Information security levels: the importance of methodology for practice

Table of contents
  1. Level 1 of information protection
  2. Level 2 of information protection
  3. Level 3 of information protection
  4. Level 4 of information protection
  5. Results

Information security from the point of view of methodology is a deeply studied process, which is usually divided into several levels. From global fundamentals to private practices that are accepted in a particular company.

Information security levels are the methodological basis on which the implementation of an organization's information security is based. Without knowledge of these basics and their features, it is impossible to effectively implement security mechanisms in the company's infrastructure.

There are both global problems that affect several layers of information security, and local problems that are specific to a particular level. In this article, we will analyze the problems of implementing information security programs and the main difficulties that companies face.

Level 1 of information protection

This is the level of the legal framework. The main initiator here is the state, represented by its legislative bodies and relevant departments. At the legal level, regulations and minimum requirements that certain companies must meet are formed.

The level of requirements is largely determined by the specifics of the subject of law enforcement. These can be critical information infrastructure objects, data operators, state-owned enterprises, or other entities.

Andrey Timoshenko
Director of Strategic Business Development, Innostage

There is a basic, so-called "gentleman's" set of security measures that any organization should implement, regardless of its size or field of activity. These measures include: antivirus and network protection, secure access tools, firewall, and secure settings for IT platforms such as servers, workstations, database management systems, and network equipment. Equally important are identifying and closing vulnerabilities and backing up data.

Those who actively use Internet services for work purposes need to implement protection against DDoS attacks and a Web Application Firewall (WAF). Organizations that work with large amounts of personal customer information and production secrets should strengthen access control measures and implement systems to counter information leaks.

At the level of legal frameworks, there are two global risks that can negatively affect the entire information security infrastructure:
  1. Bureaucratization. It is often called "paper security", when a set of documents fully meets the requirements of regulators, but the declared level of protection does not correspond to reality. This problem resonates with the administrative level of information security, where local regulations and corporate rules for working with data are formed.
  2. Inefficient adaptation. The problem of interpretation of legislative acts and their application to a particular company is usually revealed at the stage of departmental inspections. The risks here directly depend on the professionalism of the contractor and relevant employees.

In addition, there is always a risk of encountering the classic problems of any legislation: bureaucratization of processes, lack of explanations on a particular case, lack of clarity in law enforcement and judicial practice.

Vladimir Aryshev
Expert on complex information security projects, STEP LOGIC

Ensuring security is a process that needs constant maintenance. The security system should be regularly adjusted in accordance with the changing environment: new information assets appear, types of attacks, and models of violators change.

A team of highly qualified specialists is required to continuously register and process security events, identify new vulnerabilities, and teach employees how to work safely.

Not every organization is ready to create such a division, so now various information security outsourcing services are becoming increasingly popular, for example, Security Operations Center (SOC), which allows you to transfer most of your analytical and routine work to an external specialized organization.

The legal level of system protection is followed by the administrative level, where "universal" legal norms and requirements are adapted to the specifics of a particular company.

Level 2 of information protection

This is the level of management decisions. The main initiators at the administrative level are the company's top management. Within this level, job descriptions are formed, responsible persons are appointed, and regulations are drawn up for responding, training personnel, and implementing other protective mechanisms.

As at the previous level, the main problem here remains formalism: policies can be downloaded from the Internet to cover up legal holes. In this case, security protocols become formal and have no practical use, because they are not properly implemented.

Alexander Gerasimov
CISO Awillix

To properly assess the level of system security, the first step is to determine the company's threat model and find out who to protect against. Without modeling possible information security threats, it is impossible to build a secure system.

But if the following are described:
  1. Security threats are possible attacks or violations of the main principles of information: integrity, availability, and confidentiality.
  2. Intruder models are portraits of hackers, for example, an external intruder with scanners in his arsenal, a hacker in a group, an enterprising schoolboy, or an internal intruder.
  3. Ways to implement threats – attack scenarios.
  4. Possible vulnerabilities are gaps in the company's IT infrastructure: websites, applications, personal accounts, and so on.
  5. Consequences of information loss or compromise.
Then it becomes clear exactly how to change systems, processes and security tools to reduce risks and take into account the maximum information security threats.

The success of a company at the administrative level of information security directly depends on the maturity of the management from the position of information security. An important role here is played by awareness of the basic principles of information security, its importance for the functioning of the company.

If the company's management understands, for example, that being vulnerable to DDoS attacks can cause the company's resources to be unavailable for N times and lead to X financial losses, it is more likely to come to an understanding of the need to "close" this problem preemptively, before the first incident.

Dmitry Pudov
CEO of NGR Softlab

I find it hard to believe that many organizations are experiencing information security for the first time. Now many companies are ready to move to a more conscious management of information security risks, realizing that they cannot be ignored.

If the organization's information security issues have reached a strategic level, then it is necessary to create and develop this area. From the point of view of methodology, information security is a fairly mature field of knowledge. There are enough professional companies on the market that can help form an information security strategy and implement it, taking into account all the subtleties and nuances of legislation, the IT landscape, the financial capabilities of the organization and the specifics of its business processes.

Now there are already a number of companies on the market that are ready to provide some security services using the service model. If the organization is at the beginning of its journey, then it is important to try to work with professionals and remember the Pareto rule: 20% of events will give 80% of the result.

The legislative and administrative levels are the stages of theoretical and instrumental justification. Their main task is to standardize information security implementation processes. Creating a complex of familiar and understandable actions allows you to create a sense of predictability. And predictability is one of the main security conditions.

Level 3 of information protection

This is the procedural or operational level of information security. That is, the level of practical implementation of the regulations and instructions that were formulated at the previous stages.

This level of information security is one of the highest-risk. There are two main reasons for this:
  1. Involvement of a large number of people. In fact, all employees of the company who have access to corporate information systems participate at this level.
  2. Constant relevance. The risk of encountering cyber threats exists at any given time. As a rule, employees show different levels of resistance to social engineering methods.

Roman Laminin
Leading Information Security Specialist, eXpress

Mass training can really help in this situation. First of all, it is necessary to conduct trainings on countering social engineering methods and phishing attacks. Moreover, priority should be given not only to theoretical, but also to practical classes with an interval of no more than 4 weeks. As the experience of HelpSystems training groups shows, within 3-4 weeks after the end of the anti-phishing training, the client's employees began to open obviously phishing emails again.

Many companies have already come to the conclusion that the success of implementing technical tools and information security procedures directly depends on the level of training of employees. A new trend that the industry is moving towards is ensuring uniform frequency, and at best, continuity of employee training.

Alexander Osipov
Director of Cloud Platforms and Infrastructure Solutions, MegaFon

Indeed, despite the fact that companies are becoming more conscious of ensuring information security every year, the human factor continues to be one of the main problems of security systems.

Hackers actively use social engineering techniques – such as emails containing infected files or phishing links, which, according to our data, are opened by more than 30% of employees. In order for the level of cyber hygiene to grow, companies need to systematically raise employees' awareness of security rules: teach them to identify phishing sites, talk about the psychological techniques and technologies that fraudsters use to obtain confidential information, and so on.

Training platforms help companies do this. For example, at MegaFon, this is Security Awareness, which has a constantly updated set of courses on various topics in the field of cybersecurity and tools that allow you to check and consolidate your knowledge. Completing the training allows you to reduce the threat of phishing by almost ten times, up to 3-5%.

The relevance of this approach is growing in proportion to the growth in the number of attacks, most of which occur using social engineering methods to obtain an "entry point".
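The post above says training should teach employees to identify phishing sites. As an added illustration of what such training actually points at (this is example code written for this page, not part of the original article and not MegaFon's Security Awareness platform), the following checks a link's visible text against its real target for a handful of classic indicators: a non-HTTPS target, a bare IP address as host, a punycode (xn--) label, a visible URL whose host differs from the real one, a trusted domain name embedded inside a foreign domain, and a "document.pdf.exe"-style double extension. The trusted domains and sample links are constructed.

```python
"""Heuristic phishing-link indicators of the kind awareness training teaches
employees to recognise. Constructed example; not the article's own material."""
import re
from urllib.parse import urlparse

# Constructed: domains the fictional company treats as its own.
TRUSTED_DOMAINS = ("portal.example.com", "example.com")

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# A document-looking name followed by an executable extension.
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|jpe?g|png)\.(?:exe|scr|js|bat|cmd)$", re.I)


def _host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def link_indicators(link_text, href):
    """Return the indicator names that fire for one (visible text, real target) pair."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        findings.append("not-https")
    if IPV4.match(host):
        findings.append("ip-address-host")
    # Internationalised domain labels are encoded as xn--...; they can hide
    # lookalike characters from the reader.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-host")
    # The text the reader sees looks like a URL but the link goes elsewhere.
    if link_text.lower().startswith(("http://", "https://")):
        text_host = _host_of(link_text)
        if text_host and text_host != host:
            findings.append("text-href-mismatch")
    # A trusted name appears inside a host that is not that domain or one of
    # its subdomains, e.g. portal.example.com.evil-domain.test.
    for trusted in TRUSTED_DOMAINS:
        if host != trusted and not host.endswith("." + trusted) and trusted in host:
            findings.append("lookalike-domain")
            break
    if DOUBLE_EXT.search(parsed.path):
        findings.append("double-extension")
    return findings


def suspicious_links(links):
    """Map each target URL with at least one indicator to its indicator list."""
    report = {}
    for text, href in links:
        hits = link_indicators(text, href)
        if hits:
            report[href] = hits
    return report


# Constructed sample: (what the employee sees, where the link really goes).
SAMPLE_LINKS = [
    ("https://portal.example.com/login", "https://portal.example.com/login"),
    ("https://portal.example.com/login", "http://portal.example.com.evil-domain.test/login"),
    ("Open document", "http://192.0.2.10/invoice.pdf.exe"),
    ("https://portal.example.com", "https://xn--prtal-xyz.example.test/login"),
]

if __name__ == "__main__":
    for href, hits in suspicious_links(SAMPLE_LINKS).items():
        print(f"{href}: {', '.join(hits)}")
```

The check runs on the link pair only and deliberately makes no network request: it is a training aid that shows which cues matter, and which an employee can verify by hovering over a link before clicking, rather than a mail filter.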

Pavel Yashin
Head of Information Security Service, iiii Tech (Forayz)

Employees are the easiest resource to hack. No matter how we prepare our intrusion detection systems, no matter how we configure DLP, if an attacker has obtained the employee's account data, then the barrier is passed, the attacker is already inside the company's network and many opportunities are open to him.

What does digital hygiene include? Here's a set of simple rules:
  • Use complex passwords;
  • Do not share passwords and pin codes with anyone;
  • Use multi-factor authentication wherever possible;
  • Do not store personal data (such as passport scans) in cloud systems;
  • Use social networks wisely – don't share too personal information;
  • Don't use work email for personal use;
  • Don't connect to open WiFi networks from work computers;
  • Contact the security service if a cyberattack is suspected.
It should be remembered that ordinary human greed, curiosity and laziness are "critical vulnerabilities", and intruders are very fond of exploiting them. But knowing the rules of digital hygiene can protect you and reduce the effectiveness of a scam attack.

Another important point that is often overlooked at the operational level is building effective models of interaction between the information security specialist and other employees. If an employee believes that they have received a phishing email – they should clearly understand how and to whom they need to transmit this information. This approach allows you to develop "collective immunity", and timely warn other employees about the threat that has arisen.

Level 4 of information protection

This is the level of "combat" information systems and technical solutions that a company uses to protect its infrastructure. Depending on the specific company, its capabilities and scale, both SIEM systems and conventional antivirus programs can be used.

Pavel Korostelev
Head of the company's Product Promotion Department, Security Code

First, the company must determine what information it wants to protect. Test questions will help you do this: what information can enrich competitors, what data leaks will lead to the suspension of the company's direct activities, and what penalties may follow from regulators.

Then you should take organizational measures to build an information security system: define security policies, develop standards and guidelines, and appoint those responsible. After that, you need to think about training employees in the basics of cybersecurity.

It should be understood that information protection must be comprehensive – at the level of IT infrastructure, applications, and data. If the company is large, you will most likely need to install a security monitoring and event collection system.

Since one of the main problems in modern cybersecurity is the lack of specialists, the defense strategy should be built in such a way as to spend as little human resources as possible.

At the technical level of information security protection, a certain conflict of interests occurs: the desire of business to minimize costs collides with the desire of information security specialists to saturate the infrastructure with security tools as much as possible.

Within this "conflict", two key factors are relevant:
  1. Budget. The information security specialist will have to explain in business terms, for example, why the company needs to connect to the TI platform. The main difficulty lies in the fact that there are no specific metrics, in the style of "return on investment".
  2. Threat model. It is important to understand what data needs to be protected and what it needs to be protected from. Based on this information, a conclusion is drawn: either the measures already taken are sufficient, or new ones are needed.

At the same time, it is important to understand that no security system will work in a company where employees neglect the rules of digital hygiene. This increases the relevance of simple solutions related to continuous training of employees.

Dmitry Kovalev
Head of the Information Security Department of Sissoft

The human factor is the weakest link in the company's information security system. It is extremely important for businesses to pay attention to the digital hygiene of employees, allocate resources and time for this.

Otherwise, investments in the purchase of technical information security tools will be jeopardized by a basic ignorance of the basics of cybersecurity. Among the basic knowledge of employees should be: understanding the principles of creating and storing passwords, the ability to recognize phishing emails in time, and understanding the risks that a single click on an unverified link can lead to.

Results

The main goal of differentiating information security levels is to simplify the understanding of the information security implementation process. Based on this model, the dependence of operational solutions and technologies on paperwork is clearly visible.

Understanding the connections between these levels provides the company with a number of important benefits:
  • increases the awareness of all participants in the process;
  • allows you to optimize costs by analysing the information security tools and choosing among them selectively;
  • improves the quality of information security processes, which reduces the cost of implementing security tools.
At the same time, it is important to understand that the levels do not replace each other: a lack of work with employees cannot be covered up by deploying protective information security tools without those tools losing their effectiveness.

Thus, an integrated approach and conscious work at each of the basic levels of information security allows you to reduce the cost of the subsequent level by effectively building processes.