Information Security (IS) is the protection and preservation of information resources from accidental, malicious or extraordinary internal/external influences and disruptions designed to ensure business continuity, minimize business risk and maximize return on investment and provide business opportunities. Information security consists of strict compliance with the requirements and principles set forth in this Policy.

General provisions

This document defines:

  • objectives of the IS system;
  • objects of protection;
  • the main classes and sources of IS threats;
  • risks and financial losses from them;
  • main measures and approaches to the creation of the IS system.

This Policy serves as the basis for:

  • creation of a unified system of legal, organizational, technical, regime and
    other security measures;
  • development of programs and activities to ensure information security.

Purpose of information security policy:

  • Information security policy is a systematic set of rules, requirements and
    instructions in the field of information security that governs the organization's
    activities in this area.
  • Information security policies regulate effective work of information
    protection means. They cover all features of information processing, defining the
    behavior of information systems and their users in various situations.

Scope:

  • The provisions of this Policy apply to all information resources and services.
  • This Policy applies to all information, regardless of the type of media on
    which it is recorded.
  • Provisions of this Policy are applicable for use in internal regulatory and
    methodological documents and contracts.
  • Scope of private (detailed) information security policies is defined in the
    policies themselves.

Terms and definitions

This normative document uses the following terms with the definitions given below.

  • Information confidentiality is a subjectively defined (attributed) characteristic
    (property) of information indicating the need to restrict the circle of subjects
    having access to it, ensured by the ability of the system (environment) to keep
    that information secret from subjects not entitled to access it.
  • Integrity of information is the property of information consisting in its existence
    in an undistorted form (unchanged relative to some fixed state): the relevance and
    consistency of information and its protection from destruction and unauthorized
    change.
  • Information accessibility is a property of the system in which information
    circulates (the means and technology of its processing), characterized by the
    ability to provide timely, unhindered access to information for the subjects
    entitled to it.

Information security objectives

The main objectives of ensuring IS are:

  • ensuring the confidentiality of critical information resources to ensure the continuity of business processes (operations) that form the basis of activities;
  • ensuring integrity of information resources to maintain the ability to provide quality services and make effective management decisions;
  • ensuring the necessary availability and continuity of access to information
    resources to support business activities;
  • preventing disclosure and leakage of confidential information;
  • prevention of unauthorized access to sources of confidential information;
  • prevention of threats and/or minimization of damage from information security threats to permissible values;
  • ensuring compliance with IS legislative requirements;
  • achievement of adequacy of protection measures to actual IS threats;
  • raising user awareness of information security issues;
  • defining the degree of responsibility and obligations of employees to ensure information security;
  • meeting the expectations of partners;
  • improvement of business reputation and culture.

Objects of security

The objects subject to protection are:

  • information (information assets/resources) that is confidential, constitutes a trade
    secret, or is sensitive to accidental and unauthorized influences and violations of
    its security, as well as any internal information necessary for the implementation
    of activities, regardless of the form and type of its presentation;
  • software: application software, system software, service software and any other
    software, regardless of the form in which it is obtained (purchased, proprietary,
    freely distributed);
  • physical assets: hardware;
  • service assets: computing and communication services.

Main classes of threats

IS threats are defined as potential adverse effects on protected information that include:

  • Inaccessibility of information as a result of its blocking, hardware or software
    failure, disruption of operating systems of workstations, servers, routers, database
    management systems, distributed computing networks, viruses, natural disasters
    and other force majeure circumstances.
  • Loss of information constituting trade secrets, secrets and other protected
    information, as well as distortion (unauthorized modification, forgery) of such
    information;
  • Leak — unauthorized familiarization with protected information by
    unauthorized persons (unauthorized access, copying, theft, etc.), as well as leakage
    of information via communication channels and due to electromagnetic emissions.

Sources of IS threats are divided into:

  • internal, caused by the actions of employees, authorized users of the information
    system — access and theft of confidential information, intentional distortion or
    destruction of information in the system, performing manipulations that lead to
    distortion of the system or its failure, non-compliance with the basic rules of safe
    work with the mail, active elements on web-pages, data distortion due to careless
    actions, etc;
  • external, caused by external influences — network attacks and unauthorized
    intrusion into computer networks, viruses and worms from e-mail and Web-pages,
    spam, interception of unencrypted traffic, etc;
  • natural, technical and extraordinary, caused by improper use of equipment
    and improper storage of data, theft of paper and electronic media, force majeure,
    breakdowns, etc.

Definition of risks

As a result of the impact of threats, the following negative consequences may
arise, affecting the IS and its normal functioning:

  • financial losses associated with leakage or disclosure of protected information
    (losses associated with breach of confidentiality);
  • financial losses related to destruction and subsequent recovery of lost
    information and resources (losses associated with violation of integrity, availability
    of information resources, etc.);
  • losses from downtime and losses connected with the inability to perform one’s
    obligations;
  • moral losses, damage to reputation.

The decision on the protection of specific information technology resources and
the degree of protection, financial and technical decisions are made on the basis of
the value of resources on the criteria of possible risks and the probability of
threats.

Measures to provide IS

General measures aimed at ensuring IS include:

  • administrative and legal, organizational and regime;
  • technical, based on the use of hardware and software and special means.

List of administrative-legal and organizational measures:

  • Definition of the legal status of all subjects of relations in the information
    environment, establishing their responsibility through compliance with regulations,
    provisions and policies in the field of IS.
  • Definition of information resources (assets) and their classification by criteria
    of confidentiality, availability and integrity with definition of information protection
    requirements for each class. Defining for each information resource of the
    company an authorized person (resource owner), responsible for providing access
    to it and effective functioning of information protection measures applied to
    protect the resource.
  • Ensuring the principle of separate access: Information should only be
    available to those for whom it is intended and authorized. Providing employees
    with minimally sufficient access rights to the information they need to perform
    their functional duties.
  • Identify and formalize all operational processes related to the use of
    information systems for which it is important to ensure continuity as well as
    information protection. Identify and document all possible incidents in operational
    processes and develop a system of proactive measures to reduce the likelihood of
    incidents occurring.
  • Performing IS risk analysis and assessment, processing IS risks for the most
    critical information assets.
  • Identification of main threats to which information resources are exposed,
    timely detection of problems potentially affecting IS of the company, adjustment
    of threat models and the executor.
  • Conducting regular briefings and training sessions on information security for
    employees.
  • Development of rules for the operation of technical and software tools
    (regulations, procedures) and rules for responding to security breaches (suspected
    breaches).
  • Certification of the security of information technology objects, if necessary.
  • Ensuring the continuity of the development of technological and software
    solutions.
  • Creation of effective system of control over observance of local normative
    acts on IS. Users of information resources shall be aware of the availability of the
    information control and protection system.
  • Development of a list of possible violations of IS and local regulations. To
    improve the regulatory framework for handling confidential information and data
    within the company and with third-party organizations.
  • Determining requirements for the physical security of equipment involved
    in the storage, processing and transmission of information (PCs, servers,
    communication lines, switching equipment, etc.).

List of regime activities:

  • Categorization of premises depending on the criticality of the information
    assets placed in them. In accordance with the category, ensuring technical
    reinforcement of premises, equipping them with video surveillance, access control,
    firefighting and alarm systems. Restricting access and controlling access to
    designated rooms.
  • Determining the list of critical internal documents of the company, the places
    and terms of their storage, access and destruction procedures.
  • Determining emergency procedures for all departments and services.
  • Holding regular management meetings to coordinate the implementation
    and improvement of the information security policy.
  • Conducting regular independent reviews of information security assurance.

List of technical measures:

  • Ensuring failure-free operation of hardware: redundancy, special rooms.
  • Use of software that has passed verification for compliance with IS requirements,
    testing and pilot operation. When selecting software, intellectual property
    requirements are observed.
  • Use of information protection means for processing, storage and transfer of
    confidential information, if necessary use of protected connections with
    encryption, in particular for remote connections.
  • Conducting a comprehensive anti-virus protection.
  • Conducting detection, prevention and remediation activities to protect
    against malicious code.
  • Carrying out effective password protection. Using a system of user
    authorization and delimitation of rights of access to resources.
  • Exercising control over the computer software and information (software
    composition and integrity, correctness of settings, etc.) and routers (route tables,
    filters, passwords).
  • Allocating separate isolated environments for experimenting with new
    technologies and software testing.
  • Defining and ensuring actions for backup and protection of information in
    case of emergencies.