Application of international standards in information security activities of Russian commercial organizations
Consideration of various information security standards in the Russian commercial organizations. Methods of data protection. Potential application of international standards in information security activities of the Russian commercial organization.
Category | Programming, computers and cybernetics |
Type | article |
Language | English |
Date added | 13.02.2016 |
File size | 25.7 K |
Posted on http://www.allbest.ru/
National Research University - Higher School of Economics
Draft of the paper
“Application of international standards in information security activities of Russian commercial organizations”
Student: Platonov Andrey Alekseevich
Group: 476
Argument Consultant: Elin Vladimir Mihailovich
Style and Language Consultant: Kashkarova Tatiana Petrovna
2013
ABSTRACT
At present, there are different standards of information security. They are divided into European and Russian standards. Some European standards are used in Russia, but Russia also has its own GOST standards. The main purpose of this work is to answer the question of which standards are used in Russia and how they should be changed to become «ideal».
In this paper, I will answer this question by comparing GOST and ISO standards. I will analyze them and develop recommendations for «ideal» standards.
TABLE OF CONTENTS
ABSTRACT
- INTRODUCTION
- CHAPTER 1. THEORETIC AND METHODOLOGICAL PART.
- 1.1 Key definitions
- 1.2 Methods of information protection
- CHAPTER 2. PRACTICAL PART
- 2.1 Development of recommendations for «ideal» standards
- CONCLUSION
- BIBLIOGRAPHY
INTRODUCTION
This paper is dedicated to the topic of standards of the information security and the structure of my graduation work entitled «Application of International Standards in Information Security Activities of Russian Commercial Organizations».
Since the early days of writing, commanders and soldiers understood that it was necessary to protect secret correspondence. The information security era began in 1816, when communication of information grew. During that period, the main task of information security was to protect information, facts, property, location and other data. Nowadays, the area of application of information security has expanded and has its own standards.
The main purpose of this paper is to give some definitions concerning information security, discuss the potential application of international standards in the information security activities of Russian commercial organizations, give the justification of my graduation work's topic, compare European and Russian standards and say a few words about the methods of information protection.
CHAPTER 1. THEORETIC AND METHODOLOGICAL PART
1.1 Key definitions
In order to make clear the points discussed later in this paper, it is necessary to give some definitions concerning information security. So this paragraph will be devoted to the definitions of such key terms as «information», «information security», «GOST» and some others.
Information, in its most restricted technical sense, is a sequence of symbols that can be interpreted as a message. Information security can be understood in two senses:
· the state of a particular object (where the object is information, data, an enterprise information system, society, the state, etc.);
· the activity aimed at maintaining the secure state of that object.
To ensure information security, we need to implement standards. A standard is a document that establishes, for voluntary repeated use, the characteristics of products and the rules and characteristics of the processes of production, operation, storage, transportation, sale and disposal. Standards can be classified by the territory in which they apply. The main Russian standard is called GOST. GOST refers to a set of technical standards maintained by the Euro-Asian Council for Standardization, Metrology and Certification (EASC). Originally the abbreviation GOST stood for the State Union Standard.
Nowadays the following Russian standard systems are valid:
· USCD - The Uniform System of Constructor Documentation;
· USTD - The Uniform System of Technological Documentation;
· SIBD - The System of Information-Bibliographical Documentation;
· SSM - The State System of Providing the Uniformity of Measuring;
· SSLS - The System of Standards of Labor Safety;
· USPD - The Uniform System of Program Documentation;
· SSERTE - The System of Standards of Ergonomic Requirements and Technical Esthetic.
Nowadays, a large number of GOST standards have been developed and adopted. There are also international standards. The first European standard is called ISO. The abbreviation ISO stands for International Organization for Standardization. The three official languages of the ISO are English, French and Russian. The organization's logos in two of its official languages, English and French, include the word ISO, and it is usually referred to by this short-form name.
The second standard is named IEC. This abbreviation stands for International Electrotechnical Commission. IEC standards have numbers in the range 60000-79999 and their titles take a form such as IEC 60417: Graphical symbols for use on equipment.
The last international standard to mention is the Common Criteria for Information Technology Security Evaluation. Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements, vendors can then implement or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they actually meet the claims. In other words, Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.
There are many information security standards, but the above mentioned ones are considered to be enough for a clear understanding of the points discussed later in this paper.
1.2 Methods of information protection
Now I would like to describe different methods of information protection. Information can be divided into three levels of confidentiality:
· Public data
· Internal Use Only Data (IUO)
· Confidential Data
Each of these types of information must be protected differently.
Public data is available to all members of society. For example, it can be published in journal articles, press releases and films. No special protections are required for transmission or disclosure purposes. There are some methods of protecting Public Data:
· Public Data should be backed up;
· Access to Public Data should be appropriate to prevent unauthorized modifications.
IUOD (Internal Use Only Data) is defined as information for regular internal company use only, with minimal risk exposure. Most electronic data falls into this category. This information is protected from general unauthorized access. By way of illustration only, some examples of Internal Use Only Data might include:
· New employee orientation guides;
· Some de-identified research data.
Internal Use Only Data should not be posted on any public website. It should be housed and handled such that it is protected against loss, theft, unauthorized access and unauthorized disclosure:
· Should be stored in an appropriate physical environment where physical controls are in place to prevent disclosure;
· May be emailed and saved on company computers
Confidential Data is defined as information with significant exposure risk to a person or a company. Exposure of Confidential Data could have an adverse impact on the company's business operations or reputation. Confidential Data should only be disclosed on a limited basis to individuals. By way of illustration only, some examples of Confidential Data might include:
· Research data;
· Employee Social Security numbers;
· Passwords and encryption keys;
· Credit card numbers and bank account numbers;
· Benefits information;
· Confidential legal information.
Attackers most often try to steal this type of information. That is why it should be well protected. There are some methods of protecting Confidential Data:
· It must not be disclosed to parties without explicit authorization from the Data Owner;
· It must not be posted on any public website;
· It must be backed up;
· It should be housed on servers, with accounts protected by private key pairs;
· The most sensitive elements of databases should be encrypted;
· Data must be transferred to Internet-isolated systems or networks.
CHAPTER 2. PRACTICAL PART
2.1 Development of recommendations for «ideal» standards
In this paragraph I would like to turn to my graduation work by presenting the justification of the chosen topic and the potential of the system, which will be used for executing the practical part of my graduation work.
My graduation work will describe how to use international standards in information security activities of Russian commercial organizations. The aim of the study will be to create an algorithm of information security of business entities and combine European and Russian standards of information security to create an ideal standard.
Statistics show that more than 140 international information technology standards are used in Russia. More than 30 of them refer to information security. Russia currently has no valid GOST standard dedicated to information security. Some international standards on the protection of information have been adopted and put into operation in Russia, but these standards do not constitute a coherent framework for solving security problems. For example, let us list the main principles of information security in Russia:
· A policy document on information security;
· Allocation of responsibilities for information security;
· Education and training for the maintenance of the security;
· Notification of violations of protection;
· Virus protection;
· Business operation planning organization;
· Control of the copying software that is protected by copyright law;
· Protection of an organization's documentation;
· The protection of data.
These were the main principles of Russian information security, which did not change until 2005. They contain no information about human resources and no instructions for handling an incident. In 2005 Russia adopted the international standard ISO/IEC 27002. The adoption of this standard helped Russia to handle information security. This standard includes:
· Security policy;
· Organization of information security;
· Asset management;
· Human resources security;
· Physical and environmental security;
· Communications and operations management;
· Access control;
· Information systems acquisition, development and maintenance;
· Information security incident management;
· Business continuity management.
If we compare the ISO information security standard with the main principles of Russian information security, we can see many differences. Firstly, there is no information about access control. Secondly, human resources are not stipulated in the Russian principles. This example shows that Russian standards must be elaborated. Moreover, the algorithm of information security should be changed in general. Depending on the algorithm, applying information security standards can protect not only the enterprise but even the lives of people.
CONCLUSION
Concluding the discussion of information security and security standards, it is necessary to recall that information security standards are divided into Russian and European. Russia has a high potential for accepting international standards, but the algorithm of information security must be changed in general. In my graduation work I showed the process of creating an algorithm of information security, discussed the problems of Russian and European standards and possible future developments in this area. I developed and presented recommendations for «ideal» standards.
BIBLIOGRAPHY
1. An Overview of Information Security Standards, 2008
2. http://davydych.blogspot.ru/2011/04/blog-post_21.html
3. www.wikipedia.org