Information security (IS) is a set of techniques and practices for protecting information from external and internal influences at an informatization facility.
The main purpose of information security is to protect information and the infrastructure that processes it from data loss or leakage to third parties.
The creation of an information security system at an informatization facility is based on three principles.
Information security
Principles
The first principle is confidentiality. Access to the data is provided according to the rule of “minimum necessary awareness”. In other words, the user should have the right to access only that part of the information that he needs to perform his official duties.
One of the methods of implementing this principle is the ranking (categorization) of data. For example, information within an organization is divided into 3 types: public, internal and strictly confidential.
The second principle is integrity. The information must be protected from changes or distortions. It must be stored, processed and transmitted through reliable communication channels.
To ensure integrity at the user level, the “separation of powers” rule is used, that is, any change is made by one user, and confirmation or refusal is made by another. It is mandatory to keep records of any operations in the information system.
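The following example is added here and is not part of the original article. It combines the three data categories from the confidentiality principle with the “separation of powers” rule and the mandatory record of operations. The class and method names, the ordering of the levels and the hash-chained log format are assumptions made for illustration.

```python
import hashlib
import json

LEVELS = {"public": 0, "internal": 1, "strictly confidential": 2}  # ordering is an assumption

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ChangeControl:
    """Illustrative model: a change needs a second, cleared user; every attempt is logged."""
    def __init__(self, clearances):
        self.clearances = clearances  # user -> highest level that user may access
        self.records = {}             # name -> (classification, value)
        self.pending = {}             # change id -> (author, name, new value)
        self.log = []                 # append-only; each entry links to the previous one

    def _audit(self, user, action, target, outcome):
        entry = {"user": user, "action": action, "target": target, "outcome": outcome,
                 "prev": self.log[-1]["digest"] if self.log else "0" * 64}
        self.log.append({**entry, "digest": _digest(entry)})
        return outcome == "ok"

    def _cleared(self, user, name):
        needed = LEVELS[self.records[name][0]]
        return LEVELS.get(self.clearances.get(user), -1) >= needed

    def propose(self, user, name, value):
        verdict = "ok" if self._cleared(user, name) else "denied: clearance"
        if not self._audit(user, "propose", name, verdict):
            return None
        self.pending[len(self.log)] = (user, name, value)  # log length is a unique id
        return len(self.log)

    def approve(self, user, change_id):
        author, name, value = self.pending[change_id]
        if user == author or not self._cleared(user, name):
            why = "author is approver" if user == author else "clearance"
            return self._audit(user, "approve", name, "denied: " + why)
        del self.pending[change_id]
        self.records[name] = (self.records[name][0], value)
        return self._audit(user, "approve", name, "ok")

    def log_intact(self):
        prev = "0" * 64
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "digest"}
            if (entry["prev"], entry["digest"]) != (prev, _digest(body)):
                return False
            prev = entry["digest"]
        return True
```

The hash chain only exposes edits if the latest digest is also kept somewhere the person editing the log cannot write.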
The third principle is accessibility (availability). This means that the information should be available to the user whenever it is needed. The ideal is 24*7*365.
This principle covers not only the human factor but also natural ones (for example, a tsunami or hurricane). The information system must ensure accessibility under all conditions.
Tools
The following are used as information security tools:
- Legal. The informatization facility develops special documents that guide how information security is ensured. The main one is the information security policy, on which protection is based.
- Organizational. These include employee workplaces (computers, UPS, etc.), data centers (switching, data storage systems, computing power, etc.), redundancy (creation of duplicate communication channels, data backup).
- Software. Software that helps to control the actions of employees, store information, and provide reliable access to data.
- Technical. Specialized equipment that protects information from leakage or hacking. Examples include encryption, a two-step authentication procedure, virtual work environments, etc.
Ensuring information security in a company requires an integrated approach to building a reliable and fault-tolerant system. The above points are recommended for implementation at any informatization facility.