Action, but what kind

rakhirani458
Posts: 377
Joined: Sat Dec 14, 2024 3:32 am


Post by rakhirani458 »

Let's sum it up. The first thing you need to do is identify and rank the risks, find out what management does and does not consider an incident, and what it is willing to pay for. After that, you need to "go to the places": talk to employees, study processes and workplaces, and understand how a given incident could occur in this company. After that, countermeasures and a report are developed.

So, the management understands the importance of information security, the information is collected, the risks are described, the budgets are allocated, but this does not cancel the fact that everything needs to be done from scratch. Where to start?

From the requirements of regulators or the "requests" of the business. The first are the requirements of laws or of federal services and organizations. For example, if you work with personal data, you must comply with Federal Law 152; if you are a financial organization, with the provisions of the Central Bank of the Russian Federation. Working with them requires a clear understanding of regulatory requirements, and the listing of those should be detailed. Therefore, so that this material does not become too large, the topic of regulatory requirements will be moved to the next article. In this one, we will talk about the "business requests" made of information security.

We start from "business demands"
In order to build an adequate internal information security system based on "business demands", you need to get answers to the following questions:

What does the company's top management consider to be an important information asset?
What risks do they see and what do they want to protect themselves from?
What can be considered an incident and how critical is it?
In essence, after the preparatory stages described earlier, the "business requests" have already been taken into account. All that remains is to agree on possible control measures. However, the effectiveness of the information security department and of data protection measures depends not only on the information security specialists, but also on how well employees comply with the rules for safe work with data. Of course, they must be trained in this, and this will be discussed further.

Implementation
Here is a list of actions for building an internal information security system:

1. Inventory of assets. It is necessary to understand the "starting positions": how many computers are in the company, where the data is stored, and which of it is confidential, personal, etc.

For information on the number of computers, the communication system and the IT infrastructure, you need to contact the IT department. Information on where and which files are stored, and what content they have, should be obtained automatically using DCAP-class systems.

2. Access rights audit. It is necessary to find out who has access to what information and to identify abuse of authority. DCAP is also used for this. The system will show which files users currently have access to.
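The access rights audit in step 2 boils down to two questions a DCAP scan answers for you: which files can each user read, and which confidential files are readable by someone outside their intended audience. The following Python script is an added illustration of that logic, not code from the post or from any DCAP product. The file inventory, the user-to-group map and the "approved audience" policy are all constructed sample data; the permission check models plain POSIX owner/group/other bits, which is one simple stand-in for the ACL information a real scan would collect.

```python
"""Toy access-rights audit over a constructed file inventory.

Added example (not from the post). It answers two audit questions:
  1. access_matrix(): which files can each user currently read?
  2. over_exposed(): which confidential files are readable by users who are
     in none of the groups approved for that area?
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str
    owner: str
    group: str
    mode: int           # POSIX permission bits, e.g. 0o640
    confidential: bool  # classification label (what a DCAP scan would assign)


# Constructed sample inventory, shaped like the output of a file-system scan.
FILES = [
    FileRecord("/srv/hr/salaries.xlsx", "hr_lead", "hr", 0o640, True),
    FileRecord("/srv/hr/onboarding.docx", "hr_lead", "hr", 0o644, True),
    FileRecord("/srv/finance/q3.pdf", "cfo", "finance", 0o666, True),
    FileRecord("/srv/public/handbook.pdf", "it_admin", "staff", 0o644, False),
]

# Constructed user -> group membership map (hypothetical user names).
USERS = {
    "hr_lead": {"hr", "staff"},
    "hr_clerk": {"hr", "staff"},
    "cfo": {"finance", "staff"},
    "dev1": {"engineering", "staff"},
    "it_admin": {"it", "staff"},
}

# Constructed policy: which groups are supposed to see each confidential area.
APPROVED = {"/srv/hr/": {"hr"}, "/srv/finance/": {"finance"}}


def can_read(user, groups, f):
    """POSIX-style read check: owner bit, then group bit, then 'other' bit."""
    if user == f.owner:
        return bool(f.mode & 0o400)
    if f.group in groups:
        return bool(f.mode & 0o040)
    return bool(f.mode & 0o004)


def access_matrix(files=FILES, users=USERS):
    """Map each user to the sorted list of paths they can read right now."""
    return {
        user: sorted(f.path for f in files if can_read(user, groups, f))
        for user, groups in users.items()
    }


def over_exposed(files=FILES, users=USERS, approved=APPROVED):
    """Return (path, user) pairs where a confidential file is readable by a
    user who belongs to none of the groups approved for that area."""
    findings = []
    for f in files:
        if not f.confidential:
            continue
        allowed = next(
            (groups for prefix, groups in approved.items() if f.path.startswith(prefix)),
            set(),
        )
        for user, groups in users.items():
            if can_read(user, groups, f) and not (groups & allowed):
                findings.append((f.path, user))
    return sorted(findings)


if __name__ == "__main__":
    for user, paths in access_matrix().items():
        print(f"{user}: {paths}")
    print("Over-exposed confidential files:")
    for path, user in over_exposed():
        print(f"  {path} readable by {user}")
```

In the sample data the world-readable finance report and the HR onboarding file both surface as findings, while the 0o640 salary sheet does not, because only HR staff can read it. On a real system the inventory would come from the DCAP scan and the approved-audience policy from the asset owners identified in step 1.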