
ISsoft’s Information Security Department: Development History, Plans, and Popular Incidents

March 1, 2021

The Information Security Department is one of the essential departments in an IT company. It’s crucial to protect customer and employee data, processes, and equipment from intrusion attacks. Various specialists covered data security at ISsoft, but the Information Security Department was created in 2016 when Alexey Evmenkov joined the company and became Information Security Director. Alexey told us how he started working in the information security domain, and spoke about the department’s structure, its plans, and the most prevalent incidents.

– Alexey, could you tell us how you started working in the information security domain?

– When I was a student, there was no Information Security program. At the end of the 1990s, I graduated from BNTU with a degree in Robots and Robotics Systems. Unfortunately, there were no jobs to work in my profession, but I enjoyed computer things. For example, at the university, I programmed a database for the Dean’s office. As far as I remember, there were two IT companies, and I got a job in one of them as a QA engineer. I started with manual testing and continued with automated testing. I always liked processes, including order and consistency, so I retrained as a process fellow – Quality Director.

I didn’t expect to get into information security because I certified a company where I worked according to ISO 9001 (this concerns quality management systems). Then its CEO asked me to get ISO 27001 certification, which is the standard for information security. I gave it my full attention and dived deep into the information security domain, and I liked it. Thus, I retrained as an Information Security specialist. Since 2008, I have been doing ISO 27001 certification for an international company, Tieto, with offices in 27 countries and a staff of 15,000 people. I visited the offices and set up processes to meet the information security requirements. And in 2016, I joined ISsoft as the 600th employee.

In 2008-2009, I was involved in certification at Tieto. It was the first official ISO 27001 certification in Belarus.

– What do you like about information security?

– It’s impossible to reach an average level without structured and transparent processes in information security. This is an area where you have requirements, and you have to implement them. It isn’t easy to do because most of the requirements and processes are based on people forgetting something, not wanting something, etc. On the one hand, there’s straightforward, structured information security, but on the other hand, there’s a constant human factor, which appeals to me. It’s also great that information security is extensive, in some ways even infinite. Information security is divided into 12 domain zones; a lifetime is not enough to delve into each of them. Besides, my work will always be up-to-date. The world without privacy and information security isn’t safe. Sometimes I’m afraid of increasing risks and responsibilities.

– Sure, it’s hard to imagine your job’s responsibility. Are your tasks more about interaction with people or documents?

– Based on the specifics of information security projects, I work mostly with people. Employees primarily perform the processes. Therefore, we worked through the Information Security Policy in constant communication with the critical group of employees. I start to work with the employees from their first days in the company. They join ISsoft and take my training on Information Security. There’s also constant interaction daily, as I have operational tasks, including a flow of issues and questions to solve. For example, someone creates a HelpDesk ticket with a request for access or asks: “Can I use certain software?”, etc.

Here’s an example of a typical information security project. During the WFH period, we enabled a firewall on corporate devices located at home for additional protection (for Windows OS). We had to develop a prototype, which included selecting the settings and thinking through the implementation process. We had to create a pilot group for the developed solution (to implement it, we had to negotiate so that it wouldn’t interfere with the business). Then we checked that everything was alright, and then we launched it for the whole company.

– Do you have to interact with customers?

– Relatively rarely. Only when they need our help. For example, customers sometimes send checklists to make sure that everything is alright with your information security. And then I fill them out. Sometimes we schedule meetings with customers when they want to talk in person and find out some details. Sometimes we need to implement a specific customer’s requirement on the project, and then we also meet with them and find a solution. This doesn’t happen very often, but I’m aware of the importance of such tasks for the business, and they are always a priority.

– What’s your typical working day?

– My tasks depend on the day of the week, and some responsibilities are repeated weekly. Monday, for example, is always busy because we have a lot of meetings to plan tasks for the week.

In addition to the operational tasks mentioned above, we work on our projects. We have an annual work plan outlining all of our projects.

Projects are something new that we have decided to do and are doing. For example, we recently implemented a Vulnerability scanning process for scanning our assets (computers, equipment) for vulnerabilities. We have a tool that runs on specific areas in a particular order to perform it. It’s a considerable effort; we have the whole process lined up in this area.

I want to add more about the so-called “operational tasks”. In addition to handling employee requests, we do regular analysis of passwords, two-factor authentication, unwanted software, network activity, and other things. We regularly monitor dozens of aspects.

Nikita is on the left; Alexey is on the right. Photo taken during ISsoft 2020 corporate party.

– Who works with you on the team?

– When the department officially appeared, I worked on my own. After a couple of years, Security engineers Nikita Bakulya and Andrei Polunosik joined my team. This year our team will grow by one more employee. They are my core team.

There’s also an extended InfoSec team that includes the company’s key people: the company’s CTOs, IT director, Helpdesk director, and a representative of the Minsk executive team. We interact with them to plan and implement tasks.

By the way, at my Information Security training for newcomers, I always talk about our InfoSec team. The fact that InfoSec employs top managers permanently shows that our company is earnest about information security.

– How has the department evolved in the last five years?

– When I joined the company, the first thing I did was an audit. Then I built a basic plan and began to move it forward. From the very beginning, I created a system of information security management, where we don’t just “put out fires”, but establish a process and systematically build protection. We have a crucial model based on ISO 27001. It has all the domain zones, and each of them has its own technical and organizational protection measures.

– Has the pandemic affected your work?

– Of course, it has, as our employees started working from home. When we originally built the InfoSec system, WFH was an exception, one of the remote work sections. Now remote work has become the rule, and unknown risks have arisen. For example, what kind of equipment does an employee work on: personal or corporate? If he works on a corporate one, does he connect to it from his home PC, or did he transfer his work equipment home? If shared, where does he keep his work equipment, and who can access it? There are many nuances, and because the infrastructure has spread out, it’s harder for us to control it. Of course, we try to put it all together.

– So, it turns out there is more work now.

– The amount of work has increased :). Firstly, there are more tasks due to its growth, because more processes take more effort. Secondly, we introduce new approaches, which take time. Besides, the new processes need to be supported. For example, in 2020, we implemented the SIEM system that collects information from multiple company systems, correlates, and gives events and alerts based on specific criteria. It’s an excellent system that not all companies have. There’s more to worry about. We are becoming more mature in information security, but it also takes more effort to support it.

– Could you tell us about prevalent employee incidents?

– Talking about it is even vital. One of the repeated serious incidents is working on personal equipment. Code, documents, and other work data are confidential information that shouldn’t be stored on personal equipment outside the company’s infrastructure as we don’t monitor or control it. This incident is difficult to watch because the employees are out of the office, and everyone solves their problems as they think it would be right. Let me remind you of the decision about personal equipment. You can provide it for the so-called “IT check”, and after this procedure, you can use it for work.

The second violation is the use of unauthorized cloud solutions on the project. For example, an employee sent a link to an unauthorized questionnaire from an obscure website, where it is not clear how and by whom the data are controlled. Sometimes people send production data via email or Skype, which our Information Security Policy forbids. We have a particular system and approach to monitoring such incidents.

Another infrequent but “cool” incident involves triggered phishing. You get an email, you open it, but you also enter your credentials in the window that opens. Your mail is in the cloud, so the people who got your information can get into your mail. They create a forwarding rule according to specific criteria. For example, emails that contain keywords like “credentials” or “password” are forwarded to the “left” mailbox. This data can be used for all sorts of malicious things. Fortunately, we haven’t had the phishing chain go all the way to the end, but there have been cases where people have reached the middle of the process. It’s a vast area that we are working with and will continue to work with. This year, we plan to launch an anti-phishing training project.

Work is work, but I always have time for family and children.

– It sounds interesting. I hope employees will remember these cases. Well, how much of your job involves being available 24/7?

– Unfortunately, incidents don’t choose work hours; they happen when they happen. If something happens, everyone gets involved in the issue, and me first. We have an incident management process, so everything is done according to the instruction.

– What are the InfoSec Department’s plans and yours?

– We’ll continue to build a mature information security management system. And we are also planning to obtain ISO 27001 certification. Many clients ask about it. Although we already have all the processes described there, they aren’t certified by an external party. It would be nice to get such a confirmation (certificate) to simplify communication with clients and mobilize various departments.

I plan further to develop information security in a large international company. I mean Coherent Solutions, in case someone didn’t guess it right away. 🙂

I plan to develop the process side, as I lacked technical knowledge in it. For the past five years, I’ve been restoring the gaps. I took various courses in System Administration and working with different systems. I have, for example, CompTIA Network+, Security+ certificates, etc. I know my weaknesses and strengths and try to bring everything into harmony.

– Great! Could you tell us how to get into the information security domain now?

– It depends on who you are and what your goals are. If you are a student, it’s better to get a degree in Information Security. All you have to do is choose the direction and the field and develop.

If you are an established specialist, it depends on your background. The easiest way to enter the domain with a system or network administrator’s experience might be DevOps. About half of information security tasks are related to technical tasks with infrastructure (we are talking about system administration, essentially). By the way, system administrators usually don’t like to communicate. In information security, you continuously communicate with people, and you have to be ready for it. You’d better love communication. Next, you have to study the selected domain area of information security and the related standards. How? There are many ways, for example, certification. It’s not just about getting a piece of paper but about systematically studying the information and being given a direction so that you continue to learn on your own. I have a little presentation about personal development in information security. If anyone is interested, please follow this link.

Thank you for the interview! We’re sure that ISsoft’s information security is in good hands.
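The phishing incident Alexey describes ends with a mailbox forwarding rule that quietly sends messages matching keywords such as “password” or “credentials” to an outside address. The script below is an added illustration of how a defender can audit inbox rules for exactly that pattern; it is not part of the interview and not ISsoft’s tooling. The rule records, the corporate domain `example.com`, and the field names (`keywords`, `forward_to`, `delete_after_forward`) are constructed assumptions standing in for whatever a real mail platform exports.

```python
"""Audit mailbox inbox rules for the credential-forwarding pattern.

Constructed example: the rules below are hand-written sample data, not an
export from any real mail system. Field names and the corporate domain are
assumptions chosen for illustration.
"""
from dataclasses import dataclass

CORPORATE_DOMAIN = "example.com"  # assumed internal domain for the sample data
# Keywords that, combined with forwarding, usually mean someone is harvesting secrets.
SENSITIVE_KEYWORDS = {"password", "credentials", "login", "otp", "invoice"}


@dataclass
class InboxRule:
    mailbox: str                       # owner of the mailbox the rule lives in
    name: str                          # rule name as shown to the user
    keywords: tuple = ()               # subject/body keywords the rule matches on
    forward_to: tuple = ()             # addresses the matching mail is forwarded to
    delete_after_forward: bool = False  # whether the owner's copy is removed


def is_external(address: str, corp_domain: str = CORPORATE_DOMAIN) -> bool:
    """True when the recipient's domain is not the corporate domain."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != corp_domain.lower()


def audit_rule(rule: InboxRule) -> list[str]:
    """Return a list of findings for one rule; an empty list means it looks benign."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    hits = sorted(k for k in rule.keywords if k.lower() in SENSITIVE_KEYWORDS)
    if rule.forward_to and hits:
        findings.append("forwards mail matching sensitive keywords: " + ", ".join(hits))
    if rule.forward_to and rule.delete_after_forward:
        findings.append("deletes the message after forwarding (hides the copy from the owner)")
    return findings


def audit_rules(rules) -> dict:
    """Map (mailbox, rule name) -> findings, keeping only rules that raised something."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[(rule.mailbox, rule.name)] = findings
    return report


# Constructed sample: one benign rule, one that matches the incident pattern,
# and one that forwards everything to a personal webmail account.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Team updates",
              keywords=("standup",), forward_to=("team-lead@example.com",)),
    InboxRule("bob@example.com", "Sync",
              keywords=("password", "credentials"),
              forward_to=("collector@mail-drop.example.net",),
              delete_after_forward=True),
    InboxRule("carol@example.com", "Archive",
              forward_to=("carol.personal@webmail.example.org",)),
]

if __name__ == "__main__":
    for (mailbox, name), findings in audit_rules(SAMPLE_RULES).items():
        print(f"{mailbox} / {name}")
        for finding in findings:
            print(f"  - {finding}")
```

Running the script reports Bob’s rule on all three counts and Carol’s rule for external forwarding only; Alice’s internal rule raises nothing. In practice the same checks would be run periodically against the rule export of every mailbox, since the rule is what survives after the stolen password itself has been reset.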