How to assess information security risks. Management of risks

This Plan has been developed in accordance with the requirements and recommendations of information security standards.

Information security risk — the risk of direct or indirect losses resulting from non-compliance by the organization's employees with the established rules and procedures for ensuring information security, from faults and failures in the operation of information systems and equipment, or from accidental or deliberate actions of individuals or legal entities directed against the interests of the organization.

Information security risk treatment is the process of selecting and implementing safeguards that reduce the risk of an information security breach, or measures to transfer, accept or avoid risk.

The plan defines the necessary actions and procedures to be followed by the organization when dealing with information security risks.

2. Information security risk treatment

2.1. The degree of influence of information security risk

Depending on the degree of influence of an information security risk on the financial result of the organization's activities, the following levels of information security risk are distinguished:

  • minimal risk: financial losses are absent or insignificant, the disruption of the information infrastructure is confined to a single workstation and does not lead to suspension of the organization's activities, recovery time is up to one hour;
  • medium risk: financial losses are insignificant, a significant part of the information infrastructure is disrupted and the organization's activities are suspended, recovery time is up to three hours, financial costs of recovery are insignificant;
  • high risk: financial losses are significant, the entire information infrastructure is disrupted and the organization's activities are suspended, recovery time is up to one day, financial costs of recovery are average;
  • critical risk: financial losses are critical, the entire information infrastructure is disrupted, recovery time is up to several weeks, financial costs of recovery are average.

2.2. Risk treatment options

2.2.1. Risk reduction

Action : The level of risk must be reduced through the selection of protection and control measures so that the residual risk can be reassessed as tolerable.

Implementation Guide : Appropriate and justified safeguards and controls must be selected to meet the requirements identified through the risk assessment and risk treatment process. Such selection should take into account the risk acceptance criteria as well as legal, regulatory and contractual requirements, and also the cost and time of implementing the controls and any technical and environmental aspects. Safeguards and controls can provide one or more of the following types of protection: remediation, elimination, prevention, mitigation, containment, detection, recovery, monitoring and awareness.

When choosing safeguards and controls, it is important to weigh the cost of acquiring, implementing, administering, operating, monitoring and maintaining them against the value of the assets being protected.

Constraints on implementing the "Risk reduction" option are:

  • time constraints;
  • financial constraints;
  • technical constraints;
  • operational constraints;
  • legal constraints;
  • usability constraints;
  • personnel constraints;
  • constraints on integrating new controls with existing ones.

2.2.2. Risk retention

Implementation Guide : If the risk level meets the risk acceptance criteria, there is no need to implement additional safeguards and controls, and the risk can be retained.

2.2.3. Risk avoidance

Action : The activity or condition giving rise to the particular risk should be abandoned.
Implementation Guide : When the identified risks are high or critical and the costs of implementing other risk treatment options outweigh the benefits, a decision may be made to avoid the risk entirely by terminating the programme, abandoning a planned or existing activity or set of activities, or changing the conditions under which the activity is conducted.

2.2.4. Risk transfer

Action : The risk must be transferred to the party that can most effectively manage it.
Implementation Guide : Risk transfer involves the decision to share certain risks with external parties. Transfer shifts the management of the risk, not the organization's liability for the impact of a breach, which normally remains with the organization.

The transfer can be done:

  • through insurance that will cover the consequences;
  • through subcontracting (outsourcing) to a partner whose role will be to monitor the information system and take immediate action to stop an attack before it leads to a given level of damage.

2.2.5. Acceptance of Information Security Risk

Input data : The risk treatment plan and residual risk assessment is subject to the risk acceptance decision of the organization's management.

Action : A decision must be made and formally recorded to accept the risks and the responsibility for that decision.

Implementation Guide : Risk acceptance criteria can be more multifaceted than simply determining whether residual risk is above or below a single threshold.

In some cases the level of residual risk may not meet the risk acceptance criteria because the criteria applied do not take into account the prevailing circumstances. For example, it may be argued that the risk has to be taken because the benefits associated with it are very attractive, or because the cost of reducing it is very high. It is not always possible to revise the risk acceptance criteria in a timely manner. In such cases decision makers may have to accept risks that do not meet the standard acceptance criteria. If so, the decision maker should explicitly comment on the risks and record a rationale for a decision that overrides the standard risk acceptance criteria.

Output : A list of accepted risks, with justification for those risks that do not meet the organization's standard risk acceptance criteria.

2.2.6. Information security risk communication

Input data : All risk information obtained as a result of risk management activities.

Action : Decision makers and other stakeholders should exchange and/or share risk information.
Implementation Guide : Risk communication is the activity of reaching agreement on how to manage risk by exchanging and/or sharing risk information between decision makers and other stakeholders (for example, agreeing with the other parties involved on the possibility of withdrawing (replacing, correcting) erroneous information within an acceptable period of time).
Effective communication between stakeholders is essential, as it can have a significant impact on the decisions to be made. Communication provides assurance that those responsible for risk management and the stakeholders understand the basis on which decisions are made and the reasons for taking particular actions. Communication is bidirectional.
Output : Continuous understanding of the organization's information security risk management process.

3. Distribution of roles for the implementation of the risk treatment plan

3.1. Organization leadership:

  • determines the rules and procedures for risk management;
  • considers and makes decisions on improving the security of the organization and its customers;
  • evaluates the risks that affect the achievement of the set goals and takes measures to respond to changing circumstances and conditions in order to ensure the effectiveness of the risk assessment;
  • determines the organizational structure of the organization.

3.2. Department of Economic Security:

  • participates in the development and testing of methods for assessing the risk of information security;
  • monitors, analyzes and assesses information security risks;
  • participates in the preparation of information on the results of monitoring the information security risk as part of the operational risk;
  • prepares proposals for correcting the methodology for assessing information security risks;
  • prepares proposals for the development and implementation of measures, procedures, mechanisms and technologies to limit and reduce information security risks;
  • participates in the implementation of protective measures;
  • exercises control over the implemented protective measures;
  • develops internal regulations of the organization on information security risks.

3.3. Risk Analysis and Control Department:

  • collects and enters into the analytical database information on the state of information security risk as part of operational risk;
  • assesses operational risk;
  • monitors compliance with the established limits of indicators used to monitor operational risk;
  • regularly submits reports to the Risk Committee;
  • develops and implements measures, procedures, mechanisms and technologies to limit and reduce operational risk.

3.4. Organization employee:

  • assists in monitoring, analyzing and assessing information security risks;
  • reports to the immediate supervisor on identified information security risk factors.

4. Conclusion

This Plan is exemplary and in each case should take into account the specifics of the current situation.


Basic principles of information security risk management

Regardless of differences in their operations, products and services, organizations apply five principles of information security risk management:

  • assess risk and identify needs;
  • establish centralized management;
  • implement the necessary policies and appropriate controls;
  • promote employee awareness;
  • monitor and evaluate the effectiveness of policies and controls.

An essential factor in the effective implementation of these principles is a linked cycle of activities that keeps information security management constantly focused on current risks. It is important that the top management of the organization recognizes the risks of business process disruption associated with the security of information systems. The basis for developing and implementing policies and selecting the necessary controls is the risk assessment of individual business applications. The steps taken raise user awareness of the risks and of the associated policies. The effectiveness of controls is evaluated through various reviews and audits. The results feed the subsequent risk assessment and determine the necessary changes in policies and controls. All these actions are centrally coordinated by the security service or by a staff of specialists consisting of consultants, representatives of business units and the organization's management.

Risk assessment is the first step in implementing an information security program. Security is not seen "on its own" but as a set of policies and related controls designed to secure business processes and mitigate related risks. Thus, the identification of business risks associated with information security is the starting point of the risk (information security) management cycle.

Recognition of information security risks by the organization's management, as well as a set of measures aimed at identifying and managing these risks, is an important factor in the development of an information security program. This management approach will ensure that information security is taken seriously at the lower organizational levels of the organization, and information security professionals are provided with the resources necessary to effectively implement the program.

There are various risk assessment methodologies, ranging from informal discussion of risk to rather complex methods involving the use of specialized software tools. However, the world experience of successful risk management procedures describes a relatively simple process involving the participation of various departments of financial institutions with the involvement of specialists with knowledge of business processes, technical specialists and information security specialists. It is worth emphasizing that understanding risks does not provide for their precise quantification, including the likelihood of an incident or the cost of damage. Such data is not available as losses may not be detected and management may not be informed. In addition, there is limited data on the full costs of repairing the damage caused by weak security controls, as well as the operating costs of these mechanisms (controls). Due to constant changes in technology, as well as software tools and tools available to attackers, the application of statistics collected in previous years is questionable. As a result, it is difficult to accurately compare the cost of controls with the risk of loss in order to determine which control is the most cost-effective. In any case, business unit managers and information security specialists should rely on the best information available to them when deciding on the choice of necessary controls (methods).

Business unit managers should be primarily responsible for determining the level of security (confidentiality) of information resources that support business processes. It is business unit managers who are best able to determine which of the information resources is the most critical, as well as the possible impact on the business, in case of violation of its integrity, confidentiality or availability. In addition, business unit managers may point out controls that can harm business processes. Thus, by involving them in the selection of controls, it can be ensured that the controls meet the requirements and will be successfully implemented.

Information security should be given ongoing attention to ensure the adequacy and effectiveness of controls. Modern information and related technologies, as well as factors related to information security, are constantly changing. Such factors include threats, technologies and system configurations, known vulnerabilities in software, the level of reliability of automated systems and electronic data, and the criticality of data and operations. The steering group acts primarily as an adviser or consultant to business units, and cannot impose methods (means) of information security. In general, the steering group should be (1) a catalyst (accelerator) of the process, ensuring that information security risks are considered continuously; (2) a central consulting resource for organizational units; (3) a means of communicating to the management of the organization information about the state of information security and the measures taken. In addition, the steering group allows you to centrally manage the assigned tasks, otherwise these tasks may be duplicated by various departments of the organization. Employees of the organization should be involved in various aspects of the information security program and have the appropriate skills and knowledge. The required level of professionalism of employees can be achieved through trainings, which can be carried out by both specialists of the organization and external consultants.

Policies in the field of information security are the basis for the adoption of certain procedures and the choice of means (mechanisms) of control (management). Policy is the primary mechanism by which management communicates its opinions and requirements to employees, customers and business partners. For information security, as well as for other areas of internal control, the requirements of policies directly depend on the results of risk assessment. A comprehensive set of adequate policies that are accessible and understandable to users is one of the first steps in establishing an information security program. It is worth emphasizing the importance of continuous maintenance (adjustment) of policies for a timely response to identified risks and possible disagreements.



The competence of users is a prerequisite for successful information security, and also helps to ensure that controls work properly. Users cannot follow a policy they do not know or understand. Unaware of the risks associated with an organization's information resources, they may not see the need to implement policies designed to mitigate risks.

Like any kind of activity, information security is subject to control and periodic re-evaluation to ensure the adequacy (compliance) of policies and means (methods) of control with the goals set.

Control should focus primarily on (1) the availability of controls and methods and their use aimed at reducing risks and (2) evaluating the effectiveness of the information security program and policies that improve user understanding and reduce the number of incidents. Such checks include testing the means (methods) of control, assessing their compliance with the policies of the organization, analyzing security incidents, as well as other indicators of the effectiveness of the information security program. The performance of the steering group can be assessed based on, for example, the following indicators (but not limited to):

  • number of trainings and meetings held;
  • number of risk assessments performed;
  • number of certified specialists;
  • absence of incidents that impede the work of the organization's employees;
  • decrease in the number of new projects delayed because of information security problems;
  • full compliance with, or agreed and recorded deviations from, the minimum information security requirements;
  • decrease in the number of incidents involving unauthorized access, loss or distortion of information.

Monitoring certainly brings an organization into compliance with its accepted information security policies, but the full benefit of monitoring is not achieved unless the results are used to improve the information security program. Analysis of the monitoring results gives information security professionals and business unit managers the means to (1) re-evaluate previously identified risks, (2) identify new problem areas, (3) re-evaluate the sufficiency and appropriateness of existing controls and information security actions, (4) determine the need for new controls and mechanisms, and (5) redirect control efforts. In addition, the results can be used to evaluate the performance of the business managers responsible for understanding and mitigating risk across business units.
It is important to ensure that (1) information security professionals keep up with the development of methods and tools (applications) and have the latest information about the vulnerability of information systems and applications, (2) top management ensures that it has the necessary resources for this.

Analysis Methods

PEST is an abbreviation of four English words: P - Political-legal factors, E - Economic factors, S - Sociocultural factors, T - Technological factors.

PEST-analysis consists in identifying and evaluating the influence of macro-environment factors on the results of the current and future activities of the enterprise .

There are four groups of factors that are most significant for the strategy of the enterprise:

  • political and legal;
  • economic;
  • sociocultural;
  • technological.

The purpose of the PEST analysis is to track (monitor) changes in the macro environment in four key areas and identify trends and events that are not under the control of the enterprise, but that affect the results of strategic decisions made.

Table 1. PEST analysis

Politics (P):
  1. Government stability
  2. Change in legislation
  3. State influence on industries
  4. State regulation of competition in the industry
  5. Tax policy

Economy (E):
  1. General characteristics of the economic situation (rise, stabilization, decline)
  2. National currency exchange rate and refinancing rate
  3. Inflation rate
  4. Unemployment rate
  5. Energy prices

Society (S):
  1. Demographic changes
  2. Changes in the income structure
  3. Attitude towards work and leisure
  4. Social mobility of the population
  5. Consumer activity

Technology (T):
  1. State technology policy
  2. Significant R&D trends
  3. New products (rate of innovation and absorption of new technologies)
  4. New patents

The political factor of the external environment is studied primarily in order to have a clear idea of the intentions of public authorities with respect to the development of society and of the means by which the state intends to implement its policies.

Analysis of the economic aspect of the external environment makes it possible to understand how economic resources are formed and distributed at the state level. For most enterprises this is the most important condition of their business activity.

Study of the social component of the external environment is aimed at understanding and evaluating the impact on business of such social phenomena as people's attitude to the quality of life, people's mobility, consumer activity, etc.

Analysis of the technological component makes it possible to foresee the opportunities associated with the development of science and technology, to adjust in time to the production and sale of a technologically promising product, and to predict when the technology in use should be abandoned.

The procedure for conducting PEST analysis.

The external analysis consists of the following stages:

1. A list of external strategic factors is drawn up that have a high probability of occurring and of affecting the functioning of the enterprise.

2. The significance (probability of occurrence) of each event for the given enterprise is assessed by assigning it a weight from one (most important) to zero (insignificant). The sum of the weights must equal one, which is ensured by normalization.

3. The degree of influence of each factor-event on the company's strategy is assessed on a 5-point scale: "five" - strong impact, serious danger; "one" - no impact, no threat.

4. Weighted estimates are obtained by multiplying the weight of each factor by the strength of its impact, and the total weighted estimate for the enterprise is calculated.

The total assessment indicates the degree of readiness of the enterprise to respond to current and predicted environmental factors.

Table 2. Results of the analysis of external strategic factors

In this case, the score of 3.05 shows that the company's response to strategic environmental factors is at an average level.
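The weighted assessment of steps 1 to 4, as an added example that is not part of the original text. The factor names, raw weights and impact scores are constructed for illustration (nothing here reproduces the 3.05 of Table 2); the normalization and range checks are the ones worth running before trusting any such total.

```python
# Added example (not from the original page): weighted assessment of external
# strategic factors as described in steps 1-4. The factor names, raw weights
# and impact scores below are constructed for illustration.
from typing import Dict, List, Tuple

IMPACT_MIN, IMPACT_MAX = 1, 5   # 1 = no impact, 5 = strong impact / serious danger


def normalize_weights(raw: Dict[str, float]) -> Dict[str, float]:
    """Step 2: scale raw significance weights so that they sum to exactly one."""
    if any(w < 0 for w in raw.values()):
        raise ValueError("weights must be non-negative")
    total = sum(raw.values())
    if total <= 0:
        raise ValueError("at least one factor must carry a positive weight")
    return {name: w / total for name, w in raw.items()}


def weighted_assessment(
    raw_weights: Dict[str, float], impact: Dict[str, int]
) -> Tuple[List[Tuple[str, float, int, float]], float]:
    """Steps 3 and 4: (factor, weight, impact, weighted estimate) rows and the total.

    The total is the sum of weight * impact over all factors; with weights that
    sum to one it lies on the same 1..5 scale as the individual impact scores.
    """
    if set(raw_weights) != set(impact):
        missing = set(raw_weights) ^ set(impact)
        raise ValueError(f"factors without both a weight and an impact: {sorted(missing)}")
    weights = normalize_weights(raw_weights)
    rows: List[Tuple[str, float, int, float]] = []
    for name, w in weights.items():
        score = impact[name]
        if not IMPACT_MIN <= score <= IMPACT_MAX:
            raise ValueError(f"{name}: impact {score} outside {IMPACT_MIN}..{IMPACT_MAX}")
        rows.append((name, round(w, 3), score, round(w * score, 3)))
    total = round(sum(w * impact[name] for name, w in weights.items()), 2)
    return rows, total


# Constructed PEST factors for a bank's information security function.
# Raw weights are "points out of 100" as an expert panel might allocate them;
# normalization turns them into weights that sum to one.
SAMPLE_WEIGHTS = {
    "tightening of personal data protection legislation": 20,
    "state regulation of the banking industry": 15,
    "inflation driving up the cost of security staff": 15,
    "decline in consumer activity": 10,
    "rate of adoption of new technologies by attackers and customers": 25,
    "shift of customers toward remote service channels": 15,
}
SAMPLE_IMPACT = {
    "tightening of personal data protection legislation": 4,
    "state regulation of the banking industry": 3,
    "inflation driving up the cost of security staff": 3,
    "decline in consumer activity": 2,
    "rate of adoption of new technologies by attackers and customers": 5,
    "shift of customers toward remote service channels": 2,
}

if __name__ == "__main__":
    rows, total = weighted_assessment(SAMPLE_WEIGHTS, SAMPLE_IMPACT)
    for name, w, score, est in rows:
        print(f"{name:65s} weight={w:.3f} impact={score} weighted={est:.3f}")
    print(f"total weighted estimate: {total}")
```

For the constructed sample the total comes out at 3.45 on the 1..5 scale. The two checks matter in practice: a panel that allocates points rather than fractions will not produce weights summing to one, and an impact outside 1..5 silently distorts the total if it is not rejected.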

The SWOT method used for environmental analysis is a widely recognized approach that allows for a joint study of the external and internal environment.

By applying the SWOT analysis method, it is possible to establish links between the strengths and weaknesses that are inherent in the organization and external threats and opportunities. The methodology involves first identifying strengths and weaknesses, as well as threats and opportunities, and after that the establishment of chains of links between them, which can later be used to formulate the strategy of the organization.

Thompson and Strickland proposed the following approximate set of characteristics, from which a list of the organization's strengths and weaknesses, and a list of the threats and opportunities present in its external environment, can be drawn up.

Strengths:

  • Outstanding competence;
  • Adequate financial resources;
  • Highly qualified staff;
  • Good reputation among buyers;
  • Recognized market leader;
  • Inventive strategies in the functional areas of the organization;
  • The possibility of economies of scale from growth in production volume;
  • Protection (at least in some areas) from strong competitive pressure;
  • Suitable technology;
  • Cost advantages;
  • Competitive advantages;
  • Innovative capabilities and the possibility of realizing them;
  • Proven management.

Weaknesses:

  • No clear strategic directions;
  • Deteriorating competitive position;
  • Outdated equipment;
  • Lower profitability because…;
  • Lack of managerial talent and depth;
  • Lack of certain key qualifications and competencies;
  • Poor tracking of the strategy implementation process;
  • Plagued by internal production problems;
  • Vulnerability to competitive pressure;
  • Falling behind in research and development;
  • Very narrow product line;
  • Poor understanding of the market;
  • Competitive disadvantages;
  • Below-average marketing ability;
  • Inability to fund necessary changes in strategy.

Opportunities:

  • Entering new markets or market segments;
  • Expansion of the product line;
  • Increased diversity in related products;
  • Adding complementary products;
  • Vertical integration;
  • The ability to move to a strategic group with a better strategy;
  • Complacency among competing firms;
  • Acceleration of market growth.

Threats:

  • The possibility of new competitors entering;
  • Growth in sales of substitute products;
  • Slowdown in market growth;
  • Unfavorable government policy;
  • Increasing competitive pressure;
  • Recession and fading of the business cycle;
  • Increasing bargaining power of buyers and suppliers;
  • Changing needs and tastes of customers;
  • Unfavorable demographic changes.

Methodology for conducting the analysis and building the SWOT matrix

The organization can supplement each of the four parts of the list with those characteristics of the external and internal environment that reflect the specific situation in which it is located.

After a specific list of the organization's strengths and weaknesses, as well as threats and opportunities, is drawn up, the stage of establishing links between them begins. To establish these links, a SWOT matrix is ​​compiled, which has the following form (Fig. 1).

Fig. 1. SWOT Analysis Matrix

On the left are two blocks (strengths, weaknesses) in which all the strengths and weaknesses of the organization identified at the first stage of the analysis are written out.

In the upper part of the matrix there are also two blocks (opportunities and threats) in which all identified opportunities and threats are written. At the intersection of the blocks four fields are formed:

SO (strengths and opportunities); ST (strengths and threats); WO (weaknesses and opportunities); WT (weaknesses and threats). In each of the fields the analyst must consider all possible pair combinations and highlight those that should be taken into account when developing the organization's strategy.

For the pairs selected from the SO field, a strategy should be developed to use the organization's strengths in order to obtain a return on the opportunities that have appeared in the external environment.

For the pairs in the WO field, the strategy should be built so that the opportunities that have appeared are used to overcome the organization's weaknesses.

If a pair is in the ST field, the strategy should involve using the organization's strengths to eliminate the threat.

Finally, for pairs in the WT field, the organization must develop a strategy that allows it both to get rid of the weakness and to try to prevent the threat looming over it.

When developing strategies, it should be remembered that opportunities and threats can turn into their opposite. Thus, an untapped opportunity can become a threat if a competitor exploits it. Or vice versa, a successfully prevented threat may open up additional opportunities for the organization if competitors were not able to eliminate the same threat.

Building the opportunity matrix

For a successful analysis of the organization's environment using the SWOT analysis method, it is important not only to be able to uncover threats and opportunities, but also to be able to evaluate them in terms of their importance and degree of influence on the organization's strategy.

To assess opportunities, the method of positioning each specific opportunity on the opportunity matrix is ​​used (Fig. 2).

Fig. 2. Opportunity Matrix

The matrix is ​​built as follows:

- across the top, horizontally, the degree of influence of the opportunity on the organization's activities is plotted (strong, moderate, small);

- on the left, vertically, the probability that the organization will be able to seize the opportunity is plotted (high, medium, low).

Within the matrix the nine opportunity fields have different significance for the organization.

Opportunities that fall into the fields high probability/strong influence, high/moderate and medium/strong are of great importance for the organization and must be used.

Opportunities that fall into the fields medium/small, low/moderate and low/small practically do not deserve the organization's attention.

Building the threat matrix

A similar matrix is compiled for threat assessment (Fig. 3):

- across the top, horizontally, the possible consequences for the organization that realization of the threat can lead to are plotted (destruction, critical condition, serious condition, "light bruises");

- on the left, vertically, the probability that the threat will be realized is plotted (high, medium, low).

Fig. 3. Threat Matrix

Those threats that fall into the fields high probability/destruction, high/critical condition and medium/destruction pose a very great danger to the organization and require immediate and mandatory elimination.

Threats in the fields high/serious condition, medium/critical condition and low/destruction should also be in the field of view of top management and be eliminated as a matter of priority.

As for threats in the fields low/critical condition, medium/serious condition and high/light bruises, a careful and responsible approach to their elimination is required, although their elimination is not the first-order task. Threats that fall into the remaining three fields should also not drop out of the leadership's sight; their development must be carefully monitored.
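The threat matrix above as a triage tool for information security threats, an added example that is not part of the original text. The row and column labels follow the text, and the four priority bands are the three groups of fields named above plus the remaining "watch" fields. The sample threats and their probability/consequence ratings are constructed for illustration. The example goes beyond the text in one respect: it derives the band from a field's position in the matrix (fields on one anti-diagonal share a band) instead of listing the twelve fields.

```python
# Added example (not from the original page): the threat matrix described
# above as a triage tool for information security threats. Row and column
# labels follow the text; the sample threats and their ratings are constructed.
from dataclasses import dataclass
from typing import List, Tuple

PROBABILITY = ("high", "medium", "low")                        # rows, top to bottom
CONSEQUENCE = ("destruction", "critical", "serious", "light")  # columns, left to right

# What each priority band means, as the text assigns it to the matrix fields.
BAND_ACTION = {
    1: "immediate and mandatory elimination",
    2: "eliminate as a matter of priority; keep in top management's view",
    3: "careful and responsible approach, but not first in line",
    4: "keep under observation",
}


@dataclass(frozen=True)
class Threat:
    name: str
    probability: str   # one of PROBABILITY
    consequence: str   # one of CONSEQUENCE


def band(probability: str, consequence: str) -> int:
    """Map a (probability, consequence) field of the matrix to a priority band 1..4.

    Fields on the same anti-diagonal share a band: the three groups named in
    the text are the fields with row index + column index <= 1, == 2 and == 3
    (counting from the top-left corner); the remaining three fields form
    band 4. Deriving the band from the position instead of listing the twelve
    fields is this example's generalization, not something the text states.
    """
    if probability not in PROBABILITY:
        raise ValueError(f"unknown probability {probability!r}")
    if consequence not in CONSEQUENCE:
        raise ValueError(f"unknown consequence {consequence!r}")
    p = PROBABILITY.index(probability)
    c = CONSEQUENCE.index(consequence)
    return min(4, max(1, p + c))


def triage(threats: List[Threat]) -> List[Tuple[int, Threat]]:
    """Return (band, threat) pairs, most urgent first; order within a band is kept."""
    ranked = [(band(t.probability, t.consequence), t) for t in threats]
    ranked.sort(key=lambda pair: pair[0])   # list.sort is stable
    return ranked


# Constructed sample: the ratings an organization's own assessment would supply.
SAMPLE_THREATS = [
    Threat("ransomware on the file server cluster", "medium", "destruction"),
    Threat("phishing leading to credential theft", "high", "serious"),
    Threat("loss of an unencrypted laptop", "medium", "light"),
    Threat("DDoS against the public web site", "low", "critical"),
    Threat("insider exfiltration of customer data", "low", "destruction"),
]

if __name__ == "__main__":
    for b, t in triage(SAMPLE_THREATS):
        print(f"band {b}: {t.name:40s} ({t.probability}/{t.consequence}) -> {BAND_ACTION[b]}")
```

The same position rule reproduces the opportunity matrix grouping if the columns are replaced by (strong, moderate, small): the three "must use" fields are those with index sum 0 or 1, and the three that "practically do not deserve attention" are those with index sum 3 or more. Rejecting unknown labels matters because a rating typed as "likely" or "severe" would otherwise land silently in the wrong band.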

Environment profiling

Along with the methods of studying the threats, opportunities, strengths and weaknesses of the organization, the method of compiling its profile can be used to analyze the environment. This method is convenient to apply to compiling a profile separately of the macro-environment, the immediate environment and the internal environment. Using the method of compiling an environmental profile, it is possible to assess the relative importance for the organization of individual environmental factors.

The environment profiling method is as follows. Individual environmental factors are listed in the environment profile table (Fig. 4). Each of the factors is assessed in an expert way:

  • importance for the industry on a scale: 3 - large, 2 - moderate, 1 - weak;

  • impact on the organization on a scale: 3 - strong, 2 - moderate, 1 - weak, 0 - no impact;

  • direction of influence on a scale: +1 - positive, -1 - negative.

Fig. 4. Environment profile table

Further, all three expert assessments are multiplied, and an integral assessment is obtained, showing the degree of importance of the factor for the organization. From this assessment, management can conclude which of the environmental factors are relatively more important to their organization and therefore deserve the most serious attention, and which factors deserve less attention.

Environmental analysis is a very important and very complex process for developing an organization's strategy, requiring careful monitoring of the processes taking place in the environment, assessing factors and establishing a connection between the factors and the strengths and weaknesses of the organization, as well as the opportunities and threats that are contained in the external environment.

Obviously, without knowing the environment, the organization will not be able to exist. However, it does not float around like a boat without a rudder, oars, or sail. The organization studies the environment in order to ensure its successful progress towards its goals. Therefore, in the structure of the strategic management process, the analysis of the environment is followed by the establishment of the mission of the organization and its goals.

9.3. Product/Service Life Cycle

Any product (service) passes through its life cycle from inception (appearance on the market) to termination (release of the last unit).

The following main stages of the life cycle can be distinguished (Fig. 5):

Fig. 5. Typical graph of a product's life cycle over time

BCG matrix

The most popular procedure for analyzing a company's position in the market is the construction of portfolio matrices. Typically, such matrices are built on a pair of strategically important variables, such as industry growth rate, market size, long-term attractiveness of the industry, competitive status, etc. Such two-dimensional matrices are relatively simple and give a clear picture of the market environment. The most widely used matrices are those of BCG (Boston Consulting Group) and General Electric.

The Boston matrix is based on the product life cycle model, according to which a product goes through four stages in its development: market entry (the product is a “wild cat”), growth (the product is a “star”), maturity (the product is a “cash cow”) and decline (the product is a “dog”).

To assess the competitiveness of individual types of business, two criteria are used: the growth rate of the industry market and the relative market share.

The market growth rate is defined as the weighted average of the growth rates of the various market segments in which the enterprise operates, or is taken equal to the growth rate of the gross national product. Industry growth rates of 10% or more are considered high.

Relative market share is determined by dividing the market share of the business in question by the market share of the largest competitor.

Fig. 6. BCG matrix for a hypothetical firm

A relative market share value of 1 separates the market leaders from the followers. In this way, business types (individual products) are divided into four groups (Fig. 6).

The BCG matrix is based on two assumptions:

1. A business with a significant market share acquires a competitive advantage in terms of production costs as a result of the effect. It follows that the largest competitor has the highest profitability when selling at market prices and, consequently, the largest financial flows.

2. Presence in a growing market means an increased need for financial resources for its development, i.e. renewal and expansion of production, intensive advertising, etc. If the market growth rate is low, as in a mature market, the product does not need significant financing.

When both hypotheses hold, four groups of product markets can be distinguished, corresponding to different priority strategic goals and financial needs:

“Wild cats” (fast growth/low share): this group of products may prove very promising as the market expands, but requires significant capital to sustain growth. For this group it is necessary to decide whether to increase the market share of these products or to stop financing them.

“Stars” (fast growth/high share) are market leaders. They generate significant profits due to their competitiveness, but also need funding to maintain a high share of a dynamic market.

“Cash cows” (slow growth/high share) are products capable of generating more profit than is necessary to sustain their growth. They are the main source of funding for diversification and research. The priority strategic goal is “harvesting”.

“Dogs” (slow growth/low share) are products that are at a disadvantage in terms of costs and have no room for growth. Keeping such products involves significant financial costs with little chance of improvement. The priority strategy is divestment and a modest existence.

Ideally, a balanced product portfolio of an enterprise should include 2-3 cows, 1-2 stars, a few cats as a reserve for the future, and perhaps a small number of dogs. An excess of aging products (“dogs”) indicates the danger of a downturn, even if the current performance of the enterprise is relatively good. An excess of new products can lead to financial hardship.

In a dynamic corporate portfolio, the following development trajectories (scenarios) are distinguished (Fig. 7).

Fig. 7. Main development scenarios

“Product trajectory”. By investing funds received from “cash cows” in R&D, the company enters the market with a fundamentally new product that takes the place of a “star”.

“Follower trajectory”. Funds from “cash cows” are invested in a “cat” product whose market is dominated by the leader. The company follows an aggressive strategy of increasing market share, and the “cat” product turns into a “star”.

“Failure trajectory”. Due to insufficient investment, the “star” product loses its leading position in the market and becomes a “cat” product.

“Mediocrity trajectory”. The “cat” product fails to increase its market share and passes to the next stage (a “dog” product).

At present, information security risks pose a serious threat to the normal operation of many enterprises and institutions. In the age of information technology, obtaining almost any data is not difficult. On the one hand this, of course, has many positive aspects, but for the reputation and brand of many companies it becomes a problem.

Protecting information in enterprises is now becoming a near priority. Experts believe that this goal can be achieved only by developing a deliberate, conscious sequence of actions, guided solely by reliable facts and advanced analytical methods. The intuition and experience of the specialist responsible for this function in the enterprise also make a certain contribution.

This material describes the management of the information security risks of an economic entity.

What types of possible threats exist in the information environment?

There are many types of threats. An enterprise information security risk analysis begins with a consideration of all possible potential threats. This is necessary in order to determine the methods of verification in the event of such unforeseen situations, as well as to form an appropriate protection system. Information security risks are divided into categories depending on various classification features. They are of the following types:

  • physical sources;
  • inappropriate use of the computer network and the World Wide Web;
  • leakage from closed sources;
  • leakage by technical means;
  • unauthorized intrusion;
  • attacks on information assets;
  • integrity violation through data modification;
  • emergencies;
  • legal violations.

What is included in the concept of "physical threats to information security"?

Types of information security risks are determined by the source of their occurrence, the method of carrying out the illegal intrusion and its purpose. The technically simplest threats, though they still require professional execution, are physical threats. They consist in unauthorized access to closed sources; that is, this process is in fact ordinary theft. Information can be obtained personally, with one's own hands, simply by entering the institution's premises, offices and archives to gain access to technical equipment, documentation and other information carriers.

The theft may concern not even the data itself but its storage location, that is, the computer equipment itself. In order to disrupt the normal activities of the organization, attackers can simply cause a failure in the operation of storage media or technical equipment.

The purpose of a physical intrusion may also be to gain access to the system on which the protection of information depends. An attacker can change the network settings responsible for information security in order to facilitate further illegal methods.

A physical threat can also come from members of various groups who have access to non-public classified information. Their goal is valuable documentation. Such persons are called insiders.

The activity of external malefactors can be directed at the same object.

How can the employees of the enterprise themselves cause threats?

Information security risks often arise from inappropriate use of the Internet and the internal computer system by employees. Attackers skilfully exploit the inexperience, inattention and ignorance of some people regarding information security. To rule out this way of stealing confidential data, the management of many organizations introduces a special policy for its staff. Its purpose is to teach people how to behave and how to use networks. This is a fairly common practice, since the threats that arise in this way are quite common. Programs for developing employees' information security skills include the following points:

  • eliminating the inefficient use of audit tools;
  • reducing the use by staff of special data-processing tools;
  • reducing the use of resources and assets;
  • accustoming staff to accessing network facilities only by established methods;
  • allocating areas of influence and designating areas of responsibility.

When each employee understands that the fate of the institution depends on the responsible performance of the tasks assigned to them, they try to adhere to all the rules. Staff must be set specific tasks, and the results obtained must be justified.

How are privacy conditions violated?

Risks and threats to information security are largely associated with the illegal receipt of information that should not be available to unauthorized persons. The first and most common leakage channel is the various means of communication and correspondence. Personal correspondence that, it would seem, is available only to the two parties is intercepted by interested parties, although reasonable people understand that anything extremely important and secret must be transferred in other ways.

Since a lot of information is now stored on portable media, attackers are actively mastering the interception of information through this type of technology. Eavesdropping on communication channels remains very popular, only now all the efforts of technical geniuses are aimed at breaking the protective barriers of smartphones.

Confidential information may be disclosed unintentionally by employees of the organization. They may not directly give away all the “logins and passwords”, but merely lead the attacker onto the right path. For example, people, without realizing it, report information about the location of important documentation.

It is not only employees who are vulnerable. Contractors can also give out confidential information in the course of partnerships.

How is information security violated by technical means of influence?

Ensuring information security depends largely on the use of reliable technical means of protection. If the support system is efficient and effective, at least in the equipment itself, that is already half the success.

In this case information leakage is achieved mainly by capturing various signals. Such methods include the creation of specialized sources of radio emission or of signals, which may be electrical, acoustic or vibrational.

Quite often, optical devices are used that allow information to be read from displays and monitors.

The variety of devices determines a wide range of methods for the introduction and extraction of information by intruders. In addition to the above methods, there is also television, photographic and visual reconnaissance.

Because of such wide opportunities, an information security audit primarily includes checking and analyzing the operation of the technical means for protecting confidential data.

What is considered unauthorized access to company information?

Information security risk management is impossible without the prevention of unauthorized access threats.

One of the most prominent representatives of this method of breaking into someone else's security system is the appropriation of a user identifier. This method is called “masquerade”. Unauthorized access in this case consists in the use of someone else's authentication data; that is, the goal of the violator is to obtain the password or any other identifier.

Malefactors can act from inside the object or from the outside. They can get the information they need from sources such as an audit log or audit tools.

Often the attacker tries to act by infiltration, using seemingly legitimate methods.

Unauthorized access applies to the following sources of information:

  • website and external hosts;
  • enterprise wireless network;
  • data backups.

The ways and methods of unauthorized access are countless. Attackers look for miscalculations and gaps in the configuration and architecture of the software. They obtain data by modifying the software. To neutralize protection and lull vigilance, violators launch malware and logic bombs.

What are the legal threats to the company's information security?

Information security risk management works in various areas, because its main goal is to provide comprehensive and holistic protection of the enterprise from third-party intrusion.

No less important than the technical direction is the legal one. Through the legal side, which, it would seem, should on the contrary defend the organization's interests, it turns out to be possible to obtain very useful information.

Violations regarding the legal side may relate to property rights, copyright and patent rights. This category also includes illegal use of software, including its import and export. Legal regulations are violated when the terms of a contract, or the legal framework as a whole, are not complied with.

How to set information security goals?

Ensuring information security begins with establishing the area of protection. It is necessary to clearly define what needs to be protected and from whom. To do this, a profile of the potential intruder is drawn up, along with the possible methods of hacking and infiltration. The first step in setting goals is to talk to management, which will indicate the priority areas for protection.

From this moment the information security audit begins. It allows one to determine in what proportion technological and business methods should be applied. The result of this process is a final list of activities, which consolidates the goals facing the unit responsible for protection against unauthorized intrusion. The audit procedure is aimed at identifying critical points and weaknesses of the system that interfere with the normal operation and development of the enterprise.

After the goals have been set, a mechanism for their implementation is developed, and tools for controlling and minimizing risks are formed.

What role do assets play in risk analysis?

The information security risks of an organization directly affect the assets of the enterprise. After all, the goal of attackers is to obtain valuable information, the loss or disclosure of which will inevitably lead to losses. The damage caused by an unauthorized intrusion can be direct or only indirect; in the extreme case, illegal actions against the organization can lead to a complete loss of control over the business.

The amount of damage is estimated according to the assets at the disposal of the organization. The affected resources are all resources that contribute in any way to the achievement of management objectives. The assets of the enterprise are understood as all tangible and intangible values that bring and help generate income.

Assets are of several types:

  • material;
  • human;
  • informational;
  • financial;
  • processes;
  • brand and prestige.

The last type of asset suffers most from unauthorized intrusion. This is because any realized information security risk affects the company's image. Problems in this area automatically reduce respect and trust in the enterprise, since no one wants their confidential information to become public. Every self-respecting organization takes care to protect its own information resources.

Various factors influence how much damage is done and to which assets. They are divided into external and internal. Their combined impact, as a rule, affects several groups of valuable resources simultaneously.

The entire business of the enterprise is built on assets. They are present in some volume in the activities of any institution; it is just that for some, certain groups are more important and others less so. The result, that is, the damage caused, depends on which type of assets the attackers managed to affect.

Information security risk assessment makes it possible to clearly identify the main assets, the compromise of which would mean irreparable losses for the enterprise. Management itself should pay attention to these groups of valuable resources, since their safety is in the interests of the owners.

The priority area for the information security division is the auxiliary assets. A dedicated person is responsible for their protection. Risks concerning them are not critical and affect only the management system.

What are the information security factors?

The calculation of information security risks involves constructing a specialized model. It consists of nodes connected to each other by functional links. The nodes are the assets themselves. The model uses the following valuable resources:

  • people;
  • strategy;
  • technology;
  • processes.

The edges that connect them are the risk factors themselves. In order to identify possible threats, it is best to approach directly the department or specialist that deals with these assets. Any potential risk factor can be a precondition for a problem to form. The model highlights the main threats that may arise.

Regarding the team, the problems lie in a low educational level, a shortage of personnel and a lack of motivation.

The risks of processes include the variability of the external environment, poor automation of production, and an unclear separation of duties.

Technologies can suffer from outdated software and a lack of control over users. Problems with a heterogeneous information technology landscape may also be a cause.

The advantage of this model is that threshold values of information security risks are not rigidly fixed, since the problem is considered from different angles.

What is an information security audit?

An important procedure in the field of enterprise information security is the audit. It is a check of the current state of the intrusion protection system. The audit process determines the degree of compliance with the established requirements. For some types of institutions it is obligatory, for others it is advisory in nature. The examination covers the documentation of the accounting and tax departments, technical means and the financial and economic side.

An audit is necessary in order to understand the level of security and, if it is inadequate, to bring it up to the required level. This procedure also makes it possible to evaluate the feasibility of financial investments in information security. Ultimately, the expert will give recommendations on the rate of financial spending that maximizes efficiency. An audit also allows the controls to be adjusted.

An information security examination is divided into several stages:

  1. Setting goals and ways to achieve them.
  2. Analysis of the information needed to reach a verdict.
  3. Processing of the collected data.
  4. Expert opinion and recommendations.

Ultimately the specialist will issue a decision. The recommendations of the commission are most often aimed at changing the configuration of hardware and servers. Often a troubled business is advised to choose a different security method. For additional strengthening, experts may prescribe a set of protective measures.

Post-audit work is aimed at informing the team about the problems. If necessary, additional briefing should be conducted to raise employees' awareness of protecting the enterprise's information resources.

One of the most important tasks in managing the information security of an organization and its CIS is risk management: the coordinated activities to direct and control the organization with regard to risk. In the context of information security risks, only negative consequences (losses) are considered.

In terms of achieving the business goals of an organization, risk management is the process of creating and dynamically developing an economically viable information security system and an effective information security management system. Therefore, risk management is one of the main tasks and responsibilities of the organization's management.

Risk management uses its own conceptual apparatus, which is now standardized and given in GOST R ISO/IEC 13335-1-2006 and GOST R ISO/IEC 27001-2006. ISO/IEC 27005:2008 “Information technology. Methods and means of ensuring security. Information security risk management” provides conceptual guidance on information security risk management and supports the general concepts and ISMS model defined in GOST R ISO/IEC 27001-2006. It is built on the British standard BS 7799-3:2006 and, to a certain extent, echoes the American standard NIST SP 800-30:2002, which also provides guidance on risk management for information technology systems, and is intended to help adequately ensure the information security of an organization and its CIS on the basis of a risk management approach. A draft Russian national standard GOST R ISO/IEC 27005-2008, harmonized with ISO/IEC 27005:2008, has been prepared.

In these standards, risk is defined as the potential for harm to an organization as a result of some threat being realized using vulnerabilities in an asset or group of assets. Information security risk is the possibility that a given threat will exploit the vulnerabilities of an information asset (group of assets) and thereby harm the organization. It is measured by a combination of the probability of an undesirable event and its consequences (possible harm).

Information security risk management covers several processes, the most important of which are risk assessment, which includes risk analysis and risk evaluation, and risk treatment, that is, the selection and implementation of risk-modifying measures using the results of the assessment. Information security risk management is an iterative process that requires monitoring and periodic review.

Depending on the scope, object and goals of risk management, different approaches to managing and assessing information security risk can be applied: a high-level or a detailed risk assessment. The approach may also differ from one iteration to the next.

The analysis (identification and measurement) of risk can be carried out with varying degrees of detail depending on the criticality of the assets, the prevalence of known vulnerabilities and previous incidents affecting the organization. The form of the analysis should be consistent with the selected risk evaluation criteria. The measurement methodology may be qualitative or quantitative, or a combination of the two, as appropriate. In practice, a qualitative assessment is often used first to obtain an overview of the level of risk and to identify the main risk values. Later it may be necessary to carry out a more specific or quantitative analysis of the main risk values, since a qualitative analysis is usually less difficult and less costly to perform than a quantitative one.

When choosing an approach to managing and assessing risks, three groups of main criteria are taken into account: risk evaluation criteria, impact criteria and risk acceptance criteria. They must be developed and defined.

Criteria for evaluating the information security risks of an organization should be developed taking into account the following:

  • the strategic value of the business information processing;
  • the criticality of the information assets involved;
  • legal and regulatory requirements and contractual obligations;
  • the operational and business importance of the availability, confidentiality and integrity of information;
  • stakeholders' perceptions and expectations, as well as negative consequences for “intangible capital” and reputation.

In addition, risk evaluation criteria can be used to prioritize risk treatment.

Impact criteria are identified with criteria for the possible loss of confidentiality, integrity and availability of assets and reflect an adverse change in the level of business goals achieved.

Impact criteria should be developed and determined based on the degree of harm or cost to the organization caused by an information security event, taking into account the following:

  • the classification level of the affected information asset;
  • breaches of information security (for example, loss of confidentiality, integrity or availability);
  • impaired operations (internal or of third parties);
  • loss of business and financial value;
  • disruption of plans and deadlines;
  • damage to reputation;
  • breaches of legal, regulatory or contractual requirements.

The risk acceptance criteria correspond to the "Risk Acceptance Criteria and Acceptable Risk Identification" defined in GOST R ISO/IEC 27001-2006. They must be developed and defined. Risk acceptance criteria often depend on the organization's policies, intentions and goals and on the interests of the stakeholders.

The organization should determine its own scales for levels of risk acceptance. When developing them, the following should be taken into account:

  • risk acceptance criteria may include many thresholds, with a desired target level of risk but with the proviso that, under certain circumstances, top management will accept risks above the specified level;
  • risk acceptance criteria can be expressed as the ratio of the quantified benefit (or other business benefit) to the quantified risk;
  • different risk acceptance criteria may apply to different risk classes; for example, risks of non-compliance with directives and laws cannot be accepted, while acceptance of a high-level risk may be allowed if specified in a contractual requirement;
  • risk acceptance criteria may include requirements for future additional treatment; for example, a risk can be accepted if there is approval and agreement to take action to reduce it to an acceptable level within a certain period of time.

Risk acceptance criteria may differ depending on how long the risk is expected to exist; for example, the risk may be associated with a temporary or short-term activity. Risk acceptance criteria should be set taking into account business criteria, legal and regulatory aspects, operations, technology, finance, and social and humanitarian factors.

According to ISO/IEC 27005:2008, information security risk management covers the following processes: context setting, risk assessment, risk treatment, risk acceptance, risk communication, and risk monitoring and review.

As can be seen from Fig. 3.5, the information security risk management process can be iterative for activities such as risk assessment and/or risk treatment. An iterative approach to risk assessment can increase the depth and detail of the assessment with each iteration. An iterative approach strikes a good balance between the time and effort spent on defining controls (safeguards) and the confidence that high-level risks are being properly addressed.

Fig. 3.5.

In the ISMS and its four-phase PDCA model, setting the context, assessing the risk, developing a risk treatment plan and accepting the risk are all part of the “plan” phase. In the “do” phase, the controls required to reduce the risk to an acceptable level are implemented in accordance with the risk treatment plan. In the “check” phase, managers determine the need to revise the risk treatment in the light of incidents and changing circumstances. In the “act” phase, any necessary work is carried out, including re-initiating the information security risk management process.

Table 3.3 lists the types of activities (processes) associated with risk management that are significant for the four phases of the ISMS process based on the PDCA model.

Table 3.3. Correlation between the phases of the ISMS process and the processes and sub-processes of information security risk management

Establishing the information security risk management context includes establishing the main criteria (risk evaluation, impact and risk acceptance criteria), defining the scope and boundaries, and establishing an appropriate organizational structure for risk management.

The context is first established when a high-level risk assessment is carried out. A high-level assessment makes it possible to prioritize and sequence actions. If it provides sufficient information to effectively determine the actions required to reduce the risk to an acceptable level, the task is complete and risk treatment follows. If the information is insufficient, another iteration of the risk assessment is carried out using a revised context (e.g. revised risk evaluation, risk acceptance or impact criteria), possibly on limited parts of the overall scope (see Fig. 3.5, risk decision point No. 1).
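As an added example (not part of this page or of the standards it cites), the following Python script evaluates a small constructed risk register against acceptance criteria of the kinds listed above: a target level with a higher ceiling that only top management may accept, a benefit-to-risk ratio, a class rule under which non-compliance risks are never accepted, conditional acceptance with a treatment deadline, and the decision point at which a risk above target is sent back for a detailed assessment. The scales, thresholds, field names and register entries are assumptions made here; the asset/risk-factor pairs follow the asset model (people, strategy, technology, processes) described earlier on the page.

```python
"""Evaluate a constructed risk register against ISO/IEC 27005-style acceptance criteria.

Added example: the scales, thresholds, field names and register entries below are
assumptions made for illustration, not values taken from the standards themselves.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed qualitative scales: likelihood x impact gives a level from 1 to 16.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost certain": 4}
IMPACT = {"minimal": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed thresholds: levels up to TARGET_LEVEL are accepted routinely; levels
# above it need a top-management decision; above MANAGEMENT_CEILING the risk is
# treated unless a contractual requirement explicitly mandates accepting it.
TARGET_LEVEL = 4
MANAGEMENT_CEILING = 9
MIN_BENEFIT_RATIO = 3.0  # quantified benefit must be at least 3x the quantified risk


@dataclass
class Risk:
    asset: str                 # node of the asset model: people, strategy, technology, processes
    factor: str                # edge of the model: the risk factor (threat scenario)
    likelihood: str
    impact: str
    risk_class: str = "operational"                # "compliance" risks are never accepted
    annual_loss: Optional[float] = None            # quantified risk, known only after a detailed assessment
    annual_benefit: Optional[float] = None         # quantified benefit of the activity carrying the risk
    treatment_deadline_days: Optional[int] = None  # conditional acceptance: reduce within N days
    management_approved: bool = False              # top management has reviewed this risk
    contract_requires: bool = False                # a contract requires the risk to be carried


def level_of(r: Risk) -> int:
    """High-level (qualitative) risk level from the two constructed scales."""
    return LIKELIHOOD[r.likelihood] * IMPACT[r.impact]


def decide(r: Risk) -> Tuple[str, int, str]:
    """Apply the acceptance criteria in order and return (decision, level, reason)."""
    level = level_of(r)
    if r.risk_class == "compliance":
        return ("treat", level, "non-compliance with directives or laws is never accepted")
    if level <= TARGET_LEVEL:
        return ("accept", level, f"level {level} is within the target level {TARGET_LEVEL}")
    # Risk decision point 1: for a risk above target the high-level assessment is not
    # enough on its own, so the next iteration must supply a quantified loss figure.
    if r.annual_loss is None:
        return ("reassess", level, "above target level; detailed assessment required")
    if level > MANAGEMENT_CEILING:
        if r.contract_requires:
            return ("accept", level, "high-level risk accepted under a contractual requirement")
        return ("treat", level, f"level {level} exceeds the management ceiling {MANAGEMENT_CEILING}")
    if not r.management_approved:
        return ("escalate", level, "above target level; requires a top-management decision")
    if r.annual_benefit is not None and r.annual_benefit >= MIN_BENEFIT_RATIO * r.annual_loss:
        ratio = r.annual_benefit / r.annual_loss
        return ("accept", level, f"benefit/risk ratio {ratio:.1f} meets the minimum {MIN_BENEFIT_RATIO}")
    if r.treatment_deadline_days is not None:
        return ("accept-conditionally", level,
                f"accepted on condition of reduction to target within {r.treatment_deadline_days} days")
    return ("treat", level, "above target level with no basis for acceptance")


def evaluate(register: List[Risk]) -> List[Tuple[str, str, str, int, str]]:
    """Evaluate every entry; rows are (asset, factor, decision, level, reason), highest level first."""
    rows = [(r.asset, r.factor) + decide(r) for r in register]
    return sorted(rows, key=lambda row: -row[3])


# Constructed register: one entry per risk factor of the asset model.
REGISTER = [
    Risk("technology", "outdated software", "likely", "high",
         annual_loss=40_000.0, annual_benefit=150_000.0, management_approved=True),
    Risk("people", "insufficient training", "likely", "medium"),
    Risk("processes", "unclear separation of duties", "unlikely", "medium"),
    Risk("processes", "unlicensed software use", "unlikely", "high", risk_class="compliance"),
    Risk("technology", "no control over users", "almost certain", "critical", annual_loss=500_000.0),
    Risk("processes", "poor automation", "likely", "high",
         annual_loss=20_000.0, management_approved=True, treatment_deadline_days=90),
]

if __name__ == "__main__":
    for asset, factor, decision, level, reason in evaluate(REGISTER):
        print(f"{level:>2}  {decision:<21} {asset}/{factor}: {reason}")
```

Each rule fires in the order the acceptance criteria are listed, so changing the thresholds or adding a quantified loss to an entry changes the decision in a traceable way.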

This part addresses the following questions:

  • Security Management
  • Allocation of Responsibilities for Security Management
  • Top-down approach
  • Security Administration and Protective Measures
  • Basic Security Principles (AIC Triad)
  • Availability
  • Integrity
  • Confidentiality
  • Security definitions (vulnerability, threat, risk, impact, countermeasures)
  • Security through obscurity

Updated: 21.02.2010


Security management includes risk management, information security policies, procedures, standards, guidelines, baselines, information classification, security organization, and security education. These key aspects form the basis of a corporate security program. The purpose of a security program is to protect the company and its assets. Risk analysis identifies these assets, identifies the threats that pose risks to them, and assesses the possible losses the company may incur if any of these threats materialize. The results of the risk analysis help management prepare a budget that covers all the costs needed to protect the identified assets from the identified threats, and develop practical security policies that guide security activities. Security training and awareness give each employee in the company the information they need, making their job easier and helping to achieve the security goals.

The security management process is continuous. It starts with risk assessment and needs identification, followed by monitoring and evaluation of systems and practices. This is followed by an awareness raising of the company's employees, which provides an understanding of the issues that should be taken into account. The final step is to implement policies and safeguards to mitigate the risks and meet the needs identified in the first step. Then the cycle starts over. Thus, this process constantly analyzes and controls the security of the company, allows it to adapt and develop taking into account the needs for security and the conditions in which the company exists and operates.

Security management changes over time as the network environment, computers and applications that process information change. The Internet, extranets (business partner networks), and intranets make security not only more difficult, but more critical. The core of the network architecture has changed from localized autonomous computing to a distributed computing environment, which has greatly increased its complexity. Although access from the internal network to the Internet provides users with a number of important features and conveniences, it increases the vulnerability of the company from the Internet, which can become a source of additional security risks.

Today, most organizations cannot function without computers and their computing capabilities. Many large corporations have already realized that their data is a critical asset that needs to be protected along with buildings, equipment and other physical assets. Security must change as networks and environments change. Security is more than just a firewall and a router with access control lists. These systems are certainly important, but much more important to security is the management of user actions and the procedures they follow. This brings us to the practice of security management, which is focused on the constant protection of the company's assets.

In the world of security, the function of management is to set goals, boundaries, policies, priorities, and strategies. Management needs to define clear boundaries and relevant goals that are expected to be achieved as a result of implementing the security program. Management also needs to evaluate business objectives, security risks, user productivity, functional requirements, and goals. Finally, management must determine the steps to ensure that these tasks are properly distributed and addressed.

Many companies look only at the business side of the equation and assume that information and computer security is the responsibility of the IT administrator. The management of such companies does not take information and computer security seriously, and as a result security in such companies is underdeveloped, poorly maintained, underfunded and unsuccessful. Security must be considered at the top management level. An IT administrator (or security administrator) can advise management on security issues, but company security should not be fully delegated to an IT administrator (security administrator).

Security management is based on clearly identified and valued company assets. Once assets are identified and valued, security policies, procedures, standards, and guidelines are implemented to ensure the integrity, confidentiality, and availability of those assets. Various tools are used to classify data, perform analysis, and assess risks. These tools help identify vulnerabilities and show their severity level, which allows you to implement effective countermeasures that mitigate risks in the most cost-effective way. It is the responsibility of management to ensure that the resources of the company as a whole are protected. These resources are people, capital, equipment and information. Management must be involved to ensure that the security program is in place, that threats affecting company resources are addressed, and that the necessary safeguards are effective.

The necessary resources and funding must be made available, and responsible persons must be prepared to participate in the security program. Management should allocate responsibilities and define the roles needed to initiate a security program and ensure that it develops successfully and evolves as the environment changes. Management must also integrate the security program into the existing business environment and monitor its performance. Management support is one of the most important parts of a security program.

In the process of planning and implementing a security program, the security professional should determine the functions to be performed and the expected end result. Often companies simply start locking down computers and installing firewalls without understanding the overall security requirements, goals, and levels of trust they would like to gain from security across the entire environment. The team involved in this process should start at the top, with very broad ideas and terms, and work their way down to detailed configurations and system parameters. At each stage, team members should keep the main security goals in mind so that each new component adds more detail to the corresponding goal.

The security policy is a kind of foundation for the company's security program. This policy should be taken seriously from the outset, and should incorporate the ideas of continuous updating to ensure that all security components continue to function and work to achieve goals consistent with business goals.

The next step is the development and implementation of procedures, standards and guidelines that support the security policy and define the countermeasures and methods that should be applied to ensure security. Once these elements have been developed, the security program should be detailed by developing baselines and configurations for the selected security tools and methods.

If security is built on a solid foundation and designed with goals and objectives in mind, a company will not have to make significant changes to it. In this case, the process can be more methodical, requiring less time, money and resources, while still striking the right balance between functionality and security. This is not a requirement, but understanding this can make your company's approach to security more manageable. You can explain to companies how to plan, implement, and maintain security in an organized way that avoids a giant pile of security tools that are scattered and full of flaws.

A security program should use a top-down approach, meaning that the initiative, support and direction come from top management and pass through middle managers to employees. The opposite, bottom-up approach refers to a situation where the IT department tries to develop a security program on its own, without proper guidance and support from management. The bottom-up approach is usually less efficient, narrower, and doomed to fail. The top-down approach ensures that the driving force behind the program is the people (top management) who are truly responsible for protecting the company's assets.



If the security administrator role does not exist, management must create it. The security administrator role is directly responsible for overseeing key aspects of the security program. Depending on the organization, its size, and security needs, security administration can be handled by one person or by a group of people working centrally or decentralized. Regardless of size, security administration requires a clear reporting structure, an understanding of responsibilities, and audit and monitoring capabilities to ensure there are no security breaches caused by lack of communication or understanding.

Information owners must specify which users can access their resources and what they can do with those resources. The task of the security administrator is to ensure that this process is implemented. The following protective measures should be used to comply with the instructions in the security manual:

  • Administrative measures include the development and publication of policies, standards, procedures and guidelines, risk management, recruitment, security training, implementation of change management procedures.
  • Technical (logical) measures include the implementation and maintenance of access control mechanisms, password and resource management, identification and authentication methods, security devices, and infrastructure settings.
  • Physical measures include control of people's access to the building and various premises, use of locks and removal of unused disk drives and CD-ROM drives, protection of the building perimeter, intrusion detection, and environmental control.
Figure 1-1 illustrates how administrative, technical, and physical security measures work together to provide the required level of protection.


Figure 1-1 The administrative, technical and physical layers of safeguards must work together to protect company assets


The information owner is usually a responsible employee who is part of the company's management or the head of the relevant department. The owner of the information is obliged to ensure adequate data protection and is solely responsible for any negligence in protecting the company's information assets. The person who performs this role is responsible for the classification of information and specifies how this information should be protected. If data protection is not based on the requirements of the information owner, or if the owner does not verify that those requirements are fulfilled, the concept of due care is not observed.

There should be ongoing communication between the security administration team and senior management to ensure that the security program receives sufficient support and that management makes the decisions necessary for its implementation. Often top management excludes itself entirely from security matters, overlooking that in case of a serious security incident it is top management who will have to explain it to business partners, shareholders and the public. After such an incident the attitude changes radically, and leadership becomes involved in security issues as much as possible. A continuous, two-way communication process between the security administration team and senior management avoids this.

Inadequate leadership can undermine a company's security efforts. Possible reasons for inadequate management include a lack of understanding by management of the company's security needs, competition between security and other management goals, management's view of security as an expensive and unnecessary undertaking, and support for security by company management in words only. Powerful and useful technologies, devices, software, procedures and methodologies provide some level of security, but without full security management and management support they are of no value.

There are several small and large objectives of a security program, but there are three main principles in all programs: availability, integrity and confidentiality. This is called the AIC triad (Availability, Integrity, Confidentiality). The level of security required to implement these principles varies from company to company, as each company has its own unique combination of business and security goals and needs. All safeguards and security mechanisms are implemented to uphold one (or more) of these principles, and all risks, threats and vulnerabilities are measured by their potential to violate one or all of the AIC principles. The AIC triad is shown in Figure 1-2.


Figure 1-2 AIC triad


Availability

Systems and networks must provide a sufficient level of predictability, combined with an acceptable level of performance. They need to be able to recover from failures quickly and safely without negatively impacting company productivity. "Single points of failure" should be avoided, backups should be made, if necessary, a certain level of redundancy should be provided, and negative impact from the external environment should be prevented. It is necessary to implement protection mechanisms against internal and external threats that can affect the availability and performance of the network, systems and information. Availability provides authorized persons with reliable and timely access to data and resources.


System availability can be affected by a hardware or software failure. Redundant equipment should be used to enable rapid replacement of critical systems. Maintenance personnel must have all the necessary knowledge and be available to switch over to backup systems in a timely manner and make the appropriate adjustments. External factors such as temperature, humidity, static electricity and dust can also affect system availability. These issues are discussed in detail in Domain 04.

DoS attacks are a popular technique used by hackers to disrupt a company. Such attacks reduce the ability of users to access system resources and information. To protect against them, you should limit the number of available ports, use IDS systems, control network traffic and computer operation. Properly configuring firewalls and routers can also reduce the threat of DoS attacks.
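One way to "control network traffic" against the connection floods described above: a sliding-window rate detector run over constructed firewall log lines (an added example, not part of the original text; the log format, the 10-second window and the threshold of 50 attempts are assumptions).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed firewall log format (constructed for this example).
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) "
                     r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")


def parse(line):
    """Return (timestamp, source IP, destination port), or None for noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], int(m["dport"])


def flood_sources(lines, window_s=10, threshold=50):
    """Map each source IP whose connection attempts exceed `threshold`
    within any `window_s`-second sliding window to its peak count."""
    windows = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, src, _ = parsed
        q = windows[src]
        q.append(ts)
        # Drop attempts that fell out of the window (each source's lines are in time order).
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


def sample_log():
    """Constructed lines: one source opens 120 connections in 6 seconds,
    another makes 5 ordinary requests over 10 seconds."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    fmt = "{:%Y-%m-%dT%H:%M:%SZ} ACCEPT src={} dst=198.51.100.10 dport=443"
    lines = [fmt.format(base + timedelta(milliseconds=50 * i), "203.0.113.5")
             for i in range(120)]
    lines += [fmt.format(base + timedelta(seconds=2 * i), "192.0.2.20")
              for i in range(5)]
    return lines


if __name__ == "__main__":
    for src, peak in flood_sources(sample_log()).items():
        print(f"possible DoS from {src}: {peak} attempts within 10 s")
```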

Integrity

Integrity provides guarantees for the accuracy and reliability of information and of the information systems that process it, and prevents unauthorized changes. Hardware, software, and communications equipment must work together to properly store and process data and to move it to its destination intact. Systems and networks must be protected from outside interference.


Attacks on systems or user errors should not affect the integrity of systems and data. If an attacker installs a virus, a logic bomb, or a backdoor, the integrity of the system is compromised. This can adversely affect the integrity of the information stored on the system and lead to fraud and unauthorized changes to software and data. To combat these threats, strict access control and intrusion detection systems are needed.

Users typically affect the integrity of systems or data through errors (although internal users can also commit fraudulent or malicious acts), for example by accidentally deleting configuration files or entering an erroneous transaction amount.

Security measures should limit users to the minimum required set of functions, which reduces the likelihood and consequences of their mistakes. Users' access to critical system files should be restricted. Applications should provide control mechanisms that check incoming information for correctness and plausibility. The right to change data in databases should be granted only to authorized persons, and data transmitted over communication channels should be protected by encryption or other mechanisms.



Confidentiality

Confidentiality provides the necessary level of secrecy at each point of data processing and prevents their unauthorized disclosure. Confidentiality must be ensured both in the storage of information and in the process of its transmission.


Attackers can violate confidentiality by intercepting network traffic, spying on employees' work, stealing password files, and using social engineering techniques. Users may deliberately or accidentally disclose sensitive information by forgetting to encrypt it before sending it to another person, by falling victim to a social engineering attack, or by failing to apply the necessary protection when handling sensitive company information.

Confidentiality can be ensured by encrypting data during storage and transmission, implementing a strict access control system, classifying data, and training personnel in the proper handling of confidential information.




It is important to understand the meaning of the words "vulnerability", "threat", "risk", "impact", as well as the relationship between them.

A vulnerability is a flaw in software, hardware, or a procedure that could allow an attacker to gain access to a computer or network and obtain unauthorized access to company information resources. A vulnerability is the absence or weakness of safeguards. A vulnerability can be a service running on a server, an unpatched application or operating system, an unrestricted modem pool, an open port on the firewall, weak physical security that allows anyone to enter the server room, or a lack of password management on servers and workstations.

A threat is a potential danger to information or a system. A threat arises when someone or something discovers the existence of a certain vulnerability and uses it against a company or person. The entity that takes advantage of a vulnerability is called a threat source (threat agent). The source of a threat can be a hacker who has gained access to the network through a port open on the firewall; a process that accesses data in a way that violates the security policy; a tornado that destroyed a building; or an employee who made a mistake that could lead to the leakage of confidential information or a violation of file integrity.

Risk is the likelihood that a threat source will exploit a vulnerability, resulting in a negative business impact. If the firewall has several open ports, there is a high chance that an attacker will use one of them to gain unauthorized access to the network. If users are not trained in the correct processes and procedures, there is a high probability that they will make intentional and unintentional errors that can lead to data destruction. If the network has no IDS, there is a high probability that an attack will remain undetected until it is too late.

Impact (exposure) is something that leads to losses due to the actions of a threat source. Vulnerabilities expose the company to the possibility of damage. If password management is weak and password requirements are not enforced, the company is exposed to the potential for user passwords to be compromised and used for unauthorized access. If a company does not monitor its electrical wiring and take steps to prevent fire, it is exposed to the potential effects of fire.

Countermeasures (or safeguards) are measures whose implementation reduces the level of potential risk. Countermeasures can be changes to software, hardware, or procedures that fix vulnerabilities or reduce the likelihood that a threat source can exploit a vulnerability. Examples of countermeasures are strong password management, security guards, operating system access control mechanisms, BIOS passwords, and security awareness training for users.

If a company uses antivirus software but does not update its virus signature databases, this is a vulnerability: the company is vulnerable to virus attacks. The threat is that a virus will penetrate the company's network and paralyze its work. The risk in this case is the probability of a virus penetrating the company's network and causing damage. If a virus enters the company's network, the vulnerability has been exploited and the company is affected by the damage it causes. The countermeasure in this situation is to install antivirus software on all company computers and keep its virus signature databases up to date. The relationship between risks, vulnerabilities, threats and countermeasures is shown in Figure 1-3.

Figure 1-3 Relationship between various security components
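The antivirus and open-port scenarios from the paragraphs above, scored in a small risk register that ties the definitions together (an added example, not part of the original text; the 1..5 likelihood and impact scales, the score bands, and the reduction each countermeasure gives are assumptions).

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class Countermeasure:
    name: str
    likelihood_reduction: int   # scale steps it removes (assumed per safeguard)


@dataclass
class Risk:
    asset: str
    vulnerability: str          # absence or weakness of a safeguard
    threat: str                 # potential danger, realised by a threat agent
    likelihood: int             # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int                 # 1 (negligible) .. 5 (critical), assumed scale
    countermeasures: List[Countermeasure] = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any countermeasure: likelihood x impact (exposure)."""
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        reduction = sum(c.likelihood_reduction for c in self.countermeasures)
        return max(1, self.likelihood - reduction)

    def residual_score(self) -> int:
        """Risk that remains after the listed countermeasures are applied."""
        return self.residual_likelihood() * self.impact


def rating(score: int) -> str:
    """Assumed banding of the 1..25 score into four levels."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "minimal"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest residual risk first: what the budget should address next."""
    return sorted(register, key=lambda r: r.residual_score(), reverse=True)


def example_register() -> List[Risk]:
    """Two risks built from the scenarios in the text; the numbers are assumed."""
    antivirus = Risk("workstations", "antivirus signatures not updated",
                     "virus enters the network and paralyses work", 4, 4,
                     [Countermeasure("keep signatures up to date", 3)])
    firewall = Risk("internal network", "several unneeded ports open on firewall",
                    "attacker gains unauthorised network access", 4, 5,
                    [Countermeasure("close unused ports", 2)])
    return [antivirus, firewall]


if __name__ == "__main__":
    for r in prioritise(example_register()):
        print(f"{r.asset}: inherent {rating(r.inherent_score())} "
              f"({r.inherent_score()}), residual {rating(r.residual_score())} "
              f"({r.residual_score()})")
```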


Links