The principles of corporate information security arise from a corporation, or organization, whose members may be one. Such an IS entity may be a large company with its own values tailored to the needs of the organization, a holding structure, or a public organization. The main difference from the normal IS structure is the increased role of the personnel or members of the corporation in providing data protection.
The peculiarity of corporation as an association of economic entities is the presence of many systems and local corporate networks of different levels, for which it is necessary to develop unified regulations and security methods. The task requires the diversion of a large amount of efforts and resources – human, time and financial – and is not always successfully solved. Only reliance on human factor and creation of understanding of information security as a single value of the company can eliminate risks by 70%. But the level of threats is growing every year, which requires especially high qualification of IS specialists.
It is difficult to predict the source of threats if the corporation is engaged in trade and manufacturing activities, is not a personal data operator, does not own the key information infrastructure objects. For these market actors, external threats are always more dangerous than competitors or insiders. And for a corporation or a mid-level company, competitors are more dangerous than global hacker groups. But having an electronic payment service, for example, when selling goods over the Internet will make them a target company for people who want to get hold not only of information of uncertain value, but also of money. The main risk for confidential information is the human factor, the level of protection of networks from insiders is often extremely low.
The key tasks of an IS specialist in these conditions will be:
- availability of applications, providing business processes for users, absence of risks of system failure and malfunction;
- availability of Internet applications and sites with stores for customers, minimizing the risk of DDoS-attacks;
- protection of key confidential information from theft as a result of external attacks or as a result of the activities of insiders. The most vulnerable asset is considered to be the customer database, which usually goes from company to company along with the sales manager;
- The integrity of information, its safety and integrity as a result of external attacks or the work of insiders who want to change the data in order to hide unreliable transactions A breach of information integrity becomes a problem during an audit, if the auditing organization identifies facts of interference in the structure of the accounting or financial accounting data.
Information security risks according to the mechanism of their manifestation are divided into:
- malicious programs (Trojans, crypto-ransomware);
- phishing emails;
- DDoS-attacks and denial of service;
- external connections to communication channels in order to intercept data packets;
- spoofing of the first page of the site.
There are different cures for these ailments – organizational, technical and software. In a corporation with a large staff, where insider threats become a high priority, special attention should be paid to organizational measures. They help avoid an incident rather than minimize its consequences and conduct internal investigations with not always predictable results without the ability to obtain evidence sufficient to hold the culprit accountable.
Corporate protection methods
Organizational and procedural solutions turn out to be the most demanded for the corporate information security system. But their implementation should be accompanied by professional work of HR departments and security service of the company The main task is not to impose regulations that distract from the support of business processes, but to explain the value of confidential information and the general interest in its protection.
Organizational means of protecting corporate information security usually begin with the implementation of regulations and policies, which, if not supported by the authority of senior management, are either silently ignored or, in the case of enforcement, cause aggression. Sometimes it is manifestations like this that indicate that sensitive data is at risk, someone in management or top employees is using it to their advantage and has no intention of giving up their privileges. The first step in combating this problem is to create unified ethical values, in which each employee of the corporation should feel personally responsible for the safety of data and compliance with all requirements of regulations.
As it is mentioned in the reports of large consulting companies, the question of the reality of corporate information security threats is still not very serious for the Russian business community. That part of the business, faced with cyber-threats, has already installed DLP- and SIEM-systems, audited the network health and has a system of monitoring threats and response to incidents of cyber-security. Others believe, in the old fashioned way, that the only issue that needs to be addressed is limiting employee Internet use and, on rare occasions, blocking USB logins to computers. Everything else is handled by the standard anti-virus and Windows firewall, sometimes even unlicensed. The result is a massive theft of client databases and personal customer information that instantly appears on the darknet black market.
Some companies pc data protection are being pushed by regulators who have requirements for personal data operators.
Such requirements include:
- Use of technical means of information protection and software that has been tested and certified and guarantees the necessary level of data protection;
- Compliance of information infrastructure with laws and bylaws;
- Development of a strategy for timely updates of critical software;
- availability of a mechanism for responding to information security incidents, such as OTT solutions;
- combating viruses using certified anti-virus protection tools;
- data encryption;
- Adoption of a documentation package regulating all aspects of work with the IS that processes personal data.
But even in order to comply with the requirements of regulators, staff must understand that when risks arise on their part, threatening fines, monetary losses as a result of lawsuits from customers, they also find themselves at risk in terms of payment of motivational bonuses and retention of employment. It is necessary to conduct training, acquainting employees with the models of risks and the basic ways of reaction to them. The need to develop company regulations to meet IS requirements is created by the needs of the risk model and the work of regulators.
Common Threat Model
In every organization, the business threat model should be part of the corporate documentation package that employees are introduced to when they are hired.
For employees to understand, the threat structure should look like this:
1. Threats to Business. If these are threats to reputation – black PR, negative publications in the media, caused by leaks and data leaks, they will affect the employees, because a company with a negative reputation on its CV will make it difficult for them to find a job. If these are threats to investment – decisions are made based on inaccurate or fake information and they are ineffective, then these risks will affect employee bonuses.
2. Threats to data per se – both personal and confidential information. Intentional leaks of information can lead to criminal liability, and a possible suspension of a company’s operations threatens the loss of employment.
3. Threats to employees. In addition to enticing employees or offering them monetary compensation for providing information, competitors may apply more rigid methods of struggle, for example, openly stealing mobile devices, i.e. the carriers of information. Eliminating the risk of finding data on mobile devices will reduce the extent of such threats.
4. Threats to the company’s IP, causing application failures, server unavailability entails the suspension of activities and losses, which affects the salaries of all employees, not just those who are careless in the use of email and accidentally initiate malicious programs.
5. Financial threats. Intentional misrepresentation of reporting triggers fines from the Federal Tax Service, and actions that allow attackers to steal company funds also Clarifying why compliance with information security rules is primarily needed by employees themselves is the best preventive measure to ensure a high degree of IS. They should be supported by requirements not to disclose confidential information, reflected in job descriptions and employment contracts. This will make it possible to hold the violator accountable, if necessary.
Software and hardware
In addition to the explanatory work, the technical aspect of the corporate information security should be elaborated just as thoroughly. Regulators recommend preparing two fundamental documents – the IS Strategy and Risk Model, which reflect:
- The type of threats and the image of a hypothetical attacker;
- The system architecture, its main nodes and elements;
- objects of protection;
- classification of information confidentiality levels;
- rules of access differentiation and assignment of privileges;
- requirements for software and its updates;
- requirements for software and hardware.
Next comes the stage of information security program implementation. To create protection against insider risks the following elements of information security are implemented:
- an access control system. It should exist at a physical level, restricting access to servers and workstations by unauthorized persons, and recording all visits to the server room in the logbook.
- At the software level, it differentiates access to information of different levels of confidentiality for employees of different ranks;
- authentication system, with a two-factor system reducing the risk of unauthorized access;
- email filtering to protect against spam, viruses, phishing;
- means of trusted download;
- data leakage control. The task is solved by installing a DLP system.
The following solutions are used to protect against external threats:
- anti-virus protection tools;
- firewalls (firewalls);
- means of protection against intrusions;
- scanners and other means to monitor network vulnerabilities;
- means of cryptographic protection of data.
When transmitting information over external channels, traffic encryption and protected data transfer protocols, VPN technologies are used. Of technical devices, routers are used.