Protection of IT systems of the region: interview with the head of department of IT of the Novosibirsk region

TAdviser: What attacks and incidents in the field of information security are most characteristic in executive bodies of the government in the Novosibirsk region?

Anatoly Dyubanov: Incidents of unauthorized access (NSD) to information and its collecting for the purpose of implementation of the attacks using vulnerabilities applied the system and application software are the most characteristic.

The relevance is not lost also by the attacks of the distributed failure in service (DDoS attack). Now at information security market there is a set of solutions that allows to minimize risks for the organizations and organizations from DDoS attacks. However the market of "hacker" services does not stand still.

Unfortunately, today the popularity is gained by the target attacks connected with search and operation of vulnerabilities in the application software. The cost of such services is not high. I will note that the effectiveness of actions of malefactors constantly grows, including it is caused by a large number of the application software used in authorities and organizations.

TAdviser: How do you use analysis results of incidents?

Anatoly Dyubanov: Analysis results of incidents is a basis for review of approaches to data protection on the basis of which we enter changes into the operating protection system.

TAdviser: What analytical systems help you to minimize risks?

Anatoly Dyubanov: In network of the government of the Novosibirsk region several types of the analytical systems are used. However uniform tools for risk minimization are absent so far. It is caused by heterogeneity used system both the software and existence of differentiation of powers between regional executive bodies of the government.

TAdviser: Whether use of personal devices in the working purposes (the principle of BYOD) is authorized. How personal data protection and other data is provided?

Anatoly Dyubanov: Yes, now in the government of the Novosibirsk region it is allowed to use personal mobile devices in the working purposes. The order of use of the personal device in the office purposes defines the special agreement between the employee of public authority and employer.

The department of informatization and development of telecommunication technologies of the Novosibirsk region provides to the applicant access to an electronic document management system and office-works (SEDD) and ensures information security. On its personal device SEDD iDocs InterTrust is established and access to information systems and software opens. Security of information is performed by means of the systems of the class Mobile Device Management (MDM) and only via a secure channel. Means of cryptographic information protection, certified by FSB of Russia are for this purpose used.

TAdviser: What dynamics of your budget on information security in 2015 in comparison with 2014?

Anatoly Dyubanov: In 2014, taking into account considerable restrictions of financial opportunities of the regional budget, the structure of actions of many regional state and departmental programs was reviewed. The decision on transfer of a part of costs for 2015 was made, it concerned also actions for information security.

In the current year means, first of all, will be aimed at providing personal data protection and confidential information in the social sphere of the region, for example, in departments of benefits and social payments and also in the medical organizations subordinated to the Ministry of Health of the Novosibirsk region.

TAdviser: What large projects in the field of information security did you implement in 2014?

Anatoly Dyubanov: Creation of the protected server segment of a local network of the government of the Novosibirsk region became the largest project. The department of informatization and development of telecommunication technologies of the Novosibirsk region acted as the initiator.

I will select several main stages of creation and implementation of the protected segment. First, we estimated infrastructure and the list of information systems of the region and created requirements to the system of protection taking into account relevant threats. Further selected information security tools, proceeding from market research. The next stage – assessment profitability of the project and start in trial operation of a system of protection. Development of uniform approach to protection became the final stage.

The main difficulties when implementing the project faced when forming requirements to the system of protection and the choice of the used means and technologies, in connection with heterogeneity of the existing information systems and absence in the market of the complete solutions allowing to implement uniform functionality in heterogeneous environments of information infrastructure.

Updating of measures and formation of uniform approach to data protection of limited distribution became the main premises for project implementation. The realization value of the project was 0.2% of the total costs provided by the long-term target program "Development of the State Information Systems, Information Society and Formation of the Electronic Government of the Novosibirsk Region for 2012-2016".

So far to speak about project deliverables prematurely. I will note only that formation of uniform complex approach to ensuring data protection and uniform requirements for creation of the state information systems became the main achievement.