Information security management system. What is a modern information security management system


The adoption of the PDCA model also reflects the principles laid down in the OECD Guidelines for the Security of Information Systems and Networks. This standard offers a clear model for putting those principles into practice: assessing risks, designing and implementing an information security system, managing it and reassessing it.

1 A requirement might be that information security breaches must not lead to significant financial damage to the organization and/or to significant disruption of its activities.

2 An expected outcome might be that the organization has sufficiently well-trained staff to carry out the procedures that minimize the possible adverse consequences of a serious incident, such as an unauthorized intrusion (hacker attack) on the website through which the organization conducts electronic commerce.

  • Plan (establish the ISMS): establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with the organization's overall policies and objectives.
  • Do (implement and operate the ISMS): implement and operate the information security policy, controls, processes and procedures.
  • Check (monitor and review the ISMS): assess and, where applicable, measure process performance against the policy, security objectives and practical experience, and report the results to top management for review.
  • Act (maintain and improve the ISMS): take corrective and preventive actions based on the results of internal audit, management review or other relevant information, to achieve continual improvement of the ISMS.
Table 1

This standard is aligned with the standards "Quality management systems. Requirements" and "Environmental management systems. Requirements with guidance for use", in order to support consistent and integrated implementation and operation together with related management system standards. A single properly built management system in an organization can thus meet the requirements of all of these standards.

This standard is intended for use by organizations of any form of ownership (for example, commercial, state and non-profit organizations). It establishes requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system (ISMS) in the context of the organization's overall business risks. It also establishes requirements for implementing information security controls and monitoring them, which can be applied by organizations or their divisions in accordance with their established information security (IB) goals and objectives.

The purpose of building an ISMS is to select appropriate security controls that protect information assets and give confidence to interested parties.

Note - The term "business" is understood in this standard in a broad sense, as all of the activity that forms the basis for the organization's existence.

The requirements set out in this standard are intended for use by all organizations regardless of type, size and field of activity. Excluding any of the requirements specified in

Document: "Information technology. Security techniques. Information security management systems. Requirements. GOST R ISO/IEC 27001-2006" (approved by order of Rostechregulation of 27.12.2006 N 375-ST)
Document type: order, standard, GOST, ISO
Adopted by: Rostechregulation
Document number: ISO/IEC 27001-2006
Date of edition: 27.12.2006
Status: in force

"Information technology. Security techniques. Information security management systems. Requirements. GOST R ISO/IEC 27001-2006" (approved by order of Rostechregulation of 27.12.2006 N 375-ST)

8. Improving the information security management system

8.1. Continual improvement

The organization shall continually improve the effectiveness of the ISMS through the use of the IB policy, IB objectives, audit results, analysis of monitored events, corrective and preventive actions, and management review (see section 7).

8.2. Corrective actions

The organization shall take action to eliminate the causes of nonconformities with the ISMS requirements in order to prevent their recurrence. The documented corrective action procedure shall define requirements for:

a) identifying nonconformities;

b) determining the causes of nonconformities;

c) evaluating the need for action to ensure that nonconformities do not recur;

d) determining and implementing the corrective action needed;

e) recording the results of the action taken (see 4.3.3);

f) reviewing the corrective action taken.

8.3. Preventive actions

The organization shall determine the action needed to eliminate the causes of potential nonconformities with the ISMS requirements in order to prevent their occurrence. The preventive actions taken shall be appropriate to the impact of the potential problems. The documented preventive action procedure shall define requirements for:

a) identifying potential nonconformities and their causes;

b) evaluating the need for action to prevent the occurrence of nonconformities;

c) determining and implementing the preventive action needed;

d) recording the results of the action taken (see 4.3.3);

e) reviewing the preventive action taken.

The organization shall identify changed risks and define the requirements for preventive action, paying particular attention to significantly changed quantitative risk indicators.

The priority of preventive actions shall be determined based on the results of the risk assessment.

Note - Action to prevent nonconformities is usually more cost-effective than corrective action.

In the world of information technology, ensuring the integrity, reliability and confidentiality of information has become a priority. Recognizing the need for an information security management system (ISMS) is therefore a strategic decision.

The standard was developed for establishing, implementing, maintaining and continually improving an ISMS in an enterprise. Applying it also makes the organization's ability to meet its own information security requirements evident to external partners. This article covers the basic requirements of the standard and discusses its structure.


The main tasks of the ISO 27001 standard

Before moving on to the structure of the standard, we will discuss its main tasks and look at the history of its emergence in Russia.

Tasks of the Standard:

  • establishing uniform requirements for all organizations for establishing, implementing and improving an ISMS;
  • ensuring interaction between top management and employees;
  • preserving the confidentiality, integrity and availability of information.

At the same time, the requirements set by the standard are generic and intended to be applicable to all organizations, regardless of type, size or nature.

Standard History:

  • In 1995 the British Standards Institution (BSI) adopted the Code of Practice for Information Security Management as a British national standard and registered it under the number BS 7799 Part 1.
  • In 1998 BSI published the BS 7799-2 standard, consisting of two parts: one contained a set of practical rules, the other the requirements for information security management systems.
  • In the course of subsequent revisions the first part was published as BS 7799:1999, Part 1. In 1999 this version of the standard was handed over to the international certification organization.
  • This document was approved in 2000 as the international standard ISO/IEC 17799:2000 (BS 7799-1:2000). The latest version of this standard, adopted in 2005, is ISO/IEC 17799:2005.
  • In September 2002 the second part of BS 7799, "Information security management systems. Specification", came into force. The second part of BS 7799 was revised in 2002 and at the end of 2005 was adopted by ISO as the international standard ISO/IEC 27001:2005 "Information technology. Security techniques. Information security management systems. Requirements".
  • In 2005 the ISO/IEC 17799 standard was included in the 27000 series and received the new number ISO/IEC 27002:2005.
  • On 25 September 2013 an updated ISO/IEC 27001 standard, "Information security management systems. Requirements", was published. Organizations are currently certified against this version of the standard.

Standard Structure

One advantage of this standard is that its structure is similar to that of ISO 9001: the subsection headings, much of the text, the general terms and the basic definitions are identical. This saves time and money, since part of the documentation has already been developed during ISO 9001 certification.

As for the structure of the standard, the list of ISMS requirements that are mandatory for certification consists of the following sections:

Main sections:
  • 0. Introduction
  • 1. Scope
  • 2. Normative references
  • 3. Terms and definitions
  • 4. Context of the organization
  • 5. Leadership
  • 6. Planning
  • 7. Support
  • 8. Operation
  • 9. Performance evaluation (measurement)
  • 10. Improvement

Annex A:
  • A.5 Information security policies
  • A.6 Organization of information security
  • A.7 Human resource (personnel) security
  • A.8 Asset management
  • A.9 Access control
  • A.10 Cryptography
  • A.11 Physical and environmental security
  • A.12 Operations security
  • A.13 Communications security
  • A.14 System acquisition, development and maintenance
  • A.15 Supplier relationships
  • A.16 Information security incident management
  • A.17 Business continuity
  • A.18 Compliance with legislation

The requirements of Annex A are mandatory, but the standard allows areas that cannot be applied to the enterprise to be excluded.

When implementing the standard in an enterprise with a view to subsequent certification, bear in mind that exclusions of the requirements set out in sections 4-10 are not allowed. These sections are discussed below.

Let's start with section 4, the context of the organization.

Context of the organization

In this section the standard requires the organization to identify the external and internal issues that are relevant to its purpose and that affect the ability of its ISMS to achieve the intended outcomes. Legislative and regulatory requirements and contractual obligations regarding information security must be taken into account. The organization must also determine and document the boundaries and applicability of the ISMS to establish its scope.

Leadership

Top management must demonstrate leadership and commitment with respect to the information security management system, for example by ensuring that the information security policy and information security objectives are established and are compatible with the organization's strategy. Top management must also ensure that all the resources needed for the ISMS are provided. In other words, management's involvement in information security must be apparent to employees.

The information security policy must be documented and communicated to employees. This document resembles the ISO 9001 quality policy. It must be appropriate to the purpose of the organization and include information security objectives. Ideally these are concrete goals, such as preserving the confidentiality and integrity of information.

Management is also expected to assign information security functions and responsibilities among employees.

Planning

In this section we come to the first stage of the PDCA management cycle (Plan - Do - Check - Act).

When planning the information security management system, the organization must consider the issues referred to in section 4 and determine the risks and opportunities that need to be addressed to ensure that the ISMS can achieve its intended outcomes, prevent undesired effects and achieve continual improvement.

When planning how to achieve its information security objectives, the organization must determine:

  • what will be done;
  • what resources will be required;
  • who will be responsible;
  • when goals will be achieved;
  • how results will be evaluated.

In addition, the organization must retain the information security objectives as documented information.

Support

The organization must determine and provide the resources needed for establishing, implementing, maintaining and continually improving the ISMS; this includes both staff and documentation. As regards personnel, the organization is expected to select qualified and competent information security staff. Their qualifications must be confirmed by certificates, diplomas, etc. Third-party specialists may be engaged under contract, or the organization's own employees may be trained. As for the documentation, it must include:

  • documented information required by the standard;
  • documented information recognized by the Organization necessary to ensure the effectiveness of the information security management system.

Documented information required by the ISMS and by the standard must be controlled to ensure that it is:

  • available and suitable for use where and when it is necessary and
  • properly protected (for example, from loss of confidentiality, improper use or loss of integrity).

Operation

This section corresponds to the second stage of the PDCA cycle: the organization must plan, implement and control the processes needed to meet the requirements and carry out the actions defined in the Planning section. The organization must also perform information security risk assessments at planned intervals or when significant changes are proposed or occur, and must retain the results of the risk assessments as documented information.

Performance evaluation

Third stage: Check. The organization must evaluate the performance and effectiveness of the ISMS. For example, internal audits must be conducted to obtain information on whether:

  1. the information security management system conforms to
    • the organization's own requirements for its information security management system;
    • the requirements of the standard;
  2. the information security management system is effectively implemented and maintained.

Of course, the scope and timing of audits must be planned in advance. All results must be documented and retained.

Improvement

The essence of this section is to define the procedure to follow when nonconformities are identified. The organization must correct the nonconformity, deal with its consequences and analyze the situation so that it does not recur. All nonconformities and corrective actions must be documented.

This concludes the main sections of the standard. Annex A sets out more specific requirements with which the organization must comply, for example regarding access control and the use of mobile devices and media.

Benefits from ISO 27001 Implementation and Certification

  • raising the status of the organization and, accordingly, the confidence of partners;
  • improving the stability of the organization's operations;
  • increased protection against information security threats;
  • ensuring the required level of confidentiality of stakeholders' information;
  • expanding the organization's opportunities to participate in large contracts.

The economic advantages are:

  • independent confirmation by a certification body that the organization maintains a high level of information security overseen by competent personnel;
  • proof of compliance with applicable laws and regulations (implementation of a system of mandatory requirements);
  • demonstration of a high level of management that ensures the proper level of service to the organization's customers and partners;
  • demonstration of regular audits of the management system, performance evaluation and continual improvement.

Certification

The organization can be certified against this standard by accredited bodies. The certification process consists of three stages:

  • Stage 1: the auditor examines the key ISMS documents for compliance with the requirements of the standard. It can be carried out either on the organization's premises or by sending the documents to the external auditor;
  • Stage 2: a detailed audit, including testing of the implemented controls and evaluation of their effectiveness. It includes a full examination of the documents required by the standard;
  • Stage 3: surveillance audits, carried out periodically to confirm that the certified organization continues to meet the stated requirements.

Outcome

As you can see, applying this standard in an enterprise allows the level of information security to be substantially raised, which is worth a great deal in today's conditions. The standard contains many requirements, but the most important one is to do what is written! Without real application of its requirements, the standard turns into an empty pile of paper.


Posted by http://www.allbest.ru/

"Information security management system"

Introduction

An information security management system is a set of processes operating in a company to ensure the confidentiality, integrity and availability of its information assets. The first part of this abstract examines the process of implementing the management system in an organization, as well as the main aspects of the benefit of implementing an information security management system.

Fig.1. Control cycle

The list of processes, and recommendations on how best to organize their operation, are given in the international standard ISO 27001:2005, which is based on the Plan-Do-Check-Act management cycle. According to it, the ISMS life cycle consists of four types of activities: establishment; implementation and operation; monitoring and review; maintenance and improvement (Fig. 1). This standard is discussed in more detail in the second part.

Information security management system

An information security management system (ISMS) is the part of the overall management system, based on a business risk approach, that establishes, implements, operates, monitors, reviews, maintains and improves information security. ISMS processes are established in accordance with the requirements of ISO/IEC 27001:2005, which is based on the PDCA cycle.

The operation of the system is based on the approaches of modern risk management theory, which ensures its integration into the organization's overall risk management system.

Implementing an information security management system involves developing and implementing a procedure aimed at the systematic identification, analysis and mitigation of information security risks, that is, risks whose realization causes information assets (information in any form and of any nature) to lose confidentiality, integrity or availability.

To ensure the systematic mitigation of information security risks, the following processes are implemented in the organization on the basis of the risk assessment results:

· Management of the internal organization of information security.

· Ensuring information security when interacting with third parties.

· Management of information asset registry and rules for their classification.

· Equipment security management.

· Ensuring physical security.

· Ensuring information security with regard to personnel.

· Planning and adoption of information systems.

· Backup.

· Ensuring network security.

ISMS processes affect all aspects of managing the organization's IT infrastructure, since information security is the result of the sustained functioning of processes related to information technology.

When building an ISMS in a company, specialists carry out the following work:

· Organize project management and form a project team from the customer's and the contractor's staff;

· Determine the scope (area of activity, OD) of the ISMS;

· Survey the organization within the ISMS scope:

o in terms of the organization's business processes, including analysis of the negative consequences of IB incidents;

o in terms of the organization's management processes, including existing quality management and IT management processes;

o in terms of the IT infrastructure;

o in terms of the IB infrastructure.

· Develop and agree an analytical report containing a list of the main business processes and an assessment of the consequences of IB threats being realized against them, a list of management processes, IT systems and information security subsystems (PIB), an assessment of how fully the organization meets all ISO 27001 requirements, and an evaluation of the maturity of the organization's processes;

· Select the initial and target maturity levels of the ISMS, develop and approve the ISMS maturity improvement program; develop high-level IB documentation:

o the IB concept,

o the IB and ISMS policies;

· Select and adapt a risk assessment methodology applicable to the organization;

· Select, deliver and deploy software used to automate ISMS processes, and organize training for the company's specialists;

· Perform risk assessment and treatment, during which the controls of Annex A of the 27001 standard are selected to reduce the risks and the requirements for implementing them in the organization are drafted;

· Develop draft designs of the PIB and estimate the cost of risk treatment;

· Organize approval of the risk assessment by the organization's top management and develop the statement of applicability; develop organizational measures for providing IB;

· Develop and implement technical projects for the technical information security subsystems that support the selected controls, including the supply of equipment, commissioning, development of operational documentation and user training;

· Provide consulting during operation of the built ISMS;

· Organize training of internal auditors and conduct internal audits of the ISMS.

The result of this work is a functioning ISMS. The benefit of implementing an ISMS in a company is achieved through:

· Effective management of compliance with legal and business requirements in the field of IB;

· Preventing IB incidents and reducing the damage when they do occur;

· Raising the IB culture in the organization;

· Raising maturity in IB management;

· Optimizing the funds spent on providing IB.

ISO/IEC 27001, the international information security standard

This standard was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It contains information security requirements for establishing, developing and maintaining an ISMS. ISO 27001 sets requirements for an ISMS in order to demonstrate the organization's ability to protect its information resources. The international standard uses the concept of "information protection", interpreted as ensuring the confidentiality, integrity and availability of information. The basis of the standard is a system for managing information-related risks. The standard can also be used to assess compliance by interested internal and external parties.

For establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system (ISMS), the standard adopts a process approach. This means applying a system of processes within the organization, together with identifying these processes and their interactions, and managing them.

The international standard adopts the Plan-Do-Check-Act (PDCA) model, also known as the Shewhart-Deming cycle. This cycle is used to structure all ISMS processes. Figure 2 shows how the ISMS takes the information security requirements and expectations of interested parties as input and, through the necessary actions and processes, produces information security outcomes that meet those requirements and expectations.

Plan is the phase of establishing the ISMS: compiling the asset inventory, assessing risks and selecting controls.

Figure 2. PDCA model applied to ISMS processes

Do is the stage of implementing and operating the selected controls.

Check is the phase of evaluating the effectiveness and performance of the ISMS. It is usually performed by internal auditors.

Act is the performance of preventive and corrective actions.

Conclusions

ISO 27001 describes a general model for implementing and operating an ISMS, as well as the actions for monitoring and improving it. ISO intends to harmonize the various management system standards, such as ISO/IEC 9001:2000, which covers quality management, and ISO/IEC 14001:2004, intended for environmental management systems. ISO's goal is to ensure the consistency and integration of the ISMS with the company's other management systems. The similarity of the standards makes it possible to use similar tools and functionality for implementation, control, review, audit and certification. It is understood that if the company has implemented other management standards, it can use a unified audit and management system applicable to quality management, environmental management, security management, and so on. By implementing an ISMS, top management obtains security monitoring and management tools, which reduces residual business risks. After implementing an ISMS, the company can formally assure the security of its information and continue to meet the requirements of customers, legislation, regulators and shareholders.

It is worth noting that Russian legislation includes the document GOST R ISO/IEC 27001-2006, which is a translated version of the international standard ISO 27001.


Posted on Allbest.ru.


September 12th, 2011

IB Management according to ISO 27001. Documenting Requirements
Happiness exists. Information security can be built on the basis of the ISO 27001 standard. Mikhail Vinnikov, deputy head of methodological work in the "Audit of Information Systems" area of the Audit and Consulting Services Department for Financial Institutions at FBK, explains how:

Today I will talk about a process that seems unrelated to information security and closer to document management, but which in fact is important and saves a great deal of time and nerves: what requirements are placed on documenting information security processes, or, put differently, how to describe the ISMS correctly and with minimum effort, and how to keep those descriptions up to date. Naturally, with a focus on ISO 27001.

A level of information security (hereinafter IS) adequate to the organization's needs requires a clear statement of the basic rules, principles and tasks; their translation into repeatable and controllable protective measures; the execution of those measures in practice by the organization's staff; and operational feedback on the current situation so that managers can take the appropriate actions.
The best way to achieve this is to put the ideas, practical considerations and results of IS activity into documentary form. This allows, first, the structure of the rules and of the practical actions that implement them to be defined, and second, the IS requirements to be brought to each employee at the appropriate level of the business process, so that they can be guided by them when performing their duties, together with the procedure for monitoring compliance.
On this basis we obtain a new "branch" in the scheme of the information security management system (ISMS) according to ISO 27001 (hereinafter the standard):

"ISMS" - "develops" - "Documentation requirements".

The codes in the names of the tasks, as already mentioned at the beginning of this series, indicate the section number of the ISO 27001 standard.
How should the system of documentary support for the ISMS be organized?
Each type of document can additionally be characterized by the following attributes, which affect its life cycle:
- whom it is intended for (who will read it);
- who coordinates and approves it;
- how often it may change.
On the other hand, documents can be formally divided into prescriptive (reference) documents and operational ones (recording what was actually done). In the terminology of the standard these are, respectively, documents and records.
According to the standard, the ISMS documentation should include:
- documented statements of the ISMS policy and objectives, the scope of the ISMS, and the IS policy;
- the procedures and controls used by the ISMS;
- the IS risk assessment methodology;
- the results of risk assessment and the risk treatment plan;
- procedures for evaluating the results of ISMS operation;
- evidence of ISMS operation.
In what form should this information be presented?
When developing the system of documents supporting the ISMS, a conflict arises between the cost (in resources) of initially creating the documents and that of subsequently keeping them up to date. On the one hand, there is a desire to have as few types (nomenclature) of documents, and as few documents themselves, as possible: they are easier to manage, the whole package can be prepared faster, and so on. On the other hand, if the ISMS "lives" and develops all the time, the documents need to be adjusted and refined periodically, and during some periods of development quite often. If IS documents are included in the organization's general "bureaucratic" cycle of development, coordination and approval, then the higher the level at which documents are coordinated and approved, the longer the cycle for bringing new versions into force, and the harder it is to keep them current.
Suppose the organization has developed an information security policy that includes provisions on the rules of conduct in particular areas of IS (called private IS policies). Since all employees must be familiar with the IS policy, an attempt was made to keep the document short and not too detailed, so the private policies were described briefly, in the form of theses.
What was the result?
The document still turned out to be heavy: more than a dozen pages, which is a lot. The resulting private policies, being unspecific, explain practically nothing, so they cannot be applied. The document is hard to maintain: to make and approve an adjustment to, say, the section on safe use of the Internet after deciding to deploy an intrusion detection system (IDS), one has to wait for the next meeting of the board of directors, and so on. In other words, the document turned out to be unworkable.
The IS policy should be easy to understand and should ideally fit on one or two pages, because as a strategic document it is approved at the highest level of the management hierarchy, and every employee of the organization must read it. Separating the general policy and the private policies into individual documents makes it possible to refine, extend and adjust the private policies more efficiently: approval of the relevant document will be significantly faster, and the general IS policy remains unchanged.
The same thing happens if a private policy describes the use of a particular technology or system, or its configuration. A change of system or a reconfiguration then entails changing a document signed at director level. That is wrong. It is easier to move such details into subordinate documents (third and fourth level), leaving in the private policy only the format and the list of information that must be reported to management.
I hope I have convinced you that the IS document system should be built as a hierarchy, with the highest-level documents as general and abstract as possible and "concreteness" increasing as the documents approach the practical side.
What do the standards recommend?
The ISO/IEC 13335-1 standard provides four levels of information security policies (rules):
- corporate security policy;
- information security policy;
- corporate ICT (information and communication technology) security policy;
- security policy of an [individual] ICT system.
The Bank of Russia recommendations for standardization RS BR IBBS-2.0-2007 offer the following interpretation of the provisions of the standard mentioned above:

Which documents can be assigned to each of the levels?

Document level: types of documents
First level: ISMS policy, information security policy, information security concept.
Second level: private information security policies (physical security, access control, use of the Internet and e-mail, IS in technological processes, etc.).
Third level: instructions, regulations, orders, manuals, methodological guides and training programs, configuration requirements, etc.
Fourth level: entries in the logs of operating systems, DBMSs and information systems; registers of information assets; access requests and records of access granted; entries in IS training and briefing journals; test reports; acts; confidentiality (non-disclosure) undertakings, etc.

Documents at different levels of the hierarchy have life cycles of different duration.

Document level: how often it changes
First level: rarely (changes at the strategic level).
Second level: infrequently (when tactical decisions change).
Third level: as needed.
Fourth level: continuously.


High-level documents must be as general and abstract as possible and should change only with strategic-level changes: a change in business strategy, adoption of new standards, a fundamental change of the information system, etc. Documents lower in the hierarchy (third level) may change significantly more often: with the introduction of new products or IS technologies, the creation of additional training courses, the development of a backup scheme, and so on. At the fourth level, records are generated continuously, and over time their format will most likely be refined.

Documents at different levels of the hierarchy require approval at different levels of management.

High-level documents, the ISMS policy and the IS policy, which define the strategic approaches to IS, are approved at the level of the owners or the board of directors.
Private policies defining the IS rules in individual areas may be approved at the level of the executive director or the head of the relevant function, but must be coordinated widely with the divisions that these areas of activity affect.
Regulations, instructions and other practical documents are the working documents of the units that operate the IS infrastructure: they create, correct and change them. In some cases third-level documents may require approval at the level of the organization's management (for example, regulations on divisions).
Evidence of ISMS operation is, where required, authenticated by the signature of the person who performed the action.
In order not to get lost among versions, all of this seething mass of documents must be managed and properly distributed to the employees for whom it is intended.
The document management procedure should provide for:
- approval of documents at the appropriate level of the organization's management structure;
- revision and updating of documents as necessary;
- identification of changes made and of the current version status of documents;
- availability of current versions of documents at the points of use;
- a procedure for identifying documents and granting access to them;
- access to documents by authorized persons only, and handling over their life cycle (transmission, storage and destruction) in accordance with their confidentiality classification;
- identification of documents of external origin;
- control over the distribution of documents;
- prevention of the use of obsolete documents;
- suitable identification of obsolete documents where they are retained for any purpose.
It is advisable to describe the procedure for managing IS documents in a separate document that includes, among other things, the list and purpose of all documents, the revision period and/or trigger, who owns each document, who coordinates and who approves it, whom each type of document is intended for, and so on.
All rules for creating, changing, coordinating and approving documents must conform to the document management rules adopted in the organization.
Note that the document revision procedure does not necessarily imply changing the documents. For some types of documents it is useful to provide for confirmation of their currency, carried out at long but regular intervals. From the Bank of Russia recommendation of a three-year period for self-assessment or audit of compliance with the STO BR IBBS-1.0 standard, it can be assumed that the same period can be considered reasonable for the revision/confirmation of IS policies (in the sense of no less often than that). For other documents the revision procedure may well need to be carried out somewhat more often.
Evidence of ISMS operation should also take the form of documents, existing on ordinary paper or electronically. Such evidence includes access requests and records of access granted, log entries of operating systems, DBMSs and application programs, the output of intrusion prevention systems and penetration test reports, acts of checking the configuration of workstations and servers, and so on. In the standard this class of documents is called "records". The records management procedure must ensure their control and protection against modification, because under certain conditions they may become material for the investigation of IS incidents, and the quality of their storage determines whether that material is recognized as legitimate or, on the contrary, as untrustworthy. The results of ISMS monitoring, IS incident investigations, reports on the results of ISMS operation, etc. also belong here.
The management procedures should:
- ensure the clarity, simplicity, identifiability and retrievability of documentary evidence;
- apply controls for identification, storage, confidentiality and integrity protection, retrieval, retention period and destruction.
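The integrity requirement for records above is easiest to see in code. The following Python example is added here; it is not from the article, the standard or any product. It keeps fourth-level records (constructed samples: an access request, a proxy log line, an IDS alert, a firewall configuration check) in an append-only chain in which every entry carries an HMAC over its sequence number, the previous entry's tag and its own content. The custodian key, the record layout and the checkpoint scheme are assumptions for the example; the point is that editing or deleting an entry is detected by a later verification, while silently truncating the tail is not, unless the latest tag is also stored somewhere the log store cannot reach.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Hypothetical custodian key. In practice it lives in an HSM or a secrets store
# and is not available to the administrators whose actions the records describe.
CUSTODIAN_KEY = b"example-custodian-key-do-not-use"
GENESIS = "0" * 64  # "previous tag" of the very first entry


def _canonical(obj: dict) -> bytes:
    # Canonical JSON so that identical content always yields identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, seq: int, prev: str, record: dict) -> str:
    # Bind the record to its position (seq) and to the entry before it (prev).
    body = {"seq": seq, "prev": prev, "record": record}
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


def append_record(chain: List[dict], record: dict, key: bytes = CUSTODIAN_KEY) -> dict:
    """Append a record as a new, tagged entry at the end of the chain."""
    seq = len(chain)
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record,
             "mac": _mac(key, seq, prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], key: bytes = CUSTODIAN_KEY) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _mac(key, entry["seq"], entry["prev"], entry["record"])
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(expected, entry["mac"])):
            return i
        prev = entry["mac"]
    return None


def verify_against_anchor(chain: List[dict], anchor_len: int, anchor_mac: str) -> bool:
    """Detect truncation using a checkpoint (length, last tag) kept outside the log store."""
    if verify_chain(chain) is not None or len(chain) < anchor_len:
        return False
    return hmac.compare_digest(chain[anchor_len - 1]["mac"], anchor_mac)


def build_sample_chain() -> List[dict]:
    """Constructed fourth-level records for the Internet-access slice (sample data)."""
    chain: List[dict] = []
    for record in (
        {"type": "access_request", "user": "jdoe", "profile": "standard",
         "approved_by": "role:Administrator of Internet access systems"},
        {"type": "proxy_log", "ts": "2011-09-12T10:15:02Z", "user": "jdoe",
         "url": "http://example.com/", "status": 200},
        {"type": "ids_alert", "ts": "2011-09-12T10:17:44Z", "segment": "DMZ",
         "signature": "example-signature", "src": "203.0.113.7"},
        {"type": "fw_config_check", "ts": "2011-09-12T18:00:00Z",
         "result": "compliant", "performed_by": "role:Firewall administrator"},
    ):
        append_record(chain, record)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain) is None)
    chain[1]["record"]["user"] = "mallory"  # an after-the-fact edit
    print("first bad entry after edit:", verify_chain(chain))
```

The checkpoint stored by `verify_against_anchor` is what turns "protection against modification" into something an investigator can rely on: the length and last tag can be written into the daily monitoring report or signed by the records custodian, so that neither rewriting nor shortening the log store goes unnoticed.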
As an example, here is a small "vertical" slice of the list of document types making up the IS documentation system, in this case for ensuring IS when accessing the Internet:

First level
> Information security policy of the organization
> Information security concept

Second level
> Private information security policy of the organization for working with Internet resources
> Terms used in IS documents (glossary)

Third level
> Procedure for granting users access to Internet resources
> Description of access profiles (sets of permissions and prohibitions) for Internet resources
> Diagram of the computer network segment connected to the Internet
> Proxy server configuration card
> Configuration card of the firewall between the internal network segments and the demilitarized zone (DMZ)
> Workstation configuration card [for providing Internet access]
> User memo on the procedure for using network resources
> Description of and qualification requirements for the functional role "Administrator of Internet access systems"
> Job description of the employee performing the functional role "Administrator of Internet access systems"

Fourth level
> Request/work order for connecting a user to Internet resources
> List of users connected to the Internet, indicating the access profile
> Proxy server log of access to Internet resources
> Intrusion detection system (IDS) log for the network segment located in the DMZ
> Report on an intrusion into the DMZ detected by the IDS
> Act of checking the firewall configuration

The list is far from exhaustive even for the chosen area, and depends on the specific technologies and services the organization obtains or provides via the Internet, as well as on its approaches to ensuring information security.
Here are a few general recommendations for creating ISMS documents.
> A "Glossary" should be developed as a separate document, common at least to the documents of the first two levels; use it when developing documents and reference it in them.
> To standardize document forms, the forms of subordinate documents can be specified in the high-level documents, especially for those that serve as evidence of execution (reports, request forms, etc.). On the one hand, this somewhat complicates the initial development of the document. On the other hand, if all related documents are developed as elements of one procedure, you immediately get a ready-to-use technology.
> A typical mistake when preparing high-level documents (policies and private policies, regulations, etc.) is to put specific surnames, system names and the like directly into the text. A change of the person responsible then triggers the long approval cycle of a "new" version of the document. Such "variables" are better moved from the outset into appendices, subordinate documents or records (fourth-level documents).
> When creating "practical" documents, when describing who performs a particular function it is advisable to indicate not a position but a functional role, such as "anti-virus system administrator" or "backup system operator", and to keep a register of the employees performing each role in a separate document. This extends the life cycle of the document, which then needs no correction, and makes it more flexible to apply: you can keep a separate register of "competencies" and promptly substitute performers when the need arises.
> Every document must carry an indication of its owner (the responsible employee), its scope and its revision.
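The last three recommendations (no "variables" in high-level documents, functional roles instead of names, and owner/scope/revision on every document) can be checked mechanically before a document goes into the approval cycle. The Python below is an added example, not from the article or any organization's toolset; the document model, the regular expressions for addresses, hostnames and product versions, and the sample role register and policy texts are all constructed for illustration. It flags specifics in first- and second-level documents and the appearance of a registered person's name in place of their role in any document up to the third level.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Document:
    title: str
    level: int      # 1..4 in the hierarchy described above
    owner: str      # responsible employee (may itself be a role)
    scope: str
    revision: str
    body: str


# Patterns that usually mean a "variable" has leaked into a strategic document.
# Hypothetical choices for this example; tune them to your own documents.
SPECIFIC_PATTERNS = {
    "ip address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "hostname": re.compile(r"\b[a-z0-9-]+\.(?:[a-z0-9-]+\.)*[a-z]{2,}\b", re.I),
    "product version": re.compile(r"\b(?:v|version\s*)\d+\.\d+(?:\.\d+)*\b", re.I),
    "e-mail address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def check_document(doc: Document, role_register: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the document passes."""
    findings: List[str] = []
    # Every document must carry its owner, scope and revision.
    for attr in ("owner", "scope", "revision"):
        if not getattr(doc, attr).strip():
            findings.append(f"missing {attr}")
    # Levels 1 and 2 are strategic/tactical: no addresses, hosts or versions.
    if doc.level <= 2:
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for hit in pattern.findall(doc.body):
                findings.append(f"{kind} in level-{doc.level} document: {hit}")
    # Levels 1 to 3 should name functional roles, not the people filling them.
    if doc.level <= 3:
        for role, person in role_register.items():
            if person in doc.body:
                findings.append(f"person named instead of role '{role}': {person}")
    return findings


# Constructed sample register and documents (not from any real organization).
ROLE_REGISTER = {
    "Administrator of Internet access systems": "I. I. Ivanov",
    "Anti-virus system administrator": "P. P. Petrov",
}

BAD_POLICY = Document(
    title="Private IS policy: working with Internet resources",
    level=2, owner="Head of IS department", scope="All employees", revision="",
    body=("All Internet access passes through the proxy server proxy.corp.example "
          "(10.0.0.5) running Squid version 3.5. Access profiles are assigned by "
          "I. I. Ivanov on written request."),
)

GOOD_POLICY = Document(
    title="Private IS policy: working with Internet resources",
    level=2, owner="Head of IS department", scope="All employees", revision="1.1",
    body=("All Internet access passes through a proxy server whose configuration "
          "is described in the proxy configuration card. Access profiles are "
          "assigned by the Administrator of Internet access systems on written request."),
)

PROXY_CARD = Document(
    title="Proxy server configuration card",
    level=3, owner="Administrator of Internet access systems",
    scope="DMZ proxy", revision="7",
    body="Host proxy.corp.example, 10.0.0.5, Squid version 3.5, ...",
)

if __name__ == "__main__":
    for doc in (BAD_POLICY, GOOD_POLICY, PROXY_CARD):
        print(doc.title, "->", check_document(doc, ROLE_REGISTER) or "OK")
```

The same hostname and address that are findings in the second-level policy are correct content in the third-level configuration card, which is exactly the division of "variables" between levels that the recommendations describe.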
ISMS documents and records can exist both in "hard" (paper) and in electronic form. Appropriate procedures should exist, with responsible performers defined, for providing auditors or inspectors with copies of documents held in electronic form.
To the above one can add that while the development of high-level documents (policies, regulations, etc.) can be entrusted to external consultants, documents and records of the lower levels should be produced and kept up to date by the organization's own employees, those most involved in operating the ISMS and its constituent procedures.
In the next publication we will discuss the participation of the organization's management in the information security management system.