Case study: establishing information security for a government organization
Executive summary
Over the past week I explored the domain of information security as applied to
a state organization such as a children's hospital and prepared a list of 10
steps to establish a foundation for the organization's information
security. Along the way I met several tradeoffs which are not yet resolved
and require close work with several key persons and organizations
around this issue.
The potential client is a children's state hospital in a provincial city
in Russia. A year-old Russian law obligates each government organization,
including hospitals, to establish, maintain and evolve the organization's
information security. During our talk I was asked to help them implement
and maintain it.
The discovery stage of the work included investigation of the key legal documents.
Based on them, a comprehensive but not yet complete list of questions
was prepared to get the fullest possible understanding of the issue.
Further research covered the search for answers based on my own experience,
the experience of narrow experts, and industry best practices in Russia
and worldwide.
Work on this issue showed that some things should be done centrally:
besides this state hospital there are more hospitals in the city and
even more other state organizations affected by this law.
Another thing to consider is that the law's requirements do not vary
much with the size and budget of an organization, so compliance with
all of them can become an unbearable burden for a small
hospital. All of this was considered in the proposed solution.
It is important to view the proposed solution as
a first iteration which will evolve over time based on experience
gained while implementing these steps and on changes in threats from
the outside world.
The technical document with all details and the proposed solution is available at this link
Discovery
Which laws are relevant for this scope?
Decree No. 250 (указ №250) and
Government Decree No. 1272 (постановление правительства РФ №1272)
are the main legal acts for this scope; they were shared with me by the hospital's representatives.
Further research showed that hospitals are categorized
as critical information infrastructure, which is regulated
by a separate package of laws.
The recent order No. 213
by the Federal Security Service (FSB) complements Decree No. 250.
Obviously, the federal law on personal data (No. 152)
should also be taken into consideration.
What are the criteria for an organization's information security?
There are no common metrics to verify an organization's information
security.
Common sense says the main criterion is to prevent a malicious
user from gaining remote access to the organization's network and systems
in order to steal or corrupt data or to take down the organization's
information infrastructure.
A couple of information security officers shared that the FSB checks the legal
papers prepared by the organization to confirm compliance with
the law's requirements, and also checks your set of measures to mitigate malicious
intrusion and possible denial of service.
The recent order No. 213 hints that the FSB will start automated or manual
penetration testing of organizations in addition to these checks.
What are the requirements for an information security officer?
There are many, but it is important to emphasize these:
1. The law requires formal education in one of the centers authorized
by the government.
2. Experience in penetration testing: to build secure infrastructure
you have to know how to hack it first.
3. Experience in drafting legal documents.
How to organize training for staff?
Many attacks involve not just technical actions but also
active social engineering: working on regular employees
to gain unauthorized access with their help. That is why the set of
measures taken to establish and maintain the organization's
information security should include work with employees in
addition to the hardware and software parts.
The following set of methods is proposed for the first iteration
of corporate training:
- Creation and subsequent distribution of video presentations
among the organization's employees that give them
the knowledge they need in the field of information security
(frequency: once a month)
- Analysis of cases emulating information security incidents
to develop the necessary theoretical understanding of the
steps required in each employee's area of responsibility
(frequency: every three months)
- Carrying out exercises that emulate information security
incidents to develop the real skills of each employee in
his/her area of responsibility in the field of information
security (frequency: once every six months)
What should be used as the foundation for building an organization's information security?
In my opinion it should be the results of penetration testing, where tools
like Burp Suite
together with the comprehensive OWASP Testing Guide
will help a lot.
A platform like root-me.org should help
to gain basic experience in penetration testing.
Two things are worth noting.
1. We have to be careful with international joint
initiatives and institutions. In many cases it is better
to use the power of the whole world rather than the efforts of a
single country or even a group of countries, but unfortunately
such initiatives and institutions are often used as an instrument of
global politics against a country's interests and security (e.g.
credit ratings).
2. The law requires migrating by January 2025 to software that does not belong to,
and is not in any form affiliated with, the list of countries with a
hostile attitude towards Russia. This means we
have to find or develop alternative tools to the security scanner,
Burp Suite, etc.
What else is left?
The technical document covers many other aspects which are not included in this publication. The technical document is available at this link
Solution
Decree No. 250 covers the entire list of state organizations,
regardless of their size and available budget. However, the
implementation of measures aimed at ensuring information security
must take into account the state organization's available budget,
so that these measures do not become an unbearable burden.
Hence, a conflict is possible between the information security
system built in the organization and the requirements of
regulatory/supervisory authorities.
The main method of testing the state of an organization's information
security should be penetration testing. Perhaps it makes sense,
instead of hiring an individual in each government organization
(each hospital), to agree on regular penetration testing by a
third party for the entire city district. This would make it
possible to attract more highly qualified specialists and reduce
the overall costs for all government organizations (in this case
hospitals) of the city.
Thus, the required minimum measures for a children's city hospital are:
1. Organization of penetration testing aimed at stealing
documents (data) and causing system failure.
2. Organizing a DDoS attack (an attack on an organization's systems
leading to system failure).
3. Based on the results of this testing, drawing up recommendations
for the organization to eliminate vulnerabilities and the necessary
training for the organization's employees.
4. Implementation of measures to eliminate vulnerabilities.
5. Drawing up a test of knowledge of information security fundamentals
for the organization's employees, taking into account the results of
the previous penetration testing.
6. Testing the organization's employees for knowledge of information
security basics.
7. Training of the organization's employees, taking into account
the results of the previous penetration testing.
8. Repeated testing of the organization's employees for knowledge
of the basics of information security in order to understand
whether the training in the previous step gave any results, and
how the training needs to be adjusted to get the desired results.
9. Preparation of legal documents confirming that the organization
complies with the requirements of the laws in the field of information
security (Decree No. 250, Russian Government Decree No. 1272, Federal Law No. 152,
and everything related to CII).
10. Repeat as necessary (at least once a year).
The city children's hospital is included in the list of critical
information infrastructure (CII). The legal requirements for CII
were formulated much earlier than Decree No. 250, and it is assumed
that the hospital has already implemented them.
In case of a conflict with regulatory and inspection authorities,
the list of measures above must be expanded to the required level.
It is worth noting that this list of measures, even in this form,
already conflicts with Decree No. 250 and Government Decree of the Russian
Federation No. 1272: the official responsible for the
organization's information security, by signing this document and
limiting himself only to it, comes into conflict with current
legislation, i.e. breaks the law.
However, full compliance with the law places a heavy burden on the
organization and its budget, which is another extreme that must be avoided.
A possible solution should be sought in negotiations with a lawyer and
the city administration.
A few related posts:
Broad vs Narrow specialisation
Three ideas to make healthcare better in Belgorod region, Russia