Computer Crime Research Center


Organization of Information Security at Enterprises

Date: May 23, 2004
Source: Computer Crime Research Center
By: Andrey Belousov

The majority of crimes committed using computers or related to computer information bear mercenary motives and thus they represent danger to financial and industrial spheres.

Analysis of criminal cases and other available information showed that mechanism of committing crimes on the whole lies in the following:

- criminals were related to development of software and operation of computers, and used these capabilities to add necessary codes;
- unauthorized access was committed during a short period of time (less than 1 minute) under the guise of a legal user from a terminal connected to computer network;
- a special program was developed and included for further operations, then it created accounts with zero balance for some clients (a legal entity or an individual, real or inverted) with subsequent fraudulent operations using them;
- withdrawals or conversion into cash were conducted according to the predetermined order and without any traces.

Methods of hacking or unauthorized access used by criminals, on the whole, come to two kinds:
1. Inside hacking: a criminal has physical access to the terminal whereat he can access any needed information and he can work there for some time without any control.
2. Outside hacking: a criminal has no direct access to computer system, but has capability, in some way (usually by remote access through networks), to penetrate in protected system with the purpose to input special programs, to manipulate with the processed or stored information or to commit other illegal actions.

Analysis of the state of affairs in the sphere of computer security shows that quite a stable infrastructure of information security system (ISS) was formed and is successfully functioning currently in a number of the developed countries. ISS is a system of means that assures a state of confidential information when its disclosure, leakage, unauthorized access (outside threats) and also the damaging, deletion, deterioration, alteration or suppression of this information without right (inside threats).

Nevertheless, malevolent actions with information do not even end and have enough stable increasing trends. Experience shows that, in order to counteract to these trends, countries need a harmonious and operated system of information security assurance (ISA).

Information security is a state of safety of information resources, technologies of their forming and using, and also rights of subject of informational activity. It is important to note:

1. Object of protection is not information as some data but an information resource, i.e. information stored in tangible mediums (documents, data bases, technical documentation and so on), the right to access it is assigned to the owner and is regulated by himself as well.

2. Information security of users, as distinct from physical security, assures safety of their rights to access to information resources to satisfy own informational needs.

3. From a point of view of economic expediency it is necessary to protect only the information, disclosure (leakage, loss, etc.) of which will inevitably lead to material and moral damage.

The most important principles of assuring security of information systems are:

- legality of means to reveal and prevent crimes in the informational sphere;
- continuity of realization and improvement of means and methods to control and protect information system;
- economic expediency, i.e. comparability of possible damage and costs to provide information security;
- complexity of using all arsenal of available means of protection in all departments of the company and at all stages of informational process.

The structure of information security system may vary depending on a scale and kind of the commercial organization and basing on economic expediency. Though obligatory elements in accordance with main directions of protection in its structure should be as the following:

1. Legal protection - law department (lawyer, patent engineer, valuator of intellectual property, etc.) cooperates with accounts and planning department.
2. Organizational protection - security department (superintendent, inspectors, firemen, etc.) and regime departments (protecting state, service secrets, confidential information, etc.) cooperates with personnel department.
3. Technical protection - technical departments (computer operators, telecommunications and cryptographic workers, technicians, etc.) cooperate with functional departments.

Functionally, system of information security is built in the form of overlapping "concentric" circuits of protection from outside threats with an object of protection in the center of this system. At that, outside circuit (of the bigger radius) is a circuit of legal protection, assuring legality and lawfulness of the object and means of its defense. Then comes a circuit of organizational protection assuring the order of access to an object being protected by an outside circuit of technical protection by controlling and preventing leakages, unauthorized access, modifications and losses of information.

Such structure of information security systems allows localizing of technical protection and reducing its costs owing to legal selection of objects of protection and by way of organizing limited access to them. Realization of information protection processes in each mentioned circuits is happening according to the following stages:

1. Definition of the object of protection:
- rights to protect information resources;
- cost evaluation of information resources and their basic elements;
- duration of life cycle of an information resource;
- circulation of documents through departments of the company.

2. Revealing threats:
- sources of threats (competitors, criminals, employees, etc.);
- targets of threats (examination, modification, deletion, etc.);
- possible ways of realizing threats (disclosure, leakage, unauthorized access, etc.).

3. Definition of necessary protection measures.
4. Estimation of their efficiency and economic expediency.
5. Realization of measures taken owing to elaborated criteria (priorities).
6. Bringing taken measures to personnel, control of their efficiency and removal (preventing) sequels of threats.

Development of structure of information security management system as any other management system is based on three main principles of management:

1. "Open management" principle. Pre-formed requirements are realized by executive units of information security system influencing on the object of protection. Advantage: simplicity, disadvantage: low efficiency of protection, as it is difficult to foresee the time of attack and a kind of a threat.

2. "Compensation" principle. Information on a revealed threat is operationally brought in the management circuit, executive units of information security system focus their efforts on localizing and preventing this threat. Advantage: high-level efficiency, disadvantage: it is difficult to correctly detect threats and impossible to remove after-effects of internal threats.

3. "Feedback" principle. Reaction of the system and the degree of the caused damage are detected, but not the threat. Advantage: concreteness and exactness of working-off of threats' sequels (economic expediency), including internal threats. Disadvantage: lateness (sluggishness) of the taken measures.

We can achieve an optimum proportion of efficiency and cost of the information security system by combining various principles of management.

Thus proposed approach to develop information security systems from the position of management theory allows using its approved mathematical mechanisms to analyze and synthesize an information security management system applying basic quality performance of management theory to improve it:
- minimum of informational damage and management (protection) costs;
- controllability and observability;
- velocity and stability of management.

Having increased corporate culture, having forced users to act more seriously and intelligently we can increase information security. Therein top managers and security officers of the companies should not save on investments in training personnel, measures to form a corporate spirit, to increase informational culture, social and professional responsibility of each employee for observance of information security regulations.

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo