Legislative framework of the Russian Federation. Information Security Management System


    According to the requirements of GOST R ISO/IEC 27001-2006 "Information technology. Methods and means of ensuring security. Information security management systems. Requirements", the organization must implement the following:

    Define an ISMS policy based on the organization's business characteristics, location, assets and technology that:

      • contains a concept that includes goals, main directions and principles of action in the field of information security;
      • takes into account business requirements, regulatory requirements, and contractual security obligations;
      • is consistent with the strategic context of the organization's risk management, within the framework of which the ISMS will be developed and maintained;
      • establishes risk assessment criteria;
      • is approved by the management of the organization.

    GOST R ISO/IEC 27002

    Purpose: to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

    Senior management must set clear policy direction consistent with business objectives and demonstrate support and commitment to information security by developing and maintaining an information security policy within the organization.

    If necessary, there should be a point of contact for information security issues within the organization that interested employees can contact. Contacts should be established with external security specialists or groups of specialists, including relevant authorities, to stay abreast of industry trends, monitor standards and assessment methods, and ensure adequate points of contact when handling information security incidents. A multidisciplinary approach to information security should be encouraged.

    The information security policy document must be approved by management, published and communicated to all employees of the organization and relevant third parties.

    The information security policy should set out management's responsibilities and also outline the organization's approach to information security management. The policy document must contain provisions regarding:

      • a definition of information security, its general goals and scope, and the importance of security as a tool that enables information sharing;
      • statements of management intent that support information security goals and principles consistent with business strategy and objectives;
      • the approach to establishing control objectives and controls, including the framework for risk assessment and risk management;
      • a concise explanation of the organization's most significant security policies, principles, standards and compliance requirements, for example:
          • compliance with legal requirements and contractual obligations;
          • security awareness, education and training requirements;
          • business continuity management;
          • liability for violations of the information security policy;
      • the general and specific responsibilities of employees within the framework of information security management, including reporting security incidents;
      • links to documents that supplement the information security policy, such as more detailed security policies and procedures for specific information systems, as well as security rules that users must follow.

    This information security policy must be communicated to users throughout the organization in a relevant, accessible and understandable manner.

    An information security policy may form part of a general policy document. If the information security policy is distributed outside the organization, measures should be taken regarding the non-disclosure of sensitive information. Further information can be found in ISO/IEC 13335-1.

    GOST R ISO/IEC 27003

    The standard "GOST R ISO/IEC 27003 Information technology. Methods and means of ensuring security. Information security management systems. Guidelines for the implementation of an information security management system" recommends:

    Take as initial data:

      • organizational priorities for developing an ISMS - generalized goals and list of requirements;
      • drawing up a description of the ISMS business case for this enterprise and a project plan for management approval - initial management approval of the ISMS project;
      • combining all scopes and boundaries to obtain the overall scope and boundaries - ISMS scope and boundaries;
      • development of an ISMS policy and obtaining management approval - ISMS policy;
      • determination of information security requirements for the ISMS process;
      • identification of assets within the scope of the ISMS;
      • conducting an information security assessment;
      • results of risk assessment and selection of objectives and controls;
      • development of the final organizational structure for information security;
      • development of a framework for documenting the ISMS.

    The strategic position of management and administration related to the information security objectives regarding the use of the ISMS should be documented.

    An information security policy documents an organization's strategic position regarding information security throughout the organization.

    Policy is built on the basis of information and knowledge. Points recognized by management as important during the preceding analysis should be made visible and given special attention in the policy, to provide stimulus and motivation within the organization. It is also important to state what happens if the chosen policy is not followed, and to highlight the impact of laws and regulations on the organization in question.

    Examples of information security policies can be taken from reference books, the Internet, communities of interest and industry associations. Language and guidance can be found in annual reports, other policy documents, or documents maintained by management.

    There may be different interpretations and requirements regarding the actual scope of policy documentation. This documentation must be sufficiently summarized to ensure that the organization's employees understand the meaning of the policy. In addition, it must be clear enough about what goals need to be achieved to establish a set of rules and goals for the organization.

    The scope and structure of the information security policy should support the documents that are used in the next stage of the process to introduce the information security management system.

    For large organizations with a complex structure (e.g., with a wide range of different business areas) it may be necessary to create a general policy and a variety of lower-level policies tailored to specific business areas.

    The proposed policy (with version number and date) should be cross-checked and established within the organization by the operational manager. Once established in a management group or similar body, the operational manager approves the information security policy. It is then communicated to everyone in the organization in an appropriate manner to make it accessible and understandable to readers.

    The output is a document that describes and documents the ISMS policy approved by management. This document must be re-approved in the next phase of the project as it is dependent on the results of the risk assessment.

    GOST R ISO/IEC 27003-2012. Appendix D: Policy Framework

    This annex provides additional guidance on policy design, including information security policy.

    Policy: the general intentions and directions formally expressed by management. The content of the policy governs actions and decisions regarding the subject matter of the policy. An organization may have multiple policies, one for each area of activity important to the organization. Some policies are independent of one another, while other policies are in a hierarchical relationship. In the security area, policies are typically organized hierarchically. Typically, an organization's security policy is the highest-level policy. It is supported by more specific policies, including an information security policy and an information security management system policy. In turn, the information security policy may be supported by more detailed policies on specific subjects related to aspects of information security. Many of these policies are described in the ISO/IEC 27002 standard; for example, the information security policy is supported by policies relating to access control, clear desk and clear screen policies, use of network services and cryptographic controls. In some cases, additional policy levels may be introduced.

    ISO/IEC 27001 requires organizations to have an ISMS policy and an information security policy. However, this does not imply any specific relationship between these policies. These policies may be developed as peer policies; alternatively, the ISMS policy may be subordinate to the information security policy, or, conversely, the information security policy may be subordinate to the ISMS policy.

    When developing a policy, the following should be taken into account:

      • goals and objectives of the organization;
      • strategies adopted to achieve these goals;
      • the structure and processes adopted by the organization;
      • goals and objectives related to the subject of the policy;
      • requirements of related higher-level policies.

    Policies can have the following structure:

      • Summary of Policy - a general description of one or two sentences.
      • Introduction - a brief explanation of the subject of the policy.
      • Scope - describes the parts or activities of the organization that are affected by the policy. If necessary, the Scope clause lists other policies that are supported by this policy.
      • Goals - a description of the purpose of the policy.
      • Principles - descriptions of rules regarding actions and decisions to achieve the goals. In some cases, it may be useful to identify the key processes associated with the subject matter of the policy and then the rules for executing the processes.
      • Areas of responsibility - who is responsible for actions to fulfill the requirements of the policy. In some cases, this clause may describe organizational arrangements as well as the responsibilities of individuals with specific roles.
      • Key results - a description of the results obtained by the enterprise if the goals are achieved.
      • Related Policies - a description of other policies relevant to the achievement of the objectives, usually providing additional details relating to individual subjects.

    Example information security policy

    The following is an example information security policy, showing its structure and sample content.

    Information Security Policy (Example)

    Summary of Policy

    Information must always be protected, regardless of its form and the way it is distributed, transmitted and stored.

    Introduction

    Information can exist in many different forms. It may be printed or written on paper, stored electronically, transmitted by mail or electronic means, shown on film, or conveyed orally in conversation.

    Information security is the protection of information from various threats, designed to ensure the continuity of business processes, minimize business risk and maximize the return on investment and ensure business opportunities.

    Scope

    This policy reinforces the overall security policy of the organization.
    This policy applies to all employees of the organization.

    Information security goals

      • Understanding and handling strategic and operational information security risks so that they are acceptable to the organization.
      • Protecting the confidentiality of customer information, product developments and marketing plans.
      • Maintaining the integrity of accounting materials.
      • Ensuring that shared web services and intranets meet appropriate accessibility standards.

    Information Security Principles

      The organization favours taking risks, and tolerates risks that conservatively managed organizations would not tolerate, provided that risks to information are understood, monitored and treated as needed. A detailed description of the approaches used to assess and treat risks can be found in the ISMS policy.

    It is difficult to imagine the work of enterprises in the 21st century without information and communication technologies. Information is an integral component of all areas of an enterprise’s activity, a tool without which it is impossible to solve many increasingly complex problems facing the enterprise.

    Information has several characteristics, and one of the most important is security. Information security directly affects business functioning, competitiveness, market image and, ultimately, financial performance. Quite often it is understood as restricting the access of third parties to information. In fact, this is only one part of a general set of issues related to information security.

    The international standard ISO/IEC 27001:2005 (ISO 27001) is recognized as the best global practice in the field of information security management. It specifies requirements for an information security management system (ISMS) to demonstrate an organization's ability to protect its information assets. This standard defines information security as “preserving the confidentiality, integrity and availability of information.”

    Confidentiality - ensuring that information is accessible only to those who have the appropriate authority.

    Integrity - ensuring the accuracy and completeness of information, as well as methods for processing it.

    Availability - ensuring access to information to authorized users at the right time.

    The goal of information security is to ensure the continuity of a company's business and minimize business risks by preventing security incidents and reducing the extent of potential damage. To understand the essence of information security, it is necessary to visualize the entire chain, which includes information, information flows, the properties of these flows, and information problems. Only after this can the role of information security be realized.

    LIFE CYCLE AND INFORMATION FLOW

    Let's start with the key element of the life support of an enterprise - information.

    Information in an enterprise is in constant motion: it appears somewhere, accumulates somewhere, is transferred somewhere, is used by someone for a certain time and eventually becomes unnecessary. In this way, the life cycle of a given piece of information is formed. Each stage of this cycle (or a set of these stages) can be considered an information flow. Such flows at the enterprise include the information necessary:

    • for making management decisions (economic indicators of one’s own enterprise and competitors, data on the functioning of business processes, data on suppliers, on the sales market);
    • to fulfill operational business goals (results of management decisions, operational tasks and adjustments, information about raw materials, customer requirements);
    • to ensure the operation of business processes (descriptions of processes and their relationships, methodological documentation, administrative documentation).

    The following properties of information flows can be distinguished:

    • short-termism - information is important at a certain point in time;
    • openness - company information is of interest to third parties (customers, suppliers, competitors);
    • propensity for growth - the amount of information in the enterprise is large and constantly growing;
    • variability - information flows in an enterprise are in constant motion.

    It should be noted that information should be understood as all data that is of interest to the enterprise, in any form - paper, electronic, audio (telephone conversations), graphic (slides). It is not worth singling out electronic information and approaching it in any special way from a security point of view, since information forms information flows, which are often created on paper or in speech, then converted into an electronic document, sent by email (or fax), and then may be printed on paper again. However, electronic information has additional properties, both positive:

    • it can be quickly delivered to any point;
    • new electronic documents can be quickly created from existing ones;
    • large volumes of information can be accumulated, with convenient and quick access to the necessary part of it;

    and negative:

    • it is quite easy to damage or destroy;
    • it can easily fall into the hands of a competitor.

    At each stage of the information life cycle, various factors act that tend to disrupt the natural, that is, conflict-free, flow of information flows. The general concept for various factors of this kind (objective and subjective) is the concept of information security threats. Threats don't just appear. The emergence of threats is associated with the presence of vulnerabilities in enterprise information systems.

    Examples of information threats and vulnerabilities that lead to threats:

    • commercial information reaching competitors (weak control of third-party access to information resources);
    • partial or complete loss of information on the development of a new product (fire in the archive, departure of a key employee);
    • untimely receipt of information (lack of clear rules for providing information, failure of computer equipment);
    • incorrectness of the information received to fulfill operational business goals (operator error due to insufficient qualifications or level of data entry control).

    The main objective of an ISMS according to the requirements of ISO 27001 is to prevent incidents that cause damage to the business by effectively limiting internal and external intentional and unintentional threats and vulnerabilities.

    HISTORY OF ISO 27001

    The development of information systems in the early 1990s led to the need to create a standard for security management. At the request of the British government and industry, the British Department of Trade and Industry developed a set of practices for an ISMS. British Telecom, Marks and Spencer, National Westminster Bank, Nationwide, Shell International, Unilever and others took part in the development of this document. The further development of the standard was as follows:

    1995 British Standard BS 7799-1:1995 is introduced. Part 1 describes the principles and structure of an ISMS.

    1998 New edition of BS 7799-1:1998. Introduction of BS 7799-2:1998. Part 2 - ISMS requirements. Allows ISMS certification. From this moment on, it became possible to carry out certification according to the British standard.

    1999 New edition of BS 7799-1:1999. New edition of BS 7799-2:1999

    2000 The emergence of the international standard ISO 17799:2000. Since then, BS 7799-1:1999 has gained international recognition.

    2001 New edition of BS 7799-2:2001.

    2002 New edition of BS 7799-2:2002.

    2003 The National Bank of Moldova has put forward requirements for commercial banks to implement an ISMS based on ISO 17799:2000.

    2004 Belarus has adopted the national GOST 17799. The Central Bank of the Russian Federation, based on ISO 17799:2000, has created an information security management standard for the banking sector.

    2005 Introduction of ISO/IEC 27001:2005, which replaced BS 7799-2:2002. New edition of ISO 17799:2005 (soon to be renamed ISO/IEC 27002).

    2006 Russia is working on the translation of ISO 17799:2005 and ISO 27001:2005 standards. Specialists in ISMS development have appeared in Russia and Ukraine. Enterprises of the CIS countries are working on the development of an ISMS. International certification bodies have received accreditation to carry out certification.

    2007 The emergence of the Russian state standard GOST R ISO/IEC 17799:2005 (analogous to ISO 17799:2000). GOST R ISO 17799:2007 and GOST R ISO 27001:2007 are expected to appear. It is expected that work will begin in Ukraine on the production of DSTU ISO 17799 and DSTU ISO 27001.

    The original BS 7799 standard has come a long way, through a series of tests and adjustments. The most important stage in its “career” was 2005, when the standard for assessing an ISMS was recognized internationally (that is, the consistency of its requirements with a modern ISMS was confirmed). From that moment on, leading enterprises around the world began to actively implement the ISO 27001 standard and prepare for certification.

    ISO 27001 STRUCTURE

    It is best to start getting acquainted with an ISMS by studying the world's best practices in the field of information security, given in the ISO 27001 standard, which is logical and understandable, and the best practices are formulated as clear requirements. The standard consists of four parts.

    The first part, “General Provisions”, contains information about the purpose of the standard, its relationship with other information security standards, as well as terms and definitions.

    The second part, “Requirements for an ISMS”, is the main one. It puts forward mandatory requirements for an ISMS and allows you to build an effective system based on them. The general requirements occupy only nine pages and contain the following sections: “Information security management system”, “Management commitments”, “Internal audits of the ISMS”, “Analysis of the ISMS by management”, “Improving the ISMS”.

    The third part, “Appendix A. Objectives and Controls”, describes the specific requirements for each area of information security (11 areas in total, designated in accordance with sections 5-15 of the ISO/IEC 17799:2005 standard).

    A5. Security Policy. Goal: to ensure clear management and support of information security policy by enterprise management.

    A6. Organization of a security system. Goal: to create an organizational structure that will implement and ensure the functioning of the ISMS.

    A7. Asset classification and management. Goal: maintain adequate information security by classifying information assets according to the need and priority of protection, and distribute responsibility.

    A8. Security and personnel. Goal: Reduce the risk of human error, theft and misuse of equipment.

    A9. Physical and external security. Purpose: to prevent unauthorized access, damage and disruption of the organization’s information system.

    A10. Computer and network management. Goal: to ensure the secure operation of computers and networks.

    A11. System access control. Purpose: manage access to information, prevent unauthorized access.

    A12. Acquisition, development and maintenance of an information system. Goal: to ensure compliance with security requirements when creating or developing an organization’s information system, maintaining the security of applications and data.

    A13. Information security incident management. Goal: To ensure that reporting of information security incidents and deficiencies allows for timely corrective actions to be taken.

    A14. Ensuring business continuity. Objective: Prepare a contingency plan to ensure continuity of the organization's operations.

    A15. Compliance with legislation. Purpose: To ensure compliance with applicable civil and criminal laws, including copyright and data protection laws.

    The ISO/IEC 17799:2005 standard contains recommendations for implementing the requirements of Annex A of the ISO/IEC 27001:2005 standard. The requirements of “Appendix A” are mandatory, but the standard allows you to exclude those areas that cannot be applied at the enterprise.

    The fourth part of the standard consists of “Annex B: relationship between OECD principles and ISO 27001”, “Annex C: relationship between ISO 9001:2000, ISO 14001:2004 and ISO 27001” and bibliographical references. This part is informative.

    BENEFITS OF IMPLEMENTING ISO 27001

    Let us present the benefits of implementing and certifying an ISMS based on the ISO 27001 standard, along with the requirements of the standard that allow you to obtain these benefits.

    1. Information assets will become clear to the company's management. The organization must manage assets:

    • Asset inventory.
    • Determining who is responsible for assets.
    • Develop principles for classifying assets according to their significance, legal requirements, importance and criticality for the organization.
    • Identify assets according to classification principles.

    [ISO 27001 standard. App. A. Requirement A.7]

    2. Security threats and vulnerabilities to existing business processes will be regularly identified. The organization must identify risks:

    • Identify assets.
    • Identify threats to these assets.
    • Identify vulnerabilities that can be exploited by these threats.
    • Identify impacts that could result in loss of confidentiality, integrity, and availability of resources.

    [ISO 27001 Clause 4.2.1 d)]

    3. Risks will be calculated and decisions will be made based on the company’s business goals. The organization must analyze and assess the risks:

    • Assess damage to business.
    • Assess the likelihood of a violation occurring.
    • Assess risk levels.
    • Determine whether the risk is acceptable or whether risk treatment is required using risk acceptance criteria.

    [ISO 27001. Clause 4.2.1 d)]

    4. System management in critical situations will be effective. The organization must manage business continuity:

    • Define and implement processes for business continuity.
    • Identify events that can lead to disruptions in business processes, determine opportunities and degrees of impact.
    • Develop recovery plans.
    • Prioritize plans for testing and support.
    • Test and update plans regularly.

    [ISO 27001 standard. App. A. Requirement A.14]

    5. The process of implementing the security policy will be carried out (find and correct weak points). Management should:

    • Develop ISMS policies.
    • Set goals and plans.
    • Distribute responsibility in the area of information security.
    • Communicate to all employees.
    • Provide resources.
    • Make decisions about the acceptability of risks.
    • Ensure internal audits are carried out.
    • Conduct ISMS analysis.

    [ISO 27001 Clause 5.1]

    6. The transparency of the business and its compliance with the law will be demonstrated through conformity with the standard. The organization must:

    • Determine applicable law.
    • Ensure intellectual property protection.
    • Ensure the protection of records from loss, destruction and falsification in accordance with legal requirements.
    • Ensure the protection of personal data and private information.
    • Prevent misuse of information processing facilities by users.

    [ISO 27001 standard. App. A. Requirement A.15.1]

    7. The cost of maintaining the security system will be reduced and optimized. The standard requires the identification and classification of assets. Classification can be carried out in monetary terms or on a qualitative basis. In addition, the standard requires a risk assessment. To make an objective decision on financing a particular area of information security, the standard requires the development of a risk acceptance scheme (Fig. 1).

    Thus, an objective assessment of “damage-probability” combinations will make it possible to constantly effectively finance information security.

    8. Reliable protection against raider attacks will appear. Raiders are specialists in seizing operational control or property of a company by means of a specially initiated business conflict. Raiding is the removal of assets from the possession of their legal owners. One of the possible schemes of a raider's work is to create the maximum number of problems for an enterprise, and then take it from the owners and management for next to nothing in order to sell the enterprise or its property to third parties for a thousandfold profit.

    Enterprise vulnerabilities give rise to raider attacks. Few enterprises have no “sins”. These “sins”, or rather compromising information, are located within the general information system of the enterprise. By keeping this information from third parties, you can avoid triggering a raider takeover.

    The process of raider takeover itself is based on the study of the internal processes of the enterprise, the rules and regulations of its work. This information allows you to clearly plan and carry out a raid at the most appropriate moment in time. Hiding this information or misinforming the raiders will not allow the plan to seize the enterprise to be carried out.

    9. The security subsystem is integrated into the overall management system. The ISMS is built on the principles of European management. The requirements for the overall management system are reflected in the ISO 9001:2000 standard. The ISO 27001 standard is harmonized with the ISO 9001:2000 quality management system standard and is based on its basic principles.

    The structure of documentation for the requirements of ISO/IEC 27001:2005 may be similar to the structure for the requirements of ISO 9001:2000. Much of the documentation required by ISO/IEC 27001:2005 may already have been developed and used within the overall enterprise management system.

    10. The enterprise will receive international recognition and increase its authority in both domestic and foreign markets. To obtain this benefit, it is necessary to confirm the compliance of the ISMS with the requirements of the standard with the help of an independent third party. The independence of the third party is a key factor in achieving the above benefits. The certification body acts as a third party. The confirmation of the certification body is expressed in the issuance of a certificate. The level of client trust in the system directly depends on the client trust in the certificates of a particular certification authority.

    MANAGEMENT OF RISKS

    The basis of the ISO 27001 standard is the information risk management system.

    The risk management system allows you to get answers to the following questions:

    • What risks currently threaten our business processes?
    • Which area of information security do you need to focus on?
    • How much time and money can be spent on this technical solution for information security?

    The task of risk management is to identify and manage risks. Risk management is a guide for any actions in both the short and long term of an organization’s life. Risk management focuses on preventive measures or measures that mitigate the magnitude of the consequences.

    Risk is the combination of the probability of an event and its consequences (ISO/IEC Guide 73).

    Clause 4.2.1 of ISO 27001 requires:

    • c) define the approach to risk assessment in the organization (determine the risk assessment method, determine the criteria for accepting risks),
    • d) identify risks (identify assets, identify threats, identify vulnerabilities, identify possible impacts that could lead to loss of confidentiality, integrity and availability of assets),
    • e) analyze and assess risks (assess business damage, assess probability, assess risk levels, determine risk acceptability/unacceptability),
    • f) identify and evaluate risk treatment options,
    • g) select objectives and controls for risk treatment.

    The requirements of the standard practically serve as a guide to the implementation of a risk management system.

    The algorithm for assessing and accepting risks is shown in Fig. 2. The standard allows for both qualitative and quantitative risk assessment. In practice, many risks are difficult or impossible to quantify.

    The risk analysis methodology is described in detail in the IT-Grundschutz methodology, in the standard BSI 100-3, which is freely available (www.bsi.de).
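    The clause 4.2.1 steps above, worked through as a small qualitative risk register. This is an added illustration, not code from the article or from the BSI documents; the 1-5 scales, the acceptance threshold of 6, the treatment option names and the sample assets, threats and vulnerabilities are all constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# c) Risk assessment approach: ordinal scales and the acceptance criterion (assumed values).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
ACCEPTANCE_THRESHOLD = 6          # level <= 6 is accepted; anything above must be treated
TREATMENT_OPTIONS = ("modify", "retain", "avoid", "share")   # f) assumed option names


@dataclass
class Asset:
    """d) An asset with its business value per security property (assumed 1-5 scale)."""
    name: str
    owner: str
    value: Dict[str, int]          # keys: confidentiality, integrity, availability


@dataclass
class Risk:
    """d) asset + threat + vulnerability + affected property; e) likelihood estimate."""
    asset: Asset
    threat: str
    vulnerability: str
    affected: str                  # property the threat compromises
    likelihood: str
    treatment: Optional[str] = None
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None   # estimate after the selected controls

    def impact(self) -> int:
        # Business damage is taken as the asset's value for the affected property.
        return self.asset.value[self.affected]

    def level(self, residual: bool = False) -> int:
        # e) Risk level as the ordinal product of likelihood and impact.
        lik = self.residual_likelihood if residual and self.residual_likelihood else self.likelihood
        return LIKELIHOOD[lik] * self.impact()

    def acceptable(self, residual: bool = False) -> bool:
        return self.level(residual) <= ACCEPTANCE_THRESHOLD

    def tag(self) -> str:
        return f"{self.asset.name} / {self.threat}"


def evaluate(register: List[Risk]) -> List[Risk]:
    """e) Risks above the acceptance criterion, highest level first."""
    return sorted((r for r in register if not r.acceptable()), key=lambda r: -r.level())


def check_treatment(risk: Risk) -> List[str]:
    """f)/g) Validate a treatment decision; an empty list means the decision is consistent."""
    findings: List[str] = []
    if risk.treatment not in TREATMENT_OPTIONS:
        return [f"{risk.tag()}: no valid treatment option chosen"]
    if risk.treatment == "retain" and not risk.acceptable():
        findings.append(f"{risk.tag()}: level {risk.level()} exceeds {ACCEPTANCE_THRESHOLD}; "
                        "'retain' requires documented management acceptance")
    if risk.treatment == "modify":
        if not risk.controls:
            findings.append(f"{risk.tag()}: 'modify' chosen but no controls selected")
        elif not risk.acceptable(residual=True):
            findings.append(f"{risk.tag()}: residual level {risk.level(residual=True)} "
                            f"still above {ACCEPTANCE_THRESHOLD}")
    return findings


def build_sample_register() -> List[Risk]:
    """Constructed sample data (not from the article)."""
    db = Asset("customer database", "CIO", {"confidentiality": 5, "integrity": 4, "availability": 3})
    web = Asset("corporate website", "marketing", {"confidentiality": 1, "integrity": 3, "availability": 2})
    return [
        Risk(db, "data theft via unpatched server", "missing security patches", "confidentiality",
             "possible", treatment="modify",
             controls=["patch management procedure", "database encryption"], residual_likelihood="rare"),
        Risk(web, "website defacement", "weak administrator password", "integrity",
             "likely", treatment="retain"),
        Risk(web, "denial of service", "single internet provider", "availability",
             "unlikely", treatment="retain"),
    ]


def treatment_report(register: List[Risk]) -> List[str]:
    """Findings over the whole register; the empty list is the 'ready for the risk treatment plan' state."""
    return [f for r in register for f in check_treatment(r)]


if __name__ == "__main__":
    reg = build_sample_register()
    for r in evaluate(reg):
        print(f"{r.level():>2}  {r.tag()}")
    for line in treatment_report(reg):
        print("FINDING:", line)
```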

    METHODOLOGY FOR IMPLEMENTATION OF IT-GRUNDSCHUTZ ISMS

    The ISO/IEC 27001:2005 standard sets out requirements for an ISMS, but does not describe the implementation methodology. Let's consider one of the simplest and most reliable methods for creating an ISMS - IT-Grundschutz. It was developed by the German government's Federal Office for Information Security (BSI), and the relevant documents are publicly available on the website www.bsi.de. The methodology is compatible with the requirements of ISO/IEC 27001:2005, contains a structured and practical approach, as well as specific, detailed measures to implement the requirements of ISO/IEC 27001:2005.

    Thanks to specifically formulated standard measures (basic protection catalogs) for the most diverse aspects of information security, IT-Grundschutz is the least expensive implementation method. It is based on the following documents.

    Standards:

    • ISO/IEC 27001:2005 - information security management systems (requirements);
    • BSI 100-1 - information security management systems (recommendations);
    • BSI 100-2 - “IT-Grundschutz” methodology (how, what and why to do, in general);
    • BSI 100-3 - risk analysis based on the IT-Grundschutz methodology (allows you to implement a risk management system in accordance with the requirements of ISO/IEC 27001:2005).

    Catalogs (constantly updated):

    • Part M: Modules - describes specific activities for developing an ISMS (for example, the section on developing a security policy includes requirements for the policy, the content of the policy, options for developing the policy, and examples of security goals that follow from the policy);
    • Part T: Threats - a detailed description of the threats referenced in Part M (a catalog of threats to numerous assets);
    • Part S: Safeguards - a detailed description of the protective measures referenced in Part M (a catalog of threat mitigation activities).

    NATIONAL PECULIARITIES OF IMPLEMENTATION

    Responsibility. The initial question in our conditions is responsibility for the functioning of the ISMS. The existence of a corresponding position is not regulated in the ISO/IEC 27001:2005 standard, and European consultants involved in implementing an ISMS insist on appointing a responsible person from among management. In our conditions, the powers and responsibilities of such a person can be assigned to one of the following: head of the security service, head of the quality service, head of the IT service, head of the IT security service, or the first manager.

    Place in the overall management system. In different sectors of Ukrainian industry the place of the ISMS will differ, since the sectors have different levels of development of information systems, different degrees of automation and different business specifics.

    Large enterprises of the mining and metallurgical complex, mechanical engineering and chemical enterprises may have an ISMS of the type shown in Fig. 3a.

    I would like to emphasize that the ISMS is almost entirely contained within the general management system, since the most important aspects of security in this case are the integrity and availability of information.

    For enterprises in the financial sector, telecommunications services, airlines, state legislative and executive authorities, statistics departments, the Ministry of Internal Affairs and the Security Service of Ukraine, the structure may be as in Fig. 3b. In this case, the ISMS is the basis of the organization’s life.

    For medium-sized enterprises and organizations, the ISMS may look like in Fig. 3c.

    Naturally, it is impossible to accurately characterize the place of an ISMS in an organization only depending on its industry and size. Each enterprise is always a unique mechanism with its own management style, its own technological and information mechanisms.

    Staff engagement is another important factor in the success of ISMS implementation in Ukraine. To implement it in our conditions, the following measures are necessary:

    • training those responsible for implementing the system;
    • explaining to all employees involved in the ISMS the need to comply with the requirements of the standard;
    • elimination (minimization) of the system of fines;
    • development of a motivation system.

    The absence of these measures can significantly reduce the effectiveness of the ISMS.

    Alexander Anatolyevich Dmitriev
    systems expert
    information security
    TUF Nord Ukraine (Donetsk)

    September 12th, 2011

    Information security management according to the ISO 27001 Standard. Documentation requirements
    Happiness exists. Information security management can be built on the basis of the ISO 27001 standard. Mikhail Vinnikov, Deputy Head for Methodological Work in the Information Systems Audit Department of the Department of Audit and Consulting Services for Financial Institutions at FBK, talks about how to do this:

    Today I will talk about a process that seems to have nothing to do with information security and more to do with document flow, but which is in fact an important process that saves the operator a lot of time and nerves: the requirements imposed on documenting information security processes, or, in other words, how to describe the ISMS correctly and with minimal effort and keep those descriptions up to date. Naturally, with a focus on ISO 27001.

    A level of information security (hereinafter IS) adequate to the needs of the organization requires a clear statement of the basic rules, principles and objectives; their adequate translation into repeatable and controlled protective measures; the implementation of those measures in practice by the organization's employees; and a prompt reflection of the current situation so that managers can take appropriate action.
    The best way to achieve this is to put the ideas, practical considerations and results of information security activities into documentary form. This allows, firstly, the structure of interaction between the rules and the practical actions that implement them to be determined, and secondly, each employee to be told, at the appropriate level of the business process, the rules and information security requirements he must follow when performing his job responsibilities, together with the procedure for monitoring their compliance.
    Based on the above, we obtain a new “branch” in the diagram of the information security management system (ISMS) according to ISO Standard 27001 (hereinafter referred to as the Standard):

    “ISMS” - “develops” - “documentation requirements”.

    The codes in the task names, as already mentioned at the beginning of our publications, indicate the section number of the ISO Standard 27001.
    How to organize a document support system for an ISMS?
    Each document type can be further characterized by the following attribute questions that influence its life cycle:
    - for whom it is intended (who will read it);
    - who coordinates and approves it;
    - how often it can change.
    On the other hand, formally documents can be divided into program (reference) and operational (containing results of activities). In terms of the Standard, such documents are divided, respectively, into actual documents and records.
    According to the Standard, ISMS documentation must include information about:
    - documented provisions of the ISMS policy, its goals and scope of operation, IS policy;
    - procedures and controls used by the ISMS;
    - methodology for assessing IS risks;
    - results of risk assessment and plans for their treatment;
    - procedures for assessing the results of the functioning of the ISMS;
    - evidence of the functioning of the ISMS.
    In what format should this information be presented?
    When developing the system of documents that supports an ISMS, a conflict arises between the labor intensity (resource requirement) of initially creating the documents and that of keeping them up to date afterwards. On the one hand, there is a desire to keep the number of document types (the nomenclature) and the number of documents themselves as small as possible (a small number is easier to manage, the whole package can be prepared quickly, etc.). On the other hand, if the ISMS “lives” and keeps developing, the documents have to be adjusted and refined periodically, and at some stages of development quite often. If information security documents are included in the organization’s general “bureaucratic” cycle of development, coordination and approval, then the higher the level of coordination and approval, the longer the cycle for putting new versions into effect, and the harder it is to keep them up to date.
    Let's assume that an organization has developed an Information Security Policy, including provisions on the rules of action in certain areas of information security (called private information security policies). Due to the fact that all employees of the organization should be familiar with the Information Security Policy, they tried to make the document not very voluminous and detailed, and the provisions of private policies were described briefly, in the form of abstracts.
    What was the result?
    The document still turned out to be heavy: more than a dozen pages, which is a lot. The resulting private policies, for lack of specificity, explain practically nothing, so they are impossible to apply. The document is difficult to maintain: to make and approve an adjustment to a section, for example on the safe use of the Internet when deciding to deploy, say, an intrusion detection system (IDS), you have to wait for the next meeting of the board of directors, and so on. That is, the document turned out to be non-working.
    The information security policy should be easy to understand and ideally fit on one or two pages, because, as a strategic document, it is approved at the highest level of the management hierarchy and all employees of the organization must become familiar with it. Separating the general and private policies into distinct documents allows private policies to be refined, expanded and adjusted more effectively: the corresponding document is approved much faster, and WITHOUT CHANGING the general information security policy.
    The same thing happens if a private policy reflects the use of a specific technology or system, or its configuration. Changing the system or reconfiguring it then entails changing a document signed at director level. Wrong! It is easier for the private policy to point to subordinate documents (third and fourth levels), giving in an annex to the private policy the format and list of information necessary for management.
    I hope I have convinced you of the idea that the information security document system should be built according to a hierarchical scheme with the most general and abstract documents at the highest level of the hierarchy, and increasing “specificity” as you get closer to the practical part.
    What do the standards recommend to us?
    The ISO 13335-1 standard provides 4 levels of information security policies (rules):
    - corporate security policy;
    - information security policy;
    - corporate security policy for information and communication technologies;
    - security policy for [individual] information and communication technology systems.
    Recommendations in the field of standardization of the Bank of Russia RS BR IBBS 2.0-2007 offer the following interpretation of the provisions of the standard mentioned above:

    What documents can be classified at each level?

    - First level: ISMS Policy, Information Security Policy, Information Security Concept.
    - Second level: Private information security policies (ensuring physical security, providing access, using the Internet and e-mail, information security in technological processes, etc.).
    - Third level: Instructions, regulations, procedures, manuals, teaching aids and training programs, configuration requirements, etc.
    - Fourth level: Entries in the system logs of the OS, DBMS and IS; registers of information assets; applications and completed orders to provide access; entries in information security training and instruction logs, test reports, acts, obligations on non-disclosure of confidential information, etc.

    Documents assigned to different hierarchy levels have different life cycles. How often do they change?

    - First level: rarely (with changes at the strategic level).
    - Second level: not often (with changes at the level of tactical decisions).
    - Third level: relatively often.
    - Fourth level: continuously.


    High-level documents should be as general and abstract as possible and change with changes at the strategic level - a change in business strategy, the adoption of new standards, a radical change in the information system, etc. Documents subordinate in the hierarchy (third level) can change much more often - with the introduction of new products, information security technologies, the formation of additional training courses, or the development of information backup procedures. At the fourth level, records are generated continuously and over time, most likely, their format will be refined.

    Documents located at different levels of the hierarchy require approval at different levels of management.

    High-level documents - ISMS and IS policies, which define strategic approaches to ensuring IS, are approved at the level of owners or board of directors.
    Private policies that define information security rules in certain areas can be approved at the level of the executive director or supervising manager, but must have a wide range of approval in the departments affected by these areas of activity.
    Regulations, instructions and other practical documents are working documents of the departments operating the information security infrastructure; those departments create, adjust and change them. In some cases, individual third-level documents may require approval at the level of the organization's management (for example, regulations on divisions, etc.).
    Evidence of the functioning of information security is, if necessary, authenticated by the signature of the performer.
    In order not to get confused in the versions of documents, correctly distribute documents among the employees for whom they are intended, all this pile of documents must be MANAGED.
    The document management procedure should ensure:
    - approval of documents at the appropriate level of the organization’s management structure;
    - revision and modernization, if necessary, of documents;
    - ensuring identification of changes made and the current status of document versions;
    - access to working versions of documents at the places of their use;
    - existence of a procedure for identifying documents and providing access to them;
    - access to documents of authorized persons, as well as the fact that their life cycle (transfer, storage and destruction) is carried out in accordance with the level of their confidentiality classification;
    - identification of documents created outside the organization;
    - control over the distribution of documents;
    - preventing the use of outdated documents;
    - appropriate identification of obsolete documents if they are retained for any purpose.
    It is advisable to describe the procedure for managing information security documents in a separate document containing, among other things, a list and the purpose of all documents, the period and/or conditions of their revision, who owns each document, who coordinates and who approves which document, for whom each type of document is intended, and so on.
    All rules for creating, amending, agreeing and approving documents must comply with the document flow rules adopted in the organization.
    It should be noted that the procedure for revising documents does not necessarily imply changing them. For some types of documents it is useful to provide a procedure for confirming their relevance, carried out at long but regular intervals. From the Bank of Russia's recommendation of a three-year period for conducting a self-assessment or audit of compliance with the requirements of the STO BR IBBS-1.0 standard, it can be assumed that the same period for reviewing/confirming the information security policy is reasonable (in the sense of NOT SHORTER!). For other documents, the revision procedure may need to be carried out somewhat more often.
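    The document management procedure described above (approval level per hierarchy level, version status, preventing the use of outdated documents, regular revision) as a small document-control register. This is an added illustration, not the author's or FBK's code; the approver titles, the review intervals other than the three-year period quoted for first-level documents, and the sample documents and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Assumed rule per hierarchy level: who must approve and how long a current version may go
# without review. The 3-year first-level interval follows the text; the others are assumptions.
LEVEL_RULES = {
    1: {"approver": "board of directors", "review_days": 3 * 365},
    2: {"approver": "executive director", "review_days": 365},
    3: {"approver": "department head", "review_days": 180},
}


@dataclass
class DocumentVersion:
    doc_id: str        # stable identifier shared by all versions of one document
    title: str
    level: int         # 1..3 (fourth-level records are managed as records, not here)
    owner: str         # responsible employee
    version: str
    approved_by: str
    approved_on: date
    status: str        # "draft", "current" or "obsolete"


def current_documents(register: List[DocumentVersion]) -> Dict[str, DocumentVersion]:
    """Versions allowed at the point of use: exactly the ones with status 'current'."""
    return {d.doc_id: d for d in register if d.status == "current"}


def review_due(register: List[DocumentVersion], today: date) -> List[str]:
    """Current versions whose review interval for their level has elapsed."""
    due = []
    for d in current_documents(register).values():
        deadline = d.approved_on + timedelta(days=LEVEL_RULES[d.level]["review_days"])
        if today > deadline:
            due.append(d.doc_id)
    return sorted(due)


def validate(register: List[DocumentVersion], today: date) -> List[str]:
    """Findings against the document management requirements; empty list means the register is consistent."""
    findings: List[str] = []
    seen_current: Dict[str, int] = {}
    for d in register:
        if d.level not in LEVEL_RULES:
            findings.append(f"{d.doc_id} v{d.version}: level {d.level} is not a controlled-document level")
            continue
        required = LEVEL_RULES[d.level]["approver"]
        if d.status != "draft" and d.approved_by != required:
            findings.append(f"{d.doc_id} v{d.version}: approved by '{d.approved_by}', level {d.level} requires '{required}'")
        if d.status == "current":
            seen_current[d.doc_id] = seen_current.get(d.doc_id, 0) + 1
    # Only one version of a document may be current; otherwise users cannot tell which to apply.
    for doc_id, n in seen_current.items():
        if n > 1:
            findings.append(f"{doc_id}: {n} versions marked current")
    for doc_id in review_due(register, today):
        findings.append(f"{doc_id}: review interval elapsed, relevance must be confirmed")
    return findings


def build_sample_register() -> List[DocumentVersion]:
    """Constructed sample register (not from the article)."""
    return [
        DocumentVersion("POL-IS", "Information Security Policy", 1, "CISO", "1.0",
                        "board of directors", date(2011, 1, 10), "current"),
        DocumentVersion("PP-INET", "Private policy: working with Internet resources", 2, "CISO", "2.0",
                        "executive director", date(2012, 5, 2), "obsolete"),
        DocumentVersion("PP-INET", "Private policy: working with Internet resources", 2, "CISO", "2.1",
                        "head of IT security", date(2013, 9, 15), "current"),
        DocumentVersion("PRC-INET-ACCESS", "Procedure for granting Internet access", 3, "IT security admin",
                        "1.3", "department head", date(2013, 11, 1), "current"),
        DocumentVersion("PRC-INET-ACCESS", "Procedure for granting Internet access", 3, "IT security admin",
                        "1.4", "department head", date(2014, 1, 20), "current"),
    ]


if __name__ == "__main__":
    for line in validate(build_sample_register(), date(2014, 3, 1)):
        print("FINDING:", line)
```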
    Evidence of the functioning of the ISMS should likewise be generated in the form of documents, in regular paper form or electronically. Such evidence includes requests and orders for granting access; log records of operating systems, DBMS and application programs; the output of intrusion prevention systems and reports on the results of penetration tests; acts of checking the configuration of workstations and servers, etc. This class of documents is designated in the Standard as “records”. The records management procedure must ensure their control and protection from modification, because under certain conditions they can become material for investigating an information security incident, and the quality of their storage determines whether they will be recognized as legitimate or, on the contrary, as untrustworthy. Records can also include the results of ISMS monitoring, investigations of information security incidents, reports on the operation of the ISMS, etc.
    Records management procedures should:
    - ensure clarity, simplicity, identifiability and retrievability of documentary evidence;
    - use controls that ensure identification, storage, protection of confidentiality and integrity, retrieval, determination of retention periods and destruction procedures.
    As an example, here is a small “vertical” fragment of the list of document types making up the ISMS documentation system, in this case for ensuring information security when accessing the Internet:

    First level
    > Organizational information security policy
    > Information security concept

    Second level
    > Private information security policy of the organization for working with Internet resources
    > Terms used in information security documents (glossary)

    Third level
    > Procedure for granting users access to Internet resources
    > Description of access profiles (sets of permissions and restrictions) for Internet resources
    > Diagram of the computer network connected to the Internet
    > Proxy server settings card
    > Firewall configuration card for the boundary between internal network segments and the demilitarized zone (DMZ)
    > Workstation setup card [for providing Internet access]
    > User reminder on how to use Internet resources
    > Description and qualification requirements of the functional role “Internet access systems administrator”
    > Job description of the employee performing the functional role “Internet access systems administrator”

    Fourth level
    > Application form for connecting a user to Internet resources
    > List of users connected to the Internet, with their access profiles
    > Proxy server log of user access to Internet resources
    > Intrusion detection system (IDS) log for the network segment located in the DMZ
    > Report on an intrusion into the DMZ detected by the IDS
    > Act of checking the firewall configuration


    The above list is far from exhaustive even for the chosen area and depends on the specific technologies and services received or provided by the organization using the Internet, as well as approaches to ensuring information security.
    Here are some general recommendations for creating ISMS documents.
    > As a separate document, a document called “Glossary” should be developed, common to at least the documents of the first two levels, used when developing documents and indicated in the documents as a link.
    > To standardize document forms, it is possible to indicate in appendices to high-level documents the forms of subordinate documents, especially those that are evidence of completion (reports, request forms, etc.). On the one hand, this somewhat complicates the procedure for the initial development of the document. On the other hand, if all related documents are developed as elements of a procedure, you have ready-to-use technology right away.
    > A common mistake when preparing high-level documents (policies and private policies, regulations, etc.) is to insert specific names, system names, etc. directly into the text of the documents. Accordingly, a change of contractor also leads to the launch of a long cycle of approval of a “new” version of the document. It is better to initially transfer such “variables” to applications, subordinate documents or records (fourth level documents).
    > When creating “practical” documents that describe the performance of a particular function, it is advisable to indicate not a position but a functional role, for example “anti-virus system administrator” or “backup system operator”, and to keep a register of the employees performing each role in a separate document. This extends the life cycle of the document, since it need not be corrected, and gives flexibility in its use: you can maintain a separate register of “competencies” and quickly replace performers if the need arises.
    > Each document must contain the identification of its owner (responsible employee), scope and terms of revision.
    > ISMS documents and records can exist in both “hard” (paper) and electronic form. To provide auditors or inspectors with copies of documents in electronic form, appropriate procedures must exist and the persons responsible for them must be identified.
    To the above, we can add that if the development of high-level documents (policies, regulations, etc.) can be entrusted to external consultants, then documents and records of lower levels should be generated and kept up to date by employees of the organization who are maximally involved in the process of functioning of the ISMS and its constituent procedures.
    In the next publication we will discuss the participation of the organization’s management in the information security management system.

    In the world of information technology, the issue of ensuring the integrity, reliability and confidentiality of information becomes a priority. Therefore, recognizing the need for an organization to have an information security management system (ISMS) is a strategic decision.

    The ISO 27001 Standard was developed for the creation, implementation, maintenance and continuous improvement of an ISMS in an enterprise. Through the use of this Standard, the organization’s ability to meet its own information security requirements also becomes apparent to external partners. This article discusses the main requirements of the Standard and its structure.

    Your business will reach a new level of quality if you obtain a legitimate ISO certificate with the help of experienced professionals.

    Main objectives of the ISO 27001 Standard

    Before moving on to describing the structure of the Standard, we will outline its main objectives and consider the history of the appearance of the Standard in Russia.

    Objectives of the Standard:

    • establishing uniform requirements for all organizations for the creation, implementation and improvement of an ISMS;
    • ensuring interaction between senior management and employees;
    • maintaining confidentiality, integrity and availability of information.

    Moreover, the requirements established by the Standard are general and are intended to be applied by any organizations, regardless of their type, size or nature.

    History of the Standard:

    • In 1995, the British Standards Institution (BSI) adopted the Information Security Management Code as a UK national standard and registered it as BS 7799 - Part 1.
    • In 1998, BSI published the BS 7799-2 standard, consisting of two parts, one containing a set of practical rules and the other the requirements for information security management systems.
    • During subsequent revisions, the first part was published as BS 7799:1999, Part 1. In 1999, this version of the standard was transferred to the International Certification Organization.
    • This document was approved in 2000 as the International Standard ISO/IEC 17799:2000 (BS 7799-1:2000). The latest version of this standard, adopted in 2005, is ISO/IEC 17799:2005.
    • In September 2002, the second part of BS 7799, Information Security Management System Specification, came into force. The second part of BS 7799 was revised in 2002, and at the end of 2005 it was adopted by ISO as the International Standard ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements.
    • In 2005, the ISO/IEC 17799 standard was included in the 27th series of standards and received a new number - ISO/IEC 27002:2005.
    • On September 25, 2013, the updated standard ISO/IEC 27001:2013 “Information Security Management Systems. Requirements” was published. Certification of organizations is currently carried out against this version of the Standard.

    Structure of the Standard

    One of the advantages of this Standard is the similarity of its structure with ISO 9001, as it contains identical subsection headings, identical text, common terms and basic definitions. This circumstance allows you to save time and money, since some of the documentation has already been developed during ISO 9001 certification.

    If we talk about the structure of the Standard, it is a list of requirements for an ISMS that are mandatory for certification and consists of the following sections:

    Main sections:

    0. Introduction
    1. Scope
    2. Normative references
    3. Terms and definitions
    4. Context of the organization
    5. Leadership
    6. Planning
    7. Support
    8. Operation
    9. Performance evaluation
    10. Improvement

    Appendix A:

    A.5 Information security policies
    A.6 Organization of information security
    A.7 Human resource (staff) security
    A.8 Asset management
    A.9 Access control
    A.10 Cryptography
    A.11 Physical and environmental security
    A.12 Operations security
    A.13 Communications security
    A.14 System acquisition, development and maintenance
    A.15 Supplier relationships
    A.16 Incident management
    A.17 Business continuity
    A.18 Compliance with legislation

    The requirements of “Appendix A” are mandatory, but the standard allows you to exclude areas that cannot be applied at the enterprise.

    When implementing the Standard at an enterprise for further certification, it is worth remembering that exceptions to the requirements established in sections 4 - 10 are not allowed. These sections will be discussed further.

    Let's start with Section 4 - Organizational Context

    Organization Context

    In this section, the Standard requires the organization to identify external and internal issues that are significant to its objectives and that affect the ability of its ISMS to achieve its intended results. In this case, it is necessary to take into account the legislative and regulatory requirements and contractual obligations regarding information security. The organization must also define and document the boundaries and applicability of the ISMS to establish its scope.

    Leadership

    Top management should demonstrate leadership and commitment to the information security management system by, for example, ensuring that the information security policy and information security objectives are established and consistent with the organization's strategy. Also, senior management must ensure that all necessary resources for the ISMS are provided. In other words, it should be obvious to employees that management is involved in information security issues.

    The information security policy must be documented and communicated to employees. This document is similar to the ISO 9001 quality policy. It must also be consistent with the purpose of the organization and include information security objectives. It will be good if these are real goals, such as maintaining confidentiality and integrity of information.

    Management is also expected to distribute functions and responsibilities related to information security among employees.

    Planning

    In this section we come to the first stage of the PDCA management principle (Plan - Do - Check - Act).

    When planning an information security management system, the organization should take into account the issues mentioned in Clause 4, and identify the risks and potential opportunities that need to be taken into account to ensure that the ISMS can achieve its intended results, prevent unwanted effects and achieve continuous improvement.

    When planning how to achieve its information security objectives, the organization must determine:

    • what will be done;
    • what resources will be required;
    • who will be responsible;
    • when the goals will be achieved;
    • how the results will be assessed.

    In addition, the organization must maintain information security objectives as documented information.

    Support

    The organization must identify and provide the resources necessary to develop, implement, maintain and continuously improve the ISMS; this includes both personnel and documentation. In terms of personnel, the organization is expected to select employees qualified and competent in the field of information security. Their qualifications must be confirmed by certificates, diplomas, etc. Third-party specialists may be engaged under contract, or the organization's own employees may be trained. As for documentation, it should include:

    • documented information required by the Standard;
    • documented information determined by the organization to be necessary to ensure the effectiveness of the information security management system.

    The documented information required by the ISMS and the Standard must be controlled to ensure that it:

    • is accessible and suitable for use where and when it is needed, and
    • is adequately protected (for example, against loss of confidentiality, misuse, or loss of integrity).

    Operation

    This section addresses the second stage of the PDCA cycle: the organization must manage the processes needed to meet its information security requirements and carry out the actions identified in the Planning section. It also states that the organization should perform information security risk assessments at planned intervals, or when significant changes are proposed or occur. The organization shall retain the results of the information security risk assessments as documented information.

    Performance evaluation

    The third stage is checking. The organization shall evaluate the operation and effectiveness of the ISMS. For example, it should conduct internal audits to obtain information on:

    1. whether the information security management system conforms to
      • the organization's own requirements for its information security management system;
      • the requirements of the Standard;
    2. whether the information security management system is effectively implemented and maintained.

    Of course, the scope and timing of audits should be planned in advance. All results must be documented and retained.

    Improvement

    The essence of this section is to determine the course of action when a nonconformity is identified. The organization needs to correct the nonconformity, deal with its consequences, and analyse the situation so that it does not recur. All nonconformities and corrective actions must be documented.

    This concludes the main sections of the Standard. Annex A provides more specific requirements that an organization must meet, for example in terms of access control and the use of mobile devices and storage media.

    Benefits of ISO 27001 implementation and certification

    • increasing the status of the organization and, accordingly, the trust of partners;
    • increasing the stability of the organization’s functioning;
    • increasing the level of protection against information security threats;
    • ensuring the necessary level of confidentiality of information of interested parties;
    • expanding the organization's participation in large contracts.

    Economic advantages are:

    • independent confirmation by the certification body that the organization has a high level of information security, controlled by competent personnel;
    • proof of compliance with applicable laws and regulations (compliance with the system of mandatory requirements);
    • demonstration of a certain high level of management systems to ensure the proper level of service to clients and partners of the organization;
    • demonstration of regular audits of management systems, performance evaluations and continual improvement.

    Certification

    An organization may be certified by accredited agencies to this standard. The certification process consists of three stages:

    • Stage 1 - examination by the auditor of the key ISMS documents for compliance with the requirements of the Standard; this can be carried out either on the organization's premises or by sending the documents to an external auditor;
    • Stage 2 - a detailed audit, including testing of the implemented measures and assessment of their effectiveness. It includes a full review of the documents required by the Standard;
    • Stage 3 - surveillance audits to confirm that the certified organization continues to meet the stated requirements. These are performed on a periodic basis.

    Bottom line

    As you can see, applying this standard at an enterprise makes it possible to raise the level of information security substantially, which is worth a lot in today's conditions. The standard contains many requirements, but the most important one is to actually do what is written! Without real application of its requirements, the standard turns into an empty pile of paper.