Information security (IS) is the protection and preservation of information resources from accidental, malicious or extraordinary internal and external influences and disruptions, in order to ensure business continuity, minimize business risk, maximize return on investment and create business opportunities. Information security is achieved through strict compliance with the requirements and principles set forth in this Policy.
General provisions
This document defines:
- objectives of the IS system;
- objects of protection;
- the main classes and sources of IS threats;
- risks and financial losses from them;
- main measures and approaches to creation of IS system;
This Policy serves as the basis for:
- creation of a unified system of legal, organizational, technical, regime and other security measures;
- development of programs and activities to ensure information security.
Purpose of information security policy:
- An information security policy is a systematic set of rules, requirements and instructions in the field of information security that governs the organization's activities in this area.
- Information security policies regulate the effective operation of information protection means. They cover all aspects of information processing, defining the behavior of information systems and their users in various situations.
Scope:
- The provisions of this Policy apply to all information resources and services.
- This Policy applies to all information, regardless of the type of media on which it is recorded.
- The provisions of this Policy are applicable for use in internal regulatory and methodological documents and in contracts.
- The scope of specific (detailed) information security policies is defined in those policies themselves.
Terms and definitions
This normative document uses the following terms with the definitions given here:
Confidentiality of information is a characteristic (property) subjectively assigned to information, indicating the need to restrict the circle of subjects having access to it, and ensured by the ability of the system (environment) to keep that information secret from subjects not entitled to access it.
Integrity of information is the property of information of existing in an undistorted form (unchanged relative to some fixed state): its relevance and consistency, and its protection from destruction and unauthorized change.
Availability of information is the property of the system in which the information circulates (the means and technology of its processing) of being able to provide timely, unhindered access to the information to the subjects entitled to it.
Information security objectives
The main objectives of ensuring IS are:
- ensuring the confidentiality of critical information resources to ensure the continuity of business processes (operations) that form the basis of activities;
- ensuring integrity of information resources to maintain the ability to provide quality services and make effective management decisions;
- ensuring the necessary availability and continuity of access to information resources to support business activities;
- preventing disclosure and leakage of confidential information;
- prevention of unauthorized access to sources of confidential information;
- prevention of threats and/or minimization of damage from information security threats to permissible values;
- ensuring compliance with IS legislative requirements;
- achievement of adequacy of protection measures to actual IS threats;
- raising user awareness of information security issues;
- defining the degree of responsibility and obligations of employees to ensure information security;
- meeting the expectations of partners;
- improvement of business reputation and culture.
Objects of security
The objects subject to protection are:
- information (information assets/resources) that is confidential, a trade secret, or sensitive to accidental and unauthorized influences and to violations of its security, as well as any internal information necessary for carrying out the company's activities, regardless of the form and type of its presentation;
- software: application software, system software, service software and any other software, regardless of how it was obtained (purchased, proprietary, freely distributed);
- physical assets: hardware;
- service assets: computing and communication services.
Main classes of threats
IS threats are defined as potential adverse effects on protected information that include:
- Inaccessibility of information as a result of its blocking, hardware or software failure, disruption of the operating systems of workstations, servers, routers, database management systems or distributed computing networks, viruses, natural disasters and other force majeure circumstances.
- Loss of information constituting trade secrets or other protected information, as well as distortion (unauthorized modification, forgery) of such information.
- Leakage: unauthorized familiarization with protected information by unauthorized persons (unauthorized access, copying, theft, etc.), as well as leakage of information via communication channels and due to electromagnetic emissions.
Sources of IS threats are divided into:
- internal, caused by the actions of employees and authorized users of the information system: access to and theft of confidential information, intentional distortion or destruction of information in the system, manipulations that lead to distortion or failure of the system, non-compliance with the basic rules of safe work with e-mail and active content on web pages, data distortion due to careless actions, etc.;
- external, caused by external influences: network attacks and unauthorized intrusion into computer networks, viruses and worms arriving via e-mail and web pages, spam, interception of unencrypted traffic, etc.;
- natural, technical and extraordinary, caused by improper use of equipment and improper storage of data, theft of paper and electronic media, force majeure, breakdowns, etc.
Definition of risks
As a result of the impact of threats, the following negative consequences may arise, affecting the IS and its normal functioning:
- financial losses associated with leakage or disclosure of protected information (losses associated with breach of confidentiality);
- financial losses related to destruction and subsequent recovery of lost information and resources (losses associated with violation of integrity and availability of information resources, etc.);
- losses from downtime and losses connected with the inability to perform one's obligations;
- moral losses and damage to reputation.
Decisions on the protection of specific information technology resources, on the degree of protection, and the related financial and technical decisions are made on the basis of the value of the resources, the possible risks and the probability of the threats.
Measures to provide IS
General measures aimed at ensuring IS include:
- administrative and legal, organizational and regime;
- technical, based on the use of hardware and software and special means.
List of administrative-legal and organizational measures:
- Definition of the legal status of all subjects of relations in the information environment, establishing their responsibility through compliance with regulations, provisions and policies in the field of IS.
- Definition of information resources (assets) and their classification by the criteria of confidentiality, availability and integrity, with definition of information protection requirements for each class. Designation, for each information resource of the company, of an authorized person (resource owner) responsible for granting access to it and for the effective functioning of the information protection measures applied to protect the resource.
- Ensuring the principle of separation of access: information should be available only to those for whom it is intended and who are authorized to receive it. Providing employees with the minimum access rights sufficient for the information they need to perform their functional duties (least privilege).
- Identification and formalization of all operational processes related to the use of information systems for which it is important to ensure continuity as well as information protection. Identification and documentation of all possible incidents in operational processes and development of a system of proactive measures to reduce the likelihood of incidents occurring.
- Performing IS risk analysis and assessment, and treating IS risks for the most critical information assets.
- Identification of the main threats to which information resources are exposed, timely detection of problems potentially affecting the company's IS, and adjustment of the threat and intruder models.
- Conducting regular briefings and training sessions on information security for employees.
- Development of rules for the operation of technical and software tools (regulations, procedures) and rules for responding to security breaches (and suspected breaches).
- Certification of the security of information technology objects, where necessary.
- Ensuring the continuity of the development of technological and software solutions.
- Creation of an effective system of control over observance of local normative acts on IS. Users of information resources shall be made aware of the existence of the information control and protection system.
- Development of a list of possible violations of IS and local regulations, and improvement of the regulatory framework for handling confidential information and data within the company and with third-party organizations.
- Determining requirements for the physical security of equipment involved in the storage, processing and transmission of information (PCs, servers, communication lines, switching equipment, etc.).
List of regime activities:
- Categorization of premises depending on the criticality of the information assets placed in them. In accordance with the category, ensuring technical reinforcement of premises and equipping them with video surveillance, access control, fire-fighting and alarm systems. Restricting and controlling access to designated rooms.
- Determining the list of critical internal documents of the company, the places and terms of their storage, and the access and destruction procedures.
- Determining emergency procedures for all departments and services.
- Holding regular management meetings to coordinate the implementation and improvement of the information security policy.
- Conducting regular independent reviews of information security assurance.
List of technical measures:
- Ensuring failure-free operation of hardware: redundancy, dedicated rooms.
- Use of software that has passed verification for compliance with IS requirements, testing and pilot operation. When selecting software, intellectual property requirements are observed.
- Use of information protection means for the processing, storage and transfer of confidential information, and where necessary use of protected connections with encryption, in particular for remote connections.
- Conducting comprehensive anti-virus protection.
- Conducting detection, prevention and remediation activities to protect against malicious code.
- Carrying out effective password protection. Using a system of user authorization and delimitation of access rights to resources.
- Exercising control over computer software and information (software composition and integrity, correctness of settings, etc.) and over routers (route tables, filters, passwords).
- Allocating separate isolated environments for experimenting with new technologies and for software testing.
- Defining and ensuring actions for backup and protection of information in case of emergencies.
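One way to implement the control over software composition and integrity listed among the technical measures above, as an added example that is not part of this Policy and not any particular product's code: a baseline of SHA-256 hashes is taken over a directory tree, stored, and later compared with the current state to report files that were added, removed or modified. The directory layout, file names and file contents are constructed for the demonstration; the helper names (hash_file, build_baseline, compare, demo) are assumed, not prescribed by the Policy.

```python
"""Added example: a minimal file-integrity baseline checker illustrating the
"software composition and integrity" control. Hypothetical code, not part of
the Policy; the directory tree and file contents are constructed inline."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):  # does not follow dir symlinks
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # a symlink could point outside the controlled tree
            rel = p.relative_to(root).as_posix()
            baseline[rel] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences: files added, removed, or whose content changed."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(f for f in old & new if baseline[f] != current[f]),
    }


def demo() -> dict:
    """Build a baseline over a constructed tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF original binary")  # constructed
        (root / "config.ini").write_text("debug=false\n")  # constructed
        baseline = build_baseline(root)
        # The stored baseline would normally live on signed or read-only media,
        # off the host being checked; here it is just serialized in memory.
        stored = json.dumps(baseline)

        # Simulated unauthorized changes: patched binary, deleted config, new file.
        (root / "bin" / "app").write_bytes(b"\x7fELF patched binary")
        (root / "config.ini").unlink()
        (root / "bin" / "backdoor").write_bytes(b"new unexpected file")

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison only detects changes relative to a baseline it trusts, so the stored baseline must be protected from the same party who might alter the files (kept read-only, signed, or off-host); otherwise an attacker who can replace a binary can also rewrite its expected hash. Configuration files and router settings (route tables, filters) can be placed under the same baseline by exporting them to files in the controlled tree.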