How to write a technical standard for information security for a large company



Over time, any large company runs into the same problem: a tangle of different approaches, methods and tools for protecting information.

Each company deals with this chaos in its own way, but usually one of the most effective measures is to write a technical standard for information security. Imagine a large industrial group that includes several enterprises in different parts of the country, plus service infrastructure: a hotel, an IT company, a transport depot, an NPP, a foreign representative office and canteens.

The first task is to figure out what needs to be protected and how, so that every manager knows exactly which protective measures should be taken with respect to which assets. It is important that the set of protective measures applied is necessary and sufficient: secure and, at the same time, within budget.

The second task is to standardize technical solutions. Ideally, each technical protection measure is implemented in a defined way using one or more specific tools. If, for example, you use antivirus from a single vendor to protect hosts, you can buy licenses at a larger discount (thanks to the volume), and you do not need to keep a staff of specialists experienced with different solutions. And if you standardize many information security solutions, you can build similar architecture groups in different companies and centralize their management, thereby practically doing away with local units.

Let me tell you how we did it. You may already have written something similar yourself, and our story will help you structure such things, or at least give you a couple of ideas on how to do it.

What we took as a basis, and what came out of it in terms of protection


What was there at the very beginning, or what was the problem:

  1. The company wanted to implement protective measures from one single "source of truth." Roughly speaking, we needed a single table for the entire holding with a list of what needs to be done to provide information security and comply with all the requirements coming down from the regulators. And so that there are no situations where each subsidiary implements IS as it pleases, sometimes going against the position of the parent company.

In general, sooner or later everyone comes to the need to develop an IS technical standard. Some do it themselves, some use well-known methodologies proven in practice. In any case, one of the first questions in developing the technical standard will be: "Where do we take the protective measures from?" Of course, you can invent them yourself, taking into account the peculiarities of your organization. But nobody does that: after all, there are many ready-made sets of measures. You can take the documents of the FSTEC of Russia (orders 21, 17, 239, 31), or the Bank of Russia GOST. We had an international industrial company, and we decided to take as a basis the NIST "Framework for Improving Critical Infrastructure Cybersecurity" and NISTIR 8183 "Cybersecurity Framework Manufacturing Profile". You can follow the link, download a hefty PDF and be inspired by what bureaucracy can achieve in its desire to hide behind a pile of paper. In fact, you do not need to be afraid of the size of the template: everything is there and everything is needed.

It would all be too simple if you could just spend some time translating the NIST documents above and pass off the translation as a finished technical standard. Our company, although international, still has most of its business in the Russian Federation. Accordingly, Russian regulations must also be taken into account. In addition, not all protection measures from NIST are applicable and necessary (why implement something that is not needed; we do not want to waste financial resources). The size of the company added to the complexity: the holding includes industrial enterprises, recreation centers, hotels, accounting and service companies. Accordingly, there are personal data, trade secrets, KII (critical information infrastructure) objects, and industrial control systems.

What did we do? First, we made a free translation of the NIST documents above, removing the measures that do not need to be implemented. These are, for example, measures aimed at providing information security for technologies that are not used in our holding, or measures that are not required according to the Risk and Threat Matrix approved by the holding (we also developed it and, perhaps, will write about it someday soon). Then we mapped the protection measures from Russian regulatory documents to the measures from NIST. Some measures (for obvious reasons) fit perfectly into the NIST measures, some did not fit, and the scope of measures had to be expanded. Measures were added from the following documents:

  • Federal Law of July 26, 2017 No. 187-FZ “On the Safety of Critical Information Infrastructure of the Russian Federation”;
  • Federal Law of July 27, 2006 No. 152-FZ “On Personal Data”;
  • Federal Law of July 29, 2004 No. 98-FZ “On Trade Secrets”;
  • Government Decree of February 8, 2018 No. 127 (rules for categorizing critical information infrastructure objects);
  • Government Decree of November 1, 2012 No. 1119 (requirements for the protection of personal data processed in personal data information systems);
  • FSTEC of Russia Order of February 18, 2013 No. 21 (organizational and technical measures for the security of personal data);
  • FSTEC of Russia Order of December 25, 2017 No. 239 (security requirements for significant critical information infrastructure objects);
  • FSTEC of Russia Order of December 21, 2017 No. 235 (requirements for building security systems for significant critical information infrastructure objects);
  • FSTEC of Russia Order of March 14, 2014 No. 31 (information protection requirements for industrial control systems).

Finally, after all the translation and mapping, we added measures that are not described anywhere but are necessary to neutralize the threats from the Risk and Threat Matrix mentioned above, as well as measures that the Customer’s IS staff found useful and interesting to implement (for example, cyber exercises appeared).

As a result, we had a huge table of measures (in fact, two: a brief one and a detailed one with instructions for implementing each measure), which also indicated which measures correspond to the requirements of which document.

Below is a picture with a detailed description of a specific measure:



And here is a short table with the list of measures and an indication of which types of systems these measures should be applied to:



Thus, we have a single table for all holding companies, from which they can choose measures to build their protection system.

So what measures are included in this table? There are five functional areas:



Each of the five functional areas of information security is divided into three to six categories. 22 categories are allocated in total:

Functional direction of information security / Category name / Category designation

Identification
  • Asset Management: ID.UA
  • Business context: ID.BK
  • Governance: ID.RU
  • Risk assessment: ID.OR
  • Risk management strategy: ID.UR

Protection
  • Access control: ZI.KD
  • Awareness and training: ZI.OO
  • Data security: ZI.BD
  • Information security processes and procedures: ZI.PP
  • Maintenance: ZI.TO
  • Protection technology: ZI.TZ

Detection
  • Anomalies and events: OB.AS
  • Continuous security monitoring: OB.NM
  • Detection processes: OB.PO

Response
  • Response plans: RG.PR
  • Communications: RG.KM
  • Analysis: RG.AN
  • Mitigation of consequences: RG.MP
  • Improvement: RG.SV

Recovery
  • Recovery plans: VS.PV
  • Improvement: VS.SV
  • Communications: VS.KM



Each category, in turn, contains up to 16 organizational and technical information protection measures that may need to be implemented in holding companies. In total, the set consists of more than 100 information security measures. Depending on the types of systems in a company, some of the protective measures are mandatory and some are recommended.

Selection process


Saying is, of course, easier than doing. So far I have only talked about the set of protective measures, but they also need to be selected (or excluded) somehow. Below is a flowchart of the process for choosing protection measures:



Let's go through each step.

Definition of types of information systems and industrial control systems

Selection of protection measures

Defining a profile for each protection measure

Formation of the final set of protective measures



The process for selecting protection tools


So, we have chosen the protection measures, and half the job is done. Now we need to choose the protection tools that will allow these measures to be implemented. The choice of protection tools includes the following sequence of actions:

  • determining the type of site (IT infrastructure facility) to which the holding company belongs;
  • determining the types of protection tools needed (antivirus, intrusion detection and prevention systems, firewalls, SIEM, etc.);
  • determining the area of applicability (area of implementation) of the selected protection tools;
  • identifying specific manufacturers (vendors) for the selected protection tools.

Since we have a large holding, it is logical that it can have several types of IT infrastructure objects (site types). There are data centers, typical production sites, typical remote sites, and typical production or remote sites outside the Russian Federation. Different components of centralized and local information protection tools can be deployed at different types of sites.
For obvious reasons, I will not tell you which types of protection tools are used in the holding or which of their components are deployed at which sites.

I can only say that, as part of the technical standard, we mapped the security measures to information security tools. So any holding company applying our technical standard can not only form a list of protective measures it needs to implement, but also understand which protection tools from which manufacturers should be applied. Moreover, since centralized solutions are used in many areas of protection, significant savings on purchases are possible. That is, it is enough for the holding company to purchase only the agent components and connect them (on request to the service company) to the management servers in the data center. At a minimum, you will not have to spend money on a management component, and you will not have to manage the protection tools yourself: that task can be entrusted to the holding’s service company, which saves on searching for, hiring and paying specialized staff.

I will note separately that in the Technical Standard we explicitly named the manufacturers of the protection tools themselves (about 20 classes of solutions). To select specific manufacturers, a whole methodology was developed (a methodology for choosing technical solutions) that allows solutions within specific classes to be compared. The main criteria: functional stack, an assessment of convenience for the holding (technical support, vendor presence in the countries where the holding operates, etc.), the possibility of sanctions (country risk), how long the vendor has been on the market, how easy it is to find service specialists, etc.

The result of the work according to the standard


So what do we get? We get a single “source of truth”, according to which any holding company can choose the protection measures it needs to implement, taking into account the specifics of its information systems, industrial control systems (ICS) and IT infrastructure. Moreover, having chosen the measures, the company will be able to understand which protection tools implement them. At the same time, the company can save on the purchase of protection tools, because it understands which components of the centralized protection tools are deployed at which sites (i.e., which components it can simply connect to without spending money on their purchase).
As for the security staff, their life was also simplified. First, everyone should now implement the requirements of the Technical Standard (including when creating new systems). Second, it is easier to conduct checks when the protection measures are defined.

The Technical Standard contains a lot of templates for reporting forms, so holding companies do not need to figure out how to document the results of work under the standard: everything is already there. For example, one of the appendices is the form of the Declaration of Applicability of Protective Measures. This is the document in which all the results of work under the standard are recorded. It is a table indicating which protection measures are applied to which information systems and industrial control systems, which technical solutions implement them (for technical measures) and which internal regulatory documents describe them (for organizational measures).

The standard turned out to be easy to use; the steps are described in it. An example. Let's say we have a hotel. According to the requirements of the inventory process, it must conduct an inventory of assets and determine the list of operating information systems and their criticality. Knowing this, the IS representative looks at which systems exist (for example, an ISPDn of protection level 4 and a trade-secret (CT) system), selects the necessary protection measures, adapts and supplements them (knowing the actual threats), and gets the final set of security measures. Then he looks at another table and receives the set of protection tools that need to be implemented at his site. That's all. Many will ask: “What about documents?” We tried to make IS processes centralized; we also developed standard local IS documents for the sites. Of course, specific companies will need to adapt the documents handed down from the parent company, but that is much easier than writing them from scratch.
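As an added illustration (not code or data from the article or the holding's standard), here is how the selection procedure above can be encoded: a measure catalogue with mandatory/recommended applicability per system type, the derived protection-tool classes, and rows for the Declaration of Applicability. The measure numbering (ID.UA-1 etc.), system-type codes, sample measures and vendor names are constructed placeholders; only the category designations come from the standard's table.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

@dataclass(frozen=True)
class Measure:
    code: str                      # hypothetical numbering within the standard's category codes
    category: str                  # category designation from the standard's table, e.g. ZI.KD
    name: str
    mandatory_for: FrozenSet[str]  # system types that make the measure mandatory
    recommended_for: FrozenSet[str]
    tool_class: Optional[str]      # protection-tool class for technical measures, None if organizational

# Constructed sample catalogue (the real standard has more than 100 measures).
CATALOGUE = (
    Measure("ID.UA-1", "ID.UA", "Asset inventory", frozenset({"ISPDn-4", "CT", "KII", "ICS"}), frozenset(), None),
    Measure("ZI.KD-1", "ZI.KD", "Host antivirus", frozenset({"ISPDn-4", "KII"}), frozenset({"CT"}), "antivirus"),
    Measure("OB.NM-1", "OB.NM", "Central log collection", frozenset({"KII", "ICS"}), frozenset({"ISPDn-4", "CT"}), "siem"),
    Measure("ZI.TZ-1", "ZI.TZ", "Industrial network segmentation", frozenset({"ICS"}), frozenset(), "firewall"),
)
# Constructed tool-class -> standardized vendor mapping (placeholders, not the holding's real vendors).
VENDORS = {"antivirus": "AV-VENDOR-PLACEHOLDER", "siem": "SIEM-VENDOR-PLACEHOLDER", "firewall": "FW-VENDOR-PLACEHOLDER"}

def select_measures(system_types: Set[str]) -> Dict[str, str]:
    """Final measure set for a site: mandatory if any system type requires it, else recommended if any suggests it."""
    selected: Dict[str, str] = {}
    for m in CATALOGUE:
        if m.mandatory_for & system_types:
            selected[m.code] = "mandatory"
        elif m.recommended_for & system_types:
            selected[m.code] = "recommended"
    return selected

def tool_classes(system_types: Set[str]) -> Dict[str, str]:
    """Protection-tool classes required by the selected technical measures; mandatory outranks recommended."""
    selected = select_measures(system_types)
    classes: Dict[str, str] = {}
    for m in CATALOGUE:
        if m.tool_class and m.code in selected and classes.get(m.tool_class) != "mandatory":
            classes[m.tool_class] = selected[m.code]
    return classes

def declaration_of_applicability(system_types: Set[str], local_docs: Dict[str, str]) -> list:
    """Declaration rows: measure, status, and the standardized tool (technical) or internal document (organizational)."""
    selected = select_measures(system_types)
    rows = []
    for m in CATALOGUE:
        if m.code not in selected: continue
        how = VENDORS[m.tool_class] if m.tool_class else local_docs.get(m.code, "DOCUMENT MISSING")
        rows.append({"measure": m.code, "category": m.category, "status": selected[m.code], "implemented_by": how})
    return rows
```

For the hotel from the example, call `declaration_of_applicability({"ISPDn-4", "CT"}, {"ID.UA-1": "Asset Inventory Regulation"})`; a missing local document for an organizational measure shows up as "DOCUMENT MISSING", which is exactly the gap an audit against the standard would flag.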

Instead of a conclusion


For lovers of numbers: the standard contains 30 pages of the main part with a description of the approach and the working algorithm, and more than 100 pages of appendices with a detailed description of the protection measures, various selection tables and templates of reporting forms.

We ourselves have tested the resulting standard on a number of sites.

As a result, chaos decreased somewhat and control increased. The effect will grow as information security tools are purchased (after all, 20 vendors were standardized, and not everything had been purchased by the time the Technical Standard for Information Security was released) and as the information security processes are finally implemented. When new systems are created, we expect everything to go without surprises for information security.

I think you have similar documentation too. Many standardize only specific security solutions, without any methodology for choosing them. Some standardize specific measures (mainly based on the approaches of the FSTEC of Russia or the Central Bank of the Russian Federation).

There are also many different approaches to adapting a single standard to subsidiaries. Some introduce special security levels (not to be confused with the protection levels of ISPDn), then divide the holding's companies into these levels, and each implements the security measures of its level. Some apply all requirements to all companies. Some apply them selectively, by legal entity or company type. We decided instead to work with system criticality and the types of IT infrastructure facilities.

As for the protection measures, the approach of choosing measures from NIST, mapping them to the requirements of Russian regulators, and adding a block on system criticality seemed to us good practice.

If you have questions on such tasks that can only be answered in private correspondence, here is my e-mail: MKoptenkov@technoserv.com.

Koptenkov Mikhail, Head of Audit and Consulting.
