for organizational units; (3) a means of communicating to the management of the organization information about the state of information security and the measures taken. In addition, the steering group allows you to centrally manage the assigned tasks, otherwise these tasks may be duplicated by various departments of the organization.

Provide the steering group with easy and independent access to the top management of the organization

We note the need for the steering group's managers to discuss information security problems with the organization's top management. Such dialogue makes it possible to act effectively and avoid disagreements. Otherwise there may be conflicts with business unit managers and system developers, who want new software products introduced as soon as possible and therefore challenge controls that may interfere with the efficiency and convenience of using the software. Thus, the opportunity to discuss information security issues at the highest level can ensure that risks are fully understood and accepted before final decisions are made.

Define and allocate budget and personnel

The budget allows planning and setting goals for the information security program. At a minimum, the budget covers employee salaries and training costs. The size of the steering group (security unit) can vary and depends on both the goals set and the projects under consideration. As noted earlier, both technical specialists and employees of business units can be involved in the group's work.

Increase the professionalism and technical knowledge of employees

Employees of the organization should be involved in various aspects of the information security program and have the appropriate skills and knowledge. The required level of professionalism of employees can be achieved through training, which can be carried out by both specialists of the organization and external consultants.

Implement necessary policies and appropriate controls

Information security policies are the basis for adopting specific procedures and choosing the means (mechanisms) of control. Policy is the primary mechanism by which management communicates its views and requirements to employees, customers and business partners. For information security, as for other areas of internal control, policy requirements depend directly on the results of the risk assessment.

Establish the relationship between policies and business risks

A comprehensive set of adequate policies that are accessible and understandable to users is one of the first steps in establishing an information security program. It is worth emphasizing the importance of continuous maintenance (adjustment) of policies for a timely response to identified risks and possible disagreements.

Distinguish between policies and guidelines

The general approach to creating information security policies should include (1) short, high-level policies and (2) more detailed material provided in practical guidelines and standards. Policies contain the basic, mandatory requirements adopted by top management, whereas guidelines are not mandatory for all business units. This approach lets top management focus on the most important elements of information security, gives business unit managers room to maneuver, and keeps policies easy for employees to understand.

Ensure the steering group supports the policies

The steering group should be responsible for developing the organization's information security policies in collaboration with business unit managers, internal auditors and lawyers. In addition, the steering group should provide the necessary clarifications and answer users' questions. This helps to resolve and prevent misunderstandings, and to take the necessary measures in situations the policies (guidelines) do not provide for.

Policies should be made available so that users can access their current versions when needed. Users must sign that they are familiar with the policies before granting them access to the information resources of the organization. If a user is involved in a security incident, this agreement will serve as evidence that he or she has been informed of the organization's policy, as well as possible sanctions if it is violated.

Promote awareness

The competence of users is a prerequisite for successful information security, and also helps to ensure that controls work properly. Users cannot follow a policy they do not know or understand. Unaware of the risks associated with an organization's information resources, they may not see the need to implement policies designed to mitigate risks.

Continuously train users and other employees using the example of risks and related policies

The steering group should provide a strategy for ongoing training of employees who in one way or another affect the organization's information security. The group should focus on a shared understanding of the risks associated with the information processed within the organization, and of the policies and controls that mitigate those risks.

Use a friendly approach

The steering group should use a variety of training and encouragement methods to make the organization's policies accessible and to educate users. It is worth avoiding a single annual meeting with all employees of the organization; on the contrary, training is best done in small groups of employees.

Monitor and evaluate the effectiveness of policies and controls

Like any type of activity, information security is subject to control and periodic reassessment to ensure the adequacy (compliance) of policies and means (methods) of control with the goals set.

Control factors that influence risks and indicate the effectiveness of information security

Monitoring should focus primarily on (1) the availability of controls and methods and their use to mitigate risks, and (2) evaluating the effectiveness of the information security program and of the policies that improve user understanding and reduce incidents. Such checks include testing the means (methods) of control, assessing their compliance with the organization's policies, analyzing security incidents, and other indicators of the effectiveness of the information security program. The performance of the steering group can be assessed using, for example, the following indicators (not an exhaustive list):

  • the number of trainings and meetings held;
  • number of risk assessment(s) performed;
  • number of certified specialists;
  • the absence of incidents that impede the work of employees of the organization;
  • reduction in the number of new projects implemented with a delay due to information security problems;
  • full compliance or agreed and recorded deviations from the minimum information security requirements;
  • reduction in the number of incidents involving unauthorized access, loss or distortion of information.

Use the results obtained to coordinate future efforts and increase management accountability

Monitoring certainly brings an organization into line with its adopted information security policies, but the full benefit of monitoring is not achieved unless the results are used to improve the information security program. Analysis of monitoring results gives information security professionals and business unit managers the means to (1) re-evaluate previously identified risks, (2) identify new problem areas, (3) re-evaluate the sufficiency and appropriateness of existing controls, methods of control (management) and information security actions, (4) determine the need for new means and mechanisms of control, and (5) redirect control efforts. In addition, the results can be used to evaluate the performance of business managers responsible for understanding and mitigating risk across business units.

Keep track of new methods and controls

It is important to ensure that (1) information security professionals keep up with the development of methods and tools (applications) and have the latest information about the vulnerability of information systems and applications, (2) top management ensures that it has the necessary resources for this.


© Vadim Grebennikov, 2018

ISBN 978-5-4493-0690-6

Created with the intelligent publishing system Ridero

1. Family of information security management standards

1.1. History of the development of information security management standards

Today, the security of the digital space sets a new direction for every country's national security. Given the role of information as a valuable commodity in business, its protection is certainly necessary. To this end, every organization, depending on the value of its information (in economic terms), needs to build an information security management system (hereinafter ISMS) with which it can protect its information assets.

In organizations whose existence depends significantly on information technology (hereinafter IT), all available data-protection tools may be used. Moreover, information security matters to consumers, partners, other organizations and the government. Therefore, to protect valuable information, each organization should choose a particular strategy and implement a security system based on it.

An ISMS is the part of the overall management system, based on risk assessment and analysis, for developing, implementing, operating, monitoring, reviewing, maintaining and improving information security (hereinafter IS). It is derived from the organization's goals and requirements, its security requirements, the processes it uses, and its size and structure.

The origin of the principles and rules of information security management began in the UK in the 1980s. In those years, the UK Department of Trade and Industry (DTI) organized a working group to develop a set of best practices for ensuring information security.

In 1989, DTI published the first standard in this area, PD 0003 "A Code of Practice for Information Security Management". It was a list of security controls considered adequate, normal and good practice at the time, applicable to the technologies and environments of the day. The DTI document was published as a guidance document within the British Standards (BS) system.

In 1995, the British Standards Institution (BSI) adopted the national standard BS 7799-1 "Code of practice for information security management". It described 10 areas and 127 controls needed to build an information security management system (ISMS), based on best practices from around the world.

This standard became the progenitor of all international ISMS standards. Like any national standard, BS 7799 enjoyed, let us say, moderate popularity in the period 1995-2000, and only within the countries of the British Commonwealth.

In 1998, the second part of this standard appeared: BS 7799-2 "Information security management systems. Specification with guidance for use", which defined the general model for building an ISMS and the set of mandatory requirements against which certification should be carried out. With the appearance of the second part of BS 7799, which defined what an ISMS should be, the active development of a certification scheme for security management began.

At the end of 1999, experts from the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) concluded that the existing standards included no specialized information security management standard. Accordingly, it was decided not to develop a new standard but, in agreement with BSI, to adopt BS 7799-1 as the basis for a corresponding international ISO/IEC standard.

At the end of 1999, both parts of BS 7799 were revised and harmonized with the international standards for quality management systems (ISO 9001) and environmental management systems (ISO 14001), and a year later BS 7799-1 was adopted without changes as the international standard ISO/IEC 17799:2000 "Information technology (hereinafter IT). Code of practice for information security management".

In 2002, both the first part of BS 7799-1 (ISO/IEC 17799) and the second part of BS 7799-2 were updated.

As for official certification against ISO/IEC 17799, it was never provided for (exactly as with BS 7799-1). Certification was provided only against BS 7799-2, which consisted of a set of mandatory requirements (not included in BS 7799-1) and, in an annex, a list of conditionally mandatory (at the certifier's discretion) most important requirements of BS 7799-1 (ISO/IEC 17799).

In the territory of the CIS, Belarus was the first country to adopt ISO/IEC 17799:2000 as a national standard in November 2004. Russia introduced this standard only in 2007. The Central Bank of the Russian Federation on its basis created an information security management standard for the banking sector of the Russian Federation.

Within ISO/IEC JTC 1, Subcommittee 27 (SC 27) is responsible for developing the family of international information security management standards; therefore the numbering scheme adopted for this family uses a series of consecutive numbers starting from 27000 (the 27k series).

In 2005, ISO/IEC Joint Technical Committee JTC 1 published the certification standard ISO/IEC 27001 "IT. Security techniques. Information security management systems. Requirements", which replaced BS 7799-2; certification is now carried out against ISO/IEC 27001.

In 2005, ISO/IEC 17799:2000 was revised as ISO/IEC 17799:2005 and in 2007 renumbered as ISO/IEC 27002:2005 "IT. Security techniques. Code of practice for information security management".

At the beginning of 2006, a new British national standard BS 7799-3 “ISMS. Information Security Risk Management Guide”, which in 2008 received the status of the international standard ISO/IEC 27005 “IT. Protection methods. Information security risk management”.

In 2004, ISO/IEC published the technical report ISO/IEC TR 18044 "IT. Security techniques. Information security incident management". In 2011, on its basis, ISO/IEC 27035 "IT. Security techniques. Information security incident management" was published.

In 2009, ISO/IEC 27000 "IT. Security techniques. Information security management systems. Overview and vocabulary" was published. It gives an overview of information security management systems and defines the related terms. Its glossary of carefully formulated formal definitions covers most of the specialized information security terms used in the standards of the ISO/IEC 27k family.

On September 25, 2013, new versions of ISO/IEC 27001 and 27002 were published. Since then, the standards of the ISO/IEC 27k series (information security management) have been aligned with the standards of the ISO/IEC 20k series (IT service management). All terminology from ISO/IEC 27001 was moved to ISO/IEC 27000, which defines a common vocabulary for the entire ISO/IEC 27k family of standards.

1.2. ISO/IEC 27000-2014 standard

The latest update of ISO/IEC 27000 “IT. ISMS. General overview and terminology” took place on January 14, 2014.

The standard consists of the following sections:

– introduction;

– scope;

– terms and definitions;

– information security management systems;

– the ISMS family of standards.

Introduction

Overview

International management system standards provide a model for the establishment and operation of a management system. This model includes functions on which experts have reached agreement on the basis of international experience gained in this area.

By using the ISMS family of standards, organizations can implement and improve an ISMS that protects information such as financial information, intellectual property, personnel information, and information entrusted by customers or third parties, and can prepare for its independent assessment. An organization can thus use these standards to prepare for an independent assessment of its ISMS.

ISMS family of standards

The ISMS family of standards, which carries the common title “Information technology. Security techniques” (Information technology. Protection methods), is designed to help organizations of any type and size implement and operate an ISMS, and consists of the following international standards:

– ISO/IEC 27000 ISMS. General overview and terminology;

– ISO/IEC 27001 ISMS. Requirements;

– ISO/IEC 27002 Code of practice for information security management;

– ISO/IEC 27003 Guidelines for the implementation of an ISMS;

– ISO/IEC 27004 Information security management. Measurements;

– ISO/IEC 27005 Information security risk management;

– ISO/IEC 27006 Requirements for bodies providing ISMS audit and certification;

– ISO/IEC 27007 Guidelines for ISMS auditing;

– ISO/IEC TR 27008 Guidelines for auditing information security controls;

– ISO/IEC 27010 Information security management for inter-sector and inter-organizational communications;

– ISO/IEC 27011 Information security management guidelines for telecommunications organizations based on ISO/IEC 27002;

– ISO/IEC 27013 Guidelines for the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1;

– ISO/IEC 27014 Management of information security by top management;

– ISO/IEC TR 27015 Information security management guidelines for financial services;

– ISO/IEC TR 27016 Information security management. Organizational economics;

– ISO/IEC 27035 Information security incident management (not listed in the standard).

One international standard in the family does not carry this common title:

– ISO 27799 Health informatics. Information security management according to ISO/IEC 27002.

Purpose of the standard

The standard provides an overview of the ISMS and defines the relevant terms.

The ISMS family of standards contains standards that:

– define requirements for ISMS and certification of such systems;

– include industry-specific guidelines for ISMS;

– guide the assessment of conformity of an ISMS.

1. Scope of application

The standard provides an overview of the ISMS and the terms and definitions commonly used in the ISMS family of standards. The standard is applicable to organizations of all types and sizes (e.g. commercial enterprises, government agencies, non-profit organizations).

2. Terms and definitions

The section contains definitions of 89 terms, for example:

information system – applications, services, IT assets and other information processing components;

information security (IS) – preservation of the confidentiality, integrity and availability of information;

availability – the property of being accessible and usable on demand by an authorized entity;

confidentiality – the property that information is not made available or disclosed to unauthorized persons;

integrity – the property of accuracy and completeness;

non-repudiation – the ability to prove the occurrence of a claimed event or action and its originating entities;

IS event – a detected state of a system, service or network indicating a possible breach of the information security policy or failure of safeguards, or a previously unknown situation that may be security-relevant;

IS incident – one or more IS events that, with a significant probability, compromise business operations and threaten information security;

IS incident management – processes for detecting, reporting, assessing, responding to, dealing with and learning from IS incidents;

management system – a set of interrelated elements of an organization used to establish policies, objectives and processes to achieve those objectives;

monitoring – determining the status of a system, process or activity;

policy – the overall intention and direction as formally expressed by management;

risk – the effect of uncertainty on objectives;

threat – a potential cause of an unwanted incident that may result in harm;

vulnerability – a weakness of an asset or safeguard that can be exploited by one or more threats.

3. Information security management systems

The ISMS section consists of the following main items:

– description of the ISMS;

– implementation, control, maintenance and improvement of the ISMS;

– the benefits of implementing ISMS family standards.

3.1. Introduction

Organizations of all types and sizes:

– collect, process, store and transmit information;

– are aware that information and related processes, systems, networks and people are important assets for achieving organizational goals;

– face a range of risks that could affect the performance of assets;

– address the identified risks through the implementation of IS measures and tools.

All information stored and processed by an organization is exposed to threats of attack, error, natural events (e.g. fire or flood) and the like, and to vulnerabilities inherent in its use.

Typically, the concept of information security rests on treating information as a valuable asset that requires appropriate protection (for example, against loss of availability, confidentiality and integrity). The ability of authorized individuals to obtain timely access to accurate and complete information is a catalyst for business efficiency.

The effective protection of information assets by defining, creating, maintaining and improving information security is a prerequisite for an organization to achieve its goals, as well as maintain and improve legal compliance and reputation. These coordinated actions to implement appropriate safeguards and handle unacceptable information security risks are commonly known as information security controls.

As information security risks, and the effectiveness of safeguards, change with circumstances, an organization should:

– monitor and evaluate the effectiveness of the implemented protection measures and procedures;

– identify emerging risks for treatment;

– select, implement and improve appropriate safeguards as appropriate.

For the interconnection and coordination of information security activities, each organization should establish an information security policy and objectives and effectively achieve these objectives using a management system.

3.2. Description of the ISMS

The description of the ISMS includes the following components:

– provisions and principles;

– information;

– information security;

– management;

– management system;

– process approach;

– the importance of the ISMS.

Regulations and principles

An ISMS consists of policies, procedures, guidelines and related resources and activities collectively managed by an organization to protect its information assets. An ISMS defines a systematic approach to establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization's information security in order to achieve business objectives.

It is based on a risk assessment and an organization's acceptable risk levels designed to effectively treat and manage risk. Analyzing the requirements for protecting information assets and applying appropriate safeguards to provide the necessary protection for these assets contributes to the successful implementation of an ISMS.

The following key principles contribute to the successful implementation of an ISMS:

– awareness of the need for information security;

– assignment of responsibility for information security;

– combining the commitment of management with the interests of stakeholders;

– enhancing societal values;

– risk assessments that identify appropriate safeguards to achieve acceptable levels of risk;

– security as an integral element of information systems and networks;

– active prevention and detection of information security incidents;

– ensuring an integrated approach to information security management;

– continuous re-evaluation and corresponding improvement of information security.

Information

Information is an asset that, along with other critical business assets, is important to an organization's business and therefore should be appropriately protected. Information may be stored in a variety of forms, including digital form (eg data files stored on electronic or optical media), tangible form (eg paper), as well as intangible form in the form of employee knowledge.

Information may be transmitted in a variety of ways, including courier, electronic or voice communication. Regardless of the form in which the information is presented and how it is transmitted, it must be properly protected.

In many organizations, information depends on information and communication technology. This technology is an essential element in any organization and facilitates the creation, processing, storage, transfer, protection and destruction of information.

Information Security

Information security includes three main dimensions (properties): confidentiality, availability and integrity. Information security involves the application and management of appropriate security measures, which include consideration of a wide range of threats, with the aim of ensuring long-term business success and continuity and minimizing the impact of information security incidents.

IS is achieved by applying an appropriate set of safeguards, defined through the risk management process and managed by the ISMS, including policies, processes, procedures, organizational structures, software and hardware, to protect the identified information assets.

These safeguards must be defined, implemented, monitored, tested and improved as necessary to ensure that the level of information security is consistent with the organization's business objectives. Appropriate IS measures and tools should be seamlessly integrated into the organization's business processes.

Management

Management includes activities to direct, control and continuously improve the organization within the appropriate structures. Management activity includes the actions, methods or practices of generating, processing, directing, monitoring and controlling resources. The size of the management structure can vary from one person in small organizations to a management hierarchy in large organizations consisting of many people.

In relation to the ISMS, management includes monitoring and making decisions necessary to achieve business goals through the protection of information assets. Information security management is expressed through the formulation and use of information security policies, procedures and guidelines, which are then applied throughout the organization by all those associated with it.

Management system

The management system uses a set of resources to achieve the goals of the organization. An organization's management system includes structure, policies, planning, commitments, practices, procedures, processes, and resources.

In terms of information security, the management system allows the organization to:

– meet the security requirements of customers and other interested parties;

- improve the plans and activities of the organization;

– meet the IS goals of the organization;

– comply with regulations, legislation and industry requirements;

– manage information assets in an organized manner to promote continuous improvement and correction of the current goals of the organization.

3.3. Process approach

An organization needs to conduct and manage a variety of activities in order to function effectively and efficiently. Any activity that uses resources needs to be managed in order to enable the transformation of inputs into outputs through a set of interrelated activities; such a set is called a process.

The output of one process can directly form the input of the next process, and usually this transformation takes place under planned and controlled conditions. The application of a system of processes within an organization, together with the identification and interaction of these processes, as well as their control, can be defined as the "process approach".

Additional Information (not included in the standard)

The founder of the process approach to quality management is considered to be the American scientist Walter Shewhart. His book begins by distinguishing 3 stages in managing the quality of an organization's output:

1) development of specifications (terms of reference, specifications, criteria for achieving goals) of what is required;

2) production of products that meet the specifications;

3) verification (control) of manufactured products to assess their compliance with the specification.

Shewhart was one of the first to propose that the linear perception of these stages be closed in a cycle, which he identified with the "dynamic process of acquiring knowledge."

After the first cycle, the results of the inspection should be the basis for improving the product specification. Next, the production process is adjusted based on the updated specification, and the new result of the production process is again checked, etc.

The American scientist Edwards Deming transformed the Shewhart cycle into the form most commonly seen today. In order to move from quality control to quality management, he gave more general names to each of the stages and, in addition, added a 4th stage, with which he wanted to draw the attention of American managers to the fact that they did not sufficiently analyze the information obtained in the third stage and did not improve the process. That is why this stage is called "Act", and accordingly the Shewhart-Deming cycle is called the "PDCA" or "PDSA" model:

Plan (Planning) – identification and analysis of problems; assessing opportunities, setting goals and developing plans;

Do (Implementation) – search for solutions to problems and implementation of plans;

Check (Study) (Performance evaluation) – evaluation of the results of implementation and conclusions in accordance with the task;

Act (Improvement) – decision-making based on the findings, correction and improvement of work.

Model "PDCA" for ISMS

Planning - Implementation - Control - Improvement

1. Planning (development and design): setting goals, policies, controls, processes and procedures for the ISMS to achieve results consistent with the overall policies and objectives of the organization.

2. Implementation (implementation and maintenance): implementation and application of IS policies, controls, ISMS processes and procedures for assessing and handling IS risks and incidents.

3. Control (monitoring and analysis of functioning): assessment of the effectiveness of meeting the requirements of policies, IS objectives and the effectiveness of the functioning of the ISMS and notifying top management of the results.

4. Improvement (maintenance and improvement): taking corrective and preventive actions based on the results of the audit and management review to achieve an improvement in the ISMS.

The Shewhart-Deming method and cycle, more often called the Deming cycle, is commonly used to illustrate the management of any process. By now, with the necessary clarifications, it has been widely adopted in international management standards:

– product quality: ISO 9000;

– environmental protection: ISO 14000;

– occupational health and safety: OHSAS 18000;

– IT service management: ISO/IEC 20000;

– food safety: ISO 22000;

– information security: ISO/IEC 27000;

– security: ISO 28000;

– business continuity: ISO 22300;

– risk management: ISO 31000;

– energy management: ISO 50000.

3.4. Importance of ISMS

An organization should determine the risks associated with information assets. Achieving information security requires risk management and encompasses physical, human and technological risks related to threats to all forms of information within an organization or used by an organization.

The adoption of an ISMS is a strategic decision for an organization and it is essential that this decision be continuously integrated, evaluated and updated in accordance with the needs of the organization.

The development and implementation of an organization's ISMS is influenced by the needs and objectives of the organization, the security requirements, the business processes used, and the size and structure of the organization. The development and operation of an ISMS should reflect the interests and information security requirements of all stakeholders in the organization, including customers, suppliers, business partners, shareholders and other third parties.

In an interconnected world, information and related processes, systems and networks are critical assets. Organizations and their information systems and networks face security threats from a wide range of sources, including computer fraud, espionage, sabotage, vandalism, fire and flood. Damage to information systems caused by malware, hackers and DoS attacks has become more common, larger and more sophisticated.

ISMS is important for enterprises in both the public and private sectors. In any industry, an ISMS is a necessary tool to support e-business and is essential to risk management activities. The interconnection of public and private networks and the exchange of information assets complicate the management of access to information and its processing.

In addition, the proliferation of mobile storage devices containing information assets may weaken the effectiveness of traditional security measures. When organizations adopt a family of ISMS standards, the ability to apply consistent and mutually recognizable information security principles can be demonstrated to business partners and other interested parties.

Information security is not always taken into account when creating and developing information systems. In addition, information security is often considered to be a purely technical problem. However, the information security that can be achieved through technical means is limited and may be ineffective unless supported by appropriate controls and procedures within the context of an ISMS. Retrofitting security into a functionally complete information system can be complex and costly.

The ISMS involves the identification of available safeguards and requires careful planning and attention to detail. For example, access control measures, which can be technical (logical), physical, administrative (management), or a combination thereof, ensure that access to information assets is authorized and restricted based on business and information security requirements.

The successful application of an ISMS is important for protecting information assets because it allows:

– increase assurance that information assets are adequately protected on a continuous basis against information security threats;

– maintain a structured and comprehensive system for assessing IS threats, selecting and applying appropriate protection measures, measuring and improving their effectiveness;

– continuously improve the management environment of the organization;

– effectively comply with legal and regulatory requirements.

3.5. Implementation, control, maintenance and improvement of the ISMS

Implementation, control, maintenance and improvement of the ISMS are operational stages in the development of the ISMS.

The operational stages of the ISMS are determined by the following components:

– general provisions;

– IS requirements;

– decisive factors for the success of an ISMS.

The operational stages of the ISMS provide the following activities:

– IS risk assessment;

– IS risk treatment;

– selection and implementation of protection measures;

– control and maintenance of the ISMS;

– continuous improvement.

General provisions

The organization shall take the following steps to implement, control, maintain and improve its ISMS:

– definition of information assets and related information security requirements;

– assessment and treatment of IS risks;

– selection and implementation of appropriate safeguards to manage unacceptable risks;

– control, maintenance and improvement of the effectiveness of protection measures related to the information assets of the organization.

To ensure that the ISMS effectively protects the organization's information assets on an ongoing basis, it is necessary to continually iterate all steps to detect changes in risk or the organization's strategy or business objectives.

Information security requirements

Taking into account the organization's overall strategy and business objectives, its size and geographic distribution, information security requirements can be determined by understanding:

– information assets and their values;

– business needs in working with information;

– legal, regulatory and contractual requirements.

Carrying out a methodical assessment of the risks associated with the organization's information assets includes an analysis of:

– threats to assets;

– asset vulnerabilities;

– the probability of the threat materializing;

– the possible impact of an information security incident on assets.

The cost of appropriate safeguards should be proportionate to the anticipated business impact of risk materialization.

Information security risk assessment

Information security risk management requires an appropriate risk assessment and treatment method, which may include an assessment of costs and benefits, legal requirements, stakeholder concerns, and other inputs and variables.

Risk assessments should identify, measure and prioritize risks, taking into account the risk acceptance criteria and the objectives of the organization. The results will help develop and make appropriate management decisions for action and prioritization of information security risk management and implementation of protection measures selected to protect against these risks.

Risk assessment should include a systematic approach to estimating the extent of risks (risk analysis) and a process of comparing the estimated risks against risk criteria to determine their significance (risk evaluation).

Risk assessments should be repeated periodically to address changes in information security requirements and in the risk situation (for example, in assets, threats, vulnerabilities, impacts or risk evaluation), and whenever significant changes occur. These risk assessments should be carried out methodically so that the results are comparable and reproducible.

To be effective, an information security risk assessment should have a clearly defined scope and, where possible, take account of risk assessments in other areas.

The ISO/IEC 27005 standard provides guidance on information security risk management, including recommendations for assessing, treating, accepting, communicating, monitoring and reviewing risk.

Information security risk treatment

Before considering risk treatment, an organization should establish criteria for determining whether risks can be accepted or not. Risks can be accepted if the risk is low or the cost of treatment is not cost effective for the organization. Such decisions should be recorded.

For each risk identified by the risk assessment, a treatment decision should be made. Possible risk treatment options include:

– applying appropriate safeguards to mitigate risks;

– knowingly and objectively accepting risks, strictly in accordance with the organization's policy and risk acceptance criteria;

– avoiding risks by not permitting the actions that give rise to them;

– sharing the associated risks with other parties, such as insurers or suppliers.

For those risks where the treatment decision is to apply safeguards, appropriate safeguards should be selected and implemented.
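The assessment and treatment steps of the operational stage above (risk analysis, risk evaluation against acceptance criteria, the four treatment options and the cost-proportionality rule), carried through as an added Python example. This is not code from the standard or the article: the 1..5 scales, the acceptance threshold and the register entries are constructed for illustration.

```python
"""Risk assessment and treatment decisions in the terms of ISO/IEC 27000, sec. 3.5.

Added illustration, not part of the standard or the article: the scales, the
acceptance threshold and the sample register entries below are all constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    """The four treatment options named in the standard."""
    MITIGATE = "apply safeguards to reduce the risk"
    ACCEPT = "accept knowingly, within the acceptance criteria"
    AVOID = "avoid by stopping the activity that gives rise to the risk"
    SHARE = "share with another party (insurer, supplier)"


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int           # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int               # 1 (negligible) .. 5 (severe), constructed scale
    annual_loss: float        # anticipated business impact if the threat materializes
    can_avoid: bool = False   # the activity creating the risk can be stopped
    insurable: bool = False   # an insurer or supplier can take the risk over

    def level(self) -> int:
        """Risk analysis: estimate the extent of the risk (likelihood x impact)."""
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be on the 1..5 scale")
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    residual_likelihood: int  # likelihood once the safeguard is in place
    residual_impact: int      # impact once the safeguard is in place


@dataclass(frozen=True)
class Decision:
    treatment: Treatment
    rationale: str
    safeguard: Optional[str] = None


# Risk acceptance criterion (constructed): levels up to this value need no treatment.
ACCEPTANCE_THRESHOLD = 6


def residual_level(sg: Safeguard) -> int:
    return sg.residual_likelihood * sg.residual_impact


def evaluate(risk: Risk, candidates: list[Safeguard]) -> Decision:
    """Risk evaluation plus treatment decision for one register entry."""
    level = risk.level()
    if level <= ACCEPTANCE_THRESHOLD:
        return Decision(Treatment.ACCEPT, f"level {level} is within the acceptance criterion")
    # A safeguard is appropriate only if it brings the risk to an acceptable level
    # and its cost is proportionate to the anticipated business impact.
    effective = [sg for sg in candidates
                 if residual_level(sg) <= ACCEPTANCE_THRESHOLD
                 and sg.annual_cost <= risk.annual_loss]
    if effective:
        best = min(effective, key=lambda sg: sg.annual_cost)
        return Decision(Treatment.MITIGATE,
                        f"level {level} -> {residual_level(best)} at cost {best.annual_cost:.0f}",
                        best.name)
    if risk.can_avoid:
        return Decision(Treatment.AVOID, f"level {level}; no proportionate safeguard, activity can stop")
    if risk.insurable:
        return Decision(Treatment.SHARE, f"level {level}; no proportionate safeguard, risk transferable")
    # Treatment would not be cost-effective: accept, but the decision must be recorded.
    return Decision(Treatment.ACCEPT, f"level {level} above criterion; no cost-effective treatment, record and review")


def treat_register(register: list[tuple[Risk, list[Safeguard]]]) -> list[tuple[str, int, Decision]]:
    """Prioritize the register by risk level and decide a treatment for each entry."""
    ordered = sorted(register, key=lambda entry: entry[0].level(), reverse=True)
    return [(r.asset, r.level(), evaluate(r, sgs)) for r, sgs in ordered]


# Constructed sample register: (risk, candidate safeguards).
SAMPLE_REGISTER = [
    (Risk("customer database", "credential theft", "admin portal without MFA", 4, 5, 500_000.0),
     [Safeguard("enforce MFA on admin portal", 20_000.0, 1, 5)]),
    (Risk("backup tapes in transit", "loss by courier", "tapes unencrypted", 2, 5, 80_000.0),
     [Safeguard("encrypt tapes before shipping", 10_000.0, 2, 1)]),
    (Risk("legacy fax gateway", "denial of service", "unpatched OS", 3, 3, 3_000.0, can_avoid=True),
     [Safeguard("replace gateway", 15_000.0, 1, 3)]),   # effective but not proportionate
    (Risk("hosted web shop", "provider outage", "single hosting provider", 3, 4, 40_000.0, insurable=True),
     []),
    (Risk("paper archive", "fire", "no suppression in archive room", 1, 4, 25_000.0), []),
]

if __name__ == "__main__":
    for asset, level, decision in treat_register(SAMPLE_REGISTER):
        print(f"{level:>2}  {asset:<24} {decision.treatment.name:<8} {decision.rationale}")
```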

Selection and implementation of protection measures

Alexander Astakhov, CISA, 2006

Introduction

For many Russian companies, the time has come to think about security management: their IT infrastructure has reached a level that requires well-established coordination. When building an information security management system (ISMS), experts recommend relying on the international standards ISO/IEC 27001/17799.

The manager is obliged to control the situation in his organization, department, project and in relationships with customers. This means being aware of what is happening, learning about all emergency situations in a timely manner and having an idea of what actions will need to be taken in each case. There are several levels of management in an organization, from top managers to specific performers, and at each level the situation must remain under control. In other words, a management vertical and management processes must be built.

Information security management system - what is it?

Information security management is a cyclical process that includes awareness of the need to protect information and setting goals; collection and analysis of data on the state of information security in the organization; assessment of information risks; planning of risk treatment measures; implementation and operation of appropriate control mechanisms, distribution of roles and responsibilities, training and motivation of personnel, and operational work to implement protective measures; monitoring of the functioning of control mechanisms, assessment of their effectiveness and appropriate corrective actions.

According to ISO 27001, an information security management system (ISMS) is "that part of an organization's overall management system, based on business risk assessment, that creates, implements, operates, monitors, reviews, maintains and improves information security." The management system includes organizational structure, policies, planning, job responsibilities, practices, procedures, processes, and resources.

The creation and operation of an ISMS requires the same approach as any other management system. The process model used in ISO 27001 to describe the ISMS provides for a continuous cycle of activities: plan, do, check, act (PDCA).

Applying the PDCA model to ISMS processes

The process of continuous improvement usually requires an initial investment: documentation of activities, formalization of the risk management approach, definition of analysis methods and allocation of resources. These measures set the cycle in motion. They do not have to be completed before the review stages are activated.

The planning stage ensures that the context and scope of the ISMS are correctly set, information security risks are assessed, and an appropriate plan for treating these risks is proposed. At the implementation stage, in turn, the decisions made at the planning stage are put into practice. The check and act stages reinforce, correct and improve the security solutions that have already been identified and implemented.

Checks can be carried out at any time and with any frequency, depending on the specific situation. In some systems they must be built into automated processes to ensure immediate execution and response. For other processes, a response is required only in the event of security incidents, when changes or additions are made to the protected information resources, or when threats and vulnerabilities change. Annual or other periodic reviews or audits are needed to ensure that the management system as a whole is achieving its objectives.

One of the options for the organizational structure of the ISMS


The management of the organization issues a security policy that introduces the concept of an ISMS and proclaims its main objectives: business continuity management and security management. At the top of the ISMS is the Director of Information Security, who chairs the Steering Committee for Information Security, a collegiate body designed to address strategic issues related to the provision of information security. The Chief Information Officer is responsible for all information security management processes, which include: incident management and security monitoring, change management and security control, security infrastructure (policies, standards, instructions, procedures, plans and programs), risk management, compliance control, and training (awareness program).

Creating such a governance structure is the goal of implementing ISO 27001/17799 in an organization. One of the main principles here is "management commitment". This means that such a structure can only be created by the company's management, which allocates positions, responsibilities and controls the performance of duties. In other words, the organization's management builds an appropriate vertical of power, or rather modifies the existing one to meet the organization's security needs. ISMS can only be created from top to bottom.

Another fundamental principle is the involvement in the process of ensuring information security of all employees of the organization dealing with information resources - "from the director to the cleaner". The lack of awareness of specific people working with information, the lack of an information security training program is one of the main reasons for the inoperability of specific control systems.

No less important is the fact that any planning of information security activities should be based on risk assessment. The absence of risk management processes in the organization leads to inadequacy of the decisions made and unjustified expenses. In other words, risk assessment is the foundation on which a well-proportioned ISMS tree rests.

An equally fundamental principle is “do-it-yourself implementation and support of the ISMS”. The involvement of external consultants at all stages of implementation, operation and improvement of the ISMS is in many cases justified. Moreover, this is one of the control mechanisms described in ISO 17799. However, the creation of an ISMS by the hands of external consultants is impossible by definition, because ISMS is a set of organizational structures formed by the management of an organization and processes implemented by its employees who are properly aware of their responsibilities and trained in information handling and protection skills. ISMS costs a lot of money, but no amount of money can buy experience and knowledge.

Certify or not?

The voluntary certification procedure is used to confirm that the organization's existing ISMS complies with the requirements of the standard and is adequate to the existing business risks. Although one can do without it, in most cases certification fully justifies the investment and time.

Firstly, the organization's ISMS is officially entered in the register of a reputable body, such as the UK Accreditation Service (UKAS), which strengthens the company's image and increases interest from potential customers, investors, creditors and sponsors.

Secondly, as a result of successful certification, the scope of the company's activities is expanded by obtaining the opportunity to participate in tenders and develop business at the international level. In areas most sensitive to the level of information security, such as finance, for example, the presence of a certificate of conformity with ISO 27001 is beginning to act as a mandatory requirement for carrying out activities. Some Russian companies are already facing these restrictions.

It is also very important that the certification procedure has a serious motivating and mobilizing effect on the company's personnel: the level of employee awareness increases, shortcomings and inconsistencies in the information security management system are more effectively identified and eliminated, which in the long term means a reduction in the average statistical damage from security incidents for the organization, as well as reduction of overhead costs for the operation of information systems. It is quite possible that having a certificate will make it possible to insure the organization's information risks on more favorable terms.

As current practice shows, the costs of certification according to BS7799 are in most cases small compared with the organization's overall spending on information security, and the resulting benefits compensate for them many times over.

It should be emphasized that the organization receives all of these benefits only if certification is performed under an internationally recognized certification system that ensures the proper quality of work and the reliability of results.

Preparation for certification

Preparing an organization for ISO 27001 certification is a rather lengthy and laborious process. In general, it consists of six consecutive stages, which are carried out by the organization, usually with the help of external consultants.

At the first stage, a preliminary audit of the ISMS is carried out, during which the current state is assessed, an inventory and documentation of all the main components of the ISMS are carried out, the scope and boundaries of certification are determined, and a number of necessary preparatory actions are performed. Based on the results of the audit, a detailed action plan is developed to prepare for certification.

At the second stage, an information risk assessment is performed, the main purpose of which is to determine the applicability of the controls described in the standard in this particular organization, the preparation of a declaration of applicability and a risk treatment plan.

At the third stage, an analysis of discrepancies with the requirements of the standard is performed, as a result of which the current state of the controls in the organization is assessed and discrepancies with the declaration of applicability are identified.

At the subsequent stages, the missing control mechanisms are planned and implemented, with a strategy and implementation plan developed for each of them. Work on implementing control mechanisms includes three main components: training of the organization's employees (education, training, awareness raising); preparation of ISMS documentation (policies, standards, procedures, regulations, instructions, plans); and preparation of evidence that the ISMS is functioning (reports, protocols, orders, records, event logs, etc.).

At the final stage, preparations for the certification audit are carried out: the state of the ISMS is analyzed, the degree of its readiness for certification is assessed, the scope and boundaries of certification are specified, and appropriate negotiations are held with the auditors of the certification body. Detailed recommendations for establishing an ISMS and preparing for certification are contained in the BSI BIP 0071-0073 series of guidance documents.

Stumbling blocks

In the process of implementing an ISMS, there are many stumbling blocks. Some of them are related to violations of the fundamental principles of security management described above. Serious difficulties for Russian organizations lie in the legislative field. The incompleteness and inconsistency of current Russian legislation, its prohibitive nature in the field of cryptography and in many other areas, and the lack of regulation of the information security certification system seriously complicate the fulfillment of one of the main requirements of the standard: compliance with current legislation.

Difficulties often arise from an incorrect definition of the scope and boundaries of the ISMS. Too broad an interpretation of the scope of the ISMS, for example including all of the organization's business processes in it, significantly reduces the likelihood that the project to implement and certify the ISMS will be completed successfully.

It is equally important to understand where the boundaries of the ISMS lie and how it relates to the organization's other management systems and processes. For example, the information security management system and the organization's business continuity management (BCM) system closely intersect: the latter is one of the 11 information security control areas defined by the standard. However, the ISMS includes only that part of BCM that is related to information security, namely the protection of the organization's critical business processes from major failures and accidents of information systems. Other aspects of BCM are outside the scope of the ISMS.

The standard as a guarantee of security

Today, the work of any serious and efficient company that aims to be successful is necessarily based on modern information technologies. Therefore, companies of any size should pay attention to information security management standards. As a rule, information security management becomes more relevant the larger the company, the wider the scale of its activities and its ambitions for development, and consequently the higher its dependence on information technology.

The use of the international information security management standards ISO 27001/17799 makes it possible to significantly simplify the creation, operation and development of an ISMS. Regulatory requirements and market conditions force organizations to apply international standards when developing information security plans and policies, and to demonstrate their commitment through information security audits and certification. Compliance with the requirements of the standard provides a certain guarantee that the organization has a basic level of information security, which has a positive impact on the company's image.

VOLUNTARY CERTIFICATION SYSTEM

"COMMUNICATION - EFFICIENCY"

ROSS RU.M821.04FBG0

Information security management system "Basic level of information security of telecom operators"

Requirements, program and methodology of certification tests

1 Introduction

2 Scope

4.2. Requirements for operator policies

4.3. Requirements for functionality

4.4. Interoperability requirements

5 Certification testing program

5.1. Test object

5.2. Test objective

6 Procedure for conducting certification tests

6.1. Test conditions

6.2. Test method

1. Introduction

The requirements for the Information Security Management System "Basic Level of Information Security of Telecom Operators" (hereinafter referred to as the Requirements) define a basic level of information security which each operator can use to assess the state of its network and information security, taking into account which security standards are relevant, which of them should be used, when they should be used and how they should be applied. In addition, the document describes the readiness and ability of the telecom operator to interact with other operators, users and law enforcement agencies in order to jointly counter threats to information security.

The Requirements are a minimum set of recommendations, the implementation of which will guarantee an adequate level of information security for communication services, while ensuring a balance of interests among operators, users and the regulator.

The program and methodology define all types, conditions, scope and methods of certification tests of the basic level of information security of telecom operators.

This document can be used for cases where the telecom operator:

    needs to demonstrate its ability to provide communication services that meet the established requirements;

    aims to demonstrate to cooperating telecom operators the ability and readiness to jointly counter threats to information security.

2 Scope

These Requirements, program and methodology are developed in accordance with the Regulations on the voluntary certification system "Communication - Efficiency" and are based on the Recommendation of the standardization sector of the International Telecommunication Union (ITU-T), X Series, Annex 2, "ITU-T X.800-X849 Series - Annex on the basic level of information security of telecom operators".

These Requirements, program and methodology have been developed for the voluntary certification system and are intended for telecom operators, certification centers and laboratories during the voluntary certification of the Information Security Management System "Basic level of information security of telecom operators" in the voluntary certification system "Communication - Efficiency".

3 Normative references, definitions and abbreviations

3.1. References to the following regulatory documents are used in these Requirements, the program and methodology:

    Federal Law of July 27, 2006 No. 149-FZ "On Information, Information Technologies and Information Protection".

    Information Security Doctrine of the Russian Federation dated September 9, 2000, No. Pr-1895.

    Rules for the connection of telecommunication networks and their interaction (approved by Decree of the Government of the Russian Federation of March 28, 2005, No. 161).

    GOST R 50739-95 Computer facilities. Protection from unauthorized access to information. General technical requirements.

    GOST R 52448-2005 Information security. Ensuring the security of telecommunication networks. General provisions.

    GOST R ISO/IEC 15408-2002 Information technology. Methods and means of ensuring security. Criteria for evaluating information technology security.

    GOST R ISO/IEC 27001-2006 Methods for ensuring information security. Information security management systems. Requirements.

    OST 45.127-99. Information security system of the Interconnected communication network of the Russian Federation. Terms and Definitions.

    International Telecommunication Union standardization sector (ITU-T) Recommendation, X Series, Annex 2, "ITU-T X.800-X849 Series - Annex on the basic level of information security of telecom operators".

3.2. In these Requirements, program and methodology, terms corresponding to the definitions of the Federal Law "On Communications" are used, and the following terms and abbreviations are additionally defined:

Account - a personal user account in an information system or software, including the user name (login), the user's secret authentication data (password) and other information necessary to gain access.

Antivirus software - special software designed to detect and deactivate (block) malicious code specially created to violate the integrity, availability and confidentiality of data.

Denial of service attack - a deliberate impact on an information system or equipment in order to create conditions under which legitimate users cannot access the resources provided by the system or equipment, or such access is made difficult.

Information security of the telecom operator - the state of protection of the telecom operator's information resources and the infrastructure supporting them from accidental or intentional impacts of a natural or artificial nature that may cause damage to the telecom operator or to users of communication services; it is characterized by the ability to ensure the confidentiality, integrity and availability of information during its storage, processing and transmission.

License agreement - an agreement between the owner of the software and the user of its copy.

Telecom operator - a legal entity or an individual entrepreneur providing communication services on the basis of an appropriate license.

Operator security policy - a set of documented security policies, procedures, practices or guidelines to be followed by a telecom operator.

Service provider - a legal entity engaged in the provision (delivery) of communication services of a certain type to a subscriber and ensuring the coordinated use of the network capabilities associated with these services.

Spam - unsolicited correspondence transmitted electronically (as a rule, by e-mail).

Risk management - the process of identifying, controlling, reducing or completely eliminating (at an acceptable cost) information security risks that may affect the telecom operator's information systems and the infrastructure supporting them.
