Information security tools in business. The concept and types of threats to business information security. Trade secret security

Before talking about what information security risks can await you at work, I want to introduce myself: my name is Kamila Iosipova. I am a senior information security manager at the IT company ICL Services, where I have been working for 5 years. I am also a CISA certified information systems auditor (an ISACA certification; CISA stands for Certified Information Systems Auditor).

In 2018, the volume of data leaks in companies grew by 5%. The human factor is one of the main causes of information security incidents. Negligence, carelessness, motive, intent: these are the reasons why the employees of your companies can, intentionally or unintentionally, sink the business. Below I will tell you how to protect yourself and your customers, what to do to develop a culture of working with data among employees, and what methods to apply.

A plan for setting up information security work

If you look at the picture globally, a certain pattern can be traced in the field of information security: the attention paid to information security largely depends on the company's line of business. For example, in government or in the banking sector the requirements are more stringent, so more attention is paid to training employees, which means the culture of working with data is more developed. However, today everyone should pay attention to this problem.

So, here are some practical steps that will help you get started in the field of information security:

Step 1. Develop and implement a general information security policy containing the company's main principles, goals and objectives in the field of information security management.

Step 2. Introduce an information classification policy and confidentiality levels.

In this case, it is not enough to write a document that employees can access 24/7; you also need to hold various training events and talk about the changes being made. Stick to the rule: forewarned is forearmed. Let the company work in this direction constantly.

Step 3. Develop a proactive approach.

It's like prevention in medicine. You will agree that it is much cheaper and easier to undergo a preventive examination than to treat a neglected disease. For example, in our company the proactive approach works like this: for working with information in commercial projects, we have developed a Standard for Information Security Management in Projects, which contains the minimum information security requirements needed to ensure a certain level of maturity of information security processes in a commercial project. It describes what needs to be done to maintain a certain level of maturity of the security management process. We have implemented this standard in projects, and now we conduct internal audits annually: we check how projects meet these requirements and identify information security risks and best practices that can help other project managers.

Apart from audits, knowledge sharing works well. If "thunder has struck" in one of the projects, it is good for the rest to know about it and have time to take the necessary measures.

Step 4. Make all the documents explaining the rules structured, understandable and concise.

As practice shows, no one reads long, multi-page texts. The document must be written in clear language. It must also be aligned with the business goals and sanctioned by top management; this gives employees a more powerful argument for why these rules should be followed.

Step 5. Conduct training sessions, conversations, business games and the like.

Very often people do not understand how certain rules relate to their specific work, so it is necessary to give examples, explain and show how they can apply them. Here it is important to show the consequences for the company, up to the loss of the business, and the specific consequences that await the employee, up to criminal liability.

Implementing all of the above in a company requires resources, both material and human. This is why the position of Chief Information Security Officer (CISO) has begun to appear in many companies. Thanks to this position, it is possible to convey to business leaders the importance of promoting particular decisions, allocating funds, and so on. A CISO is able to promote information security in a company at all levels.

The tasks he undertakes are extensive: communication with top management, justification of particular decisions, communication with process owners to implement security in all areas. From the point of view of cyber threats, he is the point of contact; at the same time he manages and defines the strategies for responding to cyber threats and coordinates the work of responding to attacks.

Employee training: difficult, time-consuming, but necessary

However, before teaching people certain rules, it is necessary to understand one thing: you cannot stop at the human factor, since there may be something else behind it, such as a lack of resources, knowledge or technology. The most effective method here is to analyze the true causes, to get to the root cause.

When working with people, it is necessary to find a key to literally everyone. All people are different, and accordingly the methods must differ too. In an interview with an employee, a specialist told me: I will only do something if I know what I will get for failing to comply with the requirement. And conversely, for some people only positive motivation works, such as a good assessment of the quality of their work or rewards for successfully completing training.

There is an opinion that information security specialists often act as a brake on innovation, especially when they restrict the use of new technologies and business models. This may indeed be the case; however, it is important to remember the following: "Security is like brakes on your car. Their function is to slow you down. But their purpose is to allow you to go fast" (Dr. Gary Hinson). It is important to understand that without these rules it is impossible to go further, because at some point you simply will not be able to develop your business if you do not defend against cyber threats and manage information security risks. In order to strike a balance, our company uses a risk-based approach, which is the basis of the ISO 27001 standard. This approach allows us to select the requirements and security measures that are applicable to us and that are necessary to protect against the threats relevant to us. With the help of this approach, we can also choose from a financial point of view: how expedient is the use of a particular measure? For example, we could put a biometric scanner at every meeting room, but how much do we need it, what value does it bring, what risks does it reduce? The answer is not always obvious.

At ICL Services, we understand that the confidentiality of the information we work with is important to us, so we encrypt laptops: even if a laptop is lost, the information will not fall into the hands of intruders. This is critical, and we are ready to spend money on it.

I believe that only in this way can a balance be struck between security and value for the business: choose, keep up with innovations and always assess risks (how the cost of a risk being realized compares with the cost of purchasing one or another security solution).

An integrated approach is the perfect recipe for information security

In my opinion, an integrated approach to security is the most effective, because information security is a matter of human awareness, behavior and the correct organization of business processes, taking security requirements into account. Incidents most often happen because of employees: people make mistakes, get tired, and can click the wrong button, so half of the success here is technical controls that guard against random, unintended incidents, and the other half is the security culture of each employee.

Therefore, it is important to hold preventive conversations and training. In today's world, cyber threats are designed for people: if you receive a phishing email, it is harmless until you click on the link. Our company focuses on the conscientiousness of the staff, on working with people, on awareness. And the third point is organizational: people must know the rules, the rules must be spelled out, and there must be a certain policy that everyone must follow.

Remember: cyber threats are very widespread in the world, and at the same time the consequences of attacks are very serious, up to a complete loss of business and bankruptcy. Naturally, the issue is on the agenda. Security in our time simply must be part of the corporate culture, and top management is the first stakeholder in this matter, since it manages the business and will be the first to bear responsibility when risks are realized.

Here are some tips to help your employees avoid information security incidents:

  1. Do not follow unverified links;
  2. Do not share confidential information;
  3. Do not write your password down on a piece of paper or a sticky note;
  4. Do not use USB drives that you are not sure about (an attacker can leave an infected physical device in a place where the victim will surely find it);
  5. When registering on websites and providing a phone number or postal address, look carefully at what this information is needed for; perhaps in this way you will subscribe to a paid mailing list.

I hope that over time, security will become a key element of the corporate culture in every company.


Companies often neglect cybersecurity issues and suffer multi-million dollar losses as a result. In a new special project, the site experts will tell you how to prevent attacks by malefactors without encroaching on the freedom of employees.

Business is under constant cyberattacks by cybercriminals aimed at emptying company accounts or stealing customer data.

15:33 15.07.2019

Many Russian companies forget about basic cybersecurity measures for their industrial assets and are forced to spend huge sums to cope with the consequences of attacks, although there are simpler solutions.

A year ago, many Russian and foreign companies became victims of the large-scale cyberattacks WannaCry and ExPetr. Since then, there have been no such cases. Does this mean that business has become more responsible about cybersecurity, or has the situation changed in some other way? The head of Kaspersky Industrial CyberSecurity talks about this.

It is important to understand that these attacks were not aimed at industry, but "hooked" it. High-profile cyberattacks usually occur due to a combination of several factors. In this case, the public disclosure of a vulnerability in the very common Windows operating systems and the unwillingness of users to quickly fix it throughout the enterprise played a role. The absence of such cases now has nothing to do with companies having become more responsible about their security.

Those enterprises that were affected by WannaCry, or in which we investigated incidents and made recommendations for strengthening protection, took certain measures. We can say with a high degree of probability that the same attack will not happen to them again.

But in most companies, nothing has changed, even though they are well aware of the risks, and there have been enough incidents.

Good news for Russian enterprises is the appearance of Federal Law No. 187-FZ "On the security of critical information infrastructure." It also applies to industrial process automation systems. In Russia, this law is the most powerful driver for building real protection systems. It entered into force at the beginning of 2018, and in 2019–2021 we will already see an increase in security.

What threats can be called key now?

The most common cause of infections in industrial infrastructures is commonplace malware. Basically, these are Trojans that get there by accident. You don't have to be a target to be a victim.

A contradiction is obvious: when laws are passed and cybersecurity is discussed in general, people are mainly worried about attacks by motivated and qualified attackers; they are afraid of targeted attacks. But the current maturity of industrial cybersecurity is such that companies allow ordinary infections by mass malware.

Could you list such curious attacks?

Malicious software is written by people, and not always of high quality - it contains bugs.

Incidents in industrial networks most often occur due to accidental infection: a contractor connected a laptop with a virus to a secure network, an employee was given remote access ... A virus can cause a denial of service, equipment failures or a stoppage of technological processes, although this does not happen intentionally ...

For example, one of the three versions of WannaCry did not encrypt anything, but was very poorly compatible with Windows XP, as a result of which the system crashed to a blue screen of death. In some cases, this is what we had to deal with in the industrial network, and not encryption.

What precautions can be taken to minimize the likelihood of such occurrences?

The more employees are aware of a particular type of cyberattack, the easier it is to avoid them.

8–10 years ago, when most industrial specialists were receiving their education, industrial systems were attacked less often; as a rule, they were isolated from the outside world. But in recent years, industrial networks have been integrated with corporate networks at the demand of businesses, for example, for order management and supply chain management. Contractors gain access to technological networks in order to quickly provide services to industrial enterprises. Networks are becoming exposed to a wide range of cyber threats.

These threats are successfully combated in the corporate segment, but engineers and metrologists have never encountered them before.

It is worth telling them about basic questions: what a fake letter or a virus on a USB flash drive looks like, why you must not charge a mobile phone from the machine's control panel, why you need to call the "security officer" when giving remote access to a contractor ...

If employees knew about the potential penetration vectors and their consequences, they simply would not do these things. This is one of the first-priority, quick and very cheap measures.

At Kaspersky Lab, we see our mission not only in developing products that help prevent attacks or detect them, but also in professional education. To this end, we initiate partnerships with training centers and universities that “speak” the language of engineers. In Russia, our partner is Abiroy, which has been professionally engaged in training in an industrial environment for many years, and now also in the field of cybersecurity. In Europe, a few months ago, we announced a partnership with the Fraunhofer IOSB Institute, and now our cybersecurity courses are available in their portfolio, and they give us an even deeper understanding of the specifics of the industry.

Finally, don't forget the basic technical measures. Antivirus, means of organizing remote access and network segmentation are very effective for protection.

How labor-intensive and costly is dealing with cyber risks in industry?

Design difficulties are really a problem. Imagine an industrial network built eight years ago that is connected to a corporate network for remote access or data transmission. Potentially, you can penetrate it, get down to the level of the programmable logic controllers, change the process control logic and disable them. But often industrial networks at the lower level are built on unmanaged network equipment, from which it is impossible to organize traffic mirroring in order to connect an intrusion detection system. As a result, it is possible to penetrate such a network, but it is very difficult to detect such attacks.

In many cases, the entire network must be redesigned to implement all of the protections. But the industrial world has its own rules: "if it works, don't touch it."

It has its own modernization cycle, and the network can be rebuilt according to new, protected rules in 5–10, or even 15 years. It is extremely difficult to protect the old infrastructure with modern means: in order to deploy an intrusion detection tool for $50 thousand, you need to do a project to modernize the network for another $500 thousand.

The second difficulty is qualified personnel. There are not so many ICS information security specialists in the world, and even more so in Russian regions, where industrial enterprises are mainly located. Modern cybersecurity systems are difficult to use and require an understanding of how threats will evolve.

Of course, there are financial issues as well. The first projects to protect a large number of already built infrastructures are costly: services, inspection, design, implementation, new personnel ... There are many companies with state capital in Russia that cannot easily raise the prices of their services and goods. For example, in the energy sector, overinvestment in cybersecurity can ultimately affect our electricity bills.

But I am sure that we will overcome this and move to a new level of security. The main thing is to constantly maintain the proper level of cybersecurity as your systems develop.

In Europe, the number of computers that undergo accidental infection attempts is much smaller than in Russia. In developed countries, companies use a service model for servicing industrial infrastructures: an automation system supplier or integrator constantly maintains these systems, step by step, including introducing cybersecurity measures. Thus, Western companies have a more secure infrastructure without shock costs, spreading them over several years. In our country, companies themselves are responsible for their industrial infrastructure and operate according to the principle “if the system works, there is no need to modernize it”. So the backlog accumulates, and it is quite "painful" to eliminate it.

As a rule, are ready-made solutions suitable for customers, or do they need individual projects because of non-standard parameters?

Customers need individual projects that contain "cubes" from ready-made solutions. Integration work, inspection and design of the protection system are very important, but there is no point in redesigning the industrial protection for each system.

Now the industry is unifying: standardized data transfer protocols, the same operating systems ... Yes, sometimes very unusual industrial networks come across, but, as a rule, it turns out that they will be modernized in the coming years.

If you need to protect a unique infrastructure, then after a comprehensive analysis, it becomes clear that it will be cheaper and more correct to do this in two years, together with its modernization, and before that take any compensatory measures.

Few executives realize that the employee is the “entry point” into their company. How can we take business cybersecurity to the next level so that employees do not consider it a restriction of freedom?

One of the key business information security problems is the lack of risk awareness among employees. How can it be increased in simple ways?

The head of the regional corporate sales department at Kaspersky Lab shares key knowledge on this topic:

People who know little about threats still have to master the basics of cybersecurity in order to feel secure. After all, you should understand which letters should not be opened, which links should not be clicked on, which programs should not be downloaded.

At the same time, few of the leaders realize that the employee is the “entry point” into the company: especially if he has access to documents and client databases. Man is always the weakest link.

Traditional cybersecurity training looks like this: a person attends a training that lasts from one to three days, signs a document confirming completion of the studies and goes to work. At best, 10% of the knowledge gained stays in the head if it is not applied and practiced.

This is not quite the right approach. Every employee must be aware of and follow cybersecurity rules. Our approach involves online learning, as today the easiest way to learn is online. We have developed an online course that can be downloaded free of charge if you have fewer than five employees, and licensed if you have more. You can track your progress in a single control center.

The course contains 32 modules in total. In the "Mail" module, the employee sees a sample letter containing information about potential threats and cybersecurity measures (for example, you must not give out your PIN and CVV code, even if the bank requests them). After the person reads the letter, they are offered a test in a game format. If the employee chooses the right answer, they are encouraged, and if it is wrong, they are told what they did wrong and why.

Such practical tasks require 15 minutes a week and hardly distract the employee from his main duties.

After the employee passes the training module, a message is sent to the control center and a check is scheduled after a couple of weeks. If the person doesn't click on malicious links or download questionable programs, then they have learned their lesson.

If an employee makes the same mistakes, then a signal is sent to the control center that the employee needs to repeat the lesson and take the test again. Such training takes place throughout the year, it is very affordable and convenient.

What is the proportion of staff who need to learn the basics, and what is the proportion of those who successfully master the material the first time in the learning process?

According to our statistics, 85% of employees learn everything the first time. I think this program will be useful to everyone. The development was tested on the employees of Kaspersky Lab. I have never passed any module 100% correctly, although I have been working in the information security market for 12 years. Some of the questions just seem accessible and simple.

Opening suspicious links is the simplest example. It's no secret that everyone uses social media during working hours. Imagine that a person receives a link to an interesting video from a friend: 99% of people will open it on their work computer and not at all in safe mode. Nobody knows what will be downloaded in parallel with the video.

About 30% of small businesses outsource cybersecurity issues to non-specialists. What tools should you use to increase your security?

It's good if such a company has bought a licensed antivirus. Until now, not everyone uses even this. And a small business needs at least a full-time system administrator who would ensure the operation of all computers and protect them from viruses and possible attacks.

Antivirus is often viewed as a panacea: since it is there, you supposedly don't have to think about security at all; it will do everything by itself.

Unfortunately, this is not the case. Antivirus can be compared to a bulletproof iron door. There are keys to it, and if you lost them or gave them to someone, then the protection will not work. For companies that are really concerned about the safety of their information, there are higher-level solutions - to protect against targeted attacks. When an attacker deliberately wants to break the protection, he usually does not use loud methods, but works very quietly: he secretly gets to the place where he can get the necessary information. It is unprofitable for him to be discovered until he has achieved his goal. A very similar situation is observed in cyberspace. In large companies, attackers can wait for months.

Are there more often intentional or unintentional attacks?

We assume that highly skilled attacks account for 1% of all threats. But they are very significant: for example, the ExPetr virus was directed at certain companies and simultaneously hooked thousands of other companies. The world is saturated with information technologies, and people from different structures communicate and interact with each other.

What other measures can be effective when dealing with intentional interference? Is it always realistic to detect this process, or does it happen that they learn about it months and years later?

It is realistic, if you actually do it. There are special services for checking the corporate network. On average, a highly skilled attack takes six months: first the attacker infiltrates a company and looks around, and a few months later, for example, encrypts all the computers and simultaneously withdraws money from the accounts.

To protect against targeted attacks, our specialists, if the client so desires, view traffic online, report suspicious activities and ask what to do with them: you can block the actions of the attacker, or you can create an imitation of the infrastructure inside the system to find out the intentions of the attacker. In parallel, experts are investigating and looking for the source of the attack.

Are small or large companies more likely to be targeted by such attacks?

Both happen. But to attack a large company, you need to attract professionals, whose work is expensive. And big business has a whole cyber security system. For small businesses, the limit of protection is often antivirus. Sometimes, in order to reach a large organization, attackers attack their suppliers.

Often, attacks, not necessarily loud ones, come from resentful former employees or possibly contractors. Probably even unintentionally.

If the company has built a security system, such cases can be minimized. But in practice there are examples when a dismissed sysadmin's access was not blocked. For example, in a large logistics center, a former employee blocked all the printers: for almost a day the center could not send or receive goods, since they could not print a single document.

In the security measures, it is necessary to prescribe that when an employee is dismissed, their access to the system is blocked and the passwords of important systems are changed.

There are unique cases: at one financial enterprise, the password was required to be changed once a month. For ordinary employees, this is an unnecessary gesture, and 95% of people entered the password according to the "month and year" scheme. This allowed the former employee to take advantage of the loophole and penetrate the company's internal network.

By the way, one of the modules of Kaspersky Lab's online course teaches not to set passwords like "12345", as many people still do.

It is necessary to remember the basics of cybersecurity: do not use social networks from a work computer if they are not required for work. Change passwords; restrict Internet access for those employees who do not need it directly. Prohibit the use of flash drives and other removable devices.

But ordinary office workers perceive all these measures as limiting personal freedom. On the one hand, these measures are correct; on the other, information technologies are developing so rapidly that we can never fully control everything. You cannot lock the entire enterprise in a box, because then nothing will work. Even in defense enterprises, where there are closed networks and you cannot use Wi-Fi, Bluetooth or flash drives, there are people who monitor the system and the compliance of all parameters. They get bored of sitting for 12 hours and manage to play a movie or surf the Internet.

A person will always find how to get around restrictions, so the best option is to improve computer literacy.

Business is under constant cyberattacks by cybercriminals aimed at emptying company accounts or stealing customer data. Companies, especially small ones, often save on information security (IS), and half of information security directors are sure that financial losses will be the price to pay for this.

How can attacks be prevented, and what should you look at to protect your business? The head of the sales department for small and medium-sized businesses at Kaspersky Lab explains.

Oftentimes, cyber security executives understand the inevitability of threats, but face a lack of budgets. How big is the problem and how can businesses deal with it?

Unfortunately, cybersecurity in Russia is indeed underfunded.

This is probably due to the fact that many business leaders and owners underestimate the scale of losses that cyber incidents can cause.

It is important to soberly assess what losses the company will incur if the company is idle for several days - if the site or all corporate computers stop working. Of course, for a flower seller who does bookkeeping in a notebook, a two-day computer lock will not be a serious problem. But access to data is critical for a travel agency, an insurance company, a retailer that does bookkeeping electronically, delivers goods on credit, records future payments and debts. These are all real cases from our practice.

The volume of upcoming payments and funds that have not yet arrived in the company's accounts can be 20-30% of the annual turnover.

When an entrepreneur realizes how much he can lose, he has a rough idea of how much he is ready to invest in smooth operation, preserving the company's intellectual property and its reputation, that is, in ensuring cyber and IT security. On the one hand, these are somewhat ephemeral calculations: how do you estimate the value of a reputation? On the other hand, they are quite obvious. For example, if an airline cannot sell tickets online, customers will not wait long and will simply buy tickets from another carrier.

Loss of data will lead to difficulties, at least with access to 20-30% of the company's annual turnover

Typically the cybersecurity and information security budget is 10–15% of the total IT budget. The cost of mobile devices, computers, cartridges and the Internet is on average 30–50 thousand rubles per employee per year. And high-quality protection of one workplace in small and medium-sized businesses costs from 1,000 to 3,500 rubles.

Therefore, saving on IT security is saving on matches. Office spending on coffee, toilet paper, and stationery can be higher.

It is important to understand that protecting your information is a critical cost that should not be neglected.

Small and medium businesses are now under the scrutiny of cybercriminals - in some cases, cyber attacks have even led to bankruptcy of enterprises.

Cybercriminals are looking for ways to infiltrate the organization. Most often, letters are sent to the accounting department for this, and then to the legal, human resources and marketing departments.

The emails may contain malware or an invitation to go to a phishing page. After infection, attackers begin to collect various data: they track keystrokes on the keyboard, mouse movements, study correspondence, contacts and positions of the senders of letters, etc.

By examining the processes in the company, attackers can compose a targeted phishing email directed at a specific employee.

For example, write to an employee of the personnel department with a request to consider a resume, attaching a file in Word format.

Employees of companies use such documents every day, but they may contain an executable script that will launch a virus and begin to encrypt data within the company, at all locations where this employee has access. Conventional antiviruses, which work only by the signature-based method, cannot detect such ransomware.

Ransomware encryptors are the scourge of the present day. Their activity increases in the fourth quarter of the year, when the most active sales are taking place, and from the end of March to June, when companies file tax reports for the past period. What sanctions from the competent authorities can there be if you do not file your tax return on time?

Now imagine that all the data on the servers has been encrypted and there is simply no access to the accounting records and accounting software.

The company is forced to pay cybercriminals, or inform the tax authorities that it cannot submit reports. Therefore, the ransom amount increases during peak periods.
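The attachment check that keeps such documents off the employee's computer can be done structurally, before any signature lookup. The following is an added example, not Kaspersky's or the interviewee's code: it inspects an Office Open XML attachment for an embedded VBA project and for a mismatch between the file extension and the package contents. The file names, the policy of quarantining every macro-enabled document from inbound mail, and the sample packages are constructed for this illustration.

```python
"""Mail-gateway attachment triage for Office documents (added example).

Builds sample attachments in memory and decides whether each may be
delivered or must be quarantined before it reaches an employee's mailbox.
Policy and sample data are this example's own assumptions.
"""
import io
import zipfile

# Never acceptable as inbound mail attachments (policy assumption).
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1"}
# Office Open XML extensions that legitimately carry VBA macros.
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "ppsm"}
OOXML_EXTENSIONS = MACRO_EXTENSIONS | {"docx", "dotx", "xlsx", "pptx"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"
MZ_MAGIC = b"MZ"


def _extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def inspect_attachment(filename, data):
    """Return (verdict, reasons); verdict is 'allow', 'quarantine' or 'scan'.

    'scan' means structure alone cannot decide and a full AV/sandbox engine
    must look at the file before delivery.
    """
    reasons = []
    ext = _extension(filename)

    if ext in BLOCKED_EXTENSIONS or data.startswith(MZ_MAGIC):
        reasons.append("executable content")
        return "quarantine", reasons

    if data.startswith(OLE_MAGIC):
        # Word/Excel 97-2003 binaries may embed VBA streams; parsing the
        # compound file format is out of scope here, so defer to a full scan.
        reasons.append("legacy OLE container; VBA presence undetermined")
        return "scan", reasons

    if data.startswith(ZIP_MAGIC):
        if ext not in OOXML_EXTENSIONS:
            reasons.append("archive; contents must be inspected")
            return "scan", reasons
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except (zipfile.BadZipFile, KeyError):
            reasons.append("malformed OOXML package")
            return "quarantine", reasons

        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        declares_macro = "macroEnabled" in content_types
        if has_vba or declares_macro:
            reasons.append("VBA project embedded")
            if ext not in MACRO_EXTENSIONS:
                # Declared type and package contents disagree: a strong
                # indicator that the file was relabelled to look harmless.
                reasons.append("extension %r hides macro content" % ext)
            return "quarantine", reasons
        return "allow", reasons

    return "allow", reasons


def build_ooxml(with_vba, macro_enabled_type):
    """Construct a minimal OOXML package in memory (sample data, not a real document)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml"
               if macro_enabled_type else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ct
        + ('<Override PartName="/word/vbaProject.bin" '
           'ContentType="application/vnd.ms-office.vbaProject"/>' if with_vba else "")
        + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder bytes
    return buf.getvalue()


# Constructed inbound attachments, like the "resume" lure described in the text.
SAMPLES = {
    "resume.docx": build_ooxml(False, False),
    "resume.docm": build_ooxml(True, True),
    "resume_renamed.docx": build_ooxml(True, True),   # .docm content under a .docx name
    "invoice.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "contract.doc": OLE_MAGIC + b"\x00" * 504,
}


def triage_mailbox(attachments=SAMPLES):
    """Map each attachment name to its gateway verdict."""
    return {name: inspect_attachment(name, data)[0] for name, data in attachments.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, why = inspect_attachment(name, data)
        print(f"{name:22s} {verdict:10s} {'; '.join(why)}")
```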

Are there statistics on what share of attacked companies agree to pay, and what share try to decrypt the data and fight the attackers?

It is impossible to recover data without an encryption key after an attack by a modern ransomware. Whereas before there was one universal key for all affected computers, modern malware creates keys for each individual machine.

Protection from ransomware means using not ordinary antiviruses but a multilayered cybersecurity system. It should include monitoring the activity of programs and users, heuristic behavioral analysis, and the ability to prevent the launch of the ransomware with 100% certainty.

If you check incoming messages on mail servers, attachments with malicious files will not even reach the employee's computer.

The second line of defense is at the employee's workplace: Application Launch Control checks all files used. The third barrier is web control: the network administrator creates "white" lists of sites, where the allowed resources are listed, and all others are considered prohibited.

Maximum attention in cyber security issues should be paid to protecting the workstations of the accountant, lawyer, CFO and CEO - people who have access to the company's money. Most often, they are susceptible to targeted attacks by cybercriminals.

The next level of protection against ransomware is an anti-cryptor, or system monitoring. The anti-cryptor monitors user behavior: if a user suddenly starts encrypting data, which they have never done before, the suspicious activity is suspended and the computer is cut off from the rest of the network. Part of the data is placed in a backup for later recovery. This is how we prevent ransomware attacks on our customers from developing.
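The anti-cryptor behaviour described above, as an added example rather than any vendor's engine: a per-process sliding-window score over file-write events, where high-entropy content and a changed extension count as encryption indicators, and crossing the threshold yields the containment steps the text names (suspend, isolate, keep protected copies). The event format, thresholds, process ids and file paths are assumptions constructed for the demonstration.

```python
"""Behavioural anti-cryptor heuristic (added example with constructed data).

Models the "system monitoring" layer: file-write events are scored per
process, and a process that rewrites many files with high-entropy content
under new extensions inside a short window is treated as encrypting data.
Event format, thresholds and actions are this example's own assumptions.
"""
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext is roughly 4-5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class WriteEvent:
    ts: float                       # seconds since monitoring started
    pid: int
    path: str                       # file written
    content: bytes                  # bytes written (a sample suffices in practice)
    old_path: Optional[str] = None  # set when the write completed a rename


class AntiCryptor:
    """Sliding-window detector keeping one score history per process."""

    def __init__(self, window_s=10.0, alert_score=8, entropy_threshold=7.5):
        self.window_s = window_s
        self.alert_score = alert_score
        self.entropy_threshold = entropy_threshold
        self.history = defaultdict(deque)   # pid -> deque of (ts, score, path)
        self.blocked = set()

    def _score(self, ev: WriteEvent) -> int:
        score = 0
        if shannon_entropy(ev.content) >= self.entropy_threshold:
            score += 1                      # content looks like ciphertext
        if ev.old_path and os.path.splitext(ev.old_path)[1] != os.path.splitext(ev.path)[1]:
            score += 1                      # file acquired a new extension
        return score

    def observe(self, ev: WriteEvent):
        """Return None, or the containment decision once a process crosses the line."""
        if ev.pid in self.blocked:
            return {"pid": ev.pid, "ts": ev.ts, "action": "already_blocked"}
        hist = self.history[ev.pid]
        hist.append((ev.ts, self._score(ev), ev.old_path or ev.path))
        while hist and ev.ts - hist[0][0] > self.window_s:   # forget stale events
            hist.popleft()
        if sum(s for _, s, _p in hist) >= self.alert_score:
            self.blocked.add(ev.pid)
            touched = sorted({p for _, s, p in hist if s})
            return {"pid": ev.pid, "ts": ev.ts,
                    "action": "suspend_process; isolate_host_from_network",
                    "restore_from_protected_copy": touched}
        return None


# --- constructed sample data -------------------------------------------------
TEXT = b"Quarterly report: revenue grew 4% quarter over quarter. " * 20
# Deterministic stand-in for ciphertext: every byte value occurs equally often.
CIPHERTEXT = bytes((i * 97 + 13) % 256 for i in range(1024))


def sample_events():
    events = [
        # An office application saving documents and one zip archive: benign.
        WriteEvent(0.5, 100, "docs/report.docx", TEXT),
        WriteEvent(1.5, 100, "docs/report.zip", CIPHERTEXT),
        WriteEvent(2.5, 100, "docs/report.docx", TEXT),
    ]
    # A process renaming spreadsheets to .locked and filling them with ciphertext.
    for i in range(6):
        events.append(WriteEvent(3.0 + i * 0.5, 200, f"share/q{i}.xlsx.locked",
                                 CIPHERTEXT, old_path=f"share/q{i}.xlsx"))
    return sorted(events, key=lambda e: e.ts)


def run_demo():
    """Feed the sample stream through the detector; return (monitor, alerts raised)."""
    monitor = AntiCryptor()
    alerts = [a for a in map(monitor.observe, sample_events()) if a]
    return monitor, alerts


if __name__ == "__main__":
    monitor, alerts = run_demo()
    for alert in alerts:
        print(alert)
    print("blocked pids:", sorted(monitor.blocked))
```

The benign process accumulates at most one point (a single zip write), while the encrypting process is stopped on its fourth file and every later write from it is refused.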

- One of the most notorious pieces of malware is Buhtrap. How can you deal with it?

Buhtrap is a malicious program that allows you to gain access to electronic banking and the ability to conduct financial transactions in a company.

The attempts by intruders to find people who can carry out such operations are becoming more sophisticated. Specialized media sites that are most often visited by accountants and CFOs are infected, as are sites visited by company leaders and business owners.

In some cases, hackers even create sites with interesting content to attract more specialized users.

- What are the consequences of a Buhtrap infection?

The amount of damage to Russian companies from such malicious programs last year alone is estimated at tens of millions of dollars. You can cope with Buhtrap, but you need to fight not with the consequences of the attack, but with its original source.

Qualified solutions, like those of Kaspersky Lab, can detect malicious news resources through which Buhtrap gets to workstations and completely block them along with the malware.

Sometimes cybersecurity in small and medium-sized companies is handled by non-specialists. How can a business leader realize the importance of this task and put it in the right hands?

Specialized solutions for small and medium-sized businesses, for example Kaspersky Small Office Security, allow you to protect companies with fewer than 25 workstations. This product includes protection of financial transactions, a password manager, and protection of mobile devices, servers and workstations. The program uses technologies that were developed, among other things, for the protection of large companies.

The larger segment will be interested in the Kaspersky Security Cloud solution. It is suitable for companies with up to 250 employees.

At the same time, you can manage protection not only from the workplace, but from anywhere in the world where there is Internet access.

That is, an employee can go on vacation to Bali and from there monitor the company's cybersecurity. The console is intuitive and adapted for non-specialists - even the chief accountant or business leader can figure out the settings.

- Can a business rely on free solutions to protect against financial threats?

Like home solutions, they are not suitable for corporate users because they are not designed to protect organizations, and attackers are improving their methods. Free versions mostly include only basic protection against malware: they cannot ensure the security of online financial transactions, do not block fraudulent links, do not help control the use of resources and programs, etc.


How can small businesses protect themselves from malicious attacks and prevent the spread of malware before it becomes a problem?

"We are too small to be a target," so many small business executives believe. According to statistics from Kaspersky Lab, 58% of victims of cybercriminals are small businesses, and the average damage from a successful attack for SMB companies is 4.3 million rubles.

How can small and midsize businesses protect their employees from malicious attacks? What remedies should you use? A senior product marketing manager at Kaspersky Lab answers.

When does the management of the enterprise realize that it is necessary to take any protective measures?

In most cases, after the first incident. Unfortunately, in small businesses the priority of IT security becomes very high only after the company has first been attacked by a ransomware virus. A business owner who is not an advanced user will postpone the additional costs as long as possible.

The cost of a mistake is very high. A large organization can reallocate its infrastructure and move on. But if in a small business the entire network falls to a malware attack, it simply stops providing services - the company's work stops entirely. And the competition is very high: according to statistics, half of the small business companies that have become victims of an attack leave the market within six months, because they could not restore their resources in time.

There was a very difficult case in my practice. The cybercriminals knew about the gap in the enterprise's cybersecurity, tailored the "malware" to steal the organization's data and gradually took its clients away. Most likely, they acted "on a tip". But the company found advanced people who were able to recognize a targeted attack and save the company - this is extremely rare.

In most cases, attacks are massive, and employees are always the weak link. They look for information from work computers, download programs they need for work, and may make mistakes. If there is no specialist who monitors this, then no one controls the situation in the company.

Minimal protection for small businesses helps to avoid negative consequences from just such mistakes. Imagine you are faced with a phishing attack. If you have 50-100 people in your organization, it doesn't matter how many of them clicked on the link - even one click is enough to infect the network. Small business solutions are designed to prevent the spread of "malware" before it becomes a problem.

Typically, large companies train employees to identify files and links from cybercriminals in email. Do small companies shield their employees from such threats?

Small businesses spend a lot of time and effort on their core business. The bulk of the funds is always invested in those areas that can potentially increase the company's revenues. Minimal resources are left for supporting processes, so financing IT and IT security is not a priority, and ease of use and automatic operation are important when choosing these services. That is, solutions should require a minimum of attention.

In addition, in small business, personnel issues are always acute. A small firm often has a visiting system administrator rather than a full-time employee. In slightly larger companies, one specialist may be responsible for both IT and information security.

Small and medium-sized business leaders focus on IT security based on their bad experiences in the area. If they have a general picture of the spectrum of threats, have encountered such incidents before, or realize the need to protect the company after massive cyber attacks, then they will look for protection that works in automatic mode.

Kaspersky Lab offers just such solutions - Kaspersky Endpoint Security for Business. We call these products "Install and Forget". They provide maximum automatic protection - small businesses often do not have dedicated employees on staff to configure the program.

Protection against phishing emails should also be automatic, so that such mailings, in principle, do not reach users.

Are employees in small companies more likely to receive such letters than in large businesses?

There is a dangerous misconception among small business leaders that they are not a target or a tempting morsel for cybercriminals. But according to statistics, small and medium-sized companies are victims of organized criminal groups in 50% of cases. In the case of global mass attacks like WannaCry, everyone gets hit: corporations, small firms and private users.

Targeted attacks are more relevant to large enterprises, when attackers understand the size of their potential "prey". But in my memory there were cases when such attacks were carried out on online stores and medium-sized companies in the wholesale trade.

The chance of an attack increases if attackers somehow find out that the company is not engaged in information and cybersecurity - in small businesses, they often hope for it.

Do these entrepreneurs leave IT security at the mercy of visiting specialists or a single employee, or is the role of automatic protection increasing?

In microbusinesses, IT is often handled by the most tech-savvy person, whose main job is something else - sometimes even logistics or sales. But if it turns out that a person is versed in information systems, then he takes on, among other things, the protection of computers and cyber security. The minimum he needs to do is install antivirus software. And he needs business solutions, not home protection.

These are solutions that the average person does not understand, but an advanced IT level is enough to set up this protection.

In a larger company, where there is a visiting or even its own admin, there is also a requirement for control. That is, the enterprise realizes that it needs to implement minimum security policies in order to understand what is happening and to reduce the range of risks and threats. We are ready to offer more and more advanced solutions as the company matures.

Is it more profitable to use cloud protection than the services of a regular visiting specialist?

An IT specialist still needs tools: this solution does not replace him but becomes the means by which he protects the organization. Kaspersky Small Office is a do-it-yourself solution. With it, the organization will be able to protect itself from current threats without yet resorting to the help of a professional.

What is the key difference between Endpoint Security Cloud and what are the benefits of a cloud solution?

Non-cloud protection is installed on a server - this requires a narrowly specialized expert. You need to be a technically competent person to deploy an Endpoint solution on a server, install agents, connect all this, set up a security policy, and so on. The cloud solution allows you to get protection fast: you do not need to buy a server and maintain it - that is, there are no costs for maintaining hardware. You save staff time and money.

The cloud solution is downloaded and installed in a few minutes, the whole task takes no more than an hour. The main advantage of this method is speed: protection takes effect within a few minutes.

Our solutions for small businesses are extremely lightweight in terms of management. Small Office Security does not require you to log into the web console at all. In Kaspersky Endpoint Security Cloud, the console is greatly simplified: all settings are automatically applied to new devices connected to protection. Although, if desired, the admin can add something manually. Moreover, both solutions are cloud-based and do not require hardware or a server.

As a rule, do more advanced organizations turn to such solutions, or not necessarily?

The degree of maturity of the organization, the manager and the IT specialist, if any, is important here. In general, the level of IT competence in Russia is quite high. An organization as a whole may strive for a modern infrastructure: some companies are abandoning their own hardware in order to be more flexible and dynamic.

Cloud solutions are very easy to scale. If you open a new point of sale or a new office, you can protect it using Kaspersky Endpoint Security Cloud in a matter of minutes. The speed of your business scaling and growing is not tied to your own infrastructure. Offices can be scattered across the country, and you do everything remotely, because all solutions are in the cloud. Companies that are geared towards growth and understand the issues involved in scaling choose the cloud from the start because traditional solutions will not allow them to change so quickly.

What other important trend do you see in the area of small business security?

Another trend is work on mobile devices. Large organizations have corporate mobility programs: they buy devices centrally, install collaboration tools, security tools, and so on. All this is controlled by the "security officer", and in principle it is impossible to connect to the company's infrastructure.

And in a small business, no one understands whether it is a personal device or not. A person chooses the most convenient gadget in order to cope with his work faster and more efficiently. We are ready to support such enterprises and provide protection for mobile devices as well. If the company is not yet using cloud protection, it can be connected later. And no matter where the person is - all protection can be installed remotely.

"The mobile device is becoming a surveillance tool, and that surveillance is, from the company's point of view, essentially legal." How do employees' personal smartphones and laptops create a security breach for the business?

Small companies cannot always afford to purchase all the necessary gadgets for employees, for example, work smartphones and laptops. At the same time, the use of personal devices for work purposes is encouraged so that the employee can always be in touch.

This is how a trend called BYOD (bring your own device) arose, and it is increasingly spreading in medium and small businesses.

"Due to BYOD, the company saves money on the purchase and maintenance of hardware and eliminates the risk of loss of and damage to mobile devices. And this is significant money," comments Viktor Chebyshev, antivirus expert at Kaspersky Lab.

However, the BYOD concept itself is controversial. Access of an employee's personal device to the internal perimeter of the company is convenient for the employee himself, but creates risks of data leakage and uncontrolled access to information.

In this case, the BYOD approach is a complicating factor and can become the "entry point" into the company for cybercriminals. Therefore, the organization needs to configure access and control entry in such a way that it will not always be convenient for the user.

To mitigate the risks of BYOD, many data protection measures need to be taken. Personal gadgets of staff are usually less protected than corporate ones and more susceptible to cyber threats and loss. According to a study by Kaspersky Lab, 35% of SME companies (with a staff of 1 to 249 employees) found that gadgets their employees also used for work purposes were infected with malware. Employees of 28% of organizations lost personal devices and media with corporate information: smartphones, laptops, external hard drives, flash drives. And the average damage from a successful attack on a company from the small and medium-sized business segment was estimated at 4.3 million rubles.

Personal devices of employees in business: what is the danger?

The severity of threats depends on how a company's IT department monitors the security of workers' mobile devices. Several solutions can be used here:

1. MDM profiles. Mobile Device Management (MDM) is a set of services and technologies that provide control and protection of the gadgets of the company and its employees. One part of MDM is installed on the employee's gadget, while the other is a "control center" for remote device management.

2. Limiting Policies. Not all employees need access to some resources. For example, why would an accountant use social media from work devices? This can be dangerous if the gadget contains confidential documents, and an employee accidentally clicks on a malicious Internet link. Therefore, flexible configuration of access rights to social networks or other programs or resources is a very important and necessary decision.

3. Antiviruses with centralized control that protect against malware. These solutions will allow you to immediately cut off the infected device from the company's infrastructure and conduct an investigation of the incident.

If none of these methods are practiced, then the company faces significant cybersecurity risks, warns Viktor Chebyshev. According to him, when a mobile device is infected, several scenarios are possible:

1. The malware collects all data from the mobile device - in fact, it spies. It can intercept important files in the device's memory, record conversations using the built-in microphone, take pictures with the cameras, and so on. The mobile device is turning into a surveillance tool, and this surveillance is, from the company's point of view, essentially legal.

2. The malware establishes a so-called tunnel. The mobile phone has two network interfaces - Wi-Fi and 3G/4G/LTE. An attacker from anywhere in the world can gain access to the company's internal infrastructure through these interfaces, since the mobile phone is constantly on the network and the company's internal Wi-Fi networks are available to BYOD devices. The consequences of such an infection can be arbitrarily severe.

Controlling data on laptops is a separate conversation. Unprotected information on a personal computer that can be lost at the airport or forgotten in a cafe is a common IT nightmare.

To avoid this threat, a number of companies allow employees to work only on office computers, which have severely limited data transfer capabilities and disabled USB ports for flash drives. But this approach won't work in a BYOD-focused company, warns Viktor Chebyshev. Protection involves restrictions that not all users are willing to accept.

How can entrepreneurs secure corporate information on personal gadgets?

There are several basic data protection techniques that should be applied in BYOD. “You shouldn't neglect them: the price of negligence can be incomparable with the price of even a complete set of protection,” says Viktor Chebyshev.

In no case should you neglect the protection of mobile gadgets (in addition to the main working devices - computers). Protect your computers, file servers, tablets and smartphones from Internet attacks, online financial fraud, ransomware and data loss with comprehensive protection. Such protection is provided, for example, by Kaspersky Small Office Security, specially designed for small companies with up to 25 employees, or by Kaspersky Endpoint Security Cloud, which helps protect small businesses without putting additional strain on IT resources, time and finances.

Activate the special Anti-Theft module for Android devices as part of comprehensive protection. This feature allows you to remotely lock a lost device, erase data on it, or locate it on a map.

Use full or partial encryption of corporate data. Then, even if a laptop or USB drive is lost or stolen, it will not be possible to access the information contained on them without a password.

Backup technology will save your business. With the help of a backup, you will always have a spare storage with the most up-to-date version of valuable working information in the event, for example, of a successful ransomware attack.

System administrators should always know what devices employees are using for work and have a remote “fuse” (remote control) for corporate data in such devices in case it is lost, stolen, or the owner leaves the company.

But on the whole, you shouldn't allow secret documents to leak outside the company's perimeter, even to cloud storages like Yandex.Disk and Google Drive - and then you won't have to destroy anything.

To secure your correspondence on corporate topics in personal messengers, you can give several recommendations. First, the latest version of the operating system must be installed on the mobile device. Secondly, always use a security solution - otherwise, the device cannot be allowed into the company perimeter.

Countermeasures include solutions from the line of Kaspersky Security for Business and Kaspersky Small Office Security. They include equally effective protection for corporate and personal computers and for mobile devices, which is especially important for small businesses. Kaspersky Small Office Security allows owners to focus on running their business because it is easy to use and does not require specialized IT administration knowledge to secure a company's network.

Will using employees' personal devices become more secure for the company?

The technical side of the cybersecurity issue in the BYOD concept will be improved, and more and more companies will refuse to purchase devices, Viktor Chebyshev is sure. It is likely that only companies that use specific mobile devices, such as shockproof and waterproof ones, will follow the old methods.

"The logic of device profiles on mobile operating systems is likely to become more complex. That is, the mobile device itself will decide that the owner is currently at work and block activities that involve the risk of infection or the device's access to places prohibited for it. Along with this, mechanisms for controlling personal devices in the enterprise network are evolving, and in the foreseeable future machine learning solutions will be introduced that register anomalies from BYOD devices. Such systems are the future," summarizes the Kaspersky Lab anti-virus expert.

2019

IS priorities of SMB

Companies of the SMB segment are drawn to the clouds, to a service-based consumption model following the MSSP (Managed Security Service Provider) approach. This helps them to significantly reduce operational costs in the field of information security.

"Now some vendors offer their clients cloud information security services on a subscription model. In my opinion, medium and small businesses will move towards just such a service model of information security," notes Dmitry Livshits, General Director of Digital Design.

The service model of information security consumption is becoming more and more in demand by small and medium-sized businesses, since these companies cannot afford a large staff of security specialists.


According to Vladimir Balanin, Head of the Information Security Department of I-Teco Group of Companies, the SMB segment is becoming the main consumer of service providers that deliver their services with integrated information security: there are no costs for administering, monitoring and maintaining their own infrastructure, and the risks of regulatory requirements are borne by the service provider itself.

At the same time, the Russian market is now characterized by a very limited supply of information security services for SMB. According to Andrey Yankin, director of the Information Security Center of Jet Infosystems, almost all services are aimed at large customers. Typical and inexpensive, but not primitive, information security services for SMB, according to him, practically do not exist, although in a number of other countries this market is well developed.

At the same time, with the development of the segment of managed information security services and the prospect of the development of the cyber-risk insurance market, this category of customers will have at their disposal measures adequate to modern threats.

In the meantime, SMB companies are implementing basic IT security, rarely rising to the level of business processes.


According to Dmitry Pudov, deputy general director of Angara Technologies Group for technologies and development, SMB representatives, given their budgets, have practically no access to high-tech or complex solutions. This is not solely due to the cost of solutions, but rather the OPEX that they carry.

The main solutions that customers of the SMB segment purchase are antiviruses and software firewalls, says Yakov Grodzensky, head of information security at System Soft. In addition, companies in this segment are actively interested in IS audit and penetration testing, because such organizations do not always employ a separate information security specialist, not to mention pentesters.

Vyacheslav Medvedev, a leading analyst at Doctor Web, adds that surveys of medium-sized businesses have shown that such companies do not have funds for security solutions other than basic ones.

Cybersecurity priorities of large business

It is always important for shareholders, owners and top management to have an objective picture of information security and technological processes within an organization, therefore the general level of information security maturity in companies is growing every year. However, some large organizations still lack elementary order in business processes that ensure the operation of information systems, which can lead to chaos in information security. Therefore, the main priority for large companies is in solving these problems, says Nikolay Zabusov, Director of the Department of Information and Network Security at Step Logic.

In addition, big business focuses on meeting the requirements of regulators and internal standards, trying to create a more or less uniformly protected infrastructure. Industry standards in the field of information security are developed and "implemented" in many corporations.

Large commercial companies essentially faced a choice: to follow the path of digital transformation, or to work without changing the paradigm of doing business. But in the second case, sooner or later they will be forced to give up their positions in the market to competitors who have shown great flexibility.

"Among the priorities for the enterprise segment, I can point out, on the one hand, increasing the efficiency of using classical information security solutions, and, on the other, introducing new types of threat protection tools as part of the implementation of digitalization projects. The latter is very important, since security restrictions are often one of the main reasons for the slow progress along the path of digital transformation," notes Oleg Shaburov, Head of the Information Security Department at Softline.

From the point of view of practical security, the vector is increasingly shifting from preventing attacks to detecting and responding to them, says Andrey Zaikin, head of information security at Krok. This leads to relatively young classes of solutions becoming more popular and in demand: EDR, IRP. Automated response systems come with different sets of scenarios (playbooks) and allow you to block attempts to spread threats.

Cybersecurity services

SMB companies that understand the criticality of information security for their business are following the path of using service models.

Introduction

Business leaders need to understand the importance of information security, learn to predict and manage trends in this area.

Today's business cannot exist without information technology. It is known that about 70% of the world's gross national product depends in one way or another on the information stored in information systems. The widespread introduction of computers has created not only well-known conveniences, but also problems, the most serious of which is the problem of information security.

Along with control elements for computers and computer networks, the standard pays great attention to the development of security policy, work with personnel (hiring, training, dismissal from work), ensuring the continuity of the production process, and legal requirements.

Undoubtedly, the topic of this course work is very relevant in modern conditions.

Coursework object: information security of the organization's professional activities.

Research subject: information security.

In the course work, it is planned to create a project of a management solution for the organization of information security on the basis of a real organization.

Chapter 1. Information security of professional activity

Information security is a relatively new area of professional activity of specialists. The main goals of such activities are:

Ensuring protection from external and internal threats in the field of formation, distribution and use of information resources;

Prevention of violations of the rights of citizens and organizations to maintain confidentiality and secrecy of information;

Providing conditions that prevent deliberate distortion or concealment of information in the absence of legal grounds for this.

The customers of specialists in this field are:

Federal bodies of state power and administration of the Russian Federation;

State authorities of the constituent entities of the Russian Federation;

Government agencies, organizations and enterprises;

Defense industry;

Local government bodies;

Non-governmental institutions, organizations and enterprises of all forms of ownership.

The appearance on open, albeit illegal, sale of a database of customers of the mobile operator MTS again and again forces us to address the problem of computer security. It looks like this topic is inexhaustible. Its relevance grows the higher the level of computerization of commercial firms and non-commercial organizations. High technologies, playing a revolutionary role in the development of business and practically all other aspects of modern society, make their users very vulnerable from the point of view of information and, ultimately, economic security.

This is a problem not only in Russia, but in most countries of the world, primarily Western ones, although there are laws that restrict access to personal information and impose strict requirements for its storage. The markets offer various systems for protecting computer networks. But how to protect yourself from your own “fifth column” - unscrupulous, disloyal, or simply careless employees who have access to classified information? The scandalous leak of the MTS client database could not have happened, apparently, without collusion or criminal negligence of the company's employees.

It seems that many, if not most, entrepreneurs simply do not understand the seriousness of the problem. Even in countries with developed market economies, according to some studies, 80% of companies do not have a well-thought-out, planned system for protecting storage and operational databases. What can we say about us, who are used to relying on the famous "maybe it will be fine".

Therefore, it is not useless to turn to the topic of the dangers of confidential information leaks and to talk about measures to reduce such risks. An article in the Legal Times (October 21, 2002), a publication devoted to legal issues, will help us here (Mark M. Martin, Evan Wagner, "Vulnerability and Information Security"). The authors list the most typical types and methods of information threats. Which ones?

Declassification and theft of trade secrets. Everything is more or less clear here. Classic economic espionage dating back to ancient history. Whereas previously secrets were kept in secret places, in massive safes, under reliable physical and (later) electronic protection, today many employees have access to office databases, often containing very sensitive information, for example, the same customer data.

Dissemination of compromising materials. Here the authors mean the intentional or accidental inclusion by employees, in e-mail, of material that casts a shadow on the company's reputation. For example, the company's name appears in the e-mail domain of a correspondent who allows himself defamation, insults, in short anything in his letters that can compromise the organization.

Intellectual property infringement. It is important not to forget that any intellectual product produced in an organization belongs to the organization and cannot be used by employees (including the generators and authors of intellectual values) except in the interests of the organization. Meanwhile, in Russia conflicts often arise on this account between organizations and employees who claim the intellectual product they have created and use it in their personal interests, to the detriment of the organization. This often happens because of a vague legal situation at the enterprise, when the labor contract does not contain clearly defined rules and regulations setting out the rights and obligations of employees.

Dissemination (often unintentional) of inside information that is not secret, but could be useful to competitors. For example, about new vacancies due to business expansion, business trips and negotiations.

Visits to competitors' sites. Now more and more companies use programs on their open sites (in particular, those designed for CRM), which allow them to recognize visitors and track their routes in detail, record the time and duration of their viewing of the site pages. It is clear that if your visit to a competitor's website is known in detail to its operator, then it is not difficult for the latter to conclude what exactly interests you. This is not a call to abandon a critical channel of competitive information. Competitor websites have been and remain a valuable source for analysis and forecasting. But when visiting sites, you must remember that you leave traces and you are also being watched.

Abuse of office communications for personal purposes (listening to or watching music and other content unrelated to work, and loading the office computer with it) does not pose a direct threat to information security, but creates additional load on the corporate network, reduces efficiency, and interferes with the work of colleagues.

And, finally, external threats - unauthorized intrusions, etc. This is a topic for another serious conversation.

How can you protect yourself from internal threats? There is simply no 100% guarantee against damage caused by your own employees. This is a human factor that does not lend itself to complete and unconditional control. At the same time, the authors mentioned above give useful advice: develop and implement a clearly formulated communication (or information) policy within the company. Such a policy should draw a clear line between what is permitted and what is not permitted in the use of office communications. Crossing that line leads to punishment. There should be a system for monitoring who uses the computer networks and how. The rules adopted by the company must comply with both national and internationally recognized standards for the protection of state and commercial secrets and of personal, private information.


Chapter 2. Information security of professional activity in LLC "Laspi"

2.1. Brief description of LLC "Laspi"

LLC "Laspi" was established in 1995 as a representative office of a Czech company in Russia. The company is engaged in the supply of Czech equipment and consumables for the production of various concrete products (from paving slabs to fences, flowerpots, etc.). The equipment is of high quality and reasonable cost. The customers contacting the Samara office are organizations from various cities of Russia and the CIS (Kazan, Ufa, Izhevsk, Moscow, Nizhny Novgorod, etc.). Naturally, such a large-scale activity requires special attention to information security within the company.

Information security today leaves much to be desired. Various documentation (technical, economic) is in the public domain, which allows almost any employee of the company (from the founder to the driver) to read it without hindrance.

Critical records are kept in the safe. Only the director and his secretary have the keys to the safe. But here the so-called human factor plays an essential role. Often, the keys are forgotten in the office on the table and the safe can even be opened by a cleaning lady.

Economic documents (reports, bills, invoices, etc.) are arranged in folders on the shelves of a cabinet that cannot be locked.

When hired, employees do not sign any agreement on non-disclosure of information constituting a trade secret, so nothing prevents them from distributing such information.

The recruitment of employees is carried out through an interview consisting of two stages:

1. Communication with the immediate supervisor, at which the skills and abilities of the potential employee are revealed.

2. Communication with the founder, which is more personal in nature; the conclusion of this dialogue is either "we will work together" or "we will not work together".

All this requires closer attention from the management and a competent program to ensure the information security of the company, because today Laspi LLC has a lot of competitors who are unlikely to miss the opportunity to use, for example, the company's client base or supplier base.

2.2. Project of a management solution to ensure information security of professional activities of Laspi LLC.

An important place in the system of organizational, administrative, legal and other measures that make it possible to properly solve the problems of informational support of scientific, industrial and commercial activities, of the physical safety of material carriers of classified information, of preventing their leakage and of preserving commercial secrets is occupied by the permissive (authorization) system of access of performers to classified documents and information.

Taking into account the Law of the RSFSR "On Enterprises and Entrepreneurial Activity", the head of an enterprise (firm), regardless of the form of ownership, can establish special rules for access to information constituting a trade secret and to its carriers, thereby ensuring their safety.

In the system of security measures, the optimal distribution of production, commercial and financial-credit information constituting the secret of the enterprise among the specific performers of the relevant work and documents is of essential importance. When distributing information it is necessary, on the one hand, to ensure that a specific employee is provided with the full amount of data needed for high-quality and timely execution of the work entrusted to him, and, on the other hand, to exclude the performer's acquaintance with unnecessary classified information that he does not need for his work.

In order to ensure lawful and reasonable access of performers to information constituting a commercial secret of the company, it is recommended to develop and implement an appropriate authorization system at enterprises.

Access is understood as obtaining written permission from the head of the company (or, with his approval, from other executives) to issue specific (or in full) non-public information to a particular employee, taking into account his job duties (official powers).

Access to commercial secrets can be formalized in accordance with a Regulation on the authorization system of access approved by the director, in which the powers of the company's officials to distribute information and to use it are legally fixed. The head of the organization may authorize the use of any protected information by any employee of the enterprise, or by a person who has arrived at the facility from another organization to resolve particular issues, if there are no restrictions on this information on the part of production and commercial partners in joint production, etc. Thus, in LLC "Laspi" it is recommended to restrict access to information constituting a commercial secret (contracts with suppliers and customers, final reports on transactions) to the following employees:

1. The founder of the company.

2. The director of the company.

3. The secretary of the director.

Only the founder and director of the firm can authorize access to information to other employees.

All of the above employees and managers who conduct these transactions should have access to information about current transactions with clients.

Initial information on the purchase prices of equipment should be similarly limited. Only the founder and the director of the company have access to it, and they provide the rest of the employees only with the already worked-out prices (with the various "markups" applied); the secretary, who maintains the entire document flow in the organization, also has access.

Effective work of the permitting system is possible only if certain rules are observed:

1. The authorization system, as a mandatory rule, includes a differentiated approach to authorizing access, taking into account the importance of classified information in relation to which the issue of access is being decided.

2. A documentary reflection of the issued permission for the right to use one or another protected information is required. This means that the manager who gave permission for the right to use must obligatorily record it in writing on the corresponding document or in the accounting form in force at the enterprise. Any verbal instructions and requests for access from anyone (with the exception of the head of the enterprise) have no legal effect. This requirement also applies to managers at all levels working with classified information and its carriers. Thus, only the written permission of the head (within the scope of authority) is a permission for the issuance of protected information to a particular person.

3. The principle of control should be strictly observed. Each permit must have the date of its registration and issue.

Such a traditional form of permission as the head's resolution on the classified document itself is widespread. Such a resolution must contain the list of names of the employees who are obliged to familiarize themselves with the documents or to execute them, the deadline for execution, other instructions, the signature of the manager and the date. If necessary, the manager can restrict the access of specific employees to certain information.

The resolution, as a type of permission, is used mainly for prompt delivery to interested parties of classified information contained in documents and products received from outside and created at the enterprise.

The head of the enterprise can grant access in administrative documents: orders, directives and instructions for the enterprise. These must contain the names and positions of the persons and the specific classified documents and products to which they may be admitted (with which they may familiarize themselves).

Another type of permission is name lists of persons entitled to familiarize themselves with classified documents and products and to perform certain actions on them. Name lists are approved by the director of the enterprise or, in accordance with the current authorization system, by managers who, as a rule, occupy positions not lower than the heads of the relevant departments.

Name lists of persons can be used when organizing access to classified documents and products of particular importance for the enterprise, when arranging access to restricted areas and to closed events of various kinds (conferences, meetings, exhibitions, meetings of scientific and technical councils, etc.). A name list may identify specific managers who are admitted by the head to all closed documents and products without separate written permission. The list indicates the full name of the performer of the work, the department, the position held, and the categories of documents and products to which he is admitted. In practice, job lists are also used; these indicate the position of the performer, the volume of documents (categories of documents) and the types of products that must be used by employees of the enterprise holding the position corresponding to the list. It should be noted that for enterprises with a small volume of classified documents and products it may be sufficient to use such types of permission as the head's resolution on the document itself, name lists and job lists.

Organizationally, name lists should be prepared by the interested heads of structural units. The list of employees included in it is endorsed by the head of the security service and approved by the head of the enterprise, who may delegate the right of approval to other persons from the management.

The permitting system must meet the following requirements:

· Apply to all types of classified documents and products available at the enterprise, regardless of their location and creation;

· Determine the access procedure for all categories of employees who have received the right to work with commercial secrets, as well as for specialists who have temporarily arrived at the enterprise in connection with joint closed orders;

· Establish a simple and reliable procedure for issuing permits for access to protected documents and products, which allows you to immediately respond to changes in the field of information at the enterprise;

· Clearly delineate the rights of managers of various job levels in the design of access for the relevant categories of performers;

· Exclude the possibility of uncontrolled and unauthorized issuance of documents and products to anyone;

· Not allow persons working with classified information and objects to make changes to accounting records or to replace accounting documents.

When developing a permitting system, special attention should be paid to highlighting the main information that is especially valuable for the enterprise, which will ensure strictly limited access to them. In the presence of joint work with other enterprises (organizations), foreign firms or their individual representatives, it is necessary to provide for the procedure for access of these categories to the commercial secrets of the enterprise. It is advisable to determine the procedure for interaction with representatives of serving state organizations: technical supervision, sanitary and epidemiological station, etc.

The Regulation on the company's authorization system must state that the transfer of classified documents and products from one performer to another is possible only within the structural unit and with the permission of its head. The transfer and return of such documents and products is carried out in the order established by the company and only during the working hours of the given day.

All classified documentation and products received and developed by the enterprise are accepted and accounted for by the middle management and the secretary. After registration, the documentation is submitted for consideration to the head of the enterprise against receipt.

The Regulation on the company's authorization system must also state that closed meetings on business matters are held only with the permission of the head of the company or his deputies. Special requirements may apply to meetings of academic councils, meetings reviewing the results of R&D and of financial and commercial activities, etc. For such events it is recommended to draw up permissive lists without fail and to include in them only those employees of the enterprise who are directly related to the planned events and whose participation is dictated by official necessity.

As noted above, employees of other firms can participate in closed meetings only with the personal permission of the firm's management. The lists are prepared, as a rule, by the person responsible for organizing the meeting, in contact with the interested heads of structural units. The list is the basis for controlling admission to the meeting. Before the start of the meeting, those present are warned that the information discussed is of a classified nature and may not be distributed beyond the scope of circulation established by the company, and are instructed on how to keep notes.

It is important to emphasize that the establishment at the company of a certain procedure for handling classified information and products significantly increases the reliability of protecting trade secrets, reduces the likelihood of disclosure, loss of carriers of this information.

To ensure the safety of the documents, it is proposed to purchase the appropriate furniture, which allows the documents to be securely locked. It is also necessary to seal the cabinets every day, before leaving.

The keys to the safe and cabinets must be handed over to the security service against signature. It is also recommended to purchase a special tube for storing keys and also seal it.

Particular attention should be paid to the security of computer information. In LLC "Laspi" today several databases have been created: clients of the company (indicating not only their work addresses and phone numbers, but also home, as well as personal information); database containing prices and characteristics of supplied equipment; database of employees of the organization. The computer also stores various contracts, agreements, etc.

In any case, it is highly undesirable for this information to fall into the hands of competitors. To prevent such a development, it is recommended to set passwords for access to each database (the software tools allow this). It is also recommended to set two-level protection when the computer boots: a BIOS password and the Windows 2000 logon password (unlike previous versions of this operating system, Windows 2000 does not allow passwordless access to the contents of the hard drive). Naturally, the passwords should be known only to those employees of the company who work directly with these databases (the secretary, the managers, the programmers).

Should any problem arise with the computer that requires calling in a third party, the repair process must be fully supervised. It is precisely at such a moment, when all passwords have been removed and the outside technician has free and unhindered access to the contents of the hard disk, that he can extract information and use it for various purposes.

It is necessary to constantly update antivirus programs in order to prevent the entry and spread of viruses in computers.

Particular attention should be paid to the issues of hiring new employees. Today, many organizations practice a toughened approach to this process, which is associated with the desire to preserve information within the company and not allow it to go beyond it due to the "human factor".

Whereas in most cases recruitment is carried out in two stages (summarized above), here four stages are proposed.

1. Conversation with the head of the personnel department. The head of the personnel department gets acquainted with the candidate, his resume, asks questions about his professional activities, making preliminary notes. This stage is professional in nature. Then the head of the personnel department analyzes the information received from the candidates and transfers it to the head.

2. Interview with the manager. The manager reviews the candidates' résumés and the notes of the head of the personnel department, selects the most suitable candidates and invites them for an interview. The interview is personal in nature and involves non-standard questions (for example, what the person likes to eat, what his hobby is, etc.). In this way the manager gathers information to decide how suitable the person is for him and anticipates the problems he may encounter in dealing with this candidate.

3. Testing. Here the level of intelligence of the employee is already determined, his psychological portrait is drawn up on the basis of various tests. But first, you need to determine how the manager and colleagues want to see the new employee.

4. Security service. This involves two stages: a) checking the candidate with various authorities (whether he has been prosecuted, has served time in places of detention, is registered with a drug treatment clinic, and whether the information he provided about previous jobs is true); b) checking on special equipment, most often called a "lie detector". At the second stage it is determined how loyal the employee is to the company and how he reacts to provocative questions (for example, what he would do if he found out that a colleague was taking documents home), etc.

And only after the candidate has passed all these four stages, it is possible to make a decision - whether to hire him or not.

After a positive decision is made, a probationary period is set for the employee (according to the legislation of the Russian Federation, it can vary from 1 month to three, but it is recommended not less than 2 months, and preferably 3). During the probationary period, the management and the security service must keep an eye on the new employee, observe his activities.

In addition, immediately upon hiring, along with the conclusion of an employment contract, an agreement on non-disclosure of commercial secrets must be signed. Recommended clauses of this agreement:

This is not a complete list of what may be included in the agreement.


Conclusion

Today, the issue of organizing information security is of concern to organizations of any level - from large corporations to entrepreneurs without a legal entity. Competition in modern market relations is far from perfect and is often not conducted in the most legal ways. Industrial espionage is flourishing. But there are also cases of unintentional dissemination of information related to the trade secret of an organization. As a rule, the negligence of employees, their lack of understanding of the situation, in other words, the "human factor", plays a role here.

The course work presents a project of a management solution for the organization of information security in LLC "Laspi". The project touches upon three main areas of security organization: 1. documentation area (access to materials presented on paper, with the delimitation of this access); 2. computer security; 3. security in terms of hiring new employees.

It should be borne in mind that although this project was developed for a specific organization, its provisions can also be used to organize security in other firms belonging to the category of medium-sized ones.

Ministry of Education and Science of the Russian Federation

Federal State Budgetary Educational Institution of Higher Professional Education

"PERM NATIONAL RESEARCH POLYTECHNIC UNIVERSITY"


Test

by discipline

INFORMATION SECURITY OF THE ENTERPRISE

Topic: "Information security in business on the example of OJSC "Alfa-Bank""


Completed by a student

group FK-11B:

Smyshlyaeva Maria Sergeevna

Checked by the teacher:

Shaburov Andrey Sergeevich


Perm - 2013


Introduction

Conclusion

List of references

Introduction


The information resources of most companies are among their most valuable assets. For this reason, commercial and confidential information and personal data must be reliably protected from unauthorized use, while remaining easily accessible to those who process this information or use it in performing their assigned tasks. The use of special tools for this contributes to the stability and viability of the company's business.

As practice shows, the issue of organizing the protection of business in modern conditions has become the most urgent. Online stores are being “opened” and customers' credit cards are emptied, casinos and sweepstakes are blackmailed, corporate networks are under external control, computers are “zombified” and included in botnets, and fraud using stolen personal data is becoming a national disaster.

Therefore, company leaders must understand the importance of information security, learn to predict and manage trends in this area.

The purpose of this work is to identify the advantages and disadvantages of a business information security system using the example of Alfa-Bank.

Characteristics of the activities of OJSC "Alfa-Bank"


Alfa-Bank was founded in 1990. Alfa-Bank is a universal bank that carries out all the main types of banking operations on the financial services market, including servicing private and corporate clients, investment banking, trade finance and asset management.

Alfa-Bank's head office is located in Moscow; a total of 444 branches and offices of the bank have been opened in the regions of Russia and abroad, including a subsidiary bank in the Netherlands and financial subsidiaries in the USA, Great Britain and Cyprus. Alfa-Bank employs about 17 thousand people.

Alfa-Bank is the largest Russian private bank in terms of total assets, total capital and deposits. The bank has a large client base of both corporate clients and individuals. Alfa-Bank is developing as a universal bank in the main areas: corporate and investment business (including small and medium-sized businesses (SME), trade and structured finance, leasing and factoring), retail business (including a system of bank branches, car loans and mortgages). Particular attention is paid to the development of banking products for corporate business in the mass and SME segments, as well as the development of remote self-service channels and Internet acquiring. Alfa-Bank's strategic priorities are maintaining the status of a leading private bank in Russia, strengthening stability, increasing profitability, setting industry standards for manufacturability, efficiency, customer service quality, and teamwork.

Alfa-Bank is one of the most active Russian banks in the world capital markets. Leading international rating agencies assign Alfa-Bank some of the highest ratings among Russian private banks. Four times in a row it ranked first in the Customer Experience Index ("The retail banking sector after the financial crisis"), conducted by Senteo together with PricewaterhouseCoopers. Also in 2012, Alfa-Bank was recognized as the best Internet bank by GlobalFinance magazine, received the award for the best analytics from the National Association of Securities Market Participants (NAUFOR), and became the best Russian private bank according to the confidence index calculated by the research holding Romir.

Today the Bank has a federal-scale network of 83 points of sale. Alfa Bank has one of the largest networks among commercial banks, consisting of 55 offices and covering 23 cities. As a result of the expansion of the network, the Bank gained additional opportunities to increase its client base, expand the range and quality of banking products, implement interregional programs, and provide comprehensive services to backbone clients from among the largest enterprises.


Analysis of the theoretical basis of the issue of information security of business


Relevance and the importance of the problem of ensuring information security is due to the following factors:

· Modern levels and rates of development of information security tools lag significantly behind the levels and rates of development of information technology.

· High growth rates of the park of personal computers used in various spheres of human activity. According to research by Gartner Dataquest, there are currently more than a billion personal computers in the world.


· A sharp expansion of the circle of users with direct access to computing resources and data arrays;

At present, the importance of information stored in banks has increased significantly: important and often secret information about the financial and economic activities of many people, companies, organizations and even entire states is concentrated there. The bank stores and processes valuable information that affects the interests of a large number of people, including important information about its customers, which expands the circle of potential intruders interested in stealing or damaging such information.

Over 90% of all crimes are associated with the use of the bank's automated information processing systems. Consequently, when creating and modernizing such systems (ASOIB), banks need to pay close attention to their security.

The main attention should be paid to the computer security of banks, i.e. security of automated systems for processing bank information, as the most urgent, complex and pressing problem in the field of banking information security.

The rapid development of information technology has opened up new business opportunities, but has also led to the emergence of new threats. Because of competition, modern software products are sold with errors and defects: developers, packing all kinds of functions into their products, do not have time to debug the created software systems properly. The errors and flaws left in these systems lead to accidental and intentional breaches of information security. For example, most accidental losses of information are caused by failures of software and hardware, and most attacks on computer systems are based on discovered bugs and flaws in the software. For example, in the first six months after the release of the Microsoft Windows server operating system, 14 vulnerabilities were discovered, 6 of which were critical. Although Microsoft develops service packs over time that eliminate the identified deficiencies, users have already suffered from the information security breaches that occurred because of the remaining errors. Until these and many other problems are resolved, the insufficient level of information security will remain a serious brake on the development of information technologies.

Information security is understood as the protection of information and its supporting infrastructure from accidental or intentional influences of a natural or artificial nature that can cause unacceptable damage to the subjects of information relations, including the owners and users of the information and the supporting infrastructure.

In the modern business world, there is a process of migration of tangible assets towards information assets. As the organization develops, its information system becomes more complex, the main task of which is to ensure maximum efficiency of business in the constantly changing conditions of competition in the market.

Considering information as a commodity, we can say that ensuring information security in general can lead to significant cost savings, while the damage done to it leads to material costs. For example, the disclosure of the manufacturing technology of the original product will lead to the appearance of a similar product, but from another manufacturer, and as a result of a breach of information security, the owner of the technology, and perhaps the author, will lose part of the market, etc. On the other hand, information is the subject of control, and its change can lead to catastrophic consequences in the control object.

According to GOST R 50922-2006, information security is an activity aimed at preventing information leakage, unauthorized and unintentional influences on protected information. Information security is relevant for both enterprises and government agencies. With the aim of comprehensive protection of information resources, work is being carried out on the construction and development of information security systems.

There are many causes that can seriously disrupt the operation of local and global networks and lead to the loss of valuable information. Among them are the following:

· Unauthorized access from outside, copying or modification of information, and accidental or deliberate actions leading to distortion or destruction of data, or to unauthorized persons becoming familiar with information constituting banking, financial or state secrets.

· Incorrect software operation leading to loss or corruption of data, caused by errors in application or network software or by infection of systems with computer viruses.

· Technical failures of equipment caused by power outages, failure of disk systems and data archiving (backup) systems, or breakdown of servers, workstations, network cards and modems.

· Errors by maintenance personnel.

Of course, no single solution eliminates all of these causes, but many organizations have developed and implemented technical and administrative measures that minimize the risk of data loss or unauthorized access.

Today there is a large arsenal of information security methods, which are also used at Alfa-Bank:

· means of identification and authentication of users (the so-called "3A" complex);

· encryption tools for information stored on computers and transmitted over networks;

· firewalls;

· virtual private networks;

· content filtering tools;

· tools for checking the integrity of disk contents;

· anti-virus protection means;

· network vulnerability detection systems and network attack analyzers.

The "3A" complex comprises authentication (together with identification), authorization and administration. Identification and authentication are key elements of information security. When a user tries to access a program, identification answers the question "Who are you?" (the user presents a login) and authentication answers "Can you prove it?" (the user presents a password or other credential). Authorization determines which resources a particular, already authenticated user may access. Administration gives the user identifying attributes within a given network and defines the scope of actions permitted to him. At Alfa-Bank, each employee's login and password are requested when programs are opened, and for some operations the authorization of the department head or deputy head is additionally required.

Encryption systems minimize losses when data stored on a hard disk or other medium is accessed without authorization, or when information is intercepted in e-mail or in transit over network protocols. The purpose of this protection is confidentiality. The main requirements for encryption systems are high cryptographic strength and legality of use on the territory of Russia (or other states). Encryption alone does not protect integrity: a system that must also detect tampering needs an authenticated encryption mode or a separate message authentication code.

A firewall is a system or combination of systems that forms a protective barrier between two or more networks, preventing unauthorized packets from entering or leaving a network. The basic principle is to check each packet against a rule base: a simple packet filter compares source and destination IP addresses (and usually protocol and port numbers) with a list of permitted addresses, and everything not explicitly permitted is denied. Firewalls thus significantly extend the ability to segment networks and control the flow of data between segments.

Alongside cryptography and firewalls, secure virtual private networks (VPNs) deserve mention. They address the confidentiality and integrity of data transmitted over open communication channels.

An effective means of preventing loss of confidential information is filtering the content of incoming and outgoing e-mail. Checking messages and their attachments against organizational rules also helps protect the company from legal claims and its employees from spam. Content filtering tools can examine files in all common formats, including compressed archives and images, and a properly sized filter does so without a noticeable reduction in network throughput.
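The following is an added example, not code from Alfa-Bank or any filtering product, showing how a content filter applies organizational rules to an outgoing message: it opens a zip attachment to look for executable content, checks magic bytes rather than trusting the file name, and flags a confidentiality marker only when a recipient is outside the corporate domain. The domain bank.example, the marker words, the blocked extensions, the size ceiling and the sample message are assumptions made for the example.

```python
"""Added example (not Alfa-Bank's or any vendor's code): a content filter for
outgoing mail that applies two constructed organizational rules, namely
"no executable content, even inside archives" and "no confidentiality marker
in mail leaving the corporate domain". The company domain bank.example, the
marker words and the sample messages are all assumptions."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses
from typing import List

COMPANY_DOMAIN = "bank.example"                        # assumption
BLOCKED_EXT = {".exe", ".scr", ".bat", ".vbs", ".js"}  # assumption
MAX_UNPACKED = 50 * 1024 * 1024                        # zip-bomb ceiling, assumption
MARKER = re.compile(r"commercial secret|confidential|bank secrecy", re.IGNORECASE)


def _blocked_name(name: str) -> bool:
    return any(name.lower().endswith(ext) for ext in BLOCKED_EXT)


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Findings for one attachment; archives are opened and checked inside."""
    findings = []
    if _blocked_name(filename):
        findings.append(f"{filename}: blocked extension")
    if data.startswith(b"MZ"):                      # PE header, whatever the name says
        findings.append(f"{filename}: executable by magic bytes")
    if data.startswith(b"PK\x03\x04"):              # zip local file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if _blocked_name(info.filename):
                        findings.append(f"{filename}: archive contains {info.filename}")
                    if info.file_size > MAX_UNPACKED:
                        findings.append(f"{filename}: {info.filename} unpacks to {info.file_size} bytes")
        except zipfile.BadZipFile:
            findings.append(f"{filename}: corrupt or disguised archive")
    return findings


def _has_external_recipient(msg) -> bool:
    fields = [str(v) for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    return any(not addr.lower().endswith("@" + COMPANY_DOMAIN)
               for _, addr in getaddresses(fields))


def filter_message(raw: bytes) -> List[str]:
    """Return the rule violations for a raw RFC 5322 message (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and _has_external_recipient(msg) and MARKER.search(body.get_content()):
        findings.append("body: confidentiality marker in mail to an external recipient")
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_attachment(part.get_filename() or "unnamed", payload))
    return findings


def build_sample() -> bytes:
    """Constructed message: external recipient, marker in body, .exe inside a zip."""
    msg = EmailMessage()
    msg["From"] = "ivanov@bank.example"
    msg["To"] = "partner@outside.example"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Attached is the report. CONFIDENTIAL: commercial secret of the Bank.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.exe", b"MZ" + b"\x00" * 64)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="report.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in filter_message(build_sample()):
        print(finding)
```

The archive is inspected by its central directory only, so a declared uncompressed size above the ceiling is reported without ever extracting the member; a real deployment would also cap nesting depth for archives inside archives.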

Modern anti-virus technologies detect almost all already-known malware by comparing the code of a suspicious file with samples (signatures) stored in the anti-virus database. In addition, behavioral analysis technologies have been developed to detect newly created malware that is not yet in the database. Detected objects can be disinfected, isolated (placed in quarantine) or deleted. Anti-virus protection can be installed on workstations, file and mail servers and firewalls running almost any common operating system (Windows, Unix and Linux systems, Novell) on various processor types. Spam filters significantly reduce the overhead of sorting through spam, reduce traffic and server load, improve the working environment and reduce the risk of employees being drawn into fraudulent transactions. Spam filters also reduce the risk of infection with new viruses, because messages carrying viruses (even ones not yet in the anti-virus databases) often show the signs of spam and are filtered out. The positive effect of spam filtering can be cancelled, however, if the filter deletes or marks as spam useful business or personal messages along with the junk; the false-positive rate therefore matters as much as the detection rate.
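Added example, not Kaspersky's or Alfa-Bank's code, placing the two approaches of the previous paragraph side by side: signature matching against a byte pattern and a file hash for known samples, and a static heuristic (injection-related imports plus a high-entropy body in a PE file) for samples not yet in the database, with the verdict mapped to the delete, quarantine or allow actions. The EICAR string is the industry's standard harmless test pattern; the hash entry, the API list, the threshold and the samples are constructed for the example.

```python
"""Added example (not Kaspersky's or Alfa-Bank's code): the two detection
strategies described above side by side. Signature matching catches what is
already in the database (a byte pattern or a file hash); a static heuristic
flags unknown samples that look packed and import process-injection APIs.
The EICAR test string is the industry-standard harmless test pattern; the
"known worm" hash, the API list, the thresholds and the samples are
constructed for this example."""
import hashlib
import math
from typing import Dict, List, Tuple

# Byte-pattern signatures: name -> pattern that must appear in the file
SIGNATURES: Dict[str, bytes] = {
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}
# Whole-file hashes of known samples (constructed: hash of a stand-in byte string)
KNOWN_HASHES: Dict[str, str] = {
    hashlib.sha256(b"constructed stand-in for a known worm sample").hexdigest(): "Constructed.Worm.A",
}
# Imports commonly used for code injection; their presence alone is not proof
SUSPICIOUS_APIS = [b"CreateRemoteThread", b"WriteProcessMemory", b"VirtualAllocEx"]
SUSPICION_THRESHOLD = 3   # assumption: a score at or above this means quarantine


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or packed content, low for plain code or text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def heuristic_score(data: bytes) -> int:
    """Static heuristic for PE files: injection APIs plus a high-entropy body."""
    if not data.startswith(b"MZ"):
        return 0
    score = sum(1 for api in SUSPICIOUS_APIS if api in data)
    if shannon_entropy(data[64:]) > 7.0:   # skip the header, judge the payload
        score += 2
    return score


def scan(data: bytes) -> Tuple[str, List[str]]:
    """Return (verdict, detections): verdict is 'known', 'suspicious' or 'clean'."""
    detections = [name for name, pattern in SIGNATURES.items() if pattern in data]
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_HASHES:
        detections.append(KNOWN_HASHES[digest])
    if detections:
        return "known", detections
    score = heuristic_score(data)
    if score >= SUSPICION_THRESHOLD:
        return "suspicious", [f"heuristic score {score}"]
    return "clean", []


def action_for(verdict: str) -> str:
    """Map verdicts to the responses the text lists: delete, quarantine, or allow."""
    return {"known": "delete", "suspicious": "quarantine"}.get(verdict, "allow")


def packed_sample() -> bytes:
    """Constructed 'packed PE': MZ header, injection imports, pseudo-random body."""
    body = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return b"MZ" + b"\x00" * 62 + b"CreateRemoteThread\x00WriteProcessMemory\x00" + body


if __name__ == "__main__":
    for sample in (b"just a memo", packed_sample(), b"X" + SIGNATURES["EICAR-Test-File"]):
        verdict, why = scan(sample)
        print(verdict, action_for(verdict), why)
```

Known samples go straight to deletion because the match is exact; heuristic hits only go to quarantine, since a packed but legitimate installer can score just as high, which is the false-positive problem the paragraph warns about.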

Several of the most typical types and methods of information threats are the following:

Disclosure and theft of trade secrets. Whereas secrets were once kept in secret places, in massive safes, under reliable physical and (later) electronic protection, today many employees have access to office databases that often contain very sensitive information, such as customer data.

Dissemination of compromising material, that is, the deliberate or accidental use in electronic correspondence of information that tarnishes the bank's reputation.

Intellectual property infringement. Any intellectual product produced in a bank, as in any organization, belongs to the organization and may not be used by employees (including the generators and authors of that intellectual value) other than in the organization's interests. In Russia, however, conflicts often arise between organizations and employees who claim the intellectual product they created and use it in their personal interests to the detriment of the organization. This usually stems from a vague legal situation at the enterprise, when the employment contract does not contain clearly defined rules outlining the rights and obligations of employees.

Dissemination (often unintentional) of inside information that is not secret but may be useful to competitors (other banks).

Visits to competing banks' websites. More and more companies run software on their public sites (in particular, CRM-oriented tools) that recognizes visitors and tracks their routes in detail, recording when and for how long each page was viewed; a competitor can thus see who is studying its site and what they are interested in. Competitor websites nevertheless have been and remain a valuable source for analysis and forecasting.

Abuse of office communications for personal purposes (listening to music, watching other content unrelated to work, loading the office computer) does not pose a direct threat to information security, but it creates additional load on the corporate network, reduces efficiency and interferes with colleagues' work.

And, finally, external threats: unauthorized intrusions and the like.

The rules adopted by the bank must comply with both national and internationally recognized standards for the protection of state and commercial secrets, personal and private information.


Organizational protection of information in Alfa-Bank


Alfa-Bank has implemented a security policy based on discretionary (selective) access control. In OJSC "Alfa-Bank" such control is characterized by a set of permitted access relations specified by the administrator: the access matrix is filled in directly by the company's system administrator. A discretionary policy meets the requirements of management and the requirements for information security, access control and accountability, and has an acceptable cost. Implementation of the information security policy is entrusted entirely to the system administrator of OJSC "Alfa-Bank", which makes the administrator's own changes to the matrix the one action the matrix itself cannot constrain; those changes need to be logged and reviewed separately.
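As an added example (not Alfa-Bank's software), the following code implements the "3A" functions described earlier on top of a discretionary access matrix of the kind just described: the administrator creates users and fills the matrix, authentication checks a salted password hash, authorization consults the matrix and, for operations marked for dual control, requires a second person in a head or deputy role, and every decision is written to an audit trail. All logins, passwords, resources, operations and the role names are assumptions.

```python
"""Added example (not Alfa-Bank's code): the "3A" functions (identification
and authentication, authorization, administration) implemented over a
discretionary access matrix, plus dual control for sensitive operations
and an audit trail of both allowed and refused actions.

All logins, passwords, resources and operations below are constructed
sample data; the role names "head" and "deputy" are an assumption."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Roles permitted to give the second authorization for dual-control operations
APPROVER_ROLES = {"head", "deputy"}


def _hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; store this, never the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


@dataclass
class User:
    login: str
    salt: bytes
    pw_hash: bytes
    role: str


@dataclass
class AccessControl:
    users: Dict[str, User] = field(default_factory=dict)
    # Access matrix: matrix[login][resource] -> set of permitted operations.
    # Filled in by the administrator, which is what makes the policy discretionary.
    matrix: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    # (resource, operation) pairs that additionally need a head's or deputy's sign-off
    dual_control: Set[Tuple[str, str]] = field(default_factory=set)
    # Audit trail: every decision, allowed or refused, is recorded
    audit: List[Tuple[str, str, str, Optional[str], str]] = field(default_factory=list)

    # --- administration: the administrator creates identities and grants rights ---
    def add_user(self, login: str, password: str, role: str = "employee") -> None:
        salt = os.urandom(16)
        self.users[login] = User(login, salt, _hash_password(password, salt), role)
        self.matrix.setdefault(login, {})

    def grant(self, login: str, resource: str, *operations: str) -> None:
        self.matrix.setdefault(login, {}).setdefault(resource, set()).update(operations)

    # --- identification ("who are you?") + authentication ("prove it") ---
    def authenticate(self, login: str, password: str) -> bool:
        user = self.users.get(login)
        if user is None:
            # Hash anyway so an unknown login takes as long as a wrong password
            _hash_password(password, b"\x00" * 16)
            return False
        return hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)

    # --- authorization: consult the matrix, then dual control where required ---
    def authorize(self, login: str, resource: str, operation: str,
                  approver: Optional[str] = None) -> bool:
        allowed = operation in self.matrix.get(login, {}).get(resource, set())
        if allowed and (resource, operation) in self.dual_control:
            second = self.users.get(approver) if approver else None
            # The approver must be a different person holding an approving role
            allowed = (second is not None and second.login != login
                       and second.role in APPROVER_ROLES)
        self.audit.append((login, resource, operation, approver,
                           "ALLOW" if allowed else "DENY"))
        return allowed


def build_demo() -> AccessControl:
    """Constructed sample: one teller, one department head, two resources."""
    ac = AccessControl()
    ac.add_user("ivanov", "correct horse battery", role="employee")
    ac.add_user("petrova", "head-of-department", role="head")
    ac.grant("ivanov", "clients_db", "read")
    ac.grant("ivanov", "payments", "read", "transfer")
    ac.dual_control.add(("payments", "transfer"))
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print(ac.authenticate("ivanov", "correct horse battery"))        # True
    print(ac.authorize("ivanov", "payments", "transfer"))              # False: no approver
    print(ac.authorize("ivanov", "payments", "transfer", "petrova"))   # True
    for entry in ac.audit:
        print(entry)
```

Note that the approver is checked by role and identity but not re-authenticated here; in a real system the second person's credentials would be verified at the moment of approval rather than taken from a name typed by the first user.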

Alongside the existing security policy, OJSC "Alfa-Bank" uses specialized hardware and software security tools.

The hardware security device is a Cisco 1605 router. It is equipped with two Ethernet interfaces (one with TP and AUI connectors, the other with TP only) for the LAN and one expansion slot for a module from the Cisco 1600 series. With the Cisco IOS Firewall Feature Set software, the Cisco 1605-R becomes a flexible router/security appliance for a small office. Depending on the installed module, the router supports connections over ISDN, dial-up or leased lines from 1200 bps to 2 Mbps, Frame Relay, SMDS and X.25.

To protect information, the owner of a LAN must secure the network "perimeter", for example by establishing control at the junction between the internal and external networks. Cisco IOS provides flexibility and security through standard tools such as extended access lists (ACLs), lock-and-key (dynamic ACLs) and route authentication. In addition, the Cisco IOS Firewall Feature Set, available for the 1600 and 2500 series routers, provides comprehensive security features including:

· context-based access control (CBAC), which tracks sessions opened from the inside and admits only the matching return traffic;

· Java applet blocking;

· audit trail logging;

· intrusion detection and attack prevention;

· real-time alerts.

The router also supports virtual private networks, tunnels, priority control, resource reservation and various routing control methods.
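Added example, not Cisco IOS code or Alfa-Bank's configuration, showing what the extended ACL and CBAC features above do: outbound packets are matched against ordered rules on source, destination, protocol and port with an implicit deny at the end, permitted flows are entered in a session table, and inbound packets pass only when they answer a session opened from the inside. The office network 10.0.0.0/24, the rules and the packets are constructed for the example.

```python
"""Added example (not Cisco's code and not Alfa-Bank's configuration): a
miniature packet filter showing what an extended ACL does (match on
source, destination, protocol and port, implicit deny at the end) and
what CBAC adds on top (only replies to sessions opened from the inside
are let back in). Addresses, rules and packets are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int      # 0 for protocols without ports
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR, e.g. "10.0.0.0/24"; "0.0.0.0/0" means any
    dst: str
    proto: str                   # protocol name or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class StatefulFilter:
    def __init__(self, outbound_rules: List[Rule]):
        self.rules = outbound_rules
        # Session table keyed by (inside addr, inside port, outside addr, outside port, proto)
        self.sessions: Set[Tuple[str, int, str, int, str]] = set()

    def _acl(self, p: Packet) -> bool:
        """First matching rule wins; an ACL ends with an implicit deny."""
        for rule in self.rules:
            if rule.matches(p):
                return rule.action == "permit"
        return False

    def outbound(self, p: Packet) -> bool:
        """Inside -> outside: consult the ACL and remember permitted sessions."""
        permitted = self._acl(p)
        if permitted:
            self.sessions.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return permitted

    def inbound(self, p: Packet) -> bool:
        """Outside -> inside: only traffic answering an open session passes."""
        return (p.dst, p.dport, p.src, p.sport, p.proto) in self.sessions


def build_office_filter() -> StatefulFilter:
    """Constructed policy: the 10.0.0.0/24 office may open HTTPS and SMTP
    connections to anywhere; everything else outbound is dropped."""
    return StatefulFilter([
        Rule("permit", "10.0.0.0/24", "0.0.0.0/0", "tcp", 443),
        Rule("permit", "10.0.0.0/24", "0.0.0.0/0", "tcp", 25),
        Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),   # explicit, for readability
    ])


if __name__ == "__main__":
    fw = build_office_filter()
    web = Packet("10.0.0.5", "203.0.113.10", "tcp", 51000, 443)
    print(fw.outbound(web))                                                   # True
    print(fw.inbound(Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51000)))  # True: reply
    print(fw.inbound(Packet("203.0.113.10", "10.0.0.5", "tcp", 443, 51001)))  # False: unsolicited
```

A real implementation also ages sessions out of the table and tracks TCP state (SYN seen, established, FIN), which is what lets CBAC distinguish a genuine reply from a spoofed packet that merely reuses the right addresses and ports.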

Kaspersky Open Space Security is used as the software protection tool. It meets the modern requirements for corporate network security systems:

· protection for all types of network nodes;

· protection against all types of computer threats;

· effective technical support;

· "proactive" technologies combined with traditional signature-based protection;

· innovative technologies and a new anti-virus engine that improves performance;

· a ready-to-use protection system;

· centralized management;

· full protection of users outside the corporate network;

· compatibility with third-party solutions;

· efficient use of network resources.

The system being developed should provide full control, automated accounting and analysis of the protection of personal data, reduce customer service time, and provide information about the codes used to protect information and personal data.

To formulate the requirements for the system being developed, the requirements for organizing its database and for information compatibility must first be formulated.

Database design should be based on the views of the end users of the particular organization, that is, on the conceptual requirements for the system.

In this case the information system holds data about the firm's employees. One technique that illustrates the operation of an information system well is the development of a document workflow scheme.

The functions of the system being developed are achieved with computer technology and software. Since searching for information and accounting documents takes up about 30% of bank specialists' working time, introducing an automated accounting system will free up qualified specialists considerably and may reduce the payroll and headcount, although it may also require adding an operator to the department's staff to enter information about ongoing business processes: documents recording personal data and access codes.

Implementation of the system being developed should reduce, and ideally eliminate, errors in the accounting of personal data and security codes. Thus the introduction of an automated manager's workstation will produce a significant economic effect: a reduction in staff by one third, payroll savings and higher labor productivity.

Alfa-Bank, like any other bank, has an Information Security Policy that sets out a system of views on ensuring information security and is a systematic statement of the goals and objectives of protection in the form of rules, procedures, practices and guidelines in the field of information security.

The Policy takes into account the current state and near-term prospects of information technology in the Bank, the goals, objectives and legal basis of its operation, and its modes of operation, and contains an analysis of security threats to the objects and subjects of the Bank's information relations.

The main provisions and requirements of the document apply to all structural divisions of the Bank, including additional offices. Its main provisions also extend to other organizations and institutions that interact with the Bank as suppliers or consumers of the Bank's information resources in one capacity or another.

The legislative basis of the Policy is the Constitution of the Russian Federation, the Civil and Criminal Codes, federal laws, presidential decrees, government resolutions and other normative acts of current Russian legislation, and the documents of the State Technical Commission under the President of the Russian Federation and the Federal Agency for Government Communications and Information under the President of the Russian Federation.

The policy is the methodological basis for:

· formation and implementation of a unified policy in the field of information security in the Bank;

· making management decisions and developing practical measures to implement the information security policy, and developing a coordinated set of measures aimed at identifying, repelling and eliminating the consequences of the various types of threats to information security;

· coordination of the activities of the Bank's structural divisions when carrying out work on the creation, development and operation of information technologies in compliance with the requirements for ensuring information security;

· development of proposals for improving the legal, regulatory, technical and organizational security of information in the Bank.

A systematic approach to building the Bank's information security system means taking into account all the interrelated, interacting and time-varying elements, conditions and factors that matter for understanding and solving the problem of securing the Bank's information.

Ensuring information security is a process carried out by the Bank's management, its information protection units and employees at all levels. It is not only, and not so much, a procedure or policy implemented over a certain period, or a set of protective tools, but a process that must run continuously at all levels within the Bank, with every employee taking part. Information security activities are an integral part of the Bank's daily work, and their effectiveness depends on the participation of the Bank's management.

Moreover, most physical and technical means of protection need constant organizational (administrative) support to perform their functions effectively: timely changing of and proper storage for user names, passwords and encryption keys, redefinition of authority, and so on. Interruptions in the operation of security tools can be used by intruders to analyze the protection methods and tools in use and to plant software and hardware backdoors ("bookmarks") and other means of defeating the protection.

Personal responsibility means assigning responsibility for the security of information and its processing system to each employee within the limits of his authority. Under this principle, the rights and duties of employees are distributed so that, in the event of any violation, the circle of possible culprits is known precisely or at least minimized.

Alfa-Bank continuously monitors the activity of every user, every protection tool and every protected object. Monitoring is based on operational control and logging and covers both unauthorized and authorized actions of users; a log that records only refusals cannot show how a legitimately granted right was misused.

The bank has developed the following organizational and administrative documents:

· Regulations on commercial secrets. This Regulation regulates the organization, the procedure for working with information constituting a commercial secret of the Bank, the duties and responsibilities of employees admitted to this information, the procedure for transferring materials containing information constituting a commercial secret of the Bank to state (commercial) institutions and organizations;

· List of information constituting an official and commercial secret. The list defines the information classified as confidential, the level and terms of ensuring restrictions on access to protected information;

· Orders and instructions for establishing a security regime for information:

· admission of employees to work with restricted information;

· appointing administrators and persons responsible for working with restricted information in the corporate information system;

· Instructions and responsibilities for employees:

· on the organization of security and access control;

· on the organization of office work;

· administration of information resources of the corporate information system;

· other regulatory documents.

Conclusion


Today, the organization of information security concerns organizations of every size, from large corporations to sole proprietors. Competition in modern market relations is far from perfect and is often not conducted by the most legal means; industrial espionage flourishes. But there are also frequent cases of inadvertent disclosure of information constituting an organization's commercial secret. As a rule, the negligence of employees and their failure to understand the situation, in other words the "human factor", play a role here.

Alfa-Bank protects the following information:

· trade secrets;

· personal data (of clients and bank employees);

· bank secrecy;

· bank documents (reports of the Security Department, the bank's annual budget, information on employees' income, etc.).

Information in the bank is protected against the following threats:

· natural threats;

· artificial threats: unintentional (accidental) threats caused by errors in the design of the information system and its elements, errors in the actions of personnel, and so on; and deliberate (intentional) threats associated with the selfish, ideological or other aspirations of people (attackers).

Sources of threats to the information system itself can be both external and internal.


