Blyzniuk A.G.
National Technical University of Ukraine “Kyiv Polytechnic Institute”,
Ukraine
Methods for Providing Information Security
There are two approaches to the problem of ensuring the security of computer systems and networks (CS): the "fragmented" approach and the "complex" approach.
The "fragmented" approach aims to counter threats that are clearly defined under the given conditions. Examples of this approach are stand-alone access-control tools, autonomous encryption tools, specialized anti-virus software, and so on. The advantage of this approach is its high selectivity against a specific threat. Its significant drawback is the absence of a single secure information-processing environment: fragmentary protection measures protect specific CS objects only from specific threats, and even a slight modification of the threat causes the protection to lose its effectiveness.
The complex approach is focused on creating a protected information-processing environment in the CS, uniting heterogeneous measures against threats into a single complex. Organizing a secure information-processing environment makes it possible to guarantee a certain level of CS security, which is the advantage of the complex approach. Its disadvantages include restrictions on the freedom of action of CS users, sensitivity to errors in the installation and configuration of the protection tools, and management complexity.
A breach of information security in the CS of a large organization can cause enormous material damage both to the organization and to its clients. Therefore, such organizations pay special attention to security assurance and implement comprehensive protection. The complex approach has been adopted by most government bodies and large commercial companies and institutions, and it is reflected in various standards.
A complex approach to security is developed on the basis of a specific CS security policy. The security policy governs the effective operation of the CS protection mechanisms. It covers all the features of information processing and defines the behavior of the system in different situations. A secure network protection system cannot be created without an effective network security policy.
To protect the interests of the subjects of information relations, measures at the following levels must be combined:
• legislative (standards, laws, regulations, etc.);
• administrative and organizational (acts of a general nature adopted by management, and specific security measures dealing with people);
• software and hardware (specific technical measures).
Measures at the legislative level are important for ensuring information security. This level comprises a set of measures aimed at creating and maintaining in society a negative (including punitive) attitude towards violations of information security and towards those who commit them.
Information security is a new sphere of activity, in which it is important not only to prohibit and punish, but also to teach, explain and help. Society must understand the importance of this problem and the basic ways of solving the related tasks. The state is best placed to do this. It does not require large material expenditure, but it does require intellectual investment.
The management of an organization must recognize the need to maintain a security regime and allocate the appropriate resources to this end.
Let us turn to the set of organizational measures, that is, security measures implemented by people. There are the following groups of organizational measures:
• human resource management;
• physical security;
• maintaining operability;
• responding to security breaches;
• recovery planning.
For each group, each organization should have a set of regulations that define the actions of its personnel.
To maintain an information security regime, measures at the software and hardware level are particularly important, since the main threats to computer systems originate within the systems themselves: hardware failures, software errors, blunders by users and administrators, and so on. Within modern information systems, the following security mechanisms should be available:
• identification and authentication of users;
• access control;
• logging and auditing;
• cryptography;
• shielding (firewalling);
• ensuring high availability.
Companies' information systems (IS) are almost always built from software and hardware products of different manufacturers. At present there is no single vendor that could supply the consumer with the complete range of resources (from hardware to software) needed to build a modern IS. Reliable data protection therefore requires highly qualified specialists who are responsible for the security of each component of a heterogeneous IS: configuring it correctly, keeping track of changes, and monitoring users' activity. It is obvious that ensuring the security of a heterogeneous IS is more difficult. The abundance of security devices, firewalls and VPN gateways in corporate networks and systems, together with the growing demand for access to corporate data by employees, partners and customers, leads to the creation of complex protection environments that are difficult to control and sometimes incompatible.
Interoperability of protection products is an essential requirement for the ICC. For most heterogeneous environments, it is important to ensure consistent interaction with products of other manufacturers. The security solution adopted by an organization must guarantee protection on all platforms within the organization. Hence there is an evident need for a single set of standards to be applied by protection vendors, by system integrators, and by organizations as the customers of security for their corporate networks and systems.
Standards form the conceptual basis on which all information security work is built and define the criteria that security management should follow. Standards are a necessary foundation for ensuring the interoperability of products from different manufacturers, which is extremely important when creating network security systems in heterogeneous environments.
A complex approach to the problem of providing security, a rational combination of legislative, administrative, organizational and software-and-hardware measures, and mandatory compliance with industry, national and international standards form the foundation on which the entire system of protection of corporate networks is built.