Every information security expert knows that the number of regulatory documents in the information security field is tremendous. Many processes are subject to regulation, many information security areas are distinguished, and a great number of tasks are set to ensure compliance with information security requirements and with the compliance assessment procedure. Moreover, the number of regulatory documents governing personal data security and critical information infrastructure protection grows at an exponential rate.
On the one hand, the regulatory authorities’ attempt to standardize as many information security processes as possible is aimed at convenience. On the other hand, organizations that have to build a security system in compliance with the requirements of regulatory authorities (for example, the Bank of Russia, the Federal Service for Technical and Export Control (FSTEC) and the Federal Security Service) sometimes run into problems because those requirements are inconsistent and confusing. Some requirements are rather non-explicit and leave a lot of room for interpretation about how to implement them.
So questions arise, such as “Have we considered all the requirements?”, “Which security tool should we acquire to comply with the maximum number of requirements?”, “Which documents should we finalize or create in order to implement information security procedures and control their observance?”, etc.
It is well known that, to build an efficient information security system, one should carry out a series of actions aimed at systematizing the process:
- Survey the current systems for compliance with the requirements;
- Develop or finalize information security procedures;
- Implement information security tools;
- Train the personnel, who are the weakest link in the chain of information transfer and processing;
- Assess the conformity of the measures taken.
Some organizations do everything on their own and involve outside experts only for the last stages of building the system. Others extensively involve outside experts in information security operations: they either fully outsource information security or outsource the periodic operations aimed at bringing the information security system into compliance with the regulatory authorities’ requirements.
Experts from ICL System Technologies have repeatedly been engaged by organizations to assess the compliance of IS systems with the requirements of regulatory authorities: they examine the organization’s existing information systems and its organizational and administrative documentation, define the pool of requirements from the regulatory documentation that the organization must comply with, interview employees, conduct the compliance assessment, and write recommendations. These routine tasks differ from each other in information volume and time spent. However, the measures demanded by the various regulatory documents are very numerous (for example, GOST R 57580.1-2017 contains about 408 of them). So, after repeating time-consuming operations several times in semi-automatic mode, one logically decides to automate them, without prejudice to the new GOST requirements. And that is exactly what we are doing!
We chose the following processes for automation:
- Selection of security tools covering the specified requirements of the regulatory documents (whether described in GOST R 57580.1, FSTEC Order No 21, FSTEC Order No 17, FSTEC Order No 239, etc.);
- Selection of the measures covered by existing information security tools or by the ones planned to be procured;
- Assessment of compliance with the regulatory documentation requirements.
This will help reduce the time spent on these operations and will also give us a tool for answering many customer requests.
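As an added example (not code from the article or from ICL System Technologies' tool), the three processes above expressed over a constructed requirement catalogue: the requirement ids, tool names and coverage claims are placeholders, not the real numbering of GOST R 57580.1-2017 or the FSTEC orders, and tool selection is done as a greedy set cover.

```python
# Constructed catalogue: requirement ids are placeholders, not the real numbering
# of GOST R 57580.1-2017 or the FSTEC orders, and tool coverage is illustrative.
REQUIREMENTS = {  # requirement id -> regulatory document it comes from
    "GOST-P1": "GOST R 57580.1-2017",
    "GOST-P2": "GOST R 57580.1-2017",
    "GOST-P3": "GOST R 57580.1-2017",
    "FSTEC21-R1": "FSTEC Order No 21",
    "FSTEC21-R2": "FSTEC Order No 21",
    "FSTEC17-R1": "FSTEC Order No 17",
}
TOOL_COVERAGE = {  # security tool -> requirement ids it is claimed to cover
    "SIEM": {"GOST-P1", "GOST-P2", "FSTEC21-R1"},
    "DLP": {"GOST-P3", "FSTEC21-R2"},
    "antivirus": {"GOST-P1", "FSTEC17-R1"},
    "backup": {"GOST-P2"},
}

def measures_covered(tools):
    """Process 2: requirement ids satisfied by existing or planned tools."""
    return set().union(*(TOOL_COVERAGE[t] for t in tools))

def select_tools(required):
    """Process 1 as a greedy set cover: repeatedly pick the tool closing the most
    open requirements (ties by name). Also returns requirements no tool covers."""
    open_reqs, chosen = set(required), []
    while open_reqs:
        best = max(sorted(TOOL_COVERAGE), key=lambda t: len(TOOL_COVERAGE[t] & open_reqs))
        gain = TOOL_COVERAGE[best] & open_reqs
        if not gain:  # nothing left in the catalogue helps; close the rest organizationally
            break
        chosen.append(best)
        open_reqs -= gain
    return chosen, open_reqs

def assess_compliance(required, deployed):
    """Process 3: which requirements the deployed tools meet, which are gaps,
    and the gaps grouped by regulatory document for the report."""
    covered = measures_covered(deployed) & set(required)
    gaps = set(required) - covered
    by_document = {}
    for req in sorted(gaps):
        by_document.setdefault(REQUIREMENTS[req], []).append(req)
    return {
        "covered": covered,
        "gaps": gaps,
        "gaps_by_document": by_document,
        "ratio": round(len(covered) / len(required), 2) if required else 1.0,
    }
```

In a real engagement the catalogue would be the full list of measures from each document, and the gap report is what feeds the recommendations.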
The work is divided into four stages.
Find information about the stages in the full version of the article on SecurityLab.