Discipline: Information Security. Russian and international standards. International legal standards in the field of personal data protection

Today it is impossible to ensure the security of information systems without competent, high-quality construction of information security systems. This is what led the world community to systematize and streamline the basic security requirements and characteristics of such systems.

One of the main results of this work is the system of international and national information security standards, which comprises more than a hundred documents.

This is especially true for the so-called open systems for commercial use, which process restricted-access information not containing state secrets and which are developing rapidly in our country.

By open systems we understand the whole range of computing and telecommunications equipment from different manufacturers whose joint operation is ensured by compliance with the requirements of standards, primarily international ones.

The term "open" also implies that if a computing system complies with the standards, it will be open to interconnection with any other system that complies with the same standards. This applies in particular to mechanisms for cryptographic information protection and for protection against unauthorized access (NSD, in the Russian abbreviation) to information.

Today an information security (IS) specialist can hardly do without knowledge of the relevant standards.

Firstly, standards and specifications are one of the forms of accumulating knowledge, primarily about the procedural and hardware-software levels of information security. They record proven, high-quality solutions and methodologies developed by the most qualified specialists.

Secondly, both are the principal means of ensuring the mutual compatibility of hardware-software systems and their components, and in the Internet community this means really does work, and very effectively.

Recently a new generation of information security standards, dedicated to the practical issues of managing a company's information security, has appeared in various countries. These are, first of all, the international and national information security management standards ISO 15408, ISO 17799 (BS 7799) and BSI, and the information system and information security audit standards COBIT, SAC, COSO and some others like them.

Of particular importance are the international standards ISO 15408 and ISO 17799, which serve as the basis for any work in the field of information security, including auditing.

ISO 15408 defines detailed requirements for hardware and software information security tools.

ISO 17799 focuses on the organization and management of security.

The use of international and national information security standards helps solve the following five tasks:

- firstly, determining the goals of ensuring the information security of computer systems;

- secondly, creating an effective information security management system;

- thirdly, deriving a set of detailed qualitative and quantitative indicators for assessing how well information security meets the stated goals;

- fourthly, applying information security tools and assessing their current state;

- fifthly, using security management techniques with a well-founded system of metrics and measures that support information system developers, allowing them to objectively assess the security of information assets and manage the company's information security.

Let us focus on the international standard ISO/IEC 15408, its Russian analogue GOST R ISO/IEC 15408-2002 "Criteria for assessing the security of information technologies", and also on the specifications of the Internet community.

An information security audit is based on numerous recommendations, set out mainly in the international information security standards.

Since the early 1980s, dozens of international and national information security standards have been created, which to a certain extent complement one another.

The lecture discusses the most important standards, the knowledge of which is necessary for developers and evaluators of security products, system administrators, heads of information security services, and users according to the chronology of their creation, including:

    Trusted Computer System Evaluation Criteria, the "Orange Book" (USA);

    Harmonized criteria of the European countries (ITSEC);

    The German BSI standard;

    The British standard BS 7799;

    The "Common Criteria" standard, ISO 15408;

    The ISO 17799 standard;

    The COBIT standard.

These standards can be divided into two different types:

    Evaluation standards, aimed at classifying information systems and protection tools according to security requirements;

    Technical specifications, regulating various aspects of implementing protection tools.

There is no impenetrable wall between these two kinds of regulatory document; on the contrary, they are logically related.

Evaluation standards single out the aspects of an information system that matter most for its security, playing the role of architectural specifications.

Technical specifications determine how to build a system of the prescribed architecture. The features of these standards are described below.

2. Trusted Computer System Evaluation Criteria ("Orange Book")

The problem of computer information security is not new - specialists have been dealing with it from the very moment the computer began to process data whose value is high for the user. However, in recent years, due to the development of networks and the growing demand for electronic services, the situation in the field of information security has seriously worsened, and the issue of standardizing approaches to solving it has become especially relevant for both developers and users of IT tools.

Why do you need to know the theory?

Any information security specialist goes through three stages in his professional development. The first of them is “working with your hands.” The newcomer intensively, using specialized tools, searches for and eliminates very specific gaps in system and application software. Scanner, patch, port, connection - these are the entities with which he works at this stage.

The second stage is “working with your head.” Tired of plugging more and more new gaps, the specialist begins to develop plans and methods, the purpose of which is to streamline actions to improve the security of systems and eliminate the consequences of information threats. It is at this stage that the concept of “security policy” arises.

Finally, the time comes for reflection - at this stage, a seasoned specialist understands that he is most likely reinventing the wheel, since security strategies have probably already been developed before him. And in this he is certainly right.

Numerous organizations around the world have been dealing with the problem of information security for a long time; the result of their activities has been weighty volumes of standards, regulations, recommendations, rules, etc. It is hardly advisable to study the entire volume, but it is certainly worth knowing the fundamental documents. Therefore, in this article we will mention only the most important Russian and international provisions that establish standards in the field of information security.

Information security concept

The development of information and telecommunication systems for various purposes (primarily the Internet), as well as the electronic exchange of valuable information in need of protection, required specialists working in this field to systematize and streamline the basic requirements and characteristics of computer systems in terms of security. However, before moving on to the consideration of the formed standards, it is necessary to define what security is.

Considering the importance of the concept, we will try to formulate its expanded definition, which will take into account the latest international and domestic developments in this area. So, information security is a state of data resistance to accidental or intentional influences, excluding unacceptable risks of their destruction, distortion and disclosure, which lead to material damage to the owner or user. This definition most fully takes into account the main purpose of a commercial information computer system - minimizing financial losses, obtaining maximum profits in the face of real risks.

This provision is especially relevant for the so-called public open systems that process restricted-access (confidential) information not containing state secrets. Systems of this type are developing rapidly today, both worldwide and in our country.

International Information Security Standard

It is well known that standardization is the basis of all kinds of methods for determining the quality of products and services. One of the main results of such activities in the field of systematization of the requirements and characteristics of secure information systems was the System of international and national information security standards, which contains more than a hundred different documents. An example is the ISO 15408 standard, known as the "Common Criteria".

The basic information security standard ISO 15408 (Common Criteria version 2.0 appeared in 1998 and was published as ISO/IEC 15408 in 1999) is certainly very important for Russian developers; moreover, in the current year, 2001, Gosstandart plans to prepare a harmonized version of this document. The International Organization for Standardization (ISO) began developing the international standard on IT security evaluation criteria for general use, the "Common Criteria", in 1990. Taking part in its creation were the National Institute of Standards and Technology and the National Security Agency (USA), the Communications Security Establishment (Canada), the Federal Office for Information Security (BSI, Germany), the National Communications Security Agency (Netherlands), the bodies implementing the IT Security Evaluation and Certification Scheme (UK) and the Central Service for Information Systems Security (France). Once finalized, the standard was given the number ISO 15408.

The Common Criteria (CC) were created as the basis for the mutual recognition of IT security evaluation results worldwide. They make it possible to compare the results of independent evaluations of information security and risk tolerance on the basis of a common set of requirements for the security functions of IT products and systems and for the assurance measures applied to them during evaluation.

The main advantages of the CC are the completeness of the security requirements, flexibility of application and openness to further development that takes account of the latest achievements in science and technology. The criteria are designed to meet the needs of all three user groups (consumers, developers and evaluators) when examining the security properties of an IT product or system (the target of evaluation). The standard is useful as a guide when developing IT security functions and when purchasing commercial products that have them. Evaluation focuses primarily on threats arising from malicious human action, but the CC can also be applied to threats caused by other factors. Specialized requirements for the commercial credit and financial sector are expected to follow. Recall that earlier domestic and foreign documents of this type were tied to the conditions of a government or military system processing classified information that may contain state secrets.

The release and adoption of this standard abroad has been accompanied by the development of a new standardized architecture intended to ensure the information security of computing systems; in other words, computer hardware and software are being built to meet the Common Criteria. For example, The Open Group, an international consortium of about 200 leading computing and telecommunications companies, has released a new information security architecture for commercial automated systems that takes these criteria into account. The Open Group also runs training programmes that facilitate the rapid, high-quality adoption of standardization documents.

Features of the Internet standardization process

The Global Network has long had a number of committees that deal with the standardization of all Internet technologies. These organizations, which form the bulk of the Internet Engineering Task Force (IETF), have already standardized several important protocols, thereby accelerating their adoption on the Internet. The TCP/IP family of protocols for data transfer, SMTP and POP for email, as well as SNMP (Simple Network Management Protocol) for network management are the results of the IETF.

Over the past few years, the online market has witnessed what is known as a fragmented influence on standards formation. As the Internet expanded into consumer and commercial markets, some firms began to look for ways to influence standardization by creating a semblance of competition. Even informal bodies such as the IETF felt the pressure. As Internet-related markets developed, entrepreneurs began to form special groups or consortia to promote their own standards. Examples include OMG (Object Management Group), VRML (Virtual Reality Markup Language) Forum and Java Development Connection. Sometimes serious consumers of Internet services set de facto standards with their purchases or orders.

One of the reasons for the emergence of different standards groups is the contradiction between the ever-increasing pace of technology development and the long cycle of creating standards.

Internet Security Standards

Secure data transmission protocols, namely SSL (TLS), SET and IPSec (which is part of IPv6), are the most widely used means of ensuring security on the Internet. They appeared relatively recently and immediately became de facto standards.

SSL (TLS)

SSL, and its successor TLS, is currently the most widely used protocol for encrypting data in transit over a network: a set of cryptographic algorithms, methods and rules for applying them. It allows a secure connection to be established, the integrity of transmitted data to be checked and a number of related problems to be solved.
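To make the paragraph concrete, here is an added example (not code from the page or from any product it names) in Python's standard ssl module. It contrasts a client configuration that encrypts but authenticates nothing with one that gives the properties named above (an authenticated peer, a current protocol version, integrity checked by the TLS record layer), plus a small audit function that reports what a given context lacks. The MIN_ACCEPTABLE floor of TLS 1.2 is my policy choice, not something the page states.

```python
import ssl

# Policy floor assumed for this example; the page itself names no version.
MIN_ACCEPTABLE = ssl.TLSVersion.TLSv1_2


def weak_client_context() -> ssl.SSLContext:
    """The 'before': traffic is encrypted, but to whom is never checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE     # any certificate, including an interposer's, passes
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # lets the peer pick old SSL/TLS
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The 'after': CA-verified certificate, hostname match, TLS 1.2 or newer only."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname + system CA store
    ctx.minimum_version = MIN_ACCEPTABLE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the properties of a secure channel that this context fails to provide."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not verified (server is not authenticated)")
    if not ctx.check_hostname:
        findings.append("server name is not matched against the certificate")
    if ctx.minimum_version < MIN_ACCEPTABLE:
        findings.append("protocol versions below TLS 1.2 are accepted")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or ["ok"])
```

The hardened context still has to be used as ctx.wrap_socket(sock, server_hostname=host): the hostname is what the certificate is matched against, and a client context with check_hostname set raises an error if it is omitted rather than silently skipping the check.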

SET

SET (Secure Electronic Transaction) is a protocol for secure electronic transactions on the Internet. It is based on X.509 digital certificates and is intended for electronic commerce over the network.

This protocol is a standard developed by MasterCard and Visa with the participation of IBM, GlobeSet and other partners. It allows customers to purchase goods online using the most secure payment mechanism available today. SET is an open standard multilateral protocol for making payments on the Internet using plastic cards. It provides cross-authentication between the cardholder's account, the merchant and the merchant's bank to verify payment readiness, as well as message integrity and secrecy, and encryption of valuable and sensitive data. SET can be considered a standard technology or system of protocols for making secure payments based on plastic cards over the Internet.

IPSec

The IPSec specification is part of the IPv6 standard and is an extension to the current version of the TCP/IP protocols. It is developed by the IETF IP Security Working Group. IPSec currently consists of three algorithm-independent core specifications, published as the corresponding RFCs.

The IPSec protocol provides a standard way of encrypting traffic at the network (third) IP layer and protects information end to end: regardless of the application, every packet passing through the channel is encrypted. This lets organizations build virtual private networks over the Internet. IPSec works alongside the ordinary communication protocols and, as originally specified, supported DES, MD5 and a number of other cryptographic algorithms (both DES and HMAC-MD5 are now considered obsolete; current deployments use AES and SHA-2 based integrity algorithms).

Ensuring information security at the network level using IPSec includes:

  • support for unmodified end systems;
  • support for transport protocols other than TCP;
  • support for virtual networks in unprotected networks;
  • protection of the transport layer header from interception (protection from unauthorized traffic analysis);
  • protection against denial of service attacks.

In addition, IPSec has two important advantages:

  1. it requires no changes to intermediate network devices;
  2. desktop computers and servers need not support IPSec themselves when the tunnel is terminated on security gateways.

Features of the Russian market

Historically, in Russia, IT security problems were studied and promptly resolved only in the area of ​​protecting state secrets. Similar but specific problems in the commercial sector of the economy have not found appropriate solutions for a long time. This fact still significantly slows down the emergence and development of secure IT tools in the domestic market, which is being integrated with the global system. Moreover, information security in a commercial automated system has its own characteristics that simply must be taken into account, because they have a serious impact on information security technology. We list the main ones:

  1. Priority of economic factors. For a commercial automated system, it is very important to reduce or eliminate financial losses and ensure that the owner and users of this tool make a profit under real risks. An important condition for this, in particular, is the minimization of typical banking risks (for example, losses due to erroneous payment directions, falsification of payment documents, etc.);
  2. Openness of design, providing for the creation of an information security subsystem from tools that are widely available on the market and work in open systems;
  3. The legal significance of commercial information, which can be defined as a property of secure information that makes it possible to provide legal force to electronic documents or information processes in accordance with the legal regime of information resources established by the legislation of the Russian Federation. This condition has recently become increasingly important in our country along with the creation of a regulatory framework for IT security (especially with the interaction of automated systems of different legal entities).

It is obvious that the creation of secure IT that processes confidential information that does not contain state secrets is extremely important for the economic and financial life of modern Russia. The application in Russia of the harmonized standard ISO 15408 ("Common Criteria"), reflecting the latest global achievements in assessing information security, will allow:

  • introduce Russian IT to modern international information security requirements, which will simplify, for example, the use of foreign products and the export of their own;
  • facilitate the development of relevant Russian specialized regulatory and methodological materials for testing, assessment (monitoring) and certification of secure banking and other IT tools and systems;
  • create a basis for qualitative and quantitative assessment of information risks necessary for insuring automated systems;
  • reduce the overall cost of maintaining an information security regime in banks and corporations by standardizing and unifying the methods, measures and means of protecting information.

State standards

Among the various information technology security standards that exist in our country, a number of documents regulating the protection of the interconnection of open systems should be highlighted (Table 1, lines 1-3). To these you can add regulatory documents on tools, systems and criteria for assessing the security of computer equipment and automated systems (see Table 1, lines 4-8). The last group of documents, like many previously created foreign standards, is focused primarily on protecting state secrets.

Table 1. Regulatory documents governing IT security assessment

No. | Document number          | Description
1   | GOST R ISO 7498-2-99     | Information technology. Open systems interconnection. Basic reference model. Part 2: Security architecture
2   | GOST R ISO/IEC 9594-8-98 | Information technology. Open systems interconnection. The Directory. Part 8: Authentication framework
3   | GOST R ISO/IEC 9594-9-95 | Information technology. Open systems interconnection. The Directory. Part 9: Replication
4   | (no GOST number)         | Guiding document of the State Technical Commission of Russia "RD. SVT. Firewalls. Protection against unauthorized access to information. Indicators of security against unauthorized access to information" (1997)
5   | GOST R 50739-95          | Computer equipment. Protection against unauthorized access to information. General technical requirements
6   | GOST 28147-89            | Information processing systems. Cryptographic protection. Algorithm of cryptographic transformation
7   | GOST R 34.10-94          | Information technology. Cryptographic information protection. Procedures for generating and verifying an electronic digital signature based on an asymmetric cryptographic algorithm
8   | GOST R 34.11-94          | Information technology. Cryptographic information protection. Hash function

How and where different standards work

All currently available standards are multi-level. This means that their use is limited to a certain level of abstraction in information systems (for example, the “Common Criteria” cannot be used to describe in detail the mechanism for generating a session key in the TLS protocol). Obviously, in order to effectively apply standards, it is necessary to have a good understanding of their level and purpose.

Thus, when developing a security policy and a system for assessing its effectiveness, and when conducting comprehensive security testing, it is best to use the provisions of ISO 15408 ("Common Criteria"). The corresponding GOST standards are intended for implementing and assessing the technical quality of encryption and digital signature systems. If a channel for exchanging arbitrary information needs protection, the TLS protocol is appropriate. When the matter is not just protecting the communication line but the security of financial transactions, SET comes into play, with the channel security protocols among its lower-level standards.
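As an added example (not code from the lecture, the page or the InterBank product), the block below implements the block transformation of GOST 28147-89, row 6 of Table 1, in its simplest mode, "simple replacement" (the ECB equivalent), in Python. Two things are assumptions: the S-box set is the test parameter set published with GOST R 34.11-94 as reproduced from memory, and the 256-bit key is split into eight 32-bit subkeys in little-endian word order; both must be checked against RFC 4357 and RFC 5830 before interoperating with a real GOST implementation. The ecb_encrypt helper is there to show why simple replacement alone is not a channel protection: equal plaintext blocks produce equal ciphertext blocks.

```python
# GOST 28147-89 block transformation, "simple replacement" mode.
# Added example; not the page's or any product's code.
from typing import List

# Test parameter set from GOST R 34.11-94 (reproduced from memory; verify against
# RFC 4357 before relying on it). Row i is the 4-bit S-box applied to nibble i of
# the 32-bit word, nibble 0 being the least significant.
SBOX = (
    (4, 10, 9, 2, 13, 8, 0, 14, 6, 11, 1, 12, 7, 15, 5, 3),
    (14, 11, 4, 12, 6, 13, 15, 10, 2, 3, 8, 1, 0, 7, 5, 9),
    (5, 8, 1, 13, 10, 3, 4, 2, 14, 15, 12, 7, 6, 0, 9, 11),
    (7, 13, 10, 1, 0, 8, 9, 15, 14, 4, 6, 12, 11, 2, 5, 3),
    (6, 12, 7, 1, 5, 15, 13, 8, 4, 10, 9, 14, 0, 3, 11, 2),
    (4, 11, 10, 0, 7, 2, 1, 13, 3, 6, 8, 5, 9, 12, 15, 14),
    (13, 11, 4, 1, 3, 15, 5, 9, 0, 10, 14, 7, 6, 8, 2, 12),
    (1, 15, 13, 0, 5, 7, 10, 4, 9, 2, 3, 14, 6, 11, 8, 12),
)
MASK32 = 0xFFFFFFFF

# Subkey schedule: K0..K7 three times, then K7..K0, for encryption; the reversed
# sequence for decryption (a Feistel network is inverted by reversing the key order).
ENCRYPT_ORDER = list(range(8)) * 3 + list(range(7, -1, -1))
DECRYPT_ORDER = ENCRYPT_ORDER[::-1]


def _round_function(x: int, subkey: int) -> int:
    """f(x, K): add K modulo 2^32, pass each nibble through its S-box, rotate left by 11."""
    s = (x + subkey) & MASK32
    out = 0
    for i in range(8):
        out |= SBOX[i][(s >> (4 * i)) & 0xF] << (4 * i)
    return ((out << 11) | (out >> 21)) & MASK32


def _expand_key(key: bytes) -> List[int]:
    """Split the 256-bit key into eight 32-bit subkeys (little-endian word order assumed)."""
    if len(key) != 32:
        raise ValueError("GOST 28147-89 needs a 256-bit (32-byte) key")
    return [int.from_bytes(key[4 * i:4 * i + 4], "little") for i in range(8)]


def _feistel(block: bytes, subkeys: List[int], order: List[int]) -> bytes:
    if len(block) != 8:
        raise ValueError("GOST 28147-89 works on 64-bit (8-byte) blocks")
    n1 = int.from_bytes(block[:4], "little")
    n2 = int.from_bytes(block[4:], "little")
    for idx in order:                                   # 32 rounds
        n1, n2 = n2 ^ _round_function(n1, subkeys[idx]), n1
    # The standard does not swap the halves after the 32nd round, so undo the last swap.
    return n2.to_bytes(4, "little") + n1.to_bytes(4, "little")


def encrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _expand_key(key), ENCRYPT_ORDER)


def decrypt_block(key: bytes, block: bytes) -> bytes:
    return _feistel(block, _expand_key(key), DECRYPT_ORDER)


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Simple replacement over a whole message: every 8-byte block encrypted independently.
    This exposes the mode's weakness on purpose: equal plaintext blocks give equal ciphertext
    blocks, which is why the standard's gamma (stream) modes are used for real channels."""
    if len(data) % 8:
        raise ValueError("data must be a multiple of 8 bytes (pad it first)")
    return b"".join(encrypt_block(key, data[i:i + 8]) for i in range(0, len(data), 8))


if __name__ == "__main__":
    key = bytes(range(32))                              # constructed demo key, never reuse it
    ct = ecb_encrypt(key, b"ATTACK AT DAWN  ATTACK AT DAWN  ")
    print(ct.hex())
    print("repeated plaintext visible in ciphertext:", ct[:16] == ct[16:32])
```

The round trip decrypt_block(key, encrypt_block(key, block)) == block holds for any key and block because a Feistel network inverts itself when the subkeys are applied in reverse order, independently of the S-box contents; that is also why an unverified S-box set still "works" while being non-interoperable, so test against published vectors before shipping.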

From theory to practice

To demonstrate the practical significance of the above provisions, here is a list of the security standards used in the InterBank electronic banking services complex.

The SSL (TLS) protocol can be used to protect the information exchange channel in the RS-Portal and Internet Client systems. Standards GOST 28147-89, GOST R 34.10-94 and GOST R 34.11-94, regulating data encryption and the electronic digital signature mechanism, are implemented in all cryptographic protection systems of subsystems of the "client-bank" type ("DOS Client", "Windows Client" , "Internet Client").

Using the IPSec protocol, you can transparently protect any information exchange channel between the client and the bank using the IP network protocol. This applies to both Internet systems (RS-Portal and Internet Client) and the RS-Mail email system, which supports IP operation.

We hope that the information provided in the article will help you assess the reliability of your systems, and the efforts and time of developers will be directed to creating truly the best tools that will become a new step in the development of information security technology.


International standards

  • BS 7799-1:2005 - British Standard BS 7799 first part. BS 7799 Part 1 - Code of Practice for Information Security Management describes the 127 controls required to build information security management systems(ISMS) of the organization, determined on the basis of the best examples of global experience (best practices) in this area. This document serves as a practical guide to creating an ISMS
  • BS 7799-2:2005 - British Standard BS 7799 is the second part of the standard. BS 7799 Part 2 - Information Security management - specification for information security management systems specifies the ISMS specification. The second part of the standard is used as criteria during the official certification procedure for the organization's ISMS.
  • BS 7799-3:2006 - British Standard BS 7799 third part of the standard. A new standard in information security risk management
  • ISO/IEC 17799:2005 - “Information technology - Security technologies - Information security management practice.” International standard based on BS 7799-1:2005.
  • ISO/IEC 27000 - Vocabulary and definitions.
  • ISO/IEC 27001:2005 - "Information technology - Security techniques - Information security management systems - Requirements." International standard based on BS 7799-2:2005.
  • ISO/IEC 27002 - the renumbered ISO/IEC 17799:2005, "Information technology - Security techniques - Code of practice for information security management"; the new number was assigned in 2007.
  • ISO/IEC 27005 - Information security risk management; based on BS 7799-3:2006.
  • German Information Security Agency. IT Baseline Protection Manual - Standard security safeguards.

State (national) standards of the Russian Federation

  • GOST R 50922-2006 - Information protection. Basic terms and definitions.
  • R 50.1.053-2005 - Information technologies. Basic terms and definitions in the field of technical information security.
  • GOST R 51188-98 - Information protection. Testing software for computer viruses. Model manual.
  • GOST R 51275-2006 - Information protection. Information object. Factors influencing information. General provisions.
  • GOST R ISO/IEC 15408-1-2008 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 1. Introduction and general model.
  • GOST R ISO/IEC 15408-2-2008 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 2. Security functional requirements.
  • GOST R ISO/IEC 15408-3-2008 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 3. Security assurance requirements.
  • GOST R ISO/IEC 15408 - "Common Criteria for assessing the security of information technologies" - a standard that defines the tools and methods for evaluating the security of information products and systems; it contains a list of requirements against which the results of independent security evaluations can be compared, allowing the consumer to make decisions about the security of products. The scope of the Common Criteria is the protection of information from unauthorized access, modification or leakage and other protection methods implemented in hardware and software.
  • GOST R ISO/IEC 17799 - "Information technology. Code of practice for information security management." Direct application of the international standard ISO/IEC 17799:2005.
  • GOST R ISO/IEC 27001 - "Information technology. Security techniques. Information security management systems. Requirements." Direct application of the international standard ISO/IEC 27001:2005.
  • GOST R 51898-2002: Safety aspects. Rules for inclusion in standards.

Guiding Documents

  • RD SVT. Protection against unauthorized access (NSD). Indicators of security against unauthorized access to information - describes the security indicators of computer equipment (SVT) and the requirements for each security class.

See also

  • Undeclared capabilities


Wikimedia Foundation. 2010.


Books

  • Information security standards. Protection and processing of confidential documents. Training manual, Sychev Yuri Nikolaevich. It is impossible for specialists working in the field of information security to do without knowledge of international and national standards and guidance documents. The need to use...
  • International foundations and standards of information security of financial and economic systems. Study guide, Yulia Mikhailovna Beketnova. The publication is intended for undergraduate and graduate students studying Information Security, as well as researchers, teachers, graduate students,…

International standards

  • BS 7799-1:2005 - British Standard BS 7799 first part. BS 7799 Part 1 - Code of Practice for Information Security Management describes the 127 controls required to build information security management systems(ISMS) of the organization, determined on the basis of the best examples of global experience (best practices) in this area. This document serves as a practical guide to creating an ISMS
  • BS 7799-2:2005 - British Standard BS 7799 is the second part of the standard. BS 7799 Part 2 - Information Security management - specification for information security management systems specifies the ISMS specification. The second part of the standard is used as criteria during the official certification procedure for the organization's ISMS.
  • BS 7799-3:2006 - British Standard BS 7799 third part of the standard. A new standard in information security risk management
  • ISO/IEC 17799:2005 - “Information technology - Security technologies - Information security management practice.” International standard based on BS 7799-1:2005.
  • ISO/IEC 27000 - Vocabulary and definitions.
  • ISO/IEC 27001 - "Information technology - Security techniques - Information security management systems - Requirements." International standard based on BS 7799-2:2005.
  • ISO/IEC 27002 - Now: ISO/IEC 17799:2005. "Information technologies - Security technologies - Practical rules for information security management." Release date: 2007.
  • ISO/IEC 27005 - Now: BS 7799-3:2006 - Guidance on information security risk management.
  • German Information Security Agency. IT Baseline Protection Manual - Standard security safeguards.

State (national) standards of the Russian Federation

  • GOST R 50922-2006 - Information protection. Basic terms and definitions.
  • R 50.1.053-2005 - Information technologies. Basic terms and definitions in the field of technical information security.
  • GOST R 51188-98 - Information protection. Testing software for computer viruses. Model manual.
  • GOST R 51275-2006 - Information protection. Information object. Factors influencing information. General provisions.
  • GOST R ISO/IEC 15408-1-2012 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 1. Introduction and general model.
  • GOST R ISO/IEC 15408-2-2013 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 2. Security functional requirements.
  • GOST R ISO/IEC 15408-3-2013 - Information technology. Methods and means of ensuring security. Criteria for assessing the security of information technologies. Part 3. Security assurance requirements.
  • GOST R ISO/IEC 15408 - “General criteria for assessing the security of information technologies” - a standard that defines tools and methods for assessing the security of information products and systems; it contains a list of requirements against which the results of independent security assessments can be compared, allowing the consumer to make decisions about the security of products. The scope of the “General Criteria” is the protection of information from unauthorized access, modification or leakage, and other protection methods implemented in hardware and software.
  • GOST R ISO/IEC 17799 - “Information technologies. Practical rules for information security management.” Direct application of the international standard ISO/IEC 17799:2005, with additions.
  • GOST R ISO/IEC 27001 - “Information technologies. Security methods. Information security management system. Requirements.” Direct application of the international standard ISO/IEC 27001:2005.
  • GOST R 51898-2002 - Safety aspects. Rules for inclusion in standards.

It is gratifying that the market understands the importance and necessity of information security, and its attention to information security issues is constantly growing.

To explain this trend, you don’t have to go far: we hear about high-profile compromises of information systems that bring significant financial and reputational losses. In some cases, they have become completely irreversible for a particular business. Thus, the security of an organization’s own information becomes not only the key to its uninterrupted operation, but also a criterion of reliability for its partners and clients.

The market plays by the same rules, and the criteria for measuring the current level of security and the effectiveness of information security management processes are the same for all its players. That role is played by standards, which are designed to help a company build the required level of information protection. The most popular in the Russian banking industry are the ISO/IEC 27000 series of standards, the Bank of Russia standard for ensuring the information security of banking system organizations, and the PCI DSS payment card data security standard.

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have developed and published ISO/IEC 27000 series standards. They contain recommendations for building an information security management system. Accredited auditing companies have the right to carry out certification according to standards, guided by the requirements laid down in them.

Because Russian market participants are under no strict requirement to comply with the Standard, its prevalence is quite low. For example, in Japan alone the number of companies that have successfully passed an audit against the international standard is almost 200 times greater than the same figure for Russia and the CIS countries.

It should be noted that this count does not include companies that actually comply with the requirements of the Standard but have not undergone formal certification. In other words, in Russia and the CIS countries there are many companies that have decided to build processes for managing and maintaining their level of information security not for the sake of a box to tick in the form of a certificate of conformity, but for real benefit. The point is that the 27000 series standards are often the first step in the development of an information security system, and using them as a guideline lays the foundation on which an effective information security management system is then built and developed.

STO BR IBBS is a standard quite close to ISO/IEC 27001, created by the Bank of Russia for organizations in the banking sector and designed to ensure an acceptable current level of information security and of security management processes in banks. Its stated goals were to increase the level of trust in the banking industry, provide protection against security threats and reduce the damage from information security incidents. The standard is advisory and was not particularly popular until the 2010 version.

Active implementation of STO BR IBBS began with the release of a version of the standard that included requirements for ensuring the security of personal data, followed by an information letter recognizing compliance with the standard as an alternative way of complying with legislation on personal data security. Currently, according to unofficial statistics, about 70% of banks have adopted the Bank of Russia standard as mandatory.

The STO BR IBBS standard is a fairly dynamically developing set of documents whose requirements for ensuring and managing information security are adequate to modern threats. Despite its official advisory status, its use in banks is already becoming a de facto necessity; for non-financial organizations, the documents of the IBBS complex can serve as a set of good practices in ensuring information security.

Finally, another extremely important standard for financial organizations is the Payment Card Industry Data Security Standard (PCI DSS). It was created on the initiative of the world's five largest payment systems - Visa, MasterCard, JCB, American Express and Discover - which organized the Payment Card Industry Security Standards Council (PCI SSC). Payment cards must be serviced according to uniform rules and with a defined level of information security. Obviously, security is a key factor in any technology that handles money, so protecting payment card data is a priority task of any payment system.

The key difference between the PCI DSS standard and those listed above is its mandatory application for all organizations processing payment cards. At the same time, the requirements for conformity assessment are quite flexible - they depend on the number of transactions processed: from self-assessment to passing a certification audit. The latter is carried out by a company with PCI QSA status.

A key feature of the emergence of the PCI DSS standard was the designation of deadlines for achieving compliance. This has resulted in most of the major players in the payment card industry doing the work to comply. As a result, this affected the overall level of security for both individual participants and the entire cashless payment industry.

Although the emergence of the standard was an initiative of the largest players in the payment system industry, it can find its application and become a guideline for organizations not associated with this industry. The main advantage of using it is constant updates and, as a result, current measures and recommendations to reduce information security threats.

Applying standards and complying with their requirements is undoubtedly good practice and a big step forward when building an information security system. Unfortunately, there are examples showing that the mere fact of compliance does not guarantee a high level of security. A certificate remains valid for a fixed period, during which procedures set up solely for formal compliance can simply stop working. Thus, the state of the organization's information security system six months after the audit may no longer correspond to the assessment made at the time of the audit.

In addition, when analyzing possible risks, the human factor cannot be excluded, which may mean an error by the auditors themselves in determining the scope of the audit, the composition of the components being checked and the general conclusions.

In conclusion, it should be noted that compliance with standards does not replace the ongoing process of ensuring the security of critical information. There is no perfect security, but using a range of tools allows you to reach the highest achievable level of information security. Information security standards are exactly such a tool.
