Information security - Where to start?

Information security - Where to start? Picture 1 When it comes to information security (ATTT), the first thing people often think about is building a firewall (Firewall) or something similar to prevent attacks and illegal intrusion. Such an approach is not entirely correct because the nature of ATTT is not merely using some tools or some solutions, but also to ensure safety for a system that needs a general and scientific view. than.

So what is information security?

100% safety cannot be guaranteed, but we can reduce unwanted risks under the impact of all aspects of socio-economic activities. When organizations and units conduct risk assessments and carefully consider countermeasures on traffic safety, they always come to the conclusion that individual (technical) technology solutions cannot provide enough. safety. Anti-virus, Firewalls and other tools cannot provide the necessary security for most organizations. ATTT is a link that links two factors: technological factors and human factors.

1. Technological factors: including products such as Firewall, anti-virus software, encryption solution, network products, operating system and applications such as Internet browser and email receiving software from workstations .

2. Human factors: People who use computers, who work with information and use computers in their work.

These two factors are linked through the safety policies.

According to ISO 17799, Information Security is the ability to protect the environment of socio-economic information, ensuring the formation, use and development for the benefit of every citizen, every organization and the nation. family. Through policies on safety and leadership, leaders demonstrate their will and capacity in managing information systems. ATTT is built on the basis of a system of policies, rules, processes and technical solutions aimed at securing the information resources that the organization owns as well as the information resources of partners, customers in a global information environment. Thus, with its important position, it is possible to affirm the problem that ATTT must start from the policies in which people are the most important link.

People - the weakest stage in the whole process of ensuring information security. Most of the attack methods used by hackers are to exploit the weaknesses of the information system and most of them are unfortunately made by humans. Poor awareness and non-compliance with policies on safety and hygiene are the main cause of this situation. For example, the issue of using passwords has been clearly defined in the policies on traffic safety, but compliance with regulations is not strictly implemented. Placing a poor password, not changing your password periodically, and lacking password management are the weakest steps that hackers can take advantage of to invade and attack.

Method of assessing quality of safety system

Perhaps no leader dares to insist that the company is truly safe and reliable. In the current market economy context, competition is fierce even among employees within the company: competition for customers, promotion purposes or other unhealthy purposes. In some organizations, taking advantage of the loose in management of safety and hygiene, employees had dishonest behaviors such as stealing confidential information, appropriating customer accounts, stealing money through credit systems . According to statistics, about 70% of risks of traffic safety are derived from internal organizations. One of the questions is always asked before the leaders and administrators information is: 'How safe is the organization's information system?' This question is the biggest concern and also the most sensitive issue in the management of information systems.

Answering this question is not simple, but it is not without answer. To solve the above problem, mainly based on the two methods of ATTT assessment as follows:

+ Method of assessing the quality of safety system of the system by giving points. For example: the system reaches 60/100 points or 60%
+ Method of evaluating according to the number of devices - security technology.

In fact, quality assessment is the only method to assess the safety of resources in the information system. In Vietnam, the evaluation of ATTT according to quality is completely new. It is easy to recognize that equipping with an ATT tool (Firewall, Anti-virus .) is to ensure safety for the system. The quality of traffic safety must be evaluated on all factors to ensure the safety of the system from organization, people, physical security, resource management . to the use of technical tools. In other words, safety quality is assessed on the basis of implementing policies on safety in the system. These policies are standardized and recognized as safety standards applicable worldwide.

Evaluation method by quantity is not used.

Criteria for assessing the quality of personal safety.

The assessment of the level of safety of organizations is usually conducted according to experience and based on the local and emotional regulations of the organization without taking into account the world-recognized standards. A few years ago, the British Standards Institute (BSI), along with a number of other commercial organizations such as Shell, National Westminster Bank, and Midland Bank . have studied and proposed a standard of safety. By 1995, this standard was recognized as the national standard for ATTT management - BS7799. This standard is independent of the operating model of companies. Company leaders, CSO / CIO . based on these standards to establish safety policies for their units. Immediately after its birth, BS7799 has been used in 27 countries including British Union countries as well as some other countries such as Switzerland and the Netherlands . By 2000, ISO World Organization Organization Based on BS7799, ISO 17799 standard has been developed and this standard has become the international standard for safety management (ISO / IEC 17799). As of February 2005, there were more than 1000 organizations that received ISO 17799 certification, including Hitachi, Nokia, Fujitsu, Siemens and many other names.

Basic parts of ISO 17799:

1. General policy
2. Personnel Security (Personel Security)
3. Identify, decentralize and manage resources (Asset Identification, Classification & Control).
4. Physical Security (Physical Security).
5. Security Organization (Security Organization).
6. IT and network management (IT operations and network management).
7. Access management and methods (Access control & methods).
8. HT development and maintenance (System development & maintenance).
9. Business continuity and incident recovery plan (Business Continuation & Disaster Recovery Planning)
10. Fit the system with elements of law, morality (Low, Inestigation and Ethics).

Information security - Where to start? Picture 2

Information security policy is organized in a pyramid model. This organization helps leaders manage information security quality in a scientific and effective way.


On the top of the pyramid describes the policies applied in the organization. Why should we set this policy? Scope and object of policy impact? . There is no one policy that applies to all units. In an organization with many parts, each part has different functions, different characteristics and organization of information. The business department has its own system design model with the database bearing business characteristics, production department, research department also has its own system and database structure. Information security awareness level is also very different. Therefore, when establishing policies, managers need to clearly define the purpose of the established policy, the object of enforcement, the scope of impact .

The second layer on the model describes the rules and regulations for implementing policies. What do we have to do to implement policies? The system of traffic safety rules is shown in 10 major areas including regulations from organizations, people, physical security to information security technical tools. Rules are built on the model. IT standards of the organization and embody the specificity of the organization. Through the implementation of the rules, it is possible to assess the quality of information security of an organization through auditing (Audit).

The third layer is the final layer of the model. These are the processes and solutions that support the implementation of the above rules and regulations. It answers the question of how to enforce the above rules? Information security administrators (CSOs) and IT administrators set up these processes and disseminate them to all employees in the organization, for example 'Password change process', 'Installation procedures' anti-virus programs, anti-malicious programs' etc. These processes may involve many different policies and users.

What are the benefits of applying ISO 17799 to the organization?

The application of ATTT standards according to ISO 17799 raises awareness for employees on workplace safety. Build a safe environment, immunity to risks, reduce the risks posed by humans. The ISO 17799 standard sets out the general principles in the design process, builds a scientific information system, making the management of the system brighter, safer and more transparent. We build a 'Secure People Wall' in the organization. A safe and clean information environment will have a significant impact on reducing the physical cost of investment for ATTT, which is inherently expensive. In the long run, getting ISO 17799 certification is a convincing affirmation to partners, customers about a safe and clean information environment. Create favorable conditions for the integration of a healthy information environment. This will strongly impact the competitive advantage of the organization.

Human resource training problem

According to IDG in 2006, there will be a new profession in the field of IT - information security profession. CSO title (Chief Security Officer) becomes familiar in IT field.

Updating and improving knowledge of ATTT and awareness of its role in IT system is a very important and urgent thing because considering human actions is the decisive factor. Although safety awareness is widely known, human factors are often less interested in by organizations. For executives, they need a safety policy and an awareness program as well as a quality assessment of safety, but unfortunately there are not many solutions that really care about how to strengthen solidity for this inherently weak link in the chain of ATTT.

Currently, a number of businesses in Vietnam have made positive changes in the awareness of safety and hygiene. They are willing to invest human resources training budget to create a solid foundation of awareness and knowledge of ATT for employees of the enterprise. Typically, Dong Nai Department of Science and Technology, Bao Minh Insurance Company, Fujitsu Vietnam, Asia Bank .

In addition, there are still many businesses, especially small and medium enterprises, who have not yet approached and fully understand the importance of establishing safety policies and managing quality standards of ATTT according to ISO 17799. strange and new to them.

Information security in general and quality assessment of information security in particular is still a new issue in Vietnam. Hope the article helps managers and policy makers have more information about quality control of traffic safety as well as approach to information security issues - a very sensitive issue at the moment. At the same time, the article also clarifies the role of people - the weakest stage in security information as well as the importance of human resource training in this area

Dr. Dao The Long - Misoft ISTC
Email: tan.document@gmail.com