
Enterprise Information Security

  • Added: 16.03.2015
  • Size: 353 KB
  • Downloads: 0

Description

Information Security Course Project

Project's Content

Кабельный журнал 3 лист.frw (cable log, sheet 3)
Кабельный журнал 4 лист.frw (cable log, sheet 4)
Кабельный журнал 5 лист.frw (cable log, sheet 5)
Кабельный журнал 6 лист.frw (cable log, sheet 6)
Кабельный журнал 7 лист.frw (cable log, sheet 7)
Кабельный журнал 8 лист.frw (cable log, sheet 8)
Кабельный журнал 9 лист.frw (cable log, sheet 9)
Кабельный журнал 10 лист.frw (cable log, sheet 10)
Кабельный журнал 11 лист.frw (cable log, sheet 11)
Кабельный журнал 12 лист.frw (cable log, sheet 12)
Кабельный журнал 13 лист.frw (cable log, sheet 13)
Кабельный журнал 14 лист.frw (cable log, sheet 14)
Принципиальная схема.frw (schematic diagram)
План СКС.frw (structured cabling system plan)
Пояснительная записка.docx (explanatory note)

Additional information

Table of contents

Introduction

1. Characteristics of the protection object

1.1. General characteristic

1.2. Staff Functional Responsibilities

2. Information security concept. General provisions

2.1. Information Security Regulations

2.2. Threat and Risk Analysis

2.3. Threats with technical means

2.4. Software-based threats

2.5. Threats of information leakage via technical communication channels

2.6. Classification of information systems by security

2.7. Security Concept

2.7.1. Information Security Organization

2.7.2. Requirements for security functions implemented at different levels of information interaction

3. Implementation of security measures at the various levels of information interaction

3.1. Operating System (OS) Security

3.2. Security Measures at the Network Services Level

3.3. Database (DB) Level Security

3.4. Security Measures at the Network Equipment Level

3.5. Application-Level Security

3.6. Engineering and Technical Protection of Information

Conclusion

List of literature

Appendix

Introduction

The purpose of this work is to ensure the protection of information in the automated systems of the Kartalinskoye LPU MG branch of LLC "GTE". The work also pursues educational goals: the study and application of regulatory legal acts in the field of information security (hereinafter IS), the use of standards in implementing IS measures, and the study and application of GOSTs for preparing technical documentation under the Unified System for Design Documentation (ESKD).

Creating an information security system must be approached as a complex task because of the variety of technical and organizational solutions involved. Information security is ensured by the integrated use of all available protective measures in every structural element of the production system and throughout the information processing cycle.

A comprehensive information protection system combines all the methods and tools in use, and only then does it give the greatest protective effect. The operation of the system must be monitored, updated and supplemented as external and internal conditions change.

In implementing the engineering and technical measures, skills are acquired in the KOMPAS-3D computer-aided design system, in studying the functional duties of personnel, and in applying regulatory legal acts to them.

Characteristics of the protection object

General characteristic

The Kartalinskoye LPU MG branch of LLC "GTE" is located at Rostovskaya, Kartalinsky district, Sennoy St. The building has two floors with a total area of 600.6 square metres; the branch occupies the second floor.

The building has foam-block walls, which makes it easy to drill holes for mounting sockets. Suspended ceilings and raised floors are installed, which simplifies the installation of fire alarm sensors and the routing of network cables. The windows are double-glazed in plastic frames; the doors are wooden and steel.

The enterprise consists of the following rooms: 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 213B, 214, 215, 216.

According to SanPiN 2.2.2/2.4.1340-03, the floor area per workstation with a personal computer must be at least 6 square metres for a CRT video display terminal (VDT) and at least 4.5 square metres for a VDT with a flat-panel screen (LCD, plasma).

All rooms shall have access to the local area network of the building and the Internet, as well as sockets for connection to cable broadcasting and telephone network.

Room 201: a server, a mounting cabinet with network equipment, a CCTV camera, a fire alarm.

Room 202: 2 automated workstations, each consisting of a personal computer and a telephone; a fire alarm.

Room 203: 2 automated workstations, a computer, a telephone, a fire alarm.

Room 204: 5 automated workstations, a computer, a telephone, a fire alarm, a CCTV camera.

Room 205: 4 automated workstations, a computer, a telephone, a fire alarm.

Room 206: 2 automated workstations, a computer, a telephone, a CCTV camera, a fire alarm.

Room 207: 4 automated workstations, a computer, a telephone, a CCTV camera, a fire alarm.

Room 208: 5 automated workstations, a computer, a telephone, a CCTV camera, a fire alarm.

Room 209: a fire alarm.

Room 210: 2 automated workstations, a computer, a telephone, a fire alarm.

Room 211: 2 automated workstations, a computer, a telephone, a fire alarm.

Room 212: 2 automated workstations, a computer, a telephone, a fire alarm.

Room 213: 3 automated workstations, a computer, a telephone, a fire alarm.

Room 213B: 5 automated workstations, a computer, a telephone, a CCTV camera, a fire alarm.

Room 214: 4 automated workstations, a computer, a telephone, a CCTV camera, a fire alarm.

Room 215: 2 automated workstations, a computer, a telephone, a fire alarm.

Room 216: 2 automated workstations, a computer, a telephone, a fire alarm.

Staff Functional Responsibilities

Organization of activities:

Director - within the limits of his authority, handles matters directly concerning the production, economic and financial activities of the enterprise, and may assign the conduct of particular activities to other officials: deputy directors, heads of branches, production units and divisions. Organizes the effective interaction and work of all production units, workshops and structural divisions, directing their activity towards improving and developing production with regard to market and social priorities: increasing the volume of products sold and profit, raising the efficiency and competitiveness of the enterprise and the quality of its products so that they meet world standards, in order to win foreign and domestic markets and satisfy the population's demand for domestic products.

Equipment provided to the head of the enterprise:

Computer;

Printer, copier;

Network telecommunications.

Applications at the disposal of the head of the enterprise:

Microsoft Office 2007

Browser

Access to enterprise information provided:

Access to any directories on his own computer and on subordinates' computers

Access to any premises

Access to electronic and paper information on the firm's workforce

Internet and LAN access

Secretary - receives correspondence addressed to the head of the enterprise and passes it to specific executors for use in their work or for preparing replies.

Carries out the organizational and technical support of the head's administrative activities. Performs the necessary operations on the computer equipment used to process information when preparing and taking decisions. Receives applications and documents for the head's signature. Keeps the office records. Prepares materials and documents for the head's work.

Monitors the timeliness with which specific executors and structural departments consider and submit documents for the head's signature, and ensures their proper editing.

Equipment provided to the Secretary:

Computer;

Printer, copier;

Network telecommunications.

Applications at the disposal of the Secretary:

Microsoft Office 2007

Browser

Chief Engineer - guided by the approved medium- and long-term business plans of the enterprise, leads the development of measures for the reconstruction and modernization of the enterprise, the prevention of harmful effects of production on the environment, the careful use of natural resources, the creation of safe working conditions and the raising of the technical culture of production.

Ensures the effectiveness of design solutions, the timely and high-quality preparation of production, the repair and modernization of equipment, its technical operation, and the achievement of high product quality during development and production.

Head of department - performs the work himself and demands it of the department's specialists.

Installer - lays cable communication lines, splices the cable runs, installs parts and fittings for fastening cables, lays cable in shafts, wells and walls, equips cable supports, prepares channels for pulling cable and cable wells for laying (installs guards, opens and closes wells, etc.). Brings cable into the building; installs junction boxes, distribution boxes, cable boxes and protective strips.

Technician - under the guidance of a more qualified specialist, performs the necessary technical calculations, develops simple designs and simple diagrams, and ensures their compliance with technical specifications, current standards and regulatory documents. Carries out the adjustment, tuning, calibration and testing of equipment and systems in the laboratory and on site, and monitors their working order.

System Administrator - installs operating systems and the required software on servers and workstations. Configures the software on servers and workstations. Maintains server and workstation software.

Equipment provided to the Informatization Department: all equipment of the enterprise.

Applications at the disposal of the Informatization Department: all enterprise programs without exception.

Computer Systems Engineer - timely maintenance, repair and modernization of the enterprise's computer fleet. Supplies employees' workplaces with new computer and copying equipment and consumables.

Chief Accountant - manages the formation of the accounting and reporting information system in accordance with the requirements of accounting, tax, statistical and management accounting, and ensures that the necessary accounting information is provided to internal and external users. Ensures the preservation of accounting documents and their transfer to the archive in the established manner.

Accountant - keeps accounts of property, liabilities and business operations (fixed assets, inventory, production costs, product sales, results of economic and financial activity; settlements with suppliers and customers, for services provided, etc.). Participates in developing and implementing measures aimed at financial discipline and the rational use of resources.

Economist - performs work on the economic activity of the enterprise aimed at increasing the efficiency and profitability of production, product quality and the development of new types of products, achieving high final results with the optimal use of material, labour and financial resources. Prepares the initial data for drafting the enterprise's economic, financial, production and commercial plans (business plans) in order to ensure growth in product sales and profit.

Security Director - organizes and leads the legal and organizational protection of the enterprise. Develops and manages security measures for the protected sites. Develops means of protection and protection regimes adequate to the threat.

Security Specialist - carries out the legal and organizational protection of the enterprise and the protection of trade secrets. Organizes the distribution of additional duties among personnel in order to maintain the security regime.

Commercial Director - manages the enterprise's financial activities in the field of material and technical supply and product sales (sale of goods, provision of services). Coordinates the development and preparation of long-term and current plans for material and technical supply and product sales (sale of goods, provision of services), and of financial plans.

Head of the Subscriber Department - supervises the conclusion of contracts with subscribers. Organizes cash settlement services. Ensures the collection of payments from subscribers for the housing and communal services provided, on the basis of the current norms and rules, contracts and established schedules. Supervises the correctness of the readings taken by subscribers and of the information presented to them about the volumes of services received.

Customer Service Centre Specialist - searches for potential consumers of goods (services) and works with regular consumers with the aim of meeting their needs as fully as possible and maintaining long-term cooperation. Analyses the audience of potential clients and identifies their needs, level and orientation. Develops methods of finding customers, plans work with customers, and draws up schemes for contacting them.

HR Specialist - staffs the enterprise with workers of the required professions, specialties and qualifications. Takes part in recruitment, selection and placement. Studies and analyses the professional and qualification structure of the personnel of the enterprise and its divisions.

Human Resources and Security Department:

Maintains employee personal files

Conducts recruitment interviews

Holds promotion competitions

Supervises employees in matters of information security

Gives computer security awareness lectures

Keeps records of paper and electronic confidential information media

Information security concept. General provisions

Information Security Regulations

The project uses the following regulatory documents to ensure the availability, integrity, confidentiality, reliability and authenticity of information:

RD 50-680-88 "Methodological guidelines. Automated systems. Basic provisions." Resolution of the USSR State Committee for Standards of 28.12.88 No. 4622 [1].

GOST 34.10-94 "Information technology. Cryptographic protection of information. Procedures for generating and verifying an electronic digital signature based on an asymmetric cryptographic algorithm."

GOST R ISO/IEC 15408-1-2002 "Information technology. Methods and means of ensuring security. Evaluation criteria for IT security. Part 1. Introduction and general model."

GOST R ISO/IEC 15408-2-2002 "Information technology. Methods and means of ensuring security. Evaluation criteria for IT security. Part 2. Security functional requirements."

GOST R ISO/IEC 15408-3-2002 "Information technology. Methods and means of ensuring security. Evaluation criteria for IT security. Part 3. Security assurance requirements."

GOST R 51583-2000 "Information protection. Procedure for creating automated systems in a protected design."

GOST R 50922-96 "Information protection. Basic terms and definitions."

GOST R 50739-95 "Computer equipment. Protection against unauthorized access to information. General technical requirements."

GOST R 51275-99 "Information protection. Information object. Factors affecting information. General provisions."

Law of the Russian Federation of March 5, 1992 No. 2446-1 "On Security."

Federal Law of July 27, 2006 No. 149-FZ "On Information, Information Technologies and Protection of Information."

Federal Law of July 27, 2006 No. 152-FZ "On Personal Data."

Federal Law of December 27, 2002 No. 184-FZ "On Technical Regulation."

Decree of the President of the Russian Federation of March 6, 1997 No. 188 "On Approval of the List of Confidential Information."

Decree of the Government of the Russian Federation of November 17, 2007 No. 781 "On Approval of the Regulation on Ensuring the Security of Personal Data during Their Processing in Personal Data Information Systems."

Decree of the Government of the Russian Federation of June 26, 1995 No. 608 "On Certification of Information Protection Means."

Decree of the Government of the Russian Federation of January 26, 2006 No. 45 "On the Organization of Licensing of Certain Types of Activities."

Decree of the Government of the Russian Federation of August 15, 2006 No. 504 "On Licensing of Activities for the Technical Protection of Confidential Information."

The enterprise's own documents (the organizational support of IS) consist of the IS concept together with orders, instructions and work schedules for ensuring IS:

Information security concept;

Information security policy;

Certificate determining the security class of the information system;

Model of the intruder and of threats to information security.

Documents containing the provisions of particular policies (second-level documents) detail the provisions of the corporate IS policy for one or more IS areas, or for particular types and technologies of the organization's activity. These include:

Regulation on trade secrets;

Regulation on personal data of the enterprise;

Regulation on the use of the Internet in the enterprise;

Department regulations.

Documents containing IS provisions applicable to procedures, that is, to the order of performing actions or operations to ensure IS (third-level documents). Such documents contain rules and parameters that establish how specific IS-related actions are carried out within the technological processes used in the organization, or restrictions on performing individual actions related to protective measures in those processes (technical specifications, regulations, procedures, instructions):

Instruction on antivirus protection of the personal data information system (ISPDn);

Instruction on modifying the software and hardware of the ISPDn;

Instruction on processing visitors' personal data;

Instruction to users on actions in emergency situations.

On the basis of the regulatory acts in force at the enterprise and Order No. 293 "On Restructuring the Information Security System", the following orders were accepted for execution:

Take an inventory of enterprise network users and identify user groups.

Exclude the storage of official information on local storage devices.

Regulate the access of individual users and user groups to resources outside the corporate network.

Prevent the use of external hardware storage devices.

Regulate the installation and use of electronic communication tools.

Analyse passing traffic for correctness and for the presence of malicious software.

Audit the existing software to confirm that the number of licences is correct.

Technically restrict user workstations to running only the programs needed for day-to-day work.

Perform continuous antivirus checks of the software.

When the relevant departments of the Enterprise develop their own software, provide for mandatory personalized authentication of users before the programs can be used, as well as detailed logging of user actions.

Develop a system for monitoring the hiring and dismissal of employees so that their accounts and data are created and deleted in time.

All employees of the Enterprise must sign the job instruction on the use of the Enterprise's information and technical systems.

If an employee of the Company does not comply with the requirements, immediately disconnect his personal computer from the corporate network.

Develop an enterprise information security policy based on existing industry standards (ISO 17799).

At least once a quarter, submit a report on the state of information security to senior management.

Notify senior management of incidents immediately.
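The two orders on in-house software (personalized authentication before a program can be used, detailed logging of user actions) and the order on creating and deleting accounts in step with hiring and dismissal are easier to judge against a concrete implementation. The following Python module is an added example written for this page; it is not part of the course project or of any software of the enterprise. The user names, passwords, action names and the PBKDF2 cost parameter are constructed for the example.

```python
"""Added example (not from the course project): a minimal access layer for
in-house software that (a) refuses any action without personalized
authentication and (b) writes an audit record for every attempt, successful
or not. All user names, passwords and actions below are constructed test data."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

PBKDF2_ROUNDS = 100_000        # assumption: example cost parameter, tune for real hardware
_DUMMY_SALT = os.urandom(16)   # unknown users cost one PBKDF2 run too (no enumeration by timing)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    active: bool = True        # cleared by the leaver process; the record stays for the audit trail


@dataclass
class AccessLayer:
    accounts: dict = field(default_factory=dict)   # user -> Account
    sessions: dict = field(default_factory=dict)   # token -> user
    audit: list = field(default_factory=list)      # one dict per attempt

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _log(self, user: str, action: str, result: str, detail: str = "") -> None:
        self.audit.append({"ts": time.time(), "user": user, "action": action,
                           "result": result, "detail": detail})

    def create_user(self, user: str, password: str) -> None:
        """Joiner: one personal account per employee, salted PBKDF2 hash, never the password."""
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, self._derive(password, salt))
        self._log("system", "create_user", "ok", user)

    def disable_user(self, user: str) -> None:
        """Leaver: the account can no longer log in and its live sessions are dropped."""
        self.accounts[user].active = False
        self.sessions = {t: u for t, u in self.sessions.items() if u != user}
        self._log("system", "disable_user", "ok", user)

    def login(self, user: str, password: str) -> Optional[str]:
        acct = self.accounts.get(user)
        salt = acct.salt if acct else _DUMMY_SALT
        candidate = self._derive(password, salt)
        ok = acct is not None and acct.active and hmac.compare_digest(candidate, acct.pw_hash)
        if not ok:
            self._log(user, "login", "denied", "bad credentials or disabled account")
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = user
        self._log(user, "login", "ok")
        return token

    def perform(self, token: Optional[str], action: str, fn: Callable[[], object]) -> object:
        """Every program function goes through here: no valid session, no execution,
        and the attempt is logged under the real user name, never a shared account."""
        user = self.sessions.get(token)
        if user is None:
            self._log("<unauthenticated>", action, "denied", "no valid session")
            raise PermissionError(f"{action}: authentication required")
        try:
            result = fn()
        except Exception as exc:
            self._log(user, action, "error", repr(exc))
            raise
        self._log(user, action, "ok")
        return result


def demo() -> AccessLayer:
    """Constructed walk-through: a hire, normal use, an unauthenticated attempt,
    a wrong password, and a dismissal after which the old credentials no longer work."""
    acl = AccessLayer()
    acl.create_user("ivanov", "correct horse battery staple")
    tok = acl.login("ivanov", "correct horse battery staple")
    acl.perform(tok, "export_report", lambda: "report.xlsx")
    try:
        acl.perform(None, "export_report", lambda: "report.xlsx")
    except PermissionError:
        pass
    acl.login("ivanov", "wrong password")
    acl.disable_user("ivanov")
    assert acl.login("ivanov", "correct horse battery staple") is None
    return acl


if __name__ == "__main__":
    for rec in demo().audit:
        print(rec)
```

The audit list is what the order calls "detailed logging": every denied attempt is recorded alongside the successful ones, and every record names an individual account, which is what makes the authentication personalized. In a real deployment the list would be written to append-only storage outside the application's own database.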

2.2 Threat and Risk Analysis

The following types of enterprise information resources are regarded as objects of protection under this concept:

Information (data, telephone calls and faxes) transmitted over communication channels;

Information stored in databases, on file servers and workstations, on directory servers, in corporate network users' mailboxes, etc.;

Configuration information and operation logs of network devices, software systems and complexes.

On the basis of the properties to be protected (availability, integrity, confidentiality), all threats to the system's information resources fall into one of the following categories:

Threats to the availability of information stored and processed in the IS and of information transmitted over communication channels;

Threats to the integrity of information stored and processed in the IS and of information transmitted over communication channels;

Threats to the confidentiality of information stored and processed in the IS and of information transmitted over communication channels.

By the way they are implemented, threats to the security of information resources can be divided into the following groups:

Threats implemented using technical means;

Threats implemented using software tools;

Threats realized through technical information leakage channels.

Threats with technical means

General description

The system's technical means comprise transceiving and switching equipment, server and workstation hardware, and communication lines. This class covers threats to the availability, integrity and, in some cases, confidentiality of information stored, processed and transmitted over the system's communication channels that arise from damage to and failures of IS hardware, transceiving and switching equipment, and damage to communication lines.

Types of threats

Technical means are characterized by threats related to their intentional or unintentional damage, configuration errors and failure:

Failure (intentional or unintentional);

Unauthorized or erroneous reconfiguration of active network and transceiving equipment;

Physical damage to equipment, communication lines, network and channel-forming equipment;

Interruptions in the power supply;

Failures of technical equipment;

Installation of unverified hardware, or replacement of failed hardware components with non-identical ones;

Theft of technical means and of long-term storage media holding confidential information, owing to a lack of control over their use and storage.

Threat Sources

The sources of security threats to the system's technical means are external and internal intruders and natural phenomena, including natural disasters, fire, theft of equipment, sabotage, mistakes by maintenance personnel, terrorism, etc.

Threats Implemented Using Software

General description

This is the most numerous class of threats to the confidentiality, integrity and availability of information resources. It is associated with obtaining unauthorized access to information stored and processed in the system, or transmitted over communication channels, by using the capabilities provided by the IS software. Most threats in this class are implemented through local or remote attacks on the system's information resources by internal and external attackers. A successful attack gives the intruder unauthorized access to information in the databases and file systems of the corporate network, to data stored on operators' automated workstations (AWS), and to the configuration of routers and other active network equipment.

Types of threats

This class covers the following main types of threats:

Introduction of viruses and other destructive software;

Violation of the integrity of executable files;

Errors in software code and in the configuration of software and active network equipment;

Analysis and modification of software;

Undeclared capabilities in software, left over from debugging or implanted intentionally;

Monitoring of system operation with network traffic analysers and OS utilities to obtain information about the system and the state of network connections;

Exploitation of software vulnerabilities to defeat software protection in order to gain unauthorized access to information resources or to disrupt their availability;

One user performing unauthorized actions on behalf of another ("masquerade");

Disclosure, interception and theft of secret codes and passwords;

Reading of residual information in computer RAM and on external media;

Errors in entering control information from the operator's AWS into the database;

Downloading and installation of unlicensed, unverified system and application software;

Blocking the work of system users by software means.

Threats associated with the use of data transmission networks should be considered separately. This class is characterized by an internal or external intruder gaining network access to database and file servers, routers and active network equipment. The following types of threats are specific to the enterprise's data transmission network:

Interception of information on communication lines using network traffic analysers of various kinds;

Substitution, insertion, deletion or modification of user data in the information flow;

Interception of information transmitted over communication channels (for example, user passwords) for subsequent use to bypass network authentication;

Statistical analysis of network traffic (for example, the presence or absence of certain information, transmission frequency, direction, data types, etc.).
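To make the network threat list concrete, the following Python script is an added example (not part of the course project) of what a passive traffic analyser recovers from the enterprise data network when services run without encryption: the interception threat, the password-interception threat, and the traffic-analysis threat from the list above. The captured payloads, addresses and credentials are constructed for the example; a TLS flow is included to show what the same analyser gets from an encrypted session.

```python
"""Added example (not part of the course project): what a passive traffic
analyser recovers from the enterprise data network when services run in
cleartext. CAPTURE is constructed test data; a real capture would come from
a tap or SPAN port after TCP reassembly."""
import base64
import re
from urllib.parse import parse_qs

# Constructed payloads, one reassembled TCP segment each: (flow, bytes).
CAPTURE = [
    ("10.10.2.15 -> 10.10.1.5:21",  b"USER ivanov\r\n"),
    ("10.10.1.5:21 -> 10.10.2.15",  b"331 Please specify the password.\r\n"),
    ("10.10.2.15 -> 10.10.1.5:21",  b"PASS Winter2015\r\n"),
    ("10.10.2.20 -> 10.10.1.7:80",  b"GET /reports/ HTTP/1.1\r\nHost: intranet\r\n"
                                    b"Authorization: Basic cGV0cm92OnF3ZXJ0eQ==\r\n\r\n"),
    ("10.10.2.31 -> 10.10.1.7:80",  b"POST /login HTTP/1.1\r\nHost: intranet\r\n"
                                    b"Content-Type: application/x-www-form-urlencoded\r\n"
                                    b"Content-Length: 32\r\n\r\n"
                                    b"username=sidorov&password=123456"),
    # TLS record header + start of a ClientHello: the analyser sees only opaque bytes.
    ("10.10.2.31 -> 10.10.1.7:443", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\x5c\x1f"),
]

FTP_CMD = re.compile(rb"^(USER|PASS) (.+)\r\n", re.M)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r\n", re.M)


def extract_credentials(capture):
    """Return (flow, protocol, user, secret) for every cleartext credential in the capture.
    Each entry is enough to bypass authentication on the target by plain replay."""
    found = []
    ftp_user = {}  # flow -> last USER seen, so the following PASS can be paired with it
    for flow, payload in capture:
        for cmd, arg in FTP_CMD.findall(payload):
            if cmd == b"USER":
                ftp_user[flow] = arg.decode(errors="replace")
            else:
                found.append((flow, "ftp", ftp_user.get(flow), arg.decode(errors="replace")))
        m = HTTP_BASIC.search(payload)
        if m:
            try:
                user, _, pw = base64.b64decode(m.group(1), validate=True).decode().partition(":")
                found.append((flow, "http-basic", user, pw))
            except (ValueError, UnicodeDecodeError):
                pass  # malformed header: not a usable credential
        if payload.startswith(b"POST ") and b"application/x-www-form-urlencoded" in payload:
            _, _, body = payload.partition(b"\r\n\r\n")
            form = parse_qs(body.decode(errors="replace"))
            user = next((form[k][0] for k in ("username", "user", "login") if k in form), None)
            pw = next((form[k][0] for k in ("password", "pass", "passwd") if k in form), None)
            if pw is not None:
                found.append((flow, "http-form", user, pw))
    return found


def flow_summary(capture):
    """Traffic-analysis view: even the opaque TLS flow reveals who talks to whom and how much."""
    summary = {}
    for flow, payload in capture:
        entry = summary.setdefault(flow, {"bytes": 0, "cleartext": False})
        entry["bytes"] += len(payload)
        entry["cleartext"] = entry["cleartext"] or all(
            32 <= b < 127 or b in b"\r\n\t" for b in payload)
    return summary


if __name__ == "__main__":
    for rec in extract_credentials(CAPTURE):
        print("credential:", rec)
    for flow, info in flow_summary(CAPTURE).items():
        print(f"{flow:30s} {info['bytes']:5d} bytes  cleartext={info['cleartext']}")
```

Run against the constructed capture, the script recovers three usable credentials (FTP, HTTP Basic and an HTML form login) and nothing from the TLS flow except its endpoints and volume, which is exactly the division between the interception threats and the statistical-analysis threat in the list above. The same logic, fed by a real capture, is a quick way to verify the order that passing traffic be analysed.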

Threat Sources

The sources of security threats to the system software are external and internal intruders.

External threats:

Introduction of viruses and other destructive software;

Analysis and modification/destruction of installed software;

Exploitation of software vulnerabilities to defeat software protection in order to obtain unauthorized rights to read, copy, modify or destroy information resources, or to disrupt their availability;

Reading residual information in computer memory and on external media;

Blocking of system users by software means, etc.

Internal threats:

Dishonest employees seeking to earn extra money at the employer's expense. Such insiders use the company's confidential information resources for their own benefit: customer databases, the company's intellectual property and the contents of trade secrets can be used in the insider's personal interest or sold to competitors.

Planted and recruited insiders. The most dangerous and hardest-to-identify type of internal attacker, usually part of a criminal chain or a member of an organized criminal group. Such employees have a sufficiently high level of access to confidential information that the damage from their actions can be fatal for the company.

Threats of information leakage via technical communication channels

Types of technical information leakage channels

When working with confidential information and operating IS hardware, the following channels for information leakage, or for violating the integrity of information or the operability of hardware, are possible:

Spurious electromagnetic emanations of the information signal from technical means and information transmission lines;

Acoustic emanation of an informative speech signal, or of a signal caused by the operation of information processing equipment;

Unauthorized access to information processed in automated systems;

Theft of equipment with the information stored in it, or of individual media;

Viewing information on display screens and other display means using optical instruments;

Influence on technical or software tools in order to violate the integrity (destruction, distortion) of information or the operability of technical means.

Since the object is not a restricted-regime facility (no information constituting a state secret is processed) and only commercial information is of interest, threats involving electromagnetic fields and acoustic and ultrasonic frequencies are not considered for this enterprise. For the security systems at the engineering level it is sufficient to provide fire alarms and access control systems in the specialized rooms, for example the switching room or the room where the servers are located.

Threat Sources

The sources of security threats to the system's technical means are external and internal intruders equipped with specialized technical reconnaissance equipment.

Classification of information systems by security

Class FOD: Administration

Director - shall define [assignment: management commitments], including clear direction, visible leadership support, the advice of security specialists, support with appropriate resources, and integration into the processes of promoting security.

System Administrator - defines personnel administration in the context of automated system security.

Security Director - defines security incident management as an object of administration.

Security Specialist - shall define [assignment: security requirements] for actions to restore normal operation after security violations or system failures.

System Administrator - shall define [assignment: security requirements] for the network service provider's ability to deliver services securely, and stipulate the organization's right to conduct an audit.

Class FOS: IT Systems

Chief Engineer - shall define [assignment: procedures] for software change management to ensure that the latest approved corrective patches and application fixes are installed for all authorized software.

System Administrator - shall define [assignment: responsibilities] for protecting systems from malware, for training in the use of the appropriate protective tools, and for reporting malware attacks and neutralizing their consequences.

System Administrator - shall provide [assignment: controls] so that all cryptographic keys associated with encrypted archives or digital signatures are protected and are available to authorized persons when necessary.

Security Specialist - shall provide [assignment: controls] to protect software, data and other information requiring a high level of integrity that is made available on public systems.

System Administrator - shall provide [assignment: controls] to limit the access of IT support personnel to program source libraries.

System Administrator - shall provide [assignment: measures] to tie network access rights to specific dates and times of day.

Security Specialist - shall define [assignment: security requirements] for the organization of backups on individual systems so that business continuity plans are met.

Class FOA: User Assets

System Administrator - shall define [assignment: rules] not to use operational databases containing personal data for testing purposes.

Class FOB: Production Activities

Human Resources - shall define [assignment: roles and responsibilities] and the information given to candidates before hiring.

System Administrator - shall define [assignment: rules] for special access to automated system assets during security violations.

Class FOP: Infrastructure and Equipment

Active Equipment Engineer - shall provide [assignment: measures] to protect against the risks associated with the use of mobile computing devices.

Active Equipment Engineer - shall define [assignment: rules] for storing standby equipment and media at a safe distance from the main production site so that they are not damaged in the event of an accident at that site.

System Administrator - shall define [assignment: security requirements] for the use of the information processing infrastructure.

Class FOT: Third Parties

Security Specialist - shall define [assignment: security requirements] for licence agreements, ownership of software code and intellectual property rights, certification of the quality and correctness of the work performed, the procedure for resolving the situation if a third-party organization fails, the right of access to audit the quality and correctness of the work done, and, where software development is assigned to a third party, contractual requirements for code quality and pre-installation testing to identify Trojan code.

System Administrator - shall define [assignment: rules] not to grant third-party organizations access to the organization's information unless appropriate controls are in place and an agreement is signed defining the boundaries and conditions of connection or access and the procedure for performing the work.
