What is an approach to organizing an information security system at an enterprise?
Technological, production, and commercial data used by enterprises are expensive, and their loss or leakage can lead to serious financial losses. For the oil and gas complex (OGC), which is of strategic importance for the country’s economy, the price of the issue is especially high. Therefore, one of the goals for the industry is to create a reliable information protection system.
An information security system is a set of organizational and technical measures aimed at ensuring the information security of an enterprise. The main object of protection is data that is processed in an automated control system (ACS) and is involved in the performance of business processes.
The main threats to the information security of any company are related to theft of data (for example, industrial espionage), the use of unverified software (for example, containing viruses), hacker attacks, spamming (it may also contain viruses), and negligence of employees. Less commonly, data loss is caused by factors such as a hardware malfunction or hardware theft. As a result, companies suffer significant losses.
The process of creating an information security system can be divided into three stages:
Formation of enterprise policy in the field of information security;
Selection and implementation of hardware and software protection;
Development and implementation of a number of organizational activities.
At the same time, state regulatory documents and standards that govern information security issues at companies should be taken into account.
Enterprise Information Security Policy
The foundation for creating an information security system is a document that formulates the principles and main provisions of the enterprise’s policy in the field of information security. What issues do they cover?
- Development of legal support for the protection of information. In fact, this is a system of regulatory documents relevant to the activities of the enterprise. With its help, on the one hand, the rules for ensuring information security at the enterprise (for example, the duties of employees) are determined, and on the other, responsibility for their violation is established. The legal framework includes state laws and acts (for example, the law on state secrets) and the internal regulatory and organizational documents of the enterprise (charter, internal rules, instructions for employees on maintaining commercial or other secrets, etc.).
- Identification of potential threats to information security. They can be divided into three groups, according to what they arise from:
Due to human actions – this can be either random errors of the enterprise’s specialists when working with the information system (incorrect data entry or its deletion), or deliberate actions (theft of documents or information carriers);
Due to malfunctioning or failure of hardware or software (for example, a malfunction of the operating system caused by a virus);
Due to natural disasters and force majeure circumstances (floods, fires, tornadoes, military operations, etc.).
The list of potential threats to the information security of an enterprise can be very long. It is recommended to evaluate each of them from the standpoint of common sense or statistics, and then rank by the degree of probability of occurrence and the amount of potential damage.
- Compilation of a list of data to be protected. Information used at the enterprise may be open (accessible to all) or closed (available to a limited circle of persons). The first type includes information that does not constitute a state or commercial secret and does not belong to the category of confidential information (according to legislation or the internal documents of the enterprise). The damage from the loss of this kind of information is insignificant, so its protection is not a priority. Closed information includes:
Data that is a state secret – their list is determined by law;
Commercial or official information – any information related to production, finances, used technologies, the leakage or loss of which may harm the interests of the enterprise;
Personal data of employees.
This information should be protected first. For each type of data of this kind, it is indicated how and where it arises, with what software or hardware it is processed, which units (employees) work with it, etc.
- Creation of a unit responsible for information security issues. As a rule, the functions related to ensuring information security are separated: the company's security service is responsible for developing the data protection policy and implementing organizational measures, while issues related to the use of software and hardware fall within the competence of the IT department. Situations often arise in which the desire to protect data as reliably as possible conflicts with the needs of the enterprise's business. This also happens when security measures are developed without taking into account the capabilities of modern IT tools.
For example, at one enterprise the security service forbade employees to access their work email from outside the corporate network, justifying the decision by the need to avoid information leaks. As a result, delays began to occur in business processes: employees could not promptly make the necessary management decisions when they were not in the office. Had IT department employees participated in developing this measure, the problem could have been avoided: access to work mail would have been preserved, and data protection would have been ensured through additional software tools.
Therefore, a more correct approach is to create a single point of decision-making: a unit whose task is to solve the whole range of information protection issues at the enterprise. It should include both security personnel and IT professionals.
- Definition of the main directions of ensuring information security. Within this task, in particular, the ACS components that need protection are identified, the necessary software and hardware are determined, and organizational measures for protecting information are formulated.
Protection of an automated control system: software and hardware
The main issue in terms of ensuring information security is the protection of an automated control system, which is implemented through the use of software and hardware.
The complexity of this problem is determined by two factors. First, a huge number of users (several thousand people), located in several geographically distributed units, have access to system resources. Second, its operation is based on the interaction of a number of software and hardware components.