Размещено на http: //www. allbest. ru/

National Research University -

Higher School of Economics

DRAFT

Of the paper

“Application of international standards in information security activities of Russian commercial organizations”

Student: Platonov Andrey Alekseevich

Group: 476

Argument Consultant: Elin Vladimir Mihailovich

Style and Language Consultant: Kashkarova Tatiana Petrovna

2013

ABSTRACT

At present, there are different standards of information security. They are divided into European and Russian standards. Some European standards are used in Russia, but it has their own GOST standards. The main purpose of the work is to answer the question what standards are using in Russia and how they should be changed to be «ideal».

In this paper, I will answer this question, comparing GOST and ISO standards. I will analyze them and develop recommendations for «ideal» standards.

TABLE OF CONTENTS

ABSTRACT

• INTRODUCTION
• CHAPTER 1. THEORETIC AND METHODOLOGICAL PART.
• 1.1 Key definitions
• 1.2 Methods of information protection
• CHAPTER 2. PRACTICAL PART
• 2.1 Development of recommendations for «ideal» standards
• CONCLUSION
• BIBLIOGRAPHY

INTRODUCTION

This paper is dedicated to the topic of standards of the information security and the structure of my graduation work entitled «Application of International Standards in Information Security Activities of Russian Commercial Organizations».

Since the early days of writing, commanders, soldiers understood that it was necessary to protect the secret correspondence. Information security era began in 1816's, when information communication rose. During that period, the main task of information security was to protect information, facts, property, location, and other data. Nowadays, the area of application information security has expanded and has its own standards.

The main purpose of this paper is to give some definitions concerning information security, discuss potential application of international standards in information security activities of the Russian commercial organization, give the justification of my graduation work's topic, compare European and Russian standards and say a few words about the methods of protection information.

CHAPTER 1. THEORETIC AND METHODOLOGICAL PART

commercial standard information security

1.1 Key definitions

In order to make clear the points discussed later in this paper, it is needed to give some definitions concerning information security. So this paragraph will be devoted to the definitions of such key terms as «information», «information security», «GOST» and some others.

Information - in its most restricted technical sense, is a sequence of symbols that can be interpreted as a message. Let's define the meaning of information security.

· State of a particular object (in the object is the information, data, enterprise information system, society, state, etc.)

· Activity aimed at providing the security of the state of the object.

To ensure information security, we need to implement standards. Standard - a document for the voluntary multiple use of the products, the implementation of the rules and characteristics of the processes of production, operation, storage, transportation, marketing and utilization. Standards can be divided into territory of distribution. The main Russian standard is called GOST. GOST refers to a set of technical standards maintained by the Euro-Asian Council for Standardization, Metrology and Certification(EASC). Originally the abbreviation GOST stands for the State Union Standard.

Nowadays the following Russian standard systems are valid:

· USCD -- The Uniform System of Constructor Documentation;

· USTD -- The Uniform System of Technological Documentation;

· SIBD -- The System of Information-Bibliographical Documentation;

· SSM - The State System of Providing the Uniformity of Measuring;

· SSLS-- The System of Standards of Labor Safety;

· USPD -- The Uniform System of Program Documentation;

· SSERTE -- The System of Standards of Ergonomic Requirements and Technical Esthetic

Nowadays, a large number of the GOST standards are developed and adopted. There are also international standards. The first European standard is called ISO. The abbreviation ISO stands for International Organization for Standardization. The three official languages of the ISO are English, French, and Russian. The organization's logos in two of its official languages, English and French, include the word ISO, and it is usually referred to by this short-form name.

The second standard is named IEC. This abbreviation stands for International Electrotechnical Commission. IEC standards have numbers in the range 60000-79999 and their titles take a form such as IEC 60417: Graphical symbols for use on equipment.

The final standard which is referred to international standard is named Common Criteria for Information Technology Security Evaluation. Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.

There are many information security standards, but the above mentioned ones are considered to be enough for a clear understanding of the points discussed later in this paper.

1.2 Methods of information protection

Now I would like to describe different methods of information protection. Information can be divided into 3 levels of privacy.

· Public data

· Internal Use Only Data (IUO)

· Confidential Data

Each of these types of information must be protected differently.

Public data is available to all members of the society. For example, it can be published injournal articles, press releases, films. No special protections are required for transmission or disclosure purposes. There are some methods of protection Public Data:

· Public Data should be backed up;

· Access to Public Data should be appropriate to prevent unauthorized modifications.

IUOD( Internal Use Only Data) is defined as information for regular internal company use only, with minimal risk exposure. Most electronic data falls into this category. This information is protected from general unauthorized access. By way of illustration only, some examples of Internal Use Only Data might include:

· New employee orientation guides;

· Some de-identified research data.

Internal Use Only Data should not be posted on any public website. It should be housed and handled such that it is protected against loss, theft, unauthorized access and unauthorized disclosure:

· Should be stored in an appropriate physical environment where physical controls are in place to prevent disclosure;

· May be emailed and saved on company computers

Confidential Data is defined as information with significant exposure risk to a person or a company. Exposure of Confidential Data could have an adverse impact on the company's business operations or reputation. Confidential Data should only be disclosed on a limited basis to individuals. By way of illustration only, some examples of Confidential Data might include:

· Research data;

· Employee Social Security numbers;

· Passwords and encryption keys;

· Credit card numbers and bank account numbers;

· Benefits information;

· Confidential legal information.

Most of attackers very often try to steal this type of information. That's why the information should be well protected. There are some methods of protecting Confidential data:

· It must not be disclosed to parties without explicit authorization from the Data Owner;

· It must not be posted on any public website;

· It must be backed up;

· It should be housed on servers, with accounts protected by private key pairs;

· The most sensitive elements of databases should be encrypted;

· Data must be transferred to Internet-isolated systems or networks.

CHAPTER 2. PRACTICAL PART

2.1 Development of recommendations for «ideal» standards

In this paragraph I would like to turn to my graduation work by presenting the justification of the chosen topic and the potential of the system, which will be used for executing the practical part of my graduation work.

My graduation work will describe how to use international standards in information security activities of Russian commercial organizations. The aim of the study will be to create an algorithm of information security of business entities and combine European and Russian standards of information security to create an ideal standard.

Statistics shows, that more than 140 international standards of information technology are used in Russia. More than 30 of them refer to information security. Russia has no GOST standard depending to information security which is valid nowadays. Some international standards of the protection of the information are adopted and put into operation in Russia, but these standards do not constitute a coherent framework for solving security problems. For example, let's distinguish the main principles of information security in Russia:

· A policy document on information security;

· Allocation of responsibilities for information security;

· Education and training for the maintenance of the security;

· Notification of violations of protection;

· Virus protection;

· Business operation planning organization;

· Control of the copying software that is protected by copyright law;

· Protection of an organization's documentation;

· The protection of data.

There were the main principles of Russian information, which had not changed until 2005. There no information about human resources and instructions in the case of an incident. In 2005 Russia adopted an international standard ISO/IEC 27002. The adoption of this standard helped Russia to handle information security. This standard includes:

· Security policy;

· Organization of information security;

· Asset management;

· Human resources security;

· Physical and environmental security;

· Communications and operations management;

· Access control;

· Information systems acquisition, development and maintenance;

· Information security incident management;

· Business continuity management.

If we compare ISO information security standard with the main principles of Russian information security, we can see many differences. Firstly, there is no information about access control. Secondly, human resources are not stipulated in Russian principles. This example shows that Russian standards must be elaborated. Moreover the algorithm of information security should be changed in general. Depending on the algorithm, applying the standards of information security can protect not only the enterprise, but even the lives of people.

CONCLUSION

Concluding the discussion of information security and security standards, it is necessary to remind that information security standards are divided into Russian and European Russia has a high potential for accepting international standards. But the algorithm of information security must be changed in general. In my graduation work I showed the process of creating an algorithm of information security, discussed Russian and European standard problems and possible future developments in this area. I developed and presented recommendation for «ideal» standards.

BIBLIOGRAPHY

1. An Overview of Information Security Standards, 2008

2. http://davydych.blogspot.ru/2011/04/blog-post_21.html

3. www.wikipedia.org

Размещено на Allbest.ru