Why implementing an information security tool is often harder than delivering it
An information security tool may be certified, well known and correctly chosen, and still provide no protection if it is simply installed “according to the instructions.” In a corporate infrastructure, the tool has to fit the network, domains, servers, workstations, virtualization, clouds, APIs, DevOps, accounts, logs, business-critical systems, update schedules and the way operations actually run.
Implementation is therefore not the last technical step after procurement but a project of its own. It answers practical questions: which assets are we protecting, who administers the tool, where do its events go, how does an investigation proceed, who approves exceptions, what happens on a false positive, how do we avoid stopping a business process, and how do we prove to an auditor that the control really works.
For whom is this work critical?
CISO and information security service
What is needed is not a set of licenses but working controls: policies, events, response, evidence, change control and clear responsibility.
CIO and IT Operations
Protection has to be deployed without chaos in the infrastructure: with compatibility checks, maintenance windows, a rollback plan, monitoring, support and an SLA.
Architects and infrastructure teams
They need HLD/LLD, network diagrams, an integration matrix, and requirements for logs, accounts, redundancy and performance.
Regulated environments
ISPDn, GIS, CII, banks, industry and the public sector require not only technology but also correctly chosen measures, documents, logs and formal acceptance.
SOC and response teams
Security tools must feed events, context and statuses into SIEM/SOAR/ITSM so that alerts turn into investigations and actions.
Purchasing and Project Office
They need clear specifications, stages, acceptance criteria, a delimitation of responsibilities, and control that the delivery actually produced the intended result.
Key Terms, Plainly Explained
| Term | Expansion | What it means in implementation |
|---|---|---|
| SZI | Information security tool | A product or set of measures to protect systems, data, users, networks, applications or infrastructure. |
| CIPF | Cryptographic information protection tool | VPN, TLS, HSM, PKI, crypto gateways and other means where FSB requirements, certificates, key infrastructure and operation are important. |
| HLD | High-Level Design, top-level architecture | Shows what is being implemented, in which environments, how the systems are connected and which security principles are built in. |
| LLD | Low-Level Design, detailed project | Captures specific settings, rules, network zones, ports, accounts, logs, integrations, and failure scenarios. |
| ISPDn | Personal data information system | The environment where personal data is processed and where measures are required under Federal Law No. 152-FZ, Government Resolution No. 1119 and FSTEC Order No. 21. |
| CII | Critical information infrastructure | Systems and networks that are significant for industries and processes regulated by Federal Law No. 187-FZ and FSTEC requirements for significant facilities. |
| NGFW / WAF | Next-Generation Firewall / Web Application Firewall | NGFW protects the network perimeter and segments, WAF protects web applications and APIs from application attacks. |
| DLP / DBF / DAM | Data Loss Prevention / Database Firewall / Database Activity Monitoring | Leak control, database protection and monitoring of user and administrator actions in data. |
| EDR / XDR | Endpoint Detection and Response / Extended Detection and Response | Detect and investigate suspicious activity on workstations, servers and related sources. |
| SIEM / SOAR / SGRC | Security Information and Event Management / Security Orchestration, Automation and Response / Security Governance, Risk and Compliance | Event collection, response automation, risk management, controls, exceptions and reporting. |
| PAM / IDM / IAM | Privileged Access Management / Identity Management / Identity and Access Management | Manage privileged access, accounts, roles and rights lifecycle. |
| VM | Vulnerability Management | Vulnerability management: scanning, prioritization, remediation, exclusions and patch control. |
| UAT | User Acceptance Testing | Acceptance testing with the participation of users, IT and information security before production launch. |
International and Russian practice
Mature cybersecurity programs tie the deployment of security tools not only to product installation but also to risk management, controls, evidence and continuous improvement. NIST Cybersecurity Framework 2.0 helps describe the Govern, Identify, Protect, Detect, Respond and Recover functions; CIS Controls provide a prioritized set of practical measures; NIST SP 800-53 is useful as a catalog of controls; MITRE ATT&CK helps check which attack techniques the implemented measure actually covers.
In the Russian context, implementation must take into account Federal Law No. 152-FZ and ISPDn, Federal Law No. 187-FZ and CII, GIS, FSTEC and FSB requirements, product certification, security classes, threat models, logs, organizational and administrative documents and operation. Therefore, RESTART does not promise “compliance in one product”: compliance emerges from a combination of architecture, measures, settings, documents, processes and verified operation.
Classes of solutions that we implement
The composition of a project depends on the customer’s landscape. Sometimes one targeted measure is enough, for example a WAF in front of a customer self-service portal. Sometimes it is a combination of several classes: NGFW, VPN/CIPF, endpoint, DLP, PAM, SIEM, SOAR, VM, WAF, Anti-DDoS and operating regulations.

Perimeter and network
NGFW, VPN, CIPF, segmentation, DMZ, Anti-DDoS, WAF, bot protection, web/API protection and branch network protection.
Workstations and servers
Endpoint protection, EDR/XDR, trusted boot, device control, OS protection, virtualization and administration.
Data
DLP, DBF/DAM, masking, tokenization, control of data exports, database protection and preparation of secure dev/test environments.
Access and rights
IDM/IAM, PAM, MFA, administrator accounts, service accounts, access rights review and segregation of duties.
SOC-ready environment
SIEM, SOAR, SGRC, VM, TIP, UEBA, NDR, detection and response scenarios, reports, escalation routes and ITSM integrations.
DevSecOps and AppSec
SAST, DAST, SCA, secret scanning, container security, WAF, CI/CD control and remediation processes.
Vendors and products that can be included in the project
RESTART selects products based on the customer’s architecture, regulatory requirements, budget, compatibility and operational maturity. A project may include solutions from Security Code, Confident, InfoTEX, UserGate, ServicePipe, Kaspersky, Positive Technologies, R-Vision, Security Vision, DAMASCUS, Garda, InDEED, AppSec, F6 and other partners from the vendor map.
Security Code
regulatory information security, NGFW, VPN, endpoint, virtualization
Confident
protection against unauthorized access (NSD), trusted boot, VI, WAF, regulatory projects
InfoTEX
CIPF, VPN, crypto gateways, HSM, PKI, CII
UserGate
NGFW, SUMMA, SIEM, LogAn, Client, SecaaS
ServicePipe
Anti-DDoS, bot protection, cloud WAF, web/API protection
Kaspersky
endpoint, EDR/XDR, KATA, threat intelligence
Positive Technologies
VM, SIEM, AppSec, NDR, WAF, cyber resilience
R-Vision
SOAR, SGRC, VM, TIP, UEBA, SIEM
Security Vision
SOAR, NG SOAR, SGRC, SIEM, VM, TIP, UEBA
DAMASCUS
masking, tokenization, dynamic data protection
Garda
DLP, DBF, data masking, NDR, WAF, Anti-DDoS
Partners are listed as the technology backbone of each solution class. The specific composition of products, versions, licenses, certificates, delivery terms and compatibility is confirmed before the project starts.
How we implement it: from project to production environment
Diagnostics
We record assets, systems, data, users, network zones, existing security tools, regulatory requirements, operational constraints and expected results.
Architecture
We prepare or refine the HLD/LLD: where the solution is installed, which flows it protects, which roles are needed, where events are written and what fault tolerance looks like.
Pilot and specification
We check compatibility, performance, accuracy, integration, load on administrators and acceptance criteria.
Delivery and preparation
We agree on licenses, versions, certificates, keys, access rights, test stands, maintenance windows, the rollback plan and the responsibility matrix.
Setup and integrations
We deploy the product, configure policies, roles, logs, connectors, alerts, routes in SIEM/SOAR/ITSM and monitoring.
Trial operation
We tune the rules on real traffic, events and users, remove noise, check for false positives and train the administrators.
Acceptance
We carry out UAT, acceptance tests, verification of requirements, transfer of documentation, protocols, instructions and a list of open improvements.
Support
We help with updates, changes, incidents, reporting, onboarding of new sources and growing the maturity of the environment.
Integrations without which a security tool remains an island
A security tool should be part of the overall operating picture, not a separate console that nobody logs into. In RESTART projects, integrations with directories, logs, the SOC, ITSM, monitoring, DevOps and business systems are therefore designed in advance.
| Integration | Why it is needed | What we check |
|---|---|---|
| AD / LDAP / IdP | Single users, groups, roles, MFA and access lifecycle. | Service accounts, groups, administrator rights, locks and auditing. |
| SIEM / SOAR | Events, correlation, response scenarios, analysis, response automation and investigation. | Log format, event completeness, normalization, criticality, routing and noise. |
| ITSM / Service Desk | Elimination tasks, incidents, SLAs, owners, statuses and execution control. | Categories, escalation routes, task templates, required fields and reports. |
| Monitoring / Observability | Monitoring the availability of the security tool itself and its impact on the infrastructure. | Metrics, alerts, redundancy, capacity, updates and degradations. |
| DevOps / CI/CD | Secure releases, configuration verification, WAF, AppSec, containers and security checkpoints. | Build pipelines, secrets, approvals, exceptions, mitigation and rollback of changes. |
| BI / SGRC / reporting | Management picture: risks, controls, exceptions, dynamics and evidence base. | Data quality, control owners, reporting frequency and audit trail. |
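The SIEM/SOAR row above lists what is checked on a feed: log format, event completeness and normalization. The following is an added example of such an acceptance check, written for this page and not taken from RESTART, any vendor or any SIEM product. It assumes the security tool exports events in CEF, and it treats the event time (`rt`), the action (`act`) and at least one actor identifier (`src` or `suser`) as the mandatory fields, with a 95% completeness threshold per source; those field choices and the threshold are assumptions for the example, not a standard. The sample export, including a WAF event with no timestamp and a stray non-CEF syslog line, is constructed.

```python
"""Acceptance check for a security-tool -> SIEM feed: parse CEF lines, verify
the fields the integration design requires, and normalize to one schema so the
SOC can correlate across sources. Added example; sample events are constructed."""
import re
from collections import Counter, defaultdict

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
CEF_HEADER = re.compile(r"^CEF:(\d+)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|(\d+)\|(.*)$")
# Extension is "key=value key=value ..."; values may contain spaces, keys may not.
# CEF escape sequences (\= \| \\) are not handled here; a production parser must.
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Fields every source must deliver for correlation and ITSM routing to work.
# Assumed for this example; take the real list from the LLD.
REQUIRED = ("rt", "act")          # event time, action taken by the tool
ACTOR_ANY = ("src", "suser")      # at least one actor identifier
MIN_COMPLETENESS = 0.95


def parse_cef(line):
    """Return a dict of header and extension fields, or None if the line is not CEF."""
    m = CEF_HEADER.match(line.strip())
    if not m:
        return None
    _, vendor, product, _, sig, name, sev, ext = m.groups()
    ev = {"vendor": vendor, "product": product, "sig": sig, "name": name, "severity": int(sev)}
    ev.update(EXT_PAIR.findall(ext))
    return ev


def missing_fields(ev):
    """List the mandatory fields an event lacks (empty list means complete)."""
    missing = [k for k in REQUIRED if k not in ev]
    if not any(k in ev for k in ACTOR_ANY):
        missing.append("|".join(ACTOR_ANY))
    return missing


def normalize(ev):
    """Map vendor-specific CEF fields to the common schema used by correlation rules."""
    return {
        "ts": int(ev["rt"]) if ev.get("rt", "").isdigit() else None,
        "source": f"{ev['vendor']}/{ev['product']}",
        "rule": ev["sig"], "title": ev["name"], "severity": ev["severity"],
        "src_ip": ev.get("src"), "dst_ip": ev.get("dst"),
        "user": ev.get("suser") or ev.get("duser"),
        "action": ev.get("act"),
    }


def check_feed(lines, min_completeness=MIN_COMPLETENESS):
    """Per-source completeness statistics plus a pass/fail verdict for the feed."""
    per_source = defaultdict(lambda: {"total": 0, "complete": 0, "missing": Counter()})
    unparsed, normalized = 0, []
    for line in lines:
        ev = parse_cef(line)
        if ev is None:
            unparsed += 1          # connector let a non-CEF line through
            continue
        stats = per_source[f"{ev['vendor']}/{ev['product']}"]
        stats["total"] += 1
        gaps = missing_fields(ev)
        if gaps:
            stats["missing"].update(gaps)
        else:
            stats["complete"] += 1
            normalized.append(normalize(ev))
    verdict = unparsed == 0
    for stats in per_source.values():
        stats["completeness"] = stats["complete"] / stats["total"]
        verdict = verdict and stats["completeness"] >= min_completeness
    return {"pass": verdict, "unparsed": unparsed, "sources": dict(per_source), "events": normalized}


# Constructed sample export: two NGFW denies, a WAF block, a WAF event with no
# timestamp (a common failure mode when the time field is not mapped), a DLP
# alert identified by user rather than IP, and a plain syslog line that is not CEF.
SAMPLE_EXPORT = [
    "CEF:0|ExampleNGFW|fw|1.0|100|Connection blocked|6|rt=1700000000000 src=10.0.1.5 dst=203.0.113.9 dpt=445 act=deny",
    "CEF:0|ExampleNGFW|fw|1.0|100|Connection blocked|6|rt=1700000001000 src=10.0.1.6 dst=203.0.113.9 dpt=445 act=deny",
    "CEF:0|ExampleWAF|waf|2.1|9001|SQL injection|8|rt=1700000002000 src=198.51.100.7 request=/login?id=7 act=block",
    "CEF:0|ExampleWAF|waf|2.1|9002|Rate limit|3|src=198.51.100.7 act=log",
    "CEF:0|ExampleDLP|dlp|3.0|42|Upload policy|5|rt=1700000003000 suser=alice dst=10.0.2.3 act=alert",
    "Jan 1 00:00:00 host: plain syslog line the connector should not have passed through",
]

if __name__ == "__main__":
    result = check_feed(SAMPLE_EXPORT)
    print("PASS" if result["pass"] else "FAIL", "| unparsed lines:", result["unparsed"])
    for src, s in result["sources"].items():
        print(f"{src}: {s['complete']}/{s['total']} complete, missing={dict(s['missing'])}")
```

Run against a real export taken during trial operation, the per-source report is what goes into the acceptance protocol: a source that fails the threshold is a mapping defect on the connector side, not a reason to lower the threshold. The normalized events are what the detection scenarios should be written against, so that a rule does not silently depend on one vendor's field names.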
How the result is accepted
Proper acceptance of a security tool is not limited to the phrase “product installed.” It has to be verified that the product protects the intended assets, does not break the business process, sends events, is managed by the assigned roles, has documentation and a clear operating mode.
Functional tests
Policies, blocks, exceptions, notifications, reports, events and response scenarios work according to the agreed criteria.
Infrastructure checks
Performance, fault tolerance, backups, updates, network routes and impact on services are tested.
Information security checks
Roles, access rights, administrators, logs, event storage, hardening and change control correspond to the design model.
Operation
The team knows who is doing what when there is an incident, false positive, update, failure, policy change, or audit request.
Documents
Diagrams, instructions, settings, access matrices, test protocols, regulations and a list of open improvements are handed over.
Development plan
Once launched, it is clear which sources, rules, policies and integrations need to be added in the next stages.
Where the RESTART experience is especially useful
| Situation | What RESTART Delivers |
|---|---|
| There is HLD/LLD, but no implementation | We check the project for feasibility, clarify the settings, prepare a work plan, implement and transfer the environment into operation. |
| It is necessary to close the requirements of Federal Law No. 152-FZ, CII or GIS | We link security measures, certified products, documents, logs, roles and operational procedures. |
| Licenses have been purchased, but the product is not used | We conduct a technical and process analysis: what is installed, what is not configured, where there are no integrations, owners or application scenarios. |
| We need to build a SOC-ready environment | We connect sources, use cases, SIEM/SOAR/ITSM, escalation routes, playbooks, SLAs and management reporting. |
| Many vendors and no single picture | We build a technology map: which solutions are responsible for what, where they overlap, which events are needed, and what to keep, replace or adjust. |
| Need to be implemented without stopping business | We plan work windows, pilot groups, staged rollout, rollback, communications with users and load testing. |
The role of AI in the implementation and maintenance of information security
AI does not replace the information security engineer, architect or administrator. But it can significantly reduce the manual workload in an implementation project: compare requirements against settings, look for omissions in documentation, summarize trial-operation logs, draft runbooks and playbooks, analyze configuration changes, help assemble the evidence pack, and explain to management what has already been closed and what remains a risk.
For RESTART, a safe mode for using AI is important: internal sources, access rights, logging, verification by a specialist and a ban on automatically changing policies without approval. In a mature environment, AI helps to quickly implement and maintain information security, but the final decisions remain with the responsible people.
What does the business get?
Protection you can use
The security tool works in the real landscape and has owners, settings, logs, instructions and clear support.
Reduced regulatory risk
Measures, documents, logs and evidence pack help to pass inspections and internal audits without emergency manual restoration of the picture.
Less downtime and surprises
Pilot, trial operation, staged rollout and rollback plan reduce the risk of stopping users or critical services.
Faster investigations
Events from security tools land in SIEM/SOAR/ITSM with context, owners and response routes.
Cost of ownership control
The customer understands who administers the solution, what resources are needed, how to update, what to customize, and what licenses are not used.
Development plan
After the launch, the roadmap remains: new sources, rules, policies, reports, integrations and automation.
Deliverables
- map of protected assets, systems, users, roles and areas of responsibility;
- updated HLD/LLD or set of design schemes for implementation;
- specification of SZI/CIPF products, versions, licenses, certificates and delivery restrictions;
- configured policies, rules, integrations, accounts, logs and notifications;
- access matrix for administrators and users, including service accounts;
- test plan, pilot, trial operation and acceptance protocols;
- administrator instructions, runbook, playbook, maintenance and update regulations;
- evidence pack for information security, compliance, internal audit and procurement;
- development roadmap: new sources, rules, reports, integrations and automation.
First practical step
It is sensible to start with a short diagnostic: which systems are protected, which requirements apply, which security tools already exist, what has been purchased, what does not work, which integrations are needed and who will operate the environment after launch.
If the target architecture has not yet been described, HLD/LLD comes first. If the products are already selected, you can move on to the pilot, specification, delivery and implementation. If the task is regulatory, it is worth linking the implementation with a CII/Federal Law No. 152-FZ or GIS assessment or a comprehensive IS audit.
Frequently asked questions
How does implementation differ from the delivery of a security tool?
Delivery covers the commercial and licensing part. Implementation is responsible for configuration, integrations, logs, roles, testing, documents, acceptance and handover to production.
Is it possible to implement without HLD/LLD?
For a small, targeted task a technical plan is sometimes enough. For enterprise, ISPDn, GIS, CII, SOC-ready environments and multi-vendor projects, HLD/LLD greatly reduces the risk of errors.
What is trial operation?
This is the period when the solution works on real data and users, but the team is still fine-tuning policies, events, exceptions, reports and instructions before production acceptance.
How not to break business processes during implementation?
Through pilot groups, staged rollout, maintenance windows, exception rules, impact monitoring, a rollback plan and coordination with system owners.
Is it possible to implement already purchased solutions?
Yes. RESTART can start with a survey of current licenses, versions, configurations and integrations, then come up with a realistic plan for an upgrade or relaunch.
Which security tools can be connected to SIEM/SOAR?
Almost any mature solution that emits events: NGFW, WAF, EDR/XDR, DLP, PAM, VM, CIPF, DBF/DAM, endpoint, NDR and infrastructure sources.
Who provides support after launch?
The model is decided per project: the customer, RESTART, the vendor or a joint scheme. What matters is that roles, SLAs, updates, incidents and changes are described in advance.
Is it possible to start in a regulated environment?
Yes. For ISPDn, GIS and CII we link the implementation with regulator requirements, threat models, documents, logs and the evidence pack.
Let's discuss your environment
Describe the task, current systems, constraints, and expected results. We will offer a practical first step: diagnostics, pilot, audit, roadmap or project team.