
Categorization of information and information systems. Ensuring a basic level of information security. Categorizing information by importance

Mikhail Koptenkov | © M. Koptenkov

Information security is the state of protection of the information environment. It should be treated as a set of measures among which none can be singled out as more or less important. The concept is closely tied to information protection, that is, the activity of preventing the leakage of protected information and unauthorized or unintentional impacts on it; in other words, the process aimed at reaching a state of information security. Before protecting information, however, one has to determine what information needs to be protected and to what extent. This is the purpose of categorizing (classifying) information: establishing gradations of how important it is to ensure its security and assigning specific information resources to the corresponding categories. Categorizing information can therefore be called the first step towards ensuring an organization's information security.

Historically, as soon as information is classified, it is classified by level of secrecy (confidentiality), while the requirements for availability and integrity are either not considered at all or folded into the general requirements for the processing systems. This approach is wrong. In many areas the share of confidential information is relatively small, and for open information, whose disclosure causes no damage, the most important properties are availability, integrity and protection from unauthorized copying. An online store is an example: it is essential that the company's website stays continuously available. Because different information needs different levels of protection, separate categories of confidentiality, integrity and availability can be introduced.

1. Confidentiality categories of protected information

Confidentiality of information is the property of information that indicates the need to restrict the circle of persons who have access to it.
The following categories of information confidentiality are introduced:
Strictly confidential information – information that is confidential by legal requirement, as well as information whose dissemination is restricted by decision of the organization's management and whose disclosure could cause significant damage to the organization's activities.
Confidential information – information that is not strictly confidential, whose dissemination is restricted only by decision of the organization's management and whose disclosure could cause damage to the organization's activities.
Open information – information that does not need to be kept confidential.

2. Categories of information integrity

Integrity of information is the property of data retaining a predetermined form and quality (remaining unchanged relative to some fixed state).
The following categories of information integrity are introduced:
High – information whose unauthorized modification or falsification could cause significant damage to the organization's activities.
Low – information whose unauthorized modification could cause moderate or minor damage to the organization's activities.
No requirements – information for which there are no integrity requirements.

3. Categories of information availability

Availability is the state of information in which the subjects who have the right of access can exercise it without hindrance.
The following categories of information availability are introduced:
Seamless availability – access to the information must be ensured at any time (the delay in obtaining access must not exceed several seconds or minutes).
High availability – access to the information must be provided without significant delays (the delay in obtaining access must not exceed several hours).
Average availability – access to the information may be provided with significant delays (the delay in obtaining the information must not exceed several days).
Low availability – delays in accessing the information are practically unlimited (the permissible delay in obtaining access is several weeks).

From the above it is clear that the confidentiality and integrity categories of information depend directly on the amount of damage to the organization's activities if those properties are violated. Availability categories depend on it to a lesser extent, but still do. The amount of damage is assessed subjectively on a three-level scale: significant, moderate and minor (or no damage).
Damage to the organization's activities is assessed as minor if the loss of availability, confidentiality and/or integrity of information has a minor negative impact on the organization's activities, its assets and personnel.
A minor negative impact means that:
- the organization remains capable of performing its activities, but the effectiveness of its core functions is reduced;
- minor damage is caused to the organization's assets;
- the organization suffers minor financial losses.
Damage to the organization's activities is assessed as moderate if the loss of availability, confidentiality and/or integrity has a significant negative impact on the organization's activities, its assets and personnel.
A significant negative impact means that:
- the organization remains capable of performing its activities, but the effectiveness of its core functions is significantly reduced;
- significant damage is caused to the organization's assets;
- the organization suffers significant financial losses.
Damage to the organization's activities is assessed as significant if the loss of availability, confidentiality and/or integrity has a severe (catastrophic) negative impact on the organization's activities, its assets and personnel, i.e.:
- the organization loses the ability to perform all or some of its core functions;
- major damage is caused to the organization's assets;
- the organization suffers large financial losses.
Thus, by assessing the damage to the organization's activities from a violation of the confidentiality, integrity and availability of information, and determining the categories of information on that basis, three types of information can be distinguished: the most critical, critical and non-critical.

The type of information is determined from the combination of its three categories. Table 1 defines the information type.

Confidentiality category | Integrity category | Availability category | Information type
Strictly confidential    | *                  | *                     | The most critical information
*                        | High               | *                     | The most critical information
*                        | *                  | Seamless availability | The most critical information
Confidential             | *                  | *                     | Critical information
*                        | Low                | *                     | Critical information
*                        | *                  | High availability     | Critical information
Open                     | No requirements    | Average availability  | Non-critical information
Open                     | No requirements    | Low availability      | Non-critical information

(An asterisk means any value of that category.)

Table 1: Definition of information type
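As an added example that is not part of the article, the following Python applies Table 1 to an information asset and then derives the category of a computer as the maximum type of the information it processes, which is how the second part of this page describes categorizing computers. It assumes that the rows of Table 1 are matched from the top down, so that when several rows match (for instance strictly confidential information with low availability) the stricter row wins; the asset inventory at the bottom is constructed for illustration.

```python
"""Information type per Table 1 and computer category as the maximum type.

Added example; the category names are the article's, the rule ordering
(strictest row first) is an assumption, and the inventory is constructed.
"""
from dataclasses import dataclass

# Ordered scales from the article; a higher index is a stricter requirement.
CONFIDENTIALITY = ("open", "confidential", "strictly confidential")
INTEGRITY = ("no requirements", "low", "high")
AVAILABILITY = ("low", "average", "high", "seamless")
TYPES = ("non-critical", "critical", "most critical")


@dataclass(frozen=True)
class InformationAsset:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(scale, value):
    """Position of a category on its scale; reject values the article does not define."""
    try:
        return scale.index(value)
    except ValueError:
        raise ValueError(f"{value!r} is not one of {scale}") from None


def information_type(asset):
    """Table 1, rows matched from the top: one 'most critical' property is enough
    for the most critical type, one 'critical' property for the critical type,
    and only assets with no requirement in any column are non-critical."""
    c = _rank(CONFIDENTIALITY, asset.confidentiality)
    i = _rank(INTEGRITY, asset.integrity)
    a = _rank(AVAILABILITY, asset.availability)
    if c == 2 or i == 2 or a == 3:
        return "most critical"
    if c == 1 or i == 1 or a == 2:
        return "critical"
    return "non-critical"


def computer_type(assets):
    """Category of a computer: the maximum type of the information processed on it.
    A computer that processes nothing inventoried gets the lowest type."""
    if not assets:
        return "non-critical"
    return max((information_type(a) for a in assets), key=TYPES.index)


# Constructed inventory of one web server (the online-store example of the article).
WEB_SERVER = [
    InformationAsset("storefront pages", "open", "high", "seamless"),
    InformationAsset("price list", "open", "low", "high"),
    InformationAsset("press archive", "open", "no requirements", "average"),
]

if __name__ == "__main__":
    for asset in WEB_SERVER:
        print(f"{asset.name:20} -> {information_type(asset)}")
    print("computer category:", computer_type(WEB_SERVER))
```

The storefront pages alone make the server "most critical" through the seamless availability requirement, even though none of its information is confidential; this is the article's point that classifying by secrecy alone would miss.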

Thus, categorizing information is the first step towards ensuring an organization's information security, since before protecting anything one must first determine what exactly needs protecting and to what extent. Both user and system information, whether in electronic form or on physical media, should be categorized. To determine the type of information to be protected, one determines what damage the organization would suffer if the confidentiality, integrity or availability of that information were lost.
Once it is known which type each piece of information belongs to, different protection measures can be applied to each type. This not only structures the data processed in the organization, but also makes it possible to implement and use the access control subsystem for protected information most effectively and to optimize the cost of ensuring information security.


Bibliography:
1. Bezmaly V., Information Security Service: first steps, 2008, http://www.compress.ru/Article.aspx?id=20512
2. Gladkikh A. A., Dementyev V. E., Basic principles of information security of computer networks. Ulyanovsk: UlSTU, 2009. 156 p.

The problem of information security can hardly be called far-fetched. Everywhere we hear about hacks, viruses, malware, attacks, threats and vulnerabilities, and every time we have to ask whether everything has been done for our safety and whether we can sleep peacefully. Let us try to work out where the work of an information security service begins.

Information security as a system

Information security is a set of measures among which none can be singled out as more or less important, and it cannot be seen any other way. Everything matters here. Protection measures must be observed at every point of the network, whenever any subject works with your information (a subject here being a user of the system, a process, a computer or software that processes information). Every information resource, be it a user's computer, an organization's server or network equipment, must be protected against all kinds of threats, as must file systems, the network and so on. Because of their huge variety, methods of implementing protection are not considered in this article.

It is impossible to provide 100% protection. At the same time, you need to understand that the higher the level of security, the more expensive the system becomes and the more inconvenient it is for the user, which naturally degrades protection through the human factor. For example, over-complicated passwords lead to users sticking notes with their passwords on monitors, keyboards and so on. It is also worth remembering that, according to some Western researchers, up to 45% of the time of a customer support service is spent recovering passwords that users have lost.

There is a huge amount of software aimed at solving information security problems: anti-virus software, firewalls, the built-in tools of operating systems and much more. The most vulnerable link in protection, however, is the person, because the performance of any software depends on how well it was written, on the competence of the administrator of the corresponding security tool, and on the discipline of the users who work with it. For this reason many organizations create information security services (departments) or assign the corresponding tasks to their IT departments. The IT service, however, should not be loaded with functions that are foreign to it; this has been discussed more than once. If information security is entrusted to the IT department, those tasks will be performed either as a last resort or to the detriment of its main tasks, and even that only if your IT department understands what it should do and how.

So let us assume that your organization has created an information security department. What next? Where to begin?

You need to start by training the employees of the information security department, and later make this a regular process (they must undergo training at least twice a year). Training the general staff in the basics of information security is the responsibility of the information security department and should also be conducted at least twice a year.

Many managers immediately want to receive a document called the "Organizational Security Policy" from the information security department. Is that right? In my opinion, no. Before starting on that enormous piece of work, you need to answer the following questions:

  • What information do you process?
  • How is it classified by its properties?
  • What resources do you have?
  • How is information processing distributed among those resources?
  • How are the resources classified?

Classification of information

Historically, as soon as the question of classifying information is raised (this applies above all to information owned by the state), it is immediately classified by level of secrecy (confidentiality). The requirements for availability, integrity and observability are remembered, if at all, in passing, along with the general requirements for information processing systems.

If such an approach can still be somehow justified for government information, transferring it to another subject area is simply ridiculous.

In many areas the share of confidential information is relatively small. For open information, whose disclosure causes little damage, the most important properties are availability, integrity and protection from unauthorized copying. Take the website of an online publication as an example: its priorities, in my opinion, will be the availability and integrity of information rather than its confidentiality.

Considering and classifying information only from the standpoint of secrecy will lead to failure. The main reasons for this behaviour are the narrowness of the traditional approach to information protection and the lack of experience in ensuring the availability, integrity and observability of information that is not secret (confidential). Under the law, the owner of information determines its level of confidentiality himself (unless the information belongs to the state).

Categories of protected information

Based on the need to ensure different levels of protection for information (not containing state secrets) stored and processed in the organization, we introduce several categories of confidentiality and several categories of integrity of protected information.

Confidentiality categories:

  • completely confidential – information recognized as confidential by legal requirement, or information whose dissemination was restricted by a management decision and whose disclosure could lead to severe financial and economic consequences for the organization, up to bankruptcy;
  • confidential – information that does not fall into the "completely confidential" category, whose dissemination was restricted by a management decision under the rights granted to it as the owner of the information by current legislation, and whose disclosure could lead to significant losses and loss of competitiveness (significant damage to the interests of its clients, partners or employees);
  • open – information that does not need to be kept confidential.

Integrity categories:

  • high – information whose unauthorized modification or falsification could lead to significant damage to the organization;
  • low – information whose unauthorized modification could lead to minor damage to the organization, its clients, partners or employees;
  • no requirements – information for which there are no integrity or authenticity requirements.

By degree of availability we introduce four categories, depending on how often a functional task is solved and the maximum permissible delay in obtaining its results:

  • real time – access to the task must be provided at any moment;
  • hours – access to the task must be provided without long delays (the task is solved every day; the delay does not exceed several hours);
  • days – access to the task may be provided with significant delays (the task is solved every few days);
  • weeks – delays in accessing the task are practically unlimited (the task is solved over several weeks or months; the acceptable delay in obtaining the result is several weeks).

Categorizing information

  1. Categorize all types of information used in solving tasks on specific computers (assign confidentiality, integrity and availability categories to each type of information).
  2. Categorize all tasks solved on each computer.
  3. Determine the category of the computer from the maximum categories of the information processed on it.

Resource Inventory

Before talking about protecting information in an organization, you should clearly define what you are going to protect and what resources you have. To do this, an inventory and analysis of all resources of the organization's automated system that are to be protected must be carried out, as follows:

  1. A dedicated working group is formed to inventory and categorize the resources to be protected. It includes specialists from the computer security department and from other departments of the organization that can help examine the organization's automated information processing technology.
  2. To give the group the necessary organizational and legal standing, the organization's management issues an order stating that the heads of all relevant departments must assist the working group in analysing the resources of all computers.
  3. To support the group's work in the departments, their managers allocate employees who know the details of automated information processing in those departments.
  4. The order is brought to the attention of the heads of all departments against signature.
  5. During the survey (analysis) of the organization and its automated subsystems, all functional tasks solved with the help of computers are identified and described, together with all types of information used to solve them in the departments.
  6. At the end of the survey a form is drawn up for each task solved in the organization. Bear in mind that the same task may be called differently in different departments, and different tasks may have the same name. At the same time a record is kept of the software used to solve the functional tasks of each department.

During the survey all types of information are identified (incoming, outgoing, stored, processed and so on). It is necessary to take into account not only confidential information, but also information whose integrity or availability, if violated, could cause significant harm to the organization.

When analysing the information processed in the organization, the severity of the consequences of a violation of its properties must be assessed. For this, the specialists who work with it are surveyed (tested, questioned). In doing so, find out who would benefit from illegally using or influencing this information. If the possible damage cannot be quantified, make a qualitative assessment (low, high, very high).

To settle the availability categories, the analysis of the tasks solved in the organization must establish the maximum permissible delay in obtaining results, the frequency of their solution, and the severity of the consequences if their availability is disrupted (the tasks are blocked).

During the analysis each type of information must be assigned a degree (class) of confidentiality (based on the requirements of current legislation and the rights granted to the organization). To assess the confidentiality category of specific types of information, the managers (leading specialists) of each structural unit are asked for their personal assessment of the likely damage from a violation of the confidentiality and integrity of the information.

On completion of the analysis a "List of information resources to be protected" is compiled. It is agreed with the heads of the IT and computer security departments and submitted to the organization's management for consideration.

Next, the functional tasks must be categorized. Based on the availability requirements set by the heads of the organization's departments and agreed with the IT service, all application tasks solved in the departments are categorized. The categories of application tasks are entered into the task forms. Note that system tasks and software cannot be categorized without reference to specific computers and application tasks.

Later, with the participation of specialists from the IT service and the information security department, the composition of resources (information, software) for each task is refined, and the task form is completed with the user groups for that task and with instructions for configuring the protection means used in solving it (for example, the access permissions of user groups to the listed task resources). This information is later used to configure the security measures on the computers on which the task will be solved.

At the next stage the computers are categorized. The category of a computer is established from the maximum category of the tasks performed on it and the maximum confidentiality and integrity categories of the information used in performing those tasks. The computer's category is entered into its form.

Resource inventory means not only reconciling the active and passive network resources you actually have with the list of equipment (and its configuration) purchased by the organization (suitable software, for example Microsoft Systems Management Server, can be used for this). It also includes drawing a network map with a description of all possible connection points, a list of the software in use, a repository of reference copies of the licensed software used in the organization, and a repository of the algorithms and programs developed in house.

Software should be permitted to run only after the information security department has checked it for fitness for the assigned tasks and for the absence of hidden implants ("bookmarks") and logic bombs.

In this connection I would like to note the emerging trend in our country towards using open source code. I do not dispute that this saves significant resources. In my opinion, however, security then becomes a matter of trust not only in the system's developer but also in your administrator. And recalling how much your administrator earns, it is easy to conclude that buying your secrets is far easier and cheaper than mounting a direct external attack. It is also worth mentioning that most successful attacks have been carried out by insiders, that is, by the company's own employees.

In my opinion, freely distributed software may be used only if it is delivered to you in compiled form with a digital signature from an organization that guarantees it contains no logic bombs, implants of any kind or back doors. Moreover, that organization must bear financial liability for its guarantee, which, in my opinion, is impossible. However, the choice is yours.

After verification, the reference copy of the software is placed in the repository of algorithms and programs (the reference copy must be accompanied by a checksum file or, better, by the developer's digital signature). When versions change and updates appear, the software is checked again in the prescribed manner.

Subsequently, information about the installed software, the date of installation, its purpose, the tasks solved with it, and the names and signatures of the persons who installed and configured the programs are entered into each computer's form. Once such forms exist, the information security service must regularly verify that the actual state of the computer matches its form.
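The checksum file that accompanies a reference copy, and the later check of a computer against its form, can be automated. The following Python is an added example, not code from the article: it writes a SHA-256 manifest for a reference copy in the same "digest  path" layout that sha256sum produces, and later compares an installed copy against that manifest, reporting modified, missing and added files. The directory layout and file contents are constructed for the demonstration; signing the manifest itself with the developer's digital signature is assumed to be done separately.

```python
"""Checksum manifest for a reference copy and verification of an installed tree.

Added example. The sample tree built in demo() is constructed; in real use the
manifest is produced once from the verified reference copy and kept with it.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=1 << 16):
    """SHA-256 of one file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> hex digest for every regular file under root."""
    root = Path(root)
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): file_digest(p) for p in files}


def write_manifest(manifest, path):
    """Write 'digest  path' lines (two spaces), the layout sha256sum uses."""
    with open(path, "w", encoding="utf-8") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")


def read_manifest(path):
    """Parse the manifest back, rejecting lines that are not a 64-hex digest and a path."""
    manifest = {}
    with open(path, encoding="utf-8") as f:
        for lineno, line in enumerate(f, 1):
            line = line.rstrip("\n")
            if not line:
                continue
            digest, sep, rel = line.partition("  ")
            if not sep or len(digest) != 64 or not rel:
                raise ValueError(f"{path}:{lineno}: malformed manifest line")
            manifest[rel] = digest
    return manifest


def verify_tree(root, manifest):
    """Compare an installed tree with the reference manifest.

    Returns (modified, missing, extra) as sorted lists of relative paths; all
    three empty means the installation matches the reference copy exactly.
    Extra files matter as much as modified ones: an added library is how an
    implant usually arrives."""
    actual = build_manifest(root)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in actual)
    extra = sorted(p for p in actual if p not in manifest)
    return modified, missing, extra


def demo():
    """Constructed scenario: reference copy, then an installed copy with one file
    modified, one removed and one added. Returns verify_tree's result."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp, "reference")
        for rel, data in {
            "bin/app": b"\x7fELF reference build",
            "etc/app.conf": b"debug=0\n",
            "doc/README": b"reference copy\n",
        }.items():
            target = ref / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest_path = Path(tmp, "app.sha256")
        write_manifest(build_manifest(ref), manifest_path)

        installed = Path(tmp, "installed")
        shutil.copytree(ref, installed)
        (installed / "bin" / "app").write_bytes(b"\x7fELF tampered build")  # modified
        (installed / "etc" / "app.conf").unlink()                            # missing
        (installed / "bin" / "extra.so").write_bytes(b"unexpected library")  # extra
        return verify_tree(installed, read_manifest(manifest_path))


if __name__ == "__main__":
    modified, missing, extra = demo()
    print("modified:", modified, "missing:", missing, "extra:", extra)
```

A manifest only proves what the reference copy looked like when it was hashed, so the manifest file must itself be protected (signed, or stored where the administrator of the checked computer cannot rewrite it); otherwise an attacker who replaces a binary simply updates the digest beside it.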

I would like to single out the difficult matter of "inventorying" the personnel. When your organization was created, it is by no means certain that the people recruited understood what to do and how. Knowledge testing and staff training are therefore necessary. Alongside the testing, staff must be familiarized, against signature, with the relevant articles of the Criminal Code, so that in the event of a violation employees understand what they are doing.

The next stage in building an information security service is analysing the organization's risks, which determines the security policy.

Conclusion

On completion of the work described, you will have the input data for writing a security policy based on the relevant international standards.

From the editor

Any human activity can be represented as a process whose result is a product, material or intellectual, that has a certain value, that is, a cost. Information is one kind of such value, and its value can be so high that its loss or leakage, even partial, can call into question the very existence of a company. Information protection is therefore growing in importance every day, and almost all more or less large organizations have their own information security departments.

The range of information security offerings on the IT market keeps growing. How does one navigate this stream of products? How does one choose the best option in terms of cost while taking all of the company's needs into account? What selection criteria should be applied? After all, although the information security service of an organization or enterprise produces no intellectual or material assets itself, nobody doubts its necessity and importance, and its costs are rarely skimped on.

What needs to be done so that a company's costs and its level of information security stand in an optimal ratio: this publication is devoted to these questions.

Introduction

Information security measures, as is well known, do not generate income; they can only reduce the damage from possible incidents. It is therefore very important that the cost of creating and maintaining information security at the proper level is commensurate with the value of the organization's assets associated with its information system (IS). Proportionality can be ensured by categorizing information and the information system, and by selecting security controls on the basis of the categorization results.

Categorization of information and information systems

Security categories are assigned to information and information systems on the basis of an assessment of the damage that security violations can cause. Such incidents can prevent an organization from fulfilling its mission, compromise assets, put the company in breach of current legislation, threaten its daily activities and put personnel at risk. Security categories are used together with vulnerability and threat data to analyse the risks to which an organization is exposed.

There are three main aspects of information security:

  • availability;
  • confidentiality;
  • integrity.

Generally speaking, an information security violation may affect only some of these aspects, just as security controls may be specific to particular aspects. It is therefore advisable to assess the possible damage separately for violations of availability, confidentiality and integrity; if necessary, an integral assessment can then be derived.

It is convenient to estimate the amount of damage on a three-level scale: low, moderate or high (Fig. 1).

Figure 1. Damage assessment scale for an information security breach

Potential damage to the organization is assessed as low if the loss of availability, confidentiality and/or integrity has a limited adverse impact on the organization's operations, assets and personnel. A limited adverse impact means that:

  • the organization remains capable of fulfilling its mission, but the effectiveness of its core functions is noticeably reduced;
  • the organization's assets suffer minor damage;
  • the organization suffers minor financial losses;
  • minor harm to personnel.

Potential damage to the organization is assessed as moderate if the loss of availability, confidentiality and/or integrity has a serious adverse impact on the organization's operations, assets and personnel. A serious adverse impact means that:

  • the company remains capable of fulfilling its mission, but the efficiency of its core functions is significantly reduced;
  • the organization's assets suffer significant damage;
  • the company suffers significant financial losses;
  • personnel suffer significant harm that does not pose a threat to life or health.

Potential damage to the organization is assessed as high if the loss of availability, confidentiality and/or integrity has a severe or catastrophic adverse impact on the organization's operations, assets and personnel, that is:

  • the company loses the ability to perform all or some of its core functions;
  • major damage is caused to the organization's assets;
  • the organization suffers large financial losses;
  • personnel suffer severe or catastrophic harm involving a possible threat to life or health.

Both user and system information must be categorized, whether it is in electronic form or in the form of a "hard" copy. Public information cannot be classified as confidential. For example, the information on an organization's public web server is not assigned a confidentiality category, while its availability and integrity are rated as moderate.

When categorizing an information system, the categories of the information stored, processed and transmitted by the IS are taken into account, as well as the value of the assets of the IS itself: for each aspect, the maximum of the categories over all types of information and assets is taken. To obtain the integral assessment, take the maximum of the categories over the main aspects of information security.
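As an added example that is not part of the article, the following Python carries out the categorization just described: each type of information and each asset of the information system gets a damage level for confidentiality, integrity and availability on the three-level scale of Figure 1, the system's category is the per-aspect maximum, and the integral assessment is the maximum over the three aspects. The confidentiality of public information is recorded as not applicable rather than "low", so it never lowers a result. The public web server's values are the article's own; the other rows are constructed.

```python
"""Per-aspect security categories, system category as per-aspect maximum,
and the integral (high-water-mark) assessment.

Added example; the levels follow the article's three-level damage scale,
and every row except the public web server is constructed.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = ("low", "moderate", "high")  # damage scale of Figure 1, in increasing order
ASPECTS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    confidentiality: Optional[str]  # None = not applicable (public information)
    integrity: str
    availability: str

    def __post_init__(self):
        # Only confidentiality may be not applicable; integrity and availability
        # always carry a level, since even public information can be defaced or taken down.
        for aspect in ASPECTS:
            value = getattr(self, aspect)
            if value is None and aspect != "confidentiality":
                raise ValueError(f"{aspect} cannot be 'not applicable'")
            if value is not None and value not in LEVELS:
                raise ValueError(f"{aspect}: {value!r} is not one of {LEVELS}")


def public_information(integrity, availability):
    """Category for information that is not confidential at all."""
    return SecurityCategory(None, integrity, availability)


def _max_level(values):
    """Highest level among the given ones; 'not applicable' entries are ignored."""
    present = [v for v in values if v is not None]
    if not present:
        return None
    return max(present, key=LEVELS.index)


def system_category(categories):
    """Category of an information system: the maximum of each aspect over all
    information types and IS assets it carries."""
    if not categories:
        raise ValueError("an information system must carry at least one category")
    return SecurityCategory(
        _max_level(c.confidentiality for c in categories),
        _max_level(c.integrity for c in categories),
        _max_level(c.availability for c in categories),
    )


def integral_level(category):
    """Integral assessment: the maximum over the three aspects."""
    return _max_level([category.confidentiality, category.integrity, category.availability])


# Constructed information system: a public web server that also takes orders.
PUBLIC_PAGES = public_information("moderate", "moderate")        # the article's example
CUSTOMER_ORDERS = SecurityCategory("moderate", "high", "moderate")  # constructed
SERVER_ITSELF = SecurityCategory("low", "moderate", "moderate")     # the IS asset, constructed
WEB_SHOP = [PUBLIC_PAGES, CUSTOMER_ORDERS, SERVER_ITSELF]

if __name__ == "__main__":
    sc = system_category(WEB_SHOP)
    print("system category:", sc)
    print("integral level:", integral_level(sc))
```

Keeping the three aspects separate until the final step is what lets the result drive control selection: the system above is "high" overall only because of the integrity of the order data, so the controls that need strengthening are integrity ones, not confidentiality ones.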

Minimum (basic) security requirements

Minimum (basic) security requirements are formulated in general terms, without regard to the category assigned to the IS. They set the basic level of information security that every information system must satisfy. The categorization results matter when choosing the security controls that ensure compliance with the requirements formulated on the basis of risk analysis (Fig. 2).

Figure 2. Information security levels

The minimum security requirements (Fig. 3) cover the administrative, procedural and software-and-hardware levels of information security and are formulated as follows.

Figure 3. Basic security requirements for information and information systems.

  • The organization must develop, document and publicly disclose formal security policies and formal procedures to address the requirements below and ensure that the policies and procedures are effectively implemented.
  • The company must periodically conduct risk assessments, including assessments of threats to the mission, operation, image and reputation of the organization, its assets and personnel. These threats are a consequence of the exploitation of information systems and the processing, storage and transmission of data carried out during this process.
  • In relation to the purchase of systems and services in a company, it is necessary to:
    • allocate sufficient resources to adequately protect IP;
    • when developing systems, take into account information security requirements;
    • limit the use and installation of software;
    • ensure that external service providers allocate sufficient resources to protect information, applications and/or services.
  • In the field of certification, accreditation and security assessment, the organization should carry out:
    • continuous monitoring of security controls to have confidence in their effectiveness;
    • periodic evaluation of security controls used in IS to monitor their effectiveness;
    • developing and implementing an action plan to eliminate deficiencies and reduce or eliminate vulnerabilities in the IS;
    • authorization of putting into operation the IS and establishing connections with other information systems.
  • In the field of personnel security it is necessary:
    • ensure the trustworthiness of officials holding responsible positions, as well as the compliance of these persons with the security requirements for those positions;
    • ensure the protection of information and information systems during disciplinary actions, such as dismissal or relocation of employees;
    • apply appropriate formal sanctions to violators of security policies and procedures.
  • The organization must provide awareness and training to employees:
    • so that managers and users of information systems are aware of the risks associated with their activities and of relevant laws, regulations, guidance documents, standards, instructions, etc.;
    • ensure that staff have adequate practical training to perform information security-related responsibilities.
  • In the planning area, it is necessary to develop, document, periodically update and implement IS security plans that describe the security controls (existing and planned) and the rules of conduct for personnel who have access to the IS.
  • To plan for business continuity, a company should establish, maintain, and effectively implement emergency response, backup, and disaster recovery plans to ensure the availability of critical information resources and continuity of operations in emergency situations.
  • In terms of responding to information security breaches, the organization should:
    • create a functioning structure for responding to incidents, taking into account adequate preparatory measures, identification, analysis and localization of violations, recovery from incidents and servicing user requests;
    • ensure that incidents are tracked, documented and reported to appropriate organizational officials and authorities.
  • For the purpose of physical protection, the organization must:
    • provide physical access to the IS, its equipment and production premises only to authorized personnel;
    • physically protect hardware and supporting IS infrastructure;
    • provide proper technical conditions for the functioning of the IS;
    • protect the IS from environmental threats;
    • ensure control of the conditions in which the IS operates.
  • In the field of access control, restrict access to IS assets to authorized users, processes acting on behalf of those users, and devices (including other IS), and only for the transactions and functions those users are authorized to perform.
  • To ensure logging and auditing, you must:
    • create, secure and maintain logs to monitor, analyze, investigate and report on illegal, unauthorized or inappropriate activity;
    • ensure traceability of actions in the information system accurate to the user (user accountability).
  • A company's configuration management plan should:
    • establish and maintain basic configurations;
    • have an inventory (map) of the IS, kept up to date over its life cycle, which includes hardware, software and documentation;
    • establish and enforce security configuration settings for the products included in the IS.
  • In the area of identification and authentication, it is necessary to identify and authenticate IS users, processes acting on behalf of users, and devices, as a necessary condition for granting access to the IS.

In addition, you must:

  • In relation to support:
    • carry out periodic and timely maintenance of the information system;
    • provide effective controls over the tools, methods, mechanisms and personnel that carry out maintenance.
  • To protect media:
    • protect data storage media, both digital and paper;
    • provide access to data on media only to authorized users;
    • sanitize or destroy media before decommissioning or before transferring for reuse.
  • To protect systems and communications:
    • monitor, control and protect communications (that is, transmitted and received data) at external and key internal boundaries of the IS;
    • apply architectural and hardware-software approaches that increase the current level of information security of the IS.
  • To ensure the integrity of systems and data:
    • identify, report, and correct IS and data defects in a timely manner;
    • protect the IS from malicious software;
    • monitor security breaches and reports of new threats to the information system and respond appropriately to them.

Selecting a basic set of security controls to meet security requirements

A necessary condition for meeting security requirements is the selection and implementation of appropriate security controls, that is, the development and application of economically justified countermeasures and protective measures. Security controls are divided into administrative, procedural and software/hardware controls and serve to ensure the availability, confidentiality and integrity of the information system and of the data it processes, stores and transmits.

The selection of security controls is carried out based on the results of categorizing the data and the information system. In addition, consideration should be given to which security controls have already been implemented and for which there are specific implementation plans, as well as to the required degree of confidence in the effectiveness of the existing controls.

Selecting adequate security controls can be simplified if the selection is made from predefined basic sets associated with the required level of information security. With a three-level scale, three basic sets are used, for the minimal (low, basic), moderate and high levels of information security respectively.

Security controls for the minimum level of information security

At the minimum level of information security, it is advisable to apply the following administrative security controls.

Figure 4. Security controls by information security level

  • Risk assessment: policies and procedures.
    • a formal, documented risk assessment policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to support the implementation of policies and associated risk assessment controls.
  • Risk assessment: categorization according to security requirements. Categorization of the data and the information system, with documentation of the results, including justification of the established categories; the document is approved by management.
  • Risk assessment: implementation. Assessing the risks and possible damage from unauthorized access, use, disclosure, disruption, modification and/or destruction of data and/or information system, including resources managed by external organizations.
  • Risk assessment: review of results. Review of the risk assessment results is carried out either at a specified frequency, or after significant changes in the IS or supporting infrastructure, or after other events that could significantly affect the level of IS security or its accreditation status.
  • Security planning: policies and procedures.
    • a formal, documented security planning policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to support the implementation of security planning policies and associated controls.
  • Security planning: IS security plan. Development and implementation of a plan for the information system that describes the security requirements for the information system and the existing and planned security controls that serve to fulfill these requirements; the document is approved by management.
  • Security planning: updating the IS security plan. The IS security plan is reviewed at a specified frequency and amended to reflect changes in the organization and its information system, or problems identified during the implementation of the plan or in the assessment of security controls.
  • Security planning: rules of conduct. The organization establishes and communicates to IS users a set of rules that describe responsibilities and expected behavior in relation to the use of information and the information system. Before accessing the IS and its information resources, users sign an acknowledgment that they have read, understood and agree to comply with the prescribed rules of conduct.
  • Security planning: privacy assessment. The organization assesses compliance with privacy requirements in the IS.
  • Procurement of systems and services: policies and procedures.
    • A formal, documented policy for the procurement of systems and services that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures that facilitate the implementation of the policy and associated controls for the procurement of systems and services.
  • Procurement of systems and services: allocation of resources. Identifying, documenting, and allocating the resources needed to adequately protect a company's information system are part of the capital planning and investment management processes.
  • Procurement of systems and services: life cycle support. The organization manages the information system using a life cycle support methodology that takes into account information security aspects.
  • Procurement of systems and services: procurement. Procurement contracts include security requirements and/or specifications based on the results of the risk assessment.
  • It is necessary to ensure that adequate documentation of the information system and its component parts is available, secured and distributed to authorized company officials.
  • Procurement of systems and services: restrictions on the use of software. The organization enforces existing restrictions on the use of the software.
  • Procurement of systems and services: software installed by users. Explicit rules regarding how users download and install software must be enforced.
  • Procurement of systems and services: outsourcing of information services. Care must be taken to ensure that external organizations providing information services apply adequate security controls that comply with applicable law and the terms of the contract, and the adequacy of those controls must be monitored.
  • Certification, accreditation and security assessment: policies and procedures. Development, distribution, periodic review and updating of:
    • a formal, documented security assessment, certification and accreditation policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures and compliance with applicable laws;
    • formal documented procedures to support the implementation of the policy and associated controls for security assessment, certification and accreditation.
  • Certification, accreditation and security assessment: connections to other IS. Authorization by the company of all connections of its information system with other information systems located outside the boundaries of accreditation, and constant monitoring/control of these connections; signing by authorized officials of an agreement on establishing connections between systems.
  • The organization evaluates the security controls used in the information system to verify that they are implemented correctly, function in accordance with specifications, and produce the expected results in terms of meeting the information security requirements for the information system.
  • Certification, accreditation and security assessment: plan of action. The organization develops and updates, at a specified frequency, a calendar plan of activities that describes the planned, implemented and evaluated corrective actions to address all deficiencies identified during the security control assessment and to reduce or eliminate known IS vulnerabilities.
  • Certification, accreditation and security assessment: accreditation. The organization explicitly authorizes (accredits) the putting into operation of the information system and carries out re-accreditation at a specified frequency, but no less than once every three years.
  • Certification, accreditation and security assessment: continuous monitoring. Constant monitoring of the security controls in the IS.

Figure 5. Maintaining the required level of security

At the minimum level of information security, it is advisable to apply the following procedural security controls.

  • Personnel security: policies and procedures. Development, distribution, periodic review and modification:
    • a formal, documented personnel security policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures and compliance with applicable laws;
    • formal documented procedures to facilitate the implementation of the personnel security policy and associated controls.
  • Personnel security: categorization of positions. Each position is associated with a certain level of risk, and criteria for selecting candidates for these positions are established. The established risk levels are reviewed at a specified frequency.
  • Personnel security: personnel selection. Before providing access to information and information systems, a check is carried out on persons requiring such access.
  • Personnel security: dismissal. A dismissed employee is deprived of access to the information system, an exit interview is held, the return of all organization-issued property is checked, including keys, identification cards and passes, and it is ensured that the appropriate officials have access to the official data created by the dismissed employee and stored in the information system.
  • Personnel security: personnel movement. When an employee moves to another position, the organization reviews the access rights granted to him to the information system and its resources, and carries out appropriate actions, such as producing new keys, identification cards, passes, closing old and opening new system accounts, as well as changing access rights.
  • Personnel security: access agreements. Before an employee who needs access to information and an information system is granted it, appropriate agreements are drawn up (for example, on non-disclosure of information and on the proper use of the IS), together with rules of conduct; the organization ensures that these agreements are signed by the parties and reviews them at a specified frequency.
  • Personnel security: security requirements for employees of third-party organizations. The organization establishes security requirements, including roles and responsibilities, for employees of third parties (service providers, contractors, developers, suppliers of information services and systems, and providers of network management services) and monitors whether third parties provide an adequate level of information security.
  • Personnel security: sanctions. The company has a formal process for disciplining employees who violate established security policies and procedures.
  • Physical security: policies and procedures. Developed, distributed, periodically reviewed and changed:
    • a formal, documented physical security policy that outlines the purpose, scope, roles, responsibilities, management support, coordination among organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate the implementation of physical protection policies and associated controls.
  • Physical security: physical access authorization. The organization compiles and maintains up-to-date lists of employees who have access to the premises in which the components of the information system are located (except for premises officially considered publicly accessible) and issues appropriate credentials (badges, identification cards, smart cards); the relevant officials review and approve the lists and credentials at a specified frequency.
  • Physical security: physical access control. It is necessary to control physical access points, including officially designated entry/exit points, to the premises in which information system components are located (except for premises officially considered publicly accessible). You should check the rights granted to employees before allowing them access. In addition, access to premises officially considered publicly accessible is controlled in accordance with a risk assessment.
  • Physical access to the system is monitored to identify and respond to violations.
  • Physical access to the information system is controlled by authenticating visitors before allowing entry into the premises where the IS components are located (except for premises officially considered publicly accessible).
  • The company maintains logs of visits to premises (except for those that are officially considered publicly accessible), which record:
    • last name, first name of the visitor and name of the organization;
    • visitor signature;
    • submitted documents (identification form);
    • date and time of access (entry and exit);
    • visit purpose;
    • last name, first name of the person visited and their organizational affiliation. The relevant officials review the visit logs at a specified frequency.
  • Physical protection: emergency lighting. The organization must employ and maintain automatic emergency lighting systems that switch on during power outages and cover emergency exits and evacuation routes.
  • The organization operates and maintains fire suppression and fire detection devices/systems.
  • Physical protection: temperature and humidity controls. Temperature and humidity in the areas containing IS components are monitored and maintained within acceptable limits.
  • It is necessary to protect the IS from flooding and leaks from damaged water mains or other causes by ensuring that the water shut-off valves are accessible and in good working order and that the appropriate officials know where these valves are located.
  • Physical protection: delivery and removal. The organization controls the delivery and removal of information system components (hardware and software) and maintains information about the location of these components.
  • Business continuity planning: policies and procedures. Developed, distributed, periodically reviewed and changed:
    • A formal, documented business continuity planning policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • Formal documented procedures that support the implementation of business continuity planning policies and associated controls.
  • A plan is developed and implemented to ensure the uninterrupted operation of the information system; it describes the roles and responsibilities of the responsible officials and gives their contact details. In addition, the plan specifies the actions to be taken when restoring the information system after damage or accidents. The appropriate officials review and approve the plan and communicate it to the employees responsible for continuity of operations.
  • Business continuity planning: updating the business continuity plan. At a specified frequency, but at least once a year, the organization reviews its information system continuity plan to reflect changes in the IS or in the structure of the organization and/or to correct problems identified during the implementation, execution and/or testing of the plan.
  • At a specified frequency, backup copies of the user and system data contained in the information system (including data on the state of the information system) are made, and the backup copies are stored in properly protected locations.
  • The organization uses mechanisms and supporting procedures to restore the information system after damage or accidents.
  • Configuration management: policies and procedures. Developed, distributed, periodically reviewed and changed:
    • A formal, documented configuration management policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • Formal, documented procedures that support the enforcement of configuration management policies and associated controls.
  • The organization develops, documents and maintains an up-to-date baseline configuration of the information system, an inventory of IS components and the relevant data about their owners.
  • The organization:
    • approves mandatory configuration settings for the information technology products used in the IS;
    • sets the security settings of information technology products to the most restrictive mode compatible with operational requirements;
    • documents the settings;
    • ensures proper settings of all components of the information system.
  • Maintenance: policies and procedures. Developed, distributed, periodically reviewed and updated:
    • a formal, documented maintenance policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures that facilitate the implementation of the policy and associated maintenance controls.
  • Regular and preventive maintenance of information system components is planned, carried out and documented in accordance with manufacturer or supplier specifications and/or organizational requirements.
  • The organization authorizes, controls and monitors remotely performed maintenance and diagnostic activities.
  • Maintenance: maintenance personnel. It is necessary to maintain a list of persons authorized to maintain the information system. Only authorized personnel perform IS maintenance.
  • Systems and Data Integrity: Policies and Procedures. Development, distribution, periodic review and modification:
    • a formal, documented systems and data integrity policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures that support the implementation of policies and associated controls for system and data integrity.
  • Systems and data integrity: eliminating defects. Identification of information system defects, reporting them and correcting them.
  • The company implements protection against malicious software in its information system, including the possibility of automatic updates.
  • System and data integrity: security alerts and new threat alerts. Security alerts and reports of new threats to the IS must be regularly monitored, brought to the attention of the appropriate officials, and responded to appropriately.
  • Media Security: Policies and Procedures. Development, distribution, periodic review and modification:
    • a formal, documented media protection policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate the implementation of media protection policies and associated regulators.
  • It is necessary to ensure that only authorized users have access to information in printed form or on digital media removed from the information system.
  • Media protection: sanitization and decommissioning. Organization:
    • sanitizes media (both paper and digital) before decommissioning or reuse;
    • monitors, documents and verifies media sanitization activities;
    • periodically tests sanitization equipment and procedures to ensure they are functioning correctly.
  • Responding to information security breaches: policies and procedures. Development, distribution, periodic revision and changes:
    • a formal, documented information security breach response policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures that facilitate the implementation of policies and associated regulators for responding to information security breaches.
  • The company creates structures to respond to information security violations (response team), including preparation, identification and analysis, localization, elimination of the impact and recovery from violations.
  • It is necessary to promptly bring information about information security violations to the attention of authorized officials.
  • Formation of a structure for issuing recommendations and assisting IS users in responding to and reporting information security violations; this structure is an integral part of the response team.
  • Information and training: policies and procedures. Development, distribution, periodic revision and changes:
    • a formal, documented employee information and training policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate the implementation of the policy and associated regulations for informing and training employees.
  • Information and training: awareness of information security problems. It should be ensured that all users, including managers, are given basic information about information security issues before they are granted access to the information system; such awareness activities continue at a specified frequency, but not less than once a year.
  • Information and training: training on information security issues. It is necessary to identify the officials who play an important role in, and bear responsibility for, ensuring the information security of the IS, document these roles and responsibilities, and provide appropriate training to these individuals before granting them access to the IS. Such training continues at a specified frequency.
  • Awareness and training: documenting information security training. The organization documents and tracks the progress of each employee's information security training, including induction and information security-specific courses.
  • Awareness and training: contacts with information security groups and associations. It is advisable to establish and maintain contacts with groups, forums and associations specializing in information security in order to keep abreast of the current state of information security and of recommended protective measures, methods and technologies.
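The configuration management controls in the list above require a documented baseline configuration, a current component inventory, and security settings kept at the most restrictive mode compatible with operations. The following Python check is an added example (not code from the original article) of how those three records can be compared against a scanner snapshot. The baseline settings, the inventory and the observed hosts are all constructed; in practice they would be read from the organization's own configuration management records and scanner output.

```python
"""Baseline-configuration and inventory drift check (added example)."""

# Constructed baseline: the approved settings and how an observed value is judged.
#   ("eq", v)  -> the value must equal v exactly
#   ("min", v) -> the value must be at least v (a stricter value is still compliant)
#   ("max", v) -> the value must be at most v
BASELINE_SETTINGS = {
    "ssh.PermitRootLogin":          ("eq", "no"),
    "ssh.PasswordAuthentication":   ("eq", "no"),
    "password.min_length":          ("min", 12),
    "session.idle_timeout_minutes": ("max", 15),
    "audit.enabled":                ("eq", True),
}

# Constructed component inventory (hypothetical host names).
BASELINE_INVENTORY = {"web-01", "db-01", "bastion-01"}

# Constructed snapshot, in the shape a configuration scanner might report.
OBSERVED = {
    "web-01": {
        "ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
        "password.min_length": 14, "session.idle_timeout_minutes": 10,
        "audit.enabled": True,
    },
    "db-01": {
        "ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
        "password.min_length": 8, "session.idle_timeout_minutes": 15,
        # "audit.enabled" is not reported at all: treated as a finding below
    },
    "lab-07": {  # reachable on the network but absent from the inventory
        "ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "yes",
        "password.min_length": 6, "session.idle_timeout_minutes": 60,
        "audit.enabled": False,
    },
}


def judge(rule, observed):
    """True when the observed value is at least as restrictive as the baseline rule."""
    op, expected = rule
    if observed is None:          # setting missing from the snapshot: not compliant
        return False
    if op == "eq":
        return observed == expected
    if op == "min":
        return observed >= expected
    if op == "max":
        return observed <= expected
    raise ValueError(f"unknown rule type {op!r}")


def check_settings(settings, baseline=BASELINE_SETTINGS):
    """Return [(setting, observed_value, rule)] for every baseline setting not met."""
    return [(name, settings.get(name), rule)
            for name, rule in baseline.items()
            if not judge(rule, settings.get(name))]


def check_inventory(observed_hosts, inventory=BASELINE_INVENTORY):
    """Hosts in the inventory but not seen, and hosts seen but not in the inventory."""
    observed_hosts = set(observed_hosts)
    return {"missing": sorted(inventory - observed_hosts),
            "unknown": sorted(observed_hosts - inventory)}


def assess(observed=OBSERVED):
    """Full drift report: inventory differences plus per-host settings findings."""
    report = {"inventory": check_inventory(observed), "settings": {}}
    for host, settings in observed.items():
        findings = check_settings(settings)
        if findings:
            report["settings"][host] = findings
    return report


if __name__ == "__main__":
    result = assess()
    print("inventory:", result["inventory"])
    for host, findings in result["settings"].items():
        for name, value, rule in findings:
            print(f"{host}: {name} = {value!r}, baseline requires {rule[0]} {rule[1]!r}")
```

Two design points are worth keeping when adapting this: a setting that is absent from the snapshot is reported rather than silently skipped, since an unreported setting is exactly the case where the documented baseline and the real system have drifted apart; and the "min"/"max" rules let a host be stricter than the baseline without raising a finding, which is what "most restrictive mode compatible with operational requirements" permits.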

At the minimum level of information security, the following software and hardware security controls are recommended.

  • Identification and Authentication: Policies and Procedures. Development, distribution, periodic revision and changes:
    • a formal, documented identification and authentication policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal, documented procedures to support the enforcement of identification and authentication policies and associated controls.
  • The information system uniquely identifies and authenticates users (or processes acting on behalf of users).
  • Identification and authentication: identity management. The organization manages user identities through:
    • unique identification of each user;
    • verification of the identity of each user;
    • obtaining formal approval from authorized officials to issue a user ID;
    • ensuring that an identifier is issued to the correct user;
    • terminating a user ID after a specified period of inactivity;
    • archiving user IDs.
  • Identification and authentication: managing authenticators. The organization manages the authenticators in the information system (tokens, public key infrastructure certificates, biometric data, passwords, key cards, etc.) through:
    • determining the initial content of authenticators;
    • regulating the administrative procedures for the initial distribution of authenticators, the replacement of lost, compromised or damaged authenticators, and the revocation of authenticators;
    • changing default authenticators after installation of the information system.
  • Identification and authentication: authenticator feedback. The information system obscures the feedback (echo) of authentication information during the authentication process, to protect this information from possible use by unauthorized persons.
  • Identification and Authentication: Authentication with respect to cryptographic modules. For authentication in relation to cryptographic modules, the information system uses methods that meet the requirements of standards for such modules.
  • Access Control: Policies and Procedures. Development, distribution, periodic revision and changes:
    • a formal, documented access control policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate the enforcement of access control policies and associated controls.
  • The organization manages accounts in the information system, including their creation, activation, modification, revision (with a given frequency), disabling and deleting.
  • The information system enforces assigned privileges to control access to the system in accordance with applicable policies.
  • Access control: failed login attempts. The information system enforces a specified limit on the number of consecutive unsuccessful access attempts by a user within a specified period of time; when the maximum permissible number of unsuccessful attempts is exceeded, it automatically locks the account or, according to a specified algorithm, delays the display of the login prompt for a specified time.
  • Access Control: System Usage Warning. The information system displays an officially approved warning message about the use of the system before granting access to it, informing potential users:
    • about the organizational affiliation of the system;
    • on possible monitoring, logging and auditing of system use;
    • about the prohibition and possible punishment for unauthorized use of the system;
    • that by using the system the user consents to monitoring and logging. The warning message contains the relevant security policy provisions and remains on the screen until the user takes explicit action to log into the IS.
  • Access control: supervision and review. The organization supervises and verifies the actions of users regarding the implementation and use of access controls available in the IS.
  • Access control: actions allowed without identification and authentication. Determination of specific user actions that can be performed in the information system without identification and authentication.
  • Document, track and control all types of remote access to the IS (for example, via modem inputs or via the Internet), including remote access to perform privileged actions; appropriate officials authorize the use of each type of remote access and authorize only those users who need it to use it.
  • Organization:
    • establishes restrictions on the use and directs the implementation of wireless technologies;
    • documents, monitors and controls wireless access to IS; appropriate officials authorize the use of wireless technologies.
  • Access control: personal information systems. Restriction of the use of personal information systems for official business, including the processing, storage and transmission of business information.
  • Logging and auditing: policies and procedures. Development, distribution, periodic review and updating of:
    • a formal, documented logging and auditing policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal, documented procedures to support the implementation of the policy and the associated logging and auditing controls.
  • Logging and auditing: logged events. The information system generates registration records for specified events.
  • The information system stores enough information in audit records to establish what event occurred, what the source of the event was, and what the outcome of the event was.
  • Logging and auditing: resources for storing audit records. Sufficient storage for audit records must be allocated, and logging configured, so that these resources are not exhausted.
  • In the event of a logging failure or exhaustion of audit record storage, the information system alerts the appropriate officials and takes specified additional actions.
  • Logging and auditing: protecting audit records. The information system protects audit records and logging/auditing tools from unauthorized access, modification and deletion.
  • Logging and auditing: retaining audit records. Audit records should be retained for a specified period of time to support investigations of prior information security breaches and to comply with applicable legal and organizational retention requirements.
  • Security of systems and communications: policies and procedures. Development, distribution, periodic review and modification:
    • a formal, documented systems and communications security policy that outlines the purpose, scope, roles, responsibilities, management support, coordination across organizational structures, and compliance with applicable laws;
    • formal documented procedures to facilitate the implementation of policies and associated controls for the protection of systems and communications.
  • Security of systems and communications: protection against attacks on availability. The information system protects against, or limits the impact of, specified types of attacks on availability.
  • The information system monitors and controls communications at its external and key internal IS boundaries.
  • Security of systems and communications: use of approved cryptography. If the information system uses cryptographic means, they must meet the requirements of current legislation, technical regulations, standards, guidelines and regulatory documents, and industry and organizational standards.
  • Protecting systems and communications: Protecting public systems. The information system ensures data and application integrity for public systems.
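The failed-login control and the audit-record content control above are the two items in this list that map directly onto code. The following added example (not from the article, which describes no implementation) shows one way to enforce a consecutive-failure limit with account lockout and a doubling prompt delay, while writing an audit record for every attempt that answers the three questions the audit control asks: what event, what source, what outcome. The class name, the in-memory store and all threshold values are assumptions chosen for illustration.

```python
"""Consecutive-failure login limiter that writes audit records.

Added example; the policy values (5 failures in 15 minutes, 30-minute
lockout, 1-second base delay) are constructed and not the article's.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AuditRecord:
    """Minimum audit record content: what happened, from where, with what outcome."""
    event: str        # e.g. "login"
    source: str       # user id plus client address
    outcome: str      # "success", "failure" or "locked"
    timestamp: float  # seconds since epoch (injected, so the example is deterministic)


@dataclass
class AccountState:
    consecutive_failures: int = 0
    first_failure_at: Optional[float] = None
    locked_until: Optional[float] = None


class LoginLimiter:
    """Lock an account after `max_failures` consecutive failures inside `window_seconds`.

    Before the threshold is reached, each failure doubles the delay before the
    next login prompt is presented (the "delaying algorithm" in the control).
    """

    def __init__(self, max_failures: int = 5, window_seconds: float = 900,
                 lockout_seconds: float = 1800, base_delay_seconds: float = 1.0):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.base_delay = base_delay_seconds
        self.accounts: Dict[str, AccountState] = {}
        self.audit_log: List[AuditRecord] = []   # stands in for a protected audit store

    def _audit(self, event: str, source: str, outcome: str, now: float) -> None:
        self.audit_log.append(AuditRecord(event, source, outcome, now))

    def prompt_delay(self, user: str, now: float) -> float:
        """Seconds to wait before showing the login prompt (0 when no penalty applies)."""
        st = self.accounts.get(user)
        if st is None or st.consecutive_failures == 0:
            return 0.0
        if st.locked_until is not None and now < st.locked_until:
            return st.locked_until - now
        return self.base_delay * (2 ** (st.consecutive_failures - 1))

    def attempt(self, user: str, client: str, password_ok: bool, now: float) -> str:
        """Record one login attempt and return the audited outcome."""
        st = self.accounts.setdefault(user, AccountState())
        source = f"{user}@{client}"
        if st.locked_until is not None:
            if now < st.locked_until:
                # Even a correct password is refused while the lockout is active.
                self._audit("login", source, "locked", now)
                return "locked"
            st.locked_until = None
            st.consecutive_failures = 0
            st.first_failure_at = None
        # Failures older than the window no longer count as consecutive.
        if st.first_failure_at is not None and now - st.first_failure_at > self.window:
            st.consecutive_failures = 0
            st.first_failure_at = None
        if password_ok:
            st.consecutive_failures = 0
            st.first_failure_at = None
            self._audit("login", source, "success", now)
            return "success"
        st.consecutive_failures += 1
        if st.first_failure_at is None:
            st.first_failure_at = now
        if st.consecutive_failures >= self.max_failures:
            st.locked_until = now + self.lockout
            self._audit("login", source, "locked", now)
            return "locked"
        self._audit("login", source, "failure", now)
        return "failure"
```

Time is passed in rather than read from the clock so the behaviour can be checked deterministically; in a real service the audit list would be replaced by the protected audit store the later "protecting audit records" control requires.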

Additional and enhanced security controls for moderate level of information security

For a moderate level of information security, it is advisable to use the following additional and enhanced (compared to the minimum level) security controls.

  • At a given frequency or after information about new IS-critical vulnerabilities appears, it is necessary to scan for vulnerabilities in the information system.
  • Security Planning: Planning for security related activities. Ensure that security-related activities affecting the information system are properly planned and coordinated to minimize negative impacts on the organization's operations and assets (including its mission, functions, image and reputation).
  • Procurement of systems and services: documentation. It is necessary to include in the general documentation package the manufacturer's/supplier's documentation (if any) describing the functional properties of the security controls employed in the information system, in sufficient detail to make analysis and testing of the controls possible.
  • Procurement of systems and services: principles of information security design. The design and implementation of an information system is carried out using information security design principles.
  • Procurement of systems and services: security testing by the developer. The information system developer creates a security testing and assessment plan, implements it and documents the results; the latter can be used to support security certification and accreditation of the delivered IS.
  • Certification, accreditation and security assessment: security assessment. At a given frequency, but no less than once a year, it is advisable to assess the security controls in the information system to determine whether they are correctly implemented, operate in accordance with specifications and produce the expected results in terms of meeting the information security requirements for the information system.
  • Certification, accreditation and security assessment: certification against security requirements. The assessment of security controls in an information system for the purpose of certification against security requirements is carried out by an independent certifying organization.
  • Physical protection: access control to information display devices. Control of physical access to information display devices in order to protect the latter from viewing by unauthorized persons.
  • Physical security: physical access monitoring. Incoming intrusion signals and data from tracking devices are monitored in real time.
  • Physical protection: visitor control. Providing accompaniment to visitors and, if necessary, monitoring of their activity.
  • Physical protection: electrical equipment and wiring. Protection of electrical equipment and wiring for the information system from damage and destruction.
  • Physical protection: emergency shutdown. For certain premises in which information system resources are concentrated (data centers, server rooms, mainframe computer rooms, etc.), it should be possible to cut the power supply to any failed (for example, short-circuited) or endangered (for example, by a burst water main) IS component without exposing personnel to the hazards associated with accessing the equipment.
  • Provision of short-term uninterruptible power supply sources to allow an orderly shutdown of the information system in the event of a primary power failure.
  • Physical protection: fire protection. Fire extinguishing and fire detection devices/systems that automatically activate in the event of a fire must be used and maintained.
  • Physical protection: alternate production site. The organization's employees at the alternate production site apply the appropriate IS security controls.
  • Physical protection: location of information system components. Information system components should be located in designated areas to minimize potential damage from physical and environmental hazards, as well as the possibility of unauthorized access.
  • Business continuity planning: Business continuity plan. The organization coordinates the development of the business continuity plan with entities responsible for related plans (for example, disaster recovery plans, security response plans, etc.).
  • The company organizes training for employees in their roles and responsibilities to ensure the smooth operation of the information system, and also conducts training to maintain practical skills at a given frequency, but at least once a year.
  • At a given frequency, but not less than once a year, the organization tests a plan to ensure uninterrupted operation of the information system. To do this, specified tests and training procedures are used to determine the effectiveness of the plan and the organization's readiness to implement it. Appropriate officials review the plan testing results and initiate corrective actions. The organization coordinates the testing of the business continuity plan with entities responsible for related plans (for example, disaster recovery plans, security incident response plans, etc.).
  • It is necessary to determine a backup storage location and conclude the necessary agreements to make it possible to store backup copies of information system data there; the backup storage location should be geographically distant from the main one so as not to be exposed to the same dangers.
  • A backup data processing location is identified and the necessary agreements are initiated to enable the information system to resume critical production functions within a specified period of time if the primary data processing facilities are unavailable. The backup data processing location is geographically remote from the main one and therefore is not subject to the same dangers. Potential problems with access to the backup processing site in the event of large-scale accidents or natural disasters are identified, and explicit actions are outlined to mitigate the identified problems. The backup processing site agreement contains priority service obligations based on the organization's availability requirements.
  • The main and backup sources of telecommunication services supporting the information system are determined. Necessary agreements are initiated to allow the information system to resume critical business functions within a specified period of time if the primary source of telecommunications services is unavailable. Primary and backup telecommunications service agreements contain obligations to provide priority service based on the organization's availability requirements. The backup source of telecommunications services does not share a single point of failure with the primary source.
  • Business continuity planning: backup. The organization tests backups at a specified frequency to ensure the reliability of the media and the integrity of the data.
  • Configuration management: baseline configuration and inventory of information system components. When new components are installed, the baseline configuration of the information system and the inventory of IS components are updated.
  • Changes in the information system are documented and controlled; appropriate officials authorize changes to the IS in accordance with the organization's policies and procedures.
  • Configuration Management: Monitoring Configuration Changes. Changes to the information system must be monitored and their security impact analyzed to determine the effect of the changes.
  • The organization enforces physical and logical access restrictions associated with changes to the information system and generates, maintains and reviews records reflecting all such changes.
  • The information system should be configured to provide only the necessary capabilities and to explicitly prohibit and/or restrict the use of certain functions, ports, protocols and/or services.
  • Maintenance: periodic support. A log of information system maintenance is maintained, which records:
    • date and time of service;
    • last name and first name of the person performing the service;
    • last name and first name of the accompanying person, if necessary;
    • description of the actions taken to maintain the IS;
    • list of removed or moved equipment (with identification numbers).
  • The organization authorizes, controls and monitors the use of information system support tools and continuously maintains these tools.
  • Maintenance: timely service. An organization receives service and spare parts for specified key information system components for a specified period of time.
  • System and data integrity: protection against malware. Centralized management of anti-malware mechanisms.
  • Integrity of systems and data: means and methods of monitoring an information system. Application of tools and methods for monitoring events in the information system, identifying attacks and identifying unauthorized use of information systems.
  • The information system implements anti-spam protection.
  • Integrity of systems and data: restrictions on data entry. The organization grants the right to enter data into the information system only to authorized persons.
  • Systems and data integrity: accuracy, completeness, reliability and authenticity of data. The information system checks data for accuracy, completeness, reliability and authenticity.
  • System and data integrity: error handling. The information system explicitly identifies and processes error situations.
  • Systems and data integrity: processing and storing output data. The output of the information system is processed and stored in accordance with the organization's policies and operational requirements.
  • Media protection: media labeling. Removable media and IS output data are provided with external labels stating the distribution and handling restrictions for the data; specified types of media or hardware components are exempted from labeling as long as they remain within the controlled area.
  • Media protection: media storage. Physical control and secure storage of storage media, paper and digital, based on the highest category assigned to the data recorded on the media.
  • Media protection: Transporting media. Control of storage media, paper and digital, and restriction of sending, receiving, transporting and delivering media to authorized persons.
  • The organization trains employees in their roles and responsibilities related to responding to information security breaches and conducts training to maintain practical skills at a specified frequency, but at least once a year.
  • At a given frequency, but not less than once a year, the means of responding to information security breaches of the IS are tested, using specified tests and training procedures to determine the effectiveness of the response. The results are documented.
  • Response to information security violations: response. Automatic mechanisms are used to support the process of responding to information security violations.
  • It is necessary to constantly monitor and document violations of information security of IP.
  • Responding to information security breaches: breach reports. Use of automated mechanisms to facilitate reports of information security breaches.
  • Responding to information security violations: help. Use of automated mechanisms to increase the availability of information and support associated with responding to information security breaches.
  • Identification and Authentication: Device identification and authentication. The information system identifies and authenticates certain devices before establishing a connection with them.
  • Access control: account management. Application of automatic mechanisms to support account management in the information system; the information system automatically terminates temporary and emergency accounts after the period of time specified for each type of account has expired; the information system automatically disables inactive accounts after a specified period of time.
  • Access control: implementation. The information system ensures that access to security functions (implemented in hardware and/or software) and to security data is provided only to authorized persons (for example, security administrators).
  • Access Control: Enforcement of information flow control. The information system enforces assigned privileges to manage information flows within the system and between interconnected systems in accordance with the adopted security policy.
  • Access control: separation of duties. The information system enforces the separation of duties by assigning access privileges.
  • Access control: least privilege. The information system enforces the most restrictive set of access rights/privileges that users (or processes acting on behalf of these users) need to perform their tasks.
  • Access control: session blocking. The information system prevents further access to the information system by blocking the session until the user restores access using appropriate identification and authentication procedures.
  • Access control: session termination. The information system automatically terminates the session after a specified period of inactivity.
  • Access Control: Actions allowed without identification or authentication. The organization permits actions without identification or authentication only if they are necessary to achieve the organization's key objectives.
  • Access control: remote access. Use of automatic mechanisms to facilitate monitoring and control of remote access methods, encryption to protect the confidentiality of remote access sessions. All remote access must be controlled at a managed access control point.
  • Access control: wireless access restrictions. Use of authentication and encryption to secure wireless access to the information system.
  • Access control: mobile devices. Organization:
    • establishes usage restrictions and develops guidelines for the use of mobile devices;
    • documents, monitors and controls access to the IS through such devices; appropriate officials authorize the use of mobile devices; removable hard disks or cryptography are used to protect data held on mobile devices.
  • Logging and auditing: contents of audit records. The information system provides the ability to include additional, more detailed information in audit records for logged events, identified by type, location or subject.
  • Audit records should be regularly reviewed/analyzed to identify inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take appropriate action.
  • The information system provides audit reduction and report generation capabilities.
  • Logging and auditing: time stamps. The information system provides timestamps for use in generating audit records.
  • Protecting systems and communications: application separation. The information system separates user functionality (including user interface services) from IS management functionality.
  • Protection of systems and communications: residual information. The information system prevents unauthorized and unintentional transfer of information through shared system resources.
  • Protecting systems and communications: protecting borders. It is advisable to physically place publicly accessible components of an information system (for example, public web servers) in separate subnets with separate physical network interfaces, to prevent public access into the internal network, except for properly controlled access.
  • The information system protects the integrity of transmitted data.
  • The information system protects the confidentiality of transmitted data.
  • Protecting systems and communications: breaking network connections. Information system terminates network connection at the end of a session or after a specified period of inactivity.
  • Protection of systems and communications: generation of cryptographic keys and their management. The information system uses automatic mechanisms and auxiliary procedures or manual procedures for generating cryptographic keys and key management.
  • Protection of systems and communications: collective applications. The information system prohibits remote activation of collective application mechanisms (for example, video or audio conferencing) and provides clear evidence of their use to local users (for example, indication of the use of video cameras or microphones).
  • Security of systems and communications: public key infrastructure certificates. The organization develops and implements a certificate policy and certification practice specification for issuing public key certificates used in an information system.
  • Protection of systems and communications: mobile code. Organization:
    • establishes usage restrictions and develops guidelines for the use of mobile code technologies, based on the potential for damage to the information system through malicious use of these technologies;
    • documents, monitors and controls the use of mobile code in the information system; relevant officials authorize the use of the mobile code.
  • Security of systems and communications: VoIP protocol. Organization:
    • establishes restrictions on the use and develops guidelines for the use of VoIP technologies, based on the possibility of causing damage to the information system if these technologies are used maliciously;
    • documents, monitors and controls the use of VoIP in the information system; appropriate officials authorize the use of VoIP.
  • Protection of systems and communications: secure name lookup service (authoritative sources). Information systems (authoritative domain name servers) that provide name lookup services to external users for access to an organization's information resources via the Internet supply data origin authentication and data integrity attributes, so that users can obtain assurance of the authenticity and integrity of messages when receiving data within network transactions.
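The moderate-level account management control calls for automatic mechanisms that terminate temporary and emergency accounts when their per-type lifetime expires and disable accounts that have been inactive for a specified period. The following added example (not from the article) shows a periodic sweep that applies both rules and reports each action for the audit trail; the account types, lifetimes, inactivity limit and sample accounts are constructed assumptions.

```python
"""Automated account lifecycle sweep (added example, not the article's own).

Lifetimes and the inactivity limit are assumed policy values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

DAY = timedelta(days=1)

# Per-type lifetime after which a temporary or emergency account is terminated
# (assumed values; regular accounts have no fixed lifetime).
LIFETIME = {"temporary": 30 * DAY, "emergency": 1 * DAY}

# Any enabled account unused for this long is disabled (assumed value).
INACTIVITY_LIMIT = 90 * DAY


@dataclass
class Account:
    name: str
    kind: str                       # "regular", "temporary" or "emergency"
    created: datetime
    last_login: Optional[datetime]  # None if the account has never been used
    enabled: bool = True


def sweep(accounts: Dict[str, Account], now: datetime) -> List[str]:
    """Apply the automatic rules once; returns one audit line per action taken."""
    actions: List[str] = []
    for acct in accounts.values():
        if not acct.enabled:
            continue  # already terminated or disabled; nothing to do
        lifetime = LIFETIME.get(acct.kind)
        if lifetime is not None and now >= acct.created + lifetime:
            acct.enabled = False
            actions.append(f"terminated {acct.kind} account {acct.name}: lifetime expired")
            continue
        # A never-used account counts as inactive since its creation.
        last_activity = acct.last_login or acct.created
        if now - last_activity >= INACTIVITY_LIMIT:
            acct.enabled = False
            actions.append(f"disabled account {acct.name}: inactive since {last_activity.date()}")
    return actions


def sample_accounts(now: datetime) -> Dict[str, Account]:
    """Constructed sample data covering each rule and each non-action."""
    return {
        "svc-temp": Account("svc-temp", "temporary", now - 31 * DAY, now - 1 * DAY),
        "oncall":   Account("oncall", "emergency", now - 2 * DAY, now - 1 * DAY),
        "alice":    Account("alice", "regular", now - 400 * DAY, now - 5 * DAY),
        "bob":      Account("bob", "regular", now - 400 * DAY, now - 91 * DAY),
        "carol":    Account("carol", "regular", now - 100 * DAY, None),
        "dave":     Account("dave", "temporary", now - 5 * DAY, None),
    }


if __name__ == "__main__":
    clock = datetime(2024, 6, 1)
    for line in sweep(sample_accounts(clock), clock):
        print(line)
```

Running the sweep on a schedule (rather than on login) is what makes the control automatic; the returned lines are the events the high-level enhancement of this control later requires to be recorded and notified.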

Additional and enhanced security controls for a high level of information security

For a high level of information security, it is recommended to use the following additional and enhanced (compared to the moderate level) security controls.

  • Risk assessment: vulnerability scanning. Vulnerability scanning tools include the ability to quickly change the list of scanned information system vulnerabilities.
  • At a given frequency or after information about new IS-critical vulnerabilities appears, the organization changes the list of scanned information system vulnerabilities.
  • Procurement of systems and services: documentation. The manufacturer's/supplier's documentation (if any) should be included in the overall documentation package, describing the design and implementation details of the security controls employed in the information system in sufficient detail to enable analysis and testing of the controls (including the functional interfaces between control components).
  • Procurement of systems and services: configuration management by the developer. The information system developer creates and implements a configuration management plan that controls changes to the system during development, tracks security defects, requires authorization of changes, and provides documentation of the plan and its implementation.
  • Physical protection: access control to data transmission channels. Physical access to IS distribution and transmission lines located within secure boundaries is controlled to prevent inadvertent damage, eavesdropping, in-transit modification, interruption, or physical tampering with the lines.
  • Physical security: physical access monitoring. Automatic mechanisms are used to ensure that potential intrusions are identified and a response is initiated.
  • Physical security: access logging. Automated mechanisms are used to make maintaining and viewing logs easier.
  • Physical protection: emergency power supply. It is necessary to provide long-term alternative power sources for the information system that are capable of maintaining the minimum required operational capabilities in the event of a long-term failure of the primary power source.
  • Physical protection: fire protection. Use and maintain fire extinguishing and fire detection devices/systems that automatically notify the organization and emergency services when activated.
  • Physical protection: flood protection. Automatic mechanisms are used to automatically shut off water in case of severe leakage.
  • Business continuity planning: training. Event simulations are included in training courses to help employees respond effectively to possible crisis situations.
  • Business continuity planning: Testing your business continuity plan. The business continuity plan is tested at the alternate site to familiarize employees with available capabilities and resources and assess the site's ability to maintain business continuity.
  • Continuity planning: spare storage locations. The backup storage location is configured to facilitate timely and effective recovery actions; potential problems with access to backup storage in the event of large-scale accidents or natural disasters are identified and explicit actions are outlined to mitigate the identified problems.
  • Continuity planning: backup data processing locations. The spare processing location is fully configurable to maintain the minimum required operational capability and is ready for use as a production site.
  • Business continuity planning: telecommunications services. The backup source of telecommunications services must be sufficiently remote geographically from the main one so as not to be exposed to the same dangers; the primary and backup telecommunications service providers have adequate business continuity plans.
  • Business continuity planning: backup. To restore information system functionality, backup copies are used selectively as part of testing the business continuity plan. Backup copies of the operating system and other IS-critical software are stored in a separate location or in a fireproof container located separately from the operational software.
  • Business continuity planning: information system restoration. The organization includes a complete recovery of the information system as part of testing its business continuity plan.
  • Configuration management: baseline configuration and inventory of information system components. Automatic mechanisms are used to maintain a current, complete, accurate and readily available baseline configuration of the information system and inventory of IS components.
  • Configuration management: control configuration changes. Automatic mechanisms are used to:
    • document proposed changes to the information system;
    • notify relevant officials;
    • draw attention to required approvals not received in a timely manner;
    • delay changes until the necessary approvals are received;
    • document changes made to the information system.
  • Configuration management: restricting access for changes. Automatic mechanisms are used to enforce access restrictions and maintain logging of restrictive actions.
  • Configuration management: settings. Automatic mechanisms are used for centralized management, application and verification of settings.
  • Configuration management: minimizing functionality. The information system is reviewed at a specified frequency to identify and eliminate functions, ports, protocols and other services that are not necessary.
  • Maintenance: periodic support. Automatic mechanisms are used to ensure that periodic maintenance is planned and carried out in accordance with established requirements, and that records of required and completed maintenance actions are current, accurate, complete and accessible.
  • Maintenance: maintenance tools. All maintenance equipment (for example, diagnostic and test equipment) brought into the organization by maintenance personnel should be inspected for visible improper modifications. All media containing diagnostic test programs (for example, software used to maintain and diagnose systems) should be examined for malware before the media is used on the information system. All equipment used for maintenance purposes and capable of storing information is inspected to ensure that it is not recording organizational information, or that it is properly sanitized before reuse. If equipment cannot be sanitized, it remains on the organization's premises or is destroyed, unless its removal is expressly authorized by appropriate officials.
  • Maintenance: remote maintenance. All remote maintenance sessions are logged, and the appropriate officials review the log of remote sessions. The installation and use of remote diagnostic channels are reflected in the information system security plan. Remote diagnostic or maintenance services are permissible only if the service organization maintains in its own IS at least the same level of security as the serviced organization.
  • System and data integrity: protection against malware. The information system automatically updates its malware protection mechanisms.
  • System and data integrity: verification of security functionality. The information system, within its technical capabilities, verifies the correct operation of the security functions at system startup or restart, on the command of an authorized user and/or periodically at a given frequency, and notifies the system administrator and/or shuts down or restarts the system if any anomalies are detected.
  • Systems and Data Integrity: Software and data integrity. The information system detects and protects against unauthorized changes to software and data.
  • Integrity of systems and data: protection against spam. The organization centrally manages anti-spam mechanisms.
  • Media protection: media access. Either security posts or automatic mechanisms are used to control access to media storage areas, provide protection against unauthorized access, and record access attempts and access granted.
  • Response to information security violations: training. Training courses include event simulations to help employees respond effectively to potential crisis situations.
  • Response to information security violations: testing. Automated mechanisms are used to test response capabilities more thoroughly and effectively.
  • Response to information security violations: monitoring. Automated mechanisms are used to facilitate the tracking of security violations and the collection and analysis of information about violations.
  • Identification and Authentication: Identification and authentication of users. The information system uses multi-factor authentication.
  • Access control: account management. Automatic mechanisms are used to ensure that account creation, modification, deactivation and termination are recorded and, where appropriate, notified to appropriate persons.
  • Access control: Concurrent session management. The information system limits the number of parallel sessions for one user.
  • Access Control: Supervision and Review. Automatic mechanisms are used to make it easier to view user activity.
  • Access control: automatic marking. The information system labels output data using standard naming conventions to identify any special instructions for disseminating, processing, and distributing the data.
  • Logging and auditing: contents of audit records. The information system provides the ability to centrally manage the content of audit records generated by individual IS components.
  • Logging and auditing: processing of audit records. The information system issues a warning when the used share of the storage allocated for audit records reaches a specified value.
  • Logging and auditing: monitoring, analyzing and reporting audit records. Use of automated mechanisms to integrate the monitoring, analysis and reporting of audit records into the overall process of identifying and responding to suspicious activity.
  • Logging and auditing: audit reduction and report generation. The information system provides the ability to automatically process audit records about events requiring attention, based on specified selection criteria.
  • Protect systems and communications: isolate security functions. The information system isolates security functions from other functions.
  • Protection of systems and communications: integrity of transmitted data. Use of cryptographic mechanisms to ensure that changes to data are detected during transmission, unless the data is protected by alternative physical measures (for example, a protected distribution system).
  • Protection of systems and communications: confidentiality of transmitted data. Use of cryptographic mechanisms to prevent unauthorized disclosure of information during transmission, unless it is protected by alternative physical measures (for example, a protected distribution system).
  • Protection of systems and communications: secure name lookup service (name resolution). Information systems (authoritative domain name servers) that provide internal users with a name lookup service for accessing information resources provide mechanisms for data origin authentication and data integrity verification, and perform these actions on request of client systems.

Minimum assurance requirements for security regulators

Minimum assurance requirements for security regulators apply to certain processes and activities. Regulator designers and implementers define and apply (execute) these processes and activities to increase confidence that the controls are implemented correctly, function in accordance with specifications, and produce the expected results in terms of meeting information security requirements.

At the minimum level of information security, it is necessary that security regulators be activated and satisfy the functional requirements explicitly specified in their definition.

At the moderate level of information security, the following conditions must additionally be met. The specialists who develop (implement) the regulators provide a description of their functional properties that is detailed enough to allow the regulators to be analyzed and tested. As an integral component of the regulators, the developers document and provide the distribution of responsibilities and the specific actions by which, after development (implementation) is completed, the regulators are to satisfy the functional requirements imposed on them. The technology used to develop the regulators must maintain a high degree of confidence in their completeness, consistency and correctness.

Figure 6. Ensuring information security. Process approach.

At the high level of information security, in addition to all of the above, a description of the design and implementation of the regulators must be provided, including the functional interfaces between their components. Developers are required to provide evidence that, once development (implementation) is completed, compliance with the regulators' requirements will be continuous and consistent throughout the information system, and that the ability to improve the effectiveness of the regulators will be supported.

Conclusion

Ensuring information security is a complex, multidimensional process that requires making many decisions and analyzing many factors and requirements, some of them contradictory. The existence of security categories and minimum security requirements, together with a predefined catalog of security regulators, can serve as the basis for a systematic approach to ensuring information security, an approach that requires reasonable labor and material costs and can give practically acceptable results for most organizations.

Categorization of information by importance exists objectively and does not depend on the wishes of management, since it is determined by the mechanism of the bank's activities and characterizes the danger of the destruction or modification of the information. There are many variants of this categorization. Here is the simplest one:

1. Important information - information that is irreplaceable and necessary for the bank's activities; restoring it after destruction is impossible or very labor-intensive and costly, and its erroneous modification or falsification causes great damage.

2. Useful information - necessary information that can be restored without great expense, and whose modification or destruction causes relatively small material losses.

Categorization of information by confidentiality is performed subjectively by management or personnel in accordance with the powers allocated to them, depending on the risk of its disclosure. For the activities of a commercial bank, two gradations are sufficient.

1. Confidential information - information to which access by some personnel or by unauthorized persons is undesirable, as it may cause material and moral losses.

2. Open information - information, access to which by outsiders is not associated with any losses.

Management must decide who will determine the importance and confidentiality of information, and how. Without such a decision, no meaningful work on creating an electronic banking system is possible.

Protection plan

The risk analysis ends with the adoption of a security policy and the development of a protection plan with the following sections:

1. Current state. Description of the status of the protection system at the time the plan was prepared.

3. Responsibility. List of responsible employees and areas of responsibility.

4. Schedule. Determining the order of operation of protection mechanisms, including controls.

5. Review. The provisions of the plan that are to be reviewed periodically.

The key issue at the initial stage of creating a security system is the appointment of those responsible for the security of the system and the delimitation of their areas of activity. As a rule, when such questions are first raised, it turns out that no one wants to be responsible for this aspect of the organization's security. System programmers and system administrators tend to assign this task to the competence of the general security service, while the latter, in turn, believes that such a problem should be the responsibility of computer specialists.

Safety provisions

When deciding on the distribution of responsibility for the security of a computer system, the following provisions must be taken into account:

1. no one other than management can make fundamental decisions in the field of computer security policy;

2. no one other than specialists can ensure the correct functioning of the security system;

3. no external organization or group of specialists has a vital interest in the cost-effectiveness of security measures.

The area of strategic decisions when creating a computer security system should include the development of general requirements for the classification of the data stored and processed by the computer system. In many cases, the concepts of confidentiality (secrecy) and importance of information are confused.

    Protected information (information subject to protection) - information that is the subject of property rights and is subject to protection in accordance with the requirements of legislative and other regulatory documents, or in accordance with the requirements established by the owner of the information (the Bank).

    Protected resources of the information banking system (IBS resources subject to protection) - information, functional tasks, information transmission channels and workplaces that are to be protected in order to ensure the information security of the Bank, its clients and correspondents.

    Protected workplace (RM) - an object of protection (a personal computer with an appropriate set of software and data) for which the need to establish a regulated information processing regime is recognized, and which is characterized by:

    • its location, as well as the degree of its physical accessibility to unauthorized persons (clients, visitors, employees not allowed to work on the RM, etc.);

    • its hardware composition;

    • the composition of the software and of the tasks solved on it (of certain availability categories);

    • the composition of the information stored and processed on the RM (of certain confidentiality and integrity categories).

    RM form - a document of the established form (Appendix 3) recording the characteristics of the RM (location, configuration of hardware and software, list of tasks solved on the RM, etc.) and certifying that the RM may be operated (i.e., that the requirements for protecting the information processed on the RM, according to the category of the RM, are met).

    Protected task - a functional task solved on a particular RM, for which the need to establish a regulated mode of information processing is recognized, and which is characterized by:

    • the set of resources used in solving it (software, data sets, devices);

    • the frequency with which it is solved;

    • the maximum permissible delay in obtaining the result of solving the task.

    Task form - a document of the established form (Appendix 2) recording the characteristics of the task (its name, purpose, type, the resources used in solving it, the user groups of the task, their access rights to the task's resources, etc.).

    Protected information transmission channel- the path along which protected information is transmitted. Channels are divided into physical (from one device to another) and logical (from one task to another).

    Confidentiality of information - a characteristic (property) subjectively assigned (attributed) to information, indicating the need to restrict the circle of subjects (persons) having access to it, and ensured by the ability of the system (environment) to keep this information secret from subjects who do not have the authority to access it.

    Information integrity - a property of information consisting in its existence in an undistorted form (unchanged relative to some fixed state).

    Availability of information (tasks) - a property of the processing system (environment) in which the information circulates, characterized by its ability to provide subjects with timely, unhindered access to the information they need (provided they have the appropriate access rights) and by the readiness of the corresponding automated services (functional tasks) to serve requests from subjects whenever the need to contact them arises.

1. General Provisions

1.1. This Regulation introduces categories (gradations of the importance of ensuring protection) of resources and establishes a procedure for categorizing the resources of the information system that are subject to protection (assigning them to the appropriate categories, taking into account the degree of risk of damage to the Bank, its clients and correspondents in the event of unauthorized interference in the functioning of the IBS, violation of the integrity or confidentiality of the information being processed, blocking of information, or disruption of the availability of the tasks solved by the IBS).

1.2. Categorization of IBS resources (determination of the requirements for their protection) is a necessary element of organizing the work of ensuring the Bank's information security and has the following goals:

    creation of a regulatory and methodological basis for a differentiated approach to protecting the resources of the automated system (information, tasks, channels, RMs) based on their classification according to the degree of risk in the event of a violation of their availability, integrity or confidentiality;

    typification of the organizational measures taken and of the distribution of hardware and software protection tools across the RMs of the IBS, and unification of their settings.

2. Categories of protected information

2.1. Based on the need to provide different levels of protection for different types of information stored and processed in the IBS, as well as taking into account possible ways of causing damage to the Bank, its clients and correspondents, three categories of confidentiality of protected information and three categories of integrity of protected information are introduced.

Categories of confidentiality of protected information:

    “HIGH” - this category includes unclassified information that is confidential in accordance with the requirements of the current legislation of the Russian Federation (bank secrecy, personal data);

    “LOW” - this category includes confidential information that is not classified in the “HIGH” category, restrictions on the dissemination of which are introduced by a decision of the Bank’s management in accordance with the rights granted to it as the owner (person authorized by the owner) of the information by current legislation;

    “NO REQUIREMENTS” - this category includes information for which confidentiality (introducing restrictions on distribution) is not required.

Categories of integrity of protected information:

    “HIGH” - this category includes information whose unauthorized modification (distortion, destruction) or falsification can lead to significant direct damage to the Bank, its clients and correspondents, and whose integrity and authenticity (confirmation of the authenticity of the source) must be ensured by guaranteed methods (for example, by means of an electronic digital signature) in accordance with the mandatory requirements of current legislation;

    “LOW” - this category includes information whose unauthorized modification, deletion or falsification can lead to minor indirect damage to the Bank, its clients and correspondents, and whose integrity (and, if necessary, authenticity) must be ensured in accordance with a decision of the Bank's management (by methods such as checksums, digital signatures, etc.);

    “NO REQUIREMENTS” - this category includes information for which there are no requirements to ensure integrity (and authenticity).

2.2. In order to simplify the categorization of tasks, channels and RMs, the categories of confidentiality and integrity of protected information are combined and four generalized categories of information are established: “vital”, “very important”, “important” and “not important”. Information is assigned to one or another generalized category based on its confidentiality and integrity categories in accordance with Table 1.

Table 1

    1 – “Vital” information

    2 – “Very important” information

    3 – “Important” information

    4 – “Not important” information

3. Categories of functional tasks

3.1. Depending on the frequency with which functional tasks are solved and the maximum permissible delay in obtaining the results of their solution, four required degrees of availability of functional tasks are introduced.

Required degrees of accessibility of functional tasks:

    “UNHINDERED ACCESSIBILITY” – access to the task must be provided at any time (the task is solved constantly, the delay in obtaining the result should not exceed several seconds or minutes);

    “HIGH AVAILABILITY” – access to the task should be carried out without significant time delays (the task is solved daily, the delay in obtaining the result should not exceed several hours);

    “MEDIUM AVAILABILITY” – access to a task can be provided with significant time delays (the task is solved once every few days, the delay in obtaining the result should not exceed several days);

    “LOW AVAILABILITY” – time delays when accessing a task are practically unlimited (the task is solved over a period of several weeks or months, the acceptable delay in obtaining the result is several weeks).

3.2. Depending on the general category of protected information used in solving the task and the required degree of accessibility of the task, four categories of functional tasks are established: “first”, “second”, “third” and “fourth” (in accordance with Table 2).

Table 2. Determining the category of a functional task

Generalized category   | Required degree of task availability
of information         | Unhindered | High | Medium | Low
-----------------------+------------+------+--------+-----
“Vital”                |     1      |  1   |   2    |  2
“Very important”       |     1      |  2   |   2    |  3
“Important”            |     2      |  2   |   3    |  3
“Not important”        |     2      |  3   |   3    |  4

4. Requirements for ensuring the security of channels for transmitting protected information (categories of channels)

4.1. The security requirements (category) of a logical channel for transmitting protected information are determined by the maximum category of the two tasks between which the channel is established.

5. Categories of RM

5.1. Depending on the categories of tasks solved on the RM, four categories of RM are established: “A”, “B”, “C” and “D”.

5.3. The group of RMs of category “B” includes RMs that solve at least one functional task of the second category. The categories of the other tasks solved on this RM must be no lower than the third and no higher than the second.

5.4. The group of RMs of category “C” includes RMs that solve at least one functional task of the third category. The categories of the other tasks solved on this RM must not be higher than the third.

Table 3

5.6. Requirements for ensuring the security of RMs of various categories (the application of appropriate measures and means of protection) are given in Appendix 5.

6. The procedure for determining the categories of protected IBS resources

6.1. Categorization is carried out on the basis of an inventory of resources of the information banking system (RM, tasks, information) and involves the compilation and subsequent maintenance (maintaining up to date) of lists (sets of forms) of IBS resources to be protected.

6.2. Responsibility for compiling and maintaining lists of IBS resources rests with:

    for compiling and maintaining the list of RMs (indicating their location, their assignment to the Bank's divisions, and the composition and characteristics of the technical means included in them) - with the Information Technology Department (hereinafter referred to as DIT);

    for compiling and maintaining the list of system and applied (special) tasks solved on the RMs (indicating the resources used in solving them - devices, directories, files with information) - with the technical support department of the UIT.

6.3. Responsibility for determining the requirements for ensuring confidentiality, integrity and availability, and for assigning the appropriate categories to the resources of specific RMs (information resources and tasks), rests with the Bank's divisions that directly solve tasks on these RMs (the information owners) and with the information security department.

6.4. Approval of the categories of information resources of the IBS assigned in accordance with this “Regulations on the Categorization of IBS Resources” is carried out by the Chairman of the Board of the Bank.

6.6. Categorization of IBS resources can be carried out sequentially for each RM separately, followed by combining and generating unified lists of IBS resources to be protected:

    list of IBS information resources subject to protection (Appendix 2);

    a list of tasks to be protected (a set of task forms);

    list of RM subject to protection (a set of RM forms).

At the first stage of work on categorizing the resources of a specific RM, all types of information used in solving problems on this RM are categorized. Generalized categories of information are determined based on established categories of confidentiality and integrity of specific types of information. Information resources subject to protection are included in the “List of information resources subject to protection.”

At the second stage, taking into account the general categories of information used in solving problems established earlier and the requirements for the degree of accessibility of tasks, all functional tasks solved on this RM are categorized.

At the fourth stage, based on the categories of the interacting tasks, the category of the logical channels for transmitting information between functional tasks (on different RMs) is established.

6.7. Recertification (change of category) of IBS information resources is carried out when the requirements for ensuring the protection of the properties (confidentiality and integrity) of the relevant information change.

Re-certification (change of category) of functional tasks is carried out when the general categories of information resources used in solving a given task change, as well as when the requirements for the availability of functional tasks change.

Re-certification (change of category) of logical channels is carried out when the categories of interacting tasks change.

Recertification (change of category) of an RM is carried out when the categories or the composition of the tasks solved on that RM change.

6.8. Periodically (once a year) or at the request of the heads of the Bank's structural divisions, the established categories of protected resources are reviewed for their compliance with the real state of affairs.

7. Procedure for revising the Regulations

7.1. In case of changes in the requirements for the protection of RM of various categories, Appendix 5 is subject to revision (with subsequent approval).

7.2. If changes and additions are made to the “List of Information Resources Subject to Protection,” Appendix 4 is subject to revision (with subsequent approval).

Appendix 1 - Methodology for categorizing protected resources

This methodology is intended to clarify the procedure for categorizing protected resources in the Bank’s IBS in accordance with the “Regulations on the categorization of resources of the information banking system.” Categorization involves carrying out work to survey the IBS subsystems and structural divisions of the Bank and identify (inventory) all IBS resources that are subject to protection. An approximate sequence and main content of specific actions to implement these works are given below.

1. To conduct an information survey of all subsystems of the Bank's information system and to inventory the IBS resources subject to protection, a special working group is formed. This group includes specialists from the information security department and the Bank's Information Technology Department (knowledgeable in automated information processing technology). To give the working group the necessary status, a corresponding order is issued by the Chairman of the Bank's Management Board, which, in particular, instructs all heads of the Bank's structural divisions to provide the working group with the necessary assistance in carrying out the IBS survey. To assist the group in its work in the departments, the heads of these departments should allocate employees who are well informed about information processing in those departments.

2. During the examination of specific divisions of the Bank and information subsystems, all functional tasks solved using the IBS, as well as all types of information (information) used in solving these tasks in the divisions, are identified and described.

3. A general list of functional tasks is compiled and a form is drawn up for each task (Appendix 2). It should be borne in mind that the same task may be called differently in different departments and, conversely, different tasks may have the same name. At the same time, a record is kept of the software tools (general and special) used in solving the functional tasks of the department.

4. When examining subsystems and analyzing tasks, all types of information (incoming, outgoing, stored, processed, etc.) are identified. It is necessary to identify not only information that can be classified as confidential (banking and trade secrets, personal data), but also information that must be protected because a violation of its integrity (distortion, falsification) or availability (destruction, blocking) can cause significant damage to the Bank, its clients or correspondents.

5. When identifying all types of information circulating and processed in the subsystems, it is desirable to assess the severity of the consequences that may result from violations of its properties (confidentiality, integrity). To obtain initial assessments of the severity of such consequences, it is advisable to survey (for example, by questionnaire) the specialists who work with this information. It is necessary to find out who may be interested in this information, how they could influence it or use it illegally, and what consequences this could lead to.

6. Information on estimates of probable damage is entered into special forms (Appendix 3). If it is impossible to quantify the probable damage, a qualitative assessment is made (for example: low, medium, high, very high).

7. When compiling a list and forms of functional tasks solved in the Bank, it is necessary to find out the frequency of their solution, the maximum permissible delay in obtaining the results of solving problems and the severity of the consequences that can result from violations of their availability (blocking the ability to solve problems). Estimates of probable damage are recorded in special forms (Appendix 3). If it is impossible to quantify the probable damage, a qualitative assessment is made.

8. All the different types of information identified during the survey are included in the “List of information resources subject to protection.”

9. It is determined (and then indicated in the List) to what type of secret (banking, commercial, personal data that does not constitute a secret) each of the identified types of information belongs (based on the requirements of the current legislation and the rights granted by it).

10. Initial proposals for assessing the categories of ensuring confidentiality and integrity of specific types of information are clarified from the managers (leading specialists) of the Bank's structural unit (based on their personal assessments of the likely damage from a violation of the confidentiality and integrity of information). These assessments of information categories are entered into the “List of information resources subject to protection” (in columns 2 and 3).

11. Then the List is agreed upon with the heads of the Security Department, IT and the Information Security Department and put forward for consideration by the Information Security Management Committee.

12. When considering the List by the Information Security Management Committee, changes and additions may be made to it. The prepared version of the “List of Information Resources Subject to Protection” is submitted for approval to the Chairman of the Bank’s Management Board.

13. In accordance with the categories of confidentiality and integrity specified in the approved “List of Information Resources Subject to Protection,” a generalized category of each type of information is determined (in accordance with Table 1 of the Categorization Regulations).

14. At the next stage, the functional tasks are categorized. Based on the availability requirements set by the heads of the Bank's operational divisions and agreed upon with the Security and IT Departments, all special (applied) functional tasks solved in the divisions using the IBS are categorized (Table 2 of the Regulation on the Categorization of Resources). Information about the categories of special tasks is entered into the task forms. General (system) tasks and software tools are not categorized without reference to specific RMs.

In the future, with the participation of IT specialists, it is necessary to clarify the composition of the information and software resources of each task and enter into its form information on user groups of the task and instructions for setting up the security tools used in solving it (access rights of user groups to the listed task resources). This information will be used as a standard for the settings of the protection means of the corresponding RMs on which this task will be solved, and to monitor the correctness of their installation.

15. Then all logical channels between functional tasks are categorized. The channel category is set based on the maximum category of tasks involved in the interaction.

16. At the last stage, the RMs are categorized. The category of an RM is established from the maximum category of the special tasks solved on it (or from the category of the information used in solving general tasks). One RM may solve any number of tasks whose categories are lower than the highest task category on that RM by no more than one. Information about the RM category is entered into the RM form.
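As an added worked example (not the Bank's code or any tool from the Regulation), the following Python applies Table 2 (section 3.2), the channel rule of section 4.1, and the RM rule of sections 5.1-5.4 and steps 13-16 above; it flags an RM whose tasks differ by more than one category, which the Regulation does not allow. The task names and their categories are constructed for illustration, and the generalized category of the information (Table 1, not reproduced on the page) is treated as an input.

```python
from dataclasses import dataclass
from enum import IntEnum


class InfoCategory(IntEnum):
    """Generalized information category (Table 1 legend); 1 is the most sensitive."""
    VITAL = 1
    VERY_IMPORTANT = 2
    IMPORTANT = 3
    NOT_IMPORTANT = 4


class Availability(IntEnum):
    """Required degree of task availability (section 3.1); used as a Table 2 column index."""
    UNHINDERED = 0
    HIGH = 1
    MEDIUM = 2
    LOW = 3


# Table 2 of the Regulation: rows are generalized information categories,
# columns are (unhindered, high, medium, low) availability; cells are task categories.
TABLE_2 = {
    InfoCategory.VITAL:          (1, 1, 2, 2),
    InfoCategory.VERY_IMPORTANT: (1, 2, 2, 3),
    InfoCategory.IMPORTANT:      (2, 2, 3, 3),
    InfoCategory.NOT_IMPORTANT:  (2, 3, 3, 4),
}

# Section 5.1: the RM category letter follows the highest task category on the RM.
RM_LETTER = {1: "A", 2: "B", 3: "C", 4: "D"}


def task_category(info: InfoCategory, availability: Availability) -> int:
    """Section 3.2: look up the task category (1 = 'first' ... 4 = 'fourth')."""
    return TABLE_2[info][availability]


def channel_category(task_a: int, task_b: int) -> int:
    """Section 4.1: a logical channel takes the maximum (numerically smallest)
    category of the two tasks it connects."""
    return min(task_a, task_b)


@dataclass
class Task:
    """A functional task as recorded in its task form (constructed sample data)."""
    name: str
    info: InfoCategory
    availability: Availability

    @property
    def category(self) -> int:
        return task_category(self.info, self.availability)


def rm_category(tasks: list) -> str:
    """Sections 5.1-5.4 and Appendix 1 step 16: the RM takes the category of its
    highest-category task, and every other task on it may be at most one
    category lower. A mix that breaks this rule is reported rather than
    silently accepted, since such tasks must be split across RMs."""
    if not tasks:
        raise ValueError("an RM must solve at least one task to be categorized")
    top = min(t.category for t in tasks)
    too_low = [t.name for t in tasks if t.category > top + 1]
    if too_low:
        raise ValueError(
            f"tasks {too_low} are more than one category below the highest "
            f"task category ({top}) on this RM; split them onto another RM")
    return RM_LETTER[top]


if __name__ == "__main__":
    # Constructed sample tasks; the names and categories are illustrative only.
    payments = Task("payment processing", InfoCategory.VITAL, Availability.UNHINDERED)
    statements = Task("statement generation", InfoCategory.VERY_IMPORTANT, Availability.HIGH)
    reports = Task("client reporting", InfoCategory.IMPORTANT, Availability.MEDIUM)
    for t in (payments, statements, reports):
        print(f"{t.name}: task category {t.category}")
    print("channel payments<->reports:", channel_category(payments.category, reports.category))
    print("RM {payments, statements}:", rm_category([payments, statements]))
    try:
        rm_category([payments, reports])
    except ValueError as err:
        print("RM {payments, reports}: rejected ->", err)
```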
