protection which are specific to the definite object. Therefore, the SISP is correlated with the challenges of a constantly renewing information system.
The description of the information protection methods of a definite information system is usually set out in an Information Security Policy (ISP) or in a Security Policy of a Definite System (Organizational Security Policy, OSP). The OSP is the set of documented rules, procedures, practical tools and main principles in the field of information security used by a legal entity.
An Information Communication Technologies Security Policy (ICTSP) is a set of rules, directives and existing practices which determine how assets, including critical information, are managed, protected and allocated. When architecting the OSP one should describe separately the legal provision of information system protection, in particular the legal support of: Information System Objects’ Protection; Processes, Procedures and Processing Software Protection; Communication Channels (acoustic, infrared, optic, radio etc.) Protection; jamming of spurious electromagnetic emissions; and management of the protection system. Each of these aspects should be described in the ISP with regard to the following stages of information protection:
1. definition of the information and technical resources to be protected;
2. detection of potential threats and information drain channels;
3. evaluation of information vulnerabilities and risks within possible information drains;
4. definition of requirements for the protection system;
5. selection of information protection means and their characteristics;
6. implementation of the selected instruments (tools, means and methods) of information protection;
7. system integrity control and protection system management.
An Information Security Policy is a documented list of information system requirements. The level of detail of its content usually depends on the description levels of the protection process. The ISP represents the microlevel of the information security legislation system, which consists of three sublevels as determined by ISO/IEC 17799:2005 “Information technology - Security techniques - Code of practice for information security management” [14].
The internal documents of legal entities at the first, upper sublevel of the microlevel, which reflect the main notions of the ISP, declare the organization’s policy in information security and its intention to meet state and international requirements and standards in the field. Documents of such a kind and content may be called “Conception of ISP”, “Regulation on ISP”, “ISP”, “Technical Standards of ISP”, etc. These documents may be widely used by all the structural units of the legal entity, though there might be two versions of them, a more general and a more detailed one, for definite