If a city has no IT system integrator company (Pilot + 1C does not count), IT specialists have to either work for themselves or, if they are “lucky”, work in their field at a non-core organization. As for information security, the rule “security is determined by the degree of threat” applies here 100%, or even 101%, but it is sometimes offset by the legislation of the Russian Federation, because of which an extra staff unit appears in the structure, somewhere in the personnel department or the guard service. I should say up front that this article is based solely on my own observations in the city where I live; there is no HR analytics behind it (it simply does not exist). It is worth noting that when an IBshnik (infosec specialist) is hired into the above-mentioned departments, in 70% of cases it is to put the tedious documentation in order. As a result, the work actually consists of writing various instructions, rules and regulations that are rarely followed in practice, or of obtaining various kinds of licenses in order to pass inspections by supervisory bodies, which requires an information security officer on staff.
And what does an IS specialist do when he is not an “extra” unit?! I do not claim to have the final word on the truth, but still...
Legislation of the Russian Federation
Some progress has been made in this area over the last 5 years. Knowledge of the legislation is now necessary to perform one's functions competently (not to be a part-time lawyer, but to know where to dig on the technical side), though this mostly concerns state structures, of course: Federal Law No. 152 and others like it are required reading, along with RD FSTEK and the RKN portal; laws on CT and insider information come up less often, but they do come up. With the widespread rollout of the public services portal and interdepartmental interaction between authorities (“Electronic Government”), studying the laws on electronic signatures (EDS) and the single payment system of the Russian Federation becomes relevant.
Standards
GOSTs, STO IBSS: shhh... no one has heard of them. And those who have heard ask: what for?
ISO27000x, PCI DSS: mmm... left for better times.
Operating system level
95% of the main fleet of machines runs Windows XP; some are now moving to Windows 7. The situation with servers is similar. Superficial knowledge of Windows Server 2003 will be quite enough. Why superficial? Because all the servers (AD, Exchange, ISA, TMG, SCCM) are managed by the IT department, and no one will allow IBBS to access them; I think there is no need to explain why. Security policies, proxies and the firewall have nothing to do with the IBshnik, yet during an external audit, for some reason, it is the IBshniki who have to apply this knowledge.
Telecommunication level
Well, here the story is murky in general. I agree that L2 and L3 devices are handled by IT or the telecom staff. But I cannot understand why ASA, PIX, Check Point, Juniper and CSP VPN Gate relate to information security officers “like cat and dog”. I don’t understand how the security officers are supposed to build a secure network perimeter, VPN, DMZ, etc. That is done by the specialists who service the switches and routers. The rule “security is determined by the degree of threat” works here too. The OIB may be responsible for something like “Continent” and, if you are lucky, “FPSU-IP”, but configuring them properly does not require in-depth knowledge of the OSI model, the protocol stack or addressing rules. And yes, the antivirus and its centralized management, such as AdminKit, are sometimes left to the IBshniki.
Application Software
Given the breadth of applied GIS, there is plenty of room to roam...
A crypto provider is used practically everywhere: CryptoPro, Bikript, ViPNet, etc. A hardware/software MDZ is also often used: Sobol, Accord, Secret Net, Strazh, Blockhost, Zlock, Dallas Lock, DeviceLock, “something else” lock, etc. If the OIB is an OPA operator, then PKI must also be known. The responsibilities may include banking software: Verba, client-bank. For all of this you need to be able to handle key information carriers (tokens, smart cards, TM tablets) and the software that writes to them. And the tastiest part: if something does not work on a computer, then according to IT it is always the fault of GIS. As a result, the IBshnik needs helpdesk skills and must be able to use remote assistance and remote desktop.
Database
Everything is simple here: nobody deals with their security, and an IBshnik needs to know the security mechanisms of SQL Server, Oracle and MySQL only for his own development.
Other
Backup is a similar story: RAID, SAN and NAS are not for IB.
Vendor certificates (if there is a certification center in the city; otherwise you still have to travel): no one needs them. They mean nothing to the personnel department and are an irritant to the manager. They are purely for yourself and for a bright future.
One more important role of the IBshnik is to state his position, correctly from a technical point of view, in writing on a hard medium: “write more papers: more papers, fewer problems”.
As a result, even if a person wants to acquire new skills and develop professionally, disappointment awaits him in the form of the situation I described above, since management perceives security as an unnecessary appendage and a waste of money, although they may lose much more.
Total
35 people graduated from my course; 4 of them work in the specialty, and this post was written based on their impressions. If things are different for you, write in the comments; it will be very interesting.