
Our lives are constantly becoming more complicated in every area: new and previously unseen approaches, technologies and assets keep appearing. For modern large enterprises, information assets play an important role. What are they?

General information

Before proceeding to the main topic, let's cover the necessary theoretical minimum, namely information itself. It is one of the most important production assets, on which the efficiency and viability of the enterprise largely depend. It may be the secret of making a certain product, or internal financial data. Any more or less large organization has its own information assets that it very much does not want to fall into third-party hands. Storage and security issues are therefore acute.

About general concepts

To successfully deal with all the data presented, you need to know a few things:

  1. Information asset. Data with details that allow it to be identified. It has value for a certain organization and is at its disposal. It is presented on some tangible medium in a form that allows it to be processed, stored or transmitted.
  2. Classification of information assets. The division of the organization's data into types corresponding to the severity of the consequences that arise from the loss of their important properties.

As you can see, not only individual numbers and their explanations matter, but also the ability to use them quickly, protection against unauthorized access, and a number of other points. Once an enterprise's information assets are identified and formed, the question of their correct classification and subsequent security becomes acute. Why exactly? With the help of classification, key metrics can be drawn up for the information used: its value, its power of influence on the enterprise, requirements for its provision, maintenance and protection, and the like. How the data will be processed and protected largely depends on this. In addition, a number of regulatory standards provide for a mandatory inventory of an organization's information assets, although there is no single procedure for this.

A little about the classification for enterprises

The approach to data depends on the conditions in which, and with what, we are dealing. Consider information assets using the example of a private enterprise. Classification is carried out to provide a differentiated approach to data, taking into account the level of its criticality, which affects the activity, reputation, business partners, employees and customers. This makes it possible to determine the economic feasibility and priority of the various measures that form the enterprise's information security. In accordance with the legislation of the Russian Federation, there are:

  1. Public (open) information.
  2. Personal data.
  3. Information constituting banking secrecy.
  4. Data related to trade secrets.

How to evaluate their importance? For this, special models are used. Let's take a closer look at them.

Classification models

The two most common are:

  1. One-factor classification. Based on the extent of the damage. Everything is simple here. Consider a small example. Information system assets are divided into four blocks depending on the degree of possible damage in case of data leakage: minimum, then medium, high and finally critical. If an indefinite circle of people knows whom the director is receiving in his office today, this can be classified as the minimum type of damage. But if information about bribing a government official leaks to the prosecutor's office, this is a critical situation.
  2. Multifactor classification model. Based on three classic parameters. In this case, all information is considered in terms of confidentiality, availability and integrity. For each property, the requirements are set separately: high, medium or low. Together, they are evaluated as, for example, critical or basic importance.

About classes

To make the assessment of information assets as efficient as possible and shifted from quantity to quality, you can introduce classes that will reflect the value of the data and the level of requirements for it. In such cases, they usually distinguish:

  1. Open class. In this case, there are no restrictions on distribution and use, and there is no financial damage from disclosure.
  2. For administrative use. For use within an organization. There is no financial damage. But there may be other types of losses for employees of the organization or the entire structure.
  3. Confidential. It is intended to be used within the organization, when working with clients and contractors. Disclosure will bring financial damage.

About sensitive data

Such information can be conditionally divided into several categories. The first two are used in commercial structures, the rest, as a rule, exclusively by the state:

  1. With limited access. Intended for use by a certain circle of the organization's employees. Financial damage is usually estimated at up to a million rubles.
  2. Secret. Intended for use exclusively by certain members of the organization's leadership. Financial damage usually starts from a million rubles.
  3. Top secret. Data from the military, economic, foreign policy, intelligence, scientific and technical fields and operational-search activities, the disclosure of which may harm a ministry or a sector of the economy in one or more of the listed areas.
  4. Of particular importance. Data from the military, economic, foreign policy, intelligence, scientific and technical fields and operational-search activities, the disclosure of which can cause significant damage to the Russian Federation in one or more of the listed areas.

How are information assets processed?

Let's look at one of the possible algorithms:

  1. Identify the information assets that exist in any form (electronic and paper documents, data streams, flash drives, etc.) and circulate between departments of the organization. All of this is collected and refined, and a large scheme is built on which everything is displayed.
  2. Do the same in relation to each individual unit.
  3. Tie the information assets to the infrastructure in which they are stored, noting through which channels they are transmitted, where and in which systems they are contained, and so on. There is one important point here: this step is carried out for each individual information asset. Its entire environment is drawn (the more detailed, the better, because it will be easier to identify threats), including transmission ports, channels, and so on.
  4. Take all the results and reclassify them using characteristics such as confidentiality, availability and integrity.
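The classification models above and the four-step processing algorithm, written out as an added example (mine, not the article's): it validates that each asset has been tied to its infrastructure, derives importance from the C/I/A ratings, assigns the commercial sensitivity category from the ruble thresholds the article gives, and orders assets for protection measures. The "any high rating is critical", "zero damage is open" and priority-by-CIA-sum rules are my assumptions; the sample inventory is constructed.

```python
"""Added example, not from the original article: the classification models
and the asset-processing algorithm described above, written out so that an
inventory is classified the same way every time.

Rules taken from the article: the one-factor model has four damage levels
(minimum, medium, high, critical); the multifactor model rates
confidentiality, integrity and availability as high/medium/low and yields
"critical" or "basic" importance; "limited access" data carries an estimated
financial damage of up to a million rubles and "secret" data from a million
upward. Assumptions of mine: one "high" rating makes an asset critical, the
open class is the one with no financial damage, and protection priority is
the sum of the three CIA ranks, ties broken by the one-factor damage level."""

from __future__ import annotations
from dataclasses import dataclass

DAMAGE_LEVELS = ("minimum", "medium", "high", "critical")   # one-factor model
REQ_RANK = {"low": 0, "medium": 1, "high": 2}               # multifactor inputs
CIA = ("confidentiality", "integrity", "availability")


@dataclass
class Asset:
    name: str
    unit: str                   # department that owns it (algorithm steps 1-2)
    stored_in: str              # system or medium holding it (step 3)
    channels: tuple = ()        # channels/ports it travels over (step 3)
    confidentiality: str = "low"
    integrity: str = "low"
    availability: str = "low"
    damage: str = "minimum"     # one-factor model input
    est_damage_rub: int = 0     # estimated financial damage on disclosure


def validate(asset: Asset) -> list[str]:
    """Check that step 3 was done (asset tied to infrastructure) and that
    every rating uses a value the models define."""
    problems = []
    for attr in CIA:
        if getattr(asset, attr) not in REQ_RANK:
            problems.append(f"{asset.name}: {attr} must be low/medium/high")
    if asset.damage not in DAMAGE_LEVELS:
        problems.append(f"{asset.name}: damage must be one of {DAMAGE_LEVELS}")
    if not asset.stored_in:
        problems.append(f"{asset.name}: not tied to the infrastructure that stores it")
    return problems


def importance(asset: Asset) -> str:
    """Multifactor model: any 'high' requirement makes the asset critical."""
    return "critical" if any(getattr(asset, a) == "high" for a in CIA) else "basic"


def sensitivity_category(asset: Asset) -> str:
    """Commercial categories of sensitive data by estimated financial damage."""
    if asset.est_damage_rub >= 1_000_000:
        return "secret"
    if asset.est_damage_rub > 0:
        return "limited access"
    return "open"


def protection_priority(assets: list[Asset]) -> list[str]:
    """Asset names ordered by how urgently protection measures are needed."""
    def key(a: Asset):
        cia = sum(REQ_RANK[getattr(a, attr)] for attr in CIA)
        return (-cia, -DAMAGE_LEVELS.index(a.damage), a.name)
    return [a.name for a in sorted(assets, key=key)]


def classify_inventory(assets: list[Asset]) -> dict[str, dict]:
    """Step 4 of the algorithm: reclassify each asset by C/I/A and attach
    the one-factor and sensitivity results to its infrastructure record."""
    return {a.name: {"importance": importance(a), "damage": a.damage,
                     "category": sensitivity_category(a), "unit": a.unit,
                     "stored_in": a.stored_in, "channels": list(a.channels)}
            for a in assets}


# Constructed sample inventory (not from the article).
SAMPLE_INVENTORY = [
    Asset("Director's daily schedule", "Secretariat", "mail server calendar",
          availability="medium"),
    Asset("Payroll database", "Accounting", "1C server", ("SMB share", "backup tape"),
          confidentiality="high", integrity="high", availability="medium",
          damage="high", est_damage_rub=800_000),
    Asset("Product recipe", "R&D", "file server", ("SMB share",),
          confidentiality="high", integrity="medium", damage="critical",
          est_damage_rub=5_000_000),
]

if __name__ == "__main__":
    for a in SAMPLE_INVENTORY:
        assert not validate(a)
    for name, record in classify_inventory(SAMPLE_INVENTORY).items():
        print(name, record)
    print("priority:", protection_priority(SAMPLE_INVENTORY))
```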

Life cycle

This is the path this valuable asset travels before its classification. Information security, believe me, plays a significant role and should not be neglected. At the same time, considerable attention must be paid to the life cycle. What is it? The life cycle is a set of certain periods, after each of which the importance of the object, as a rule, decreases. Conventionally, the following stages can be distinguished:

  1. Information is used in operational mode. This means that it takes part in the production cycle and is constantly in demand.
  2. The information is used in archival mode. This means that it is not directly involved in the production cycle, although it is periodically required to perform analytical or other activities.
  3. The information is stored in archive mode.

That, perhaps, is all. It does not matter what data is stored, an asset information base or something else. The main thing is to ensure confidentiality, availability and integrity. Then you will not have to worry about your reputation or count losses.

In this article, we tried to describe the problem of protecting information assets from an attack from inside the network and give recommendations for preventing the theft of an enterprise's intellectual property. The utility we tested made it possible to put into practice theoretical statements about the security of information within the company.

Introduction

One of the most important reasons for creating a computer security policy is the belief that the money spent on security will help the company protect more valuable information.

Nowadays, the business of companies is directly tied to information technology; for many, information itself is the main means of earning money. Needless to say, like any tangible asset, information assets need to be protected. The high professionalism of attackers and its absence among users does not speak in favor of the level of information protection, and leaves your company, and your entire business, vulnerable. Unfortunately, this is only part of the problem that the security department and the system administrator have to solve. According to a 2003 Ernst & Young study, malware and employee misconduct caused companies the greatest damage. You can never be one hundred percent sure that an employee working with valuable information will not steal or destroy it. According to RFC 2196, information assets are subject to the following threats:

1. Unauthorized access to resources and/or information

Very often, data is much easier to access from inside the network than from outside. Many administrators protect their network from unknown intruders with intrusion detection systems and firewalls, forgetting that the users of their own network can do far more damage to information assets.

2. Unintentional and/or wrongful disclosure of information

Here we are talking about users who can accidentally or deliberately reveal important information about security policy to an attacker or even transfer confidential data into the hands of crackers.

3. Denial of Service

Bringing an asset to a non-working state through unintentional or deliberate actions of users (deletion or damage of a file, or of several files of a shared database).

Let's look at the options for protecting against these threats in more detail.

  1. Addressed at the ACL level. A security policy is developed that defines which information resources users may access and what level of access each user has to a resource.
  2. Comprehensive measures in relation to protected information. This point is considered later.
  3. Data backup. This process is resource-intensive, but worth it!

In this article, we will consider the second threat, since it is from this threat that information assets are most difficult to protect.

To protect information assets, a combination of measures is used:

  • control over data transmitted over the network
    hardware: sniffers, routers, switches
    software: sniffers, content filters, intrusion detection systems
  • control over the use of information assets
    hardware: video surveillance, audio monitoring, etc.
    software: keyloggers, monitoring systems, etc.
  • control of removable media, printers, copiers
    hardware
    software

Understanding the incident

  1. An attempt to increase privileges on the system in order to take possession of one or another information asset
  2. Attempt of unauthorized access to information assets
  3. Attempted damage or theft of information assets
  4. Disclosure of important information

For the system administrator and security officer, understanding the incident and having a policy to protect against it are the most important means in the fight for information resources of the enterprise.

Users who work with important information are objects of observation for the security service. Control over users' mail messages, Internet usage and attempts to access resources can be carried out using various sniffers, intrusion detection systems, all kinds of log files, etc. But how do you identify an intruder who is trying to steal information assets by writing them to removable media? Auditing files and folders does not detect the simple operation of copying the contents of a secret file into a new one.

Information theft protection. DeviceLock.

This article discusses the solution for protecting information assets using the DeviceLock utility.

SmartLine's DeviceLock utility allows you to control access to various devices in the system: floppy drives, magneto-optical disks, CD-ROM, ZIP, USB, FireWire, serial and parallel ports, WiFi and Bluetooth adapters, etc.

Software Features:

Version: 5.52

Platforms: Windows NT 4.0/2000/XP/2003

Remote control: Yes

Remote Install: Yes

Interaction with Active Directory: Yes

Usually, computers are bought with standard hardware, which includes USB ports, a CD-ROM or CD-RW drive, serial and parallel ports, etc., which allows the user to easily copy information with one of these devices. This can be dealt with by both hardware and software means; the latter is preferable, since an access policy for such resources often has to be created for each individual user.

1. Installation

The utility supports three types of installation: conventional installation with a graphical interface, installation using Microsoft Systems Management Server (SMS), installation from the command line.

To install using Microsoft Systems Management Server, you should use the files that are in the sms.zip archive of the distribution.

Installation using the command line:

For this type of installation, it is important that the devicelock.ini configuration file is located in the same directory as the setup.exe file.

Devicelock.ini file syntax:

Key            Parameter              Description
Floppy         1 or 0                 Denies access to all floppy drives
Removable      1 or 0                 Denies access to all removable media
CDROM          1 or 0                 Denies access to all CD-ROM devices
Serial         1 or 0                 Denies access to all serial ports
Parallel       1 or 0                 Denies access to all parallel ports
Tape           1 or 0                 Denies access to all tape drives
USB            1 or 0                 Denies access to all USB devices
IRDA           1 or 0                 Denies access to all IrDA devices
FireWire       1 or 0                 Denies access to all IEEE 1394 ports
Bluetooth      1 or 0                 Denies access to all Bluetooth adapters
WiFi           1 or 0                 Denies access to all WiFi adapters
CreateGroups   1 or 0                 Creates local groups for each device type
AccessTo...    user or group name     Grants that user or group full access to the given device type
CtrlUSBHID     1 or 0                 Controls USB ports for keyboards, mice, etc.
CtrlUSBPrint   1 or 0                 Controls USB ports for printers and scanners
CtrlUSBBth     1 or 0                 Controls USB Bluetooth adapters
CtrlFWNet      1 or 0                 Controls USB and FireWire network adapters
Service        1 or 0                 Installs the DeviceLock Service
Manager        1 or 0                 Installs the DeviceLock Manager
Documents      1 or 0                 Installs the program documentation
InstallDir     path to directory      Installation directory
RegFileDir     path to file           Path to the license key file
Run            path to file           Launches the application if the installation succeeds

Example devicelock.ini configuration file:

;Configuration for installing DeviceLock on user computers:
AccessToFloppy=Domain\privileged
AccessToRemovable=Domain\privileged
AccessToCDROM=Domain\privileged
AccessToUSB=Domain\privileged
InstallDir=C:\Program files\devicelock\
RegFileDir=C:\RegistrationKey\xxxxxx

To install the program in this mode, run setup.exe with the /s (silent) switch:

D:\Distributives\DeviceLock\setup.exe /s
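Because a silent install reads devicelock.ini without any dialog to catch mistakes, it is worth checking the file against the key table before rolling it out. The validator below is an added example (mine, not part of the article or of the DeviceLock distribution); it assumes keys match case-insensitively, treats keys absent from the table as errors, and accepts AccessTo values in the DOMAIN\name form the article uses.

```python
"""Added example; it is not part of the original article or of the DeviceLock
distribution. It validates a devicelock.ini against the key table above, so a
silent-install file can be checked before it is rolled out with setup.exe /s,
and it renders a checked configuration back into file form.

Assumptions of mine: keys match case-insensitively (usual for INI files),
unknown keys are errors rather than passed through, the "1 or 0" keys accept
only those two literals, and AccessTo values are DOMAIN\name or bare names."""

import re

# Device types from the table: each has a deny-all flag and an AccessTo<Device> key.
DEVICE_KEYS = ("Floppy", "Removable", "CDROM", "Serial", "Parallel", "Tape",
               "USB", "IRDA", "FireWire", "Bluetooth", "WiFi")
# Other "1 or 0" keys from the table.
FLAG_KEYS = ("CreateGroups", "CtrlUSBHID", "CtrlUSBPrint", "CtrlUSBBth",
             "CtrlFWNet", "Service", "Manager", "Documents")
# Keys whose value is a path.
PATH_KEYS = ("InstallDir", "RegFileDir", "Run")

# Canonical spelling of every known key, looked up by its lower-cased form.
_CANON = {k.lower(): k for k in DEVICE_KEYS + FLAG_KEYS + PATH_KEYS}
_CANON.update({f"accessto{d.lower()}": f"AccessTo{d}" for d in DEVICE_KEYS})

# Account form used in the article's example (Domain\privileged) or a bare name.
_ACCOUNT_RE = re.compile(r"^(?:[A-Za-z0-9._-]+\\)?[A-Za-z0-9 ._$-]+$")
# Absolute Windows path, e.g. C:\Program files\devicelock\
_WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_devicelock_ini(text):
    """Return (config, errors): config maps canonical key -> value string,
    errors lists problems with line numbers. Empty errors means acceptable."""
    config, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank line or comment
        if "=" not in line:
            errors.append(f"line {lineno}: expected Key=Value, got {line!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        canon = _CANON.get(key.lower())
        if canon is None:
            errors.append(f"line {lineno}: unknown key {key!r}")
            continue
        if canon in config:
            errors.append(f"line {lineno}: duplicate key {canon}")
        if canon in DEVICE_KEYS or canon in FLAG_KEYS:
            if value not in ("0", "1"):
                errors.append(f"line {lineno}: {canon} must be 1 or 0, got {value!r}")
        elif canon.startswith("AccessTo"):
            if not _ACCOUNT_RE.match(value):
                errors.append(f"line {lineno}: {canon} needs a user or group name, got {value!r}")
        elif not _WIN_PATH_RE.match(value):
            errors.append(f"line {lineno}: {canon} must be an absolute Windows path, got {value!r}")
        config[canon] = value
    return config, errors


def render_devicelock_ini(config, comment=None):
    """Write a config dict back out in a fixed key order, with an optional
    leading ';' comment line, ready to be placed next to setup.exe."""
    order = (list(DEVICE_KEYS) + [f"AccessTo{d}" for d in DEVICE_KEYS]
             + list(FLAG_KEYS) + list(PATH_KEYS))
    lines = [f";{comment}"] if comment else []
    lines += [f"{key}={config[key]}" for key in order if key in config]
    return "\n".join(lines) + "\n"


# The article's own example file, typed here as a test input.
EXAMPLE_INI = r"""
;Configuration for installing DeviceLock on user computers:
AccessToFloppy=Domain\privileged
AccessToRemovable=Domain\privileged
AccessToCDROM=Domain\privileged
AccessToUSB=Domain\privileged
InstallDir=C:\Program files\devicelock\
RegFileDir=C:\RegistrationKey\xxxxxx
"""

# A constructed faulty file: a non-boolean flag, a key not in the table, a relative path.
BROKEN_INI = "USB=yes\nAccessToPrinter=Domain\\ops\nInstallDir=devicelock\n"

if __name__ == "__main__":
    cfg, errs = parse_devicelock_ini(EXAMPLE_INI)
    print("example file:", "OK" if not errs else errs)
    print(render_devicelock_ini(cfg, comment="generated copy"))
    print("broken file:", parse_devicelock_ini(BROKEN_INI)[1])
```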

Unfortunately, during the installation process, the utility allows you to create only local user groups. If you have a domain network, it is much more convenient to create groups for the entire domain. To do this, use the Active Directory Users and Computers snap-in: dsa.msc or the net group utility.

2. Usage. Program capabilities.

For the program to function properly, the following ports must be open on the machines on your network:

  • Port 135 (TCP) - for the RPC service
  • Port 137 (UDP) - for NetBIOS Name Service
  • Port 138 (UDP) - for NetBIOS Netlogon and Browsing service
  • Port 139 (TCP) - for NetBIOS session service (NET USE)
  • Ports above 1024 (TCP) - for the RPC service

Using the DeviceLock manager, the utility is installed on the required machines on the network by double-clicking on the object. Management is carried out centrally from the machine on which the manager is installed.

Access policies for a specific device are defined using the Permissions dialog box, which is invoked by double-clicking the left mouse button on the device or via the File->Set Permissions menu.

The utility allows you to manage access for both groups and individual users. Possible types of device access:

It is also possible to manage user access to devices over time.

Allow Eject permissions are valid only for programmatic ejection of the media from the device, therefore, in our opinion, there is no special need for such a rule, since the user can always press the drive button and remove or insert the media.

Note that an access policy is assigned to an entire device class, not to a single device. That is, if there are two CD-ROM devices on the machine, it is not possible to create different permissions for each device for one user.

The program allows you to simultaneously create policies for a specific type of device on all computers in the network. To do this, use the Batch Permissions dialog box (File->Batch Permissions).

Benefits of the program:

1. Allows you to create device access rules, which makes it indispensable in an environment where tight control over information assets is required

2. Easy to handle

3. Does not require large resources to work

Disadvantages:

1. Slightly awkward interface

2. It would be nice to set permissions for each device, and not for a group of devices. For example, a virtual CD-ROM and a physical one are recognized as the same device group, which prevents some users from being denied read access to the physical device.

Conclusion

In this article, we tried to describe the problem of protecting information assets from an attack from inside the network and give recommendations for preventing the theft of an enterprise's intellectual property. The utility we tested made it possible to put into practice theoretical statements about the security of information within the company.

Objective.

Analysis of information resources used by the company and development of the conceptual framework for activities to ensure corporate information security.

Tasks.

1. Establish a range of information resources and evaluate their significance for the company as a whole and its structural divisions.

2. Identify the types and varieties of secrets that are used in the company's activities.

3. Assess information security risks.

Formatting and submission requirements.

1. Font Arial 10, single spacing, standard margins. The pages of the work should be numbered at the top. Document format: MS Office.

2. Works in electronic form are sent to the instructor's e-mail:
[email protected]
The subject of the letter is "Information security laboratory / student's full name - group". In the body of the letter, duplicate the full name and group.

3. Deadline for submission of the laboratory workshop: November 2. Workshops submitted after this deadline will not be counted. If submissions with matching text are identified, none of them is counted.

Exercise 1.

Description of the company and its structural divisions

1. Specify the name of the company and the address of its corporate website.

2. Give a description of the company's activities, its directions and business goals.

3. Describe the main performance indicators of the company that characterize its scale (5-6 indicators), and give their numerical values for a certain period or date.

4. In MS Visio or another graphical editor, draw up a functional block diagram of the company in the selected option. Detailing to the level of departments.

5. Build a diagram that characterizes the architecture of the company's IT network, its software and hardware components.

If you are having difficulty selecting a company for analysis, use the list of companies in Appendix 1 at the end of the file.

Description of the company should not take more than 1 page.

Task 2.

Definition of the nomenclature of information assets

a. Determine the basic vulnerabilities and threats in the field of information security for the company's activities.

b. For each structural unit, define information assets. Fill in Table 1.

Table 1

To complete this paragraph, you must carefully read paragraph 5 of the GOST R ISO / IEC 17799-2005 standard (Appendix 2). At least three assets.


Task 3.

Determination of the nomenclature of types and varieties of secrets

a. Determine the list of information that is used in the activities of the company and form secrets of various types and varieties.

b. For each type (variety) of secrets, fill in Table 2. The first line of the table shows a conditional example.

Table 2

Kind (variety) of secret | Content of the information constituting the secret | Which information asset holds the corresponding data | Number of users (P), workplaces (WP), branches (F) involved in processing the confidential information | Most significant DFs for each item (in descending order of importance) | Media on which the data is distributed
Personal data | Employee information | 1C database | Human Resources Department: 2P, 2WP; Accounting: 2P, 1WP | | 

A minimum of THREE secrets must be listed. For each secret, SPECIFIC DFs and media must be indicated.

Task 4.

For information assets, define:

  • conditions of reconnaissance contact (indicate specific conditions);
  • methods of access to the extracted information (define specific methods);
  • methods of obtaining information remotely (list specific methods);
  • the zone in which the asset should be located (specify the specific zone).

Fill in Table 3.

Table 3


Task 5

Determine the most dangerous channels of information leakage, methods and means of counteracting leakage. Fill in Table 4. Specify specific channels, ways and means. Abstract recommendations (to be attentive, careful, prudent, etc.) do not count.

Table 4

Scoring:

  • for a correctly and completely filled Table 1 - 7 points;
  • for a correctly and completely filled Table 2 - 8 points;
  • for a correctly and completely filled Table 3 - 12 points;
  • for a correctly and completely filled Table 4 - 11 points;
  • for the completed Task 1 - 2 points (awarded if at least two tables are filled).


Appendix 1

Company options:


1. Moscow Financial and Industrial University "Synergy".

2. The company is engaged in the retail trade of multimedia products

3. The company is engaged in the provision of logistics services

4. The company is engaged in educational activities

5. The company is engaged in the production of furniture

6. The company is a tour operator

7. The company is engaged in the provision of services in the field of health care activities

8. The company develops information security tools

9. The company is engaged in the manufacture of printing products

10. The company provides cash collection services for retail outlets

11. The company develops and maintains industry software

12. The company is engaged in film distribution

13. The company is engaged in book publishing

14. The company is engaged in the release of magazines (Publishing house)

15. The company provides Internet access and IP telephony services

16. The company develops and administers websites

17. The company is engaged in the manufacture of POS-terminals

18. The company is engaged in booking hotels in Russia

19. The company is engaged in booking and delivery of railway and air tickets.

20. The company is engaged in the localization of software products

21. The company is engaged in replication of optical discs


Appendix 2

Classification of assets related to information systems

The asset description provides assurance that assets are being effectively protected and may also be required for occupational safety, insurance, or financial (asset management) purposes. The asset inventory process is an important aspect of risk management. An organization should be able to identify its assets based on their relative value and importance. Based on this information, the organization can provide the desired levels of protection appropriate to the value and importance of the assets. Inventories should be developed and maintained for important assets associated with each information system. Each asset must be clearly identified and classified in terms of security, its owners must be authorized, and their data must be documented. In addition, the actual location of the asset must be indicated (this is important in the case of recovering assets from loss or damage). Examples of assets related to information systems are:

Information assets: databases and data files, system documentation, user manuals, educational materials, procedures for operation or support (maintenance), plans to ensure the continuity of the functioning of information support, procedures for dealing with failures, archived information;

Software assets: application software, system software, development tools and utilities;

Physical assets: computer equipment (processors, monitors, laptop computers, modems), communication equipment (routers, private automatic telephone exchanges with access to the public network, fax machines, answering machines), magnetic media (tapes and disks), other technical equipment (power supplies, air conditioners), furniture, premises;

Services: computing and communication services, basic public utilities, e.g. heating, lighting, electricity, air conditioning.

Let us briefly consider the modern problems of asset identification and external assessment (certification) of information security management systems (ISMS) in accordance with the requirements of GOST R ISO / IEC 27001 and STO Gazprom series 4.2. When implementing only the requirements of STO Gazprom series 4.2, there may be omissions in the process of analyzing information security (IS) risks, fragmentary identification and evaluation of only part of the assets, namely the objects of protection (OP), and subsequently, when choosing an adequate list of measures (means) to ensure information security

UDC 004.94

Methodology for determining assets during the implementation and certification of ISMS in accordance with the requirements of GOST R ISO / IEC 27001-2006 and STO Gazprom series 4.2

I.I. Livshits, Ph.D., Leading Engineer, Gazinformservis LLC

Keywords

Information security (IS); information security management system (ISMS); information security system (ISIS); object of protection (OZ); audit; PDCA cycle; risk management.

Keywords (English):

Information Security (IT-Security); Information Security Management System (ISMS); Information security providing system (ISPS); object protection (ObP); audit; PDCA cycle; risk management.

Abstract

This publication briefly discusses current issues in the identification of assets and certification of information security management systems (ISMS) in accordance with the requirements of the GOST R ISO / IEC 27001 series and the industry standards of the STO Gazprom Information Security System series 4.2 (ISMS). An approach to the formation of models and methods for detecting, identifying and classifying information security (IS) threats to protected assets of various types is proposed. The main attention is paid to the difficulties in combining the requirements of two different standardization systems (GOST R ISO / IEC and IS Maintenance System), which can cause difficulties in identifying and evaluating ISMS assets, as well as in planning and successfully conducting a certification audit.

This issue covers briefly the current problems of asset identification and certification of the information security management systems (ISMS) in accordance with the requirements of GOST R ISO/IEC 27001 series of standards and industry information security providing system STO Gazprom series 4.2 (ISPS). Proposed approach providing development of models and methods for detection, identification and classification of threats to breach information security (IS) for different types assets. Focuses on the difficulties in reconciling the requirements of two different systems for Standardization (ISMS and ISPS), which can cause difficulties in the identification and evaluation of assets ISMS, as well as in the planning and successful certification audit.

Introduction

The problem of implementing an effective ISMS in accordance with the requirements of the GOST R 27001 series is quite well known. The requirements for conducting audits of management systems (MS) are set out in a well-known standard. In a number of sources (www.snti.ru/snips_sto51.htm, s3r.ru/2010/10/standardy/Gazprom, txcom.ru/gazpro) IS Maintenance System standards are available, which basically contain a number of the requirements of these standards. Objectively, there are differences in the ISMS requirements that may hinder the successful implementation of the ISMS (for example, differences in the concepts of "asset" and "object of protection") and the conduct of a successful independent assessment (certification) according to the requirements of the basic "certification" standard. If the top management of an organization decides to prepare an existing ISMS for a certification audit, it seems necessary to analyze the ISMS requirements and decide on a set of measures that should be taken to ensure compliance with them. To implement the controlled conditions of this process, a method for identifying and evaluating assets, which has passed practical approbation, is proposed.

Consideration of differences in the identification and evaluation of assets (objects of protection) of the ISMS

For a number of organizations, it is quite natural to accept industry requirements "as is", and the introduction of additional standards requires a separate decision of top management. This circumstance is not extraordinary, because, firstly, it is stated in the preamble of almost all international standards (ISO) and their Russian GOST R translations, secondly, it is a function of the formation of added value and, thirdly, it is confirmed by world ISO certification statistics. Accordingly, if such a decision is made, to implement a specific national or international standard, the organization is forced to perform a comparison ("mapping") of its processes, which were initially implemented only to meet specific industry requirements. At the same time, omissions (incompleteness) are possible when analyzing the risks of IS violations, as well as an insufficiently complete study of the vulnerabilities of information processing processes in the AS. The situation may have more serious consequences if a specific industry system (in particular, the IS Maintenance System) was originally created on the basis of foreign standards (for example, the BS 7799 series) but, for a number of reasons, was not updated when the relevant standards or applicable laws (regulations) changed. In particular, the IS Maintenance System standard contains a reference to the repealed Federal Law N 1-FZ "On Electronic Digital Signature" (see http://base.garant.ru/), and the IS Maintenance System standard contains a reference to the withdrawn BS 7799:3-2006 standard (see http://www.standards.ru/document/3858996.aspx), as of the date of preparation of the publication.

At the same time, there are methods based on ISO standards that take into account the basic requirements for information security risk management, describing in sufficient detail practical implementation the requirements of both the basic "certifying" standard and the target standard for information security risk management. The use of this methodology contributes to obtaining numerical assessments of IS risks and, in general, possibly successful certification of the ISMS for compliance with the standard.

For the purposes of this publication, two main fundamental differences are considered which, in the author's opinion, can have critical consequences for creating and successfully certifying an ISMS for compliance with the requirements of the standard. These inconsistencies can lead to the "mothballing" of the idea of creating an IS Maintenance System and to the loss of an important advantage of any successfully implemented management system (MS): adequate support for the fulfilment of business goals. The second negative consequence of the identified differences, which is of measurable significance, is the additional cost of bringing the ISMS to a level sufficient to adequately meet the requirements of the standard. It should be noted that in the practice of creating an ISMS it seems important to concentrate expert effort on forming reliable models and methods for internal audit and for effective "monitoring" of the state of the objects exposed to IS threats.

Difference 1. Identification (classification) of assets

To analyze the first difference, consider the requirements of the standard in terms of asset management and the requirements of the IS Maintenance System standard for the classification of objects of protection. The definition is known: "asset: anything that has value to the organization" (clause 3.1). Additionally, consider Appendix B of the standard: "to establish the value of assets, an organization must identify all of its assets at an appropriate level of detail". It is explained there that two types of assets can be distinguished: "primary assets, which include business processes, business activities and information, and supporting assets, on which the primary elements of the scope of all types depend, including hardware, software, network, personnel, the site of the organization and the organization's structure".

The Plan phase of the PDCA cycle (clause 4.2.1) states that the organization must, for example, "define the scope and boundaries of the ISMS in terms of the characteristics of the business, the organization, its location, assets and technology". Appendix A provides examples of the implementation of specific information security measures ("controls") in terms of asset management, for example: "Inventory of assets: an inventory of all important assets of the organization shall be drawn up and maintained" (A.7.1.1).

In turn, the IS Maintenance System requirements for the classification of objects of protection (OP) provide other terms and definitions (Section 3), where OP is interpreted in the terms of the referenced standard.

By the term OP we understand information assets and the technical and software tools for their processing, transfer and storage (clause 3.3.3). This list of OP is closed and objectively, clearly narrower than the definition of assets presented above. Accordingly, one of the critical risks during certification may be the objectively obvious incompleteness of the OP identified and accepted for protection in the IS Maintenance System; in particular, assets in the following categories are not taken into account at all: personnel, location (sites) and organization structure. It should be noted that the approach adopted in the Gazprom IS Maintenance System introduces significant difficulties into the ongoing process of maintaining and ensuring IS, in particular in the management of IS incidents and IS risks. For example, the GOST R ISO/IEC 18044-2007 standard operates with examples of information security incidents related to personnel, and the recent ISO 27040 international standard for the security of stored data takes into account the critical role of personnel (internal and external) in ensuring the required level of information security at infrastructure facilities.

The standard defines the rules for identifying OP: the owner, proprietor and users of each OP must be defined (clause 5.6), and each OP must be assigned to exactly one of the following types (clause 5.8):

  • information assets (IA);
  • software;
  • technical means of processing, storing and transmitting information (TS).

The standard lists the rules for determining the criticality of OP; the criticality of each OP is determined according to them (clause 6.7) and then, on the basis of the resulting criticality level, the OP is assigned to one of the following groups (clause 7.1):

  • OP of the maximum level of criticality;
  • OP of the medium level of criticality;
  • OP of the minimum level of criticality.

Section 8 of the standard contains the rules for accounting for OP. The main tasks of OP accounting are the collection, processing and systematization of data on OP. It is noted that the facts of creation, acquisition, transfer, duplication, decommissioning and destruction of OP must be registered. Thus, a preliminary conclusion on the first difference can be drawn: for the development and successful certification of an ISMS according to the requirements of the standard, fulfilling the requirements of the IS Maintenance System alone is objectively not enough, because only an extremely limited set of the entities that are objectively critical assets for the business is taken into account.

Difference 2. Information security risk assessment

To analyze the second difference, consider the requirements of the standard for IS risk management and the IS Maintenance System requirements for risk analysis and assessment. The main definitions necessary for the analysis of the second difference are given in clauses 3.7 to 3.15. It is convenient to consider the main requirements for information security risk management by the phases of the PDCA cycle, as for Difference 1: the "Plan" phase (clause 4.2.1), the "Do" phase (clause 4.2.2) and the "Check" phase (clause 4.2.3), respectively. Appendix A provides examples of the implementation of specific information security measures ("controls") in terms of risk management, for example: "Background verification checks on all candidates for employment, contractors and third-party users must be carried out in accordance with laws, regulations and ethics, taking into account the requirements of the business, the nature of the information to which they will have access, and the anticipated risks" (A.8.1.2).

In turn, the IS Maintenance System requirements for risk analysis and assessment (clause 4.4) provide for the following basic procedures: risk identification, and risk analysis and assessment (see also clause 4.8). Thus, objectively, there is a critical risk for the purposes of successful ISMS certification, in that risk assessment activities in the terms of the ISMS standard may not be carried out at all. Accordingly, the activities provided for by the IS Maintenance System will not be carried out on "legal" grounds, which can lead to errors in identifying and classifying threats of IS violations for OP, as well as to an unreliable analysis of the risks of IS violations and of vulnerabilities in information processing in the AS within the established scope. It is especially important that a "nesting" of critical risks can be observed: failure to assess risks (Difference 2) can be a direct consequence of the exclusion of personnel from the assets in the IS Maintenance System (Difference 1), and such "nesting" can objectively lead to significant nonconformities in the external ISMS certification audit. As part of risk identification, the elements of risk must be identified, namely OP, threats to OP and vulnerabilities of OP (clause 5.1). As part of risk analysis, the following must be determined (clause 6.1):

  • possible damage caused as a result of violation of the security properties of the OP;
  • the level of likelihood of such a violation taking into account the identified threats and vulnerabilities, as well as the implemented protective measures;
  • the magnitude of the risk.

Possible damage is assessed on a three-level qualitative scale (clause 6.2.2).

Let us note that, as a rule, when solving specific applied problems, the values of the criteria are measured on a certain scale and expressed in established units. It is known that qualitative scales are used, for example, to measure various psychophysical quantities, the strength of an earthquake, and the degree of destruction of a material or structure (3.3.1). Accordingly, the use of a qualitative scale for assessing possible damage to information security does not seem fully justified and is methodologically vulnerable from the standpoint of achieving measurable (!) goals: the creation of an ISMS, continuous improvement of the effectiveness of the ISMS, and successful certification of the ISMS for compliance with the requirements.

The standard notes that the maximum value of possible damage corresponds to the maximum level of criticality of the OP, the medium value of possible damage to the medium level of criticality, and the minimum value of possible damage to the minimum level of criticality of the OP. Objectively, there are difficulties in determining the level of possible damage for assets (in the terms of the ISO standards) that are not taken into account as OP in the IS Maintenance System, for example: personnel (own and external), server rooms, rooms for confidential negotiations, etc.

The next step in the risk assessment is to compare the obtained risk values with a predetermined risk level scale, the risk evaluation stage (clause 7.1). Acceptable levels of risk must be identified (clause 7.4), and risks that do not exceed the acceptable level must be accepted. Risks that exceed the acceptable level should also be accepted if there is no suitable treatment for them. All other risks must be treated (clause 7.5). This provision creates a significant difficulty in preparing the ISMS for certification, since the well-known requirement for management review of the ISMS (standard, section 7) provides for explicit consideration, as review input, of "vulnerabilities or threats not adequately addressed in the previous risk assessment" (clause 7.2 f), and in the Gazprom IS Maintenance System this is not fulfilled due to the paradigm adopted for forming the set of OP.

Asset Identification Methodology

As noted above, there are a number of differences between the ISMS and the IS Maintenance System; one of the most important and fundamental is the difference between the terms "asset" and "object of protection". Accordingly, a methodological approach is needed that gently transforms the existing IS Maintenance System to the ISMS requirements and ensures the effective conduct of various audits and the monitoring of the state of objects exposed to threats of IS breaches. First of all, as mentioned above, the basic OP system must be transformed to the requirements for identifying all groups of ISMS assets for compliance with the standard. For example, the following classification of ISMS asset groups can be proposed (see Table 1).
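The mapping step described above, as an added example that is neither the article's nor Gazprom's code: an ISO-style asset register is checked against the closed OP types (IA, software, TS) to surface the asset groups the OP paradigm cannot hold, and the OP accounting facts of Section 8 are recorded for the assets it does cover. The group-to-OP mapping table, the asset names and the owners are assumptions.

```python
"""Added example, not code from the article: maps an ISO 27001/27005-style
asset register onto the closed list of "object of protection" (OP) types of
the IS Maintenance System (Difference 1) and keeps the OP accounting ledger
that Section 8 requires for the assets the OP paradigm can hold.
Assumed: the group-to-OP-type table and the sample register; only the OP
types (IA, software, TS) and the ISO asset groups come from the standards.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class AssetGroup(Enum):
    # ISO 27005 Annex B: two primary groups, six supporting groups
    BUSINESS_PROCESS = "business process"
    INFORMATION = "information"
    HARDWARE = "hardware"
    SOFTWARE = "software"
    NETWORK = "network"
    PERSONNEL = "personnel"
    SITE = "site / location"
    ORGANISATION = "organisation structure"


class OPType(Enum):
    # The closed OP list of clause 5.8
    IA = "information asset (IA)"
    SOFTWARE = "software"
    TS = "technical means (TS)"


# Assumed mapping; None means the closed OP list has no type for the group.
OP_MAPPING: Dict[AssetGroup, Optional[OPType]] = {
    AssetGroup.INFORMATION: OPType.IA,
    AssetGroup.SOFTWARE: OPType.SOFTWARE,
    AssetGroup.HARDWARE: OPType.TS,
    AssetGroup.NETWORK: OPType.TS,
    AssetGroup.BUSINESS_PROCESS: None,
    AssetGroup.PERSONNEL: None,
    AssetGroup.SITE: None,
    AssetGroup.ORGANISATION: None,
}

# Facts whose registration Section 8 of the classification standard requires.
OP_EVENTS = {"creation", "acquisition", "transfer", "duplication",
             "decommissioning", "destruction"}


@dataclass(frozen=True)
class Asset:
    name: str
    group: AssetGroup
    owner: str


def map_to_op(asset: Asset) -> Optional[OPType]:
    """OP type the asset would receive under clause 5.8, or None if none fits."""
    return OP_MAPPING[asset.group]


def coverage_report(register: List[Asset]) -> dict:
    """How much of an ISO-style register the OP paradigm can represent."""
    unmapped = [a for a in register if map_to_op(a) is None]
    return {
        "total": len(register),
        "covered_by_op": len(register) - len(unmapped),
        "missing_groups": sorted({a.group.value for a in unmapped}),
        "unmapped_assets": [a.name for a in unmapped],
    }


def record_event(ledger: List[Tuple[str, str]], asset: Asset, event: str) -> None:
    """Append an OP accounting fact; rejects non-OP assets and unknown facts."""
    if map_to_op(asset) is None:
        raise ValueError(f"{asset.name!r} ({asset.group.value}) is not an OP "
                         "and cannot be accounted for under the STO")
    if event not in OP_EVENTS:
        raise ValueError(f"unknown OP accounting event {event!r}")
    ledger.append((asset.name, event))


def active_ops(ledger: List[Tuple[str, str]]) -> List[str]:
    """OP that were created or acquired and not yet decommissioned or destroyed."""
    alive: Dict[str, bool] = {}
    for name, event in ledger:
        if event in ("creation", "acquisition"):
            alive[name] = True
        elif event in ("decommissioning", "destruction"):
            alive[name] = False
    return sorted(n for n, is_alive in alive.items() if is_alive)


# Constructed sample register; the names and owners are illustrative.
SAMPLE_REGISTER = [
    Asset("HR records", AssetGroup.INFORMATION, "HR specialist"),
    Asset("Payroll application", AssetGroup.SOFTWARE, "System administrator"),
    Asset("Application server", AssetGroup.HARDWARE, "System administrator"),
    Asset("Core switch", AssetGroup.NETWORK, "System administrator"),
    Asset("System administrator (person)", AssetGroup.PERSONNEL, "Head of IT"),
    Asset("Server room", AssetGroup.SITE, "Facilities"),
    Asset("Payroll process", AssetGroup.BUSINESS_PROCESS, "Chief accountant"),
]
```

Running `coverage_report(SAMPLE_REGISTER)` reports three of the seven assets as unmappable, exactly the personnel, site and business-process groups the text identifies as missing from the OP list.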

Table 1. Classification of groups of ISMS assets

An example of the register for the asset group "AS" is given in Table 2.

Table 2. Register of AS assets group

Notes:

* Owner: a specific service within the scope of ISMS certification that is responsible for maintaining the functionality of the specified asset;

** Criticality level: based on the "List of OP" in accordance with the requirements of the IS Maintenance System.

An example of IS risk assessment for the asset AS "Boss-Kadrovik" is given in Table 3.

Table 3. IS risk assessment for AS asset

Risk No. | Name of risk | Asset criticality | Vulnerability level | Threat probability level | Magnitude of risk | Level of risk
1 | Violation of the confidentiality of information in AS "Boss-Kadrovik" | | | | |
2 | Violation of the integrity of information in AS "Boss-Kadrovik" | | | | |
3 | Violation of the availability of information in AS "Boss-Kadrovik" | | | | |

(Only the cell values "Maximum" and "Minimum" for risk 2 and "Minimum" for risk 3 survived extraction; their column positions are not recoverable.)
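Table 3 carried through as an added example (not code from the article): each row goes from possible damage to criticality, is combined with the vulnerability and threat probability levels into a magnitude, compared with the acceptable level and given the accept/treat decision of clauses 7.4 and 7.5; a fourth row for a personnel asset shows the "nesting" of Difference 1 into Difference 2. The three-level ordinal scale, the sum-based combination rule and the row values are assumptions.

```python
"""Added example, not code from the article: the risk-assessment steps of
Difference 2 run on rows shaped like Table 3 (asset criticality, vulnerability
level, threat probability level, magnitude of risk, level of risk), with the
accept/treat decision of clauses 7.4 and 7.5.
Assumed: the ordinal scale, the combination rule (sum of the three ordinal
scores, cut at 4 and 6) and the sample values for AS "Boss-Kadrovik"; the
standards quoted in the text give the levels, not this rule.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    MINIMUM = 1
    MEDIUM = 2
    MAXIMUM = 3


def criticality_from_damage(damage: Level) -> Level:
    """Possible damage maps one-to-one onto OP criticality (see the text)."""
    return damage


def risk_magnitude(criticality: Level, vulnerability: Level, threat: Level) -> int:
    """Assumed rule: ordinal sum in the range 3..9."""
    return int(criticality) + int(vulnerability) + int(threat)


def risk_level(magnitude: int) -> Level:
    """Compare the magnitude with the predetermined risk scale (clause 7.1)."""
    if magnitude <= 4:
        return Level.MINIMUM
    if magnitude <= 6:
        return Level.MEDIUM
    return Level.MAXIMUM


def decide(level: Level, acceptable: Level, treatment_available: bool) -> str:
    """Clauses 7.4 and 7.5 as stated in the text."""
    if level <= acceptable:
        return "accept"
    if not treatment_available:
        return "accept (no suitable treatment)"
    return "treat"


@dataclass
class RiskRow:
    number: int
    name: str
    asset: str
    is_op: bool                      # False for assets outside the OP list
    damage: Optional[Level]          # possible damage if the property is violated
    vulnerability: Optional[Level]
    threat: Optional[Level]
    treatment_available: bool = True


@dataclass
class Assessment:
    number: int
    criticality: Optional[Level]
    magnitude: Optional[int]
    level: Optional[Level]
    decision: str


def assess(row: RiskRow, acceptable: Level = Level.MINIMUM) -> Assessment:
    """One Table 3 row; a non-OP asset never reaches the assessment at all."""
    if not row.is_op or row.damage is None:
        # Difference 1 "nested" into Difference 2: no OP, no risk elements.
        return Assessment(row.number, None, None, None,
                          "not assessed: asset is not an OP")
    crit = criticality_from_damage(row.damage)
    mag = risk_magnitude(crit, row.vulnerability, row.threat)
    lvl = risk_level(mag)
    return Assessment(row.number, crit, mag, lvl,
                      decide(lvl, acceptable, row.treatment_available))


def assess_all(rows: List[RiskRow], acceptable: Level = Level.MINIMUM) -> List[Assessment]:
    return [assess(r, acceptable) for r in rows]


AS_NAME = 'AS "Boss-Kadrovik"'
# Constructed sample rows; Table 3 on the page lists risks 1-3 without values.
SAMPLE_ROWS = [
    RiskRow(1, "Violation of confidentiality", AS_NAME, True,
            Level.MAXIMUM, Level.MEDIUM, Level.MEDIUM),
    RiskRow(2, "Violation of integrity", AS_NAME, True,
            Level.MAXIMUM, Level.MINIMUM, Level.MINIMUM, treatment_available=False),
    RiskRow(3, "Violation of availability", AS_NAME, True,
            Level.MINIMUM, Level.MEDIUM, Level.MINIMUM),
    RiskRow(4, "Loss of key personnel", "HR administrator (personnel)", False,
            None, None, None),
]

if __name__ == "__main__":
    for a in assess_all(SAMPLE_ROWS):
        print(a)
```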

Evaluation of the effectiveness of the IMS taking into account the requirements of the ISMS

Accounting for assets in accordance with the requirements of the ISO standard makes it possible to introduce an element of manageability into the IMS by common goals that are measurable in business terms. For an IMS that includes an ISMS, appropriate metrics can be applied. Examples of forming simple information security metrics are widely known; they can provide quantitative assessments (metrics) as evidence of "usefulness" for the business. Here it seems especially important to draw an immediate comparison with internal audit mechanisms, which are specifically designed to provide "objective evidence" to top management for making effective management decisions. It seems appropriate to group the various types of metrics for the purposes of ensuring information security as follows:

  1. To evaluate the core business, for example: market share, customer loyalty level;
  2. To manage costs, for example: TCO (total cost of ownership), ROI (estimate return on investment);
  3. To optimize current activities, for example: cost optimization (direct and indirect).

In order to reduce costs (this is one of the priority tasks of any business and the most "presentable" form of assessing the effectiveness of the information security service), metrics can be applied that show the degree to which the maximum possible result (sales plan, on-time project completion, etc.) has been achieved. Accordingly, various kinds of metrics can be proposed:

  • simple metrics (for example, the number of identified information security incidents);
  • composite metrics (for example, the ratio of the cost of information security to the cost of IT assets);
  • complex metrics (for example, the number of information security incidents that caused damage (forced downtime) to an AS defined as business-critical).

Conclusions

1. When planning and implementing ISMS certification projects, it must be taken into account that many requirements of an arbitrary industry certification system do not, in general, comply with the requirements of the ISO 27001 series certification standard. To adapt an ISMS, a productive methodology is needed, based on a comparison ("mapping") of the standards' requirements in the field of information security and ensuring the goals of internal audit and effective "monitoring" of the state of objects exposed to information security threats, on the basis of reliable models and methods.

2. The implementation of the requirements of modern ISMS standards, "imposed" on an existing ISMS, leads to the need to revise fundamental requirements (for example, the concepts of "assets" and "risk management"). This circumstance is directly related to the area of certification determined by top management ("scope") and, accordingly, to the list of assets recognized as vital to the organization's business and, for this reason, subject to protection as part of the ISMS.

Bibliography

GOST R ISO/IEC 27001-2006 "Information technology. Security techniques. Information security management systems. Requirements."

GOST R ISO/IEC 27005-2010 "Information technology. Security techniques. Information security risk management."

GOST R ISO 19011-2011 "Guidelines for auditing management systems."

STO Gazprom 4.2-1-001-2009 OAO Gazprom information security system. Basic terms and definitions

STO Gazprom 4.2-2-002-2009 OAO Gazprom information security system. Requirements for APCS

STO Gazprom 4.2-3-002-2009 Requirements for technical protection information when using information technologies

STO Gazprom 4.2-3-003-2009 OAO Gazprom information security system. Risk analysis and assessment

STO Gazprom 4.2-3-004-2009 Classification of objects of protection

STO Gazprom 4.2-3-005-2013 Information security incident management

Livshits I.I. Estimates of the ratio of quantitative indicators of certification of enterprise management systems // Quality Management, 2014, no. 2;

Livshits I. I. Joint solution of the problems of auditing information security and ensuring the availability of information systems based on the requirements of international standards BSI and ISO // Informatization and Communication, 2013, no. 6;

Livshits I.I. Practically applicable methods for assessing information security management systems // Quality Management, 2013, no. 1;

Livshits I.I. Approaches to the application of the integrated management system model for auditing complex industrial facilities: airport complexes // Proceedings of SPIIRAS, 2014, no. 6;

Nogin V.D. Decision making under many criteria // State University - Higher School of Economics, St. Petersburg, 2007, 103 pages;

Yanchin M.K. Information risk management based on the MEHARI methodology, publication source: http://pvti.ru/data/file/bit/bit_4_2011_29.pdf (as of January 19, 2015);

ISO/IEC 27040:2015 Information technology — Security techniques — Storage security.

ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems - Requirements.

ISO/IEC 27000:2014 Information technology — Security techniques — Information security management systems — Overview and vocabulary.

ISO/IEC 27004:2014 Information technology — Security techniques — Information security management — Measurement.

Identification and evaluation of information assets

We identify the information assets of the organization. To do this, we first introduce the concept of an information asset.

An information asset is any information, regardless of how it is presented, that is of value to an organization and is at its disposal. Each organization has its own set of assets of one type or another.

Consider the information assets of the organization. For convenience, we group the assets by type:

  1. Information/data:
     • development data;
     • product data.
  2. Hardware:
     • 8 servers;
     • 374 computers;
     • 36 printers;
     • 22 scanners.
  3. Software:
     • 1C: Enterprise;
     • MS Windows XP/7.
  4. Documents:
     • contracts with vendors;
     • contracts with clients;
     • financial statements.

Let us consider the selected assets in more detail: for each we give the form of presentation, the owner of the asset and the criterion for determining its value, and carry out the valuation of the asset.

Table 1.1 provides information on the identified assets of the organization.

Table 1.1. Assessment of information assets of an enterprise

Kind of activity | Asset name | Presentation form | Asset owner | Criterion for determining the value | Quantitative estimate (with dimension) | Qualitative estimate
Information assets
 | Staffing | Electronic | Human resources specialist | Replacement cost | 170 thousand rubles | Medium
Sales of products | Product data | Electronic | Accountant | Replacement cost | 500 thousand rubles | Critical
Hardware assets
Data processing | Servers | Material | System administrator | Initial cost | 300 thousand rubles | Critical
Data processing | Computers | Material | System administrator | Initial cost | 100 thousand rubles | Medium
Data processing | Printers | Material | System administrator | Initial cost | 25 thousand rubles | Low
Data processing | Scanners | Material | System administrator | Initial cost | 15 thousand rubles | Low
Software assets
Data processing | Microsoft Windows | Electronic | System administrator | Replacement cost | 15 thousand rubles | Low
Data processing | Microsoft Office | Electronic | System administrator | Replacement cost | 17 thousand rubles | Low
Data processing | 1C: Enterprise | Electronic | System administrator | Replacement cost | 120 thousand rubles | Medium
Data processing | SAP WMS | Electronic | System administrator | Replacement cost | 400 thousand rubles | Critical
Physical assets
Sales of products | Development documentation | Paper | | Replacement cost | 55 thousand rubles | Low
Sales of products | Contracts with clients | Paper | Account manager | Replacement cost | 82 thousand rubles | Low
Accounting | Financial statements | Paper | Accountant | Replacement cost | 75 thousand rubles | Low

Consider the list of information assets to which access must be restricted under the legislation of the Russian Federation. This list is presented in Table 1.2.

Table 1.2. List of confidential information

Let us sum up the ranking of the selected assets. The ranking results are presented in Table 1.3.

Table 1.3. Asset ranking results

Asset name Asset value (rank)
Counterparty data
Sales data
8 servers
Personal data of employees
Product data
1C: Enterprise
Computers
Microsoft Windows
SAP WMS
Microsoft Office
Printers
Scanners
Contracts with clients
Financial statements

So, summing up, the assets with the highest value are:

Counterparty data;

Sales data;

Servers;

Computers;

Personal data of employees;

Product data;

1C: Enterprise;

Contracts with clients;

Financial statements

The rest of the assets are of minimal value compared to those allocated.

We will group the Printers and Scanners assets into the "Printers and scanners" group, the Microsoft Windows and Microsoft Office assets into the "Microsoft software" group, and all the physical assets of the organization into the "Documentation" group, since the value ranks of these assets are the same and such a grouping greatly simplifies further analysis.

Asset Vulnerability Assessment

Let us assess the vulnerabilities of the selected enterprise assets. The results of this assessment are presented in Table 1.4.

Table 1.4. Asset vulnerability assessment results

Group of vulnerabilities | Counterparty data | Sales data | Servers | Personal data of employees | SAP WMS | 1C: Enterprise | Computers | Printers and scanners | Microsoft software | Documentation
1. Environment and infrastructure
Poor building security: Low, Low, Low, Low
Power problems: Medium, Medium, Low, Low, Low, Low, Low, Low, Low
2. Hardware
Transfer or reuse of storage media without proper cleaning: Medium, Medium, Low, Medium
3. Software
Unmaintained storage media: Medium, Medium, Low, Medium, Low
Lack of updates to the software used for protection against malicious code: High, High, High, High, High, High, High, Low
4. Communications
Insecure connections to public networks: High, High, High, High, High, High, High
5. Physical access
Unprotected storage: Low, Low, Low, Low
6. Staff
Ignorance of security: Medium, Medium, Medium, Medium, Medium, Medium, Low
7. Common vulnerabilities
Implantation of hardware and software implants (backdoors): High, High, High, High

(Levels are listed in row order; empty cells and column positions were lost in extraction.)

Assessing Threats to Assets

A threat (the potential for adverse impact) has the ability to damage an information technology system and its assets. If this threat is implemented, it can interact with the system and cause unwanted incidents that adversely affect the system. Threats can be based on both natural and human factors; they can be realized accidentally or deliberately. Sources of both accidental and deliberate threats must be identified and the likelihood of their implementation assessed. It is important not to lose sight of any possible threat, as the result may be a malfunction or the appearance of vulnerabilities in the information technology security system.

Security threats are assessed by experts, depending on the current level of information security and the likelihood of threats being realized.

Let us identify the threats to the organization's assets and assess them. The results are presented in Table 1.5.

Table 1.5. Asset threat assessment results

Group of threats | Counterparty data | Sales data | Servers | Personal data of employees | SAP WMS | 1C: Enterprise | Computers | Printers and scanners | Microsoft software | Documentation
1. Threats due to deliberate actions
Theft of documents and other media: Low, Low, Low, Low
Substitution of documents and other media: Low, Low, Low, Low
(threat name not recovered): High, High, High, Low
Unauthorized copying of documents and media: Low, Low, Low, Low, Low, Low
Unauthorized access to data: High, High, High, Low, Low, High
Disclosure of data by an unauthorized person downloading them from a data carrier: Low, Low, Low, Low, Low
2. Threats due to accidental actions
Leakage of information from the network through communication channels: Low, Low, Low, Low, Low
Unintentional disclosure of information by company employees: Low, Low, Low, Low, Low, Low
(threat name not recovered): High, High, High, High, High, High, High, High, High
3. Threats due to natural causes (natural and man-made factors)
Man-made disasters (explosion, terrorism, vandalism, other means of intentional damage): Low, Low, Low, Low, Low, Low, Low, Low, Low, Low

(Levels are listed in row order; empty cells and column positions were lost in extraction.)

1.2.4. Assessment of existing and planned protection measures

Let us analyze the information protection measures already in use at the enterprise. To do this, the technical and software architecture of the enterprise must be analyzed.

By the architecture of a computer system we mean the concept of organization of an information system, its elements, and the nature of the interaction between these elements.

It is advisable to consider separately the technical and software architecture of the existing information system.

The company makes extensive use of computers. The technical architecture includes:

Servers. Servers are used to create and operate a single local network.

Workstations. Approximately 380 workstations of various brands and manufacturers, with completely different technical specifications, since they are used in departments with different lines of work.

Notebooks. About 20 laptops are used, also of varying performance.

Switches. 10 switches are installed; they are needed to create a single local area network.

Modem router. Used to provide all computers with Internet access.

The diagram of the technical architecture of the information system is shown in Figure 1.2.

Fig. 1.2. Technical support of the enterprise

Figure 1.3 shows a diagram of the enterprise software.

Fig. 1.3. Software diagram

The company uses the Windows 7 and XP operating systems from Microsoft, the Microsoft Office 2003/2007 integrated office suite and the Google Chrome Internet browser. Antivirus protection is provided by Avast! Business Pro antivirus. The information system "1C: Accounting" is also used; it is installed on the computers of the accounting department.

Consider protection against physical penetration. Figure 1.4 shows the main office building and the location of the motion sensors.

Fig. 1.4. Location of motion sensors

Based on the presented diagrams, we can conclude that protection is relatively weak both against physical penetration and against virus and hacker attacks.

Let us summarize all the actions of the organization to ensure information security. A summary table of the analysis of the implementation of the main information security tasks is presented in Table 1.6.

Table 1.6. Analysis of the implementation of the main tasks to ensure information security

The main tasks for ensuring information security | Completion rate
Ensuring the security of production and trading activities, protection of information that is a commercial secret | Partially
Organization of work on the legal, organizational and engineering protection of trade secrets | Partially
Organization of special office work, excluding unauthorized receipt of information that is a trade secret | Partially
Prevention of unreasonable admission and open access to information and works constituting a commercial secret | Partially
Identification and localization of possible channels of leakage of confidential information in the course of daily production activities and in extreme situations | Partially
Ensuring the security regime in activities such as meetings, negotiations, sessions and other events related to business cooperation at the national and international level | Not fulfilled
Ensuring the protection of the territory, buildings and premises holding protected information | Partially

Risk assessment

Let us carry out an assessment of the identified risks. The results of the risk assessment are shown in Table 1.7.

Table 1.7. Results of the risk assessment of the organization's information assets

Risk | Assets | Risk rank
Destruction of documents and other media | Counterparty data | High
 | Sales data | High
 | Personal data of employees | High
 | Product data | High
Unauthorized access to data | Counterparty data | High
 | Sales data | High
 | Personal data of employees | High
 | Product data | High
Insufficient maintenance of computer equipment | Counterparty data | High
 | Sales data | High
 | Personal data of employees | High
 | Product data | High
 | Software | High
 | Servers | High
 | 1C: Enterprise | High
 | SAP WMS | High
 | Computers | High

Thus, based on the results of the threat risk analysis, we can conclude that, first of all, the protection of information against virus and hacker attacks must be strengthened, that is, the existing antivirus protection at the enterprise must be upgraded. In the future, it is also recommended that the organization increase the physical security of its assets.
