Organizational measures for the control and management of information security

In high-security systems, the specialists who maintain the automation facilities of an information system during its operation fall into three categories:

  • users, i.e. representatives of the organization that owns the information system, who perform operational tasks when working with the information;
  • technical personnel, who keep the information system functioning normally;
  • officials of the information security service, who report to the management of the organization that owns the information system.

If the information processing facilities, the automated control system, the information network or the information system as a whole also serve the general public, a further class of users appears (external users who are not employees of the owning organization), and the risk of unauthorized access to information rises significantly (for example, in automated banking systems).

To protect the information, access to it is delimited both vertically (between the levels of the organizational hierarchy) and horizontally (between departments and functional areas at the same level) across the whole structure of the organization that owns the information system, the information processing facilities, the automated control system or the network, and this delimitation covers every category of specialists and users.

The specialists and officials of the information security service form a special category: because they possess the means for controlling the protection mechanisms, they are in a position to reach the protected information itself. Even here, however, access can be delimited and restricted, and this must be done wherever possible. For instance, a security officer who administers access rights does not need to read the data those rights protect, and the officer's administrative actions should be logged and reviewed by someone other than the officer.

The way duties are distributed among individual employees can substantially raise the level of information security as far as personnel are concerned.

The following principles for organizing work are recommended.

Minimization of the information available to personnel (need to know). Each employee should know only the information that is necessary to carry out their own duties.

Minimization of contacts between staff. The organization of the technological process for collecting and processing information, and the layout of the premises, should as far as possible exclude or minimize contact between personnel while work is being performed. System programmers and engineers should be admitted to the information processing room only when necessary, and should never enter the area where information and data are prepared, and so on.

Separation of powers (privileges). In systems with high security requirements, a sensitive procedure is carried out only after two employees have each confirmed that it is needed. For example, a change in a user's authority takes effect only when the manager and the information security officer both authenticate to the system from their own terminals at the same time (each with their own password or other credential). The point is that no single person, whatever their role, can alter access rights alone: the two confirmations must come from different people holding the required roles, and the system should record who confirmed what and when.
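The dual-control rule described above, implemented as an added example that is not code from the original page. A request to change a user's rights is applied only after two distinct approvers holding the required roles ("manager" and "security_officer") have each authenticated with their own password and approved it within a short time window; the role names, account names, the PBKDF2 password hashing, the five-minute window and the audit-log format are all assumptions made for illustration.

```python
"""Two-person control (dual authorization) for privilege changes.

Added example, not from the original text.  The roles, account names,
hashing parameters and approval window are assumptions for illustration.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

# Both of these roles must approve before a rights change takes effect.
REQUIRED_ROLES = frozenset({"manager", "security_officer"})
# Approvals count as "simultaneous" if they land within this many seconds.
APPROVAL_WINDOW_SECONDS = 300


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count kept modest for a runnable example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    role: str
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, role: str, password: str) -> "Account":
        salt = os.urandom(16)
        return cls(role, salt, _hash_password(password, salt))

    def verify(self, password: str) -> bool:
        # Constant-time comparison of the stored and freshly computed hashes.
        return hmac.compare_digest(self.pw_hash, _hash_password(password, self.salt))


@dataclass
class PrivilegeChangeRequest:
    target_user: str
    new_rights: frozenset
    # approver name -> (role, approval timestamp)
    approvals: dict = field(default_factory=dict)


class DualControlGate:
    """Collects approvals and decides whether a request may be applied."""

    def __init__(self, accounts: dict, clock=time.time):
        self.accounts = accounts
        self.clock = clock          # injectable so tests are deterministic
        self.audit_log = []         # (outcome, approver, detail, timestamp)

    def _log(self, outcome: str, who: str, detail: str) -> None:
        self.audit_log.append((outcome, who, detail, self.clock()))

    def approve(self, request: PrivilegeChangeRequest, approver: str, password: str) -> bool:
        now = self.clock()
        acct = self.accounts.get(approver)
        # Always run the hash check so a missing account costs the same time.
        if acct is None or not acct.verify(password):
            self._log("REJECT", approver, "bad credentials")
            return False
        if acct.role not in REQUIRED_ROLES:
            self._log("REJECT", approver, "role not eligible")
            return False
        if approver == request.target_user:
            self._log("REJECT", approver, "cannot approve own rights change")
            return False
        # Drop approvals that fell outside the window before adding this one.
        request.approvals = {
            who: (role, ts) for who, (role, ts) in request.approvals.items()
            if now - ts <= APPROVAL_WINDOW_SECONDS
        }
        # One approval per role: the same person (or a second holder of the
        # same role) cannot supply both halves of the confirmation.
        if any(role == acct.role for role, _ in request.approvals.values()):
            self._log("REJECT", approver, f"role {acct.role} already approved")
            return False
        request.approvals[approver] = (acct.role, now)
        self._log("APPROVE", approver, f"as {acct.role}")
        return True

    def is_authorized(self, request: PrivilegeChangeRequest) -> bool:
        roles = {role for role, _ in request.approvals.values()}
        if roles != REQUIRED_ROLES or len(request.approvals) < 2:
            return False
        times = [ts for _, ts in request.approvals.values()]
        return max(times) - min(times) <= APPROVAL_WINDOW_SECONDS


def apply_change(gate: DualControlGate, request: PrivilegeChangeRequest, rights_table: dict) -> None:
    """Apply the requested rights only when dual control is satisfied."""
    if not gate.is_authorized(request):
        raise PermissionError("dual control not satisfied")
    rights_table[request.target_user] = set(request.new_rights)
    gate._log("APPLY", request.target_user, f"rights={sorted(request.new_rights)}")
```

The gate enforces the organizational rule rather than trusting the people involved: an operator without an eligible role is refused, a manager cannot approve twice to stand in for the security officer, the target of the change cannot approve their own rights, a first approval that has gone stale is discarded when the second arrives, and every decision, including refusals, lands in an audit log that a third party can review.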