
Creation of security systems for significant CII facilities

23.04.2026

Yuri Podgorbunsky, Security Vision


What is a security system?


A security system is an organized set of forces, means, methods, and measures aimed at protecting information from unauthorized access, use, disclosure, distortion, blocking, or destruction.


Security systems are created by subjects of critical information infrastructure (hereinafter referred to as CII subjects) and include legal, organizational, technical and other measures aimed at ensuring information security.


CII subjects are state bodies and institutions, as well as Russian legal entities, that own or lease critical information infrastructure facilities (hereinafter referred to as CII facilities).


In turn, CII facilities include:

    • automated control systems (hereinafter referred to as ACS);

    • information systems (hereinafter referred to as IS);

    • information and telecommunication networks (hereinafter referred to as ITCS);

that belong to CII subjects on a legal basis (ownership, lease or otherwise).


Why is it necessary to create security systems?


The purpose of creating security systems is to ensure the stable functioning of significant critical information infrastructure facilities (hereinafter referred to as significant CII facilities) when computer attacks are carried out against them.


Why are security systems created specifically for significant CII facilities? First, a CII facility becomes significant only after categorization. As a result of that procedure, facilities are divided into significant ones and those to which no significance category is assigned. Significant CII facilities are then subject to various security requirements, in particular the creation of a security system, whereas facilities without an assigned category are left to the discretion of the CII subject, i.e. the organization itself.


Thus, significant CII facilities are CII facilities that have been assigned one of the significance categories and that are included in the register of significant CII facilities maintained by FSTEC of Russia.


A computer attack is a targeted impact of software and (or) hardware and software on CII objects, telecommunication networks used to organize the interaction of such objects, in order to disrupt and (or) terminate their functioning and (or) create a threat to the security of information processed by such objects.


Security systems include the security forces of significant CII facilities and the means they use to ensure the security of significant CII facilities.


Security forces


The security forces of significant CII facilities include:

    • units (employees) responsible for ensuring the security of significant CII facilities;

    • units (employees) operating significant CII facilities;

    • units (employees) ensuring the functioning (maintenance, servicing, repair) of significant CII facilities;

    • if necessary, other units (employees) involved in ensuring the security of significant CII facilities.


The security unit (or security specialists) should perform the following functions:

    • develop proposals for improving the organizational and administrative documentation (hereinafter referred to as ARD) on the security of significant facilities and submit them to the head of the organization or the designated responsible person;

    • analyze information security threats to significant CII facilities and identify vulnerabilities in them (although this is worded as threat analysis, in practice it is threat modeling, and it should follow the FSTEC of Russia methodological document, the Methodology for Assessing Information Security Threats);

    • ensure that the security requirements for significant CII facilities are implemented according to their assigned significance categories;

    • plan, develop, improve and implement measures to ensure the security of significant CII facilities (here the requirement already looks like a full-fledged information security management system);

    • take organizational and technical measures to ensure the security of significant CII facilities;

    • set the parameters and characteristics of the software and hardware used to ensure the security of significant CII facilities;

    • ensure, in accordance with the security requirements, the implementation of organizational measures and the use and operation of information security tools;

    • respond to computer incidents in accordance with the procedure established by FSB Order No. 547 dated 25.12.2025 "On Approval of the Procedure for Informing the FSB of Russia about Computer Attacks and Computer Incidents, Responding to Them, and Taking Measures to Eliminate the Consequences of Computer Attacks Carried out against Significant CII Facilities of the Russian Federation and Other Information Resources of the Russian Federation Owned by Bodies and Organizations Charged with the Duties Provided for in Part 4 of Article 9 of Federal Law No. 187-FZ of July 26, 2017 'On the Security of the Critical Information Infrastructure of the Russian Federation'";

    • organize an assessment of the compliance of significant CII facilities with the security requirements;

    • prepare proposals for improving the functioning of the security system and raising the security level of significant CII facilities.


Information security tools


The means of ensuring the security of significant CII facilities include software and hardware used to ensure the security of significant CII facilities.


To ensure the security of significant CII facilities, information protection tools (hereinafter referred to as SPI) must be used that are either certified for compliance with security requirements or have passed a conformity assessment in the form of testing or acceptance in accordance with Federal Law No. 184-FZ of December 27, 2002 "On Technical Regulation" (hereinafter referred to as 184-FZ).


Certified SPI are used in the cases established by the legislation of the Russian Federation (one must understand precisely when only certified tools may be used), and also when the CII subject decides to use them.


That is, where there is no explicit requirement to use certified SPI, conformity can be assessed independently in the form of testing on the basis of 184-FZ; this, however, requires in-house expertise or the involvement of an organization licensed for the technical protection of confidential information.


It is important to keep in mind that the SPI in use must be under technical support from their developers (manufacturers). Once support ends, vulnerabilities, including critical ones, will appear over time and nobody will fix them, which is itself a security flaw. What if, for now, you cannot simply abandon SPI whose support has run out? In that case, organizational and technical measures must be implemented to ensure that the resulting information security threats are blocked (neutralized).


When choosing SPI, possible restrictions imposed by developers (manufacturers) or other parties on the use of those tools at any of the significant CII facilities owned by the subject should be taken into account.


The procedure for applying SPI is determined by the CII subject in the ARD on the security of significant facilities, taking into account the specifics of the CII subject's activities.


Documentation in the security system


For the forces to understand what to do in a given situation, it is necessary to develop ARD governing the rules, processes and procedures for the security of significant CII facilities.


So we understand that without ARD, no security system or information security system will get far; the forces will "drift", that is, they will not understand what to do. Therefore, the ARD must be developed, and as a rule this is done in-house (by the head and the information security specialists of the organization).


Good ARD and well-established security processes without the tools to enforce them are also not much use. So the security system must be built comprehensively: forces, processes and tools, and none of the three can be omitted.


To avoid producing a large number of ARD, whether general information security documents, documents related to the security of significant CII facilities, or documents on personal data protection, it is necessary to compile all the information security requirements that apply to the organization and identify the documents that are required and cover the common requirements; all the others will be specific. This way, duplicate documents can be reduced (optimized). For example, why have two separate anti-virus protection policies, one for CII facilities and one for personal data information systems? After all, what matters is not the number of ARD or their page count but their quality, conciseness and relevance.


The ARD on the security of significant facilities is approved by the head of the organization or the responsible person. By decision of the head, individual ARD on the security of significant facilities may be approved by other authorized persons in the organization.


What matters here is that the composition and forms of the ARD on the security of significant facilities (the regulator does not provide templates) are determined by the CII subject, taking into account the specifics of its activities, and for many organizations and security specialists this is not an easy task.


Information security system


The security system should ensure:

    • prevention of unauthorized access to information processed by significant CII objects, destruction of such information, its modification, blocking, copying, provision and dissemination, as well as other illegal actions in relation to such information;

    • preventing the impact on the technical means of information processing, as a result of which significant CII facilities may be disrupted and/or terminated;

    • restoration of the functioning of significant CII facilities, including through the creation and storage of backup copies of the necessary information;

    • continuous interaction with the state system for detecting, preventing and eliminating the consequences of computer attacks on information resources of the Russian Federation (hereinafter referred to as GosSOPKA) in the event of attacks or incidents at significant CII facilities (and not only at them), as well as receiving recommendations and security bulletins.


What are the information resources of the Russian Federation in this context? Information, data, databases – no! The information resources of the Russian Federation are automated control systems, IS, and ITCS (CII facilities) located on the territory of the Russian Federation.


The requirement for continuous interaction with GosSOPKA mentioned above is met using software or hardware, for example the Security Vision GosSOPKA product, which allows you to:

    • integrate computer incident management with Security Orchestration, Automation and Response (Security Vision SOAR), information security event monitoring, i.e. Security Information and Event Management (Security Vision SIEM), and IT service management and service request automation (ITSM/SD) for two-way exchange with the National Coordination Center for Computer Incidents (NCCCI);

    • receive information messages and bulletins from the NCCCI;

    • send incidents to the regulator in the regulator's form to comply with legal requirements (automatically or manually, with a "button").


The interaction of the Security Vision GosSOPKA with the GosSOPKA infrastructure is carried out through integration with the personal account of the GosSOPKA entity through the Application Programming Interface (API).


There is a lot of work behind the security system requirements listed above, both in preparation and in operation; this is a large, continuous process, not a one-time task. Let's take a closer look below.


Information security processes


As part of the functioning of the security system, the organization must implement the following processes:

    • planning and development of measures to ensure the security of significant CII facilities;

    • implementation of measures to ensure the security of significant CII facilities;

    • monitoring (control) of the security status of significant CII facilities;

    • improvement of the security of significant CII facilities.


Based on the above processes within the framework of the security system, we come to an information security management system.


For effective information security management, the Governance product, which is part of Security Vision SGRC, may be suitable; it provides an integrated approach:

    • creating a list of key information security management roles;

    • defining the organizational context, which includes the scope of information security as well as external and internal stakeholders;

    • developing a cybersecurity strategy (if necessary);

    • defining information security management processes;

    • forming information security policies and procedures;

    • planning activities for the implementation of organizational and technical security measures;

    • monitoring the implementation of information security tasks and activities;

    • improving information security management processes and procedures;

    • assessing the current and target state of information security.


Planning


Assign responsible persons to the key information security roles.


Analyze the current security status of significant CII facilities; only after that can you proceed to planning security measures.


As part of planning measures to ensure the security of significant CII facilities, an annual action plan for ensuring the security of significant CII facilities (hereinafter referred to as the action plan) is developed and approved.


The action plan is developed by the security unit or security specialists with the participation of the units (employees) operating significant CII facilities and the units (employees) ensuring the functioning of significant CII facilities.


The action plan should include measures to ensure the security of significant CII facilities operated in separate divisions (branches, representative offices) of the organization.


The action plan should contain the names of the measures to ensure the security of significant CII facilities, the deadlines for their implementation, and the names of the units (employees) responsible for implementing each measure. The plan is approved by the head of the organization or a person authorized by him and is communicated to the units (employees) in the parts that concern them.


The units operating significant CII facilities and the units ensuring their functioning may develop their own separate action plans based on the approved action plan.


Also during the planning process, the main part of the ARD on the security of significant facilities must be developed; it should define:

    • the goals and objectives of ensuring the security of significant CII facilities;

    • the composition and structure of the security system and the functions of its participants;

    • the main organizational and technical measures to ensure the security of significant CII facilities carried out in the organization;

    • the procedure for responding to computer incidents;

    • the procedure for raising information security awareness.


Goals and objectives are set out in the basic security policy for significant CII facilities, in private policies on particular areas of security of significant CII facilities, and in other ARD.


Threats and relevant threat actors (violators) are identified during threat modeling.


Information security threats can be assessed using the Security Vision CII product, which allows you to:

    • create a CII object from impact objects and components;

    • use multiple threat modeling approaches;

    • based on the results, create a model of information security threats in accordance with the methodological document of the FSTEC of Russia.


Implementation


The implementation of measures to ensure the security of significant CII facilities is the result of executing the action plan and is carried out, among other things, in accordance with the ARD on the security of significant facilities.


During implementation, organizational measures should be taken and (or) SPI should be deployed at significant CII facilities to block (neutralize) information security threats.


The results of implementing the measures to ensure the security of significant CII facilities must be documented in the manner established by the organization in the ARD on the security of significant facilities.


Control


As part of monitoring the security status of significant CII facilities, internal control should be carried out over the organization of the work to ensure the security of significant CII facilities and over the effectiveness of the organizational and technical measures taken.


Control is carried out by a commission appointed by the organization. The commission includes employees of the security unit or security specialists, employees of the units operating significant CII facilities, and employees of the units ensuring their functioning. By decision of the responsible persons, employees of other units of the organization may be included in the commission.


Security monitoring (analysis) tools can be used to assess the effectiveness of the organizational and technical measures taken to ensure the security of significant CII facilities.


The results of the control are formalized in an act signed by the members of the commission and approved by the head of the organization or the responsible person.


Implementation of the action plan is also monitored. The security unit or security specialists must prepare an annual report on the implementation of the action plan, which is submitted to the head of the organization or a person authorized by him (for example, the deputy head for information security).


Improvement


The security unit and security specialists should analyze the functioning of the security system of significant CII facilities and, based on the results, develop proposals for developing and improving that security system.


The analysis of the functioning of the security system, as well as the development of proposals to improve the security of significant CII facilities, are carried out by the structural security unit, security specialists with the participation of units (employees) operating significant CII facilities and units (employees) ensuring the functioning of significant CII facilities.


Suggestions for improvement are submitted to the head of the organization or the responsible person.


And since a process approach is used in security systems (of significant CII facilities, and not only there), the outputs of the "Implementation" and "Control" processes feed into the "Improvement" process, where information security processes and procedures are analyzed in order to raise the effectiveness of the security system, and the outputs of "Improvement" in turn feed the input of "Planning". It is a cycle, like the water cycle in nature!