
Security, instructions and integrators

Hello, dear Habr readers!

Recently I had to deal with a local integrator regarding compliance with Federal Law No. 152 (on personal data) and information security in general. I won't discuss whether this made sense for our small office (I could have done it myself, somewhat slower but much cheaper), because by the time I joined the organization the decision to work with this integrator had already been made, and all I could do was observe and reap the results.

The results, and some reflections on why it turned out this way, are below the cut.

Instructions for actions in abnormal situations
That is what their most interesting document is called. Let me say up front: I have never worked at an integrator and have never written instructions for a customer. I found it hard to understand the logic behind this document; the only comment from the person who wrote it was: "we have successfully rolled it out in many organizations and nobody has had any problems!"

Now to excerpts from the text with my comments (I skip section 1, General Provisions, since it only describes the laws, etc.):

2. General procedure for actions in abnormal situations.
2.1. If an abnormal situation occurs during operation, the employee who detects it immediately notifies the information security administrator.
2.2. The information security administrator performs a preliminary analysis of the situation and, if it cannot be corrected, notifies the head of the department.
2.3. Upon the occurrence of an abnormal situation, an act is drawn up describing the situation. Explanatory materials (screenshots, a printout of the event log, etc.) are attached to the act, if any.
2.4. If necessary, an official investigation is conducted into the occurrence of the abnormal situation and its causes.

The first thing that raises questions: what exactly are these abnormal situations? How is an ordinary employee, say from the marketing department, supposed to tell whether something is an abnormal situation or the result of normal operation?
And why does an instruction for users (as the same integrator employee described it) contain a description of the information security administrator's actions?

Next comes Section 3, "Specifics of actions in the most common abnormal situations". It is large, 14 items, and there is no point in quoting them all: practically every item names an abnormal situation and states what the sysadmin and the information security administrator should do about it (I repeat, the instruction was written for users).
For example:

3.2. Power outage. The information security administrator, together with the employee (specify) of the department, checks for loss and/or destruction of data and software and verifies that the equipment is operational. If necessary, software and data are restored from the latest backup and an act is drawn up.
3.3. Failure of the local area network (LAN). The information security administrator, together with the employee (specify) of the department, checks for loss and/or destruction of data and software. If necessary, software and data are restored from the latest backup and an act is drawn up.

Copy-paste just rules!

3.7. Information leak detected (security hole). If an information leak is detected, the information security administrator and the head of the department are notified. An official investigation is conducted. If the leak occurred for technical reasons, an analysis of the system's security is carried out and, if necessary, measures are taken to eliminate the vulnerabilities and prevent their recurrence.

A remarkable explanation of what an information leak is. Moreover, they split unauthorized access and information leakage (a hole in the system's protection) into two separate items:

3.8. Hacking of the system (web server, file server, etc.) or unauthorized access. When a server hack is detected, the information security administrator and the head of the department are notified. If possible, the server is temporarily disconnected from the network to check for viruses and Trojan implants. A temporary switch to a backup server is possible. Given that software implants may not be detected by antivirus software, the integrity of executable files should be checked especially carefully against the hash values of the reference software, and the state of script files and server logs should be analyzed. All passwords associated with this server must be changed. If necessary, software and data are restored from the reference archive and backup copies, and an act is drawn up. Based on the results of the analysis, the likelihood that unauthorized programs have penetrated the LLC "Vector" information system must be assessed, and then similar work on checking and restoring software and data must be carried out on the other workstations of the LLC "Vector" information system. An internal investigation is conducted into the server hack.
3.9. Unauthorized access attempt. When an unauthorized access attempt is detected, the situation is analyzed based on the access logs and on previous unauthorized access attempts. Based on the results of the analysis, if there is a real threat of unauthorized access, measures are taken to prevent it. An unscheduled password change is also recommended. If software updates are available that fix security vulnerabilities, they should be applied.
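The integrity check in item 3.8 (comparing executables against hashes of the reference software) is the one genuinely technical step in the whole document, and it only works if the reference manifest was produced before the incident and kept somewhere the attacker cannot rewrite it. As an added illustration of that step (my example, not part of the original post or of the integrator's document), here is a small Python script that builds a SHA-256 manifest of a directory tree and later reports which files were modified, removed or added. The directory layout, the file contents and the "compromise" are all constructed inline for the demo; nothing here refers to a real system.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Run this on the known-good system and keep the result off the server
    (or sign it): a manifest that lives on the compromised host can be
    rewritten by the same attacker who replaced the binaries.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, reference: dict) -> dict:
    """Compare the current tree against a reference manifest.

    Returns three sorted lists: files whose hash changed, files that
    disappeared, and files present now but absent from the reference
    (a dropped implant shows up in the last one).
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in reference if k in current and current[k] != reference[k]),
        "missing": sorted(k for k in reference if k not in current),
        "added": sorted(k for k in current if k not in reference),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed sample files; the contents are placeholders, not real binaries.
        (root / "bin" / "httpd").write_bytes(b"\x7fELF reference web server")
        (root / "bin" / "cron").write_bytes(b"\x7fELF reference cron daemon")
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")

        reference = build_manifest(root)  # baseline taken before the incident

        # Simulated compromise: replaced binary, edited script, deleted file, new implant.
        (root / "bin" / "httpd").write_bytes(b"\x7fELF replaced web server")
        (root / "index.php").write_text("<?php echo 'hello'; /* injected */ ?>\n")
        (root / "bin" / "cron").unlink()
        (root / "bin" / ".cache").write_bytes(b"dropped implant")

        return verify_manifest(root, reference)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:>8}: {files}")
```

Two caveats a practitioner would add to item 3.8: the comparison should be run against a copy of the disk mounted on a trusted host (a kernel-level implant on the live server can lie to any process that reads the files), and the same manifest approach should cover script files and configuration, not only the executables the document mentions, since an edited index.php is as much a "Trojan implant" as a replaced binary.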


Another interesting item in this section, which breezily covers the laborious work of building, testing and debugging a business continuity system:

3.13. Natural disaster. In the event of a natural disaster, the documents (specify) of the relevant divisions of LLC "Vector" should be followed. Upon the occurrence of an abnormal situation, an act is drawn up describing the situation. Explanatory materials (screenshots, a printout of the event log, etc.) are attached to the act, if any.

Again copy-paste, this time from section 2. The people who wrote this are clearly far removed from business continuity. I would love to see someone, in the middle of a disaster, drawing up an act and attaching screenshots, log printouts and so on.

And the section closes with the standard clause:

3.14. If necessary, an official investigation is conducted into the occurrence of the abnormal situation and its causes.

The fourth section of this tome (again, instructions for users) is called "Prevention of abnormal situations":

4.1. At least once every (specify period), the recorded abnormal situations should be analyzed in order to develop measures to prevent them.
4.2. In general, to prevent abnormal situations, it is necessary to strictly comply with the requirements of the regulatory documents of LLC "Vector" and the operating instructions for the equipment and software.

The first item of this section is a sort of problem management in miniature.
The second item is puzzling. It alone could replace the preceding three pages of 12-point text. Or perhaps it is a hint at this very document, i.e. recursion.

Reflections on the topic
The integrator that created this document for us is quite large in our region, has been operating for a long time and is well known.
So the most likely story is this: a young specialist who has just graduated from a university in the prestigious field of Information Security gets a job with this integrator. He writes a document like this for the customer. The customer has never dealt with information security documents before (our industry still takes a rather crude view of this field), accepts the document, has the employees sign that they have read it, and somehow fulfills its requirements.
Again, I have never worked for an integrator. I did information security for the organizations I worked in, and wrote instructions for myself and my employees.
Why produce such an indigestible, illiterate document full of blind copy-paste?
Have the young specialists really never heard of best practices and the various foreign security standards?

In my time in information security I have understood two main things:
1. Information security is first of all people, and only then technology.
2. Instructions must be followed automatically, so they must be written accessibly and with as few items as possible (ideally, the user's actions are described step by step, with the responsible persons and their contact details).

Dear integrators! Please pay attention to the quality of your recommendations and the documents you recommend. Write them as if for yourselves, not just to get them out the door!

PS I hope integrator employees will weigh in in the comments.
PPS Any resemblance to a real LLC "Vector" is coincidental.

UPD: if you downvote the post or my karma, please say why in the comments. I'll take note and improve.

Source: https://habr.com/ru/post/153581/

