Ensuring business information security. The role of information security in ensuring business continuity. Ensuring information security of the enterprise

31.03.2020

Ministry of Education and Science of the Russian Federation

Federal State Budgetary Educational Institution of Higher Professional Education

"PERM NATIONAL RESEARCH POLYTECHNIC UNIVERSITY"

Test paper

in the discipline

INFORMATION SECURITY OF THE ENTERPRISE

Topic "Information security in business on the example of Alfa-Bank"

Completed by a student of group FK-11B:

Smyshlyaeva Maria Sergeevna

Checked by teacher:

Shaburov Andrey Sergeevich

Perm - 2013

Introduction

The information resources of most companies are among their most valuable assets. For this reason, commercial and confidential information and personal data must be reliably protected from misuse, yet at the same time remain easily accessible to the entities involved in processing this information or using it to perform their assigned tasks. The use of special tools for this purpose contributes to the sustainability and viability of the company's business.

As practice shows, the issue of organizing business protection in modern conditions has become highly relevant. Online stores are broken into and customers' credit cards are emptied, casinos and sweepstakes are blackmailed, corporate networks fall under external control, computers are "zombified" and included in botnets, and fraud using stolen personal data is becoming a disaster on a national scale.

Therefore, company leaders must be aware of the importance of information security, learn how to predict and manage trends in this area.

The purpose of this work is to identify the advantages and disadvantages of the business information security system using the example of Alfa-Bank.

Characteristics of the activities of Alfa-Bank OJSC

Alfa-Bank was founded in 1990. Alfa-Bank is a universal bank that carries out all major types of banking operations on the financial services market, including servicing private and corporate clients, investment banking, trade finance and asset management.

Alfa-Bank's head office is located in Moscow; in total, 444 branches and offices of the bank have been opened in the regions of Russia and abroad, including a subsidiary bank in the Netherlands and financial subsidiaries in the USA, Great Britain and Cyprus. Alfa-Bank employs about 17,000 people.

Alfa-Bank is the largest Russian private bank in terms of total assets, total capital and deposits. The bank has a large client base of both corporate clients and individuals. Alfa-Bank is developing as a universal bank in the main areas: corporate and investment business (including small and medium-sized enterprises (SMEs), trade and structured finance, leasing and factoring) and retail business (including the network of bank branches, car loans and mortgages). Particular attention is paid to the development of banking products for corporate business in the mass and SME segments, as well as the development of remote self-service channels and Internet acquiring. Alfa-Bank's strategic priorities are to maintain its status as the leading private bank in Russia, strengthen stability, increase profitability, and set industry standards for technology, efficiency, customer service and teamwork.

Alfa-Bank is one of the most active Russian banks in the global capital markets. Leading international rating agencies give Alfa-Bank one of the highest ratings among Russian private banks. Four times in a row it has been ranked #1 in the Customer Experience Index: The Retail Banking Sector after the Financial Crisis, compiled by Senteo together with PricewaterhouseCoopers. Also in 2012, Alfa-Bank was recognized as the best Internet bank by GlobalFinance magazine, was awarded for the best analytics by the National Association of Stock Market Participants (NAUFOR), and became the best Russian private bank in the trust index calculated by the research holding Romir.

Today the Bank has a network of federal scale, including 83 points of sale. Alfa-Bank has one of the largest networks among commercial banks, consisting of 55 offices and covering 23 cities. As a result of the expansion of the network, the Bank has additional opportunities to increase its customer base, expand the range and quality of banking products, implement inter-regional programs, and provide comprehensive services to key (backbone) customers from among the largest enterprises.

Analysis of the theoretical basis of the issue of business information security

The relevance and importance of the problem of ensuring information security is due to the following factors:

· Modern levels and rates of development of information security tools lag far behind the levels and rates of development of information technologies.

· The rapid growth of the installed base of personal computers used in various fields of human activity. According to research by Gartner Dataquest, there are currently over a billion personal computers in the world.


· A sharp expansion of the circle of users with direct access to computing resources and data arrays;

At present, the importance of the information stored in banks has grown significantly: it concentrates important and often secret information about the financial and economic activity of many people, companies, organizations and even entire states. The bank stores and processes valuable information affecting the interests of a large number of people. The bank stores important information about its customers, which widens the circle of potential intruders interested in stealing or damaging such information.

Over 90% of all crimes are related to the use of the bank's automated information processing systems. Therefore, when creating and modernizing an ASOIB (the Russian acronym for an automated bank information processing system), banks need to pay close attention to its security.

The main attention should be paid to the computer security of banks, i.e. the security of the bank's automated information processing systems, as the most relevant, complex and urgent problem in the field of banking information security.

The rapid development of information technology has opened up new business opportunities, but has also led to the emergence of new threats. Because of competition, modern software products are sold with errors and shortcomings: developers, packing various functions into their products, do not have time to debug the created software systems properly. The errors and flaws left in these systems lead to accidental and deliberate violations of information security. For example, most accidental losses of information are caused by failures of software and hardware, and most attacks on computer systems are based on errors and flaws found in software. Thus, in the first six months after the release of the Microsoft Windows server operating system, 14 vulnerabilities were discovered, 6 of which were critical. Although over time Microsoft develops service packs that address the identified flaws, users are already suffering from information security breaches caused by the remaining errors. Until these and many other problems are solved, the insufficient level of information security will remain a serious brake on the development of information technologies.

Information security is understood as the security of information and its supporting infrastructure from accidental or intentional impacts of a natural or artificial nature that can cause unacceptable damage to the subjects of information relations, including the owners and users of the information and of the supporting infrastructure.

In today's business world, value is migrating from tangible assets towards information. As an organization develops, its information system becomes more complex, and its main task is to ensure maximum business efficiency in a constantly changing competitive market environment.

Considering information as a commodity, we can say that ensuring information security can lead to significant cost savings, while damage to information leads to material costs. For example, disclosure of the manufacturing technology of an original product will lead to the appearance of a similar product from another manufacturer, and as a result of the information security violation the owner of the technology, and perhaps its author, will lose part of the market, etc. On the other hand, information is the subject of control, and its alteration can lead to catastrophic consequences in the controlled object.

According to GOST R 50922-2006, ensuring information security is an activity aimed at preventing information leakage, unauthorized and unintentional impacts on protected information. Information security is relevant for both enterprises and government agencies. For the purpose of comprehensive protection of information resources, work is being carried out to build and develop information security systems.

There are many reasons that can seriously affect the operation of local and global networks, leading to the loss of valuable information. Among them are the following:

· Unauthorized access from outside, copying or modification of information, and accidental or intentional actions leading to:
  - distortion or destruction of data;
  - familiarization of unauthorized persons with information constituting a banking, financial or state secret.

· Incorrect operation of software, leading to loss or corruption of data due to:
  - errors in application or network software;
  - computer virus infection.

· Technical equipment failures caused by:
  - power outages;
  - failure of disk systems and data archiving systems;
  - disruption of servers, workstations, network cards or modems.

· Errors of service personnel.

Of course, there is no one-size-fits-all solution, but many organizations have developed and implemented technical and administrative measures to minimize the risk of data loss or unauthorized access.

To date, there is a large arsenal of methods for ensuring information security, which is also used in Alfa-Bank:

· means of identification and authentication of users (the so-called complex 3A);

· means of encrypting information stored on computers and transmitted over networks;

· firewalls;

· virtual private networks;

· content filtering tools;

· tools for checking the integrity of the contents of disks;

· means of anti-virus protection;

· network vulnerability detection systems and network attack analyzers.

"Complex 3A" includes authentication (or identification), authorization and administration. Identificationand authorization are key elements of information security. When you try to access any program, the identification function gives an answer to the question: "Who are you?" and "Where are you?", whether you are an authorized user of the program. The authorization function is responsible for what resources a particular user has access to. The function of administration is to provide the user with certain identification features within a given network and determine the scope of actions allowed for him. In Alfa-Bank, when opening programs, the password and login of each employee are requested, and when performing any operations, in some cases, authorization of the head or his deputy in the department is required.

A firewall is a system or combination of systems that forms a protective barrier between two or more networks and prevents unauthorized data packets from entering or leaving the network. The basic operating principle of a firewall is checking each data packet's source and destination IP addresses against the base of allowed addresses. Thus, firewalls significantly expand the possibilities for segmenting information networks and controlling the circulation of data.

Speaking of cryptography and firewalls, we should mention secure virtual private networks (Virtual Private Network, VPN). Their use makes it possible to ensure the confidentiality and integrity of data during its transmission over open communication channels.

An effective means of protecting against the loss of confidential information is content filtering of inbound and outbound e-mail. Checking e-mail messages and their attachments against rules set by the organization also helps protect companies from liability in lawsuits and protect their employees from spam. Content filtering tools can scan files of all common formats, including compressed and graphic files, while network bandwidth remains practically unchanged.

Modern anti-virus technologies can detect almost all already known virus programs by comparing the code of a suspicious file with samples stored in the anti-virus database. In addition, behavior modeling technologies have been developed to detect newly created virus programs. Detected objects can be disinfected, isolated (quarantined) or deleted. Virus protection can be installed on workstations, file and mail servers, and firewalls running under almost any of the common operating systems (Windows, Unix and Linux systems, Novell) on various types of processors. Spam filters significantly reduce the unproductive labor costs of sorting through spam, reduce traffic and server load, improve the psychological climate in the team, and reduce the risk of company employees being drawn into fraudulent transactions. In addition, spam filters reduce the risk of infection with new viruses, since messages containing viruses (even those not yet included in the anti-virus databases) often show signs of spam and are filtered out. However, the positive effect of spam filtering can be cancelled out if the filter, along with junk, removes or marks as spam useful messages, business or personal.

The most typical types and methods of information threats are the following:

Declassification and theft of trade secrets. While previously secrets were kept in secret places, in massive safes, under reliable physical and (later) electronic protection, today many employees have access to office databases, often containing very sensitive information, for example, the same customer data.

Distribution of compromising materials. That is, the deliberate or accidental use by employees in electronic correspondence of such information that casts a shadow on the reputation of the bank.

Infringement on intellectual property. It is important not to forget that any intellectual product produced in a bank, as in any organization, belongs to it and cannot be used by employees (including the generators and authors of the intellectual values) except in the interests of the organization. Meanwhile, in Russia, conflicts often arise on this issue between organizations and employees who claim the intellectual product they have created and use it for personal interests, to the detriment of the organization. This is often due to the vague legal situation in the enterprise, when the labor contract contains no clearly defined norms and rules outlining the rights and obligations of employees.

Distribution (often unintentional) of inside information that is not secret, but may be useful to competitors (other banks).

Visits to the websites of competing banks. Now more and more companies are using programs on their open sites (in particular, designed for CRM), which allow you to recognize visitors and track their routes in detail, record the time and duration of viewing pages on the site. Competitor websites have been and remain a valuable source for analysis and forecasting.

Abuse of office communications for personal purposes (listening to or viewing music and other content not related to work, downloading it to an office computer) does not pose a direct threat to information security, but creates additional load on the corporate network, reduces efficiency, and interferes with the work of colleagues.

And, finally, external threats - unauthorized intrusions, etc.

The rules adopted by the bank must comply with both national and internationally recognized standards for the protection of state and commercial secrets, personal and private information.

Organizational protection of information in Alfa-Bank

Alfa Bank OJSC has implemented a security policy based on the selective (discretionary) access control method. Such control at Alfa Bank OJSC is characterized by a set of allowed access relations specified by the administrator. The access matrix is filled in directly by the company's system administrator. The application of a selective information security policy complies with the requirements of management and with the requirements for information security, access control and accountability, and also has an acceptable implementation cost. Implementation of the information security policy is entrusted entirely to the system administrator of Alfa Bank OJSC.
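The "3A" scheme described earlier (identification and authentication, authorization, administration) on top of the administrator-filled access matrix described here, including the rule that certain operations additionally require sign-off by the department head or deputy and the registration of every access decision, as an added Python illustration that is not Alfa-Bank's code; the logins, passwords, resources and departments are constructed placeholders.

```python
"""Added illustration (not Alfa-Bank's code): 3A access control over a
discretionary access matrix. All accounts, resources and passwords are
constructed placeholders."""
from __future__ import annotations
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    login: str
    salt: bytes
    pw_hash: bytes
    role: str          # "employee", "head" or "deputy"
    department: str


@dataclass
class AuditEvent:
    login: str
    resource: str
    action: str
    allowed: bool
    reason: str


class AccessControlSystem:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Access matrix: (login, resource) -> permitted actions.
        # Only the administrator fills it in (the "administration" function).
        self.matrix: dict[tuple[str, str], set[str]] = {}
        # Operations that also need approval by a head or deputy of the
        # subject's own department (the page's "authorization of the head").
        self.needs_approval: set[str] = set()
        # Registration of authorized and unauthorized actions alike.
        self.audit: list[AuditEvent] = []

    # --- administration ----------------------------------------------------
    def add_account(self, login, password, role, department):
        salt = os.urandom(16)
        self.accounts[login] = Account(login, salt, self._hash(password, salt),
                                       role, department)

    def grant(self, login, resource, actions):
        self.matrix.setdefault((login, resource), set()).update(actions)

    def require_approval(self, action):
        self.needs_approval.add(action)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    # --- identification / authentication -----------------------------------
    def authenticate(self, login, password):
        acct = self.accounts.get(login)
        if acct is None:
            return None
        if not hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash):
            return None
        return acct

    # --- authorization -----------------------------------------------------
    def request(self, login, password, resource, action,
                approver=None, approver_password=None):
        subject = self.authenticate(login, password)
        if subject is None:
            return self._record(login, resource, action, False, "authentication failed")
        if action not in self.matrix.get((login, resource), set()):
            return self._record(login, resource, action, False, "not in access matrix")
        if action in self.needs_approval:
            head = self.authenticate(approver, approver_password) if approver else None
            if (head is None or head.role not in ("head", "deputy")
                    or head.department != subject.department):
                return self._record(login, resource, action, False,
                                    "approval by head/deputy missing")
        return self._record(login, resource, action, True, "granted")

    def _record(self, login, resource, action, allowed, reason):
        self.audit.append(AuditEvent(login, resource, action, allowed, reason))
        return allowed


def build_demo():
    """Constructed scenario: one employee, one head of the same department,
    one head of another department; posting a ledger entry needs approval."""
    acs = AccessControlSystem()
    acs.add_account("m.ivanova", "pw-emp", "employee", "credit")
    acs.add_account("a.petrov", "pw-head", "head", "credit")
    acs.add_account("s.sidorov", "pw-other", "head", "retail")
    acs.grant("m.ivanova", "loan_ledger", {"read", "post_entry"})
    acs.require_approval("post_entry")
    results = {
        "read_ok": acs.request("m.ivanova", "pw-emp", "loan_ledger", "read"),
        "wrong_pw": acs.request("m.ivanova", "bad", "loan_ledger", "read"),
        "no_right": acs.request("m.ivanova", "pw-emp", "payroll", "read"),
        "post_no_approval": acs.request("m.ivanova", "pw-emp", "loan_ledger", "post_entry"),
        "post_wrong_dept": acs.request("m.ivanova", "pw-emp", "loan_ledger", "post_entry",
                                       "s.sidorov", "pw-other"),
        "post_approved": acs.request("m.ivanova", "pw-emp", "loan_ledger", "post_entry",
                                     "a.petrov", "pw-head"),
    }
    return acs, results
```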

Along with the existing security policy, Alfa Bank OJSC uses specialized security hardware and software.

The security hardware is the Cisco 1605 router. The router is equipped with two Ethernet interfaces (one with TP and AUI connectors, the other with TP only) for the LAN and one expansion slot for installing one of the modules for Cisco 1600 series routers. In addition, the Cisco IOS Firewall Feature Set software makes the Cisco 1605-R a flexible router/security solution for the small office. Depending on the installed module, the router can connect via ISDN, a dial-up line or a leased line from 1200 bps to 2 Mbps, Frame Relay, SMDS and X.25.

To protect information, the owner of the LAN must secure the "perimeter" of the network, for example by establishing control at the junction of the internal network with the external one. Cisco IOS provides high flexibility and security with standard features such as extended access lists (ACLs), lock-and-key (dynamic ACLs) and routing authorization. In addition, the Cisco IOS Firewall Feature Set available for the 1600 and 2500 series routers provides comprehensive security features, including:

· context-based access control (CBAC);

· Java applet blocking;

· audit logging;

· attack detection and prevention;

· immediate notification.

In addition, the router supports virtual overlay networks, tunnels, a priority management system, a resource reservation system, and various routing control methods.
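The perimeter-control principle described above (each packet's source and destination addresses checked against an allowed-address base, extended to protocol and destination port as in the router's extended ACLs, with first-match evaluation and an implicit deny at the end), as an added Python simulator; this is not Cisco's code nor the bank's configuration, and the networks, rule lines and packets are constructed.

```python
"""Added example (not Cisco's code, not the bank's configuration): a stateless
packet filter that evaluates IOS-style extended ACL rules in order. All
networks, hosts and ports below are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int | None = None


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: int | None = None   # None: any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst)


def parse_rule(line: str) -> Rule:
    """Parse a simplified IOS-like line:
    '<permit|deny> <proto> <src-net> <dst-net> [eq <port>]'."""
    parts = line.split()
    action, proto, src, dst = parts[:4]
    dport = int(parts[5]) if len(parts) > 5 and parts[4] == "eq" else None
    return Rule(action, proto, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), dport)


class PacketFilter:
    def __init__(self, rules):
        self.rules = [parse_rule(r) for r in rules]
        self.log = []     # (packet, verdict, reason) for every decision

    def decide(self, p: Packet) -> bool:
        # First matching rule wins, as in an IOS access list.
        for idx, rule in enumerate(self.rules):
            if rule.matches(p):
                verdict = rule.action == "permit"
                self.log.append((p, verdict, f"rule {idx}"))
                return verdict
        # No rule matched: implicit deny at the end of the list.
        self.log.append((p, False, "implicit deny"))
        return False


# Constructed inbound ACL on the external interface: 10.20.0.0/16 is the
# internal LAN, 10.20.5.10 a public web front end, 10.20.5.20 a host
# reachable by one partner network (203.0.113.0/24) only.
INBOUND_RULES = [
    "deny ip 10.20.0.0/16 0.0.0.0/0",             # anti-spoofing: internal
                                                  # addresses never arrive from outside
    "permit tcp 0.0.0.0/0 10.20.5.10/32 eq 443",
    "permit tcp 203.0.113.0/24 10.20.5.20/32 eq 22",
]


def run_demo():
    pf = PacketFilter(INBOUND_RULES)
    verdicts = {
        "web_from_internet": pf.decide(Packet("198.51.100.7", "10.20.5.10", "tcp", 443)),
        "ssh_from_internet": pf.decide(Packet("198.51.100.7", "10.20.5.10", "tcp", 22)),
        "spoofed_internal_source": pf.decide(Packet("10.20.1.5", "10.20.5.10", "tcp", 443)),
        "partner_ssh": pf.decide(Packet("203.0.113.9", "10.20.5.20", "tcp", 22)),
        "udp_to_web": pf.decide(Packet("198.51.100.7", "10.20.5.10", "udp", 443)),
    }
    return pf, verdicts
```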

The Kaspersky Open Space Security solution is used as the software protection tool. Kaspersky Open Space Security fully meets modern requirements for corporate network security systems:

· a solution for protecting all types of network nodes;

· protection against all types of computer threats;

· effective technical support;

· "proactive" technologies combined with traditional signature-based protection;

· innovative technologies and a new anti-virus engine that improves performance;

· a ready-to-use protection system;

· centralized management;

· full protection of users outside the network;

· compatibility with third-party solutions;

· efficient use of network resources.

The system being developed should provide full control, automated accounting and analysis of the protection of personal information, reduce customer service time, and provide information about information security codes and personal data.

To formulate requirements for the system being developed, it is necessary to formulate requirements for the organization of its database and for its information compatibility.

The database design should be based on the views of the end users of a particular organization - the conceptual requirements for the system.

In this case, the information system (IS) contains data about the company's employees. One of the techniques that best illustrates the operation of an information system is the development of a document workflow scheme.

The functions of the system being developed can be achieved through the use of computer technology and software. Considering that searching for information and accounting documents takes up about 30% of the working time of bank specialists, the introduction of an automated accounting system will substantially free up qualified specialists and may lead to savings in the payroll fund and a reduction in staff, but it may also require adding an operator position to the department's staff, whose duties will include entering information about ongoing business processes: personal data, accounting documents and access codes.

It should be noted that the introduction of the system being developed will reduce, and ideally completely eliminate, errors in accounting for personal information and security codes. Thus, the introduction of an automated workplace for a manager will produce a significant economic effect: a reduction in staff by 1/3, savings in the wage fund, and increased labor productivity.

Alfa-Bank, like any other bank, has developed an Information Security Policy that defines a system of views on the problem of ensuring information security and is a systematic statement of the goals and objectives of protection, as one or more rules, procedures, practices and guidelines in the field of information security.

The policy takes into account the current state and immediate prospects for the development of information technologies in the Bank, goals, objectives and legal framework their operation, modes of operation, and also contains an analysis of security threats to objects and subjects of information relations of the Bank.

The main provisions and requirements of this document apply to all structural divisions of the Bank, including additional offices. In its key provisions, the Policy also applies to other organizations and institutions that interact with the Bank as suppliers or consumers of the Bank's information resources in one capacity or another.

The legislative basis of this Policy is the Constitution of the Russian Federation, the Civil and Criminal Codes, laws, decrees, resolutions and other regulations of the current legislation of the Russian Federation, and documents of the State Technical Commission under the President of the Russian Federation and the Federal Agency for Government Communications and Information under the President of the Russian Federation.

The policy is the methodological basis for:

· formation and implementation of a unified policy in the field of information security in the Bank;

· making management decisions and developing practical measures to implement the information security policy and develop a set of coordinated measures aimed at identifying, repelling and eliminating the consequences of the implementation of various types of information security threats;

· coordination of the activities of the Bank's structural divisions when carrying out work on the creation, development and operation of information technologies in compliance with the requirements for ensuring information security;

· development of proposals for improving the legal, regulatory, technical and organizational security of information in the Bank.

A systems approach to building an information security system in the Bank involves taking into account all interrelated, interacting and time-varying elements, conditions and factors that are significant for understanding and solving the problem of ensuring the security of the Bank's information.

Ensuring information security is a process carried out by the Bank's management, information security departments and employees at all levels. It is not only, and not so much, a procedure or policy implemented over a certain period of time, or a set of protective tools, but a process that must go on constantly at all levels within the Bank, with every employee of the Bank taking part. Information security activities are an integral part of the daily activities of the Bank, and their effectiveness depends on the participation of the Bank's management in ensuring information security.

In addition, most physical and technical means of protection require constant organizational (administrative) support to perform their functions effectively (timely change and correct storage and use of names, passwords and encryption keys, redefinition of powers, etc.). Interruptions in the operation of protection tools can be used by attackers to analyze the methods and means of protection in use and to introduce special software and hardware "bookmarks" (covert implants) and other means of overcoming protection.

Personal responsibility means assigning responsibility for ensuring the security of information and of the system that processes it to each employee within the limits of his authority. In accordance with this principle, the distribution of rights and obligations of employees is built in such a way that in the event of any violation, the circle of perpetrators is clearly known or minimized.

At Alfa-Bank, monitoring of the activity of any user, of each security tool and in relation to any object of protection is carried out constantly on the basis of operational control and registration tools, and covers both unauthorized and authorized actions of users.

The bank has developed the following organizational and administrative documents:

· Regulations on trade secrets. This Regulation governs the organization of and procedure for working with information constituting a commercial secret of the Bank, the duties and responsibilities of employees admitted to this information, and the procedure for transferring materials containing information constituting a commercial secret of the Bank to state (commercial) institutions and organizations;

· List of information constituting official and commercial secrets. The list defines the information classified as confidential, and the level and duration of restrictions on access to protected information;

· Orders and directives establishing the information security regime:
  - admission of employees to work with restricted information;
  - appointment of administrators and persons responsible for working with restricted information in the corporate information system;

· Instructions and functional responsibilities of employees:
  - on the organization of the security access regime;
  - on the organization of office work;
  - on the administration of information resources of the corporate information system;

· other regulatory documents.

Conclusion

Today, the issue of organizing information security is of concern to organizations of any level - from large corporations to entrepreneurs without forming a legal entity. Competition in modern market relations is far from perfect and is often not carried out in the most legal ways. Industrial espionage flourishes. But cases of inadvertent dissemination of information relating to the trade secret of the organization are not uncommon. As a rule, the negligence of employees, their lack of understanding of the situation, in other words, the "human factor" plays a role here.

Alfa-Bank ensures the protection of the following information:

· trade secrets;

· banking secrecy;

· bank documents (reports of the Security Department, the annual estimate of the bank, information on the income of bank employees, etc.).

Information in the bank is protected from the following threats:

· natural threats;

· artificial threats: unintentional (accidental) threats caused by errors in the design of the information system and its elements, errors in the actions of personnel, etc., and intentional (deliberate) threats associated with the selfish, ideological or other aspirations of people (intruders).

Sources of threats in relation to the information system itself can be both external and internal.


Business security is a set of activities and measures aimed at the comprehensive protection of entrepreneurial activity from various types of threats (informational, legal, physical, economic, organizational and personnel-related). All decisions regarding the comprehensive protection of the business and the measures taken are the responsibility of the security service, the heads of the relevant departments and the director of the organization.

Types of business security problems and ways to solve them

In any kind of business, there is always room for risk. At the same time, a good leader will not wait for problems - he will take timely measures to protect against the most likely problems in the business area. These include:

- corporate troubles: disputes and conflict situations between the company's shareholders, conflicts between top managers, or difficult relations between the company's owners and the heads of departments;

- external dangers: threats from criminal structures, conflicts with law enforcement and government agencies, raider attacks, and so on;

- financial losses: fraudulent actions by personnel (or customers), theft, unscrupulous intermediaries or suppliers, misuse of company resources, taking bribes for actions against the company's interests;

- information hazards: leakage of the company's secret information (or its concealment or destruction), unauthorized access to confidential data, disclosure of trade secrets, etc.;

- security holes: theft of material and technical assets by unauthorized persons, unauthorized entry into the company's territory, violation of labor discipline;

- reputation issues: the presence of employees with a bad reputation in the company's structure, cooperation with people (counterparties) with a bad reputation.

To solve all these business problems, the following types of protection are required:

- physical: security systems, guards, surveillance cameras and so on;
- economic: verification of counterparties, protection of the client-bank system, tax optimization;
- organizational and personnel: vetting of incoming personnel, control of existing employees;
- informational: protection against intrusions, protection of files and documents, optimization and protection of 1C, single authentication, protection against information leaks, and so on;
- legal: examination of completed transactions, verification of draft documents, subscription services, and so on.


According to statistics, more than half of all business problems arise due to "gaps" in information security. Leakage of information to competitors, loss of data, transfer of company secret information into the wrong hands - all this carries a big risk for the business. In such a situation, IT managers of the company take a number of effective measures to ensure comprehensive protection of the company.

In the first place is the protection of financial data, in the second - protection against leaks, and in the third - protection against DDoS attacks. And if the first two points have long been in the top three, then the problem with attacks has appeared only recently. The reason for this interest is the increased number of DDoS attacks on small and medium-sized companies.

Among the main security measures that Russian companies have taken are malware protection, update management, application control, network structuring, solutions for protecting financial transfers, control of the use of external devices, protection of mobile phones, etc.


The basic methods of protecting business information are as follows:

1. Intrusion protection: installation of programs or equipment needed to control traffic on the network. When the first sign of danger (an intrusion) appears, the system reacts and blocks access, and the responsible employee is notified.

The protection system is implemented in one of two ways:

- IPS system. Its task is to block any network activity that arouses suspicion, to effectively screen out "extra" traffic. The advantage of the system is the ability not only to detect, but also to prevent intrusion. Minus - a high percentage of false positives, which leads to constant distraction of employees from the case and downtime of the computer network during the check;

- IDS system – monitors for anomalous activity and, when it occurs, signals the administrator. Positive features: effective detection of intrusions and leaving the decision to the administrator. The downside is that the responsible employee may not have time to react, and the system may be irreparably damaged.
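To make the IDS/IPS distinction above concrete, here is an added example (not from the original text) of a minimal rate-based detector run in IDS mode (alert only) and IPS mode (alert and block) over constructed connection-log lines; it also shows how an allow-list for a known host removes the false positive that the text warns about. The log format, hosts and threshold are assumptions made for this example.

```python
"""Added example: the same detection rule in IDS mode (forward everything,
alert the administrator) and IPS mode (drop traffic from the offending source).
The log format, addresses and threshold are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<second> <source-ip> <dest-port>".
# 10.0.0.5 touches six ports in one second (a port sweep);
# 10.0.0.20 is a backup server that legitimately talks to five services.
SAMPLE_LOG = """\
0 10.0.0.5 22
0 10.0.0.5 23
0 10.0.0.5 25
0 10.0.0.5 80
0 10.0.0.5 443
0 10.0.0.5 445
1 10.0.0.9 443
1 10.0.0.20 22
1 10.0.0.20 139
1 10.0.0.20 445
1 10.0.0.20 873
1 10.0.0.20 2049
2 10.0.0.9 80
"""

PORT_SCAN_THRESHOLD = 5  # distinct ports from one source within one second


@dataclass
class Verdict:
    alerts: list = field(default_factory=list)     # (second, source) pairs
    forwarded: list = field(default_factory=list)  # events allowed through


def parse(log: str):
    for line in log.splitlines():
        sec, src, port = line.split()
        yield int(sec), src, int(port)


def analyse(log: str, mode: str, known_scanners=frozenset()) -> Verdict:
    """mode='ids': every event is forwarded and suspicious sources are reported.
    mode='ips': once a source crosses the threshold, its events are dropped too.
    known_scanners is an allow-list (e.g. a backup or vulnerability-scan host)
    that would otherwise produce the false positives the text describes."""
    ports_seen = defaultdict(set)  # (second, source) -> distinct ports
    blocked = set()
    verdict = Verdict()
    for sec, src, port in parse(log):
        if mode == "ips" and src in blocked:
            continue  # IPS: traffic from a blocked source never reaches the network
        ports_seen[(sec, src)].add(port)
        if (len(ports_seen[(sec, src)]) >= PORT_SCAN_THRESHOLD
                and src not in known_scanners
                and (sec, src) not in verdict.alerts):
            verdict.alerts.append((sec, src))  # notify the responsible employee
            if mode == "ips":
                blocked.add(src)
                continue
        verdict.forwarded.append((sec, src, port))
    return verdict
```

Without the allow-list, both modes flag the backup server; in IPS mode that false positive also drops its traffic, which is the downtime cost the text attributes to IPS.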

The ideal intrusion defense system looks like this:


2. Leak protection – a set of measures to prevent confidential information from falling into unauthorized hands. A leak can happen in two ways:

- by malicious theft (espionage, raiders, insiders);
- due to a staff oversight (loss of media, sending a password by mail, visiting a page with a virus, lack of responsible people for transferring data access rights, and so on).

In the case of malicious theft, the protection methods are as follows: restricting the access regime, installing surveillance cameras, installing data destruction tools on servers, encrypting information, and storing data on foreign servers.

To protect against personnel errors, the following methods can be called effective: minimizing access rights to confidential information, individual responsibility of employees, using secure channels, creating regulations for employees working with important documents, and introducing accountability for data carriers handed to employees.

In addition, to protect against accidental errors, it is important to organize recording of telephone conversations, monitoring of traffic and of employee activity at a PC, encryption of USB drives, use of RMS, implementation of DLP systems, and so on.


3. File protection implies the safety of all the most important information that is stored on computers and servers within the company. It is implemented as follows:

- encryption of file systems (data) – use of EFS, Qnap, CryptoPro and similar systems;

- encryption of laptops (netbooks), storage media and mobile devices – software solutions (Kaspersky, SecretDisk, Endpoint Encryption) or encryption modules from Sony, Asus and other companies;

Here, of course, there can be an ambiguous attitude ... Perhaps, it should be clarified - the likelihood that an employee who is privy to the secrets of the enterprise will leak information to the side should be minimal. And this is also part of the concept of information security.
Another interesting fact is that the information landsknecht can, as a professional, change his master. Ethics and the material side are not always compatible. Moreover, it is one thing - when it comes to the security of the country, and another - when a person guards an abstract entity, which is not a fact that it will not be thrown under the tank. I also observed such cases ... Decent and respected people sometimes ended up in ... (well, in a puddle or something - how to put it mildly?). But! Behind them is a family! And then the question of the priority of the most slippery concept - "debt" - is decided - who owes more - to the family or the enterprise? Should the family suffer because of the enterprise? And this, after all, is the reason for the destruction of many families and longing in the eyes of children - "... and I remember this is how we are with the folder!..." I do not dramatize - I remember those times that were a little earlier and compare them with future forecasts months and years. I think that it is worth drawing parallels - an increase in the level of crime, connivance, education of information saboteurs, etc.
So in fact Denis raised a very important topic in this conference, which grew into a discussion about deeper security issues.
This week, my book "Theory of Security" should be published in a trial edition, the announcements of some chapters from which we published in our "Personnel X-ray" - http://www.absg.ru/test - where I consider issues of information wars, confrontation of security concepts, the importance of personalities in security systems, etc. Unfortunately, due to the conditions of the publishing house, I do not dispose of this book for a certain time, therefore I will ask permission to post at least one chapter in full for review and judgment by respected colleagues.
Alexandru T:
"Although the concept of professional ethics is not an empty phrase for me:
Alexander! In fact, it is very pleasant to know that there are people who can consider themselves a certain caste. Caste of incorruptible people. This quality should be combined with the concepts of justice and morality in the best possible way.
If dear colleagues do not consider it hard work - please see 2 links -
http://train.absg.ru/?p=19 - a moral code that we propose to observe for all citizens and, at a minimum, to adhere to its basic principles, analyzing their actions from the point of view of morality. As well as
http://www.absg.ru/5mln in the section of multimedia versions - I took the liberty of commenting on the declaration of human rights and the constitution. Unfortunately, I can’t find the text version in any way except in the text of the magazine.
Sorry, that might be somewhat off topic - it’s just that for some reason the phrase about professional ethics touched something in my soul ... If you look around - ... but what can I say - it’s worth its weight in gold now and just as grains the earth is scattered like golden sand in the depths!..

The Role of Information Security in Business Continuity

Alexander Antipov

The information security strategy should be tightly integrated into the overall corporate business continuity program.


Modern business depends on information technology and is in dire need of ensuring the continuity of processes: even an hour of downtime for services in financial services or telecommunications companies can lead to huge losses. Business continuity is directly related to IT and is critical for any organization, whether it be large retailers, airline ticket agencies or government agencies. In industry, in infrastructure enterprises or in the transport sector, things are still more serious: with the introduction of digital technologies, failures of IT services can lead not only to financial losses, but also to man-made disasters. Of course, it usually doesn't make sense for small companies to implement continuity plans; they solve problems informally. But for big business the risks are incomparably higher.

Excursion into history

For the first time, business continuity was thought about in the fifties of the last century - engineers began to seriously deal with the problem of disaster recovery after incidents. The final formation of this practice happened in the eighties, and the next decade, with its rapid development of technologies, increased the complexity of the approaches used.

The concept of business continuity or BCM (Business Continuity Management) replaced disaster recovery in the second half of the nineties, but many experts still confuse these things. Today, data backup, cold or hot backup site is no longer enough. The problem of the smooth operation of the entire organization affects production equipment and technological processes, means of communication, personnel and much more. We will focus primarily on IT systems, since their failure can completely paralyze the company's activities.

Standards and tools

There are many international organizations dealing with business continuity issues. The best known is the BS 25999 standard developed by the BSI (British Standards Institution). Also worth mentioning are the best practices of the British BCI (Business Continuity Institute), the American DRI (Disaster Recovery Institute) and SANS (SysAdmin, Audit, Network, Security Institute), and the guidance of the Australian National Audit Office (ANAO).

You can also add various national, industry and even internal corporate standards to this; it is easy to drown in this sea of information. Worst of all, while describing the theoretical basis, the documents do not answer the simple question: "How do we solve the problem in practice?"

We initiate a project

We will try to bring the existing methodologies together and will consider ensuring the continuity of business processes as a project - in stages. It is important to understand that its implementation is a continuous cyclical process that takes into account changes in business, Russian and international legislation, and technological innovations.

The goal of our project is to create and implement an enterprise business continuity management (BCM) program. To begin with, it will be necessary to formulate its content and draw up a step-by-step execution plan. Then define the roles of team members and the goals of the project, and think about how to monitor and control progress. To prevent the project from stalling, it is worth creating a special committee of representatives of all interested parties; it should meet periodically to discuss the progress of work and emerging problems.

When working on the plan, it is important to understand whether the project will require outside consultants or whether the company can manage on its own. It is also worth appointing a business continuity manager to run the project, either an employee of the company or an outsourced consultant.

Analyzing the impact on business

Step number one: we conduct a detailed study of business processes (Business Environment Analysis, BEA) of the company and determine the requirements for continuity.

Most often, the consultant in charge of the project conducts interviews with the heads of departments affected by the project. A list of processes is compiled and work begins with their owners: it is necessary to determine the type of impact of the process on the business, the degree of its dependence on IT, as well as the maximum allowable downtime (Maximum Allowable Outage, MAO), after which there is a threat of loss of viability of the organization.

Having determined the MAO for each business process, you need to set the recovery time objective (RTO) and the recovery point objective (RPO); the RPO is usually the period before the emergency for which data may be lost. It is also worth designating acceptable levels of performance (Level of Business Continuity, LBC) in emergency situations, usually as a percentage of normal operation.

Impact assessment (Business Impact Analysis, BIA) analyzes the impact of processes on the entire business as a whole. As a result, a list of critical processes and their interdependencies should be compiled, as well as downtime and recovery times for both the processes themselves and the information systems associated with them. Further, risk analysis (Risk Analysis, RA) is required, during which vulnerabilities, threats to process continuity and the effectiveness of their prevention are assessed.

By identifying the processes that can disrupt the company's activities, as well as the possible damage, we will be able to predict potential hazards, sources of threats and our own vulnerabilities.
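As an added illustration of the BIA step above (not part of the original article), the following code checks a constructed BIA table for consistency (an RTO that exceeds the MAO, an LBC outside 0-100 %), lists the critical processes, and derives the recovery targets each IT system inherits from the processes that depend on it. The process names, system names and hour values are assumptions.

```python
"""Added example: consistency checks on a constructed Business Impact Analysis
table and derivation of per-system recovery targets. All names and hour
values are assumptions made for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    mao_h: float      # Maximum Allowable Outage, hours
    rto_h: float      # Recovery Time Objective, hours
    rpo_h: float      # Recovery Point Objective, hours of data loss tolerated
    lbc_pct: int      # Level of Business Continuity in an emergency, % of normal
    systems: tuple    # IT systems the process depends on


# Constructed BIA results for a bank-like organisation
BIA = [
    Process("card payments", 2, 1, 0.25, 80, ("core-banking", "card-switch")),
    Process("online banking", 8, 4, 1, 50, ("core-banking", "web-portal")),
    Process("monthly reporting", 72, 48, 24, 20, ("data-warehouse",)),
    Process("marketing mailings", 240, 300, 24, 0, ("web-portal",)),
]


def validate(processes):
    """Return human-readable findings. An RTO longer than the MAO means the
    plan accepts losing the process; that is usually a data-entry error."""
    findings = []
    for p in processes:
        if p.rto_h > p.mao_h:
            findings.append(f"{p.name}: RTO {p.rto_h}h exceeds MAO {p.mao_h}h")
        if not 0 <= p.lbc_pct <= 100:
            findings.append(f"{p.name}: LBC {p.lbc_pct}% out of range")
    return findings


def critical_processes(processes, mao_limit_h=24):
    """Processes whose MAO is within mao_limit_h are treated as critical."""
    return sorted(p.name for p in processes if p.mao_h <= mao_limit_h)


def system_targets(processes):
    """Each IT system inherits the strictest RTO/RPO of its dependants.
    Returns {system: (rto_h, rpo_h, number_of_dependent_processes)}; a high
    dependant count marks a shared system as a single point of failure."""
    targets = {}
    for p in processes:
        for s in p.systems:
            rto, rpo, n = targets.get(s, (float("inf"), float("inf"), 0))
            targets[s] = (min(rto, p.rto_h), min(rpo, p.rpo_h), n + 1)
    return targets
```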

Strategy and plans

Step number two: develop the right business continuity strategy (Business Continuity Strategy definition), affecting all aspects of the company.

For each direction, a separate section is created that describes possible technical and organizational solutions for the prompt restoration of business processes. The IT solutions used are mainly hot and cold standby sites, dynamic load balancing tools, as well as mobile sites and capacities of third-party service providers (outsourcing). They differ mainly in cost and recovery time.

It is necessary to create business continuity plans (Business Continuity Plan, BCP) and plans for restoring infrastructure in emergencies (Disaster Recovery Plan, DRP), and to build the technical and organizational BCM system. Plans typically include three phases of restoring continuity: responding to the incident, performing business-critical processes during the emergency, and transitioning back to normal operations.

Implementation and support

Step number three: we purchase and implement the selected solutions.

Implementation is a complex process that may require the involvement of a third party contractor. But even after completing it, you should not rest on your laurels - ensuring business continuity is a continuous and cyclical process.

The corporate BCM program will not only have to be constantly improved, but also integrated into the corporate culture. It will not be possible to limit ourselves to drawing up plans; they will need to be tested, whether by tabletop exercises, simulations or full business continuity testing. Based on the test results, reports are compiled with the scenarios used and the results obtained, together with suggestions for improving the existing plans. Plans are usually updated annually, and sometimes more often, for example after significant changes in the IT infrastructure or in legislation.

The connection with information security

Experts distinguish between business continuity plans and disaster recovery plans, but the role of information security policy in the BCM program is not obvious to everyone.

One of the recent cases is the incident on the Moscow cable car, the activity of which was completely paralyzed as a result of a cyber attack. No matter how good the Disaster Recovery Plan was in this case, it did not help to quickly set up the operation of the enterprise - servers restored from a backup will be subject to the same vulnerabilities. That is why business continuity plans needed to include a list of actions in the event of a successful attack on the IT infrastructure to reduce downtime without risking passengers.

There are many more threats in the industry. If we take the oil and gas industry, which is considered the most highly automated in Russia, as an example, then the technological processes at mining, processing and marketing enterprises are actually controlled by computers. No one takes manual readings of analog instruments, they have been replaced by digital sensors and smart monitoring systems.

Gate valves, valves and other actuators have also become digital. If a successful attack on an automated process control system interrupts the process for a few seconds, this can lead to a plant shutdown for many hours or weeks, to the failure of expensive equipment, and even to serious man-made disasters. Until recently, it was believed that the isolation of the technological part from public networks makes hacker attacks on industrial control systems impossible, but with the development of digitalization of production, this isolation is decreasing, and the number of threats is growing. In addition to industry, there are other areas of activity, besides, not all business-critical services can be isolated.

The main conclusion is that the information security strategy should be closely integrated into the overall corporate business continuity program. This requires comprehensive solutions that can bring together all the tools that ensure the availability of resources and protection from hacker attacks, data confidentiality and integrity, as well as automated control of source code and application security. During the risk analysis and business impact assessment steps, consideration should be given to the possible presence of information systems vulnerabilities subject to attack by malicious actors, and the Business Continuity Plan will have to include procedures for obtaining up-to-date data on threats to the IT infrastructure, their criticality and the availability of fixes. The business continuity strategy should also include procedures for restoring services after successful attacks.

Information security of the enterprise
Information protection of business

*From Wikipedia

Information security is the state of protection of the information environment. Information protection is the activity of preventing leakage of protected information and unauthorized or unintentional impacts on it, that is, the process aimed at achieving this state.

Information security of the enterprise: an internal threat


A number of serious specialists in organizational information security call the internal threat the most important, attributing to it up to 80% of all potential risks. Indeed, the average damage from a single hacker attack is close to zero, because of the large number of hacking attempts and their very low effectiveness. A single instance of human error or a successful insider attack, on the other hand, can cost a company millions of dollars in losses (direct and indirect), litigation, and notoriety in the eyes of customers. In fact, the very existence of the company may be threatened, and this, alas, is a reality. How to ensure ? How to protect yourself from information leaks? How to recognize and prevent an internal threat in time? What methods of dealing with it are most effective today?


Enemy within


Almost any employee who has access to confidential company information can become an internal attacker, or insider. The motivation of the insider's actions is not always obvious, which entails significant difficulties in identifying him. A recently fired employee who harbors a grudge against the employer; a dishonest employee who wants to earn extra money by selling data; modern Herostratus; a specially implanted agent of a competitor or a criminal group - these are just a few archetypes of an insider.


The root of all the evil that insider malfeasance can bring lies in the underestimation of the importance of this threat. According to a study conducted by Perimetrix, the leakage of more than 20% of a company's confidential information in most cases leads to its collapse and bankruptcy. An especially frequent, but still the most vulnerable victim of insiders are financial institutions, and of any size - with a staff of hundreds to several thousand employees. Despite the fact that in most cases companies try to hide or significantly underestimate the real figures of damage from insider actions, even the officially announced losses are truly impressive. Much more painful than financial losses for the company is the damage to the company's reputation and a sharp decline in customer confidence. Often, indirect losses can many times exceed the actual direct damage. Thus, the case of the Liechtenstein bank LGT is widely known, when in 2008 a bank employee handed over a database of depositors to the special services of Germany, the USA, Great Britain and other countries. As it turned out, a huge number of foreign clients of the bank used the special status of LGT to conduct transactions bypassing the tax laws in their countries. A wave of financial investigations and related litigation swept the world, and the LGT bank lost all its significant customers, suffered critical losses and plunged the whole of Liechtenstein into a severe economic and diplomatic crisis. You don't need to look far for very fresh examples either - in early 2011, such a financial giant as Bank of America admitted the fact of a leak of customer personal data. As a result of fraudulent activities, information was leaked from the bank with names, addresses, social security and phone numbers, bank account and driver's license numbers, email addresses, PIN codes and other personal data of depositors. 
It is hardly possible to accurately determine the real scale of the bank's losses, if only the amount "more than 10 million dollars" was officially announced. The reason for the data leak is the actions of an insider who passed information to an organized criminal group. However, under the threat of insider attacks, not only banks and funds, it will be enough to recall a number of high-profile scandals related to the publication of confidential data on the WikiLeaks resource - according to experts, a fair amount of information was obtained through insiders.


Prose of life


Unintentional harm to company confidential data, its leakage or loss is a much more frequent and prosaic thing than the harm caused by insiders. The carelessness of the staff and the lack of proper technical information security can lead to a direct leak of corporate secrets. Such negligence not only causes serious damage to the company's budget and reputation, but can also cause widespread public dissonance. Having broken free, secret information becomes the property not of a narrow circle of intruders, but of the entire information space - the leak is discussed on the Internet, on television, in the press. Let's remember the high-profile scandal with the publication of SMS-messages of the largest Russian mobile operator MegaFon. Due to the inattention of technical personnel, SMS messages were indexed by Internet search engines, and subscribers' correspondence containing information of both personal and business nature got into the network. A very recent case: the publication of personal data of clients of the Pension Fund of Russia. The error of representatives of one of the regional representative offices of the fund led to the indexing of personal information of 600 people - names, registration numbers, detailed amounts of savings of PFR clients could be read by any Internet user.


A very common cause of confidential data leaks due to negligence is related to the daily rotation of documents within the company. So, for example, an employee can copy a file containing sensitive data to a laptop computer, USB stick or PDA to work with data outside the office. Also, information can get to a file sharing service or personal mail of an employee. In such situations, the data is completely defenseless for attackers who can take advantage of an unintentional leak.
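The leak scenarios above (a file copied to a USB stick, a document sent to personal mail) are what a DLP control is meant to catch. The following is an added example, not from the original article, of a small outbound-event check that scores content by classification labels and personal-data patterns and decides whether to allow, alert or block; the labels, regexes, corporate domain and sample events are assumptions.

```python
"""Added example: a DLP-style decision on outbound events. Classification
labels, PII patterns, the corporate domain and the events are constructed
for this example and are not taken from any real product."""
import re
from dataclasses import dataclass

# Labels a (hypothetical) company stamps into its documents, with weights
LABELS = {"CONFIDENTIAL": 3, "INTERNAL": 1}
# Simplified patterns for personal data of the kind named in the text:
# social security numbers and card/account numbers (constructed formats)
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}
CORPORATE_DOMAIN = "example-bank.invalid"  # assumption


@dataclass
class OutboundEvent:
    user: str
    channel: str       # "email", "usb" or "fileshare"
    destination: str   # recipient address, device or URL
    content: str


def classify(content: str):
    """Return (score, reasons); the score grows with labels and PII hits."""
    score, reasons = 0, []
    for label, weight in LABELS.items():
        if label in content:
            score += weight
            reasons.append(f"label:{label}")
    for kind, pattern in PII_PATTERNS.items():
        hits = len(pattern.findall(content))
        if hits:
            score += 2 * hits
            reasons.append(f"{kind}:{hits}")
    return score, reasons


def leaves_perimeter(ev: OutboundEvent) -> bool:
    """Internal mail stays inside; USB and file-sharing services leave."""
    if ev.channel == "email":
        return not ev.destination.endswith("@" + CORPORATE_DOMAIN)
    return ev.channel in ("usb", "fileshare")


def decide(ev: OutboundEvent) -> str:
    """'allow', 'alert' (notify the security officer, let it through) or 'block'."""
    score, _reasons = classify(ev.content)
    if not leaves_perimeter(ev) or score == 0:
        return "allow"
    if score >= 3:
        return "block"
    return "alert"
```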


Golden armor or body armor?


To protect against data leakage, the information security industry creates various leak-protection systems, traditionally denoted by the abbreviation DLP (Data Leakage Prevention). As a rule, these are highly complex software systems with wide functionality for preventing malicious or accidental leakage of secret information. A feature of such systems is that their correct operation requires a well-established structure of internal information and document flow, since the security analysis of all actions with information is based on working with databases. This explains the high cost of installing professional DLP solutions: even before implementation, the client company has to purchase a database management system (usually Oracle or SQL), order an expensive analysis and audit of the information flow structure, and develop a new security policy. A common situation is that more than 80% of a company's information is unstructured, which gives a good idea of the scale of the preparatory work. Of course, the DLP system itself also costs a lot of money. Not surprisingly, only large companies are willing to spend millions on the organization's information security.


But what about small and medium-sized businesses that need to ensure business information security but lack the funds and capabilities to implement a professional DLP system? The most important thing for a company executive or security officer is to determine what information to protect and which aspects of employees' work with information should be supervised. In Russian business, the opinion still prevails that absolutely everything needs to be protected, without classifying information or calculating the effectiveness of protection measures. With this approach, it is quite obvious that, having learned the cost of enterprise information security, the head of a medium or small business waves his hand and hopes for "maybe".


Alternative means of protection exist that do not affect databases or the established life cycle of information, yet provide reliable protection against the actions of intruders and the negligence of employees. These are flexible modular suites that work without problems alongside other security tools, both hardware and software (for example, antiviruses). A well-designed security system provides very reliable protection against both external and internal threats, with a good balance of price and functionality. According to experts of the Russian information security developer SafenSoft, the optimal combination is protection against external threats (for example, HIPS for intrusion prevention plus a virus scanner) together with tools for monitoring and controlling user and application access to individual areas of information. With this approach, the organization's entire network is protected from hacking or virus infection, and the means of monitoring and controlling staff actions when working with information can effectively prevent data leaks. With the full arsenal of protective tools in place, the cost of modular systems is ten times lower than that of complex DLP solutions, and they do not require any spending on preliminary analysis and adaptation of the company's information structure.


So, let's sum up. Threats to enterprise information security are quite real and should not be underestimated. In addition to counteracting external threats, special attention should be paid to internal ones. It is important to remember that leaks of corporate secrets happen not only through malicious intent; as a rule, they are caused by elementary negligence and inattention of an employee. When choosing means of protection, one should not try to cover all conceivable and inconceivable threats; there simply will not be enough money and strength for that. Build a reliable modular security system that closes off the risks of intrusion from outside and allows you to control and monitor the flow of information within the company.

© imht.ru, 2022