Chapter V. Ensuring the security and protection of information

Information Security Policy.

1. General provisions

This Policy information security (Further - Policy ) defines a system of views on the problem of ensuring information security and is a systematic presentation of goals and objectives, as well as organizational, technological and procedural aspects of ensuring information security of information infrastructure objects, including a set information centers, data banks and communication systems of the organization. This Policy has been developed taking into account the requirements of the current legislation of the Russian Federation and the immediate prospects for the development of information infrastructure facilities, as well as the characteristics and capabilities of modern organizational and technical methods and hardware and software for information security.

The main provisions and requirements of the Policy apply to all structural divisions of the organization.

The policy is a methodological basis for the formation and implementation of a unified policy in the field of ensuring information security of information infrastructure facilities, making coordinated management decisions and developing practical measures aimed at ensuring information security, coordinating the activities of structural divisions of the organization during the creation, development and operation of information infrastructure facilities. infrastructure in compliance with information security requirements.

The policy does not regulate the organization of security of premises and ensuring the safety and physical integrity of information infrastructure components, protection from natural disasters, and failures in the energy supply system, but it assumes the construction of an information security system on the same conceptual basis as the security system of the organization as a whole.

The implementation of the policy is ensured by relevant guidelines, regulations, procedures, instructions, methodological instructions and a system for assessing information security in the organization.

The Policy uses the following terms and definitions:

Automated system ( AC) — a system consisting of personnel and a set of automation tools for their activities, implementing information technology to perform established functions.

Information infrastructure— a system of organizational structures that ensure the functioning and development of the information space and means of information interaction. The information infrastructure includes a set of information centers, data and knowledge banks, communication systems, and provides consumers with access to information resources.

Informational resources ( IR) – these are separate documents and separate arrays of documents, documents and arrays of documents in information systems (libraries, archives, funds, databases and other information systems).

Information system (IP) - information processing system and corresponding organizational resources ( human, technical, financial, etc.) that provide and disseminate information.

Safety - state of protection of interests ( goals) organizations under threat conditions.

Information Security ( IS) — security related to threats in the information sphere. Security is achieved by ensuring a set of information security properties - availability, integrity, confidentiality of information assets. The priority of information security properties is determined by the value of the specified assets for interests ( goals) organizations.

Availability of information assets - property of an organization's information security, which consists in the fact that information assets are provided to an authorized user, in the form and place required by the user, and at the time when he needs them.

Integrity of information assets - the ability of an organization's information security to remain unchanged or correct detected changes in its information assets.

Confidentiality of information assets - property of an organization's information security, which consists in the fact that the processing, storage and transmission of information assets is carried out in such a way that information assets are available only to authorized users, system objects or processes.

Information security system ( NIB) — a set of protective measures, protective equipment and processes for their operation, including resource and administrative ( organizational) provision.

Unauthorized access– access to information in violation of the official powers of an employee, access to information closed to public access by persons who do not have permission to access this information or obtaining access to information by a person entitled to access this information in an amount exceeding that necessary to perform official duties.

2. General requirements for ensuring information security

Information security requirements ( Further -IS ) determine the content and goals of the organization’s activities within the framework of information security management processes.

These requirements are formulated for the following areas:

assignment and distribution of roles and trust in personnel;
stages life cycle information infrastructure facilities;
protection against unauthorized access ( Further - NSD ), access control and registration in automated systems, in telecommunications equipment and automatic telephone exchanges, etc.;
antivirus protection;
use of Internet resources;
use of cryptographic information protection tools;
protection of personal data.

3. Objects to be protected

The main objects to be protected are:

informational resources, presented in the form of documents and arrays of information, regardless of the form and type of their presentation, including confidential and public information;
system of formation, distribution and use of information resources, libraries, archives, databases and data banks, information technologies, regulations and procedures for collecting, processing, storing and transmitting information, technical and service personnel;
information infrastructure, including systems for processing and analyzing information, hardware and software for its processing, transmission and display, including channels of information exchange and telecommunications, systems and means of protecting information, objects and premises in which components of the information infrastructure are located.

3.1. Features of the Automated System

Information of different categories circulates in the AS. Protected information can be shared by different users from different subnets of a single corporate network.

A number of AS subsystems provide for interaction with external ( state and commercial, Russian and foreign) organizations via dial-up and dedicated communication channels using special means transfer of information.

The complex of technical means of the AS includes data processing tools ( workstations, database servers, mail servers, etc.), means of data exchange in local computer networks with the ability to access global networks ( cable system, bridges, gateways, modems, etc.), as well as storage facilities ( incl. archiving) data.

The main features of the operation of the AS include:

the need to combine a large number of different technical means of processing and transmitting information into a single system;
a wide variety of tasks to be solved and types of data processed;
combining information of various purposes, affiliations and levels of confidentiality into single databases;
availability of connection channels to external networks;
continuity of operation;
the presence of subsystems with different requirements for security levels, physically united into a single network;
diversity of categories of users and service personnel.

In general, a single AS is a collection of local computer networks of departments interconnected by means of telecommunications. Each local computer network integrates a number of interconnected and interacting automated subsystems ( technological areas), providing solutions to problems by individual structural divisions of the organization.

Informatization objects include:

technological equipment ( computer equipment, network and cable equipment);
informational resources;
software ( operating systems, database management systems, general system and application software);
automated communication and data transmission systems (telecommunications);
channels of connection;
office premises.

3.2. Types of organizational information assets to be protected

Information of various levels of confidentiality circulates in the organization's AS subsystems, containing information of limited distribution ( official, commercial, personal data) and public information.

The AS document flow contains:

payment orders and financial documents;
reports ( financial, analytical, etc.);
information about personal accounts;
Personal Information;
other restricted information.

All information circulating in the AS and contained in following types information assets:

information constituting commercial and official secrets, access to which is limited by the organization, as the owner of the information, in accordance with the provisions of the Federal Law " About information, informatization and information protection » rights and Federal law « About trade secrets »;
personal data, access to which is limited in accordance with the Federal Law " About personal data »;
open information, in terms of ensuring the integrity and availability of information.

3.3. Categories of users of the Automated System

The organization has a large number of categories of users and service personnel who must have various powers to access AS information resources:

ordinary users ( end users, employees of organizational units);
server administrators ( file servers, application servers, database servers), local computer networks and application systems;
system programmers ( responsible for maintaining general software) on servers and user workstations;
application software developers;
computer hardware maintenance specialists;
information security administrators, etc.

3.4. Vulnerability of the main components of the Automated System

The most vulnerable components of the AS are network workstations - automated workstations ( Further - AWS ) workers. Attempts of unauthorized access to information or attempts of unauthorized actions ( unintentional and intentional) on a computer network. Violations of the hardware and software configuration of workstations and unlawful interference in their functioning processes can lead to blocking of information, the inability to timely solve important problems and the failure of individual workstations and subsystems.

Network elements such as dedicated file servers, database servers and application servers require special protection. Disadvantages of exchange protocols and means of restricting access to server resources may allow unauthorized access to protected information and influence the operation of various subsystems. In this case, attempts may be made as remote ( from network stations), and direct ( from the server console) impact on the operation of servers and their security measures.

Bridges, gateways, hubs, routers, switches and others network devices,communication channels and means also need protection. They can be used by attackers to restructure and disrupt the network, intercept transmitted information, analyze traffic, and implement other methods of interfering with data exchange processes.

4. Basic principles of information security

4.1. General principles of safe operation

Timely detection of problems. An organization must promptly detect problems that could potentially impact its business goals.
Predictability of problem development. The organization must identify cause and effect relationships possible problems and build on this basis an accurate forecast of their development.
Assessing the impact of problems on business goals. The organization must adequately assess the impact of identified problems.
Adequacy of protective measures. The organization must select protective measures that are adequate to the models of threats and intruders, taking into account the costs of implementing such measures and the amount of possible losses from the execution of threats.
Effectiveness of protective measures. The organization must effectively implement the protective measures taken.
Using experience when making and implementing decisions. The organization must accumulate, generalize and use both its own experience and the experience of other organizations at all levels of decision-making and execution.
Continuity of principles of safe operation. The organization must ensure the continued implementation of the principles of safe operation.
Controllability of protective measures. The organization should only implement controls that can be verified to operate correctly, and the organization should regularly evaluate the adequacy of the controls and the effectiveness of their implementation, taking into account the impact of the controls on the organization's business objectives.

4.2. Special principles for ensuring information security

The implementation of special information security principles is aimed at increasing the level of maturity of information security management processes in the organization.
Definition of goals. The organization's functional and information security objectives should be explicitly defined in an internal document. Uncertainty leads to “ vagueness” organizational structure, personnel roles, information security policies and the inability to assess the adequacy of the protective measures taken.
Knowing your customers and employees. The organization must have information about its clients, carefully select personnel ( workers), develop and maintain corporate ethics, which creates a favorable trusting environment for the organization’s asset management activities.
Personification and adequate division of roles and responsibilities. The responsibility of the organization's officials for decisions related to its assets should be personified and carried out primarily in the form of a guarantee. It must be adequate to the degree of influence on the goals of the organization, recorded in policies, controlled and improved.
The adequacy of roles to functions and procedures and their comparability with the criteria and evaluation system. Roles must adequately reflect the functions performed and the procedures for their implementation adopted in the organization. When assigning interrelated roles, the necessary sequence of their implementation must be taken into account. The role must be consistent with criteria for assessing the effectiveness of its implementation. The main content and quality of the role performed are actually determined by the evaluation system applied to it.
Availability of services. The organization must ensure the availability of services and services for its clients and counterparties within the established time frames determined by the relevant agreements ( agreements) and/or other documents.
Observability and assessability of information security support. Any proposed protective measures must be designed so that the result of their application is clearly observable ( transparent) and could be assessed by a department of the organization with appropriate authority.

5. Goals and objectives of providing security information

5.1. Subjects of information relations in the Automated System

The subjects of legal relations when using AS and ensuring information security are:

Organization as the owner of information resources;
divisions of the organization ensuring the operation of the NPP;
employees of structural divisions of the organization, as users and suppliers of information in the AS in accordance with the functions assigned to them;
legal entities and individuals, information about which is accumulated, stored and processed in the AS;
other legal entities and individuals involved in the process of creation and operation of the AS ( developers of system components, organizations involved in providing various services in the field information technologies and etc.).

The listed subjects of information relations are interested in ensuring:

confidentiality of a certain part of information;
reliability ( completeness, accuracy, adequacy, integrity) information;
protection against imposition of false ( unreliable, distorted) information;
timely access to necessary information;
delimitation of liability for violations of legal rights ( interests) other subjects of information relations and established rules handling information;
the possibility of continuous monitoring and management of information processing and transmission processes;
protection of some information from illegal replication ( protection of copyrights, rights of information owner, etc.).

5.2. Purpose of information security

The main goal of ensuring information security is to protect subjects of information relations from possible infliction of material, moral or other damage to them through accidental or intentional unauthorized interference in the process of functioning of the AS or unauthorized access to information circulating in it and its illegal use.

This goal is achieved by ensuring and constantly maintaining the following properties of information and an automated system for its processing:

availability of processed information for registered users;
confidentiality of a certain part of information stored, processed and transmitted via communication channels;
integrity and authenticity of information stored, processed and transmitted via communication channels.

5.3. Information security tasks

To achieve the main goal of ensuring information security, the NPP information security system must provide an effective solution to the following tasks:

protection from interference in the process of operation of the AS by unauthorized persons;
restriction of access of registered users to hardware, software and information resources of the AS, that is, protection from unauthorized access;
recording user actions when using protected AS resources in system logs and periodically monitoring the correctness of system user actions by analyzing the contents of these logs by security department specialists;
protection against unauthorized modification and integrity control ( ensuring immutability) program execution environment and its restoration in case of violation;
protection from unauthorized modification and control of the integrity of software used in the AS, as well as protection of the system from the introduction of unauthorized programs, including computer viruses;
protection of information from leakage through technical channels during its processing, storage and transmission via communication channels;
protection of information stored, processed and transmitted via communication channels from unauthorized disclosure or distortion;
ensuring authentication of users participating in information exchange;
ensuring the survivability of cryptographic information protection measures in case of compromise of part of the key system;
timely identification of sources of threats to information security, causes and conditions conducive to causing damage to interested subjects of information relations, creation of a mechanism for prompt response to threats to information security and negative trends;
creating conditions for minimizing and localizing damage caused by unlawful actions of individuals and legal entities, mitigating the negative impact and eliminating the consequences of information security violations.

5.4. Ways to solve information security problems

Solving the problems of ensuring information security is achieved:

strict consideration of all system resources to be protected ( information, tasks, communication channels, servers, workstations);
regulation of information processing processes and actions of employees of structural divisions of the organization, as well as actions of personnel performing maintenance and modification of software and hardware of the AS, on the basis of organizational and administrative documents on information security issues;
completeness, real feasibility and consistency of the requirements of organizational and administrative documents on issues of ensuring information security;
appointment and training of employees responsible for organizing and implementing practical measures to ensure information security;
vesting each employee with the minimum powers necessary to perform his functional duties to access AS resources;
clear knowledge and strict compliance by all employees using and servicing AS hardware and software with the requirements of organizational and administrative documents on information security issues;
personal responsibility for their actions of each employee participating, within the framework of his functional duties, in the processes of automated information processing and having access to AS resources;
implementation technological processes processing information using complexes of organizational and technical measures to protect software, hardware and data;
taking effective measures to ensure the physical integrity of technical equipment and continuously maintaining the required level of security of NPP components;
application of technical ( software and hardware) means of protecting system resources and continuous administrative support for their use;
delimitation of information flows and prohibition of the transmission of limited distribution information over unprotected communication channels;
effective control over employee compliance with information security requirements;
constant monitoring network resources, identification of vulnerabilities, timely detection and neutralization of external and internal threats to the security of a computer network;
legal protection of the organization’s interests from illegal actions in the field of information security.
conducting continuous analysis of the effectiveness and sufficiency of measures taken and information security means used, development and implementation of proposals to improve the information security system in the AS.

6. Information security threats

6.1. Information security threats and their sources

The most dangerous threats to the security of information processed in the AS are:

violation of confidentiality ( disclosure, leak) information constituting an official or commercial secret, including personal data;
malfunction ( disorganization of work) AS, blocking of information, disruption of technological processes, failure to solve problems in a timely manner;
integrity violation ( distortion, substitution, destruction) information, software and other AS resources.

The main sources of threats to the security of AS information are:

adverse events of natural and man-made nature;
terrorists, criminal elements;
computer attackers carrying out targeted destructive influences, including the use computer viruses and other types of malicious codes and attacks;
suppliers of software and hardware, consumables, services, etc.;
contractors carrying out installation, commissioning of equipment and its repair;
non-compliance with the requirements of supervisory and regulatory authorities, current legislation;
failures, failures, destruction/damage to software and hardware;
employees who are legal participants in the processes in the AS and act outside the scope of the granted powers;
employees who are legal participants in the processes in the AS and act within the framework of the powers granted.

6.2. Unintentional actions leading to information security violations and measures to prevent them

Organizational employees who have direct access to information processing processes in the automated system are a potential source of unintentional accidental actions that can lead to a violation of information security.

Main unintentional actions leading to information security violations (actions committed by people accidentally, out of ignorance, inattention or negligence, out of curiosity, but without malicious intent) and measures to prevent such actions and minimize the damage they cause are given in Table 1.

Table 1

Main actions leading to information security violations
Actions of employees leading to partial or complete failure of the system or malfunction of hardware or software; turning off equipment or changing operating modes of devices and programs; destruction of system information resources ( unintentional damage to equipment, deletion, corruption of programs or files from important information, including system ones, damage to communication channels, unintentional damage to storage media, etc.)	Organizational measures ( ). The use of physical means to prevent the unintentional commission of a violation. Application of technical ( hardware and software) means of restricting access to resources. Reservation of critical resources.
Unauthorized launch of programs that, if used incompetently, can cause loss of system functionality ( freezing or looping) or making irreversible changes in the system ( formatting or restructuring of storage media, deleting data, etc.)	Organizational measures ( removal of all potentially dangerous programs from the workstation). Application of technical ( hardware and software) means of restricting access to programs on automated workstations.
Unauthorized introduction and use of unregistered programs ( gaming, educational, technological and others that are not necessary for employees to perform their official duties) with subsequent unreasonable expenditure of resources ( CPU time, RAM, memory on external media, etc.)	Organizational measures ( introduction of bans). Application of technical ( hardware and software) means that prevent unauthorized implementation and use of unaccounted programs.
Unintentionally infecting your computer with viruses	Organizational measures ( regulation of actions, introduction of prohibitions). Technological measures ( use of special programs for detecting and destroying viruses). The use of hardware and software to prevent infection by computer viruses.
Disclosure, transfer or loss of access control attributes ( passwords, encryption keys or electronic signatures, identification cards, passes, etc.)	Organizational measures ( regulation of actions, introduction of prohibitions, increased responsibility). The use of physical means to ensure the safety of the specified details.
Ignoring organizational constraints ( established rules) when working in the system	Organizational measures ( ). Use of additional physical and technical means of protection.
Incompetent use, configuration or illegal disabling of protective equipment by security personnel	Organizational measures ( personnel training, strengthening responsibility and control).
Entering incorrect data	Organizational measures ( strengthening responsibility and control). Technological measures to control errors of data entry operators.

6.3. Deliberate actions to violate information security and measures to prevent them

Basic intentional actions ( for selfish purposes, under duress, out of a desire for revenge, etc.), leading to a violation of the information security of the plant, and measures to prevent them and reduce possible damage are given in Table 2.

table 2

The main intentional actions leading to a violation of information security	Measures to prevent threats and minimize damage
Physical destruction or failure of all or some of the most important components of an automated system ( devices, media of important system information, personnel, etc.), disabling or disabling subsystems for ensuring the functioning of computer systems ( power supply, communication lines, etc.)	Organizational measures ( regulation of actions, introduction of prohibitions). The use of physical means to prevent the intentional commission of a violation. Reservation of critical resources.
Introducing agents into the system personnel ( including the administrative group responsible for security), recruitment ( through bribery, blackmail, threats, etc.) users who have certain permissions to access protected resources	Organizational measures ( selection, placement and work with personnel, strengthening control and responsibility). Automatic registration of personnel actions.
Theft of storage media ( printouts, magnetic disks, tapes, storage devices and entire personal computers), theft of industrial waste ( printouts, records, written off storage media, etc.)	Organizational measures ( ).
Unauthorized copying of storage media, reading residual information from RAM and external storage devices	Organizational measures ( organization of storage and use of media with protected information). The use of technical means to restrict access to protected resources and automatically register the receipt of hard copies of documents.
Illegal acquisition of passwords and other access control details ( by agent, using the negligence of users, by selection, by simulating the system interface with software bookmarks, etc.) with subsequent disguise as a registered user.	Organizational measures ( regulation of actions, introduction of prohibitions, work with personnel). The use of technical means that prevent the implementation of programs for intercepting passwords, keys and other details.
Unauthorized use of user workstations that have unique physical characteristics, such as the number of a workstation on the network, physical adress, address in the communication system, hardware encoding unit, etc.	Organizational measures ( strict regulation of access to premises and permission to work on these workstations). Application of physical and technical means of access control.
Unauthorized modification of software - introduction of software “bookmarks” and “viruses” ( "Trojan horses" and "bugs"), that is, such sections of programs that are not needed to implement the declared functions, but allow you to overcome the security system, covertly and illegally access system resources for the purpose of recording and transmitting protected information or disrupting the functioning of the system	Organizational measures ( strict regulation of access to work). The use of physical and technical means of access control and preventing unauthorized modification of the hardware and software configuration of the workstation. Application of program integrity monitoring tools.
Interception of data transmitted over communication channels, their analysis in order to obtain confidential information and clarify exchange protocols, rules for entering the network and user authorization, with subsequent attempts to imitate them to penetrate the system	Physical protection of communication channels. Application of cryptographic protection means for transmitted information.
Interference in the process of system functioning from public networks for the purpose of unauthorized modification of data, access to confidential information, disruption of the work of subsystems, etc.	Organizational measures ( regulation of connection and operation in public networks). The use of special technical means of protection ( firewalls, security control tools and detection of attacks on system resources, etc.).

6.4. Leakage of information through technical channels

When operating technical equipment of the NPP, the following channels of leakage or violation of the integrity of information, disruption of the performance of technical equipment are possible:

side electromagnetic radiation of an informative signal from technical means and information transmission lines;
directing an informative signal processed by electronic computer equipment onto wires and lines extending beyond the controlled area of offices, incl. on the grounding and power supply circuits;
various electronic devices interception of information ( incl. "bookmarks"), connected to communication channels or technical means of information processing;
viewing information from display screens and other means of displaying it using optical means;
impact on hardware or software in order to violate the integrity ( destruction, distortion) information, operability of technical means, means of information security and timeliness of information exchange, including electromagnetic, through specially implemented electronic and software tools ( "bookmarks").

Taking into account the specifics of processing and ensuring the security of information, the threat of leakage of confidential information ( including personal data) through technical channels are irrelevant for the organization.

6.5. Informal model of a likely violator

A violator is a person who has attempted to perform prohibited operations ( actions) by mistake, ignorance or knowingly with malicious intent ( out of selfish interests) or without it ( for the sake of play or pleasure, for the purpose of self-affirmation, etc.) and using various possibilities, methods and means for this.

The NPP protection system should be built based on assumptions about the following possible types of intruders in the system ( taking into account the category of persons, motivation, qualifications, availability of special means, etc.):

« Inexperienced (careless) user“- an employee who may attempt to perform prohibited operations, access protected AS resources in excess of his authority, enter incorrect data, etc. actions due to error, incompetence or negligence without malicious intent and using only regular ( available to him) hardware and software.
« Amateur" - an employee trying to overcome the defense system without selfish goals or malicious intent, for self-affirmation or out of " sporting interest" To overcome the defense system and commit prohibited actions, he can use various methods obtaining additional permissions to access resources ( names, passwords, etc. other users), shortcomings in the construction of the protection system and the staff available to it ( installed on a workstation) programs ( unauthorized actions by exceeding one's authority to use authorized means). In addition, he may try to use additional non-standard tools and technological software ( debuggers, utility utilities), independently developed programs or standard additional technical means.
« Scammer"- an employee who may attempt to perform illegal technological operations, enter false data and similar actions for personal gain, under duress or out of malicious intent, but using only regular ( installed on the workstation and accessible to him) hardware and software on your own behalf or on behalf of another employee ( knowing his name and password, using his short-term absence from the workplace, etc.).
« External intruder (attacker)“- an outsider or former employee acting purposefully out of selfish interests, revenge or curiosity, possibly in collusion with other persons. It can use the entire range of methods for violating information security, methods and means of hacking security systems characteristic of public networks ( especially IP-based networks), including remote implementation of software bookmarks and the use of special instrumental and technological programs, using existing weaknesses in exchange protocols and the protection system of the organization’s network nodes.
« Internal Attacker“—an employee registered as a user of the system, acting purposefully out of selfish interests or revenge, possibly in collusion with persons who are not employees of the organization. He can use the entire range of methods and means of hacking a security system, including undercover methods of obtaining access details, passive means (technical means of interception without modifying system components), methods and means of active influence ( modification of technical means, connection to data transmission channels, implementation of software bookmarks and the use of special instrumental and technological programs), as well as combinations of influences from both inside and from public networks.

An internal offender may be a person from the following categories of personnel:

registered end users of AS ( employees of departments and branches);
employees not allowed to work with nuclear power plants;
personnel servicing technical equipment of the NPP ( engineers, technicians);
employees of software development and maintenance departments ( application and systems programmers);
technical personnel servicing the buildings and premises of the organization ( cleaners, electricians, plumbers and other workers who have access to buildings and premises where AS components are located);
managers at various levels.

laid off workers;
representatives of organizations interacting on issues of ensuring the life of the organization ( energy, water, heat supply, etc.);
representatives of companies supplying equipment, software, services, etc.;
members of criminal organizations and competing commercial structures or persons acting on their behalf;
persons who accidentally or intentionally entered networks from external networks ( "hackers").

Users and service personnel among employees have the greatest opportunities to carry out unauthorized actions, due to the fact that they have certain powers to access resources and good knowledge of information processing technology. The actions of this group of violators are directly related to the violation of current rules and regulations. This group of violators poses a particular danger when interacting with criminal structures.

Displaced workers can use their knowledge of work technology, protective measures and access rights to achieve their goals.

Criminal structures represent the most aggressive source of external threats. To implement their plans, these structures can openly violate the law and involve the organization’s employees in their activities with all the forces and means available to them.

Hackers have the highest technical qualifications and knowledge of the weaknesses of the software used in the AS. They pose the greatest threat when interacting with working or dismissed employees and criminal organizations.

Organizations involved in the development, supply and repair of equipment and information systems pose an external threat due to the fact that they occasionally have direct access to information resources. Criminal structures can use these organizations to temporarily employ their members in order to gain access to protected information.

7. Technical policy in the field of information security

7.1. Basic provisions of technical policy

The implementation of technical policy in the field of information security should be based on the premise that it is impossible to ensure the required level of information security not only using one separate tool ( Events), but also with the help of their simple combination. It is necessary to systematically coordinate them with each other ( complex application), and individual AS elements being developed should be considered as part of a unified information system in a secure design with an optimal balance of technical ( hardware, software) funds and organizational measures.

The main directions of implementation of the technical policy for ensuring the security of AS information is to ensure the protection of information resources from theft, loss, leakage, destruction, distortion or forgery due to unauthorized access and special influences.

Within the framework of the specified areas of technical policy for ensuring information security, the following are carried out:

implementation of a permitting system for admitting performers ( users, service personnel) to works, documents and information of a confidential nature;
restricting the access of performers and unauthorized persons to buildings and premises where confidential work is carried out and information and communication means are located on which ( stored, transmitted) information of a confidential nature, directly to the means of information and communications;
differentiation of access of users and service personnel to information resources, software for processing and protecting information in subsystems of various levels and purposes included in the AS;
accounting of documents, information arrays, registration of actions of users and service personnel, control over unauthorized access and actions of users, service personnel and unauthorized persons;
preventing the introduction of virus programs and software bookmarks into automated subsystems;
cryptographic protection of information processed and transmitted by means of computer technology and communications;
reliable storage of computer storage media, cryptographic keys ( key information) and their circulation, excluding theft, substitution and destruction;
necessary redundancy of technical means and duplication of arrays and storage media;
reducing the level and information content of spurious emissions and interference created by various elements of automated subsystems;
electrical isolation of power supply, grounding and other circuits of information objects extending beyond the controlled area;
counteracting optical and laser surveillance systems.

7.2. Formation of an information security regime

Taking into account the identified threats to the safety of the plant, the information security regime should be formed as a set of methods and measures to protect information circulating in the plant and its supporting infrastructure from accidental or intentional impacts of a natural or artificial nature, entailing damage to owners or users of information.

The set of measures to create an information security regime includes:

establishment of an organizational and legal regime for information security in the AS ( regulatory documents, work with personnel, office work);
implementation of organizational and technical measures to protect information of limited distribution from leakage through technical channels;
organizational, software and technical measures to prevent unauthorized actions ( access) to AS information resources;
a set of measures to control the functioning of means and systems for protecting information resources of limited distribution after accidental or intentional impacts.

8. Measures, methods and means of ensuring information security

8.1. Organizational measures

Organizational measures- these are measures of an organizational nature that regulate the functioning of nuclear power plants, the use of their resources, the activities of maintenance personnel, as well as the order of interaction of users with the system in such a way as to most complicate or eliminate the possibility of the implementation of security threats and reduce the amount of damage in the event of their implementation.

8.1.1. Formation of security policy

The main goal of organizational measures is to formulate an information security policy that reflects approaches to information security, and to ensure its implementation by allocating the necessary resources and monitoring the state of affairs.

From a practical point of view, it is advisable to divide the nuclear safety policy into two levels. The top level includes decisions affecting the activities of the organization as a whole. An example of such solutions could be:

formation or revision of a comprehensive information security program, identification of those responsible for its implementation;
formulating goals, setting tasks, determining areas of activity in the field of information security;
making decisions on issues related to the implementation of the security program, which are considered at the level of the organization as a whole;
provision of regulatory ( legal) database of security issues, etc.

The lower-level policy defines the procedures and rules for achieving goals and solving information security problems and details (regulates) these rules:

what is the scope of the information security policy;
what are the roles and responsibilities of the officials responsible for implementing the information security policy;
who has access rights to restricted information;
who and under what conditions can read and modify information, etc.

The lower level policy should:

provide for regulations on information relations that exclude the possibility of arbitrary, monopolistic or unauthorized actions in relation to confidential information resources;
determine coalition and hierarchical principles and methods for sharing secrets and limiting access to restricted information;
choose software and hardware for cryptographic protection, counteracting unauthorized access, authentication, authorization, identification and other security mechanisms that provide guarantees for the implementation of the rights and responsibilities of subjects of information relations.

8.1.2. Regulation of access to technical means

Operation of the Bank's protected workstations and servers must be carried out in premises equipped with reliable automatic locks, alarm systems and constantly under guard or surveillance, excluding the possibility of uncontrolled entry into the premises by unauthorized persons and ensuring the physical safety of the protected resources located in the premises ( AWS, documents, access details, etc.). The placement and installation of technical means of such workstations should exclude the possibility of visual viewing of the input ( output) information by persons not related to it. Cleaning of premises with equipment installed in them must be carried out in the presence of the person in charge, to whom these technical means are assigned, or the person on duty for the unit, in compliance with measures to prevent unauthorized persons from accessing the protected resources.

Only personnel authorized to work with this information should be present on the premises during the processing of restricted information.

At the end of the working day, premises with installed protected automated workstations must be placed under guard.

To store official documents and computer media with protected information, employees are provided with metal cabinets, as well as means of document destruction.

Technical means that are used to process or store confidential information must be sealed.

8.1.3. Regulation of employees’ access to the use of information resources

Within the framework of the permitting access system, it is established: who, to whom, what information and for what type of access can provide and under what conditions; access control system, which involves determining for all users of the AS information and software resources available to them for specific operations ( read, write, modify, delete, execute) using specified software and hardware access tools.

The permission of workers to work with nuclear power plants and access to their resources must be strictly regulated. Any changes in the composition and powers of users of AS subsystems must be made in accordance with the established procedure.

The main users of information in the AS are employees of the organization's structural divisions. The level of authority of each user is determined individually, observing the following requirements:

open and confidential information is located on different servers whenever possible;
each employee enjoys only the rights prescribed to him in relation to the information with which he needs to work in accordance with his job duties;
the boss has the right to view the information of his subordinates;
the most critical technological operations must be carried out according to the rule "two hands"— the correctness of the entered information is confirmed by another official who does not have the right to enter information.

All employees admitted to work at the plant and the plant maintenance personnel must bear personal responsibility for violations of the established procedure for automated information processing, rules for storage, use and transfer of protected system resources at their disposal. Each employee, when hired, must sign an Obligation to comply with requirements for maintaining confidential information and liability for their violation, as well as to comply with the rules for working with protected information in the AS.

Processing of protected information in AS subsystems must be carried out in accordance with approved technological instructions ( orders) for these subsystems.

For users protected by workstations, the necessary technological instructions must be developed, including requirements for ensuring information security.

8.1.4. Regulation of the processes of maintaining databases and modifying information resources

All operations for maintaining databases in the AS and the admission of employees to work with these databases must be strictly regulated. Any changes in the composition and powers of users of AS databases must be made in accordance with the established procedure.

Distribution of names, generation of passwords, maintenance of rules for restricting access to databases is the responsibility of employees of the Information Technology Department. In this case, both standard and additional DBMS protection tools can be used and operating systems.

8.1.5. Regulation of maintenance processes and modification of hardware and software resources

System resources to be protected ( tasks, programs, workstations) are subject to strict accounting ( based on the use of appropriate forms or specialized databases).

The hardware and software configuration of automated workstations on which protected information is processed or from which access to protected resources is possible must correspond to the range of functional responsibilities assigned to users of this workstation. All unused (extra) input/output devices ( COM, USB, LPT ports, floppy drives, CDs and other storage media) on such workstations must be disabled (deleted), software tools and data unnecessary for work must also be deleted from the disks of the workstation.

To simplify maintenance, maintenance and organization of protection, automated workplaces must be equipped with software and configured in a unified manner ( in accordance with established rules).

Commissioning of new workstations and all changes in the configuration of hardware and software, existing workstations in the organization's automated systems must be carried out only in the established manner.

All software ( developed by the organization’s specialists, received or purchased from manufacturing companies) must be tested in accordance with the established procedure and transferred to the organization's program depository. In AS subsystems, only software received in the prescribed manner from the depository should be installed and used. The use of software in the AS that is not included in the software depository should be prohibited.

Software development, testing of developed and purchased software, transfer of software into operation must be carried out in accordance with the established procedure.

8.1.6. User training and education

Before providing access to the system, its users, as well as management and maintenance personnel, must be familiar with the list of confidential information and their level of authority, as well as organizational, regulatory, technical and operational documentation defining the requirements and procedure for processing such information.

Protecting information in all of the above areas is possible only after users have developed a certain discipline, i.e. standards that are mandatory for everyone who works at the plant. Such norms include the prohibition of any intentional or unintentional actions that violate normal work AS, cause additional resource costs, violate the integrity of stored and processed information, and violate the interests of legitimate users.

All employees who use specific NPP subsystems during work must be familiar with the organizational and administrative documents on NPP protection as they relate to them, must know and strictly follow technological instructions and general responsibilities for ensuring information security. Communication of the requirements of these documents to persons authorized to process protected information must be carried out by the heads of departments against signature.

8.1.7. Responsibility for violation of information security requirements

For every serious violation of information security requirements by employees of an organization, an internal investigation should be conducted. Adequate measures must be taken against those responsible. The extent of personnel liability for actions committed in violation of the established rules for ensuring secure automated processing of information should be determined by the damage caused, the presence of malicious intent and other factors.

To implement the principle of personal responsibility of users for their actions, it is necessary:

individual identification of users and processes initiated by them, i.e. establishing an identifier behind them, on the basis of which access will be differentiated in accordance with the principle of reasonableness of access;
user authentication ( authentication) based on passwords, keys on various physical bases, etc.;
registration ( logging) the operation of mechanisms for controlling access to information system resources, indicating the date and time, identifiers of the requester and the requested resources, the type of interaction and its result;
response to unauthorized access attempts ( alarm, blocking, etc.).

8.2. Technical means of protection

Technical ( hardware and software) protective equipment - various electronic devices and special programs, included in the NPP and performing (independently or in combination with other means) protection functions ( identification and authentication of users, restriction of access to resources, event registration, cryptographic information protection, etc.).

Taking into account all the requirements and principles for ensuring the security of information in the automated system in all areas of protection, the following means must be included in the protection system:

means of authentication of users and AS elements ( terminals, tasks, database elements, etc.), corresponding to the degree of confidentiality of information and processed data;
means of restricting access to data;
means of cryptographic protection of information in data lines and databases;
means of registering treatment and monitoring the use of protected information;
means of responding to detected unauthorized access or attempted unauthorized access;
means of reducing the level and information content of spurious emissions and interference;
means of protection against optical surveillance equipment;
protection against viruses and malware;
means of electrical isolation of both the AS elements and the structural elements of the premises in which the equipment is located.

Technical means of protection against unauthorized access are responsible for solving the following main tasks:

identification and authentication of users using names and/or special hardware ( Touch Memory, Smart Card, etc.);
regulation of user access to physical devices workstations ( disks, I/O ports);
selective (discretionary) access control logical drives, directories and files;
authoritative (mandatory) restriction of access to protected data on the workstation and on the file server;
creation of a closed software environment of programs allowed to run, located both on local and network drives;
protection against penetration of computer viruses and malware;
monitoring the integrity of protection system modules, system disk areas and arbitrary lists of files in automatic mode and by administrator commands;
registration of user actions in a secure log, the presence of several levels of registration;
protecting data from the security system on the file server from access by all users, including the network administrator;
centralized management of access control settings on network workstations;
registration of all NSD events occurring on workstations;
operational control over the work of network users, changing operating modes of workstations and the ability to block ( if necessary) any network station.

The successful use of technical means of protection assumes that the fulfillment of the requirements listed below is ensured by organizational measures and the physical means of protection used:

the physical integrity of all AS components is ensured;
every employee ( system user) has a unique system name and the minimum authority necessary to perform its functional duties to access system resources;
use of instrumental and technological programs on workstations ( test utilities, debuggers, etc.), allowing attempts to hack or bypass security measures, is limited and strictly regulated;
there are no programming users in the protected system, and the development and debugging of programs is carried out outside the protected system;
all changes to the configuration of hardware and software are made in a strictly established manner;
network hardware ( hubs, switches, routers, etc.) is located in places inaccessible to outsiders ( special rooms, closets, etc.);
The information security service provides continuous management and administrative support for the functioning of information security tools.

8.2.1. User identification and authentication tools

In order to prevent access to the AS by unauthorized persons, it is necessary to ensure that the system can recognize each legitimate user (or limited groups of users). To do this in the system ( in a protected place) a number of characteristics of each user must be stored by which this user can be identified. In the future, when logging into the system, and, if necessary, when performing certain actions in the system, the user is required to identify himself, i.e. indicate the identifier assigned to it in the system. In addition, various types of devices can be used for identification: magnetic cards, key inserts, floppy disks, etc.

Authentication ( authentication) of users should be carried out based on the use of passwords (secret words) or special authentication means to verify the unique characteristics (parameters) of users.

8.2.2. Means of restricting access to Automated System resources

After recognizing the user, the system must authorize the user, that is, determine what rights are granted to the user, i.e. what data and how it can use, what programs it can execute, when, for how long and from what terminals it can work, what system resources it can use, etc. User authorization must be carried out using the following access control mechanisms:

selective access control mechanisms based on the use of attribute schemes, permission lists, etc.;
authoritative access control mechanisms based on resource sensitivity labels and user permission levels;
mechanisms for ensuring a closed environment of trusted software ( individual lists of programs allowed to run for each user), supported by mechanisms for identifying and authenticating users when they log into the system.

Areas of responsibility and tasks of specific technical means of protection are established based on their capabilities and operational characteristics described in the documentation for these means.

Technical means of access control must be an integral part of a unified access control system:

to controlled territory;
to separate rooms;
to AS elements and information security system elements ( physical access);
to AS resources ( program-mathematical access);
to information repositories ( storage media, volumes, files, data sets, archives, references, records, etc.);
to active resources ( application programs, tasks, request forms, etc.);
to the operating system, system programs and protection programs, etc.

8.2.3. Tools for ensuring and monitoring the integrity of software and information resources

Monitoring the integrity of programs, processed information and security means, in order to ensure the immutability of the software environment determined by the provided processing technology, and protection against unauthorized correction of information, must be ensured:

means of calculating checksums;
means electronic signature;
means of comparing critical resources with their reference copies ( and restoration in case of integrity violation);
means of access control ( prohibiting access with modification or deletion rights).

In order to protect information and programs from unauthorized destruction or distortion, it is necessary to ensure:

duplication of system tables and data;
duplexing and mirroring of data on disks;
transaction tracking;
periodic monitoring of the integrity of the operating system and user programs, as well as user files;
anti-virus protection and control;
data backup according to a predetermined scheme.

8.2.4. Security Event Controls

Controls must ensure that all events are detected and recorded ( user actions, unauthorized access attempts, etc.), which may entail a violation of security policy and lead to crisis situations. Controls should provide the ability to:

constant monitoring of key network nodes and network-forming communication equipment, as well as network activity in key network segments;
monitoring the use of corporate and public network services by users;
maintaining and analyzing security event logs;
timely detection of external and internal threats to information security.

When logging security events, the following information should be recorded in the system log:

date and time of the event;
subject id ( user, program) carrying out the registered action;
action ( if an access request is logged, the object and type of access are noted).

Controls must be capable of detecting and recording the following events:

user login;
user login to the network;
failed attempt to login to a system or network ( incorrect password entry);
connection to a file server;
launching the program;
completion of the program;
an attempt to launch a program that is not available to run;
an attempt to gain access to an inaccessible directory;
an attempt to read/write information from a disk that is inaccessible to the user;
an attempt to launch a program from a disk that is inaccessible to the user;
violation of the integrity of programs and data of the security system, etc.

The following basic methods of responding to detected facts of illegal activity should be supported ( possible with the participation of a security administrator):

notification of the owner of information about the non-compliance with his data;
canceling the program ( tasks) from further execution;
notification to the database administrator and security administrator;
disabling the terminal ( workstation), from which unauthorized access attempts to information or illegal actions on the network were made;
exclusion of the offender from the list of registered users;
giving an alarm signal, etc.

8.2.5. Cryptographic means of information protection

One of the most important elements of the AS information security system should be the use of cryptographic methods and means of protecting information from unauthorized access when it is transmitted via communication channels and stored on computer storage media.

All means of cryptographic information protection in the AS must be built on the basis of a basic cryptographic core. To have the right to use cryptographic media, an organization must have licenses established by law.

The key system of cryptographic protection means used in the AS must provide cryptographic survivability and multi-level protection against compromise of key information, separation of users by levels of protection and areas of their interaction with each other and users of other levels.

Confidentiality and imitation protection of information during its transmission over communication channels must be ensured through the use of subscriber and channel encryption means in the system. The combination of subscriber and channel encryption of information should ensure its end-to-end protection along the entire transmission path, protect information in the event of its erroneous forwarding due to failures and malfunctions of hardware and software of switching centers.

The AS, which is a system with distributed information resources, must also use means of generating and verifying electronic signatures, ensuring the integrity and legally provable confirmation of the authenticity of messages, as well as authentication of users, subscriber points and confirmation of the time of sending messages. In this case, standardized electronic signature algorithms must be used.

8.3. Information security system management

Management of the information security system in the AS is a targeted impact on the components of the security system ( organizational, technical, software and cryptographic) in order to achieve the required indicators and standards of security of information circulating in the AS in the context of the implementation of major security threats.

The main goal of organizing the management of an information security system is to increase the reliability of information protection during its processing, storage and transmission.

Management of the information security system is implemented by a specialized management subsystem, which is a set of controls, technical, software and cryptographic tools, as well as organizational measures and control points of various levels interacting with each other.

The functions of the control subsystem are: information, control and auxiliary.

The information function consists of continuous monitoring of the state of the protection system, checking the compliance of security indicators acceptable values and immediately informing security operators about situations arising in the plant that could lead to a violation of information security. There are two requirements for monitoring the state of the protection system: completeness and reliability. Completeness characterizes the degree of coverage of all means of protection and parameters of their functioning. The reliability of control characterizes the degree of adequacy of the values of the controlled parameters of their true meaning. As a result of processing control data, information about the state of the protection system is generated, which is summarized and transmitted to higher control points.

The control function is to formulate plans for the implementation of technological operations of the plant, taking into account the requirements for information security in the conditions prevailing at a given point in time, as well as to determine the location of the situation of information vulnerability and prevent its leakage by promptly blocking areas of the plant where threats to information security arise . Management functions include accounting, storage, and issuance of documents and information media, passwords and keys. At the same time, the generation of passwords, keys, maintenance of access control tools, acceptance of new software included in the AS software environment, monitoring the compliance of the software environment with the standard, as well as monitoring the progress of the technological process of processing confidential information is assigned to employees of the information technology department and the economic security department.

The auxiliary functions of the control subsystem include recording all operations performed in the AS with protected information, generating reporting documents and collecting statistical data for the purpose of analyzing and identifying potential channels of information leakage.

8.4. Monitoring the effectiveness of the protection system

Monitoring the effectiveness of the information security system is carried out with the aim of timely identifying and preventing information leakage due to unauthorized access to it, as well as preventing possible special influences aimed at destroying information and destroying information means.

The effectiveness of information security measures is assessed using organizational, technical and software controls for compliance with established requirements.

Control can be carried out both using standard information security system tools and using special control tools and technological monitoring.

8.5. Features of ensuring information security of personal data

Classification of personal data is carried out in accordance with the severity of the consequences of the loss of security properties of personal data for the subject of personal data.

About personal data ” to special categories of personal data;
personal data classified in accordance with the Federal Law “ About personal data ” to biometric personal data;
personal data that cannot be classified as special categories of personal data, biometric personal data, publicly available or anonymized personal data;
personal data classified in accordance with the Federal Law “ About personal data ” to publicly available or anonymized personal data.

The transfer of personal data to a third party must be carried out on the basis of Federal law or the consent of the subject of personal data. If an organization entrusts the processing of personal data to a third party on the basis of an agreement, an essential condition of such an agreement is the obligation of the third party to ensure the confidentiality of personal data and the security of personal data during their processing.

The organization must stop processing personal data and destroy the collected personal data, unless otherwise established by the legislation of the Russian Federation, within the time limits established by the legislation of the Russian Federation in the following cases:

upon achievement of the processing purposes or when there is no longer a need to achieve them;
at the request of the subject of personal data or the Authorized Body for the Protection of the Rights of Subjects of Personal Data - if the personal data is incomplete, outdated, unreliable, illegally obtained or is not necessary for the stated purpose of processing;
when the subject of personal data withdraws consent to the processing of his personal data, if such consent is required in accordance with the legislation of the Russian Federation;
if it is impossible for the operator to eliminate violations committed during the processing of personal data.

The organization must define and document:

procedure for destruction of personal data ( including material carriers of personal data);
procedure for processing requests from personal data subjects ( or their legal representatives) regarding the processing of their personal data;
procedure for action in case of requests from the Authorized Body for the Protection of the Rights of Personal Data Subjects or other supervisory authorities exercising control and supervision in the field of personal data;
approach to classifying AS as personal data information systems ( Further - ISPDn );
list of ISPDn. The list of ISPD must include AS, the purpose of creation and use of which is the processing of personal data.

For each ISPD, the following must be identified and documented:

purpose of processing personal data;
volume and content of personal data processed;
list of actions with personal data and methods of processing them.

The volume and content of personal data, as well as the list of actions and methods of processing personal data must correspond to the purposes of processing. In the event that in order to carry out the information technology process, the implementation of which is supported by the ISPD, there is no need to process certain personal data, this personal data must be deleted.

Requirements for ensuring the security of personal data in ISPD are generally implemented by a set of organizational, technological, technical and software measures, means and mechanisms for protecting information.

Organization of execution and ( or) implementation of requirements for ensuring the security of personal data must be carried out by a structural unit or official (employee) of the organization responsible for ensuring the security of personal data, or on a contractual basis by an organization - a counterparty of the organization that has a license to operate in the technical protection of confidential information.

The creation of an organization's ISPD must include the development and approval ( statement) organizational, administrative, design and operational documentation for the system being created provided for in the technical specifications. The documentation must reflect issues of ensuring the security of processed personal data.

Development of concepts, technical specifications, design, creation and testing, acceptance and commissioning of ISPD must be carried out with the approval and under the control of a structural unit or official (employee) responsible for ensuring the security of personal data.

All information assets belonging to the organization's information systems must be protected from the effects of malicious code. The organization must define and document requirements for ensuring the security of personal data using anti-virus protection and the procedure for monitoring the implementation of these requirements.

The organization must have an access control system in place to control access to communication ports, input/output devices, removable storage media, and external drives ISPDn information.

The heads of the organization's operating and servicing ISPD units ensure the security of personal data when processed in the ISPD.

Employees processing personal data in ISPD must act in accordance with instructions ( management, regulations, etc.), included in the operational documentation on the ISPD, and comply with the requirements of the information security documents.

Responsibilities for administering security tools and security mechanisms that implement the requirements for ensuring the organization’s information security ISPD are assigned by orders ( orders) for specialists from the information technology department.

The procedure for the actions of specialists of the Department of Information Technology and personnel involved in the processing of personal data must be determined by instructions ( manuals), which are prepared by the ISPD developer as part of the operational documentation for the ISPD.

The instructions given ( manuals):

establish requirements for personnel qualifications in the field of information security, as well as a current list of protected objects and rules for updating it;
contain in full the current ( by time) data on user permissions;
contain data on information processing technology to the extent necessary for an information security specialist;
establish the procedure and frequency of analysis of event logs ( magazine archives);
regulate other actions.

The configuration parameters of security tools and mechanisms for protecting information from unauthorized access data used in the area of responsibility of the specialists of the Information Technology Department are determined in the operational documentation on the ISPD. The procedure and frequency of checking the installed configuration parameters are established in the operational documentation or regulated by an internal document, and checks must be carried out at least once a year.

The organization must define and document the procedure for access to the premises in which ISPD technical equipment is located and personal data carriers are stored, providing for control of access to the premises by unauthorized persons and the presence of obstacles to unauthorized entry into the premises. The specified procedure must be developed by a structural unit or official ( employee), responsible for ensuring the physical security regime and agreed upon by a structural unit or official ( employee), responsible for ensuring the security of personal data, and the Department of Economic Security.

Users and service personnel of ISPD must not carry out unauthorized and ( or) not registered ( uncontrolled) copying personal data. For this purpose, organizational and technical measures should prohibit unauthorized and ( or) not registered ( uncontrolled) copying personal data, including using alienated ( replaceable) storage media, mobile devices for copying and transferring information, communication ports and input/output devices that implement various interfaces ( including wireless), mobile storage devices ( for example, laptops, pocket personal computers, smartphones, mobile phones ), as well as photo and video recording devices.

Control over the security of personal information is carried out by an information security specialist, both using standard information security system tools and using special control tools and technological monitoring.

Download ZIP file (65475)

If the documents are useful, please like or:

Ensuring information security of the Russian Federation is a developing and promising sector that plays a huge role in storing and transmitting data.

Information security system of the Russian Federation

In recent times, any organization or individual has a very large amount of generalized information that is stored on the Internet or on computers, such a large amount of information has become the reason that it is leaked very often, but no one would want classified and confidential information about something came to the attention of strangers, in fact, for this purpose it is necessary to take precautions to ensure information security.

Statistics in this area show that a number of countries have already begun to apply certain information security measures that have become generally accepted, but there are other statistics that show us that fraudsters not only have not stopped trying to get to sensitive information, on the contrary, with improvement , attackers find new ways to bypass or hack it, so this moment we may be seeing an increasing trend in fraudulent activity rather than a decreasing trend. I would like to add that now the information support of the Russian Federation is developing quite rapidly and has a positive growth trend, previously this high level there was no provision of information in the Russian Federation.

Absolutely any organization or enterprise understands perfectly well that the threat of losing classified information is quite high, so they try with all their might to prevent leakage and make sure that classified information remains classified as such, but the scheme is not professional, it protects a large amount of information and closes many passages for scammers, but gaps still remain in it, so it happens that competent programmers bypass security systems and get to secret information, which they then use for illegal purposes.

Functions and conditions of the information security system

The main functions of the information security system of the Russian Federation, which must be present in any security system:

Instant detection of intrusion threats. Eliminating this threat and closing the channel of access to information with the help of which attackers can harm an enterprise and an individual in material and moral terms;
Creating a mechanism for quickly identifying violations in the operation of the enterprise and responding to situations in which information security is in a weakened state or under the threat of hacking;
Conditions are created to compensate for possible damage caused to the enterprise by an individual or legal entity as quickly as possible, and conditions for the speedy restoration of the enterprise’s operation so that lost information cannot affect its operation and the achievement of the objectives set for the enterprise.

Video about media monitoring:

Information base and principles of ISMS

The above tasks already provide a sufficient information base for a person to understand why information security systems are needed and how it functions in real conditions.

Principles for building an information security system that should guide organizations and enterprises when protecting confidential information from intruders.

It has long been known that in order to ensure a high level of your own information, you need to be guided by certain principles, since without them the scheme information support will be easily bypassed, thus you cannot always be sure that the information is truly classified.

So, the first and most important principle of the information security system of the Russian Federation is continuous work to improve and improve the system, since development technologies do not stand still, and neither does the development of fraudulent activities aimed at hacking and obtaining secret data, therefore such a scheme should be constantly improved. It is necessary to check and test the current security system as often as possible - this aspect is included in the first principle of building an information security system; one should analyze the system and, if possible, identify its defense gaps and weaknesses, which attackers will actually use. When you find gaps or any ways of information leakage, you should immediately update the security system mechanism and modify it so that the gaps found are immediately closed and inaccessible to fraudsters. Based on this principle, it is worth learning that you cannot simply install a security system and be calm about your secret information, since this system must be constantly analyzed, improved and improved;
The second principle is to use the full potential of system security, all functions for each individual file that is responsible for one or another aspect of the enterprise’s operation, that is, the security system must be used in its entirety and comprehensively, so that the entire arsenal available to this system must be in service;
The third and final principle is the holistic use of the security system; you should not break it into separate parts, consider individual functions, thereby ensuring different levels of security important files and less important. It works like one huge mechanism, which has a large number of gears that perform different functions, but make up one system.

Video about ensuring the safety of industrial systems:

Legislation and ISPS

A very important aspect of an information security system is cooperation with government law enforcement agencies and the legality of this system. An important role is played by the high level of professionalism of the employees of the company providing you with information security; do not forget that an agreement on non-disclosure of the company’s secret information must be concluded with this company and its employees, since all employees ensuring the full operation of the security system will have access to information company, thus you must have guarantees that employees will not transfer this information to third parties interested in obtaining it for personal gain or to undermine the work of your enterprise.

If you neglect these principles and conditions, then your security will not be able to provide you with the required high level of protection, thereby there will be no guarantee that the data is constantly out of the reach of attackers, and this can have a very bad effect on the operation of the enterprise.

Requirements for ensuring information security of any object

You need to not only know the principles, but also be able to put them into practice; this is why there are a number of requirements for the information security protection system that must be met, just like the principles themselves.

An ideal security scheme should be:

Centralized. The security system must always be managed centrally, therefore the information security system of the enterprise must be similar to the structure of the enterprise itself, to which it is attached this method ensuring information security (ISIS);
Planned. Based on the general goals of ensuring information security, each individual employee responsible for a specific aspect of the system should always have a detailed plan for improving the security system and using the current one. This is necessary in order for information protection to work as one holistic scheme, which will ensure the highest level of protection of confidential information of the protected object;
Concretized. Each security scheme must have specific protection criteria, since different enterprises have different preferences, some need to protect specific files that the enterprise's competitors can use in order to undermine the production process. Other companies need holistic protection for each file, regardless of its importance, so before you install information protection, you should decide what exactly you need it for;
Active. It is always necessary to ensure the protection of information very actively and purposefully. What does it mean? This means that a company providing a security base must have a department containing experts and analysts. Because your security principle should not only eliminate existing threats and find gaps in the database, but also know in advance a possible development of an event in order to prevent possible threats even before they appear, therefore the analytical department is a very important part in the information security structure, Don’t forget about this and try to pay special attention to this aspect. "Forewarned is forearmed";
Universal. Your scheme should be able to adapt to absolutely any conditions, that is, it does not matter on what medium your database is stored, and it should not matter in what language it is presented and in what format it is contained. If you want to transfer it to another format or to another medium, this should not cause information leakage;
Unusual. Your information security plan must be unique, that is, it must be different from similar schemes that other enterprises or firms use. For example, if another enterprise that has a data protection scheme similar to yours was attacked, and attackers were able to find a hole in it, then the likelihood that the resource will be hacked increases significantly, so in this regard you should show individuality and establish for your enterprise, a security scheme that has never appeared or been used anywhere before, thereby increasing the level of protection of your enterprise’s confidential data;
Open. It should be open in terms of changes, adjustments and improvements made, that is, if you find a gap in the defense of your own security system or want to improve it, you should not have problems with access, since access to the system may take some time, during which the database can be hacked, so make it open to your own company and the company providing information security for the Russian Federation, on which the preservation of your information systems depends;
Economical. Cost-effectiveness is the last requirement for any security system; you must calculate everything and make sure that the costs of information support for information security systems of the Russian Federation in no case exceed the value of your information. For example, no matter how expensive and advanced a security design is, there is still a possibility that it can be hacked or bypassed, since a gap can be found in any security if desired, and if you spend a lot of money on such a security design, but in At the same time, the data itself is not worth that kind of money, then it is simply pointless spending that can negatively affect the enterprise’s budget.

Video about IDM solutions:

Secondary information security requirements

The basic requirements necessary for the full operation of the security system were listed above; below, requirements that are not mandatory for the system will be given:

The security scheme should be quite easy to use, that is, any employee who has access to protected information, if necessary, should not spend a lot of time on this, as this will interfere with the main work; the scheme should be convenient and “transparent”, but only within your company;
Each employee or authorized representative must have some privileges to access protected information. Again, I’ll give an example: you are the director of an enterprise and there are a number of employees working at your facility whom you trust and can provide access, but you do not do this, and only you and the company employees providing the information security system have access, it turns out that your accountant and other employees, having to look at reports or other protected files, will have to look up from work, tear you or the company's employees providing security away from work, in order to gain access to one file, thereby compromising the work of the enterprise and its efficiency reduced. Therefore, provide privileges to your employees to make work easier for them and for yourself;
The ability to easily and quickly disable protection, since there are situations when information protection will significantly hinder the operation of the enterprise, in this case you should be able to easily disable and, when necessary, enable the information protection system;
The information security scheme must function separately from each security subject, that is, they should not be interconnected;
The company providing you with an information security system should itself periodically try to hack it, it can ask its programmers working on other projects to do this, if they succeed, then they need to immediately find out exactly how this happened and where the weakness in the security system exists, to neutralize it as quickly as possible;
Your enterprise should not have detailed reports and detailed description mechanisms for protecting your information, such information should only be available to the owner of the enterprise and the company providing information security.

Information support system - stages

An important element is the phasing of actions in the development and installation of a system for ensuring information security of the Russian Federation.

Initially, when creating a protection system, you need to determine what exactly is intellectual property for you. For example, for an enterprise, intellectual property is knowledge and accurate information about each product produced, its improvements, the manufacture and development of new products and ideas for improving the enterprise, in general, everything that ultimately brings you profit. If you cannot determine what intellectual property is for you, then no matter how good the information systems support scheme is, it will not be able to provide you with a high level of protection, and you also risk losing unprotected information, which will subsequently lead to moral and material losses, so that this point should initially be given special attention.

After you determine what constitutes intellectual property for you, you should proceed to the following stages, generally accepted for absolutely any organization, regardless of its size and specification:

Establishing certain boundaries within which the information systems support plan has its validity;
Constantly studying and identifying weaknesses in the security system;
Setting a specific security policy and quickly taking countermeasures when a threat is identified;
Continuous verification of the information security system;
Drawing up a detailed plan for the protection system;
Accurate implementation of a previously drawn up plan.

The creator of cybernetics, Norbert Wiener, believed that information has unique characteristics and cannot be attributed to either energy or matter. The special status of information as a phenomenon has given rise to many definitions.

The dictionary of the ISO/IEC 2382:2015 “Information technology” standard provides the following interpretation:

Information (in the field of information processing)- any data presented in electronic form, written on paper, expressed at a meeting or located in any other medium, used by a financial institution to make decisions, move funds, set rates, make loans, process transactions, etc., including components processing system software.

To develop the concept of information security (IS), information is understood as information that is available for collection, storage, processing (editing, conversion), use and transmission in various ways, including in computer networks and other information systems.

Such information is highly valuable and may become the target of attacks by third parties. The desire to protect information from threats underlies the creation of information security systems.

Legal basis

In December 2017, Russia adopted the Information Security Doctrine. The document defines information security as the state of protecting national interests in the information sphere. Under national interests in in this case understands the totality of interests of society, the individual and the state, each group of interests is necessary for the stable functioning of society.

Doctrine is a conceptual document. Legal relations related to ensuring information security are regulated federal laws“On state secrets”, “On information”, “On the protection of personal data” and others. On the basis of fundamental regulations, government regulations and departmental regulations are developed on private issues of information protection.

Definition of information security

Before developing an information security strategy, it is necessary to adopt a basic definition of the concept itself, which will allow the use of a certain set of methods and methods of protection.

Industry practitioners propose to understand information security as a stable state of security of information, its media and infrastructure, which ensures the integrity and resistance of information-related processes to intentional or unintentional impacts of a natural and artificial nature. Impacts are classified in the form of information security threats that can cause damage to subjects of information relations.

Thus, information security will be understood as a set of legal, administrative, organizational and technical measures aimed at preventing real or perceived information security threats, as well as eliminating the consequences of incidents. The continuity of the information protection process must guarantee the fight against threats at all stages of the information cycle: in the process of collecting, storing, processing, using and transmitting information.

Information security in this understanding becomes one of the characteristics of system performance. At each moment in time, the system must have a measurable level of security, and ensuring the security of the system must be a continuous process that is carried out at all time intervals during the life of the system.

The infographic uses data from our own"SearchInform".

In information security theory, information security subjects are understood as owners and users of information, and users not only permanent basis(employees), but also users who access databases in isolated cases, for example, government agencies requesting information. In some cases, for example, in banking information security standards, shareholders - legal entities that own certain data - are considered owners of information.

Supporting infrastructure, from the point of view of information security fundamentals, includes computers, networks, telecommunications equipment, premises, life support systems, and personnel. When analyzing security, it is necessary to study all elements of systems, paying special attention to personnel as the carrier of the majority of internal threats.

To manage information security and assess damage, the acceptability characteristic is used, thus determining the damage as acceptable or unacceptable. It is useful for each company to establish its own criteria for acceptable damage in monetary form or, for example, in the form of acceptable damage to reputation. In government institutions, other characteristics may be adopted, for example, influencing the management process or reflecting the degree of damage to the life and health of citizens. The criteria for the materiality, importance and value of information may change during the life cycle of the information array, and therefore must be revised in a timely manner.

An information threat in the narrow sense is recognized as an objective opportunity to influence the object of protection, which can lead to leakage, theft, disclosure or dissemination of information. In a broader sense, information security threats will include targeted influences of an informational nature, the purpose of which is to cause damage to the state, organization, or individual. Such threats include, for example, defamation, intentional misrepresentation, and incorrect advertising.

Three main issues of the information security concept for any organization

What to protect?

What types of threats prevail: external or internal?

How to protect, by what methods and means?

Information security system

Information security system for the company - legal entity includes three groups of basic concepts: integrity, availability and confidentiality. Underneath each lie concepts with multiple characteristics.

Under integrity refers to the resistance of databases and other information arrays to accidental or intentional destruction and unauthorized changes. The concept of integrity can be seen as:

static, expressed in the immutability, authenticity of information objects to those objects that were created according to a specific technical specification and contain the volumes of information necessary for users for their main activities, in the required configuration and sequence;
dynamic, implying the correct execution of complex actions or transactions without causing harm to the safety of information.

To control dynamic integrity, special technical means are used that analyze the flow of information, for example, financial, and identify cases of theft, duplication, redirection, and changes in the order of messages. Integrity as a basic characteristic is required when decisions to take actions are made on the basis of incoming or available information. Violating the order of commands or the sequence of actions can cause great damage in the case of descriptions of technological processes, program codes, and in other similar situations.

Availability is a property that allows authorized subjects to access or exchange data of interest to them. The key requirement of legitimation or authorization of subjects makes it possible to create different levels access. System failure to provide information becomes a problem for any organization or user groups. An example is the inaccessibility of government service websites in the event of a system failure, which deprives many users of the opportunity to obtain the necessary services or information.

Confidentiality means the property of information to be accessible to those users: subjects and processes to which access is initially granted. Most companies and organizations perceive confidentiality as a key element of information security, but in practice it is difficult to fully implement it. Not all data on existing information leakage channels is available to the authors of information security concepts, and many technical means of protection, including cryptographic ones, cannot be purchased freely; in some cases, circulation is limited.

Equal information security properties have different values for users, hence the two extreme categories when developing data protection concepts. For companies or organizations associated with state secrets, confidentiality will be a key parameter; for public services or educational institutions, the most important parameter is accessibility.

Information Security Digest

Objects of protection in information security concepts

Differences in subjects give rise to differences in objects of protection. Main groups of protected objects:

information resources of all types (a resource is understood as a material object: HDD, other media, document with data and details that help to identify it and assign it to a specific group of subjects);
the rights of citizens, organizations and the state to access information, the opportunity to obtain it within the framework of the law; access can be limited only by regulations; the organization of any barriers that violate human rights is unacceptable;
system for creating, using and distributing data (systems and technologies, archives, libraries, regulatory documents);
system for the formation of public consciousness (mass media, Internet resources, social institutions, educational institutions).

Each facility requires a special system of protection measures against threats to information security and public order. Ensuring information security in each case should be based on a systematic approach that takes into account the specifics of the object.

Categories and media

The Russian legal system, law enforcement practice and existing social relations classify information according to accessibility criteria. This allows you to clarify the essential parameters necessary to ensure information security:

information to which access is restricted based on legal requirements (state secrets, commercial secrets, personal data);
information in open access;
publicly available information that is provided under certain conditions: paid information or data that requires permission to use, for example, a library card;
dangerous, harmful, false and other types of information, the circulation and dissemination of which is limited either by legal requirements or corporate standards.

Information from the first group has two security modes. State secret, according to the law, this is state-protected information, the free dissemination of which could harm the security of the country. This is data in the field of military, foreign policy, intelligence, counterintelligence and economic activities of the state. The owner of this data group is the state itself. Bodies authorized to take measures to protect state secrets are the Ministry of Defense, the Federal Security Service (FSB), the Foreign Intelligence Service, the Federal Service for Technical and Export Control (FSTEK).

Confidential information- a more multifaceted object of regulation. The list of information that may constitute confidential information is contained in Presidential Decree No. 188 “On approval of the list of confidential information.” This is personal data; secrecy of investigation and legal proceedings; official secret; professional confidentiality (medical, notarial, lawyer); trade secret; information about inventions and utility models; information contained in personal affairs convicted persons, as well as information on the forced execution of judicial acts.

Personal data exists in open and confidential mode. The part of personal data that is open and accessible to all users includes first name, last name, and patronymic. According to Federal Law-152 “On Personal Data”, subjects of personal data have the right:

for information self-determination;
to access personal personal data and make changes to them;
to block personal data and access to it;
to appeal against unlawful actions of third parties committed in relation to personal data;
for compensation for damage caused.

The right to is enshrined in regulations on government bodies, federal laws, and licenses to work with personal data issued by Roskomnadzor or FSTEC. Companies that professionally work with personal data of a wide range of people, for example, telecom operators, must enter the register, which is maintained by Roskomnadzor.

A separate object in the theory and practice of information security are information carriers, access to which can be open or closed. When developing an information security concept, protection methods are selected depending on the type of media. Main storage media:

print and electronic media, social media, other resources on the Internet;
employees of the organization who have access to information based on their friendly, family, and professional connections;
communication means that transmit or store information: telephones, automatic telephone exchanges, other telecommunications equipment;
documents of all types: personal, official, state;
software as an independent information object, especially if its version was modified specifically for a specific company;
electronic storage media that process data automatically.

For the purpose of developing information security concepts, information security means are usually divided into regulatory (informal) and technical (formal).

Informal means of protection are documents, rules, measures; formal means are special technical means and software. The distinction helps to distribute areas of responsibility when creating information security systems: with general management of protection, administrative personnel implement regulatory methods, and IT specialists, accordingly, implement technical ones.

The fundamentals of information security presuppose a division of authority not only in terms of using information, but also in terms of working with its protection. Such a separation of powers also requires several levels of control.

Formal remedies

A wide range of technical information security protection means includes:

Physical means of protection. These are mechanical, electrical, electronic mechanisms that operate independently of information systems and create obstacles to access to them. Locks, including electronic ones, screens, and blinds are designed to create obstacles to the contact of destabilizing factors with systems. The group is supplemented by security systems, for example, video cameras, video recorders, sensors that detect movement or excess levels of electromagnetic radiation in the area where technical means of collecting information and embedded devices are located.

Hardware protection. These are electrical, electronic, optical, laser and other devices that are built into information and telecommunication systems. Before implementing hardware into information systems, it is necessary to ensure compatibility.

Software- these are simple and systemic, comprehensive programs designed to solve specific and complex problems related to providing information security. Examples of complex solutions include: the former serve to prevent leaks, reformat information and redirect information flows, the latter provide protection against incidents in the field of information security. Software tools are demanding on the power of hardware devices, and during installation it is necessary to provide additional reserves.

You can try it for free for 30 days. Before installing the system, SearchInform engineers will conduct a technical audit at the customer’s company.

TO specific means Information security includes various cryptographic algorithms that allow you to encrypt information on disk and redirected via external communication channels. Information conversion can occur using software and hardware methods operating in corporate information systems.

All means guaranteeing the security of information must be used together, after preliminary assessment the value of information and comparing it with the cost of resources spent on protection. Therefore, proposals for the use of funds should be formulated already at the stage of system development, and approval should be made at the management level that is responsible for approving budgets.

In order to ensure security, it is necessary to monitor all modern developments, software and hardware protection, threats and promptly make changes to your own protection systems against unauthorized access. Only an adequate and prompt response to threats will help achieve a high level of confidentiality in the company’s work.

The first release was released in 2018. This unique program compiles psychological portraits of employees and distributes them into risk groups. This approach to information security allows you to anticipate possible incidents and take action in advance.

Informal remedies

Informal means of protection are grouped into normative, administrative and moral and ethical. At the first level of protection there are regulatory means regulating information security as a process in the activities of the organization.

Regulatory means

In world practice, when developing regulatory tools, they are guided by information security protection standards, the main one being ISO/IEC 27000. The standard was created by two organizations:

ISO - International Commission for Standardization, which develops and approves most internationally recognized methods for certifying the quality of production and management processes;
IEC - International Energy Commission, which introduced into the standard its understanding of information security systems, means and methods of ensuring it

The current version of ISO/IEC 27000-2016 offers ready-made standards and proven techniques necessary for the implementation of information security. According to the authors of the methods, the basis of information security lies in the systematic and consistent implementation of all stages from development to post-control.

To obtain a certificate that confirms compliance with information security standards, it is necessary to implement all recommended practices in full. If there is no need to obtain a certificate, it is possible to accept any of the earlier versions of the standard, starting with ISO/IEC 27000-2002, or Russian GOSTs, which are advisory in nature, as a basis for developing your own information security systems.

Based on the results of studying the standard, two documents are being developed that relate to information security. The main, but less formal one is the concept of enterprise information security, which determines the measures and methods of implementing an information security system for the organization’s information systems. The second document that all company employees are required to comply with is the information security regulation, approved at the level of the board of directors or executive body.

In addition to regulations at the company level, lists of information constituting trade secrets, annexes to employment contracts establishing responsibility for the disclosure of confidential data, and other standards and methodologies should be developed. Internal norms and rules must contain implementation mechanisms and measures of responsibility. Most often, the measures are disciplinary in nature, and the violator must be prepared for the fact that a violation of the trade secret regime will be followed by significant sanctions, including dismissal.

Organizational and administrative measures

As part of the administrative activities for information security protection, security officers have scope for creativity. These include architectural and planning solutions that make it possible to protect meeting rooms and management offices from eavesdropping, and the establishment of different levels of access to information. Important organizational measures will be certification of the company’s activities according to ISO/IEC 27000 standards, certification of individual hardware and software systems, certification of subjects and objects for compliance with the necessary security requirements, obtaining licenses necessary to work with protected information arrays.

From the point of view of regulating the activities of personnel, it will be important to formalize a system of requests for access to the Internet, external e-mail, other resources. A separate element will be receiving electronic digital signature to enhance the security of financial and other information transmitted to government agencies via email.

Moral and ethical measures

Moral and ethical measures determine a person’s personal attitude towards confidential information or information restricted in circulation. Increasing the level of employee knowledge regarding the impact of threats on the company’s activities affects the degree of consciousness and responsibility of employees. To combat information violations, including, for example, the transfer of passwords, careless handling of media, and the dissemination of confidential data in private conversations, it is necessary to emphasize the personal consciousness of the employee. It will be useful to establish personnel performance indicators, which will depend on the attitude towards the corporate information security system.

Information Security, like information protection, is a complex task aimed at ensuring security, implemented by the implementation of a security system. The problem of information security is multifaceted and complex and covers a number of important tasks. Information security problems are constantly aggravated by the penetration of technical means of data processing and transmission and, above all, computer systems into all spheres of society.

To date, three basic principles have been formulated that information security should ensure:

data integrity - protection from failures leading to loss of information, as well as protection from unauthorized creation or destruction of data;

confidentiality of information;

When developing computer systems, failure or errors in the operation of which can lead to serious consequences, computer security issues become a top priority. There are many measures aimed at ensuring computer security, the main ones being technical, organizational and legal.

Ensuring information security is an expensive business, not only because of the cost of purchasing or installing security measures, but also because it is difficult to adequately define the boundaries of reasonable security and ensure that the system is properly maintained.

Information security products should not be designed, purchased, or installed until appropriate analysis has been performed.

The site analyzes information security and its place in the national security system, identifying vital interests in the information sphere and threats to them. Issues of information warfare, information weapons, principles, main tasks and functions of ensuring information security, functions state system to ensure information security, domestic and foreign standards in the field of information security. Considerable attention is also paid to legal issues of information security.

Also considered general issues information protection in automated data processing systems (ADS), subject and objects of information protection, tasks of information protection in ADS. The types of intentional security threats and methods of protecting information in ASOD are considered. Methods and means of confirming the authenticity of users and limiting their access to computer resources, access control to equipment, use of simple and dynamically changing passwords, methods for modifying the circuit simple passwords, functional methods.

Basic principles of building an information security system.

When building an information security system for a facility, one should be guided by the following principles:

The continuity of the process of improving and developing the information security system, which consists of justifying and implementing the most rational methods, methods and ways of protecting information, continuous monitoring, identifying bottlenecks and weaknesses and potential channels for information leakage and unauthorized access.

Integrated use of the entire arsenal of available means of protection at all stages of production and information processing. At the same time, all the means, methods and activities used are combined into a single, holistic mechanism - an information security system.

Monitoring the functioning, updating and supplementing protection mechanisms depending on changes in possible internal and external threats.

Proper training of users and their compliance with all established rules of confidentiality. Without fulfilling this requirement, no information security system can provide the required level of protection.

The most important condition for ensuring security is legality, sufficiency, maintaining a balance of interests of the individual and the enterprise, mutual responsibility of personnel and management, interaction with government law enforcement agencies.

10) Stages of building information security

Construction stages.

1. Comprehensive analysis of the information system

enterprises at various levels. Risk analysis.

2. Development of organizational, administrative and

regulatory documents.

3. Training, advanced training and

retraining of specialists.

4. Annual reassessment of the state of information

enterprise security

11) Firewall

Firewalls and antivirus packages.

A firewall (sometimes called a firewall) helps make your computer more secure. It limits the information that comes into your computer from other computers, allowing you to better control the data on your computer and providing your computer with a line of defense against people or programs (including viruses and worms) that unauthorizedly try to connect to your computer. You can think of a firewall as a border post that inspects information (often called traffic) coming from the Internet or local network. During this scan, the firewall rejects or allows information to enter the computer based on the settings you set.

What does a firewall protect against?

The firewall CAN:

1. Block computer viruses and worms from accessing your computer.

2. Prompt the user to choose to block or allow certain connection requests.

3. Keep records (security log) - at the user's request - recording allowed and blocked attempts to connect to the computer.

What doesn't a firewall protect against?

He can not:

1. Detect or neutralize computer viruses and worms if they have already entered the computer.

3. Block spam or unauthorized mailings so that they do not arrive in your inbox.

HARDWARE AND SOFTWARE FIREWALLS

Hardware firewalls- individual devices that are very fast, reliable, but very expensive, so they are usually used only to protect large computer networks. For home users, firewalls built into routers, switches, wireless access points, etc. are optimal. Combined routers-firewalls provide double protection against attacks.

Software firewall is a security program. It operates in a similar way to a hardware firewall, but is more user-friendly: it has more ready-made settings and often has wizard programs that help with configuration. With its help, you can allow or deny other programs access to the Internet.

Antivirus program (antivirus)- any program for detecting computer viruses, as well as unwanted (considered malicious) programs in general and restoring files infected (modified) by such programs, as well as for prevention - preventing infection (modification) of files or the operating system with malicious code.

12) Classification of computing systems

Depending on the territorial location of subscriber systems

Computer networks can be divided into three main classes:

global networks (WAN - Wide Area Network);

regional networks (MAN - Metropolitan Area Network);

Local networks (LAN - Local Area Network).

Basic LAN topologies

LAN topology is a geometric diagram of connections of network nodes.

Computer network topologies can be very different, but

For local area networks, only three are typical:

Ring,

Star-shaped.

Any computer network can be considered as a collection

Knot- any device directly connected to

transmission medium of the network.

Ring topology provides for the connection of network nodes in a closed curve - a transmission medium cable. The output of one network node is connected to the input of another. Information is transmitted along the ring from node to node. Each intermediate node between the transmitter and the receiver relays the sent message. The receiving node recognizes and receives only messages addressed to it.

Ring topology is ideal for networks that occupy a relatively small space. There is no central node, which increases the reliability of the network. Relaying information allows you to use any type of cable as a transmission medium.

Consistent discipline in servicing the nodes of such a network reduces its performance, and the failure of one of the nodes violates the integrity of the ring and requires special measures to be taken to preserve the information transmission path.

Bus topology- one of the simplest. It is associated with the use of coaxial cable as a transmission medium. Data from the transmitting network node is distributed along the bus in both directions. Intermediate nodes do not broadcast incoming messages. Information arrives at all nodes, but only the one to which it is addressed receives the message. The service discipline is parallel.

This provides high performance LAN with bus topology. The network is easy to expand and configure, as well as adapt to various systems. The bus topology network is resistant to possible failures of individual nodes.

Bus topology networks are the most common today. It should be noted that they are short in length and do not allow the use of different types of cable within the same network.

Star topology is based on the concept of a central node to which peripheral nodes are connected. Each peripheral node has its own separate communication line with the central node. All information is transmitted through a central node, which relays, switches and routes information flows in the network.

The star topology greatly simplifies the interaction of LAN nodes with each other and allows the use of simpler network adapters. At the same time, the performance of a LAN with a star topology depends entirely on the central node.

In real computer networks, more developed topologies can be used, which in some cases represent combinations of those considered.

The choice of a particular topology is determined by the scope of the LAN, the geographical location of its nodes and the size of the network as a whole.

Internet– a worldwide information computer network, which is an association of many regional computer networks and computers that exchange information with each other via public telecommunications channels (dedicated telephone analog and digital lines, optical communication channels and radio channels, including satellite communication lines).

Provider- network service provider - a person or organization providing services for connecting to computer networks.

Host (from the English host - “host who receives guests”)- any device that provides services in the “client-server” format in server mode over any interfaces and is uniquely defined on these interfaces. In a more specific case, a host can be understood as any computer, server connected to a local or global network.

Network protocol- a set of rules and actions (sequence of actions) that allows connection and data exchange between two or more devices connected to the network.

IP address (IP address, short for Internet Protocol Address)- a unique network address of a node in a computer network built using the IP protocol. The Internet requires globally unique addresses; in the case of working on a local network, the uniqueness of the address within the network is required. In the IPv4 protocol version, the IP address is 4 bytes long.

Domain name - a symbolic name that helps to find Internet server addresses.

13) Peer-to-peer network tasks

Send your good work in the knowledge base is simple. Use the form below

Students, graduate students, young scientists who use the knowledge base in their studies and work will be very grateful to you.

Posted on http://www.allbest.ru/

Introduction

1. Classification of information
2. Information security

2.1 Information threats
2.2 Threats to confidential information.
2.3 Areas of information protection
2.4 Information security system

Conclusion
List of sources used
Introduction
Every information resource, be it a user's computer, an organization's server or network equipment, must be protected from all kinds of threats. File systems, network, etc. must be protected. We will not consider methods for implementing protection in this article due to their huge variety.
However, it should be understood that it is impossible to provide 100% protection. At the same time, you need to remember: the higher the level of security, the more expensive the system, the more inconvenient it becomes for the user to use, which accordingly leads to a deterioration in protection against the human factor. As an example, let us remember that overcomplicating a password leads to the fact that the user is forced to write it down on a piece of paper, which he sticks to the monitor, keyboard, etc.
There is a wide range of software aimed at solving information security problems. This antivirus programs, firewalls, built-in operating system tools and much more. However, it is worth remembering that the most vulnerable link in defense is always the person! After all, the performance of any software depends on the quality of its writing and the literacy of the administrator who configures this or that security tool.
In this regard, many organizations create information protection services (departments) or set corresponding tasks for their IT departments. At the same time, you need to understand that you cannot load the IT service with functions that are unusual for it. This has already been said and written about more than once. So, suppose your organization has created an information security department. What to do next? Where to begin?
You need to start with employee training! And in the future make this process regular. Training staff in the basics of information security should be an ongoing task of the information security department. And this should be done at least twice a year.
1. Classification of information
Historically, as soon as the question of classification of information is raised (primarily this applies to information belonging to the state), it immediately begins to be classified according to the level of secrecy (confidentiality). If they remember the requirements for ensuring availability, integrity, observability, then in passing, in a row general requirements to information processing systems.
If such a view can still be somehow justified by the need to ensure state secrets, then transferring it to another subject area looks simply ridiculous. For example, according to the requirements of Ukrainian legislation, the owner of the information himself determines the level of its confidentiality (if this information does not belong to the state).
In many areas, the proportion of confidential information is relatively small. For open information, the damage from disclosure of which is small, the most important properties may be such properties as availability, integrity or protection from unauthorized copying. Let's take the website of an online publication as an example. In my opinion, the first place will be the availability and integrity of information, not its confidentiality. Evaluating and classifying information only from position and secrecy is, to say the least, unproductive.
And this can only be explained by the narrowness of the traditional approach to information protection, the lack of experience in ensuring the availability, integrity and observability of information that is not secret (confidential).
Scheme for classifying information by importance
INFORMATION

A. Of Special Importance (OV)

B. Top Secret (SS)

C. secret (c)

D. for official use

F. And open character (O)

From a security point of view, “Information” has a number of significant properties:

1. Confidentiality is a property of information, the value of which is established by the owner of the information, reflecting the restriction of access to it, in accordance with existing legislation.

2. Availability - a property of information that determines the degree of possibility of obtaining information.

3. Reliability is a property of information that determines the degree of confidence in it.

4. Integrity is a property of information that determines the structural suitability of information for use.

Confidentiality categories of protected information

· completely confidential - information recognized as confidential in accordance with the requirements of the law, or information the distribution of which is restricted by a decision of management due to the fact that its disclosure could lead to severe financial and economic consequences for the organization, including bankruptcy;

· confidential - this category includes information that is not classified as “completely confidential”, restrictions on the dissemination of which were introduced by a decision of management in accordance with the rights granted to him as the owner of the information by current legislation due to the fact that its disclosure may lead to significant damages and loss competitiveness of the organization (causing significant damage to the interests of its clients, partners or employees);

· open - this category includes information that is not required to be kept confidential.

Categories of integrity of protected information

· high - information, unauthorized modification or falsification of which could lead to significant damage to the organization;

· low - this category includes information, unauthorized modification of which could lead to minor damage to the organization, its clients, partners or employees;

· no requirements - this category includes information for which there are no requirements to ensure the integrity and authenticity.

2. Information security

While information security is a state of security of the information environment, information protection is an activity to prevent leakage of protected information, unauthorized and unintentional impacts on protected information, that is, a process aimed at achieving this state.

Information security of an organization is the state of security of the organization's information environment, ensuring its formation, use and development.

In modern society, the information sphere has two components: information and technical (the world of technology, artificially created by man, etc.) and information and psychological (the natural world of living nature, including man himself). Accordingly, in the general case, the information security of society (state) can be represented by two components: information and technical security and information and psychological (psychophysical) security.

Security of information (data) is a state of security of information (data) in which its (their) confidentiality, availability and integrity are ensured.

Information security -- protecting the confidentiality, integrity and availability of information.

Information security - all aspects related to the definition, achievement and maintenance of confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of information or means of processing it.

2.1 Information threats

By threats to information, we mean potential or actually possible actions in relation to the information sphere, leading to unauthorized changes in the properties of information (confidentiality, availability, reliability, integrity).

Based on their final manifestation, the following threats to information can be identified:

1. Introduction.

2. Modification.

3. Destruction.

4. Blocking.

Specific implementations of information threats are called information threat scenarios.

Familiarization with confidential information can take place in various ways and methods, but it is essential that the information itself does not change.

Violation of confidentiality or secrecy of information is associated with familiarization with it by those for whom it was not intended. What information is confidential or secret is decided by the owner or holder of this information. They also determine the circle of people who have access to it. Violation of the confidentiality of information can occur through familiarization with it by persons who do not have the right to do so and unauthorized modification of the classification of secrecy (significance).

Modification of information is aimed at changing such properties as confidentiality, reliability, integrity, which implies a change in the composition and content of information. Modification of information does not imply its complete destruction.

The destruction of information is aimed, as a rule, at the integrity of the information and leads to its complete destruction. Violation of information integrity involves the loss of information. If information is lost, it is lost forever and cannot be restored by any means. Loss can occur due to destruction or destruction of the storage medium or its loss, due to the erasure of information on media with multiple recordings, due to a power failure in devices with volatile memory. When information is destroyed, the property of information availability is also violated.

Blocking information leads to loss of access to it, i.e. to the inaccessibility of information. Availability of information lies in the fact that the subject who has the right to use it must be able to receive it in a timely manner in a form convenient for him. If you lose access to information, it still exists, but you cannot use it. Those. the subject cannot familiarize himself with it, copy it, transfer it to another subject, or present it in a form convenient for use. Loss of access may be due to the absence or malfunction of some equipment of automated systems (AS), the absence of any specialist or his insufficient qualifications, the absence or inoperability of some software, the use of AS resources for processing extraneous information, the failure of AS support systems etc. Since the information is not lost, access to it can be obtained after eliminating the reasons for the loss of access.

The listed threats to information can manifest themselves in the form of a complex of sequential and parallel implementations. The implementation of threats to information associated with a violation of the properties of information leads to a violation of the control regime and ultimately to moral and (or) material losses.

The information threats listed above can be classified in the following areas:

by objects:

· Staff,

· material and financial assets,

· information;

by damage:

· Ultimate,

· Significant,

· Insignificant;

for reasons of appearance

· Natural,

· Intentional;

in relation to the object:

· Internal,

· External;

by nature of action:

· Active,

· Passive.

Sources of information threats can be both internal and external. Most often, such division occurs on a territorial basis and on the basis of belonging to an information protection object.

Sources of information threats

The ratio of external and internal threats at an average level can be characterized as follows:

· 82% of threats are committed by the company’s own employees or with their direct or indirect participation;

· 17% of threats are made from outside - external threats;

· 1% of threats are committed by random individuals.

Information threats are of a vector nature, i.e. always pursue specific goals and are aimed at specific objects.

Sources of confidential information are people, documents, publications, technical media, technical means of supporting production and labor activities, products and production waste.

The most important objects of ensuring information security in law enforcement and judicial spheres include:

· information resources of federal executive authorities implementing law enforcement functions, judicial authorities, their information and computing centers, research institutions and educational institutions, containing special information and operational data of an official nature;

· information and computing centers, their information, technical, software and regulatory support;

· information infrastructure (information computing networks, control points, nodes and communication lines).

2.2 Threats to confidential information.

For information communication systems there is one general position, very important for understanding information security in general. Information is always addressed and always has an owner. Moreover, targeting is not arbitrary, but is determined by the owner of the information. If this right is emphasized in the message (the classification is indicated), then the information becomes confidential. Having received this information, the user cannot dispose of it arbitrarily; it does not belong to him (unless there has been a transfer of ownership).

Ownership rights are determined by the legislation in force in the country. Depending on the type of property, confidential information can be classified as state, commercial, or personal information. This correlation is made subordinately, with a descending hierarchy.

The list of information constituting state secrets is formed by the state represented by its institutions and institutions. This information is a mandatory secret for individual, lower-ranking legal entities and individuals of the country.

The list of information defining a trade secret is formed by a commercial enterprise. It also ensures their safety and protection.

Personal secrets are determined by an individual. Naturally, the safety and protection of this information is his concern, although legal protection behind the state.

Illegal acquisition of confidential information is possible due to its disclosure by sources of information, due to information leakage through technical means and due to unauthorized access to protected information.

Actions leading to illegal acquisition of confidential information:

· Disclosure,

· A leak,

· Unauthorized access.

1. Disclosure is intentional or careless actions with confidential information that led to the familiarization with it of persons who were not allowed to know it.

Disclosure is expressed in communication, transmission, provision, forwarding, publication, loss and other forms of exchange and actions with confidential information. Disclosure is carried out through formal and informal channels of information dissemination.

Formal communications include business meetings, conferences, negotiations and similar forms of communication: exchange of official business and scientific documents by means of transmitting official information (mail, telephone, telegraph, etc.).

Informal communications include personal communication, exhibitions, seminars, conferences and other public events, as well as the media (print, newspapers, interviews, radio, television, etc.).

As a rule, the reason for the disclosure of confidential information is that employees do not know enough about the rules for protecting secrets and do not understand (or misunderstand) the need to carefully comply with them. It is important to note here that the subject in this process is the source (owner) of the protected secrets.

It is worth noting the informational features of this action. The information is meaningful, meaningful, ordered, reasoned, voluminous and is often delivered in real time. There is often an opportunity for dialogue. The information is focused on a specific topic area and is documented. To obtain information of interest to the attacker, the latter spends almost minimal effort and uses simple, legal technical means.

2. Leakage is the uncontrolled release of confidential information outside the organization or circle of persons to whom it is entrusted through technical channels of information leakage.

Information is leaked through various technical channels. It is known that information is generally carried or transmitted either by energy or matter. This is either acoustic (sound), or electromagnetic radiation, or a sheet of paper, etc.

Taking this into account, it can be argued that, by physical nature, the following ways of transferring information are possible: light rays, sound waves, electromagnetic waves, materials and substances.

Accordingly, information leakage channels are classified into visual-optical, acoustic, electromagnetic and material. An information leakage channel is usually understood as a physical path from a source of confidential information to an attacker, through which the latter can gain access to protected information.

For the formation of an information leakage channel, certain spatial, energy and temporal conditions are required, as well as the presence on the attacker’s side of the appropriate equipment for receiving, processing and recording information.

3. Unauthorized access is the unlawful deliberate acquisition of confidential information by a person who does not have the right to access protected secrets.

To implement these actions, the attacker has to penetrate the protected object using various technical means. With the development of computer technology, remote unauthorized access to protected information or, in other words, computer hacking has become available.

Taking into account the above, it remains to consider the question of what conditions contribute to the unlawful acquisition of confidential information:

b Disclosure (excessive talkativeness of employees) - 32%;

ь Unauthorized access through bribery and inducement to cooperation on the part of competitors and criminal groups - 24%;

b Lack of proper control and strict conditions for ensuring information security at the company - 14%;

b Traditional exchange of production experience - 12%;

b Uncontrolled use of information systems - 10%;

ь Prerequisites for the emergence of conflicts among employees - 8%.

2.3 Areas of information protection

The literature offers the following classification of information security tools.

· Means of protection against unauthorized access (NSD):

· Mandatory access control;

· Selective access control;

· Role-based access control;

· Logging (also called Auditing).

· Systems for analysis and modeling of information flows (CASE systems).

· Network monitoring systems:

· Intrusion detection and prevention systems (IDS/IPS).

· Protocol analyzers.

· Antivirus products.

· Firewalls.

· Cryptographic means:

· Encryption;

· Digital signature.

· Backup systems.

· Systems uninterruptible power supply:

· Uninterruptible power supplies;

· Load backup;

· Voltage generators.

· Authentication systems:

· Password;

· Certificate;

· Biometrics.

· Means to prevent break-ins and equipment theft.

· Access control equipment to premises.

· Security systems analysis tools:

· Monitoring software product.

Taking into account the current practice of ensuring information security, the following areas of information protection are distinguished:

1. Legal protection is special laws, other regulations, rules, procedures and measures that ensure the protection of information on a legal basis;

2. Organizational protection is the regulation of the activities and relationships of performers on a legal basis that excludes or significantly complicates the unlawful acquisition of confidential information and the manifestation of internal and external threats.

3. Engineering and technical protection is a set of special bodies, technical means and measures for their use in the interests of protecting confidential information.

To implement information protection, a security system is created.

By Security System we mean an organizational set of special bodies, services, means, methods and measures that ensure the protection of the vital interests of individuals, enterprises, and the state from internal and external threats.

As part of the security system, there is an information protection system.

Organizational and engineering support of information security.

Organizational protection is the regulation of production activities and relationships between performers on a legal basis that excludes or significantly complicates the unlawful acquisition of confidential information and the manifestation of internal and external threats.

Organizational protection provides:

· organization of security, regime, work with personnel, with documents;

· use of technical security means and information and analytical activities to identify internal and external security threats.

Organizational measures play a significant role in creating a reliable mechanism for protecting information, since the possibility of unauthorized use of confidential information is largely determined not by technical aspects, but by malicious actions, negligence, negligence and negligence of users or security personnel. The influence of these aspects is almost impossible to avoid using technical means. This requires a set of organizational, legal and organizational and technical measures that would eliminate (or at least minimize) the possibility of danger of confidential information.

Organizational measures are measures of a restrictive nature, boiling down mainly to regulating access and use of technical means of information processing. They are usually carried out by the organization itself through the use of simple organizational measures.

The main organizational activities include:

· organization of regime and security. Their goal is to exclude the possibility of secret entry into the territory and premises of unauthorized persons; ensuring the convenience of controlling the passage and movement of employees and visitors;

· creation of separate production zones based on the type of confidential work with independent access systems;

· control and compliance with the temporary regime of work and stay on the territory of the company’s personnel;

· organizing and maintaining reliable access control and control of employees and visitors, etc.;

· organizing work with employees, which includes the selection and placement of personnel, including familiarization with employees, their study, training in the rules of working with confidential information, familiarization with penalties for violating information security rules, etc.;

· organizing work with documents and documented information, including organizing the development and use of documents and media of confidential information, their accounting, execution, return, storage and destruction;

· organizing the use of technical means of collecting, processing, accumulating and storing confidential information;

· organizing work to analyze internal and external threats to confidential information and develop measures to ensure its protection;

· organizing work to carry out systematic monitoring of personnel’s work with confidential information, the procedure for recording, storing and destroying documents and technical media.

In each specific case, organizational measures have a specific form and content for a given organization, aimed at ensuring the security of information in specific conditions.

· determination of the boundaries of the protected zone (territory);

· identification of technical means used to process confidential information within the controlled territory;

· definition of “dangerous”, from the point of view of the possibility of the formation of information leakage channels, technical means and design features of buildings and structures;

· identifying possible ways for attackers to penetrate sources of confidential information;

· implementation of measures to detect, identify and monitor the protection of information by all available means.

Organizational measures are expressed in certain restrictive measures. We can distinguish such restrictive measures as territorial, spatial and temporal.

Territorial restrictions come down to the skillful location of sources on the ground or in buildings and premises, excluding eavesdropping on conversations or interception of signals from radio-electronic means.

Spatial restrictions are expressed in the choice of directions of radiation of certain signals towards least possible their interception by attackers.

Time restrictions are manifested in reducing the operating time of technical means to a minimum, using hidden communication methods, encryption and other security measures.

One of the most important tasks of organizational activity is to determine the state of technical security of an object, its premises, preparation and implementation of organizational measures that exclude the possibility of unlawful acquisition of confidential information, prohibiting its disclosure, leakage and unauthorized access to protected secrets.

A specific area of organizational measures is the organization of protection of personal computers, information systems and networks.

Engineering and technical protection is a set of special bodies, technical means and measures for their use in the interests of protecting confidential information.

Engineering and technical protection means according to their functional purpose, engineering and technical protection means are classified into the following groups:

b physical means, including various means and structures that prevent physical penetration (or access) of attackers to protected objects and to material carriers of confidential information and protect personnel, material assets, finances and information from illegal influences;

b hardware. Instruments, devices, devices and other technical solutions used in the interests of information security;

b software tools covering special programs, software systems and information security systems in information systems for various purposes and means of processing (collection, accumulation, storage, processing and transmission) of data;

b cryptographic tools, special mathematical and algorithmic means of protecting information transmitted over communication systems and networks, stored and processed on a computer using a variety of encryption methods.

Obviously, this division of information security tools is quite arbitrary, since in practice they very often interact and are implemented in a complex in the form of software and hardware modules with the widespread use of information closure algorithms.

Physical means are a variety of devices, fixtures, structures, apparatus, and products designed to create obstacles in the way of attackers.

Physical means include mechanical, electromechanical, electronic, electro-optical, radio and other devices to prohibit unauthorized access (entry, exit), carrying (removal) of funds and materials and other possible types of criminal acts.

These tools are used to solve the following problems:

Security of the enterprise territory and surveillance of it;

Security of buildings, internal premises and control over them;

Protection of equipment, products, finances and information;

Provide controlled access to buildings and premises.

All physical means of protecting objects can be divided into three categories: warning means, detection means and threat elimination systems. Security alarms and CCTV, for example, are threat detection tools. Fences around objects are a means of preventing unauthorized entry into the territory, and reinforced doors, walls, ceilings, bars on windows and other measures serve as protection against penetration and other criminal activities (eavesdropping, shelling, throwing grenades and explosives, etc.) . Fire extinguishing equipment refers to threat elimination systems.

In general terms, according to their physical nature and functional purpose, all products in this category can be divided into the following groups:

Security and fire protection systems;

Security television;

Security lighting;

Means of physical protection.

Hardware information security devices include a wide range of technical designs in terms of operating principle, design and capabilities, ensuring suppression of disclosure, protection against leakage and countering unauthorized access to sources of confidential information.

Hardware information security tools are used to solve the following tasks:

Conducting special studies of technical means of supporting production activities for the presence of possible channels of information leakage;

Identification of information leakage channels at different objects and premises;

Localization of information leakage channels;

Search and detection of industrial espionage means;

Counteracting unauthorized access to sources of confidential information and other actions.

A special group includes hardware for protecting computers and communication systems based on them.

Hardware protection is used both in individual PCs and at various levels and sections of the network: in the central processors of the computer, in their operational storage (RAM), input-output controllers, external storage devices, terminals, etc.

For guard central processing units(CPU) code reservation is used - the creation of additional bits in the formats of machine instructions (secrecy bits) and reserve registers (in CPU devices). At the same time, two possible processor operating modes are provided, which separate auxiliary operations from operations that directly solve user problems. For this purpose, a special interrupt system implemented in hardware is used.

One of the measures for hardware protection of computers and information networks is to limit access to RAM by establishing boundaries or fields. For this purpose, control registers and data protection registers are created. Additional parity bits are also used - a variation of the code reservation method.

To indicate the degree of confidentiality of programs and data, categories of users, bits are used, called confidentiality bits (these are two or three additional bits, with the help of which the categories of privacy of users, programs and data are encoded).

To prevent the data remaining after processing from being read into RAM, a special erasure circuit is used. In this case, a command is generated to erase RAM and the address of the memory block that must be freed from information is indicated. This circuit writes zeros or some other sequence of characters to all cells of a given memory block, ensuring that previously loaded data is securely erased.

Hardware protection is also used in user terminals. To prevent information leakage when connecting an unregistered terminal, before issuing the requested data, it is necessary to identify (automatically determine the code or number) the terminal from which the request came. In multi-user mode, this identification terminal is not enough. It is necessary to authenticate the user, that is, to establish his identity and authority. This is also necessary because different users registered in the system can only have access to separate files and strictly limited powers of their use.

To identify the terminal, a code generator included in the terminal hardware is most often used, and for user authentication, hardware such as keys, personal code cards, personal identifier, devices for recognizing the user’s voice or the shape of his fingers is used. But the most common means of authentication are passwords, which are checked not by hardware, but by software authentication tools.

Software protection tools.

The means of protecting your computer from foreign intrusion are very diverse and can be classified into groups such as:

b Self-protection measures provided by the general software. Elements of protection inherent in itself software or accompanying its sale.

ь Protection means as part of a computer system. Protection of equipment, disks and standard devices. The execution of programs depends on certain actions and special precautions.

ь Protection tools with request for information. Require input additional information for the purpose of identifying user authority.

ь Active protection means. Triggered when special circumstances arise (enter incorrect password etc.).

ь Passive protection means. Aimed at warning, control, searching for evidence, etc.

The following areas of using programs to ensure the security of confidential information can be distinguished:

Protection of information from unauthorized access;

Protection of information and programs from copying;

Protection of information and programs from viruses;

Software protection of communication channels.

For each of these areas there is a sufficient number of high-quality software products developed by professional organizations and distributed on the markets.

Software protection tools have the following types of special programs:

Identification of hardware, files and user authentication;

Registration and control of the operation of technical equipment and users;

Maintenance of restricted information processing modes;

Protection of computer operating facilities and application programs users;

Destruction of information in storage after use;

Control of resource use;

Auxiliary protection programs for various purposes.

Cryptographic protections

Transformation by mathematical methods of a secret message, telephone conversation or computer data transmitted over communication channels in such a way that they become completely incomprehensible to outsiders.

Organizational and technical measures ensure blocking of disclosure and leakage of confidential information through technical means of supporting production and labor activities, as well as counteracting technical means of industrial espionage with the help of special technical means installed on structural elements of building premises and technical means that potentially form channels for information leakage.

For these purposes it is possible to use:

Technical means of passive protection, for example, limiter filters and similar means of decoupling acoustic electrical and electromagnetic network protection systems telephone communication, power supply, radio, etc.

Technical means of active protection: sensors for acoustic noise and electromagnetic interference.

Organizational and technical measures to protect information can be divided into spatial, regime and energy.

Spatial measures are expressed in reducing the width of the radiation pattern, weakening the side and rear lobes of the radiation pattern of radio-electronic equipment (RES).

Regime measures come down to the use of hidden methods of transmitting information via communications: encryption, quasi-variable transmission frequencies, etc.

Energy - this is a decrease in radiation intensity and operation of the RES at reduced powers.

Technical measures are measures that ensure the acquisition, installation and use in the process of production activities of special, protected from side radiation (safe) technical means or means whose PEMI do not exceed the border of the protected area.

Technical measures to protect confidential information can be divided into hiding, suppression and disinformation.

Hiding is expressed in the use of radio silence and the creation of passive interference with the receiving means of attackers.

Suppression is the creation of active interference with the means of attackers.

Disinformation is the organization of false operation of technical means of communication and information processing; changes in frequency use modes and communication regulations; display of false unmasking signs of activity and identification.

Protective measures of a technical nature can be aimed at a specific technical device or specific equipment and are expressed in such measures as turning off the equipment during confidential conversations or the use of certain protective devices such as limiters, buffer filters and noise devices.

2.4 Information security system

information security integrity

Safety system

b Development of plans and measures to protect information;

ь Formation, provision and development of bodies, forces and means of ensuring security;

ь Restoring protected objects

b Identification of the threat;

ь Preventing the threat;

ь Neutralization of the threat;

ь Suppression of the threat;

b Localization of the threat;

ь Repelling the threat;

ь Destruction of the threat

An information security system (IPS) is an organized set of special bodies of means, methods and measures that ensure the protection of information from internal and external threats.

From the standpoint of a systematic approach to information protection, certain requirements are imposed. Information protection should be:

1. Continuous.

2. Planned. Each service develops an information protection plan in its area of competence.

3. Purposeful. What is protected is what must be protected in the interests of a specific goal.

4. Specific. Specific data that is objectively subject to protection is protected.

5. Active.

6. Reliable.

7. Universal. Applies to any channels of information leakage.

8. Comprehensive. All necessary types and forms of protection are applied.

To implement these requirements, the information security system may have the following support:

1. Legal.

2. Organizational. Various types of services.

3. Hardware. Technical means of information security.

4. Informational. Information, data, indicators.

5. Software. Programs.

6. Mathematical. Mathematical methods.

7. Linguistic. Language means of communication.

8. Normative and methodological. Regulations for the activities of services, practical methods.

Methods are the order and methods of using forces and means to achieve the goal of protecting confidential information.

Information protection methods are a set of techniques, forces and means that ensure the confidentiality, integrity, completeness and availability of information, and counteract internal and external threats.

Ensuring information security is achieved by a system of measures aimed at:

· threat prevention. Threat prevention is preventive measures to ensure information security in order to forestall the possibility of their occurrence;

· identifying threats. Identification of threats is expressed in the systematic analysis and control of the possibility of the emergence of real or potential threats and timely measures to prevent them;

· threat detection. Detection aims to identify real threats and specific criminal activities;

· localization of criminal acts and taking measures to eliminate the threat or specific criminal acts;

· eliminating the consequences of threats and criminal acts and restoring the status quo.

Prevention of possible threats and illegal actions can be ensured by a variety of measures and means, ranging from creating a climate of deeply conscious attitude of employees towards the problem of security and information protection to creating a deep, layered protection system using physical, hardware, software and cryptographic means.

Prevention of threats is also possible by obtaining (if you want - and obtaining) information about impending illegal acts, planned thefts, preparatory actions and other elements of criminal acts. For these purposes, it is necessary for security officers to work with informants in the interests of monitoring and objectively assessing the situation both within the team of employees, especially the main areas of its company, and outside, among competitors and criminal groups.

In preventing threats, a very significant role is played by the information and analytical activities of the security service based on an in-depth analysis of the crime situation and the activities of competitors and attackers.

Identification is aimed at carrying out activities for the collection, accumulation and analytical processing of information about the possible preparation of criminal actions by criminal structures or competitors in the market for the production and sale of goods and products.

Threat detection is the act of identifying specific threats and their sources that cause one or another type of damage. Such actions may include detection of theft or fraud, as well as disclosure of confidential information or cases of unauthorized access to sources of trade secrets.

Threat suppression or containment are actions aimed at eliminating an ongoing threat and specific criminal activities. For example, suppression of eavesdropping on confidential conversations due to the acoustic channel of information leakage through ventilation systems.

Elimination of consequences is aimed at restoring the state that preceded the onset of the threat.

It is natural to assume that each type of threat has its own specific methods, forces and means.

Conclusion

Since the human factor is key to ensuring the proper level of security, all employees must have an understanding of possible threats and problems and must implement the company’s information security policy in their work. To achieve this, training must be provided to employees who have access to critical information.

The company's security service must ensure physical security and access control to resources:

· Workplaces of employees, laboratories and server rooms should be located in separate rooms;

· Access to resources, as well as security within the company's development center, must be effectively controlled to ensure the continuity of production processes;

· Access to premises with expensive systems and confidential information media must be controlled around the clock.

The company must also develop and implement a plan to ensure business continuity. This plan should identify the main risks and safety threats, methods for preventing the shutdown of key production processes and their restoration after emergency situations. The plan should include regular internal audits, disaster recovery and emergency response exercises.

Technical measures to prevent information leakage include the introduction of ILDP (Information Leakage Detection and Prevention) class information systems in the company. These are tools designed to implement information security policies. Technical means must analyze information transmitted through possible channels and, if confidential information is detected, prevent its leakage in accordance with the company’s information security rules and policies.

It is important to remember that universal 100% protection against information leakage does not exist anywhere and will never exist. Consequently, the degree of information protection from leakage can be determined as the ratio of the costs of protection and the cost of the protected information itself.

List andwe useoh literature

1. Bartender Scott. Development of information security rules. M.: Williams, 2002. -- 208 p. -- ISBN 5-8459-0323-8, ISBN 1-5787-0264-X.

2. Bastrikov, M.V. Information technologies of management: Textbook / M.V. Bastrikov, O.P. Ponomarev; Institute "KVSHU". - Kaliningrad: Publishing House of the Institute "KVSHU", 2005

3. Domarev V.V. Security of information technologies. Systems approach- K.: LLC TID Dia Soft, 2004. - 992 p.

4. Zapechnikov S.V., Miloslavskaya N.G., Tolstoy A.I., Ushakov D.V. Information security open systems. In 2 vols.

5. Information security and information protection: Textbook. - Rostov-on-Don: Rostov Law Institute of the Ministry of Internal Affairs of Russia, 2004. - 82 p.

6. Shangin V. F. Defense computer information. Effective methods and means. M.: DMK Press, 2008. - 544 p. -- ISBN 5-94074-383-8.

7. Shcherbakov A. Yu. Modern computer security. Theoretical basis. Practical aspects. - M.: Book World, 2009. - 352 p. -- ISBN 978-5-8041-0378-2.

8. “Information Security Service: First Steps” // ComputerPress 9 "2008 (http://www.compress.ru/Index.aspx)

Posted on Allbest.ru

...