Information security in the organization. How to protect confidential company information

  • - a commercial;
  • - official;
  • - personal (private), with the exception of state secrets (Articles 727, 771 and 1032 of the Civil Code of the Russian Federation, Article 16 of the Customs Code of the Russian Federation, Decree of the President of the Russian Federation of March 6, 1997 No. 188 "On Approving the List of Confidential Information").

The legal attributes of confidential information are that it is documented, that access to it is restricted in accordance with the law, and that there is no lawful free access to it.

"Commercial secrets - a type of secrecy, including information established and protected by its owner in any area of \u200b\u200bhis business, access to which is limited in the interests of the owner of the information." Commercial secrets are one of the main types of secrets, since the success of the enterprise producing products or services is determined by the ability to compete, and therefore, be able to see how to increase profits compared to competitors.

The information constituting commercial secrets includes any business information, subject to the restrictions imposed by the decree of the Government of the Russian Federation "On the list of information that cannot constitute commercial secrets" of December 5, 1991, No. 35.

In Russia, legislation in the field of protecting the rights to confidential commercial information is just beginning to take shape. New in the regulation of relations in this area was the adoption of Federal Law of July 29, 2004 No. 98-FZ “On Commercial Secrets”.

The overall impression left after reading the text of the Law can be described as contradictory. On the one hand, a single regulatory act has appeared that defines in detail the regime and procedure for protecting information that constitutes a trade secret. On the other hand, the Law is far from perfect. In drafting it, the legislator introduced norms that, in the opinion of researchers, make it more difficult to protect trade secrets and to restore violated rights.

The law does not exclude the application of the general rules on trade secrets provided for by Art. 139 of the Civil Code of the Russian Federation, and calls the Civil Code of the Russian Federation and other federal laws as sources. Thus, the Law supplements the existing regulatory framework and only partially replaces it.

However, when reading the definition of trade secrets, we see terminological inconsistencies between the Law and the Civil Code of the Russian Federation. The Law defines the concept of a trade secret through a property of information: a trade secret is the "confidentiality of information" (Clause 1, Article 3 of the Law) (from the English "confidence", i.e. secrecy). The Civil Code of the Russian Federation treats a trade secret primarily as a kind of information having "commercial value due to its being unknown to third parties", in relation to which measures are taken to protect its confidentiality (Article 139 of the Civil Code of the Russian Federation). Although the mismatch of concepts seems insignificant at first glance, the result is two different definitions competing in legal force.

The Law distinguishes between the form in which valuable information exists and the content of the information itself. The latter includes "scientific, technical, technological, industrial, financial and economic or other information, including information constituting production secrets (know-how)" (paragraph 2 of Article 3 of the Law).

A list of types of information that may be of commercial value is open.

The Law still gives the holder (owner) of information the right to determine its value independently.

The definition of trade secrets contained in the Law reflects the nature of the Law itself. The main emphasis is placed on the procedures for protecting commercial information. According to the Law, it is these procedures that provide the necessary minimum conditions for the protection of violated rights in court, and that distinguish legal from illegal access as an element of the offense.

In this regard, the definition of the holder of information constituting a trade secret given in the Law is difficult to understand. According to paragraph 4 of Art. 3 of the Law, this is a person who possesses such information "legally". Thus, when proving a violation of the law, it will be necessary to establish the legality of possession of the information. Rights to trade secrets can be documented if, for example, they are subject to state registration (patents, certificates). In this case, the interests of the holder are protected by patent and copyright law. If the trade secrets are agreements recorded on an audio medium, or unpatented ideas, it will be quite difficult to prove the primacy and legality of possession of such information.

Obviously, it will be necessary to confirm the objective connection of the information with its holder. For example, information about the holder organization, its transactions, etc., should identify the holder organization and bear a special confidentiality marking on the medium, as provided for in subparagraph 5 of paragraph 1 of Art. 10 of the Law.

The Law speaks of the transfer of information only on a tangible medium (Clause 6, Article 3 of the Law) and on the terms of a special agreement. In this respect, the Law narrows the scope of information protected under the secrecy regime compared with the definition given in Art. 139 of the Civil Code of the Russian Federation, which does not mention tangible media but speaks of protecting confidential information as such.

Therefore, under the Law, cases such as the disclosure of information not recorded on a tangible medium fall outside legal protection. In particular, this may concern information about decisions taken by the organization to promote its product, and similar information.

On the one hand, this approach simplifies the process of proving, on the other hand, it limits the possibilities of protecting the interests of the information owner.

The Law introduces for the first time a definition of the term "trade secret regime". When considering the legal basis for protecting trade secrets, the trade secret regime deserves special attention. Failure to observe it entails the loss of the ability to protect a violated right to a trade secret (part 1 of Article 7 and part 2 of Article 10 of the Law).

The system of conditions constituting the trade secret regime is very extensive and requires significant expenditure on the part of the holder or recipient of a trade secret.

In particular, part 1 of article 10 of the Law provides:

  • - determination of the list of information constituting a trade secret;
  • - restricting access to information constituting a trade secret by establishing a procedure for handling this information and monitoring compliance with this order;
  • - registration of persons who have gained access to information constituting a trade secret and (or) persons to whom such information has been provided or transmitted;
  • - regulation of relations on the use of information constituting a trade secret, by employees on the basis of employment contracts and counterparties on the basis of civil contracts;
  • - marking tangible media (documents) containing information constituting a trade secret with the legend "Commercial secret", indicating the holder of this information (for legal entities, the full name and location; for individual entrepreneurs, the surname, first name and patronymic of the individual entrepreneur and his place of residence).

The holder of commercial secrets must establish a definite procedure for the circulation of confidential information and provide additional staff positions to control that circulation. In addition, a large package of internal regulatory documentation has to be brought into line with the Law or developed anew.

At a minimum, organizations that hold trade secrets need:

  • - to develop regulations on commercial secrets and on the document flow of all media bearing the "Commercial secret" marking;
  • - to issue an organizational order on access to trade secrets;
  • - provide in the employment contract additional conditions on the employee’s voluntary obligation to comply with the trade secret regime.

Thus, on the one hand, the Law expanded the powers of state bodies to control the economic activities of organizations. On the other hand, the process of protecting the rights of information owners has become much more complicated.

Information classified as official information is not usually the subject of independent transactions; however, its disclosure may cause property damage to the organization and damage its business reputation.

The need for systemic legal regulation of the institution of official confidentiality is caused by a number of reasons, including: the lack of a uniform approach in legislation to the relevant category of restricted-access information; numerous examples of illegal distribution (sale) of information accumulated in government bodies and relating either to individuals or to the activities of business entities; and restrictions, imposed at the discretion of the heads of state authorities and of state (municipal) employees, on the provision of information to citizens, public organizations and the media.

The level of normative regulation of the procedure for handling official information of limited distribution, an institution that can now be perceived as an analogue of the official secret of the socialist period, cannot be considered satisfactory for a number of reasons. The only normative act regulating this group of legal relations is the "Regulation on the Procedure for Handling Official Information of Limited Distribution in the Federal Executive Bodies", approved by Decree of the Government of the Russian Federation of November 3, 1994 No. 1233 (DSP). This Regulation applies only to the activities of federal executive bodies, although similar information is generated and received by all government bodies and local authorities. Many important conditions determining the procedure for classifying information as official information are not established in the Regulation and are left to the heads of federal executive bodies, which cannot be considered correct, since restrictions on access to information should be established only by federal law. Thus, the level of legal regulation is clearly insufficient; moreover, at the level of a Government decree it is impossible to build a long-term and stable system for protecting information with a long retention period, especially where this requires establishing a number of civil law norms.

Despite the almost complete absence of normative regulation in the field of classifying information as official secret, protecting it and imposing sanctions for its unlawful distribution, this category appears in a large number of federal laws (about 40), including: the Federal Law "On the Foundations of the Civil Service of the Russian Federation", the Federal Law "On the Government of the Russian Federation", the Federal Law "On Service in the Customs Authorities of the Russian Federation", the Federal Law "On the Central Bank of the Russian Federation (Bank of Russia)", the Federal Law "On the Basics of Municipal Service in the Russian Federation", the Federal Law "On the Restructuring of Credit Organizations", the Federal Law "On the Securities Market", etc. Moreover, the absence of a clearly defined legal institution of official secrecy has led to a variety of legal approaches being enshrined in law. Thus, the Federal Law "On the Restructuring of Credit Organizations" mentions the official secret of a credit organization (Article 41); the Federal Law "On Measures to Protect the Economic Interests of the Russian Federation in Foreign Trade in Goods" speaks of "confidential information" circulating in the executive bodies (Article 18); the Federal Law "On the Fundamentals of the Civil Service of the Russian Federation" and a number of other laws use the term "service information"; and the Federal Law "On the Customs Tariff" refers to information constituting trade secrets and confidential information circulating in the customs authorities (Article 14). Federal Law No. 119-ФЗ of August 20, 2004 "On the State Protection of Victims, Witnesses and Other Participants in Criminal Proceedings" provides for a number of security measures for the protected person to ensure the confidentiality of information about him.

Such information is, by its content, an official secret, and legislative consolidation of the mechanisms for handling it would assist the implementation of this Federal Law. These examples show that neither the terminology nor the content of the institution of protection of official information is explicitly reflected in the legislation.

The question of the structure of confidential information and the relationship between the different types of secrets is decided differently in legislation. In this regard, the inclusion of the category "official secret" in Article 139 of the Civil Code of the Russian Federation, where the corresponding information is, in its systemic features, practically merged with commercial secret, is of particular concern, although by sound legal logic these systems of restrictions on access to information are inherently different.

In the country's electronic markets and through unsolicited e-mails (so-called "spam"), CDs containing databases with information about individuals and organizations are distributed uncontrollably: for example, the databases "Customs", the traffic police, BTI (Bureau of Technical Inventory), "Registration", "Foreign Economic Activity", the Unified State Register of Enterprises, "Apartment Owners", "Income of Individuals", the "Card File of the Ministry of Internal Affairs" (criminal records, etc.), OVIR (registered passports), the Ministry of Justice database, Siren (transportation of individuals by Russian railways), a database on non-cash payments of enterprises with suppliers and consumers, etc. It is obvious that such information could not reach the market without the participation of actual state employees.

Currently, lawmakers have prepared a draft law “On official secrets”, which regulates the protection of such information.

Personal (private) data include the last name, first name and patronymic, the year, month, date and place of birth, address, marital, social and property status, education, profession and income of an individual. Personal data also include information related to entry into work (service), its performance and dismissal; data on the spouse, children and other family members of the subject; data making it possible to determine the place of residence, mailing address, telephone and other individual means of communication of a civil servant, as well as of his or her spouse, children and other family members; data making it possible to determine the location of real estate owned or possessed by a civil servant; information on income, property and property obligations; information about facts, events and circumstances of a citizen's private life that make it possible to identify him; information that has become known to an employee of the civil registry office in connection with the state registration of a civil status act; language skills (mother tongue, Russian, another language or other languages); general education (primary general, basic general, secondary (full) general) and vocational education (primary vocational, secondary vocational, higher vocational, postgraduate vocational); housing conditions (type of dwelling, time of construction of the house, total and living floor area, number of living rooms, amenities of the dwelling); and sources of livelihood (income from employment or other occupation, pension, including disability pension, scholarship, allowance, other type of government support, or another source of livelihood).

By defining personal data as an open list of information, regardless of the form of its presentation, the legislator retains the possibility of expanding it as the social status of the subject changes at a particular stage of his life.

Personal data are classified as confidential information, which implies the absence of free access to them and the existence of an effective system for their protection. The inclusion of personal data in the category of confidential information is aimed at preventing unauthorized actions to destroy, modify, distort, copy or block information, and at preventing other forms of unlawful interference in a citizen's personal life.

The legal basis for building a personal data protection system is the provisions of the Constitution of the Russian Federation. Articles 22 and 23 contain rules proclaiming the fundamental rights of the individual regarding privacy. They enshrine the right to privacy and to personal and family secrets. It is forbidden to collect, store, use and disseminate information about a person's private life without his consent.

In forming the legislative basis for the processing of personal data, the legislator also relies on norms of international law containing the basic principles of working with personal data during its processing. These principles were initially enshrined in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ETS No. 108 (January 28, 1981), which became the unifying basis for the relevant national legislation. The personal data protection system was then developed in Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and in Directive 97/66/EC of December 15, 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector. These documents contain a list of basic measures for protecting personal data accumulated in automated databases against accidental or unauthorized destruction or accidental loss, as well as against unauthorized access, modification or distribution.

The main federal law protecting the confidentiality of personal data is the Law on Personal Data, adopted on July 27, 2006.

The Law defines the principles and conditions for the processing of personal data. By establishing a general ban on the processing of personal data without the consent of the subject of personal data, the Law provides for cases when such consent is not required.

The processing of special categories of personal data (information about race, ethnicity, political views, religious or philosophical beliefs, state of health and intimate life) is regulated separately. Processing of these categories of information is not allowed without the prior consent of the subject of personal data, unless the personal data are publicly available, processing is necessary to protect a person's life and health, processing is carried out in connection with the administration of justice, or in other circumstances provided for.

The most important guarantee of the rights of the subject of personal data is the obligation of operators and of third parties with access to personal data to ensure their confidentiality (except in cases of depersonalization and of publicly available personal data), together with the right of the subject of personal data to protect his rights and legitimate interests, including by claiming damages and (or) compensation for non-pecuniary harm in court.

Control and supervision of the processing of personal data is entrusted to the federal executive body exercising control and supervision functions in the field of information technologies and communications, which is vested with the corresponding rights and obligations. In particular, the authorized body has the right to inspect information systems for processing personal data, to demand the blocking or deletion of false or illegally obtained personal data, to impose a permanent or temporary ban on the processing of personal data, and to conduct administrative investigations into violations of the law. The Law also establishes principles of cross-border data transfer, under which adequate protection of the rights of subjects of personal data must be ensured.

In addition to the said acts, the legislator includes other laws in the system of legislation in the field of personal data:

  • - the Labor Code of the Russian Federation, chapter 14 of which fixes the fundamental requirements for the protection of an employee's personal data. Hiring an employee on the basis of professional qualities involves methods of collecting information about the employee that reveal, sufficiently fully, a predetermined set of criteria required for a particular position; that is, the employer in fact collects the employee's personal data;
  • - the Customs Code of the Russian Federation of May 28, 2003 N 61-ФЗ, which regulates the processing of personal data of persons carrying out activities related to the movement of goods and vehicles across the customs border, or activities in the field of customs, for the purposes of customs control and the collection of customs payments;
  • - Federal Law of July 27, 2006 N 149-ФЗ "On Information, Information Technologies and Information Protection", which gives a general definition of personal data and lays down the basic principles of legal regulation of activities related to personal data. It also introduces liability for violation of their confidentiality, as well as mandatory licensing, for non-governmental organizations and individuals, of activities related to the processing and provision of personal data;
  • - Federal Law of November 15, 1997 N 143-ФЗ "On Acts of Civil Status", which regulates the procedure for protecting confidential information in the process of registering acts of civil status.

In addition, issues of legal regulation of work with personal data are addressed in the Federal Laws of October 22, 2004 N 125-ФЗ "On Archival Affairs in the Russian Federation", of August 12, 1995 N 144-ФЗ "On Operational Search Activities", and of June 12, 2002 N 67-ФЗ "On Basic Guarantees of Electoral Rights and the Right to Participate in a Referendum of Citizens of the Russian Federation"; the Tax Code of the Russian Federation; the Fundamentals of the Legislation of the Russian Federation on the Protection of Public Health of July 22, 1993 N 5487-1; the Law of the Russian Federation of July 21, 1993 N 5485-1 "On State Secrets"; the Federal Laws of March 28, 1998 N 53-ФЗ "On Military Duty and Military Service", of April 1, 1996 N 27-ФЗ "On Individual (Personified) Accounting in the Compulsory Pension Insurance System", and of August 8, 2001 N 129-ФЗ "On State Registration of Legal Entities and Individual Entrepreneurs"; and a number of others. In the Civil Code of the Russian Federation, Article 152 protects the honor, dignity and business reputation of a citizen. Article 137 of the Criminal Code of the Russian Federation establishes criminal liability "for the illegal collection or dissemination of information about the private life of a person constituting his personal or family secret".

Introduction

At the present stage of development of our society, many traditional resources of human progress are gradually losing their original significance. They are being replaced by a new resource, the only product that does not diminish but grows over time: information. Today information is becoming the main resource of the scientific, technical and socio-economic development of the world community. The more high-quality information is introduced into the national economy and special applications, and the faster this happens, the higher the standard of living of the people and the economic, defense and political potential of the country.

The integrity of the modern world as a community is ensured mainly through intensive information exchange. The suspension of global information flows, even for a short time, can lead to a crisis no less severe than the rupture of interstate economic relations. Therefore, in the new competitive market conditions there are many problems associated not only with ensuring the security of commercial (entrepreneurial) information as a type of intellectual property, but also with the security of individuals and legal entities, their property and their personal safety.

The aim of this work is to consider information security as an integral part of national security, to assess the degree to which it is ensured at the present stage, to analyze internal and external threats, and to consider problems and ways to solve them.

In this regard, certain tasks are set:

1. Determine the place and importance of information security at the present stage of development;

2. Consider the legal framework in the field of information security;

3. Identify the main problems and threats and ways to solve them.

Chapter 1. Problems and threats to information security

1.1 The place of information security in the national security system of Russia

The national security of the Russian Federation substantially depends on ensuring information security, and in the course of technological progress this dependence will increase.

In the modern world, information security is becoming a vital condition for ensuring the interests of man, society and the state and the most important, crucial, link in the entire national security system of the country.

The Doctrine of Information Security of the Russian Federation, approved by the President of the Russian Federation in 2001, has become the regulatory framework for the protection of information. It is a set of official views on the goals, objectives, principles and main directions of ensuring information security in Russia. The Doctrine addresses:

  • - objects, threats and sources of threats to information security;
  • - possible consequences of information security threats;
  • - methods and means of preventing and neutralizing threats to information security;
  • - features of ensuring information security in various spheres of life of society and the state;
  • - the main provisions of state policy for ensuring information security in the Russian Federation.

The Doctrine considers all work in the information sphere on the basis of, and in the interests of, the National Security Concept of the Russian Federation.

It identifies four main components of Russia's national interests in the information sphere.

The first component includes the observance of the constitutional rights and freedoms of man and citizen in the field of obtaining and using information, ensuring the spiritual renewal of Russia, maintaining and strengthening the moral values of society, the traditions of patriotism and humanism, and the cultural and scientific potential of the country.

For its implementation it is necessary:

  • - to increase the efficiency of the use of the information infrastructure in the interests of social development, the consolidation of Russian society and the spiritual revival of the multinational people of the country;
  • - to improve the system of formation, preservation and rational use of the information resources that form the basis of the scientific, technical and spiritual potential of Russia;
  • - to ensure the constitutional rights and freedoms of man and citizen to freely seek, receive, transmit, produce and disseminate information by any legal means, and to receive reliable information about the state of the environment;
  • - to ensure the constitutional rights and freedoms of man and citizen to personal and family secrets, to the secrecy of correspondence, telephone conversations, postal, telegraph and other messages, and to the protection of one's honor and good name;
  • - to strengthen the mechanisms of legal regulation of relations in the field of intellectual property protection, and to create conditions for compliance with the restrictions on access to confidential information established by federal legislation;
  • - to guarantee freedom of the media and the prohibition of censorship;
  • - to prevent propaganda and agitation that contribute to inciting social, racial, national or religious hatred and enmity;
  • - to ensure a ban on the collection, storage, use and dissemination of information about a person's private life without his consent, and of other information access to which is limited by federal law.

The second component of national interests in the information sphere includes information support of the country's state policy, which involves bringing reliable information about its official position on socially significant events in Russian and international life to the Russian and international public, and ensuring citizens' access to open state information resources. This requires:

  • - strengthening the state media and expanding their capabilities for the timely delivery of reliable information to Russian and foreign citizens;
  • - intensifying the formation of open state information resources and increasing the efficiency of their economic use.

The third component of national interests in the information sphere includes the development of modern information technologies, including the industry producing means of informatization, telecommunications and communications, meeting the needs of the domestic market for these products and their entry into the world market, as well as ensuring the accumulation, preservation and effective use of domestic information resources.

To achieve a result in this direction it is necessary:

  • - to develop and improve the infrastructure of a single information space in Russia;
  • - to develop the domestic industry of information services and increase the efficiency of using state information resources;
  • - to develop the domestic production of competitive means and systems of informatization, telecommunications and communications, and to expand Russia's participation in the international cooperation of manufacturers of these tools and systems;
  • - to provide state support for basic and applied research and development in the fields of informatization, telecommunications and communications.

The fourth component of national interests in the information sphere includes the protection of information resources from unauthorized access, ensuring the security of information and telecommunication systems.

For these purposes, it is required:

  • - to increase the security of information systems (including communication networks), primarily the primary communication networks and information systems of state authorities, the financial, credit and banking sectors, economic activities, informatization systems and equipment for weapons and military equipment, troop and weapon control systems, and environmentally hazardous and economically important industries;
  • - to intensify the development of domestic production of hardware and software for information protection and of methods for monitoring their effectiveness;
  • - to ensure the protection of information constituting a state secret;
  • - to expand Russia's international cooperation in the safe use of information resources and in countering the threat of confrontation in the information sphere.

1.2 The main problems of information security and solutions

Ensuring information security requires solving a whole range of tasks.

The most important task in ensuring the information security of Russia is the implementation of a comprehensive consideration of the interests of the individual, society and the state in this area. The doctrine defines these interests as follows:

  • - the interests of the individual in the information sphere consist in the realization of the constitutional rights of a person and citizen to access information, to use information in the interests of carrying out activities not prohibited by law and of physical, spiritual and intellectual development, and to the protection of information that ensures personal security;
  • - the interests of society in the information sphere consist in ensuring the interests of the individual in this field, consolidating democracy, creating a legal social state, achieving and maintaining social harmony, and spiritually renewing Russia;
  • - the interests of the state in the information sphere consist in creating conditions for the harmonious development of the Russian information infrastructure and for the realization of the constitutional rights and freedoms of a person (citizen) in the field of information. At the same time, this sphere must be used only to ensure the inviolability of the constitutional system, the sovereignty and territorial integrity of Russia, political, economic and social stability, the unconditional rule of law and order, and the development of equal and mutually beneficial international cooperation.

The Doctrine combines the general methods for solving the key tasks of ensuring information security into three groups:

legal;

organizational and technical;

economic.

Legal methods include the development of regulatory legal acts regulating relations in the information sphere, and regulatory methodological documents on ensuring information security of the Russian Federation (they are discussed in detail in Chapter 4 of this manual).

Organizational and technical methods for ensuring information security are:

creation and improvement of information security systems;

strengthening law enforcement activities of authorities, including the prevention and suppression of offenses in the information sphere;

the creation of systems and means to prevent unauthorized access to information and influences that cause the destruction or distortion of information or change the standard operating modes of systems and means of informatization and communication;

certification of information protection tools, licensing of activities in the field of state secret protection, standardization of methods and means of information protection;

control over the actions of personnel in information systems, training in the field of information security;

the formation of a system for monitoring indicators and characteristics of information security in the most important areas of life and activities of society and the state.

Economic methods for ensuring information security include:

development of information security programs and determining the procedure for their financing;

improving the financing system for work related to the implementation of legal and organizational and technical methods of information protection, creating a system of insurance of information risks of individuals and legal entities.

According to the Doctrine, the state, in the process of implementing its functions to ensure information security:

conducts an objective and comprehensive analysis and forecasting of threats to information security and develops measures to ensure it;

organizes the work of authorities on the implementation of a set of measures aimed at preventing, repelling and neutralizing threats to information security;

supports the activities of public associations aimed at objectively informing the population about socially significant phenomena of public life and protecting society from distorted and inaccurate information;

exercises control over the development, creation, use, export and import of information security tools through their certification and the licensing of information security activities;

pursues the necessary protectionist policy with respect to manufacturers of means of informatization and information protection on the territory of the Russian Federation and takes measures to protect the domestic market from the penetration of low-quality means of informatization and information products;

contributes to providing individuals and legal entities with access to global information resources and global information networks;

formulates and implements the state information policy of Russia;

organizes the development of a federal program for ensuring information security, combining the efforts of state and non-governmental organizations in this field;

contributes to the internationalization of global information networks and systems, as well as Russia's entry into the global information community on an equal footing.

When solving the main tasks and performing the priority measures of the state policy to ensure information security, the desire to solve mainly regulatory and technical problems currently dominates. Most often, we are talking about “developing and implementing legal norms,” “improving the legal culture and computer literacy of citizens,” “creating safe information technologies,” “ensuring technological independence,” etc.

Accordingly, it is planned to develop a training system for personnel employed in the field of information security, and in practice the training of personnel in communications, information processing and technical means of information protection predominates. Specialists in information and analytical activities, social information and the information security of the individual are trained to a lesser extent. Unfortunately, many state institutions consider the technical side of the problem the most important and lose sight of its socio-psychological aspects.

1.3 Sources of information security threats

Threats to information security are the use of various types of information against a particular social (economic, military, scientific and technical, etc.) object in order to change its functioning or to defeat it completely.

Given the general focus, the Doctrine divides information security threats into the following types:

threats to the constitutional rights and freedoms of man and citizen in the field of spiritual life and information activity, individual, group and public consciousness, spiritual revival of Russia;

threats to the information support of the state policy of the Russian Federation;

threats to the development of the domestic information industry, including the industry of means of informatization, telecommunications and communications, to ensure the needs of the domestic market for its products and the entry of these products into the world market, as well as to the accumulation, preservation and effective use of domestic information resources;

threats to the security of information and telecommunication facilities and systems, both already deployed and those being created in Russia.

Threats to the constitutional rights and freedoms of man and citizen in the field of spiritual life and information activity, individual, group and public consciousness, and spiritual rebirth of Russia may include:

adoption by the authorities of legal acts that infringe upon the constitutional rights and freedoms of citizens in the field of spiritual life and information activities;

the creation of monopolies on the formation, receipt and dissemination of information in the Russian Federation, including using telecommunication systems;

opposition, including from criminal organizations, to the exercise by citizens of their constitutional rights to personal and family secrets, the secrecy of correspondence, telephone conversations and other communications;

excessive restriction of access to necessary information;

unlawful use of special means of influence on individual, group and public consciousness;

failure to comply with the requirements of the legislation governing relations in the information sphere by state authorities and local self-government bodies, organizations and citizens;

unlawful restriction of citizens' access to the information resources of state authorities and local self-government, to open archival materials, to other open socially significant information;

disorganization and destruction of the system of accumulation and preservation of cultural property, including archives;

violation of the constitutional rights and freedoms of man and citizen in the field of mass media;

ousting Russian news agencies, the media from the domestic information market and increasing the dependence of the spiritual, economic and political spheres of public life in Russia on foreign information structures;

devaluation of spiritual values, propaganda of samples of mass culture based on the cult of violence and on spiritual and moral values that contradict the values accepted in Russian society;

reduction of the spiritual, moral and creative potential of the population of Russia;

information manipulation (misinformation, concealment or distortion of information).

Threats to the information support of the state policy of the Russian Federation can be:

monopolization of the information market of Russia, its individual sectors by domestic and foreign information structures;

blocking the activities of state media in informing Russian and foreign audiences;

low efficiency of information support of the state policy of the Russian Federation due to the shortage of qualified personnel, the lack of a system for the formation and implementation of state information policy.

Threats to the development of the domestic information industry may amount to:

counteracting access to the latest information technologies, mutually beneficial and equal participation of Russian manufacturers in the global division of labor in the industry of information services, means of informatization, telecommunications and communications, information products, creating conditions for enhancing Russia's technological dependence in the field of information technologies;

the procurement by government bodies of imported means of informatization, telecommunications and communications in the presence of domestic counterparts;

ousting Russian manufacturers of informatization, telecommunications and communications from the domestic market;

the use of non-certified domestic and foreign information technologies, information protection tools, means of informatization, telecommunications and communications;

outflow of specialists and intellectual property owners abroad.

The Doctrine divides all sources of threats to information security into external and internal.

The Doctrine classifies the following as external sources of threats:

the activities of foreign political, economic, military, intelligence and information structures against the interests of the Russian Federation;

the desire of a number of countries to dominate the global information space, to oust Russia from information markets;

the activities of international terrorist organizations;

increasing the technological gap between the leading powers of the world and building up their capabilities to counteract the creation of competitive Russian information technologies;

activity of space, air, sea and ground technical and other means (types) of intelligence of foreign states;

development by several states of the concepts of information warfare, providing for the creation of dangerous means of exposure to the information spheres of other countries, disruption of the functioning of information and telecommunication systems, and gaining unauthorized access to them.

According to the Doctrine, internal sources of threats include:

the critical state of a number of domestic industries;

unfavorable criminogenic situation, accompanied by trends in the merging of state and criminal structures in the information sphere, criminal structures gaining access to confidential information, increasing the impact of organized crime on society, reducing the degree of protection of the legitimate interests of citizens, society and the state in the information sphere;

insufficient coordination of the activities of authorities at all levels in the implementation of a unified state policy in the field of information security;

deficiencies in the regulatory framework governing relations in the information sphere and law enforcement practice;

the underdevelopment of civil society institutions and insufficient state control over the development of the information market in Russia;

insufficient funding for information security measures;

insufficient number of qualified personnel in the field of ensuring information security;

insufficient activity of the federal authorities in informing the public about their activities, in explaining the decisions made, forming open state resources and developing a system of citizens' access to them;

Russia lagging behind the leading countries of the world in the informatization of state authorities and local self-government, the credit and financial sector, industry, agriculture, education, healthcare, the service sector and the everyday life of citizens.

Chapter 2. Protecting Confidential Information

2.1 Classification of information to be protected

Currently, various regulatory documents identify a significant number (more than 40) of types of information requiring additional protection. For convenience, when considering the legal regime of information resources by the criterion of access, they can be conditionally combined into four groups:

state secret;

trade secret;

confidential information;

intellectual property.

State secret. The Law of the Russian Federation “On State Secrets” gives the following definition of state secrets: this is information protected by the state in the field of military, foreign policy, economic, intelligence, counterintelligence and operational-search activities, the dissemination of which could harm the security of Russia (Article 2).

Article 5 of this Law defines a list of information classified as state secret:

information in the military field: on the content of strategic and operational plans, on plans for the construction of the Armed Forces, on the development, technology, production, production facilities, storage and disposal of nuclear weapons, on the tactical and technical characteristics and capabilities of the combat use of weapons and military equipment, on the deployment of missile and other critical facilities, etc.;

information in the field of economics, science and technology: on the content of plans for preparing the Russian Federation and its individual regions for possible military operations, on production volumes, on state order plans, on the release and supply of weapons and military equipment, on achievements of science and technology of important defense or economic significance, etc.;

information in the field of foreign policy and foreign economic activity: on the foreign policy and foreign economic activity of the Russian Federation, the premature dissemination of which may harm the security of the state, etc.;

forces and means of the named activity, its sources, plans and results;

persons cooperating or collaborating on a confidential basis with bodies carrying out these activities;

presidential, government, encrypted systems, including coded and classified communications;

ciphers and information and analytical systems for special purposes, methods and means of protecting classified information, etc.

Any information useful in business and giving an advantage over competitors who do not possess such information can be a trade secret. In many cases, trade secrets are a form of intellectual property.

According to Article 139, Part 1, of the Civil Code of the Russian Federation, information constituting a commercial secret is information that has actual or potential commercial value because it is unknown to third parties and to which there is no free access on a legal basis. It may include various ideas, inventions and other business information.

The Decree of the Government of the Russian Federation of December 5, 1991 No. 35 "On the list of information that cannot constitute a commercial secret" defines such information. It includes:

organizational information (charter and constituent documents of an enterprise, registration certificates, licenses, patents);

financial information (documents on the calculation and payment of taxes, other payments prescribed by law, documents on the state of solvency);

information on the state and conditions of activity (number and composition of employees, their wages, availability of vacancies, the impact of production on the environment, sales of products harmful to public health, participation of officials in entrepreneurial activity, violation of antitrust laws);

information on ownership (property, cash, investment payments in securities, bonds, loans, statutory funds of joint ventures).

Confidential Information. Confidentiality of information is a characteristic of information indicating the need to introduce restrictions on the circle of entities having access to this information. Confidentiality implies the preservation of rights to information, its non-disclosure (secrecy) and immutability in all cases except authorized use.

By presidential decree of March 6, 1997 No. 188, a list of confidential information was approved. This list includes:

information about facts, events and circumstances of a citizen's private life that allow his identity to be established (personal data);

information constituting the secret of the investigation and legal proceedings;

official information, access to which is limited by public authorities in accordance with the Civil Code of the Russian Federation and federal laws (official secret);

information on professional activities (medical, notarial, lawyer's secret, secret of correspondence, etc.);

information about the essence of the invention or industrial designs before the official publication of information about them.

The list of information of a confidential nature is supplemented by other regulatory legal acts: the Fundamentals of the legislation of the Russian Federation "On the protection of citizens' health", the laws of the Russian Federation "On psychiatric care and guarantees of the rights of citizens when it is provided", "On notaries", "On advocacy", "On basic guarantees of the electoral rights of citizens of the Russian Federation", "On Banks and Banking", as well as the Tax Code of the Russian Federation, the Family Code of the Russian Federation, etc.

As a result, we can distinguish several groups of confidential information that form certain "secrets":

medical (physician's) secret;

bank secrecy;

tax secret;

notarial secret;

insurance secret;

lawyer's secret;

the secret of religion and the secret of confession;

secrecy of voting;

official secret, etc.

The information defined by the concept of intellectual property can include most of the above information of a scientific and technological nature, as well as works of literature and art, products of inventive and rationalization activities, and other types of creativity. In accordance with the Law of the Russian Federation "On the Legal Protection of Programs for Electronic Computing Machines and Databases" dated September 23, 1992, computer programs and databases are also subject to copyright, the violation of which entails civil, criminal and administrative liability in accordance with the legislation of the Russian Federation.

The definition of intellectual property also includes a certain part of the information classified as state and commercial secrets.

2.2 Organization of information security

Most experts consider the following "protective" measures to be the most reasonable efforts in this direction:

adequate definition of the list of information to be protected;

identifying accessibility levels and predicting possible vulnerabilities in access to information;

taking measures to restrict access to information or an object;

organization of premises security and constant monitoring of information safety (in particular, the need for lockable cabinets, safes, cabinets, television security cameras, etc.);

the presence of clear rules for handling documents and their reproduction. As is well known, the invention of copying technology literally caused a surge in industrial espionage;

the presence on the documents of the inscriptions "Secret", "For official use", and on the doors - "No trespassing." Each storage medium (document, disk, etc.) must have an appropriate designation and storage location (room, safe, metal box);

signing a confidentiality agreement with employees of an organization or company.

The main means of information protection are currently regime measures aimed at preventing the leakage of specific information. The adoption of these measures depends, first of all, on the owners of the information: on the competitive environment that develops in their sphere of activity, on the value that production or commercial information represents for them, and on other factors.

Information protection measures can be divided into external and internal.

External measures include studying the partners and clients with whom business is to be conducted, collecting information about their reliability, solvency and other data, as well as forecasting the expected actions of competitors and criminal elements. Where possible, persons who show interest in the activities of the organization (company) or in its personnel are identified.

Internal security measures include the selection and verification of people entering employment: their personal data, behavior at their place of residence and at their previous job, personal and business qualities, and psychological compatibility with other employees are examined, and the reasons for leaving the previous place of work, any criminal record, etc. are established. In the course of employment, the study and analysis of the employee's actions affecting the interests of the organization continue, and his external relations are analyzed.

Employees are an essential element of a security system. They can play a significant role in protecting trade secrets, but at the same time they can be the main cause of their leakage. Often this happens through carelessness or lack of awareness. Regular and easy-to-understand training of personnel in matters of secrecy is therefore an essential condition for maintaining confidentiality. However, cases of intentional transfer (sale) of company secrets by an employee cannot be ruled out. The motive for such actions is either self-interest or revenge, for example by a dismissed employee. The practice of such actions has its roots in ancient times.

Information protection also involves the use of special technical means and electronic devices, which make it possible not only to contain the leakage of information but also to stop such activity as industrial (commercial) espionage. Most of them are technical means of detecting and countering listening devices:

telephone converter (to suppress the operation of the mini-transmitter and neutralize the removal of audio information);

telephone jammer of listening devices;

professional detector (used for "rough" location of radio bugs);

mini-detector of transmitters (used to determine the location of radio bugs precisely);

noise generator.

Organizations that have valuable information should store it in special fireproof cabinets or safes, and should not allow the keys to them to be lost or handed over for safekeeping to other persons, even the most trusted ones.

One of the common methods of protecting intellectual property is a patent, that is, a certificate issued to the inventor or his assignee for the exclusive right to use the invention made by him. The patent is intended to protect the inventor (author) from the reproduction, sale and use of his invention by other persons.

The implementation of special internal and external measures to protect valuable information systems should be entrusted to specially trained persons. To this end, an entrepreneur may seek the help of private detective firms specializing in investigations and property protection. An organization's own security service can also be created. Since protective measures require significant costs, the entrepreneur himself must decide what is more profitable for him: to put up with the leakage of information or to involve specialized services to protect it.

Conclusion

The current state of information security in Russia is that of a new state and public institution that is only taking shape in response to the demands of the time. Much has already been done on the path to its formation, but there are even more problems here that require the most rapid solution. In recent years, a number of measures to improve information security have been implemented in Russia, namely:

The formation of the legal framework for ensuring information security has begun. A number of laws have been adopted that regulate public relations in this area, and work has been launched to create mechanisms for their implementation. A milestone result, and the regulatory framework for further solving problems in this area, was the approval by the President of the Russian Federation in September 2001 of the Doctrine of Information Security of the Russian Federation;

Information security is facilitated by the following:

state system of information protection;

system of licensing activities in the field of protection of state secrets;

certification system for information security tools.

However, an analysis of the state of information security shows that there are still a number of problems that seriously hinder the full-fledged provision of information security for a person, society and the state. The doctrine names the following main problems in this area.

The current conditions of the political and socio-economic development of the country still retain sharp contradictions between the needs of society in expanding the free exchange of information and the need for individual regulated restrictions on its dissemination.

The inconsistency and underdevelopment of the legal regulation of public relations in the information sphere make it difficult to maintain the necessary balance of interests of the individual, society and the state in this area. Incomplete legal regulation does not allow the formation of competitive Russian news agencies and media in the territory of the Russian Federation to be completed.

The lack of citizens' access to information and the manipulation of information cause a negative reaction among the population, which in some cases leads to destabilization of the socio-political situation in society.

The rights of citizens enshrined in the Constitution of the Russian Federation to privacy, personal and family secrets, and secrecy of correspondence practically do not have sufficient legal, organizational and technical support. The protection of the data on individuals (personal data) collected by federal bodies of state power, bodies of power of constituent entities of the Russian Federation, and bodies of local self-government is poorly organized.

There is no clarity in the pursuit of state policy on the formation of the Russian information space, the organization of international information exchange and the integration of Russia's information space into the global information space, which creates the conditions for crowding Russian news agencies and media out of the domestic information market and leads to a deformation of the structure of international exchange.

There is insufficient government support for the activities of Russian news agencies in promoting their products on the foreign information market.

The situation with ensuring the safety of information constituting a state secret does not improve.

Serious damage was inflicted on the personnel potential of the scientific and production teams working on the creation of means of informatization, telecommunications and communications as a result of the mass departure of the most qualified specialists from these teams.

Bibliography

1. Information Security Doctrine of the Russian Federation (approved by the President of the Russian Federation on 09.09.2000, No. Pr-1895).

2. Law of the Russian Federation "On Security", 2010.

3. Law of the Russian Federation "On State Secrets", adopted on July 21, 1993 (as amended on 11/08/2011).

4. Law of the Russian Federation "On Copyright and Related Rights", which entered into force on August 3, 1993 (as amended).

5. Federal Law "On the Basics of Public Service", adopted on July 31, 1995.

6. Criminal Code, 2013.

Introduction

Chapter 1. The basics of information security and information protection

1.1 The evolution of the term "information security" and the concept of confidentiality

1.2 Value of information

1.3 Channels of distribution and leakage of confidential information

1.4 Threats and confidential information protection system

Chapter 2. Organization of work with documents containing confidential information

2.1 The regulatory framework of confidential records management

2.2 Organization of access and staff working with confidential information, documents and databases

2.3 Technological basis for the processing of confidential documents

Chapter 3. Protection of limited access information in JSC "ChZPSN - Professional flooring"

3.1 Characteristic of JSC "ChZPSN - Professional flooring"

3.2 Information security system at JSC "ChZPSN - Professional flooring"

3.3 Improving the security system of restricted access information

Conclusion

List of used sources and literature

Introduction

One of the most important components of the national security of any country is currently unanimously called its information security. The problems of ensuring information security are becoming increasingly complex and conceptually significant in connection with the massive transition of information technologies in management to a paperless automated basis.

The choice of the topic of this final qualification work is due to the fact that, in the modern Russian market economy, a prerequisite for an entrepreneur's success in business, for making a profit and for maintaining the integrity of the organizational structure he has created is ensuring the economic security of his activities. One of the main components of economic security is information security.

The object of research in this work is the formation and functioning of information resources in the organization’s management system.

The basis of the study is JSC "ChZPSN - Professional flooring".

The subject of the study is the activity to ensure the security of information resources in the organization’s management system.

The purpose of the study is the analysis of modern technologies, methods, methods and means of protecting confidential enterprise information.

The objectives of the study, in accordance with the goal, include:

1. To reveal the main components of information security;

2. To determine the composition of the information that should be classified as confidential;

3. To identify the most common threats and the channels of distribution and leakage of confidential information;

4. Consider methods and means of protecting confidential information;

5. To analyze the regulatory framework of confidential records management;

6. To study the security policy in organizing access to confidential information and the procedure for personnel to work with confidential documents;

7. Consider technological systems for processing confidential documents;

8. Evaluate the information protection system of the enterprise JSC ChZPSN - Professional flooring and provide recommendations for its improvement.

The following research methods were used in the work: methods of cognition (description, analysis, observation, survey); general scientific methods (analysis of the publication array on a topic), as well as such a documentary method as analysis of enterprise documentation.

The legal framework of this final qualification work is based primarily on the Constitution of the Russian Federation as the country's fundamental law (1). Article 23 of the Constitution of the Russian Federation guarantees the right to personal and family secrets and to the secrecy of correspondence, telephone conversations, postal, telegraphic and other communications. Moreover, the restriction of this right is allowed only on the basis of a court decision. The Constitution of the Russian Federation does not allow (Article 24) the collection, storage, use and dissemination of information about a person's private life without his consent (1).

The norms for regulating relations arising from the handling of confidential information are also contained in the Civil Code of the Russian Federation. At the same time, confidential information is referred to in the Civil Code of the Russian Federation as intangible benefits (Article 150) (2).

The criteria by which information is classified as an official or commercial secret are contained in Article 139 of the Civil Code of the Russian Federation. It states that information constitutes an official or commercial secret when:

1. This information has real or potential value due to its unknownness to third parties;

2. There is no free legal access to this information, and the owner of the information takes measures to protect its confidentiality (2).

In addition, the definition of confidentiality of commercial information is contained in Article 727 of the Civil Code of the Russian Federation (2).

On July 27, 2006, two federal laws of the greatest importance for the protection of confidential information were adopted: No. 149-FZ "On Information, Information Technologies and Information Protection" (8) and No. 152-FZ "On Personal Data" (9). They define the basic concepts of information and its protection, such as "information", "confidentiality of information", "personal data", etc.

On January 10, 2002, the President of the Russian Federation signed the important law "On Electronic Digital Signature" (5), which develops and concretizes the provisions of the above-mentioned law "On Information ..." (8).

The following laws of the Russian Federation are also fundamental in the field of security of confidential information:

1. "On Trade Secret" dated July 29, 2004 (it defines the information constituting a trade secret, the trade secret regime and the disclosure of information constituting a trade secret) (6);

2. "On Approval of the List of Confidential Information" (11);

3. "On Approval of the List of Information That Cannot Constitute a Commercial Secret" (13).

The standard fixing the basic terms and definitions in the field of information protection is GOST R 50922-96 (29).

The regulatory framework of confidential record keeping is described in detail in the second chapter of this work. The final qualifying work draws on the works of leading experts in records management: I.V. Kudryaeva (83), A.I. Aleksentseva (31; 32), T.V. Kuznetsova (45; 67; 102), A.V. Pshenko (98), L.V. Sankina (92), E.A. Stepanova (81; 96).

The concept of information security, its main components, are described in the writings of V.A. Galatenko (82), V.N. Yarochkina (56), G. Zotova (66).

K. Ilyin (52) considers in his works the issues of information security in electronic document management. Information security aspects are described in articles by V.Ya. Ischeinova (76; 77), M.V. Metsatunyan (77), A.A. Malyuka (74), V.K. Senchagova (93), E.A. Stepanova (96).

The information security system is described in the works of E.A. Stepanova (81), Z. Bogatyrenko (74), T.A. Korolkova (69), G.G. Aralbaeva (100), A.A. Shiversky (103), V.N. Martynova and V.M. Martynova (49).

The works of A.A. Antopolsky (33), E.A. Stepanova (81), I.L. Bachilo (37, 38) and O. Gavrilova (41) are devoted to the legal regulation of restricted-access information. The latter, in his article, points to the imperfection of the legislation in this area.

Technologies for processing confidential documents are the subject of the works of R.N. Moseev (75), M.I. Petrov (89), V.I. Andreeva (34), V.V. Galakhov (44), A.I. Aleksentseva (32).

In preparing the work, scientific, educational, practical and methodological recommendations on organizing the protection of confidential information by such leading experts in this field as A.I. Aleksentsev (31; 32) and E.A. Stepanov (81; 96) were used.

The works of I.L. Bachilo (38), K.B. Gelman-Vinogradova (43), N.A. Khramtsovskaya (48) and V.M. Kravtsova (51) are devoted to controversial aspects of information security.

In general, the problem of information security is adequately covered by sources, and the source base makes it possible to address the stated tasks. The literature on this issue is extensive, which corresponds to its relevance.

However, in our country there is no normative legal act that would establish a single procedure for the accounting, storage and use of documents containing confidential information. According to analysts whose articles were used in the work, E.A. Voynikanisa (40), T.A. Partyks (57), V.A. Mazurova (71) and others, such an act is hardly advisable.

The final qualification work consists of introduction, three chapters, conclusion, list of sources and literature, applications.

The introduction formulates the relevance and practical significance of the topic, the purpose of the study, its tasks, the degree of development of the problem being studied, the object, subject and base of the research, the research tools, and the structure and content of the final qualifying work.

The first chapter, "Fundamentals of information security and information protection", contains the history of the issue and the basic concepts of information security, such as the value of information and confidentiality. Section 1.2 indicates the channels of distribution and leakage of information; the next section considers the system of threats and the system for protecting confidential information.

The second chapter, "Organization of work with confidential documents", begins with the normative and methodological foundations of confidential records management; it then sets out the procedure for admitting employees and organizing their access to confidential information. The technology for working with such information is described in the last paragraph of the chapter.

In the third chapter, using the example of the enterprise ChZPSN-Profnastil, the system for protecting restricted-access information and the work with confidential documents are analyzed, and recommendations, changes and additions to the technology of confidential office work that has formed at the enterprise are given.

Today, threats associated with unauthorized access to confidential data can have a significant impact on an organization. Possible damage from the disclosure of corporate secrets includes direct financial losses, for example from the transfer of commercial information to competitors and the costs of eliminating the consequences, as well as indirect losses: a damaged reputation and the loss of promising projects. The consequences of losing a laptop containing credentials for bank accounts, financial plans and other private documents are hard to overstate.

One of the most dangerous threats today is unauthorized access. According to a study by the Computer Security Institute, last year 65% of companies reported incidents of unauthorized access to data. Moreover, as a result of unauthorized access each company lost an average of $353 thousand in 2014–2015, and compared with 2012–2013 the losses increased six times. Thus, the total losses incurred over the year by the more than 600 firms surveyed exceeded $38 million (see chart).

The problem is compounded by the fact that unauthorized access to confidential information is often followed by its theft. As a result of such a combination of two extremely dangerous threats, the company's losses can increase several times (depending on the value of the stolen data). In addition, firms often encounter physical theft of mobile computers, as a result of which both threats of unauthorized access and theft of sensitive information are realized. By the way, the cost of the portable device itself is often not comparable with the cost of the data recorded on it.

The problems that arise when information leaks from an enterprise are especially well illustrated by the theft of laptops. Suffice it to recall the recent incidents in which, over the course of several months, five laptops containing private information of Ernst & Young's customers (Cisco, IBM, Sun Microsystems, BP, Nokia, etc.) were stolen. Here such a hard-to-measure component of damage as a deterioration of image and a decrease in customer confidence manifested itself to the highest degree. Meanwhile, many companies experience similar difficulties.

Thus, in March 2006, Fidelity lost a laptop with the private data of 200 thousand HP employees, and in February the audit company PricewaterhouseCoopers lost a laptop with sensitive information on 4 thousand patients of a US hospital. If the list were continued, it would include such well-known companies as Bank of America, Kodak, Ameritrade, Ameriprise, Verizon and others.

Thus, in addition to protecting confidential information from unauthorized access, it is necessary to protect the physical medium itself. It should be borne in mind that such a security system should be absolutely transparent and not give the user difficulties when accessing sensitive data either in the corporate environment or during remote work (at home or on a business trip).

So far nothing more effective than data encryption has been invented for protecting information from unauthorized access. Provided that the cryptographic keys are safe, encryption guarantees the security of sensitive data.

Encryption technology

Encryption technologies are used to protect information from unauthorized access. However, users without proper knowledge of encryption methods may get the false impression that all their sensitive data is secure. Let us consider the basic technologies for data encryption.

  • File encryption. The user selects the files to be encrypted. This approach does not require deep integration of the encryption tool into the system and therefore allows manufacturers of cryptographic tools to implement a multi-platform solution for Windows, Linux, Mac OS X, etc.
  • Directory encryption. The user creates folders in which all data is encrypted automatically. Unlike the previous approach, encryption takes place on the fly rather than at the user's request. In general, directory encryption is quite convenient and transparent, although it is based on the same file encryption. This approach requires deep interaction with the operating system and therefore depends on the platform used.
  • Virtual disk encryption. The concept of virtual disks is implemented in some compression utilities, for example Stacker or Microsoft DriveSpace. Encrypting a virtual disk involves creating a large hidden file on the hard drive. This file is subsequently available to the user as a separate disk (the operating system "sees" it as a new logical disk, for example drive X:). All information stored on the virtual disk is encrypted. The main difference from the previous approaches is that the cryptographic software does not need to encrypt each file individually; data is encrypted automatically only when it is written to or read from the virtual disk. Work with the data is carried out at the sector level (usually 512 bytes).
  • Encryption of the entire disk. In this case absolutely everything is encrypted: the Windows boot sector, all system files and any other information on the disk.
  • Protection of the boot process. If the whole disk is encrypted, the operating system cannot start until some mechanism decrypts the boot files. Therefore, encryption of the entire disk necessarily implies protection of the boot process. Typically, the user is required to enter a password so that the operating system can start. If the password is entered correctly, the encryption program gains access to the encryption keys, which allows it to read further data from the disk.

Thus, there are several ways to encrypt data. Some of them are less reliable, some are faster, and some are generally not suitable for protecting important information. In order to be able to evaluate the suitability of certain methods, we consider the problems that a cryptographic application encounters when protecting data.

Features of operating systems

Let us dwell on some features of operating systems which, for all their usefulness, sometimes only interfere with reliable protection of confidential information. The following are the most common system mechanisms that leave "loopholes" for an attacker; they are relevant both for laptops and for PDAs.

  • Temporary files. Many programs (including the operating system) use temporary files to store intermediate data during their work. Often an exact copy of the file opened by the program is written to a temporary file, which makes it possible to fully recover the data in the event of an unforeseen failure. Of course, temporary files are very useful; however, being unencrypted, they pose a direct threat to corporate secrets.
  • Paging files (swap files). The technology of paging files is very popular in modern operating systems, as it allows any application to be provided with an almost unlimited amount of RAM. If the operating system runs short of memory, it automatically writes data from RAM to the hard disk (into the paging file). As soon as the stored information is needed again, the operating system extracts it from the paging file and, if necessary, puts other information into this storage. In the same way as in the previous case, secret information in unencrypted form can easily end up in the paging file.
  • File alignment. The Windows file system places data in clusters that can occupy up to 64 sectors. Even if a file is only a few bytes long, it still occupies a whole cluster. A large file is divided into portions, each the size of a file system cluster, and the remainder (usually the last few bytes) still occupies a whole cluster. Thus, random information that was in the PC's RAM at the moment the file was written to disk gets into the last sector of the file; this may include passwords and encryption keys. In other words, the last cluster of any file can contain quite sensitive information, ranging from random contents of RAM to data from e-mail messages and text documents that were previously stored in this place.
  • Recycle Bin. When a user deletes a file, Windows moves it to the Recycle Bin. Until the Recycle Bin is emptied, the file can be easily restored. However, even after the Recycle Bin is emptied, the data physically remains on the disk. In other words, deleted information can very often be found and restored (if no other data has been written over it). There are a huge number of application programs for this, some of them free and distributed via the Internet.
  • Windows registry. Windows itself, like a large number of applications, stores its specific data in the system registry. For example, a web browser stores in the registry the domain names of pages the user visited, and even the Word text editor saves the name of the last opened file in the registry. The registry is used by the OS at boot. Accordingly, if an encryption method starts only after Windows has booted, the results of its operation may be compromised.
  • Windows NT File System (NTFS). It is believed that a file system with integrated access control (as in Windows NT) is secure. The fact that the user must enter a password to gain access to personal files leaves the false impression that personal files and data are protected. However, even a file system with built-in access control lists (ACLs), such as NTFS, provides no protection at all against an attacker who has physical access to the hard drive or administrator rights on the computer. In both cases the offender can gain access to classified data; an inexpensive (or free) disk editor is enough to read text information from a disk to which he has physical access.
  • Hibernation ("sleep") mode. This mode is very popular on laptops, as it saves battery power when the computer is turned on but not in use. When the laptop enters this state, the operating system copies absolutely all the data in RAM to the disk, so that when the computer "wakes up" it can easily restore its previous state. Obviously, sensitive information can easily end up on the hard disk in this case.
  • Hidden partitions of the hard drive. A hidden partition is one that the operating system does not show to the user at all. Some applications (for example, those that save energy on laptops) use hidden partitions to store data instead of files on regular partitions. With this approach, information placed on a hidden partition is not protected at all and can easily be read by anyone using a disk editor.
  • Free space and space between partitions. Sectors at the very end of the disk do not belong to any partition and sometimes appear as free space. Another insecure place is the space between partitions. Unfortunately, some applications, as well as viruses, can store their data there. Even if the hard drive is formatted, this information remains untouched and can be easily restored.

Thus, in order to effectively protect data, it is not enough to simply encrypt them. Care must be taken to ensure that copies of classified information do not “leak” into temporary and swap files, as well as into other “secret places” of the operating system where they are vulnerable to an attacker.

Suitability of various approaches to data encryption

Consider how various approaches to data encryption cope with the features of operating systems.

File Encryption

This method is mainly used to send encrypted files by e-mail or via the Internet. The user encrypts a specific file that must be protected from third parties and sends it to the recipient. This approach suffers from low speed, especially for large amounts of information (after all, each file attached to a message has to be encrypted separately). Another problem is that only the original file is encrypted, while temporary files and the paging file remain completely unprotected, so protection is provided only against an attacker trying to intercept a message on the Internet, not against a criminal who has stolen a laptop or PDA. Thus we can conclude that because file encryption does not protect temporary files, its use to protect important information is unacceptable. Nevertheless, this approach is suitable for sending small amounts of information over a network from computer to computer.

Folder encryption

Unlike file encryption, this approach allows the user to move files into a folder where they are encrypted automatically, which makes working with protected data much more convenient. Since folder encryption is based on file encryption, neither method provides reliable protection for temporary files or paging files, and neither physically erases data from the disk. Moreover, directory encryption is very uneconomical in memory and processor resources: the processor spends time constantly encrypting and decrypting files, and additional disk space (sometimes more than 2 KB) is allocated for each protected file. All this makes directory encryption very resource-intensive and slow. To summarize, although this method is fairly transparent, it cannot be recommended for protecting important information, especially if an attacker can gain access to temporary files or paging files.

Virtual disk encryption

This concept involves the creation of a large hidden file located on the hard drive. The operating system works with it as a separate logical drive. The user can put the software on such a disk and compress it to save space. Consider the advantages and disadvantages of this method.

First of all, the use of virtual disks creates an increased load on the resources of the operating system. The fact is that every time you access the virtual disk, the operating system has to redirect the request to another physical object - a file. This, of course, negatively affects performance. Due to the fact that the system does not identify the virtual disk with the physical one, problems may arise with the protection of temporary files and the swap file. Compared to directory encryption, the concept of virtual disks has both pros and cons. For example, an encrypted virtual disk protects file names located in virtual file tables. However, this virtual disk cannot be expanded as easily as an ordinary folder, which is very inconvenient. To summarize, we can say that encryption of virtual disks is much more reliable than the two previous methods, but it can leave temporary files and paging files unprotected if the developers do not specifically take care of this.

Full disk encryption

The basis of this concept is not file-by-file but sector-by-sector encryption. In other words, any file written to the disk is encrypted. The cryptographic program encrypts data before the operating system places it on the disk: it intercepts all attempts by the operating system to write data to the physical disk (at the sector level) and performs the encryption on the fly. Thanks to this approach, temporary files, the paging file and all deleted files are encrypted as well. A logical consequence of this method should be a significant decrease in overall PC performance; many developers of encryption tools are working on this problem, and several successful implementations of such products already exist. To summarize, encryption of the entire disk avoids situations in which some part of important data, or an exact copy of it, remains somewhere on the disk in unencrypted form.
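As an added example (not code from the original article or from any product it mentions), the following Python simulates a small block device to show why the verdict on file encryption and on full-disk encryption differs: the same user workflow leaves the document's plaintext in a temporary copy, in freed sectors and in another file's slack on an unencrypted disk, while a sector-level layer keyed by sector number hides all of it from a disk editor. HMAC-SHA256 in counter mode stands in for AES-XTS, and the disk, keys, file names and sample text are all constructed for the demo.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

SECTOR = 512  # sector size discussed on the page

# Constructed sample data and demo-only keys (not real secrets).
SECRET = b"CONSTRUCTED SAMPLE - Q3 financial plan, access code 0000"
FILE_KEY = hashlib.sha256(b"constructed per-file key").digest()
DISK_KEY = hashlib.sha256(b"constructed disk key").digest()


def _keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, tweaked by sector number: a standard-library
    stand-in for AES-XTS; never reuse it to rewrite a sector under the same key."""
    out, block = b"", 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """Encrypt or decrypt one sector's bytes by XOR with its keystream."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, sector_no, len(data))))


class Disk:
    """Tiny block device plus allocator. key=None stores sectors as written;
    key=bytes models full-disk encryption (every sector transformed on the way
    to and from the platter), so temp copies, freed sectors and slack arrive encrypted."""

    def __init__(self, key: Optional[bytes] = None, sectors: int = 64) -> None:
        self.key = key
        self.raw = bytearray(SECTOR * sectors)        # what a disk editor sees
        self.free: List[int] = list(range(sectors))
        self.files: Dict[str, Tuple[List[int], int]] = {}
        self._buf = bytearray(SECTOR)                 # reused write buffer (RAM slack)

    def _put(self, n: int, data: bytes) -> None:
        if self.key is not None:
            data = xor_sector(self.key, n, data)
        self.raw[n * SECTOR:(n + 1) * SECTOR] = data

    def _get(self, n: int) -> bytes:
        data = bytes(self.raw[n * SECTOR:(n + 1) * SECTOR])
        return xor_sector(self.key, n, data) if self.key is not None else data

    def write(self, name: str, data: bytes) -> None:
        sectors: List[int] = []
        for off in range(0, len(data), SECTOR):
            chunk = data[off:off + SECTOR]
            # A partial last sector is padded with whatever the buffer held
            # before: the "file alignment" slack effect described on the page.
            self._buf[:len(chunk)] = chunk
            n = self.free.pop(0)                      # fresh sectors first, never a rewrite
            self._put(n, bytes(self._buf))
            sectors.append(n)
        self.files[name] = (sectors, len(data))

    def read(self, name: str) -> bytes:
        sectors, size = self.files[name]
        return b"".join(self._get(n) for n in sectors)[:size]

    def delete(self, name: str) -> None:
        """Like emptying the Recycle Bin: only the allocation is forgotten."""
        sectors, _ = self.files.pop(name)
        self.free.extend(sectors)

    def slack(self, name: str) -> bytes:
        """Raw bytes between the end of the file and the end of its last sector."""
        sectors, size = self.files[name]
        used, last = size % SECTOR or SECTOR, sectors[-1]
        return bytes(self.raw[last * SECTOR + used:(last + 1) * SECTOR])

    def raw_contains(self, needle: bytes) -> bool:
        return needle in bytes(self.raw)


def file_encryption_workflow(disk: Disk) -> None:
    """A user protects one document with a file-encryption tool: the editor drops
    a temp copy, a short note picks up slack, plaintext sectors are freed, not wiped."""
    disk.write("plan.doc", SECRET)
    disk.write("~plan.tmp", SECRET)                 # editor's temporary copy
    disk.write("note.txt", b"short")                # its slack now carries SECRET[5:]
    disk.write("plan.doc.enc", xor_sector(FILE_KEY, 0, SECRET))
    disk.delete("plan.doc")
    disk.delete("~plan.tmp")


def raw_exposes_secret(key: Optional[bytes]) -> bool:
    """True if a direct read of the medium reveals the secret anywhere."""
    disk = Disk(key)
    file_encryption_workflow(disk)
    return disk.raw_contains(SECRET) or SECRET[5:] in disk.slack("note.txt")
```

On the unencrypted disk `raw_exposes_secret(None)` is true even though `plan.doc` was "encrypted and deleted"; with `DISK_KEY` the same workflow leaves nothing readable, while files still read back correctly through the disk layer.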

Protection of the boot process. As already noted, it is advisable to protect the boot process when encrypting the entire disk. In this case no one can start the operating system without passing the authentication procedure at the start of the boot, and for that the password must be known. If an attacker has physical access to the hard drive with sensitive data, he will not be able to quickly determine where the encrypted system files are located and where the important information is. It should be noted that if cryptographic software encrypts the entire disk but does not protect the boot process, it does not encrypt the system files and boot sectors, that is, the disk is not fully encrypted.

Thus, today reliable protection of confidential data on laptops requires encryption of either virtual disks or the entire disk. In the latter case, however, one must make sure that the cryptographic tool does not consume so many computer resources that it interferes with users' work. Note that Russian companies do not yet produce full-disk encryption products, although several such products already exist in Western markets. Protecting data on a PDA is somewhat easier, because the small amount of stored information allows developers to encrypt all data at once, for example on a flash card.

Encryption with strong authentication

Reliable data storage requires not only powerful and well-implemented cryptographic technologies but also means of providing personalized access. In this regard, strong two-factor authentication based on hardware keys or smart cards is the most efficient way to store encryption keys, passwords, digital certificates, etc. To pass the strong authentication procedure, the user must present a token (USB key or smart card) to the operating system (for example, insert it into one of the computer's USB ports or into a smart card reader) and then prove ownership of this electronic key, that is, enter the password. Thus, the task of an attacker trying to access sensitive data is greatly complicated: he needs not only to know the password but also to possess a physical device that only legitimate users have.

Internally, the electronic key consists of a chip and a small amount of non-volatile memory. The chip encrypts and decrypts data using the cryptographic algorithms embedded in the device, while the non-volatile memory stores passwords, electronic keys, access codes and other secret information. The hardware key itself is protected against theft by a PIN code, and special mechanisms built into the key protect this PIN from brute-force guessing.
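As an added illustration (not code from the original article or from any token vendor), the following Python models the two-factor scheme just described: the device secret never leaves the token, a PIN gates its use, a retry counter blocks guessing, and the host proves possession with a fresh challenge. HMAC-SHA256 stands in for the token's embedded algorithm and the host keeps a copy of the secret; both are assumptions of this demo, since a real token would hold a private key and sign the challenge.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class HardwareToken:
    """Model of the page's 'electronic key': a secret held in the device, a PIN
    that unlocks its use, and a retry counter that blocks PIN guessing."""

    MAX_TRIES = 3

    def __init__(self, device_secret: bytes, pin: str) -> None:
        self._secret = device_secret                       # non-volatile memory
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.tries_left = self.MAX_TRIES
        self.blocked = False

    def respond(self, pin: str, challenge: bytes) -> Optional[bytes]:
        """Answer the host's challenge only if the PIN is right; a blocked
        token answers nothing even to the correct PIN."""
        if self.blocked:
            return None
        offered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(offered, self._pin_hash):
            self.tries_left -= 1
            if self.tries_left == 0:
                self.blocked = True                        # anti-brute-force lockout
            return None
        self.tries_left = self.MAX_TRIES
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Host:
    """Workstation side: verifies a challenge response against the secret
    registered at enrolment (assumption: symmetric secret shared with the host)."""

    def __init__(self, registered_secret: bytes) -> None:
        self._secret = registered_secret

    def authenticate(self, token: HardwareToken, pin: str) -> bool:
        challenge = secrets.token_bytes(32)                # fresh nonce, so replays fail
        response = token.respond(pin, challenge)
        if response is None:
            return False
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def demo() -> Dict[str, bool]:
    """Correct PIN succeeds; three wrong PINs lock the token for good."""
    secret = b"constructed device secret - demo only"
    token, host = HardwareToken(secret, pin="2468"), Host(secret)
    result = {"correct_pin": host.authenticate(token, "2468")}
    for _ in range(HardwareToken.MAX_TRIES):
        host.authenticate(token, "0000")                   # attacker guessing
    result["after_lockout"] = host.authenticate(token, "2468")
    result["blocked"] = token.blocked
    return result
```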

Summary

Thus, effective data protection involves the use of strong encryption tools (based on virtual disk technologies or covering the entire disk) and strong authentication tools (tokens and smart cards). Among the file encryption tools, ideal for sending files over the Internet, it is worth noting the well-known PGP program, which can satisfy almost all user requests.

At the present stage of society's development, the most valuable resource is not a new one but an enduring one: information. Today information is becoming the main resource of the scientific, technical and socio-economic development of the world community. Almost any activity in today's society is closely connected with receiving, accumulating, storing, processing and using a variety of information flows. The integrity of the modern world as a community is ensured mainly through intensive information exchange.

Therefore, under these new conditions many problems arise in ensuring the safety and confidentiality of commercial information as a type of intellectual property.



The main regulation describes a unified approach to confidentiality and is the principal governing document, mandatory for all employees:

  • List of data that constitute a trade secret. List of confidential data, list of personal data of employees, etc.
  • Restriction of free access to such information
  • Documents regarding the use and transfer of confidential information
  • Restriction on copying confidential information to media
  • If necessary, the use of technical, organizational and software measures to protect confidential information that do not violate the laws of the country
  • Responsibility for non-observance of confidentiality must be determined

Regulations

  • Federal Law of February 20, 1995 No. 24-FZ "On Information, Informatization and Information Protection"
  • Law of the Russian Federation of July 29, 2004 No. 98-FZ "On Commercial Secret"
  • Law of the Russian Federation of January 10, 2002 No. 1-FZ "On Electronic Digital Signature"
  • Federal Law of the Russian Federation of December 30, 2001 No. 197-FZ "Labor Code of the Russian Federation"

Terms

Confidentiality regime - the organizational, legal and technical measures taken by the enterprise.

Confidential data  - data on objects, persons, facts, processes, regardless of the form, constituting a trade secret, which are protected by the laws of the country, and regulatory acts and documents of the enterprise.

Transfer of confidential information - the owner communicates confidential information to employees in documented form, in the manner prescribed by law.

Confidential document - confidential information recorded on a tangible medium with details that allow it to be identified.

Confidentiality marking - the following markings are used:

  • Trade secret - marking for documents that contain data constituting a business secret
  • Personal data - marking for documents that contain personal data of employees
  • For internal use - marking for documents that contain other protected information

Restrictions: Marks that restrict access to data.

Confidentiality classification scheme

Confidential company information may consist of:

  • trade secret data
  • personal data of enterprise employees
  • other data bearing a confidentiality marking

Confidential information may include:

  • data on events and facts of an employee's life that make it possible to identify him
  • data subject to the laws of the country in the hands of the enterprise
  • technical, organizational or other business information:
    • which may have potential or actual commercial value
    • to which there is no access in public
    • which the owner regards as valuable

Information really has value if it:

  • makes it possible to increase income
  • makes it possible to avoid losses
  • provides another benefit

Information that cannot constitute a trade secret includes:

  • state registers
  • data on the activities of the entrepreneur, licenses and other documents that attest to this type of activity
  • everything related to the federal budget and the purposes on which this money was spent
  • the state of fire safety, environmental safety, and so on
  • the number of employees and availability of vacancies
  • wage arrears and other payments
  • violations of the laws of the country and their consequences
  • the terms of privatization of state property and its participants; drafts of privatization agreements
  • the list of persons who may act on behalf of a legal entity without a power of attorney

The level of confidentiality of the data should correspond to the severity of the damage that may be caused to the company or its employees. Damage is understood as the costs of restoring violated rights, losses, harm and income not received.

Document Access and Confidential Information Scheme

Access of company employees to confidential data is granted by order of the General Director for Enterprise Security. Admission of employees to confidential information is possible only after the employment contract has been signed.

Rights of persons admitted to confidential information

Employees admitted to confidential information must:

  • observe the confidentiality regime
  • not disclose confidential information for three years after the end of the employment contract
  • immediately inform top management of any disclosure or known threat of disclosure of confidential information
  • if guilty of disclosure, compensate for the damage caused
  • hand over to the company all tangible media containing confidential information after termination of the employment contract

Employees admitted to confidential information are FORBIDDEN to:

  • discuss confidential information over insecure communication channels or use undocumented security features
  • use confidential information in open articles and speeches
  • take photographs or video in rooms where work with confidential information is carried out

Confidential Information Handling Algorithm

  • Accounting for confidential documents
  • Registration of confidential documents

The confidentiality regime when working in the information system is determined by the Regulation on the procedure and organization of work to protect confidential information. When confidential information is placed on portable media, the confidentiality marking is indicated on a paper label. Printed and signed documents are submitted for registration, and drafts are destroyed. Each copy of a confidential document has the same significance as the original; a copy is also registered and has its own number in the general list.

Confidential information must be kept secure: it must be stored in special rooms with restricted access.

Algorithm for transporting confidential information to other enterprises

Transfer of confidential information to counterparties is possible only after they have signed a "Confidentiality Agreement". If the agent lacks some information, he applies to the General Director for Enterprise Security.

Confidentiality Control

Monitoring of compliance with the confidentiality regime at the enterprise is carried out in order to study and evaluate the state of protection of confidential data, identify deficiencies and detect violations of the regime. Monitoring of compliance with the regime is the responsibility of the Deputy General Director for Enterprise Security.

Verification of compliance with the regime is carried out by a commission (or individuals) appointed by the General Director of the enterprise. The commission has the right to engage third-party specialists in agreement with the director. Inspectors have the right to examine all documents and to conduct consultations. The unit in which the audit was carried out implements a plan to eliminate the identified deficiencies; the plan is agreed with the Deputy General Director for Enterprise Security.

Conducting an internal investigation into the disclosure of confidential information

To conduct an internal investigation, a commission of at least three people is created by order of the General Director no later than the day after a leak is discovered. Members of the commission have the right to:

  • inspect the premises and places where confidential documents are stored
  • interview employees
  • involve, in agreement with the General Director, additional people who have no interest in the outcome of the case

An internal investigation should be carried out as soon as possible.
