IS security. What do you need to know?
Informational security. Does the IS Policy work in your company?
Information security in the company is a very important element of any business. What do we know about it, what tools do we use to achieve it and are there enough of them?
What is the Company’s Information Security Policy?
Information security policy is a set of requirements, rules, restrictions and recommendations that regulate the order of information activities in the organization and are aimed at achieving and maintaining the state of information security of the organization.
In simple language, the IS Policy is an instruction on the use of a defense shield, which is built at the enterprise, namely an instruction, because the shield is a system of technical means of information security and users themselves, if they are well informed and perform their functions properly.
The lack of a properly designed and implemented Information Security Policy is often the reason for the success of attackers in cases of cyberattacks.
It would seem that the company has a person responsible for information security, but the fact is that it is not a weak link in the chain of information security. This link is an ordinary worker with a computer who does not have a basic knowledge of information security.
Information security policy is part of the overall security policy of the organization and should inherit its basic principles.
The concept of building an information security system should be based on the principles specific to the enterprise security system, ie each employee must identify himself when logging in, by analogy with the entry in the logbook, assign different levels of access to information (such as restricted or confidential information). information) similar to the ban on access to certain premises, there should be a ban on certain actions, and much more.
When developing an IS Policy, you need to balance on the edge of risk reduction and user-friendliness.
A very common problem of Information Security Policy is the use in their development of an approach similar to the development of instructions from the TV: “press the” enable “button, everything will be fine, there will be problems – call technical support.”
The company’s information system is not a TV, it requires much wider functionality, and therefore the IS policy should be much flexible and “usable”.
Write simply and clearly
Keep in mind that in most cases, the average user will not understand the real risks of their actions, even if it is clearly explained that simply opening a letter from an unknown e-mail can break the entire network of the enterprise.
Therefore, write simply and clearly, and most importantly – your Regulations should have a structure of clear recommendations, so that when someone does not understand why it is needed, he could still follow his recommendations.
It should also be remembered that the IS Policy is only a general document (a kind of IS Constitution), in general, Information Security should be divided at the level of:
- Information Security Policy;
- specialized documents in various areas of information security (Privacy Policy, Cyber Incident Response Policy);
- narrow-profile documents that regulate the commission of specific actions by employees under the Information Security Policy (Procedures, regulations, job descriptions of persons responsible for IS).
What is the situation with the legal regulation of IS Politicians?
Today in Ukraine there is no clear regulation of information security requirements at enterprises. At the same time, there are requirements for companies that work with personal data of citizens of the European Union in accordance with the requirements of the General data protection regulation (GDPR) and some other regulations.
Recent norm-setting trends, in particular, the draft Resolution of the NBU “On Approval of the Regulation on Cyber Security and Information Security in Payment and Payment Systems”, certain provisions of the Law of Ukraine “On Basic Principles of Cyber Security of Ukraine” and some others indicate that in the near future We will have clear legislative regulation with strict requirements for the Information Security Policy of enterprises.
Conclusions
To ensure a sufficient level of information security, the company needs to develop an information security policy, taking into account that it is part of the security system of the enterprise, and remember that it should be targeted at each employee, and not burden the main document with information aimed at individual employees. . To do this, you need to develop lower-level documents.
If we talk about whether it is a technical or legal document, you need to combine technical knowledge with legal skills to write understandable to the end user documents similar in form, rather to user-friendly manuals than to technical manuals.