A comprehensive information security system is a very important component of the USS.
Information security — all aspects related to defining, achieving and maintaining the confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of information or of the means of its processing.
Information (data) security — the state of protection of information (data) in which its confidentiality, availability and integrity are ensured.
Information (data) security is defined by the absence of unacceptable risk associated with information leakage through technical channels, and with unauthorized and unintended effects on the data and/or other resources of the automated information systems used in the automated system.
Information security (when using information technologies) — the state of protection of information (data) that ensures the security of the information for whose processing the technology is applied, and the information security of the automated information system in which it is implemented.
Security of an automated information system — the state of protection of the automated system in which the confidentiality, availability, integrity, accountability and authenticity of its resources are ensured.
Information security — protection of information and its supporting infrastructure against accidental or intentional impacts of natural or artificial character which may cause unacceptable damage to the subjects of information relations. Supporting infrastructure is the systems of electricity, heat, water and gas supply, air conditioning and so on, as well as staff. Unacceptable damage is damage which cannot be neglected.
As a standard security model, the model of three categories is used:
- Confidentiality — the state of information in which access to it is granted only to subjects having the right to it;
- Integrity — prevention of unauthorized modification of information;
- Availability — prevention of temporary or permanent hiding of information from users who have obtained access rights.
There are other, not always mandatory, categories of security models:
- Non-repudiation — the ability to certify that an action or event took place, so that these events or actions cannot be denied later;
- Accountability — ensuring identification of the access subject and registration of its actions;
- Reliability — the property of conformity to the intended behavior or result;
- Authenticity — the property guaranteeing that a subject or resource is identical to what is declared.
Realization of the term "information security"
The systems approach to describing information security proposes to distinguish the following components of information security:
- The legislative, regulatory and scientific base.
- The structure and tasks of the bodies (divisions) ensuring IT security.
- Organizational and technical security measures and methods (the information security policy).
- Program and technical methods and means of ensuring information security.
The purpose of realizing information security of any object is the creation of a System of ensuring information security of this object. To create and effectively operate a System of ensuring information security it is necessary:
- to identify the information security requirements that are specific to this object of protection;
- to take into account the requirements of national and international legislation;
- to use established practice (standards, methodologies) for creating similar systems of ensuring information security;
- to determine the divisions responsible for implementing and supporting the system of ensuring information security;
- to distribute between the divisions the areas of responsibility for implementing the requirements of the system of ensuring information security;
- on the basis of information security risk management, to determine the general provisions and the technical and organizational requirements constituting the information security policy of the protected object;
- to realize the requirements of the information security policy by implementing the appropriate program and technical methods and means of information security;
- to realize a management system of information security;
- using the management system of information security, to organize regular monitoring of the effectiveness of the system of ensuring information security.
As can be seen from the last stage of the work, the process of implementing a system of ensuring information security is continuous and cyclic: after each revision it returns to the first stage, sequentially repeating all the others. In this way the system of ensuring information security is adjusted for effective implementation of the tasks of information security and for compliance with the new requirements of a constantly updated information system.
1. Organizational and technical security measures and methods
To describe the information security technologies of a particular information system, the so-called Information security policy (or Security policy) of the considered information system is usually drawn up.
Organizational security policy — a set of documented rules, procedures, practices or guidelines in the field of information security by which the organization is guided in its activities.
Security policy for information and telecommunication technologies — regulations, directives and accepted practices which determine how assets, including critical information, are managed, protected and distributed within the organization and its information and telecommunication technologies.
For the creation of an Information security policy, it is recommended to consider separately the following directions of the information security system:
- Protection of objects of the information system;
- Protection of processes, procedures and programs for processing information;
- Protection of communication channels (acoustic, infrared, wired, optical, radio, etc.);
- Suppression of side electromagnetic radiation and interference;
- Management of the protection system.
Thus, for each of the directions listed above, the Information security policy has to describe the following stages of creating the means of information protection:
- Definition of the information and technical resources to be protected;
- Revealing the full set of potential threats and channels of information leakage;
- Assessment of the vulnerability and risk of the information under the variety of existing threats and leakage channels;
- Determination of the requirements for the security system;
- Selection of information security tools and their characteristics;
- Implementation and organization of the use of the selected measures, methods and means of protection;
- Monitoring of integrity and management of the protection system.
The Information security policy is set out in the form of documented requirements for the information system. The documents are usually separated by the level of detail with which the protection process is described.
According to the ISO/IEC 17799-2005 standard, at the top level of the information security policy the following documents should be prepared: "The concept of information security", "Acceptable use of information system resources", "Business continuity plan".
Documents concerning separate aspects of information security belong to the middle level.
The lower-level information security policy includes work regulations, administration guides, and maintenance instructions for individual information security services.
2. Organizational protection of objects of information systems.
Organizational protection — regulation of production activity and of the relations between contractors on a legal basis, which excludes or significantly complicates illegal acquisition of confidential information and the manifestation of internal and external threats. Organizational protection provides:
- organization of security, the access regime, work with personnel and with documents;
- use of technical security means and information-analytical work to identify internal and external threats to business activity.
3. Program and technical methods and means of ensuring information security.
Classification of information security tools.
- Protection systems against unauthorized access:
  - Means of authorization;
  - Mandatory access control;
  - Selective (discretionary) access control;
  - Role-based access control;
  - Journaling (also called audit).
- Network monitoring systems:
  - Protocol analyzers.
- Anti-virus tools.
- Cryptographic tools:
  - Digital signature.
- Backup systems.
- Uninterruptible power supply systems.
- Authentication systems.
- Means of preventing break-ins of buildings and theft of equipment.
- Means of controlling and managing access to premises.
- Tools for analyzing protection systems.