How we got into the information security department of a large company and started working in it. Diary of two young and promising professionals

    For three months now, we, two fourth-year students, have been working in the information security department of "LANIT-Integration". We would like to share our impressions of this stage of entering the profession and a large IT business. This article will be useful to anyone who is going to get a job in this specialty or who is interested in how to start studying "Information Security". It will help you understand what awaits you in the first months of work in a large company, what problems will arise along the way, and most importantly, how to solve them.

    Chapter 1. Information security from scratch or ...

    It is no secret that in Russia it is difficult for students to find work in their specialty after graduating from university, not to mention good practice during their studies. People who are eager to learn and work are forced to listen to refusals from every employer, each of whom immediately requires extensive experience. This approach is firmly entrenched in Russia, which is why young minds and really good guys who graduated from the institute have to go to work in our favorite bakeries under the control of those who did not complete their education and decided to work in the local canteen as a freshman or after the army. Like it or not, this does not mean that such a fate awaits absolutely everyone.

    As third-year students of the Information Security specialty at the Kursk University, while waiting for the next exam session, our group began searching for organizations that would allow us to gain work experience in our specialty. In the process of finding a workplace, we faced the typical problems of our training profile, and not only those. The fact is that we did not have enough work experience or even practice (although that is what we came for), and the heads of the organizations themselves did not know where to put us so that information security in the company would benefit most.

    As a result, after three years of study, the knowledge gained did not allow us to picture clearly what would await us after graduation. There was a fear that we would find ourselves among the people who never managed to get a job in the specialty on which a part of their life had already been spent.

    “Information security” is a phrase that somewhere someone might have heard, but did not attach much importance to it. It turned out that the specialty is important, but training in this specialty is developing poorly.

    In the process of finding a job, we were already desperate, but what we wanted came to us at the university itself, in the person of the head of the information security department of the company "LANIT-Integration", with a proposal to attend the Open Day. The purpose of the event was to find decent people for internships in the company he represents. We were delighted at the chance that had appeared, although we thought it looked like the barely trodden trail of a three-legged pug across the lawn to a highway with an infinite number of lanes.

    My group and I were lucky that the head of the information security department of “LANIT-Integration” is one of those who help young people and give them a chance to get a job. We were not required to be masters in the field of information security; we just had to show our sincere desire and determination to learn and develop.

    On the Open Day we were greeted with tea and cookies. We listened to a presentation by the company's management and began to write the introductory tests. There were three of them: a test of technical knowledge, an English test and an IQ test. It was also necessary to write an essay on the topic "Why I want to work here." We were immediately warned that knowledge at this stage is not a panacea; the main thing is to demonstrate our desire to develop in the field of IT. Having written a very specific essay, I hoped that it would hook the readers with its originality. And it worked.

    The next step was waiting. We took the role of Hachiko, waiting for an important response after the meeting. We wanted to be the best among all those who tried to get into LANIT, but were afraid, to the point of trembling knees, that we would miss out. When the results of the meeting were announced, we realized that it was not for nothing that we had started all this, and that we would be given a chance to prove ourselves on the staff of the information security department.

    On the first day, we filled in everything that was required of us, grabbed cheap rolls from the nearest stall, as befits poor students, and were ready to explore a new chapter of our life, one that is not yet open and can stick together at any moment, like the pages with girls from a car magazine in the hands of a fourteen-year-old teenager in the 90s. In the first days of our acquaintance with colleagues, they had no need to say: “Forget everything you were taught at the institute,” because it is impossible to forget what was never in our heads, unlike your girl’s thoughts about Ryan Gosling. Maybe there was minimal knowledge, but it was certainly not enough to adequately follow what was being discussed in the office, and this has nothing to do with the fact that you have difficulties with Ryan.

    The main problem with the knowledge gained at the university was that it was delivered unevenly, without a definite sequence and without an understanding of the main idea of the field of activity. It is therefore clear why our first task was to study the basics of information security.

    Chapter 2. Double tap on information security after double caps

    In the first week of our work at LANIT-Integration, it was not clear what to take on first. So that we could understand what the company does, the curators gathered us in a meeting room, where they explained in general terms where we could go. It was decided to split us up and give out knowledge in the style of “one thing for one, another thing for the other”, since the information security department in LANIT-Integration is divided into two main areas: consulting and engineering.

    The first area requires deep knowledge of the regulatory framework and international standards in the field of information security. In addition, consultants need to be well-versed in modern information technologies in order to communicate with the customer's technical specialists at the same level. The main activity of this area is interaction with customers, the formation of a set of measures to protect information and the handover of technical requirements to the engineering area. Engineers work with this data. They need to understand which protection tools are best to use in a given case. So we immediately began to realize how the process works and who has what responsibilities.

    It turned out that I ended up in consulting, and my friend in engineering. We decided that it was too early to choose a specialization, because we had not yet been on the front line. Therefore, we took up different tasks in both areas together. This is where the first difficulties arose.

    The consulting task was to study the basic laws and the legal documents most frequently encountered in the activities of LANIT-Integration. So the first to fall into our baggage of knowledge were:

    • Federal Law No. 149-FZ “On Information, Information Technologies and Information Protection”, on which the entire legal aspect of information is based,
    • Federal Law No. 152-FZ “On Personal Data”,
    • Federal Law No. 187-FZ “On the Security of Critical Information Infrastructure of the Russian Federation”,
    • FSTEC Order No. 21,
    • FSTEC Order No. 17,
    • FSTEC Order No. 235,
    • FSTEC Order No. 239,
    • FSB Order No. 378,
    • Government Resolution No. 127,
    • Government Resolution No. 1119.

    It was quite easy for us to read, study and understand federal laws, government decrees and other documents in the field of information security, but the technical task was much more difficult. Its essence was that it was necessary to describe in detail all information protection tools (SZI). Examples of such systems are IPS/IDS, SIEM, PAM, DLP, firewalls, etc.

    This is not the entire list, as there are many tools, and they overlap with each other. But even for this small list it was very difficult to find simple and relevant information that explains the principles of operation rather than just the main functions. At the institute, we rarely came across such concepts as SZI, so the material was hard to absorb on our weak technical base.

    By the end of the first week, we realized that we needed to structure the way we took in information and lay a correct and competent foundation. At the beginning of the second week we met with the curators to discuss the material and the sequence of actions. As a result, we agreed that it is more convenient and productive for us to study the same information. We discussed an individual development plan for the trial period, the first month of which includes Shon Harris’s CISSP All-in-One Exam Guide.

    Every beginning information security specialist should devote time to this book. It was written in 2011. Some things in it are no longer relevant today, but it is very informative and covers all aspects of information security in an organization: from physical security and international standards to a detailed description of most protocols and quantum cryptography. We absorbed huge amounts of information written in plain language and well structured. In parallel with this, we carried out internal tasks, such as compiling questionnaires on various information protection tools. We even attended a meeting with one of the customers. During conversations between colleagues, we heard a lot of incomprehensible words, which we immediately typed into search engines, and the information we found was written on sticky notes and pasted wherever possible.

    My workplace in the first month of work

    We continued to study the CISSP All-in-One Exam Guide for the second and third weeks. This activity did not promise to be more fun and interesting than a local hard party, but we needed it to get up to speed. It took us two weeks to read nine hundred pages. In some places the technical material was very hard to take in, but the essence was clear. The most important thing that we understood is that the idea of information security should come from the management. It bears the greatest responsibility for all information, assets and personnel, and therefore should in every way contribute to the protection of information and the creation of the necessary conditions for the functioning of the information security system. The book also describes well the activity at different levels: administrative, physical, technical. Each level is described in detail, with analogies and, most importantly, clearly. This book will help everyone who wants to understand what information security is,

    Chapter 3. The team and communication  

    In any workplace, it is always important to pay attention to the relationships between people within the organization. It is always good when people are open and when it is possible to talk on various topics related not only to work, especially when it comes to a place where a person spends a very long time. It was important for me that I could get along with colleagues and be on the same wavelength with them. In LANIT-Integration, I did not have any problems in communicating with curators and other colleagues, except for a bunch of questions directly related to a particular task. I would like to thank them all for the help, attention and great patience they give us, because we have to ask, clarify and correct a lot of things. I can describe the relationships in our department as good and relaxed. I am reminded of the series "The Office"; I often draw analogies with it.

    Good relationships are not limited to the department. They concern the whole organization. Information that is distributed within the company is always aimed at ensuring efficient and comfortable work both in the office and outside it. Employees receive notifications about how to get home, congratulations on their birthday, holiday reminders, etc. All this makes the atmosphere in the team warmer.

    Chapter 4. End of the trial period and debriefing

    In accordance with the contract, we had a three-month probationary period, at the end of which a decision should be made on whether we are suitable for LANIT-Integration or not.

    During these months, we studied regulations and information security tools, attended the BISA Summit conference and a Positive Technologies event, analyzed the information security market and IT companies, developed documentation for various projects, and most importantly, absorbed a lot of knowledge and experience. It became clear to us that there is no need to hurry with the choice of a direction in information security, since both consulting and engineering have interesting activities as well as dreary filling in of documentation. It is necessary to have a sufficient knowledge base and experience in one direction or the other in order to decide exactly what we like. Consequently, at the moment we are performing tasks and developing in both directions. Naturally, this is not easy, but we see a complete picture of what information security specialists do in our company.

    At the end of the story, I would like to note that it is difficult to say what colleagues and management think about us: we try and we smile. What this means, only they know.

    The result of the trial period will be known after these lines are written. We believe in the best. All the best and good luck, which I hope will not leave us.

    The article was written together with RZhuravlev

