One of the key interests of a business owner is to preserve and, if possible, increase the value of the company he manages. Risks slow down, reduce or even nullify this value, and the talent of a merchant lies in managing those risks consciously.
Historically, financial and operational risks have mattered both to the owners of financial institutions in general and to the managers they employ in particular. This forces the latter to pay close attention and devote great effort to assessing, controlling and minimizing these risks.
In the past two decades, new risks have emerged that are equally significant but still escape the attention of these people: information security risks, which are discussed below.
Current situation
The activity of almost any modern commercial organization is mostly automated. In essence, an organization is a man-machine system that ensures the performance of functions related to interaction with its customers (individuals and legal entities) and regulatory authorities (both state and international industry regulators).
The machine component of this system is called the organization's automated system: communication channels, computer equipment, system software, application software. All of this stores, processes and transfers intangible information assets whose value often exceeds the cost of the automated system itself by orders of magnitude.
Violation of the confidentiality, integrity or availability of these assets always causes tangible and sometimes unacceptable damage (material, reputational, etc.) to the interests of the owner and manager. This makes them vulnerable, and, most importantly, they usually learn about this vulnerability after the fact.
Formulation of the problem
Some time ago, an information security risk assessment was conducted at a commercial bank. In particular, the damage was assessed for a data center outage caused by a wide range of reasons (fire, flooding, equipment or software failure, communication channel failure, actions of service personnel or intruders, etc.). It was found that if the processing center does not work for 2 weeks, the bank suffers unacceptable damage of such magnitude that it is cheaper to open a new bank than to revive the existing one. And this concerns the violation of only one of the three properties of the organization's information assets: availability.
What damage will be caused by the loss of integrity of critical data if, as a result of an attack on the Internet bank-client system, information about customers' account balances is distorted? What damage will a breach of confidentiality cause if the supervising authorities gain access to the organization's operational accounting? Can the negligence of hired employees, collusion among the personnel serving the automated system, or an "order" from competitors lead to these events? Answer: of course they can.
It should also be borne in mind that a number of internationally leading companies are subject to national laws (CA-SB1386, the European Union Data Protection Directive, Basel II / III, etc.) and to the requirements of international regulators (PCI-DSS, etc.).
To a large extent, these are requirements for ensuring the confidentiality, integrity and availability of the information assets processed by the organization's human-computer system. Violating the requirements of some laws or regulators entails, in addition to penalties for the organization, personal and even criminal liability for the management team. The CIS countries, albeit with a delay, are consistently tightening administrative and criminal legislation, adopting "analogues" of American or European norms, for example laws on the protection of personal data.
That is why managers look for sources of information about these risks.
Example
Among all this diversity, we single out the risks to business continuity associated with the violation of the availability property.
To evaluate them, you need to understand which business processes in our organization are most critical and which are less so (Business Impact Analysis). What can stop these processes (threats and their sources, in the form of people and natural phenomena), and how can the probability of each threat be minimized?
How can the damage be minimized if the processes stop anyway?
It is necessary to apply a methodology, Business Continuity Management, that describes:
• how to prepare for these events (backup of critical data, backup data centers, regular employee training, etc.)
• how to continue operating in a degraded mode (during and immediately after a fire, a power or communication channel outage, loss of personnel as a result of a pandemic, etc.)
• how to guarantee the owner an acceptable level of damage when such an event occurs (in the worst case, we lose the transactions of the last 2 hours)
• how to ensure that the business is restored within a strictly defined period of time (24 hours after the complete destruction of the data center in a fire, the bank continues to operate)
As an example, take a well-known transnational corporation. Its business continuity management system requires a simulated catastrophe once a month. There is a main office and a main data center. Once a month, employees rehearse the move to the backup office and the transfer of the automated system's functions to the backup data center. Thus, they can continue to work and fulfill their obligations to counterparties even in the event of the complete destruction of the office or data center and the loss of a significant part of the staff. Its competitors organize their work similarly.
Solution
For the past 15 years, the source of risk information for business owners and senior executives has been continuous internal and regular external integrated audit (financial and operational risks are evaluated, and information security risks along with them), which gives a unified assessment of all the interrelated risks of an organization.
This makes it possible to economically justify the need to develop and implement a set of security measures in an organization:
• Organizational
• Physical
• Technical
• Technological
• Moral and ethical
• Legal
Such a set of measures allows the risks to be managed consciously by:
• accepting them (for example, a business uses unlicensed software, but in the event of a possible raid by the regulatory authorities it knows the extent of the damage)
• avoiding them (we will not offer the Internet bank-client service, since we are guaranteed to incur unacceptable damage from fraudulent schemes)
• minimizing them (we will build a backup data processing center and regularly train personnel for the case of the complete destruction of the main one)
• transferring them to others (using the services of an insurance company)
To audit, develop and implement a set of measures adequate to the existing risks, managers engage teams of specialists that meet the following requirements:
• successful implementation of projects to create automated systems in a protected version
• objectively confirmed qualification
• loyalty to the interests of the customer
• acceptable cost of collective services
The first requirement is met by teams that routinely build automated systems in a protected version for a variety of customers. As a rule, these are employees of system integrator companies. They have practical knowledge, skills and well-developed methods for creating and maintaining protection systems in accordance with the requirements of various laws and regulators.
The second requirement is met by specialists active in the field of information security who hold internationally recognized certifications (CISA, CISM, CISSP) from organizations such as ISACA (the largest professional association of auditors) and (ISC)² (a leading international consortium of information security specialists).
The third requirement conflicts with the first, since loyalty and, as a result, the trust of the owners, which is necessary to gain access to the secrets of the business, is usually achieved only when these employees are on the staff. That, in turn, is economically inexpedient and conflicts with the fourth requirement.
Conclusions
The difficult period in the country has significantly increased all types of risks for companies. Competition is becoming tougher in almost all sectors, and the terms "industrial espionage", "sabotage" and "cyber threat" have become everyday reality even for business owners who are far from information technology. The state, in turn, is increasingly tightening legislation (primarily tax legislation) and, through the regulatory authorities, increasingly controlling its implementation, thereby complicating the situation as a whole.
Therefore, an adequate decision is either to engage on a contractual basis (with a legally binding non-disclosure agreement), or to develop from among their own employees, experts with the necessary experience in system integration and internationally recognized certifications.
Having direct access to the organization's management, such an expert will be able to assess risks adequately and to develop and justify a budget for security measures that will be implemented both by the organization itself and by external contractors (system integrators), without giving the latter access to the organization's secrets. The expert will remain loyal and under the control of the management through a system of objective security indicators for the company, on which his job depends.
Ultimately, the presence of such a trusted source of information will allow management to make better strategic and tactical decisions in managing the organization and to have guarantees that the key interests of the business owners are respected.
Author: Kuzma Pashkov