Download presentation
Presentation is loading. Please wait.
Published byTimothy Norman Modified over 8 years ago
2
Information Security Measures Confidentiality IntegrityAccessibility Information cannot be available or disclosed to unauthorized persons, entities or processes Protecting accuracy and completeness of assets Accessibility and applicability attributes set by authorized user
3
Information Security Objectives enforce and constantly maintain the following properties: Accessibility Accessibility of information being processed; Integrity and authenticity Integrity and authenticity of information; Confidentiality Confidentiality of information; Legal regime Legal regime of using information, assets and IT resources of the Ministry; Normal operating mode and operating procedures Normal operating mode and operating procedures of hardware and software complexes, information systems and networks
4
Information Security Objectives Prevent or reduce risk of unauthorized use of information; Prevent or reduce risk of unauthorized modification of protected information; Efficient development, operation and management of information systems, assets, resources, telecommunication hardware and software of the Ministry Build a Ministry information security system to govern, implement and control information security measures.
5
Information Security Requirements Defined by international standards: ISO/IEC 27001:2005 — international information security standard “Information technologies. Security methods. Information security management systems. Requirements” ISO/IEC 27002:2007 — “Information technologies. Security technologies. Information security management practices” ISO/IEC 27005 — “Information technologies, Protection methods. Information security risk management” Defined by regulatory documents: Laws of the Republic of Belarus Passed November 10, 2008, No. 455-З “On information, IT and information security” Passed December 28, 2009, No. 113-З “On electronic documents and electronic digital signature” Orders of the President of the Republic of Belarus Issued April 16, 2013, No. 196, issued February 1, 2010, No. 60, issued September 30, 2010, No. 515, issued October 25, 2011, No. 486, issued November 8, 2011, No. 515, issued January 23, 2014, No. 46
6
Information Security Requirements Orders of the Republic of Belarus President Issued February 1, 2010, No. 60, issued September 30, 2010, No. 515, issued October 25, 2011, No. 486, issued November 8, 2011, No. 515, issued April 16, 2013, No. 196, issued January 23, 2014, No. 46 Decrees of the Republic of Belarus Council of Ministers Issued April 29, 2010, No. 644 Issued May 15, 2013, No. 375 Orders of the Operative and Analytical Center of the Republic of Belarus President Issued December 20, 2011, No. 96, issued August 30, 2013, No. 62, issued July 30, 2013, No. 51 Defined by organization Automated Financial Payment System information security concept Information security policy of the Republic of Belarus Finance Ministry Information security management system of the Republic of Belarus Finance Ministry Firewalling policy of the Automated Financial Payment System
7
Information Security Requirements Defined by Instructions of the Republic of Belarus Finance Ministry: Procedure of providing and using Internet access. Procedure of using electronic documents in the Automated Financial Payment System. LAN virus protection. Regulation of user activities in LAN to ensure compliance with information security requirements. User password protection in LAN. Working with LAN server and network equipment. Procedure of technical and encryption protection in Automated Financial Payment System, other information systems, as well as information systems designed for processing restricted dissemination and/or restricted access information not classified as state secret, on critical IT facilities.
8
Legality Sufficiency Flexibility of security system Open algorithms and protection mechanisms Personal accountability Manageability Least privilege principle Obligatory control Continuous monitoring and optimization Principles implemented in the Finance Ministry:
9
Effective information security Assets Threat Risk mitigation decision Asset value Potential damage Information security financing
10
Ministry of Finance ISMS Audits ISMS improvement and development Performance monitoring and review Risk management Personnel management Incident management Continuity management Other Asset management Define scope and limits Review and monitoring (check) Support and improve(act) Planning(plan) Implementation and and functioning (do)
11
Risk management at the Finance Ministry Risk control 3 3 Select risk control method 2 2 Evaluate control efficiency 4 4 Risk assessment 1 1
12
Several security perimeters have been put in place at the Finance Ministry and its structural units. Server rooms are inside two security perimeters. Access to server rooms is provided with two-factor authentication. Physical protection and environment protection
13
Access Management The Finance Ministry uses “mandatory access control” based on the access matrix. Information subjects are vested with predefined access rights to different information resources.
14
Telecommunication and network security A secure data transmission area has been established based on firewalls between remote structural units of the Finance Ministry; Third-party information systems are connected via firewalls; The Finance Ministry network is split into separated logical domains, each protected by a specific security perimeter.
15
The following solutions are used for centralized management and reporting: FortiManager- used for centralized management of Fortinet devices. FortiAnalyzer – used for collecting, analyzing and recording events from network security devices. Telecommunication and network security
16
Malware Protection Provided by anti-virus product “Kaspersky Endpoint Security for Business”, certified by the Operative and Analytical Center of the President of the Republic of Belarus to conform with requirements ТР 2013/027/BY and STB 34.101.08-2006 (sections 6.3, 6.4).
17
Encryption The Finance Ministry has established an open-key infrastructure consisting of: - Certifying center - 5 open-key certificate registers -137 registration centers
18
The Finance Ministry uses electronic digital signatures for: Confirming integrity of transmitted and stored data; Authentication of transmitted and stored data. Electronic document management system; Local treasury client; Consolidated reports Tasks where electronic digital signatures are used:
19
Objective assessment of current information security level Annual information security audit; Annual internal check of critical IT facilities; Scheduled risk assessment; Vulnerability control; Annual penetration test into Finance Ministry services.
20
Thank you
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.