Organization of information security. Ensuring information security and implementing information security measures

Norbert Wiener, the founder of cybernetics, held that information has unique characteristics and can be attributed neither to energy nor to matter. The special status of information as a phenomenon has spawned a variety of definitions.

The ISO/IEC 2382:2015 information technology standard gives the following interpretation:

Information (in the field of information processing) is any data presented in electronic form, written on paper, expressed at a meeting or held on any other carrier that a financial institution uses for making decisions, moving funds, setting rates, granting loans, processing transactions, etc., including the software components of the processing system.

For the purpose of developing an information security (IB) concept, information is understood as data that is available for collection, storage, processing (editing, transformation), use and transmission by various means, including computer networks and other information systems.

Such information is of high value and can become the object of encroachment by third parties. The desire to protect information from threats underlies the creation of information security systems.

Legal basis

In December 2017, the Information Security Doctrine was adopted in Russia. The document defines IB as the state of protection of national interests in the information sphere. National interests are understood here as the combination of the interests of society, the individual and the state, each group of interests being necessary for the stable functioning of society.

The Doctrine is a conceptual document. Legal relations connected with ensuring information security are governed by the federal laws "On State Secrets", "On Information", "On the Protection of Personal Data" and others. On the basis of these fundamental regulations, government decrees and departmental regulations dealing with particular information-protection issues are developed.

Definition of information security

Before developing an information security strategy, it is necessary to adopt a basic definition of the concept itself; this definition then determines which set of protection methods and means can be applied.

Industry practice proposes understanding information security as the stable state of protection of information, its carriers and infrastructure, which ensures the integrity and sustainability of information-related processes against intentional or unintentional impacts of natural and artificial origin. Such impacts are classified as IB threats that may cause damage to the subjects of information relations.

Thus, protection of information is understood as a set of legal, administrative, organizational and technical measures aimed at preventing real or presumed IB threats and at eliminating the consequences of incidents. The continuity of the information security process should ensure that threats are countered at all stages of the information life cycle: during the collection, storage, processing, use and transmission of information.

Information security in this sense becomes one of the performance characteristics of a system. At any moment the system must have a measurable level of security, and ensuring the security of the system must be a continuous process carried out throughout the system's entire lifetime.

The infographic uses Surchinform's own data.

In the theory of information security, the subjects of IB are the owners and users of information, including not only permanent users (employees) but also users who access databases in isolated cases, for example government bodies requesting information. In some cases, for example in banking IB standards, shareholders are counted among the owners of information, that is, the legal entities to which certain data belong.

The supporting infrastructure, in terms of the fundamentals of IB, includes computers, networks, telecommunications equipment, premises, life-support systems and personnel. When analyzing security, all elements of the systems must be studied, with special attention paid to personnel as the carrier of most internal threats.

To manage information security and assess damage, the characteristic of acceptability is used: damage is defined as acceptable or unacceptable. It is useful for each company to approve its own criteria for damage, in monetary terms or, for example, in the form of permissible damage to reputation. Government agencies may adopt other characteristics, for example the impact on the management process or the degree of harm to the life and health of citizens. The criteria of materiality, importance and value of information may change during the life cycle of the information array and should therefore be revised in a timely manner.

In the narrow sense, an information threat is an objective possibility of influencing a protected object that may lead to leakage, theft, disclosure or dissemination of information. In the broader sense, IB threats also include directed influence of an informational nature whose purpose is to damage the state, an organization or an individual. Such threats include, for example, defamation, deliberate misleading and incorrect advertising.

Three main issues of an IB concept for any organization

  • What to protect?
  • What types of threats prevail: external or internal?
  • How to protect, and with what methods and means?

IB system

The information security system of a company as a legal entity comprises three groups of basic concepts: integrity, availability and confidentiality. Behind each of them lie concepts with a variety of characteristics.

Integrity is understood as the resistance of databases and other information arrays to accidental or deliberate destruction and to the introduction of unauthorized changes. The concept of integrity can be considered as:

  • static, expressed in the invariability and authenticity of information objects: those objects that were created to a specific technical specification and contain the amount of information users need for their main activity, in the required configuration and sequence;
  • dynamic, which implies the correct performance of complex actions or transactions without compromising the safety of information.

Special technical means are used to control dynamic integrity; they analyze the flow of information, for example financial flows, and detect cases of theft, duplication, redirection and changes in message order. Integrity as the main characteristic is required whenever decisions to act are made on the basis of incoming or available information. A violation of the order of commands or of a sequence of actions can cause great damage where technological processes or program code are described, and in other similar situations.
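The dynamic-integrity control just described (detecting modification, duplication, reordering and loss in a stream of, say, payment messages) can be built from a shared-key MAC plus sequence numbers. The Python below is an added example and not code from the article or from any vendor it mentions: it assumes a pre-shared key known to sender and monitor, a constructed JSON message format with a sequence number, and constructed sample transactions.

```python
"""Dynamic integrity monitor for a message stream (added example, constructed data)."""
import hashlib
import hmac
import json

# Assumption: a pre-shared key known only to the sender and the monitor (constructed value).
SHARED_KEY = b"demo-shared-key-not-for-production"


def make_message(key: bytes, seq: int, payload: dict) -> dict:
    """Sender side: serialise (seq, payload) canonically and attach an HMAC-SHA256 tag."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class IntegrityMonitor:
    """Receiver side: verifies each message and tracks the sequence numbers it has seen."""

    def __init__(self, key: bytes, first_seq: int = 1):
        self.key = key
        self.next_seq = first_seq   # sequence number expected next
        self.seen = set()           # sequence numbers already accepted
        self.missing = set()        # numbers skipped by a gap that have not yet arrived

    def check(self, msg: dict) -> str:
        # Modification: recompute the tag over the received body, compare in constant time.
        expected_tag = hmac.new(self.key, msg["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, msg["tag"]):
            return "MODIFIED"
        seq = json.loads(msg["body"])["seq"]
        # Duplication / replay: an already-accepted number arrives again.
        if seq in self.seen:
            return "DUPLICATE"
        self.seen.add(seq)
        # Reordering: a number earlier marked as missing arrives late.
        if seq in self.missing:
            self.missing.discard(seq)
            return "OUT_OF_ORDER"
        # A number below the expected window that was never announced as missing.
        if seq < self.next_seq:
            return "OUT_OF_ORDER"
        # Gap: numbers were skipped (possible loss or theft of messages).
        if seq > self.next_seq:
            self.missing.update(range(self.next_seq, seq))
            self.next_seq = seq + 1
            return "GAP"
        self.next_seq = seq + 1
        return "OK"


def run_demo() -> list:
    """Constructed stream: accepted, duplicate, gap, late arrival and a tampered message."""
    msgs = {
        i: make_message(SHARED_KEY, i, {"from": "ACC-1", "to": "ACC-2", "amount": f"{i * 100}.00"})
        for i in range(1, 6)
    }
    tampered = dict(msgs[5])
    # An in-transit edit of the amount: the body changes but the tag does not match any more.
    tampered["body"] = msgs[5]["body"].replace(b"500.00", b"999.00")
    monitor = IntegrityMonitor(SHARED_KEY)
    delivery = [msgs[1], msgs[2], msgs[2], msgs[4], msgs[3], tampered]
    return [monitor.check(m) for m in delivery]


if __name__ == "__main__":
    print(run_demo())
```

Two design points matter in practice: the sequence number is inside the authenticated body, so an attacker cannot renumber a captured message without invalidating the tag, and `hmac.compare_digest` avoids leaking tag bytes through timing. A gap is reported immediately rather than waiting for the missing messages, which is what the article means by timely detection of theft or loss in the flow.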

Availability is the property that allows authorized subjects to access data of interest to them or to exchange such data. The key requirement of legitimation, or authorization, of subjects makes it possible to create different levels of access. A system's failure to provide information becomes a problem for any organization or user group. An example is the unavailability of public-service websites in the event of a system failure, which deprives many users of the opportunity to obtain the services or information they need.

Confidentiality denotes the property of information of being available only to those users, subjects and processes that were granted access from the outset. Most companies and organizations perceive confidentiality as the key element of IB, but in practice it is difficult to implement fully. Not all data on existing information leakage channels are available to the authors of IB concepts, and many technical means of protection, including cryptographic ones, cannot be purchased freely; in some cases their circulation is restricted.

The same IB properties have different value for different users, hence two extreme categories in the development of data protection concepts. For companies or organizations that handle state secrets, the key parameter is confidentiality; for public services or educational institutions, the most important parameter is availability.


Protection Objects in IB Concepts

Differences among subjects give rise to differences in protection objects. The main groups of protection objects are:

  • information resources of all kinds (a resource here means a material object: a hard disk or other carrier, or a document with data and details that help to identify it and attribute it to a specific group of subjects);
  • the rights of citizens, organizations and the state to access information and to receive it within the law; access may be limited only by regulatory acts, and the erection of any barriers that violate human rights is unacceptable;
  • the system for creating, using and distributing data (systems and technologies, archives, libraries, regulatory documents);
  • the system for forming public consciousness (media, Internet resources, social institutions, educational institutions).

Each object requires its own system of measures to protect it against threats to IB and public order. Ensuring information security in each case should be based on a systematic approach that takes into account the specifics of the object.

Categories and media

The Russian legal system, law enforcement practice and established public relations classify information by accessibility criteria. This helps to clarify the essential parameters needed to ensure information security:

  • information to which access is restricted on the basis of legal requirements (state secrets, trade secrets, personal data);
  • information in open access;
  • public information provided on certain conditions: paid information, or data that require an access permit to use, such as a library card;
  • dangerous, harmful, false and other types of information whose circulation and distribution are restricted either by the requirements of laws or by corporate standards.

Information in the first group has two protection regimes. State secrets, according to the law, are information protected by the state whose free distribution may damage the country's security. These are data in the fields of military, foreign policy, intelligence, counterintelligence and economic activities of the state. The owner of this group of data is the state itself. The authorities empowered to take measures to protect state secrets are the Ministry of Defense, the Federal Security Service (FSB), the Foreign Intelligence Service and the Federal Service for Technical and Export Control (FSTEC).

Confidential information is a more multifaceted regulatory object. The list of information that can be confidential is contained in Presidential Decree No. 188 "On Approval of the List of Confidential Information". It comprises personal data; the secrecy of investigations and legal proceedings; official secrets; professional secrets (medical, notarial, legal); trade secrets; information about inventions and utility models; information contained in the personal files of convicts; and information on the enforcement of judicial acts.

Personal data exist in both open and confidential modes. The part of personal data that is open and accessible to all users includes the first name, surname and patronymic. According to Federal Law FZ-152 "On Personal Data", personal data subjects are entitled:

  • to informational self-determination;
  • to access their personal data and make changes to them;
  • to have their personal data, and access to them, blocked;
  • to appeal against unlawful actions of third parties concerning their personal data;
  • to compensation for damage.

This right is enshrined in the regulations of state bodies and in federal laws, and in the licenses for working with personal data issued by Roskomnadzor or FSTEC. Companies that professionally process the personal data of a wide range of persons, such as telecom operators, must be entered in the register maintained by Roskomnadzor.

A separate object in the theory and practice of IB is the carrier (medium) of information, access to which may be open or closed. When developing an IB concept, protection methods are selected according to the type of carrier. The main carriers of information are:

  • printed and electronic media, social networks and other Internet resources;
  • employees of the organization who have access to information through their friendly, family or professional ties;
  • means of communication that transmit or store information: telephones, PBXs and other telecommunication equipment;
  • documents of all types: personal, official, state;
  • software as an independent information object, especially if its version was customized for a particular company;
  • electronic information media that process data automatically.

For the purpose of developing IB protection concepts, information security tools are customarily divided into regulatory (informal) and technical (formal).

Informal means of protection are documents, rules and activities; formal means are special technical means and software. The distinction helps to distribute zones of responsibility when creating IB systems: under general leadership, administrative personnel implement the regulatory methods and IT specialists implement the technical ones.

The fundamentals of information security involve delimiting authority not only over the use of information but also over the work of protecting it. Such delimitation of authority requires several levels of control.


Formal means of protection

The wide range of technical means of IB protection includes:

Physical means. These are mechanical, electrical and electronic mechanisms that function independently of the information systems and create obstacles to access to them. Locks, including electronic ones, screens and blinds are designed to prevent destabilizing factors from coming into contact with the systems. The group is complemented by security-system components such as cameras, video recorders, motion sensors and sensors that detect excess electromagnetic radiation in the zone where technical means of information removal, that is, implanted bugging devices, may be located.

Hardware means. These are electrical, electronic, optical, laser and other devices embedded in information and telecommunication systems. Before hardware is introduced into information systems, its compatibility must be verified.

Software. These are simple, system-level and comprehensive programs designed to solve particular and complex tasks related to ensuring IB. An example of comprehensive solutions: the first serve to prevent leakage, reformatting of information and redirection of information flows; the second ensure protection against incidents in the field of information security. Software is demanding of hardware capacity, and additional reserves must be provided when installing it.


Specific means of information security include various cryptographic algorithms that encrypt information on disk and information transmitted over external communication channels. The transformation of information may be performed by software or hardware methods operating within corporate information systems.

All means guaranteeing information security should be used together, after a preliminary assessment of the value of the information and a comparison with the cost of the resources spent on protecting it. Proposals for the use of such means should therefore be formulated already at the system design stage, and approval should be given at the management level responsible for approving budgets.

To ensure security, it is necessary to monitor all current developments in software and hardware protection and in threats, and to make timely changes to one's own systems for protection against unauthorized access. Only adequacy and efficiency in responding to a threat will help achieve a high level of confidentiality in the company's work.

In 2018 the first release was published. This unique program compiles psychological portraits of employees and distributes them by risk group. Such an approach to ensuring information security makes it possible to anticipate possible incidents and take measures in advance.

Informal means of protection

Informal means of protection are grouped into regulatory, administrative, and moral and ethical measures. At the first level of protection are the regulatory documents that govern information security as a process within the organization's activities.

  • Regulations

In world practice, the development of regulatory means is guided by IB protection standards, chiefly ISO/IEC 27000. The standard was created by two organizations:

  • ISO, the International Organization for Standardization, which develops and approves most of the internationally recognized methods for certifying the quality of production and management processes;
  • IEC, the International Electrotechnical Commission, which contributed its understanding of IB systems and of the means and methods of ensuring IB.

The current version, ISO/IEC 27000-2016, offers ready-made standards and proven techniques needed to implement IB. According to the authors of the methodology, the basis of information security is the systematic and consistent implementation of all stages, from development to post-control.

To obtain a certificate confirming compliance with information security standards, all recommended techniques must be implemented in full. If there is no need to obtain a certificate, any of the earlier versions of the standard, starting with ISO/IEC 27000-2002, or the Russian GOSTs, which are recommendatory in nature, may be taken as the basis for developing one's own IB system.

Based on a study of the standard, two documents relating to information security are developed. The main, but less formal, one is the enterprise IB concept, which defines the measures and methods for implementing the IB system for the organization's information systems. The second document, which all employees of the company are obliged to follow, is the Regulation on Information Security, approved at the level of the board of directors or the executive body.

In addition to the Regulation at company level, there are lists of information constituting trade secrets, annexes to employment contracts establishing liability for disclosing confidential data, and other standards and techniques. Internal norms and rules should contain implementation mechanisms and liability provisions. Most often the measures are disciplinary, and a violator should be prepared for significant sanctions for breaching the trade-secrecy regime, up to and including dismissal.

  • Organizational and administrative measures

Within administrative activities for IB protection, security service staff have room for creativity. These are the architectural and planning solutions that protect meeting rooms and executive offices from eavesdropping, and the establishment of different levels of access to information. Important organizational measures are certification of the company's activities under ISO/IEC 27000, certification of individual hardware and software complexes, attestation of subjects and objects for compliance with the necessary security requirements, and obtaining the licenses required to work with protected arrays of information.

From the point of view of regulating personnel activity, it is important to design a system of requests for access to the Internet, external e-mail and other resources. A separate element is obtaining an electronic digital signature to enhance the security of financial and other information transmitted to state authorities over e-mail channels.

  • Moral and ethical measures

Moral and ethical measures determine a person's personal attitude to confidential information or information restricted in circulation. Raising employees' awareness of how threats affect the company's activities influences their degree of consciousness and responsibility. To deal with violations of the information regime, including, for example, sharing passwords, careless handling of media or disclosure of confidential data in private conversations, it is necessary to appeal to the employee's personal conscience. It is useful to establish performance indicators that depend on the employee's attitude to the corporate IB system.

Annotation: The lecture examines the basic concepts of information security and introduces the Federal Law "On Information, Information Technologies and Information Protection".

GOST "Protection of information. Basic terms and definitions" introduces the concept of information security as a state of protection of information in which its confidentiality, availability and integrity are ensured.

  • Confidentiality: the state of information in which access to it is possible only for subjects that have the right to it.
  • Integrity: the state of information in which it is not changed, or is changed only deliberately by subjects that have the right to do so.
  • Availability: the state of information in which subjects with the right of access can exercise that right freely.

Information security threats are a set of conditions and factors that create a potential or actually existing danger of a violation of information security. An attempt to realize a threat is called an attack, and the one who makes such an attempt is an attacker (intruder). Potential attackers are called threat sources.

A threat is a consequence of the presence of weak spots, or vulnerabilities, in the information system. Vulnerabilities may arise for various reasons, for example as a result of unintentional errors made by programmers when writing programs.

Threats can be classified by several criteria:

  • by the property of information (availability, integrity, confidentiality) against which the threat is primarily aimed;
  • by the component of the information system at which the threat is targeted (data, programs, equipment, supporting infrastructure);
  • by the method of implementation (accidental/deliberate, natural/man-made actions);
  • by the location of the threat source (inside/outside the IS).

Information security is a challenge whose solution requires a comprehensive approach. The following levels of information security are distinguished:

  1. legislative: laws, regulations and other documents of the Russian Federation and the international community;
  2. administrative: a set of measures taken locally by the organization's management;
  3. procedural: security measures implemented by people;
  4. software and technical: the information security tools themselves.

The legislative level is the basis for building an information protection system, since it provides the basic concepts of the subject area and determines the measure of punishment for potential intruders. This level plays a coordinating and guiding role and helps to maintain a negative (and punitive) attitude in society towards people who violate information security.

1.2. FZ "On Information, Information Technologies and Information Protection"

In Russian legislation the basic law in the field of information protection is the Federal Law "On Information, Information Technologies and Information Protection" of July 27, 2006, No. 149-FZ. The basic concepts and provisions enshrined in the law therefore require consideration.

The law regulates relations arising from:

  • the exercise of the right to seek, receive, transfer, produce and disseminate information;
  • the application of information technologies;
  • ensuring information protection.

The law provides basic definitions in the field of information protection. Here are some of them:

  • information: items of knowledge (messages, data), regardless of the form in which they are presented;
  • information technology: processes and methods for searching, collecting, storing, processing, providing and disseminating information, and the ways of carrying out such processes and methods;
  • information system: the set of information contained in databases together with the information technologies and technical means that ensure its processing;
  • owner of information: a person who independently created information or who, on the basis of a law or an agreement, obtained the right to permit or restrict access to information defined by any criteria;
  • information system operator: a citizen or legal entity engaged in operating an information system, including processing the information contained in its databases;
  • confidentiality of information: a mandatory requirement for a person who has gained access to certain information not to convey that information to third parties without the consent of its owner.

Article 4 of the Law formulates the principles of legal regulation of relations in the field of information, information technologies and information protection:

  1. freedom to seek, receive, transfer, produce and disseminate information by any lawful means;
  2. establishment of restrictions on access to information only by federal laws;
  3. openness of information on the activities of state bodies and local self-government bodies and free access to such information, except in cases established by federal laws;
  4. equality of the languages of the peoples of the Russian Federation in the creation and operation of information systems;
  5. ensuring the security of the Russian Federation in the creation and operation of information systems and the protection of the information contained in them;
  6. accuracy of information and timeliness of its provision;
  7. inviolability of private life, and inadmissibility of collecting, storing, using and disseminating information on a person's private life without that person's consent;
  8. inadmissibility of establishing, by regulatory legal acts, any advantages of some information technologies over others, unless the obligation to use certain information technologies for the creation and operation of state information systems is established by federal laws.

All information is divided into publicly available information and restricted-access information. Publicly available information includes generally known information and other information to which access is not restricted. The law defines the information to which access cannot be restricted, for example environmental information or information on the activities of state bodies. It stipulates that restriction of access to information is established by federal laws in order to protect the foundations of the constitutional system, morality, health, and the rights and legitimate interests of other persons, and to ensure the defense and security of the country. Compliance with the confidentiality of information to which access is restricted by federal laws is mandatory.

It is prohibited to require a citizen (individual) to provide information about his or her private life, including information constituting personal or family secrets, or to obtain such information against the will of the citizen (individual), unless otherwise provided by federal laws.

Depending on the procedure for its provision or distribution, information is divided into:

  1. freely distributed information;
  2. information provided by agreement of the persons participating in the relevant relationship;
  3. information that, in accordance with federal laws, is subject to provision or distribution;
  4. information whose distribution in the Russian Federation is restricted or prohibited.

The law establishes the equivalence of an electronic message signed with an electronic digital signature or another analogue of a handwritten signature and a document signed by hand.

The following definition of information protection is given: it is the adoption of legal, organizational and technical measures aimed at:

  1. ensuring the protection of information from unlawful access, destruction, modification, blocking, copying, provision, distribution and other unlawful actions regarding such information;
  2. compliance with the confidentiality of restricted-access information;
  3. realization of the right to access information.

In the cases established by the legislation of the Russian Federation, the owner of information and the operator of an information system must ensure:

  1. prevention of unauthorized access to information and (or) its transfer to persons not entitled to access it;
  2. timely detection of unauthorized access to information;
  3. prevention of adverse consequences of violations of the access procedure;
  4. prevention of impacts on technical means of information processing that disrupt their functioning;
  5. the possibility of immediate recovery of information modified or destroyed as a result of unauthorized access;
  6. continuous control over ensuring the level of information security.

Thus, the Federal Law "On Information, Information Technologies and Information Protection" creates the legal framework for information exchange in the Russian Federation and determines the rights and obligations of its subjects.

Information security policy

1. General provisions

This information security policy (hereinafter the Policy) defines the system of views on the problem of information security and is a systematic statement of the goals and objectives, as well as the organizational, technological and procedural aspects, of ensuring the security of the information infrastructure facilities, including the set of information centers, data banks and communication systems of the organization. The Policy is developed taking into account the requirements of current legislation of the Russian Federation, the near-term prospects for the development of the information infrastructure facilities, and the characteristics and capabilities of modern organizational and technical methods and of hardware and software for information protection.

The main provisions and requirements of the Policy apply to all structural divisions of the organization.

The Policy is the methodological basis for forming and conducting a unified policy in the field of information security of the information infrastructure, for making coordinated management decisions, for developing practical measures aimed at ensuring information security, and for coordinating the activities of the organization's structural divisions when creating, developing and operating information infrastructure objects in compliance with information security requirements.

The Policy does not regulate the organization of protection of premises, the safety and physical integrity of information infrastructure components, protection against natural disasters or failures of the power supply system, but it presupposes building the information security system on the same conceptual foundations as the organization's security system as a whole.

Implementation of the Policy is ensured by the relevant manuals, regulations, orders, instructions, guidelines and the information security assessment system in the organization.

The Policy uses the following terms and definitions:

Automated system (AS): a system consisting of personnel and a set of tools that automate their activities, which implements information technology for performing established functions.

Information infrastructure: the system of organizational structures that ensure the functioning and development of the information space and the means of information interaction. The information infrastructure includes the set of information centres, data and knowledge banks and communication systems, and provides consumers with access to information resources.

Information resources (IR): individual documents and individual sets of documents, as well as documents and sets of documents in information systems (libraries, archives, funds, databases and other information systems).

Information system: an information processing system together with the related organizational resources (human, technical, financial, etc.) that provide and distribute information.

Security: the state of protection of the organization's interests (goals) in the presence of threats.

Information security (IS): security with respect to threats in the information sphere. Protection is achieved by ensuring the set of IS properties of information assets: availability, integrity and confidentiality. The priority among the IS properties is determined by the value of the assets concerned for the organization's interests (goals).

Availability of information assets: the IS property of the organization whereby information assets are provided to an authorized user in the form and place the user needs, and at the time they are needed.

Integrity of information assets: the IS property of the organization whereby its information assets remain unchanged, or detected changes to them are corrected.

Confidentiality of information assets: the IS property of the organization whereby information assets are processed, stored and transmitted in such a way that they are accessible only to authorized users, system objects or processes.

Information security system (ISS): the combination of protective measures, protective tools and the processes of their operation, including resource and administrative (organizational) support.

Unauthorized access: access to information in violation of an employee's official authority; access to information closed to the public by persons who have no permission to access it; or access to information by a person who has the right to access it, in a volume exceeding what is necessary for the performance of official duties.

2. General information security requirements

The information security requirements determine the content and objectives of the organization's activities within the framework of the IS management processes.

These requirements are formulated for the following areas:

  • assignment and distribution of roles, and trust in personnel;
  • stages of the life cycle of information infrastructure facilities;
  • protection against unauthorized access (hereinafter: UA), access control and logging in automated systems, telecommunications equipment, automatic telephone exchanges, etc.;
  • antivirus protection;
  • use of Internet resources;
  • use of cryptographic information protection tools;
  • protection of personal data.

3. Objects to be protected

The main objects to be protected are:

  • information resources presented in the form of documents and data sets, regardless of the form and type of their presentation, including both restricted and open information;
  • the system for forming, distributing and using information resources: libraries, archives, databases and data banks, information technologies, regulations and procedures for collecting, processing, storing and transmitting information, and the technical and service personnel;
  • the information infrastructure, including systems for processing and analysing information, technical and software tools for its processing, transmission and display, including information exchange channels and telecommunications, information protection systems and tools, and the facilities and premises in which information infrastructure components are located.

3.1. Features of the automated system

Information of different categories circulates in the AS. Protected information may be shared by various users from various subnets of the unified corporate network.

In a number of subsystems, the AS provides for interaction with external organizations (state and commercial, Russian and foreign) over switched and dedicated communication channels using special means of information transmission.

The set of technical means of the AS includes data processing tools (workstations, database servers, mail servers, etc.), data exchange tools in local area networks with the possibility of access to global networks (cabling, bridges, gateways, modems, etc.), and data storage (including archiving) facilities.

The main features of the operation of the AS include:

  • the need to combine a large number of various technical means of processing and transmitting information into a single system;
  • a wide variety of tasks to be solved and types of data processed;
  • the combination in unified databases of information of various purpose, ownership and confidentiality levels;
  • the presence of connection channels to external networks;
  • continuity of operation;
  • the presence of subsystems with different security-level requirements physically combined into a single network;
  • a variety of categories of users and service personnel.

In general, the unified AS is a set of local area networks of the divisions, joined by telecommunications means. Each local area network combines a number of interrelated and interacting automated subsystems (technological areas) that solve the tasks of individual structural divisions of the organization.

The objects of informatization include:

  • technological equipment (computing, network and cabling equipment);
  • information resources;
  • software (operating systems, database management systems, system-wide and application software);
  • automated communication and data transmission systems (telecommunications means);
  • communication channels;
  • office premises.

3.2. Types of the organization's information assets to be protected

Information of various confidentiality levels circulates in the organization's subsystems, including restricted-distribution information (official, commercial, personal data) and open information.

The document flow of the AS contains:

  • payment orders and financial documents;
  • reports (financial, analytical, etc.);
  • personal account information;
  • personal data;
  • other restricted-distribution information.

All information circulating in the AS and contained in the following types of information assets is subject to protection:

  • information constituting commercial and official secrets, access to which is restricted by the organization as the owner of the information in accordance with the rights granted by the Federal Law "On Information, Informatization and Protection of Information" and the Federal Law "On Commercial Secrets";
  • personal data, access to which is restricted in accordance with the Federal Law "On Personal Data";
  • open information, with respect to ensuring its integrity and availability.

3.3. Categories of users of the automated system

The organization has a large number of categories of users and service personnel, who must have different authority to access the information resources of the AS:

  • ordinary users (end users, employees of the organization's divisions);
  • administrators of servers (file servers, application servers, database servers), local area networks and application systems;
  • system programmers (responsible for maintaining system-wide software) on servers and user workstations;
  • application software developers;
  • specialists in maintaining computing hardware;
  • information security administrators, and others.

3.4. Vulnerability of the main components of the automated system

The most vulnerable components of the AS are the networked workstations, the automated workplaces (hereinafter: AWP) of employees. From employees' AWPs, attempts may be made to gain unauthorized access to information or to perform unauthorized actions (unintentional and intentional) in the computer network. Violations of the hardware and software configuration of workstations and unlawful interference in their operation can lead to blocking of information, inability to solve important tasks on time, and failure of individual AWPs and subsystems.

Such network elements as dedicated file servers, database servers and application servers need special protection. Weaknesses in the mechanisms that mediate and control access to server resources may allow unauthorized access to protected information and impact on the operation of various subsystems. Both remote attempts (from network stations) and direct attempts (from the server console) to affect the operation of servers and their protection tools are possible.

Bridges, gateways, hubs, routers, switches and other network devices, channels and communications also need protection. They can be used by intruders to reconfigure and disrupt network operation, intercept transmitted information, analyse traffic and apply other methods of interfering with data exchange.

4. Basic principles of ensuring information security

4.1. General principles of secure operation

  • Timeliness of problem detection. The organization must detect in a timely manner problems potentially able to affect its business goals.
  • Predictability of problem development. The organization must identify the causal relationships of possible problems and on this basis build an accurate forecast of their development.
  • Assessment of the impact of problems on business goals. The organization must adequately assess the degree of impact of the identified problems.
  • Adequacy of protective measures. The organization must choose protective measures adequate to the threat and intruder models, taking into account the cost of implementing such measures and the size of the possible losses from realization of the threats.
  • Effectiveness of protective measures. The organization must effectively implement the protective measures adopted.
  • Use of experience in taking and implementing decisions. The organization must accumulate, generalize and use both its own experience and the experience of other organizations at all levels of decision-making and execution.
  • Continuity of the principles of secure operation. The organization must ensure that the principles of secure operation are implemented continuously.
  • Controllability of protective measures. The organization must apply only those protective measures whose correct operation can be verified, and must regularly assess the adequacy of the protective measures and the effectiveness of their implementation, taking into account the impact of the protective measures on the organization's business goals.

4.2. Special information security principles

  • The implementation of the special information security principles is aimed at raising the maturity level of the organization's IS management processes.
  • Definition of goals. The functional and IS goals and objectives of the organization must be explicitly defined in an internal document. Uncertainty leads to "blurring" of the organizational structure, staff roles and IS policies, and makes it impossible to assess the adequacy of the protective measures adopted.
  • Knowledge of customers and employees. The organization must possess information about its customers, carefully select staff (employees), and develop and maintain corporate ethics, which creates a favorable environment of trust for the organization's asset management activities.
  • Personification and adequate separation of roles and responsibilities. The responsibility of the organization's officials for decisions related to its assets must be personified and exercised primarily in the form of surety. It must be commensurate with the degree of influence on the organization's goals, be recorded in policies, and be controlled and improved.
  • Adequacy of roles to functions and procedures, and their comparability with the evaluation criteria and system. Roles must adequately reflect the functions performed and the procedures adopted in the organization for performing them. When assigning interrelated roles, the required sequence of their execution must be taken into account. A role must be consistent with the criteria for evaluating the effectiveness of its performance. The actual content and quality of the performance of a role are determined by the evaluation system applied to it.
  • Availability of services. The organization must ensure for its customers and counterparties the availability of services within the time limits established by the relevant contracts (agreements) and/or other documents.
  • Observability and evaluability of IS. Any proposed protective measures must be arranged so that the result of their application is clearly observable (transparent) and can be evaluated by the division of the organization that has the appropriate authority.

5. Goals and objectives of ensuring information security

5.1. Subjects of information relations in the automated system

The subjects of legal relations when using the AS and ensuring information security are:

  • the organization as the owner of information resources;
  • the divisions of the organization that ensure the operation of the AS;
  • employees of the organization's structural divisions, as users and providers of information in the AS in accordance with the functions assigned to them;
  • legal entities and individuals whose information is accumulated, stored and processed in the AS;
  • other legal entities and individuals involved in creating and operating the AS (developers of system components, organizations providing various services in the field of information technology, etc.).

The listed subjects of information relations are interested in ensuring:

  • confidentiality of a certain part of the information;
  • reliability (completeness, accuracy, adequacy, integrity) of information;
  • protection against the imposition of false (unreliable, distorted) information;
  • timely access to the necessary information;
  • delimitation of responsibility for violations of the legal rights (interests) of other subjects of information relations and of the established rules for handling information;
  • the ability to continuously control and manage information processing and transmission processes;
  • protection of part of the information from unlawful copying (protection of copyright, of the rights of the information owner, etc.).

5.2. The goal of ensuring information security

The main goal of ensuring information security is to protect the subjects of information relations from possible material, moral or other damage caused by accidental or deliberate unauthorized interference in the operation of the AS, or by unauthorized access to the information circulating in it and its unlawful use.

This goal is achieved by ensuring and continuously maintaining the following properties of the information and of the automated system that processes it:

  • availability of the processed information to registered users;
  • confidentiality of a certain part of the information stored, processed and transmitted over communication channels;
  • integrity and authenticity of the information stored, processed and transmitted over communication channels.

5.3. Information security objectives

To achieve the main goal of ensuring information security, the information security system of the AS must ensure the effective solution of the following tasks:

  • protection against interference in the operation of the AS by unauthorized persons;
  • delimitation of the access of registered users to the hardware, software and information resources of the AS, i.e. protection against unauthorized access;
  • logging of user actions when using protected AS resources in system journals, and periodic control of the correctness of user actions by analysis of the contents of these journals by specialists of the security divisions;
  • protection against unauthorized modification, integrity control (ensuring invariance) of the program execution environment, and its restoration in case of violation;
  • protection against unauthorized modification and integrity control of the software used in the AS, as well as protection of the system from the introduction of unauthorized programs, including computer viruses;
  • protection of information from leakage through technical channels during its processing, storage and transmission over communication channels;
  • protection of information stored, processed and transmitted over communication channels from unauthorized disclosure or distortion;
  • authentication of users participating in information exchange;
  • survivability of cryptographic information protection tools when part of the key system is compromised;
  • timely identification of sources of threats to information security, and of the causes and conditions conducive to damage to interested subjects of information relations, and creation of a mechanism for prompt response to threats to information security and negative trends;
  • creation of conditions for minimizing and localizing the damage caused by unlawful actions of individuals and legal entities, weakening the negative impact, and eliminating the consequences of information security violations.
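The task of logging user actions and periodically reviewing the journals against the authority actually granted is the one item in this list that reduces to a concrete procedure. The following is an added example, not part of the Policy or of any product it refers to: a review script that runs three checks a security division would perform over an access journal. The journal format, the account-to-role mapping and the allowed-operation matrix are assumptions constructed for illustration; a real deployment would take them from the organization's own journals and access-control documents.

```python
"""Periodic review of an AS access journal against the granted access authority.

Added example, not part of the policy: the journal format, the user-to-role
mapping and the allowed-operation matrix below are assumptions constructed
for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample journal (assumed format): timestamp, workstation, account,
# operation, optional resource, result.
SAMPLE_JOURNAL = """\
2024-03-04T09:01:12 ws-101 ivanov LOGIN OK
2024-03-04T09:03:40 ws-101 ivanov READ payments/PO-2211 OK
2024-03-04T09:05:02 ws-117 petrov LOGIN OK
2024-03-04T09:06:19 ws-117 petrov READ reports/Q1 OK
2024-03-04T09:07:55 ws-117 petrov READ hr/personal-data OK
2024-03-04T09:08:30 ws-117 petrov WRITE payments/PO-2212 OK
2024-03-04T09:10:03 ws-140 ivanov LOGIN OK
2024-03-04T09:10:30 ws-140 ivanov READ payments/PO-2213 OK
2024-03-04T09:12:01 ws-122 sidorov LOGIN FAIL
2024-03-04T09:12:20 ws-122 sidorov LOGIN FAIL
2024-03-04T09:12:44 ws-122 sidorov LOGIN FAIL
2024-03-04T09:13:05 ws-122 sidorov LOGIN OK
2024-03-04T09:15:00 ws-122 sidorov READ payments/PO-2214 OK
"""

# Assumed role assignments and the minimum authority each role needs:
# an (operation, resource prefix) pair not listed here is beyond authority.
ROLE_OF = {"ivanov": "operator", "sidorov": "operator", "petrov": "clerk"}
ALLOWED = {
    "operator": {("READ", "payments/"), ("WRITE", "payments/")},
    "clerk": {("READ", "reports/")},
}


def parse_line(line: str) -> dict:
    """Split one journal line into fields; LOGIN/LOGOUT lines carry no resource."""
    fields = line.split()
    if len(fields) == 5:
        ts, ws, user, op, status = fields
        res = ""
    elif len(fields) == 6:
        ts, ws, user, op, res, status = fields
    else:
        raise ValueError(f"unparseable journal line: {line!r}")
    return {"ts": datetime.fromisoformat(ts), "ws": ws, "user": user,
            "op": op, "res": res, "status": status}


def review_journal(journal: str, fail_threshold: int = 3,
                   fail_window: timedelta = timedelta(minutes=5),
                   session_window: timedelta = timedelta(hours=8)) -> list:
    """Return findings as (kind, account, detail, timestamp) tuples.

    beyond_authority        - an operation the account's role is not granted;
    concurrent_workstations - one account active on two workstations with no
                              LOGOUT in between (credential sharing or masquerade);
    auth_failure_burst      - fail_threshold LOGIN failures inside fail_window
                              (password guessing), reported once per burst.
    """
    findings = []
    active = {}                  # account -> (workstation, login time)
    failures = defaultdict(list)  # account -> recent failure timestamps
    for line in journal.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec["user"]
        if rec["op"] == "LOGIN":
            if rec["status"] == "FAIL":
                failures[user] = [t for t in failures[user]
                                  if rec["ts"] - t <= fail_window] + [rec["ts"]]
                if len(failures[user]) == fail_threshold:
                    findings.append(("auth_failure_burst", user, rec["ws"], rec["ts"]))
                continue
            prev = active.get(user)
            if prev and prev[0] != rec["ws"] and rec["ts"] - prev[1] < session_window:
                findings.append(("concurrent_workstations", user,
                                 f"{prev[0]} and {rec['ws']}", rec["ts"]))
            active[user] = (rec["ws"], rec["ts"])
        elif rec["op"] == "LOGOUT":
            active.pop(user, None)
        else:
            granted = ALLOWED.get(ROLE_OF.get(user, ""), set())
            if not any(rec["op"] == op and rec["res"].startswith(prefix)
                       for op, prefix in granted):
                findings.append(("beyond_authority", user,
                                 f"{rec['op']} {rec['res']}", rec["ts"]))
    return findings


if __name__ == "__main__":
    for kind, user, detail, ts in review_journal(SAMPLE_JOURNAL):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<24} {user:<8} {detail}")
```

On the constructed journal the review reports petrov reading personal data and writing a payment order outside the clerk role, ivanov's account active on two workstations without a logout (the "fraudster" pattern of using a colleague's credentials), and a burst of failed logins on sidorov's account. Note that an operation a role is granted is not flagged even when the resource is sensitive: the matrix, not the reviewer's intuition, is the reference, which is why the matrix itself must be kept minimal and current.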

5.4. Ways of solving the information security objectives

The information security objectives are achieved by:

  • strict inventory of all system resources to be protected (information, tasks, communication channels, servers, AWPs);
  • regulation of the information processing procedures and of the actions of employees of the organization's structural divisions, as well as of the personnel servicing and modifying the software and hardware of the AS, on the basis of organizational and administrative documents on information security;
  • completeness, practical feasibility and consistency of the requirements of the organizational and administrative documents on information security;
  • appointment and training of employees responsible for organizing and implementing practical measures to ensure information security;
  • granting each employee the minimum access authority to AS resources necessary to perform their functional duties;
  • clear knowledge of, and strict compliance with, the requirements of the organizational and administrative documents on information security by all employees using and servicing the hardware and software of the AS;
  • personal responsibility of each employee who participates, within their functional duties, in automated information processing and has access to AS resources, for their actions;
  • implementation of information processing workflows using complexes of organizational and technical measures for protecting software, hardware and data;
  • adoption of effective measures to ensure the physical integrity of hardware and continuous maintenance of the required level of protection of AS components;
  • application of technical (hardware and software) means of protecting system resources and continuous administrative support for their use;
  • delimitation of information flows and prohibition of transmitting restricted-distribution information over unprotected communication channels;
  • effective control over compliance with information security requirements;
  • constant monitoring of network resources, identification of vulnerabilities, timely detection and neutralization of external and internal threats to the computer network;
  • legal protection of the organization's interests against unlawful actions in the field of information security;
  • continuous analysis of the effectiveness and adequacy of the measures taken and of the information protection tools applied, and development and implementation of proposals for improving the information protection system in the AS.

6. Threats to information security

6.1. Threats to information security and their sources

The most dangerous threats to the security of information processed in the AS are:

  • violation of confidentiality (disclosure, leakage) of information constituting official or commercial secrets, including personal data;
  • loss of operability (disruption) of the AS, blocking of information, disruption of technological processes, failure to solve tasks on time;
  • violation of the integrity (distortion, substitution, destruction) of information, software and other AS resources.

The main sources of threats to the information security of the AS are:

  • adverse events of natural and man-made origin;
  • terrorists and criminal elements;
  • computer attackers carrying out targeted destructive actions, including through the use of computer viruses and other kinds of malicious code and attacks;
  • suppliers of software, hardware, consumables, services, etc.;
  • contractors performing installation, commissioning and repair of equipment;
  • non-compliance with the requirements of supervisory and regulatory bodies and of current legislation;
  • failures, malfunctions, destruction of or damage to software and hardware;
  • employees who are legitimate participants in the processes of the AS and act outside the scope of the authority granted to them;
  • employees who are legitimate participants in the processes of the AS and act within the scope of the authority granted to them.

6.2. Unintentional actions leading to information security violations, and measures to prevent them

Employees of the organization who have direct access to information processing are a potential source of unintentional, accidental actions that can lead to information security violations.

The main unintentional actions leading to information security violations (actions performed by people accidentally, through ignorance, inattention or negligence, or out of curiosity, but without malicious intent), and the measures to prevent such actions and minimize the damage they cause, are given in Table 1.

Table 1. Main unintentional actions leading to information security violations, and measures to prevent them

Action: Actions of employees leading to partial or complete failure of the system or to impaired operation of hardware or software; disabling equipment or changing the operating modes of devices and programs; destruction of system information resources (unintentional damage to equipment, deletion or corruption of programs or files containing important information, including system information, damage to communication channels, unintentional damage to storage media, etc.).
Measures: organizational measures; use of physical means that impede the unintentional commission of violations; application of technical (hardware and software) means of controlling access to resources; redundancy of critical resources.

Action: Unauthorized launch of programs which, if used incompetently, can cause loss of system operability (hanging or looping) or irreversible changes in the system (formatting or repartitioning of storage media, deletion of data, etc.).
Measures: organizational measures (removal of all potentially dangerous programs from AWPs); application of technical (hardware and software) means of controlling access to programs on AWPs.

Action: Unauthorized installation and use of unaccounted programs (games, training, technological and other programs not needed by employees for their official duties), with subsequent unjustified consumption of resources (processor time, RAM, space on external media, etc.).
Measures: organizational measures (introduction of prohibitions); application of technical (hardware and software) means that prevent the unauthorized installation and use of unaccounted programs.

Action: Unintentional infection of a computer with viruses.
Measures: organizational measures (regulation of actions, introduction of prohibitions); technical measures (use of specialized antivirus software for detecting and removing viruses); use of hardware and software that impede infection with computer viruses.

Action: Disclosure, transfer or loss of access control attributes (passwords, encryption or electronic signature keys, identification cards, passes, etc.).
Measures: organizational measures (regulation of actions, introduction of prohibitions, increased responsibility); use of physical means to ensure the safekeeping of these attributes.

Action: Ignoring organizational restrictions (established rules) when working in the system.
Measures: organizational measures; use of additional physical and technical means of protection.

Action: Incompetent use, configuration or unlawful disabling of protection tools by personnel of the security divisions.
Measures: organizational measures (staff training, increased responsibility and control).

Action: Entry of erroneous data.
Measures: organizational measures (increased responsibility and control); technical measures for controlling the errors of data entry operators.

6.3. Intentional actions violating information security, and measures to prevent them

The main intentional actions (for mercenary purposes, under duress, out of a desire for revenge, etc.) resulting in violations of the information security of the AS, and the measures to prevent them and reduce possible damage, are given in Table 2.

Table 2. Main intentional actions leading to information security violations, and measures to prevent threats and minimize damage

Action: Physical destruction or disabling of all or of the individual most important components of the automated system (devices, carriers of important system information, persons from among the personnel, etc.); disconnection or disabling of the subsystems that ensure the operation of the computing systems (power supply, communication lines, etc.).
Measures: organizational measures (regulation of actions, introduction of prohibitions); use of physical means that prevent the intentional commission of violations; redundancy of critical resources.

Action: Introduction of agents among the system's personnel (including the administrative group responsible for security); recruitment (by bribery, blackmail, threats, etc.) of users who have certain authority to access protected resources.
Measures: organizational measures (selection, placement and management of personnel, increased control and responsibility); automatic logging of personnel actions.

Action: Theft of information carriers (printouts, magnetic disks, tapes, storage devices and whole PCs); theft of production waste (printouts, records, decommissioned media, etc.).
Measures: organizational measures.

Action: Unauthorized copying of information carriers; reading of residual information from RAM and from external storage devices.
Measures: organizational measures (organization of the storage and use of carriers with protected information); application of technical means of controlling access to protected resources, and automatic logging of the production of hard copies of documents.

Action: Unlawful obtaining of passwords and other access control credentials (by exploiting user negligence, by guessing, by spoofing the system interface with implanted software, etc.) with subsequent masquerading as a registered user.
Measures: organizational measures (regulation of actions, introduction of prohibitions, work with personnel); use of technical means that impede the operation of programs that intercept passwords, keys and other credentials.

Action: Unauthorized use of workstations that have unique physical characteristics, such as the station's number on the network, its physical address, its address in the communication system, a hardware encryption unit, etc.
Measures: organizational measures (strict regulation of access to the premises and of admission to work on the given AWPs); use of physical and technical means of access control.

Action: Unauthorized modification of software: the introduction of software implants and viruses ("Trojan horses", backdoors), i.e. sections of programs that are not needed for the declared functions but allow the protection system to be bypassed and system resources to be accessed covertly and unlawfully in order to record and transmit protected information or to disrupt the operation of the system.
Measures: organizational measures (strict regulation of access); use of physical and technical means of access control and of preventing unauthorized modification of the hardware and software configuration of AWPs; application of program integrity monitoring tools.

Action: Interception of data transmitted over communication channels and its analysis to obtain confidential information and to work out the exchange protocols, the rules for entering the network and user authorization, with subsequent attempts to imitate them in order to penetrate the system.
Measures: physical protection of communication channels; use of cryptographic tools for protecting transmitted information.

Action: Interference in the operation of the system from public networks with the aim of unauthorized data modification, access to confidential information, disruption of subsystems, etc.
Measures: organizational measures (regulation of connection to and work in public networks); application of special technical protection tools (firewalls, tools for monitoring security and detecting attacks on system resources, etc.).
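The "program integrity monitoring tools" named against the software-modification row of Table 2 (and against the unaccounted-programs row of Table 1, and objectives 5.3 on integrity control of the execution environment) are the most mechanical control in these tables, so one concrete form is worth showing. The following is an added example, not code from the Policy or from any product: a keyed integrity baseline over a program directory. A plain list of hashes can be recomputed by whoever altered a file; tagging each file with HMAC-SHA256 under a key that the security administrator keeps off the workstation means an intruder who changes a module cannot also bring the baseline back into agreement. Paths, file contents and the key are constructed for illustration.

```python
"""Keyed integrity baseline for the program execution environment.

Added example, not part of the policy. Paths, file contents and the key are
constructed here for illustration; the key is assumed to be held by the
security administrator rather than stored on the workstation being checked.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def file_tag(path: Path, key: bytes) -> str:
    """HMAC-SHA256 over the file contents, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root: Path, key: bytes) -> dict:
    """Map every regular file under root (relative POSIX path) to its tag."""
    return {p.relative_to(root).as_posix(): file_tag(p, key)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, key: bytes, baseline: dict) -> dict:
    """Compare the current state of root against the recorded baseline.

    modified: recorded files whose tag no longer matches (e.g. an implant);
    added:    files absent from the baseline (unaccounted programs);
    missing:  recorded files that are gone (deletion or substitution).
    """
    current = build_baseline(root, key)
    return {
        "modified": sorted(n for n in baseline if n in current
                           and not hmac.compare_digest(current[n], baseline[n])),
        "added": sorted(n for n in current if n not in baseline),
        "missing": sorted(n for n in baseline if n not in current),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline of a small program directory,
    then alter one module and drop in an unrecorded program."""
    key = os.urandom(32)   # assumed to live with the security administrator
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "pay.exe").write_bytes(b"MZ original payment module")
        (root / "bin" / "report.exe").write_bytes(b"MZ reporting module")
        baseline = build_baseline(root, key)
        # Tampering after the baseline was taken.
        (root / "bin" / "pay.exe").write_bytes(b"MZ payment module + implant")
        (root / "bin" / "game.exe").write_bytes(b"MZ unaccounted program")
        return verify(root, key, baseline)


if __name__ == "__main__":
    print(demo())   # {'modified': ['bin/pay.exe'], 'added': ['bin/game.exe'], 'missing': []}
```

The baseline must be taken from a state that is known to be clean (immediately after controlled installation) and re-taken only through the change-control procedure; otherwise the tool merely records whatever was already on the workstation, implants included. `hmac.compare_digest` is used for the comparison so that the check itself does not leak how much of a tag matched.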

6.4. Leakage of information through technical channels

During the operation of technical equipment, the following channels of information leakage, violation of information integrity, or disruption of the operability of technical equipment are possible:

  • spurious electromagnetic emissions of the informative signal from technical equipment and information transmission lines;
  • pickup of the informative signal processed by computing equipment onto wires and lines that extend beyond the controlled area of the offices, including grounding and power supply circuits;
  • various electronic devices for intercepting information (including hardware implants) connected to communication channels or to technical means of information processing;
  • viewing of information from display screens and other display devices by optical means;
  • actions against hardware or software aimed at violating the integrity (destruction, distortion) of information, the operability of technical equipment and information protection tools, and the timeliness of information exchange, including electromagnetic actions and actions through specially embedded electronic and software implants.

Taking into account the specifics of the processing of confidential information (including personal data) and of ensuring its security, threats of its leakage through technical channels are considered not relevant for the organization.

6.5. Informal model of a probable violator

The violator is a person who has attempted to perform prohibited operations ( action) by mistake, ignorance or consciously with malicious intent ( from mercenary interests) or without that ( for the sake of play or pleasure, with the aim of self-affirmation, etc.) and uses various opportunities for this, methods and means.

The AC protection system should be based on assumptions about the following possible types of violators in the system ( taking into account the category of persons, motivation, qualifications, availability of special means, etc.):

  • "Inexperienced (inattentive) user": an employee who may attempt to perform prohibited operations, access protected AS resources beyond their authority, enter incorrect data and the like, by mistake, incompetence or negligence, without malicious intent and using only the regular hardware and software available to them.
  • "Amateur": an employee who tries to overcome the protection system without self-interested goals or malicious intent, for self-affirmation or out of "sporting interest". To overcome the protection system and perform prohibited actions, they may use various methods of obtaining additional access to resources (names, passwords, etc. of other users), shortcomings in the design of the protection system, and the regular programs available to them (installed on the workstation), i.e. unauthorized actions by exceeding their authority to use permitted means. In addition, they may try to use non-standard instrumental and technological software (debuggers, utilities), programs they developed themselves, or additional standard technical means.
  • "Fraudster": an employee who may attempt to perform illegal technological operations, enter false data and similar actions for self-interested purposes, under coercion or out of malice, but using only the regular hardware and software (installed on the workstation and available to them), acting on their own behalf or on behalf of another employee (knowing that employee's name and password, exploiting their short absence from the workplace, etc.).
  • "External intruder (attacker)": an outsider or a former employee acting purposefully out of self-interest, revenge or curiosity, possibly in collusion with other persons. They may use the full range of ways to violate information security and the methods and means of breaking protection systems typical of public networks (in particular, IP-based networks), including remote installation of software implants (backdoors) and the use of special instrumental and technological programs exploiting weaknesses in the exchange protocols and network protection systems of the organization's AS.
  • "Internal malefactor": an employee registered as a user of the system who acts purposefully out of self-interest or revenge, possibly in collusion with persons who are not employees of the organization. They may use the full range of methods and means of breaking the protection system, including agent-based methods of obtaining access credentials, passive means (technical interception without modifying system components), methods and means of active impact (modification of technical means, connection to data transmission channels, installation of software implants and the use of special instrumental and technological programs), as well as combinations of impacts from the inside and from public networks.

An internal intruder may be a person from any of the following personnel categories:

  • registered end users (employees of divisions and branches);
  • employees not admitted to work with the AS;
  • personnel servicing the technical equipment of the AS (engineers, technicians);
  • employees of software development and maintenance departments (application and system programmers);
  • technical staff servicing the organization's buildings and facilities (cleaners, electricians, plumbers and other workers who have access to the buildings and rooms where AS components are located);
  • managers of various levels;
  • dismissed employees;
  • representatives of organizations that interact with the organization on matters of supporting its operations (energy, water, heat supply, etc.);
  • representatives of firms supplying equipment, software, services, etc.;
  • members of criminal organizations and competing commercial structures, or persons acting on their instructions;
  • persons who accidentally or deliberately penetrate the network from external networks ("hackers").

Users and service personnel have the widest opportunities to carry out unauthorized actions, owing to their defined authority to access resources and their good knowledge of the information processing technology. The actions of this group of intruders are directly related to violating existing rules and instructions. This group is particularly dangerous when it interacts with criminal structures.

Dismissed employees can use their knowledge of the work technology, the protective measures and the access rights.

Criminal structures represent the most aggressive source of external threats. To carry out their plans, these structures may openly break the law and involve the organization's employees in their activities by every means available to them.

Hackers have the highest technical qualifications and knowledge of the weaknesses of the software used in the AS. They represent the greatest threat when interacting with current or dismissed employees and with criminal structures.

Organizations involved in developing, supplying and repairing equipment and information systems represent an external threat because they periodically have direct access to information resources. Criminal structures can use such organizations to place their members temporarily in jobs there in order to gain access to protected information.

7. Technical policy in the field of information security

7.1. Basic Terms of Technical Policy

The technical information security policy should be implemented on the premise that the required level of information security cannot be achieved by any single measure (activity), nor by a simple aggregate of measures. They must be systematically coordinated with one another (applied comprehensively), and the individual elements of the AS being developed should be considered as parts of a unified information system in protected execution, with an optimal ratio of technical (hardware, software) means to organizational measures.

The main direction for implementing the technical information security policy is to protect information resources from theft, loss, leakage, destruction, distortion or forgery caused by unauthorized access and special impacts.

Within these directions of the technical security policy, the following is carried out:

  • implementation of a permission system for admitting performers (users, service personnel) to work, documents and confidential information;
  • restriction of access by performers and unauthorized persons to the buildings and premises where confidential work is carried out and where confidential information is processed (stored, transmitted) by informatization and communication means, and directly to those means;
  • delimitation of access by users and service personnel to information resources, information processing software and information protection software in subsystems of various levels and purposes included in the AS;
  • accounting of documents and information arrays, registration of the actions of users and service personnel, control over unauthorized access and the actions of users, service personnel and unauthorized persons;
  • prevention of the introduction of viruses and software implants into automated subsystems;
  • cryptographic protection of information processed and transmitted by computing and communication equipment;
  • reliable storage of machine media and cryptographic keys (key information) and control of their circulation, excluding theft, substitution and destruction;
  • necessary redundancy of technical means and duplication of information arrays and media;
  • reduction of the level and informativeness of spurious emissions and pickups created by the various elements of automated subsystems;
  • electrical isolation of the power supply, grounding and other circuits of informatization objects that extend beyond the controlled zone;
  • countering optical and laser observation means.

7.2. Formation of information security mode

Taking into account the relevant security threats, the information security regime should be formed as a set of methods and measures to protect the circulating information and its supporting infrastructure from accidental or deliberate impacts of natural or artificial origin that cause damage to the owners or users of the information.

The set of measures for forming the information security regime includes:

  • establishment in the AS of an organizational and legal information security regime (regulatory documents, work with personnel, records management);
  • implementation of organizational and technical measures to protect restricted information from leakage via technical channels;
  • organizational and software/technical measures to prevent unauthorized actions (access) against the information resources of the AS;
  • a set of measures to monitor the functioning of the means and systems protecting restricted information resources after accidental or deliberate impacts.

8. Measures, methods and means of ensuring information security

8.1. Organizational measures

Organizational measures are measures that regulate the processes of the AS's functioning, the use of its resources, the activities of the service personnel, and the procedure for users' interaction with the system, so as to make it as difficult as possible or impossible to realize security threats and to reduce the amount of damage if they are realized.

8.1.1. Formation of security policies

The main goal of organizational measures is to form a policy in the field of information security that reflects the approaches to information protection, and to ensure its implementation by allocating the necessary resources and monitoring the state of affairs.

From a practical standpoint, it is appropriate to consider the security policy at two levels. The top level includes decisions affecting the activities of the organization as a whole. Examples of such decisions are:

  • formation or revision of a comprehensive information security program, and designation of those responsible for its implementation;
  • formulation of goals, setting of tasks, and determination of the areas of information security activity;
  • decisions on implementing the security program that are considered at the level of the organization as a whole;
  • provision of a regulatory (legal) basis for security issues, etc.

The lower-level policy defines the procedures and rules for achieving the goals and solving the information security tasks, and details (regulates) these rules:

  • what the scope of the information security policy is;
  • what the roles and responsibilities of the officials responsible for implementing the information security policy are;
  • who has access rights to restricted information;
  • who may read and modify information, and under what conditions, etc.

The low-level policy should:

  • provide for regulations on information relations that exclude the possibility of arbitrary, monopolistic or unauthorized actions against confidential information resources;
  • define coalition and hierarchical principles and methods for separating secrets and delimiting access to restricted information;
  • select software and hardware tools for cryptographic protection, protection against unauthorized access (NSD), authentication, authorization, identification and other protective mechanisms that guarantee the realization of the rights and responsibilities of the subjects of information relations.

8.1.2. Regulation of access to technical means

Protected automated workstations (AWS) and servers of the Bank should be operated in premises equipped with reliable automatic locks and alarm systems and kept under constant guard or observation, excluding the possibility of uncontrolled entry by unauthorized persons and ensuring the physical safety of the protected resources located there (workstations, documents, access credentials, etc.). The placement and installation of the technical means of such workstations should exclude the possibility of entered (displayed) information being viewed by persons who have no relation to it. Cleaning of premises with such equipment installed should be carried out in the presence of the person responsible for the equipment, or of the division's duty officer, observing measures that exclude access by unauthorized persons to the protected resources.

During the processing of restricted information, only personnel admitted to work with that information should be present in the premises.

At the end of the working day, premises with protected workstations installed should be handed over to security.

For storing official documents and machine media with protected information, employees are provided with metal cabinets, as well as means of destroying documents.

Technical means that are used for processing or storing confidential information should be sealed.

8.1.3. Regulation of admission of workers to the use of information resources

Within the permission-based admission system, the following is established: who may grant what information, to whom, for what type of access and under what conditions; and an access separation system, which implies defining, for all users of the AS, the information and software resources available to them for specific operations (reading, writing, modification, deletion, execution) by means of the specified software and hardware access control tools.

Admission of employees to work with the AS and access to its resources should be strictly regulated. Any changes in the composition and privileges of users of the AS subsystems should be made in accordance with the established procedure.

The main users of information in the AS are employees of the organization's structural divisions. The level of privileges of each user is determined individually, observing the following requirements:

  • open and confidential information are placed, where possible, on different servers;
  • each employee enjoys only the rights prescribed to them in relation to the information they need to work with in accordance with their official duties;
  • a manager has the right to view the information of their subordinates;
  • the most critical technological operations should be carried out under the "two-hands" rule: the correctness of the information entered is confirmed by another official who does not have the right to enter the information.
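Added example (not part of the original policy): an authorization model covering the second, third and fourth requirements above, namely per-duty rights only, a manager's view of subordinates' information, and the "two-hands" rule. The employee names, the org chart and the operation names are constructed.

```python
"""Constructed authorization model for section 8.1.3 (added example)."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Employee:
    name: str
    manager: Optional[str]   # name of the direct superior, None for the top manager
    rights: frozenset        # only the rights prescribed by official duties

# Constructed org chart: 'ivanov' manages 'petrov' and 'sidorova'.
# 'petrov' may enter payments, 'sidorova' may only confirm them.
STAFF = {
    "ivanov":   Employee("ivanov",   None,     frozenset({"read:own"})),
    "petrov":   Employee("petrov",   "ivanov", frozenset({"read:own", "enter:payment"})),
    "sidorova": Employee("sidorova", "ivanov", frozenset({"read:own", "confirm:payment"})),
}

def is_subordinate(boss: str, employee: str) -> bool:
    """True if `employee` reports (directly or transitively) to `boss`."""
    cur = STAFF[employee].manager
    while cur is not None:
        if cur == boss:
            return True
        cur = STAFF[cur].manager
    return False

def may_view(viewer: str, owner: str) -> bool:
    """An employee may view their own information (if that right is prescribed);
    a manager may additionally view the information of their subordinates."""
    if viewer == owner:
        return "read:own" in STAFF[viewer].rights
    return is_subordinate(viewer, owner)

@dataclass
class CriticalOperation:
    """An operation under the two-hands rule: entered by one official and confirmed
    by a different official who has no right to enter such operations."""
    kind: str
    entered_by: Optional[str] = None
    confirmed_by: Optional[str] = None
    payload: dict = field(default_factory=dict)

def enter(op: CriticalOperation, user: str, payload: dict) -> None:
    if f"enter:{op.kind}" not in STAFF[user].rights:
        raise PermissionError(f"{user} may not enter {op.kind}")
    op.entered_by = user
    op.payload = dict(payload)
    op.confirmed_by = None            # any re-entry invalidates a prior confirmation

def confirm(op: CriticalOperation, user: str) -> None:
    if op.entered_by is None:
        raise ValueError("nothing to confirm")
    if user == op.entered_by:
        raise PermissionError("the same person cannot both enter and confirm")
    rights = STAFF[user].rights
    # The confirmer must hold the confirm right and must NOT hold the entry right.
    if f"confirm:{op.kind}" not in rights or f"enter:{op.kind}" in rights:
        raise PermissionError(f"{user} may not confirm {op.kind}")
    op.confirmed_by = user

def is_executable(op: CriticalOperation) -> bool:
    """Only an entered and independently confirmed operation may be executed."""
    return op.entered_by is not None and op.confirmed_by is not None
```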

All employees admitted to work with the AS, and the AS service personnel, should bear personal responsibility for violating the established procedure for automated information processing and the rules for storing, using and transmitting the protected system resources at their disposal. On hiring, each employee should sign an undertaking to comply with the requirements for preserving confidential information, to accept responsibility for violating them, and to follow the rules for working with the information protected in the AS.

Processing of protected information in the AS subsystems should be carried out in accordance with the approved technological instructions (procedures) for those subsystems.

For users of protected workstations, the necessary technological instructions, including information security requirements, should be developed.

8.1.4. Regulation of database management and modification of information resources

All operations for maintaining databases in the AS, and the admission of employees to work with these databases, should be strictly regulated. Any changes in the composition and privileges of users of the AS databases should be made in accordance with the established procedure.

Assignment of names, generation of passwords and maintenance of the access delimitation rules for databases are the responsibility of employees of the Information Technology Department. Both the standard and additional protection facilities of the DBMS and operating systems may be used for this.

8.1.5. Regulation of maintenance and implementation of hardware and software modifications

The system resources to be protected (tasks, programs, workstations) are subject to strict accounting (based on the relevant forms or specialized databases).

The hardware and software configuration of automated workstations on which protected information is processed, or from which access to protected resources is possible, must correspond to the functional duties of the users of that workstation. All unused (extra) I/O devices (COM, USB and LPT ports, floppy drives, CD drives and other media) should be disabled (removed), and software and data not needed for the work should also be removed from the workstation.

To simplify maintenance, servicing and the organization of protection, workstations should be equipped with software and configured in a uniform manner (in accordance with the established rules).

Commissioning of new workstations, and all changes in the hardware and software configuration of existing workstations in the organization's AS, should be carried out only in accordance with the established procedure.

All software (developed by the organization's specialists, or obtained or purchased from manufacturers) must be tested in the established manner and transferred to the organization's program depository. Only software obtained from the depository in the established manner should be installed and used in the AS subsystems. The use of software not registered in the program depository should be prohibited.

Software development, testing of developed and acquired software, and the transfer of software into operation should be carried out in accordance with the established procedure.

8.1.6. Preparation and training of users

Before being granted access to the AS, its users, as well as management and service personnel, should be familiarized with the list of confidential information and their level of authority, and with the organizational, administrative, regulatory, technical and operational documentation that defines the requirements and procedure for processing such information.

Protecting information in all the listed areas is possible only after a certain discipline has been developed among users, i.e. norms that everyone working with the AS is required to follow. Such norms include the prohibition of any intentional or unintentional actions that disrupt the normal operation of the AS, cause additional expenditure of resources, violate the integrity of stored and processed information, or infringe the interests of legitimate users.

All employees using specific AS subsystems must be familiarized with the organizational and administrative documents on the protection of the AS in the part that concerns them, and must know and strictly follow the technological instructions and general responsibilities for ensuring information security. Bringing the requirements of these documents to the attention of persons admitted to the processing of protected information should be done by the heads of the divisions.

8.1.7. Responsibility for violation of information security requirements

For every serious violation of information security requirements by the organization's employees, an internal investigation should be conducted, and appropriate measures should be applied to those at fault. The measure of personnel responsibility for actions committed in violation of the established rules for secure automated information processing should be determined by the damage caused, the presence of malicious intent and other factors.

To implement the principle of users' personal responsibility for their actions, it is necessary to ensure:

  • individual identification of users and the processes they initiate, i.e. assigning them an identifier on the basis of which access is granted in accordance with the principle of justified access;
  • user authentication (confirmation of identity) based on passwords, keys on various physical media, etc.;
  • registration (logging) of the operation of the mechanisms controlling access to information system resources, indicating the date and time, the identifiers of the requesting and requested resources, the type of interaction and its result;
  • reaction to attempts at unauthorized access (alarm, blocking, etc.).

8.2. Technical means of protection

Technical (hardware and software) protection means are various electronic devices and special programs that are part of the AS and perform (independently or together with other means) protection functions (user identification and authentication, delimitation of access to resources, event registration, cryptographic information protection, etc.).

Taking into account all the requirements and principles for ensuring the security of information in the AS in all areas of protection, the protection system must include the following means:

  • means of authenticating users and AS elements (terminals, tasks, database elements, etc.) corresponding to the degree of confidentiality of the information and data processed;
  • means of delimiting access to data;
  • means of cryptographic protection of information in data transmission lines and databases;
  • means of registering the circulation of, and controlling the use of, protected information;
  • means of responding to detected unauthorized access or attempts at it;
  • means of reducing the level and informativeness of spurious emissions and pickups;
  • means of protection against optical surveillance;
  • means of protection against viruses and malicious programs;
  • means of electrical isolation both of the elements of the AS and of the structural elements of the premises in which the equipment is located.

The technical means of protection against unauthorized access are intended to solve the following main tasks:

  • identification and authentication of users by names and/or special hardware (Touch Memory, smart cards, etc.);
  • regulation of user access to the physical devices of the workstation (disks, I/O ports);
  • selective (discretionary) access control to logical disks, directories and files;
  • authority-based (mandatory) access control to protected data on the workstation and on the file server;
  • creation of a closed software environment of programs allowed to run, located on both local and network drives;
  • protection against the penetration of computer viruses and malicious programs;
  • monitoring the integrity of the protection system modules, the system areas of the disk and arbitrary lists of files, both automatically and on administrator command;
  • registration of user actions in a protected log, with several levels of registration;
  • protection of the protection system's own data on the file server from access by all users, including network administrators;
  • centralized management of the settings of the access delimitation means on network workstations;
  • registration of all unauthorized access events occurring on workstations;
  • operational control over the work of network users, changing the operating modes of workstations, and the ability to block any network station (if necessary).

Successful application of the technical means of protection assumes that the requirements listed below are fulfilled by organizational measures and by the physical means of protection used:

  • the physical integrity of all AS components is ensured;
  • each employee (system user) has a unique system name and only the minimum authority to access system resources needed to perform their functional duties;
  • the use on workstations of instrumental and technological programs (test utilities, debuggers, etc.) that allow attempts to break or bypass the protection means is limited and strictly regulated;
  • there are no programming users in the protected system; development and debugging of programs are carried out outside the protected system;
  • all changes in the configuration of hardware and software are made strictly in accordance with the established procedure;
  • network hardware (hubs, switches, routers, etc.) is located in places inaccessible to outsiders (special premises, cabinets, etc.);
  • the information security service provides continuous management and administrative support for the functioning of the information protection means.

8.2.1. Means of identification and user authentication

To prevent unauthorized persons from accessing the AS, the system must be able to recognize each legitimate user (or limited group of users). For this, a number of attributes of each user, by which that user can be identified, must be stored in the system (in a protected place). Subsequently, when logging into the system, and if necessary when performing certain actions in it, the user is obliged to identify themselves, i.e. to present the identifier assigned to them in the system. In addition, various kinds of devices can be used for identification: magnetic cards, key inserts, floppy disks, etc.

User authentication (confirmation of authenticity) should be carried out on the basis of passwords (secret words) or special authentication means that use unique characteristics (parameters) of users.

8.2.2. Means of delimiting access to automated system resources

After recognizing the user, the system must authorize them, i.e. determine what rights are granted to the user: what data they may use and how, which programs they may run, when, for how long and from which terminals they may work, which system resources they may use, etc. User authorization should be carried out using the following access delimitation mechanisms:

  • discretionary access control mechanisms based on attribute schemes, permission lists, etc.;
  • mandatory access control mechanisms based on the confidentiality levels of resources and the clearance levels of users;
  • mechanisms providing a closed environment of trusted software (individual lists of programs allowed to run for each user), supported by the user identification and authentication mechanisms at login.
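Added example (not part of the original policy): one authorization decision that combines the three mechanisms above, a discretionary permission list, a mandatory check of the resource's confidentiality label against the user's clearance, and a per-user list of programs allowed to run. The users, files, labels and program names are constructed; the "no write down" rule for the mandatory part is the Bell-LaPadula *-property, an assumption beyond the text.

```python
"""Constructed combination of discretionary, mandatory and closed-environment
access control for section 8.2.2 (added example)."""
from enum import IntEnum

class Level(IntEnum):
    """Constructed confidentiality / clearance lattice (higher = more restricted)."""
    OPEN = 0
    INTERNAL = 1
    CONFIDENTIAL = 2

# Discretionary part: a permission list per object.
ACL = {
    "/data/rates.txt":  {"alice": {"read", "write"}, "bob": {"read"}},
    "/data/clients.db": {"alice": {"read"}},
}
# Mandatory part: confidentiality labels on objects, clearance levels on users.
LABEL = {"/data/rates.txt": Level.INTERNAL, "/data/clients.db": Level.CONFIDENTIAL}
CLEARANCE = {"alice": Level.CONFIDENTIAL, "bob": Level.INTERNAL}
# Closed software environment: programs each user is allowed to start.
ALLOWED_PROGRAMS = {"alice": {"editor", "report"}, "bob": {"report"}}

def dac_permits(user: str, obj: str, op: str) -> bool:
    """Discretionary check: the operation must appear in the object's permission list."""
    return op in ACL.get(obj, {}).get(user, set())

def mac_permits(user: str, obj: str, op: str) -> bool:
    """Mandatory check: 'no read up' (clearance must dominate the label) and,
    as an assumption beyond the text, 'no write down' (*-property)."""
    if user not in CLEARANCE or obj not in LABEL:
        return False                      # unlabelled subjects/objects are denied
    clearance, label = CLEARANCE[user], LABEL[obj]
    if op == "read":
        return clearance >= label
    if op == "write":
        return clearance <= label
    return False

def authorize(user: str, obj: str, op: str) -> bool:
    """Access is granted only when BOTH mechanisms permit it."""
    return dac_permits(user, obj, op) and mac_permits(user, obj, op)

def may_run(user: str, program: str) -> bool:
    """Closed environment: only programs on the user's individual list may start."""
    return program in ALLOWED_PROGRAMS.get(user, set())

def explain(user: str, obj: str, op: str) -> str:
    """Human-readable reason for the decision, useful for the registration log."""
    if not dac_permits(user, obj, op):
        return "DENIED: not in permission list"
    if not mac_permits(user, obj, op):
        return "DENIED: confidentiality level"
    return "OK"
```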

The areas of responsibility and tasks of specific technical means of protection are established on the basis of their capabilities and operational characteristics as described in the documentation for those means.

The technical means of access delimitation must be part of a unified access control system governing access:

  • to the controlled territory;
  • to individual rooms;
  • to the elements of the AS and the elements of the information security system (physical access);
  • to the resources of the AS (software and logical access);
  • to information storage (information media, volumes, files, data sets, archives, certificates, records, etc.);
  • to active resources (application programs, tasks, request forms, etc.);
  • to the operating system, system programs and protection programs, etc.

8.2.3. Means of ensuring and monitoring the integrity of software and information resources

Monitoring the integrity of programs, processed information and protection means, in order to ensure the immutability of the program environment defined by the processing technology in use and to protect against unauthorized modification of information, should be provided by:

  • means of calculating checksums;
  • electronic signature;
  • means of comparing critical resources with their reference copies (and restoring them in case of an integrity violation);
  • access separation means (prohibition of access with modification or deletion rights).

To protect information and programs from unauthorized destruction or distortion, it is necessary to ensure:

  • duplication of system tables and data;
  • duplexing and mirroring of data on disks;
  • transaction tracking;
  • periodic monitoring of the integrity of the operating system and user programs, as well as user files;
  • antivirus protection and control;
  • backup of data according to a predetermined scheme.
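Added example (not the policy's own tooling): checksum-based integrity monitoring with reference copies and recovery, as section 8.2.3 describes. A SHA-256 baseline is taken over a protected directory, deviations (modified, missing and unexpected files) are reported, and modified or missing files are restored from reference copies that are themselves verified against the baseline first. The directory layout and file contents are constructed.

```python
"""Constructed integrity-monitoring routine for section 8.2.3 (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Checksum of a file, read in chunks so large modules do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path, reference: Path) -> dict:
    """Record a checksum for every protected file and keep a reference copy of it.
    The reference store must itself be protected from modification (last bullet above)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = str(p.relative_to(root))
            baseline[rel] = sha256_of(p)
            dest = reference / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dest)
    return baseline

def check_integrity(root: Path, baseline: dict) -> dict:
    """Return {relative_path: 'modified' | 'missing' | 'unexpected'} for every deviation."""
    findings = {}
    for rel, digest in baseline.items():
        p = root / rel
        if not p.exists():
            findings[rel] = "missing"
        elif sha256_of(p) != digest:
            findings[rel] = "modified"
    for p in root.rglob("*"):            # files that were never in the baseline
        if p.is_file():
            rel = str(p.relative_to(root))
            if rel not in baseline:
                findings[rel] = "unexpected"
    return findings

def restore(root: Path, reference: Path, baseline: dict, findings: dict) -> list:
    """Recover modified/missing files from the reference copies, refusing to use a
    reference copy whose own checksum no longer matches the baseline."""
    restored = []
    for rel, kind in findings.items():
        if kind in ("modified", "missing"):
            src = reference / rel
            if sha256_of(src) != baseline[rel]:
                raise RuntimeError(f"reference copy of {rel} is itself corrupted")
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, root / rel)
            restored.append(rel)
    return sorted(restored)

def run_demo():
    """Constructed scenario: baseline two files, tamper with one, delete the other,
    drop in a stray file, then detect and restore. Returns (before, restored, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root, ref = Path(tmp) / "protected", Path(tmp) / "reference"
        root.mkdir()
        ref.mkdir()
        (root / "module.bin").write_bytes(b"\x7fELF" + b"\x00" * 16)
        (root / "config.ini").write_text("mode=secure\n")
        baseline = build_baseline(root, ref)
        (root / "module.bin").write_bytes(b"\x7fELF" + b"\x90" * 16)   # tampered
        (root / "config.ini").unlink()                                  # deleted
        (root / "unknown.exe").write_bytes(b"MZ")                       # not in baseline
        before = check_integrity(root, baseline)
        restored = restore(root, ref, baseline, before)
        after = check_integrity(root, baseline)
        return before, restored, after

if __name__ == "__main__":
    print(run_demo())
```

An unexpected file is reported but never deleted automatically, since removal is a response decision for the security administrator (section 8.2.4), not for the integrity monitor.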

8.2.4. Security Control Means

The control means must ensure the detection and registration of all events (user actions, attempts at unauthorized access, etc.) that may entail a violation of the security policy and lead to crisis situations. The control means must provide the capability for:

  • continuous monitoring of the key network nodes and network communication equipment, as well as of network activity in the key network segments;
  • monitoring of users' use of corporate and public network services;
  • maintaining and analyzing security event logs;
  • timely detection of external and internal information security threats.

When registering security events, the following information must be recorded in the system log:

  • date and time of the event;
  • identifier of the subject (user, program) performing the registered action;
  • the action (if an access request is registered, the object and the type of access are noted).

The control means must ensure the detection and registration of the following events:

  • user login to the system;
  • user login to the network;
  • unsuccessful attempt to log in to the system or network (incorrect password entry);
  • connection to the file server;
  • program start;
  • program completion;
  • attempt to start a program not permitted to run;
  • attempt to access an inaccessible directory;
  • attempt to read/write information on a disk inaccessible to the user;
  • attempt to start a program from a disk inaccessible to the user;
  • violation of the integrity of programs and system data, etc.

The following basic ways of responding to detected facts of unauthorized access must be supported (possibly with the participation of the security administrator):

  • notifying the owner of the information about the unauthorized access to their data;
  • removing the program (task) from further execution;
  • notifying the database administrator and the security administrator;
  • disconnecting the terminal (workstation) from which the attempts at unauthorized access to information or unlawful actions on the network were made;
  • excluding the violator from the list of registered users;
  • raising an alarm, etc.
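Added example (not part of the original policy): a security event record carrying the fields required by sections 8.1.7 and 8.2.4 (date and time, subject, action, object, type of access, result), parsed from constructed log lines, and a detector that maps the registered events to the response actions listed above. The log format, user names, workstation names and the failed-login threshold are constructed assumptions.

```python
"""Constructed security event log and response logic for section 8.2.4 (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AuditRecord:
    time: datetime       # date and time of the event
    subject: str         # identifier of the user or program performing the action
    action: str          # LOGIN, PROGRAM_START, FILE_ACCESS, INTEGRITY, ...
    obj: str             # requested resource (object)
    access_type: str     # type of access / interaction
    result: str          # OK, DENIED or VIOLATION
    station: str         # workstation the action originated from

def parse_record(line: str) -> AuditRecord:
    """Parse one line of the constructed format
    'ISO-time|subject|action|object|access_type|result|station'."""
    t, subject, action, obj, access_type, result, station = line.strip().split("|")
    return AuditRecord(datetime.fromisoformat(t), subject, action, obj,
                       access_type, result, station)

FAILED_LOGIN_LIMIT = 3             # constructed threshold
WINDOW = timedelta(minutes=5)      # constructed sliding window

def analyze(records) -> list:
    """Return the (response, detail) actions triggered by the records, in order."""
    actions = []
    failures = defaultdict(list)   # subject -> times of recent failed logins
    blocked = set()
    for r in sorted(records, key=lambda rec: rec.time):
        if r.action == "LOGIN" and r.result == "DENIED":
            recent = [t for t in failures[r.subject] if r.time - t <= WINDOW] + [r.time]
            failures[r.subject] = recent
            if len(recent) >= FAILED_LOGIN_LIMIT and r.subject not in blocked:
                blocked.add(r.subject)             # exclude from registered users
                actions.append(("BLOCK_USER", r.subject))
                actions.append(("NOTIFY_SECURITY_ADMIN",
                                f"{r.subject}: {len(recent)} failed logins from {r.station}"))
        elif r.action == "PROGRAM_START" and r.result == "DENIED":
            actions.append(("DISCONNECT_STATION", r.station))
            actions.append(("NOTIFY_SECURITY_ADMIN",
                            f"{r.subject} tried to start {r.obj} on {r.station}"))
        elif r.action == "FILE_ACCESS" and r.result == "DENIED":
            actions.append(("NOTIFY_OWNER", r.obj))   # owner of the data is informed
        elif r.action == "INTEGRITY" and r.result == "VIOLATION":
            actions.append(("ALARM", r.obj))
    return actions

# Constructed sample log: three failed logins, a forbidden program start,
# and a denied read of a confidential database.
SAMPLE_LOG = """\
2024-03-01T09:00:01|petrov|LOGIN|system|interactive|DENIED|ws-12
2024-03-01T09:00:20|petrov|LOGIN|system|interactive|DENIED|ws-12
2024-03-01T09:00:45|petrov|LOGIN|system|interactive|DENIED|ws-12
2024-03-01T09:03:00|sidorova|LOGIN|system|interactive|OK|ws-07
2024-03-01T09:04:10|sidorova|PROGRAM_START|debugger.exe|execute|DENIED|ws-07
2024-03-01T09:05:00|ivanov|FILE_ACCESS|/data/clients.db|read|DENIED|ws-03
"""

def analyze_log(text: str = SAMPLE_LOG) -> list:
    return analyze(parse_record(line) for line in text.splitlines() if line.strip())

if __name__ == "__main__":
    for response in analyze_log():
        print(*response)
```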

8.2.5. Cryptographic information security tools

One of the most important elements of the AS information security system should be the use of cryptographic methods and means of protecting information from unauthorized access during its transmission over communication channels and its storage on machine media.

All means of cryptographic protection of information in the AS should be built on the basis of a common cryptographic kernel. For the right to use cryptographic means, the organization must hold the licenses established by legislation.

The key system of the cryptographic protection means used in the AS should provide cryptographic strength and multi-level protection against compromise of key information, and separation of users by protection level and by the areas of their interaction with one another and with users of other levels.

Confidentiality and protection against imitation (integrity and authenticity) of information transmitted over communication channels should be ensured by applying subscriber (end-to-end) and channel (link) encryption in the system. The combination of subscriber and channel encryption should provide end-to-end protection of the information along its entire transmission path and protect it in case of erroneous redirection due to failures and malfunctions of the switching centers.

In an AS with distributed information resources, means of forming and verifying an electronic signature should be used to ensure the integrity and legally evidential confirmation of the authenticity of messages, as well as authentication of users and subscriber points and confirmation of the time at which messages were sent. Standardized electronic signature algorithms should be used.

8.3. Management of the information security system

Management of the information security system in the AS is a targeted impact on the components of the security system (organizational, technical, software and cryptographic) in order to achieve the required indicators and standards of security for the information circulating in the AS under the conditions of realization of the main security threats.

The main purpose of organizing the management of the information security system is to increase the reliability of information protection during its processing, storage and transmission.

Management of the information security system is implemented by a specialized management subsystem, which is a combination of management bodies, technical, software and cryptographic means, and organizational measures, together with management points of various levels that interact with each other.

The functions of the management subsystem are: information, control and auxiliary.

The information function consists in continuous monitoring of the state of the protection system, checking that the security indicators conform to the permissible values, and immediately informing the security operators about situations arising in the AS that could violate information security. Two requirements apply to monitoring the state of the protection system: completeness and accuracy. Completeness characterizes the degree of coverage of all protection means and the parameters of their functioning. Accuracy characterizes the degree to which the values of the monitored parameters correspond to their true values. As a result of processing the monitoring data, a status of the protection system is formed, which is generalized and transmitted to the higher control points.

The control function consists in forming plans for carrying out the technological operations of the AS, taking into account the information security requirements under the conditions prevailing at the given moment, as well as in determining where a situation of information vulnerability has arisen and preventing leakage by promptly blocking the sections of the AS in which security threats arise. The control functions also include the accounting, storage and issuance of documents and information media, passwords and keys. The generation of passwords and keys, maintenance of the access delimitation means, acceptance of new AS software into the software environment, monitoring the conformity of the software environment, and monitoring the progress of the technological processing of confidential information are assigned to employees of the Information Technology Department and the Economic Security Department.

The auxiliary functions of the management subsystem include accounting for all operations performed in the AS with protected information, forming reporting documents and collecting statistical data in order to analyze and identify potential information leakage channels.
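The informational function described above (continuous monitoring against acceptable values, completeness and accuracy of control, a generalized status for the higher control point) can be illustrated with a small controller. The code below is an added example and is not part of the original document or of any particular product; the means of protection, indicators and readings are constructed for illustration.

```python
"""Added example: a sketch of the informational function of the management
subsystem. Each means of protection reports indicators; the controller
compares them with acceptable values, measures completeness (the share of
registered means that actually delivered a fresh reading) and produces a
generalized status for the higher control point. All identifiers and values
below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Indicator:
    name: str
    value: float
    low: float    # acceptable range, inclusive
    high: float


@dataclass
class Reading:
    means_id: str          # identifier of the means of protection (constructed)
    taken_at: datetime
    indicators: list = field(default_factory=list)


def check_status(registered, readings, now, max_age=timedelta(minutes=5)):
    """Return (completeness, alerts, summary).

    completeness: share of registered means with a reading not older than max_age
    alerts:       (means_id, indicator, value) for every indicator outside its range
    summary:      'OK', 'DEGRADED' (control incomplete) or 'ALARM' (threshold violated)
    """
    fresh = {}
    for r in readings:
        if now - r.taken_at <= max_age:
            fresh[r.means_id] = r
    completeness = sum(1 for m in registered if m in fresh) / len(registered)

    alerts = []
    for m_id, r in fresh.items():
        for ind in r.indicators:
            if not (ind.low <= ind.value <= ind.high):
                alerts.append((m_id, ind.name, ind.value))

    if alerts:
        summary = "ALARM"
    elif completeness < 1.0:
        summary = "DEGRADED"   # a means that stopped reporting is itself a finding
    else:
        summary = "OK"
    return completeness, alerts, summary


# Constructed sample data: three registered means, one stale, one out of range
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
REGISTERED = ["fw-01", "av-01", "ids-01"]
READINGS = [
    Reading("fw-01", NOW - timedelta(minutes=1), [Indicator("dropped_pct", 2.0, 0, 5)]),
    Reading("av-01", NOW - timedelta(minutes=2), [Indicator("signature_age_h", 30.0, 0, 24)]),
    Reading("ids-01", NOW - timedelta(hours=1), [Indicator("sensor_up", 1, 1, 1)]),  # stale
]


def demo():
    """Run the controller over the constructed data."""
    return check_status(REGISTERED, READINGS, NOW)


if __name__ == "__main__":
    completeness, alerts, summary = demo()
    print(f"completeness={completeness:.2f} summary={summary} alerts={alerts}")
```

The stale reading from `ids-01` lowers completeness below 1, and the out-of-date antivirus signatures produce an alert; in a real deployment the summary and the alert list are what would be forwarded upward, while the operator is notified of each alert immediately.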

8.4. Monitoring the effectiveness of the protection system

Control of the effectiveness of the information protection system is carried out with the aim of timely detecting and preventing information leakage through unauthorized access to it, as well as preventing possible special impacts aimed at destroying information or destroying informatization tools.

Evaluation of the effectiveness of information protection measures is carried out using organizational, technical and software controls for compliance with the established requirements.

Control can be carried out both using the built-in means of the information protection system and using special means of control and technological monitoring.

8.5. Features of ensuring the information security of personal data

Personal data is classified according to the severity of the consequences, for the subject of the personal data, of losing the security properties of that data. The following categories are distinguished:

  • personal data related by the federal law "On Personal Data" to special categories of personal data;
  • personal data related by the federal law "On Personal Data" to biometric personal data;
  • personal data that cannot be attributed to special categories of personal data, to biometric personal data, or to publicly available or depersonalized personal data;
  • personal data related by the federal law "On Personal Data" to publicly available or depersonalized personal data.

Transfer of personal data to a third party should be carried out on the basis of a federal law or with the consent of the subject of the personal data. If the organization entrusts the processing of personal data to a third party on the basis of an agreement, an essential condition of such a contract is the obligation of the third party to ensure the confidentiality and security of the personal data during processing.

The organization should terminate the processing of personal data and destroy the collected personal data, unless otherwise established by the legislation of the Russian Federation, within the deadlines established by that legislation, in the following cases:

  • upon achievement of the processing purposes or when the need to achieve them is lost;
  • at the request of the subject of the personal data or of the authorized body for protecting the rights of personal data subjects, if the personal data is incomplete, outdated, unreliable, illegally obtained or not necessary for the declared purpose of processing;
  • when the subject of the personal data withdraws consent to the processing of their personal data, if such consent is required by the legislation of the Russian Federation;
  • if the operator is unable to eliminate violations committed in the processing of personal data.

The organization must also define and document:

  • the procedure for destroying personal data (including material carriers of personal data);
  • the procedure for handling requests from subjects of personal data (or their legal representatives) concerning the processing of their personal data;
  • the procedure for handling requests from the authorized body for protecting the rights of personal data subjects or from other supervisory authorities exercising control and supervision in the field of personal data;
  • the approach to classifying an AS as an information system of personal data (hereinafter ISPD);
  • the list of ISPD. The list of ISPD should include every AS whose purpose of creation and use is the processing of personal data.

For each ISPD the following must be defined and documented:

  • purpose of personal data processing;
  • the volume and content of the processed personal data;
  • a list of actions with personal data and methods for processing.

The volume and content of the personal data, as well as the list of actions and methods of processing personal data, must correspond to the purposes of processing. If the processing of certain personal data is not required to perform the information technological process, that personal data must be removed.
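The requirement that the content of the processed personal data correspond to the documented purpose can be enforced mechanically: for each purpose the documented list of permitted fields is kept, and records are checked against it. The code below is an added example, not part of the original document or of any regulation; the purposes, field names and sample record are constructed for illustration.

```python
"""Added example: data minimization for an ISPD. A documented mapping from
processing purpose to permitted personal-data fields is kept; a record is
checked against it, excess fields are stripped and reported, and a batch
audit counts which excess fields occur. Purposes and fields are constructed."""

# Documented processing purpose -> permitted personal-data fields (constructed)
PURPOSE_FIELDS = {
    "payroll": {"full_name", "tax_id", "bank_account", "salary"},
    "building_access": {"full_name", "badge_id", "photo"},
}


def minimize(record, purpose):
    """Return (kept, removed): kept holds only the fields permitted for the
    purpose, removed lists the excess field names. An undocumented purpose is
    an error (KeyError), since processing without a documented purpose is not
    allowed rather than silently permitted."""
    allowed = PURPOSE_FIELDS[purpose]
    kept = {k: v for k, v in record.items() if k in allowed}
    removed = sorted(k for k in record if k not in allowed)
    return kept, removed


def audit(records, purpose):
    """Count, over a batch of records, how often each excess field appears.
    The result shows which fields the ISPD collects beyond its purpose."""
    excess = {}
    for rec in records:
        _, removed = minimize(rec, purpose)
        for f in removed:
            excess[f] = excess.get(f, 0) + 1
    return excess


# Constructed sample record carrying two fields not needed for payroll
SAMPLE = {
    "full_name": "Example Person",
    "tax_id": "000000000000",
    "salary": 1000,
    "photo": b"<constructed bytes>",
    "health": "not needed for payroll",
}

if __name__ == "__main__":
    kept, removed = minimize(SAMPLE, "payroll")
    print("kept:", sorted(kept), "removed:", removed)
    print("audit:", audit([SAMPLE, {"full_name": "B", "photo": b""}], "payroll"))
```

The batch audit is the useful part for a documented review: it tells the responsible unit which fields are being collected beyond the declared purpose and therefore must be removed from the ISPD, not just from individual records.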

Requirements for ensuring the security of personal data in an ISPD are, in the general case, implemented by a complex of organizational, technological, technical and software measures, means and mechanisms of information protection.

Organizing the implementation and (or) implementing the requirements for personal data security should be carried out by a structural unit or an official (employee) of the organization responsible for ensuring the security of personal data, or on a contractual basis by a counterparty of the organization licensed for the technical protection of confidential information.

The creation of an ISPD of the organization should include the development and coordination (approval) of the organizational-administrative, design and operational documentation provided for by the technical assignment for the system being created. The documentation should reflect the security issues of the personal data being processed.

Development of concepts and technical assignments, design, creation and testing, acceptance and commissioning of an ISPD should be carried out in coordination with, and under the control of, the structural unit or official (employee) responsible for ensuring the security of personal data.

All information assets belonging to the ISPD of the organization must be protected from malicious code. The organization should also define and document the requirements for ensuring the security of personal data by means of anti-virus protection and the procedure for monitoring the implementation of these requirements.

The organization should define an access control system that makes it possible to control access to communication ports, information input devices, removable machine media and external information storage devices.

The heads of the divisions of the organization that operate and maintain the ISPD ensure the security of personal data when it is processed in the ISPD.

Employees engaged in the processing of personal data in the ISPD must act in accordance with the instructions (manuals, regulations, etc.) that form part of the operational documentation for the ISPD, and comply with the requirements of the IB documents.

Responsibility for administering the means and mechanisms of protection that implement the IB requirements for the organization's ISPD is assigned by orders (instructions) to specialists of the Department of Information Technologies.

The procedure for the actions of the specialists of the Department of Information Technologies and of the personnel engaged in the processing of personal data must be defined by instructions (manuals), which are prepared by the developer of the ISPD as part of the operational documentation for the ISPD.

These instructions (manuals):

  • establish the qualification requirements for personnel in the field of information protection, as well as the current list of protected objects and the rules for updating it;
  • contain complete and up-to-date (at the time) data on user authority;
  • contain data on the information processing technology in the amount required by an information security specialist;
  • set the procedure and frequency of analysis of event logs (log archives);
  • regulate other actions.

The configuration parameters of the means and mechanisms for protecting information from unauthorized access (NSD) that lie within the area of responsibility of the specialists of the Information Technology Department are determined in the operational documentation for the ISPD. The procedure and frequency of checks of these configuration parameters are set in the operational documentation or regulated by an internal document; the check should be carried out at least once a year.
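A check of the configuration parameters against the operational documentation is a comparison of two tables plus a date check. The code below is an added example, not part of the original document or of any product; the baseline, the current values and the review dates are constructed for illustration, and in practice the baseline would come from the operational documentation and the current values from the hosts or devices themselves.

```python
"""Added example: checking the configuration parameters of protection means
against the baseline fixed in the operational documentation, and checking
that the mandated review (at least once a year) is not overdue. The baseline
and the current values are constructed for illustration."""
from datetime import date

# Documented configuration of the means of protection (constructed)
BASELINE = {
    "av-01": {"realtime_scan": "on", "signature_update_hours": "1", "usb_block": "on"},
    "fw-01": {"default_policy": "deny", "log_dropped": "on"},
}


def compare(baseline, current):
    """Return a list of (means_id, parameter, expected, actual) deviations.

    A documented parameter that is missing or different is reported with the
    actual value (None if missing); a parameter present on the device but not
    documented is reported with expected=None, since undocumented settings are
    themselves a deviation from the operational documentation."""
    deviations = []
    for m_id, params in baseline.items():
        cur = current.get(m_id, {})
        for p, expected in params.items():
            if cur.get(p) != expected:
                deviations.append((m_id, p, expected, cur.get(p)))
        for p in cur:
            if p not in params:
                deviations.append((m_id, p, None, cur[p]))
    return deviations


def review_overdue(last_review, today, max_days=365):
    """True if the last configuration check is older than the allowed interval."""
    return (today - last_review).days > max_days


# Constructed current state: one changed value, one undocumented parameter,
# one documented parameter missing on the firewall
CURRENT = {
    "av-01": {"realtime_scan": "on", "signature_update_hours": "24",
              "usb_block": "on", "extra_exclusion": "C:\\temp"},
    "fw-01": {"default_policy": "deny"},
}

if __name__ == "__main__":
    for dev in compare(BASELINE, CURRENT):
        print("deviation:", dev)
    print("review overdue:", review_overdue(date(2023, 1, 1), date(2024, 1, 2)))
```

The deviation list is what goes into the check report; an empty list together with a review date inside the interval is the only outcome that counts as conforming.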

The organization should also define and document the procedure for access to the premises in which the technical means of the ISPD are located and the carriers of personal data are stored, providing for control of access to the premises by unauthorized persons and for obstacles to unauthorized entry into the premises. This procedure should be developed by the structural unit or official (employee) responsible for the physical security regime and agreed with the structural unit or official (employee) responsible for ensuring the security of personal data and with the Department of Economic Security.

Users and maintenance personnel of the ISPD should not perform unauthorized and (or) unregistered (uncontrolled) copying of personal data. For this purpose, unauthorized and (or) unregistered (uncontrolled) copying of personal data should be prohibited by organizational and technical measures, including copying using alienable (removable) information carriers, mobile devices for copying and transferring information, communication ports and output devices implementing various interfaces (including wireless), the storage devices of mobile equipment (for example, laptops, pocket personal computers, smartphones, mobile phones), as well as photo and video recording devices.

Control of personal data security is carried out by an information security specialist, both using the built-in means of the information security system and using special means of control and technological monitoring.


Information plays a special role in the development of civilization. Ownership of information resources and their rational use create the conditions for optimal management of society. And on the contrary, the distortion of information, blocking it, the use of unreliable data lead to erroneous solutions.

One of the main factors ensuring efficiency in the management of various spheres of public life is the correct use of information of various kinds. The pace of progress today, and even more so tomorrow, depends largely on the state of affairs in the field of information and computing support for the most important areas of activity: science, technology, production and management.

The problem of using economic information in managing material production is particularly relevant, since there the growth of the information flow depends quadratically on the industrial potential of the country. In turn, the rapid development of automation and the use of computers in all spheres of modern life, besides undoubted advantages, have brought a number of specific problems. One of them is the need to ensure effective information protection. On this basis, the creation of legal norms securing the rights and obligations of citizens, collectives and the state with respect to information, as well as the protection of this information, becomes a most important aspect of state policy. Protection of information, especially in the economic sphere, is a very specific and important type of activity. It is enough to say that worldwide the average amount of damage from a single bank crime using electronic means is estimated at 9 thousand dollars. Annual losses from computer crimes in the United States and Western Europe reach $140 billion. In the opinion of American specialists, removing information protection systems from computer networks would lead to the ruin of 20% of medium-sized companies within a few hours, 40% of medium-sized and 16% of large companies would fail within a few days, 33% of banks would collapse in 2-5 hours, and 50% of banks after 2-3 days.

Of interest is the data on data-protection problems that led to material losses in US companies:

  • network failures (24%);
  • software errors (14%);
  • computer viruses (12%);
  • computer malfunctions (11%);
  • theft of data (7%);
  • sabotage (5%);
  • unauthorized intrusion into the network (4%);
  • others (23%).

The rapid development and spread of computer systems and information networks serving banks and stock exchanges is accompanied by an increase in offences associated with theft of, and unauthorized access to, data stored in computer memory and transmitted over communication lines.

Computer crimes today occur in all countries of the world and extend to many areas of human activity. They are characterized by high secrecy, difficulty of establishing the facts of their commission, and difficulty of proving such cases in court. Offences involving computer information can take the form of:

  • computer fraud: manipulating a data processing system to obtain financial benefits;
  • computer espionage and theft of software;
  • computer sabotage;
  • theft of services (machine time) and unlawful use of data processing systems;
  • unlawful access to data processing systems and "hacking" of them;
  • traditional business (economic) crimes committed using data processing systems.

Computer crimes are committed, as a rule, by highly qualified system and banking programmers and by specialists in telecommunication systems. A serious threat to information resources is posed by hackers and crackers penetrating computer systems and networks by breaking protection software. Crackers, moreover, can erase or change the data in an information bank in accordance with their interests. Over the past decades, in the countries of the former USSR, a powerful generation of highly trained potential hackers has emerged who worked in organizations and departments engaged in information piracy at the state level, using information obtained from the West in military and economic interests.

What do hackers steal? A potential object can be any information stored in a computer, passing through computer networks or held on computer media that is capable of bringing profit to the hacker or his employer. This includes almost all information constituting the commercial secrets of firms, ranging from developments and know-how to payroll statements, from which it is easy to "calculate" the turnover of the company, the number of employees, etc.

Especially valuable is information on bank transactions and loans conducted by e-mail, as well as transactions on the stock exchange. Of great interest to hackers are software products, valued on the current market at thousands and even millions of dollars.

Crackers ("computer terrorists") damage programs or information using viruses: special programs that destroy information or cause the system to fail. The creation of "viral" programs is very profitable, since some manufacturers use viruses to protect their software products from unauthorized copying.

For many firms, obtaining information by placing a hacker-programmer with a competitor is the simplest and most profitable way. Planting special equipment at a competitor's premises, or constantly monitoring its office for emissions with special equipment, is expensive and dangerous. Moreover, when a competitor discovers the technical means, it may start a counter-game, feeding false information. For this reason, having one's own hacker-programmer in the "enemy camp" is considered the most reliable way of fighting competitors.

Thus, the ever-growing risk of computer crime, primarily in the financial and credit sphere, determines the importance of ensuring the security of automated information systems.

Information Security Organization (institution)

The security of an automated information system of an organization (institution) means its protection against accidental or deliberate interference in the normal process of its functioning, as well as against attempts to steal, modify or destroy its components. The security of the system is achieved by ensuring the confidentiality of the information being processed, as well as the integrity and availability of the components and resources of the system.

Confidentiality of computer information is the property of information to be known only to the subjects of the system (users, programs, processes, etc.) that are permitted and have passed verification (authorization).

Integrity of a component (resource) of the system is the property of the component (resource) to remain unchanged (in the semantic sense) during the functioning of the system.

Availability of a component (resource) of the system is the property of the component (resource) to be available for use by authorized subjects of the system at any time.

System security is provided by a complex of technological and administrative measures applied to hardware, programs, data and services in order to ensure the availability, integrity and confidentiality of computer-related resources; this also includes procedures for verifying that the system performs certain functions in strict accordance with their planned order.

The security system of a system can be divided into the following subsystems:

  • computer security;
  • data security;
  • secure software;
  • communications security.

Computer security is provided by a complex of technological and administrative measures applied to computer hardware to ensure the availability, integrity and confidentiality of the resources related to it.

Data security is achieved by protecting data from unauthorized, accidental, deliberate or negligent modification, destruction or disclosure.

Secure software consists of general and application programs and tools that perform secure data processing in the system and use system resources securely.

Communications security is provided by authentication of telecommunications and by measures preventing unauthorized persons from obtaining critical information that the system may issue in response to a telecommunication request.

The objects of information security at the enterprise (firm) include:

  • information resources containing information classified as commercial secrets and confidential information, presented in the form of documented information arrays and databases;
  • means and systems of informatization: computing and office equipment, networks and systems, system-wide and application software, automated enterprise (office) management systems, communication and data transmission systems, technical means for collecting, registering, transmitting, processing and displaying information, as well as their informative physical fields.

In the modern world, information resources have become one of the powerful levers of economic development of enterprises (firms) playing an important role in business activities. Moreover, the lack of effective computer and modern information technologies in the field of domestic business, which are the basis of the functioning of the "fast" economies, significantly slows down the transition to new forms of management.

In the information and automated management systems of the enterprise (firm), priority is given to effectively solving the tasks of marketing management, i.e. accounting for and analyzing the contracts and contacts of the enterprise (firm), searching for business partners, organizing advertising campaigns to promote goods, intermediary services, developing a strategy for market penetration, etc.

Without the support of various political, commercial and official power structures, a serious operation is usually possible only by concealing one's true activity ("illegal work") and one's true identity ("illegal personality").

This refers to both amateur individual and an unofficial group specifically created to solve some delicate, non-universal approval of tasks.

The same problem arises and when for any reason the person should be hidden from various services of a commercial, state, criminal, political order.

One can become a typical "illegal" both intentionally and under compulsion. In any case, one needs to know at least a minimum of standard safety tactics in order to get through this period successfully, without losing physical or mental freedom, and sometimes life itself, through obvious stupidity.

Security system elements

The level of insurance measures used is strongly dependent on both the degree of desired conspiracy of the person (or group) and the situation, the medium, and, of course, from the possibilities of the people themselves.

Separate personal security techniques should be a natural habit and implement regardless of the needs of the momentary situation.

The presented here does not exhaust possible funds of ordinary insurance, the criterion for the use of which is always a high opinion about the enemy and, of course, common sense of the people themselves.

The following types of security are typical:

External (during communication with outsiders);

Internal (when contacting in its environment and group);

Local (in various situations and actions).

Consider all this a little more.

External security

Different troubles may occur when communicating with ordinary people and state structures, but much here you can foresee and avoid using the banal principle of the three "not": not to annoy, do not get involved.

Need:

Do not attract unnecessary attention (tactics "dissolving in the environment"):

- Do not stand out of appearance (everyday haircut, decent clothes, the absence of something "screaming"; if, however, your surroundings are extravagant, then - be as they ...);

- not to get involved in quarrels and scandals (this, firstly, attracts unnecessary attention to you, and secondly, it may be simply a provocation aimed at detention or "punishment");

- Gently make all utilities and other state dresses; Always pay for transportation in transport;

- try to accurately follow the figure of a selected social role and not have claims to work (and not stand out there on a general collective background ...);

- not to break the obsessive curiosity of the neighbors an unusual lifestyle or visits of different people;

- Do not exhibit excessive awareness in anything, if, of course, this does not require your role (do not forget the ancients: "There should be an alert about three," I don't know "," not heard "," I don't understand ") .

Do not generate any dislike in neighbors, colleagues and acquaintances, but to call them sympathy:

- not to be a "white crow" (people always have to themselves the one who is revealed with their understandable ...);

- to work out a manner of behavior that does not cause the surrounding possible alertness (excessive curiosity, "mind" or obsession ...) or dislike (tactlessness, a bore, pride, rudeness ...);

- To be even and kind with all others and, if possible, to provide them with small (but not Lacées!) Services;

- Do not do anything that may cause discontent and curiosity of the neighbors (Flawering by the door at night, an excess of visitors, returning home by taxi, visits of women, Late calls on the phone in a shared apartment ...).

Carefully monitor all your connections and contacts (remember that "the most dangerous that enemy, you do not know about how"):

- keep secrets from their neighbors (wives, friends, relatives, mistress ...);

- with familiar alertness ("Why and why?") Always perceive attempts to close with you (accidental acquaintance, whose recommendations ...);

- carefully refer to all employees of repair services, advertising and service, view their documents and politely, but reasonable to be identical to the identity by phone, and then at the "colleagues";

- Be careful with everyone who offers as "disinterested" services (gives money off, actively helps in something, provides something like something ...).

Find out your own vulnerabilities and know how you can progress here:

- to analyze all your life and allocate those dubious moments that can be used for blackmail or discredit;

- to really assess the possible consequences of the announcement of such facts to all those who can be reported;

- Ask, who and for what reason is able to know the compromising and how to neutralize such awareness;

- to identify objects of their vulnerability (woman, children, moral edges ...), because they can be pressure on you;

- reveal your weaknesses (hobbies, wine, sex, money, character traits ...) and remember that they can always be used against you.

- Not to get involved in dubious scams that are not related to a common matter. In risky adventures relevant to the case, ever when resolving over.

Internal security

Contacts in their own environment can not be considered as guaranteed safe. Remember that "the greatest harm is usually obtained from two conditions: from the disclosure of the secrecy and trust of the treacherous."

Preservation of the mystery of the personality:

- Instead of genuine names, aliases are always used (usually registered, but also digital, alphabetic or "nicknamed"); In each direction, "players" are under a separate pseudonym, although it is possible to work under several options, as well as the action under the general pseudonym of several different persons;

- Team members, if possible, know each other only under pseudonyms; Only trustees should be aware of the genuine names, home addresses and phones;

- when the possibility of failure and decryption, all the aliases used, as a rule, change;

- one should not be given to anyone any intimate and other information about their own person;

- Trying to create (using hints or rumors) fictional, but externally plausible "legend" about himself;

- no one in the group should exhibit excessive interest in classes, habits and intimate life of their comrades;

- no one should report other partner data, if it does not require an urgent need;

- In some cases, it makes sense to visually change the appearance (hairstyle, beard, makeup, wigs, tattoos, skin color, glasses with simple or smoky glasses and different ribs, inserts changing voice and gait ...);

- It is necessary to gain a habit of not leave any material traces, indicating that you were here (cigarette, abandoned paper traces, traces of shoes, contrasting odors, notable changes in the setting ...).

Preservation of the secrecy of the case:

- active working contacts are supported with a strictly limited set of persons (the system of triples or fives, depending on the tasks being solved ...), and the associates should not know what partners are involved specifically;

- Each specializes only in two or three areas, after the activity in one of them it became too dangerous to engage in the hand, and the transition to another direction;

- It is necessary to strictly distinguish between operational and information work: let everyone deal with its own business;

- best mask preparations for a specific action of the event for the embodiment of another;

- to tell about their activities, it is possible only if it is necessary for them; remember that the mystery is stored a maximum of five people;

- it is necessary to transmit the received information only to those who are obviously necessary (the discovery of excessive awareness is able to identify the source of information, and this may lead to its neutralization);

- to be careful when involving the means of communication that gives obvious opportunities to intercept information (postal posts, radio - and telephone conversations ...);

- Never write open text in the letters of real addresses, names and installations, not mentioning them in conversations leading on the street or by phone;

- use codes and pseudonyms even with intragroup communication, from time to time by changing them;

- the group must have 2-3 separate ciphers, known to different people;

- to count more on memory than to record; In the latter case, you need to use your personal code and cipher;

- try not to have compromising securities written by your own handwriting or imprinted on your own office equipment;

- in dealing with "illuminated" persons to refrain from direct contacts using if you need, sideforth or other means of communication;

- Always take into account and remember that there is an opportunity to leak information or betrayal, and be prepared for relevant counterators.

Local security

The best guarantee of success is usually a substrate, and therefore any actions are desirable to carry out all possible trouble from the enemy or accidentally converted to witnesses.

General rules for direct communication.

try not to keep informative conversations with open text in a crowded street or public transport;

it should not be mentioned in an open conversation of genuine surnames, names, well-known nicknies and addresses, as well as not to use "Associating" terminology;

use code names to refer individual actions;

the most secret aspects of the conversation (genuine addresses, passwords, dates) are written on paper, which is then destroyed;

it is necessary to be aware of the technical capabilities of eavesdropping systems and to know the elementary countermeasures against them (see the section on obtaining information ...);

if one of the interlocutors, during a conversation, notices something alarming, the partner is preventing a special word ("Atas" ...) or a gesture (finger to lips ...), and the whole conversation is translated into neutral;

if you know that you are being eavesdropped on, it is better not to conduct informative negotiations at all, or to use them for disinformation;

when you are allegedly "listening", and it is still necessary to talk, then we use the conditional language, where harmless senses have a completely different meaning; phrases are also used that should not be taken into account (they are usually reported by any reasonable gesture, for example, by crossing the fingers ...), and often standard techniques (casing, inserts in the mouth ...), impede the identification of the speaker;

when it is necessary to ensure a complete secret of communication in a crowded place, methods of conditional (non-verbal) communications are used, such as tongue language, gestures and gestures with fingers, as well as codes based on clothing attributes (different positions of the head removal, tongue clamp, nose handkerchief ...) or on manipulation of undergraduate objects (clocks, cigarettes, keys ...).

Using the phone

A. Ensuring personal security:

- try to agree in advance on the times of other people's and your own calls, and limit the frequency of contacts;

- do not overuse conversations on your own telephone (bearing in mind that it can be listened to) and do not give your number to others without clear need (knowing that it is easy to get from the number to your address);

- take into account that either the whole telephone conversation can be listened to (when connected on the line ...) or only what you say (a planted "bug" or a neighbour behind the door ...);

- it is useful to build in a simple "control" (registering a voltage drop ...) for the connection of someone else's device to the line;

- use caller ID (AON), or better "anti-caller-ID", so as not to advertise your number when calling others;

- do not rely on the security of any radiotelephones;

- long-distance and other fixed contacts are better carried out from someone else's "number" (on a cellular "double" or a radio ...) (see the section about blackmail ...), as well as through a direct connection to any pair of contacts in the distribution box;

- for greater secrecy of negotiations, encoders can be used (at least simple improvised inverters and scramblers), although their use may sharply attract the attention of others;

- one should not place particular trust in protection by "noise" or by "raising the voltage in the line";

- if you do not want to be "decrypted" by the interlocutor, you can try to change your voice (by mechanical and electronic means, or simply by coughing, stretching and spreading the lips, pinching the nose ...) and the stylistic pattern of the conversation (using jargon ...);

- do not forget that payphones also exist, and that their location is as easily determined as that of all other telephones;

- if you need someone else's call but have no wish to give your coordinates, an intermediary is used: an answering machine or a live "dispatcher", who may or may not know (the one-way option ...) your private telephone number;

- in some cases wordless use of the telephone is possible, when one, and more often several, "empty" calls in some rhythm serve as a code;

- a specific signal can sometimes be simply the fact of a call from a certain person during the most trivial conversation, as well as the coded mention of conditional names in a "wrong number" call.

B. Ensuring verbal security:

- do not hold business conversations in plain language;

- do not give genuine dates, surnames or addresses;

- use code names for individual actions;

- use a conditional language in which innocuous phrases have a completely different meaning;

- call only when necessary, although the option of frequent conversations "about nothing" with the same person is also possible (the tactic of "dissolving information").

C. Conversation in the presence of strangers:

- the whole dialogue is conducted by the partner, and you only say "yes" or "no", so that those nearby understand and learn nothing;

- the presence of strangers is reported in plain language or by a verbal code; after that the conversation should be led by the partner, who should not ask any questions requiring detailed answers;

- when there is direct control by a not very friendly person, the partner is warned of this by a code phrase (preferably in the greeting ...), after which the whole conversation is conducted in an empty style or as disinformation;

- if one of the interlocutors believes that his telephone is being listened to, he immediately tries to warn the others of this with a phrase known to all of them ("my teeth hurt" ...), and the conversation then turns in a neutral direction.

Using a shared telephone (in the apartment, at work ...):

- use such a telephone as little as possible (especially "for incoming calls"), unless this is part of the role being played (dispatcher, advertising agent ...);

- one and the same person should make the calls on this telephone;

- try not to call too late or too early;

- when strangers try to identify the voice of the caller ("Who is asking?" ...), answer politely and neutrally ("a colleague" ...) and, if the person called is not there, end the conversation immediately;

- in essence, it is easy to make a separate telephone using, for example, a code divider, so that dialling a specific code on the shared number will reliably ring only your device without affecting the neighbouring ones at all.

Organization of meetings

The level of security measures required in specific cases depends on the desired degree of secrecy of the contact, on the degree of legality of its participants and on the possible surveillance of them by strangers.

A. Choice of the meeting place:

- when looking for suitable places of contact, one usually relies on the principles of naturalness, justification and chance;

- frequent meetings are easiest to hold at the site of a fan party (fitting into its pattern ...), in the hall of a sports section, in a work room ...;

- especially serious meetings can be held in hunting grounds, specially rented dachas, in bathhouses, resort sanatoriums, at all kinds of sports bases, on beaches abroad;

- paired meetings are arranged in the metro and in squares, in toilets and cars, on little-used streets, in zoos, museums and exhibitions; crossings in such places are unlikely, and therefore they are less dangerous;

- one should refrain from secret meetings in a well-known restaurant, a fashionable cafe or at the railway station, given that such points are usually controlled;

- "random" meetings can be held in private apartments of third parties on a justified occasion (a funeral, an anniversary, "marking" a certain event ...);

- one should not hold any meetings (except the usual ones) in stereotypical communal apartments;

- one's own apartment should be used for contacts only to an extremely limited extent;

- in some cases it makes sense to rent a special safe apartment, if possible in a house that has a second exit;

- when inspecting the meeting place, make sure whether it is possible to get there unnoticed and how one can safely slip away from there; remember the old truth: "Not knowing how to leave, do not try to enter!"

B. Informing about the meeting:

- the place of a possible meeting is usually discussed in advance, and a code name, alphabetic, numeric or "false", is assigned to each of several options;

- others are informed about the planned contact by telephone, pager, letter, as well as through a courier;

- when agreeing on a meeting over "open" communication lines, use the code name of the place, an encrypted date (for example, the day before the specified one) and a shifted time (by a constant or sliding number);

- before the appointed time, confirmation of the contact must be issued either in plain language or by a signal link;

- in cases where waiting at the meeting is permissible (at a public transport stop, in a queue at a petrol station ...), it is advisable to specify a definite period of time, after which waiting is no longer necessary.

C. Conducting a meeting:

- participants in multi-person meetings should arrive not all together but dispersed, and should not leave all their personal cars in one place;

- try to avoid the presence at the gathering of any extraneous and unnecessary persons;

- realizing that crowded secret meetings will most likely also become known to those who should not know, do not take clearly compromising things with you (weapons, fake documents ...) and remember that they may at times be planted;

- it is very desirable to have the place of contact monitored by special people before, during and after the meeting, so that if necessary they can warn of danger using any agreed (taking into account their possible capture) signals;

- with any kind of contact, you must estimate how you could be watched or overheard, persistently asking yourself the brief questions: "Where? How? Who?";

- especially secret conversations should be held in local isolated points, checked and secured against every possibility of eavesdropping, peeping and sabotage;

- it is advisable to have at least simple indicators that report the radiation of radio microphones or the presence of a recording dictaphone on the interlocutor;

- it is useful to use even crude spark suppressors, as well as generators for erasing magnetic recordings;

- classic clandestine paired meetings are always timed to the minute and are held as "random";

- to arrive at the meeting point exactly at the appointed time, it is necessary to time the movement in advance and allow some time for all kinds of surprises (blocking of the route, a stranger hanging on, a transport accident ...);

- if the meeting is planned on the street, it does not hurt to walk there an hour before the meeting, looking carefully at every passer-by and all parked cars; if something alarms you, the contact must be postponed, telling the partner this by means of camouflaged signal communication;

- at meetings with unfamiliar persons, the latter are recognized by a description of their appearance, a specific posture or gesture, a mention of things held in their hands, and best of all by a photograph, with further confirmation of identity by a verbal (and other) password;

- it is necessary to position oneself in the premises so as to control at all times the obvious points where a threat may appear (say, in a cafe: facing the entrance, watching what happens outside the window and positioned near the open service passage ...);

- remember and fulfil all the previously stated rules for verbal communication.

D. Organization of closed meetings (negotiations).

The organization of any event, including meetings and negotiations, is connected with its preparation. There are no single infallible rules in this area. However, the following version of the preparation scheme is recommended: planning, collection of material and its processing, analysis of the collected material and its editing.

At the initial planning stage, the topic or questions that it is desirable to discuss and the possible participants in the business conversation are determined. In addition, the most suitable time is selected, and only then are the place, the time of the meeting and the organization of the enterprise agreed upon (as a rule, such conversations are held tête-à-tête, confidentially, without the participation of unauthorized persons).

When the meeting has been arranged, its plan is drawn up. First it is necessary to determine the goals facing the entrepreneur, and then to develop a strategy for achieving them and the tactics of the conversation.

Such a plan is a clear program of action for preparing and conducting a specific conversation. Planning makes it possible to mitigate or neutralize the effect of unexpected new facts or unforeseen circumstances on the course of the conversation.

The plan includes the persons responsible for implementing each item of the plan and the following measures for organizing the meeting (negotiations):

1. Meeting, together with the client, the guests arriving at the event.

2. Coordination of the actions of the main security detail and the bodyguards of the invited persons.

3. Protection of the clothing and belongings of the guests and of their cars in the adjacent territory.

4. Prevention of incidents between guests at the meeting.

5. Control of the condition of beverages, snacks and other refreshments (trained dogs are used for this purpose).

6. Detection of suspicious persons at the event or in related premises.

7. Sweeping the premises (negotiation rooms and adjacent rooms) before the negotiations to remove eavesdropping and explosive devices.

8. Establishing posts for recording and observing persons:

a) arriving at the business reception or meeting with packages, with briefcases, etc.;

b) bringing audio or video equipment to the event;

c) who come to the business reception or meeting for a short time or unexpectedly leave the event.

9. Prevention of eavesdropping on the conversations of the organizers of the event and guests in the premises and by telephone.

10. Development of backup options for holding the negotiations (in a private apartment, in a hotel, in a car, on a boat, in a bathhouse (sauna), etc.).

This list of measures is not exhaustive. It can be significantly expanded and specified depending on the conditions of the protected object, the nature of the event and other conditions agreed with the client.

Common tasks that are solved during a meeting (negotiations) or other mass events include:

1) negotiation premises are chosen so that they are on the first or last floor and are located between premises controlled by the security service;

2) familiarization with the protected object, establishing the state of the criminogenic environment around it;

3) establishing interaction with the police during the event;

4) establishing an access regime in order to prevent weapons, explosives, combustible and poisonous substances, drugs, heavy objects and stones from being brought onto the protected object;

5) preventing people with dogs from entering the guarded territory or the protected premises;

6) control and maintenance of order in the adjacent territory and in adjacent premises;

7) distribution of roles among the guards of the reinforcement (support) group;

8) determining the equipment of the guards, including their weapons and communications;

9) establishing open and "covert" posts of control and observation;

10) preparation of transport in case of extreme circumstances and evacuation of the participants of the event;

11) checking the stability of communications in the territory of the object in order to identify so-called "dead zones";

12) checking the possibility of using gas weapons and tear gas in order to identify the direction of the wind, draughts and eddies, so that the guards themselves are not affected by the use of special means;

13) checking the coordination of the guards by practising various scenario tasks.

During the working stage, security officers (of the security company) must accurately fulfil the duties specified at the preparation stage.

At the same time, special attention is paid to the following questions:

1) the arrival of late participants of the event, who count on a weakened access regime once the meeting (negotiations) has begun;

2) a mandatory inspection of the contents of briefcases and voluminous bags, or the use of hand-held metal detectors and explosive vapour detectors used to detect mines, grenades, TNT blocks and other explosives;

3) cars entering and leaving the protected areas should be subject to special, at least visual, inspection. This is especially important in order to prevent outsiders from penetrating the protected facility and to rule out the mining of the vehicles of the meeting (negotiation) participants;

4) control of the interiors and boots of departing cars can prevent the abduction of persons who arrived at the event for the purpose of extortion from the organizers of the meeting (negotiations);

5) protection of the outerwear and personal belongings of the participants of the event in order to exclude their theft and the planting of radio bugs;

6) despite the desire of the event's organizers to have a beautiful view from the window, it must be taken into account that the area should be convenient for control by the security service (security company);

7) cars in which equipment with radio bugs may be located should not be parked under the windows of the negotiation premises;

8) the creation of safety zones in the premises intended for negotiations and their equipment with special equipment, screens, noise generators, etc.;

9) when negotiating, with the aim of preserving commercial secrets, all "secret" information is presented in writing, and its discussion is conducted in Aesopian language.

At the final stage of the event, security officers (of the security company) must remain vigilant, despite the outwardly apparent insignificance of the events occurring at the facility, which can be very deceptive.

Checking the facility after the event is completed may involve no less risk to life than work in the previous stages. During this period the final sweep of the object is carried out using the same technique as during the preparatory activities. At the same time, it is necessary to search for persons who may be hiding at the facility, or for victims of criminals who require medical care. Close attention is paid to forgotten items and things.

Souvenirs and gifts presented to the head of the organization (firm) and to other participants of the event are subjected to test inspection.

Everything found by the guards at the facility that does not belong to the employees of the organization (firm) is handed over to the client or the administration of the protected premises together with one copy of the inventory. The second copy of the inventory, with the signature of the person who accepted the items for storage, remains with the security service (security company).

An apartment, a car, the street or a restaurant cannot be reliable "defenders" of commercial secrets. Therefore it is worth listening to the advice of professionals.

When conducting business meetings it is necessary to close windows and doors. It is desirable that the room for negotiations be an isolated room, such as a hall.

Competitors, if they wish, can easily listen to conversations while sitting in neighbouring rooms, for example in the apartment on the floor above or below. The times when the scouts of all countries and peoples drilled holes in ceilings and walls have long passed: highly sensitive microphones allow the necessary information to be obtained almost freely.

For negotiations it is necessary to choose premises with isolated walls and to get acquainted with the neighbours living above and below, to find out whether they would hand over their apartment (room) to unauthorized people. It is worth turning the neighbours into allies, but at the same time bearing in mind that they may play a double game or imperceptibly turn from well-wishers into blackmailers.

The activity of competitors depends primarily on the seriousness of their intentions. If necessary, listening devices ("bugs") can be installed directly in the entrepreneur's apartment, and here neither iron doors, nor imported locks, nor trained guards will help.

A business person should ask his relatives to invite home only people they know well and, if possible, to control their behaviour. During receptions, the doors of the home office should be locked, and, so as not to tempt the children, the VCR and a computer should be in a place accessible to them. That computer must naturally be without working programs and confidential information.

If there is a suspicion that your car is "equipped", an operation "clean car" must be carried out before the negotiations.

On the eve of the business meeting, one of the company's employees or a friend of the entrepreneur, whom he trusts completely, should leave a car in an agreed place. A few minutes after that, the business person transfers from his own car to the one left there and, without stopping, goes to the negotiations. At the same time, do not forget to take a power of attorney for the right to drive someone else's car!

During negotiations the car must necessarily be in motion, with its windows tightly closed. At stops (for example, at traffic lights) it is better not to discuss confidential questions.

Let us analyse where else a business person can hold an important business meeting.

On the street. Two types of microphones can be used to listen to conversations: directional and built-in. The first allow information to be picked up at a distance of up to a kilometre within direct line of sight. Built-in microphones are used in the same way as radio bugs.

To combat directional microphones effectively, one must keep moving, sharply changing the direction of movement, using public transport and organizing counter-surveillance with the help of the security service or hired agents of private detective firms.

In a restaurant. A static position makes it possible to control conversations in the common halls of a restaurant. Therefore a reliable maître d' is needed to hold such business meetings. A table or a separate room is reserved at a time convenient for the entrepreneur and unexpected for competitors, and it in turn must be under the reliable control of the firm's security service. Attempts to drown out the conversation with the sounds of the restaurant orchestra, as, incidentally, with the noise of water, are ineffective.

In a hotel room. Booking a hotel room for negotiations must be done secretly. After the start of the business meeting, security officers should keep under control not only the neighbours but also all the people staying on the floors above and below.

All of the above methods and countermeasures are effective provided there is a good organization of misinformation about the time and nature of the planned meetings (negotiations). When the circle of employees privy to the full list of planned events is as narrow as possible, and each participant knows exactly as much as is necessary within the scope of his duties, then one can count on success in any business.

Protection of information objects

Types of threats to information objects

The overall classification of threats to the automated information system of the object is as follows:

Threats to the confidentiality of data and programs. Implemented through unauthorized access to data (for example, to information about the status of bank customer accounts), programs or communication channels.

Information processed on computers or transmitted over local data networks can be removed through technical leakage channels. In this case, equipment analyses the electromagnetic radiation arising during the operation of the computer.

Such removal is a complex technical problem and requires the involvement of qualified specialists. With the help of a receiving device made on the basis of a standard TV set, it is possible to intercept the information shown on display screens from a distance of a thousand metres or more. Certain information about the operation of the computer system is extracted even by monitoring the message exchange process without access to its content.

Threats to the integrity of data, programs and equipment. The integrity of data and programs is violated by unauthorized destruction, by the addition of unnecessary elements and the modification of account status records, by changing the order of data, by forming falsified payment documents in response to legitimate requests, and by active retransmission of messages with delay.

Unauthorized modification of security information can lead to unauthorized actions (incorrect routing or loss of transmitted data) or to distortion of the meaning of transmitted messages. The integrity of equipment is violated when it is damaged or stolen or when its operating algorithms are illegally changed.
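The integrity threats just listed (a modified record, a forged payment document, and a genuine message delivered again or with delay) can all be checked at the receiver. The following is an added example, not part of the original text; the shared key, the document fields and the messages are constructed. An HMAC proves origin only between the two key holders, so it does not address the repudiation threat described below, which needs an asymmetric signature.

```python
import hashlib
import hmac
import json
from typing import List

# Constructed shared key; in practice it comes from a key store, never from source code.
KEY = b"constructed-shared-key-0001"
MAX_AGE_SECONDS = 30   # delivery later than this counts as a delayed retransmission


def canonical(body: dict) -> bytes:
    """Stable serialization so sender and receiver authenticate identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(doc: dict, seq: int, sent_at: int, key: bytes = KEY) -> dict:
    """Sender side: bind a sequence number and send time to the document,
    then authenticate all three fields with one HMAC-SHA256 tag."""
    body = {"seq": seq, "sent_at": sent_at, "doc": doc}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Receiver side: accepts each genuine document exactly once and in order."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.last_seq = 0              # highest sequence number accepted so far
        self.accepted: List[dict] = []

    def verify(self, msg: dict, now: int) -> str:
        """Return 'accepted' or a rejection reason. The tag is checked first, so
        every field examined afterwards is known to be what the key holder sent."""
        body = msg.get("body")
        tag = msg.get("tag")
        if not isinstance(body, dict) or not isinstance(tag, str) or not tag.isascii():
            return "rejected: malformed"
        try:
            expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        except (TypeError, ValueError):
            return "rejected: malformed"     # body is not serializable
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"       # modified record or forged document
        if body["seq"] <= self.last_seq:
            return "rejected: replay"        # same (or older) message delivered again
        if now - body["sent_at"] > MAX_AGE_SECONDS:
            return "rejected: stale"         # genuine, but retransmitted with delay
        self.last_seq = body["seq"]
        self.accepted.append(body["doc"])
        return "accepted"
```

The strict sequence check also rejects out-of-order delivery, which is the right default for payment documents but would need a window for channels that reorder messages.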

Threats to data availability. These arise when an object (user or process) does not receive access to services or resources legally allocated to it. This threat is implemented by seizing all resources, by blocking communication lines by an unauthorized object as a result of transmitting its own information over them, or by excluding necessary system information.

This threat can lead to unreliability or poor quality of service in the system and will therefore potentially affect the accuracy and timeliness of delivery of payment documents.

Threats of refusal to perform transactions. These arise when a legal user transmits or accepts payment documents and then denies this in order to shed responsibility.

Assessment of the vulnerability of the automated information system and construction of the model of impacts involve the study of all embodiments of the threats listed above and identification of the consequences to which they lead.

Threats may be due to:

- natural factors (natural disasters: fire, flood, hurricane, lightning and other causes);

- human factors, which in turn are divided into:

passive threats (threats caused by activities of a random, unintentional nature). These are threats associated with errors in the process of preparing, processing and transmitting information (scientific and technical, commercial, monetary and financial documentation); with an untargeted "brain drain" of knowledge and information (for example, in connection with the migration of the population, departure to other countries for reunification with family, etc.);

active threats (threats caused by intentional, deliberate actions of people). These are threats related to the transfer, distortion and destruction of scientific discoveries, inventions, production secrets and new technologies for mercenary and other antisocial motives (documentation, drawings, discoveries and inventions and other materials); viewing and transferring various documentation, viewing "garbage"; listening to and transferring official and other scientific, technical and commercial conversations; with a targeted "brain drain" of knowledge and information (for example, in connection with obtaining another citizenship for mercenary motives);

- man-machine and machine factors, divided into:

passive threats. These are threats associated with errors in the process of designing, developing and manufacturing systems and their components (buildings, structures, premises, computers, communications, operating systems, application programs, etc.); with errors in the operation of equipment due to the poor quality of its manufacture; with errors in the process of preparing and processing information (errors of programmers and users due to insufficient qualification and poor-quality maintenance, operator errors in preparing, entering and outputting data, correcting and processing information);

active threats. These are threats associated with unauthorized access to the resources of the automated information system (making technical changes to computing equipment and communication facilities, connecting to computing equipment and communication channels, theft of various types of information carriers: floppy disks, descriptions, printouts and other materials, viewing entered data and printouts, browsing "garbage"); threats implemented in a contactless way (collection of electromagnetic emissions, interception of signals induced in circuits (conductive communications), visual-optical methods of information extraction, eavesdropping on official and scientific and technical conversations, etc.).

The main typical ways of information leakage and unauthorized access to automated information systems, including through telecommunication channels, are as follows:

interception of electronic radiation;

use of eavesdropping devices (bugs);

remote photography;

interception of acoustic radiation and restoring the text of a printer;

theft of information media and production waste;

reading data in other users' arrays;

reading residual information in the system's memory after executing authorized requests;

copying media while overcoming protection measures;

masquerading as a registered user;

mystification (masquerading as system requests);

illegal connection to equipment and communication lines;

malicious disabling of protection mechanisms;

the use of "software traps".

In the absence of protection in the automated information system, possible channels of deliberate unauthorized access to information may be:

standard information access channels (user terminals, means of displaying and documenting information, information media, software loading tools, external communication channels) during their illegal use;

technological consoles and controls;

the internal installation of equipment;

communication lines between hardware;

side electromagnetic radiation carrying information;

side pick-up on power supply circuits, equipment grounding, and auxiliary and extraneous communications placed near the computer system.

Methods by which threats impact information security objects are divided into informational, software-mathematical, physical, radio-electronic, and organizational and legal.

Information methods include:

violation of the targeting and timeliness of information exchange, illegal collection and use of information;

unauthorized access to information resources;

manipulating information (disinformation, concealment or distortion of information);

illegal copying of data in information systems;

violation of information processing technology.

Software and mathematical methods include:

the introduction of computer viruses;

installation of software and hardware implant devices;

destruction or modifying data in automated information systems.

Physical methods include:

destruction or damage of information processing and communication facilities;

destruction, damage or theft of machine or other original media;

theft of software or hardware keys and means of cryptographic protection of information;

impact on personnel;

supply of "infected" components of automated information systems.

Radio-electronic methods are:

intercepting information in the technical channels of its possible leakage;

the introduction of electronic devices for intercepting information into technical means and premises;

interception, decryption and imposition of false information in data transmission networks and communication lines;

impact on password-key systems;

radio electronic suppression of communication lines and control systems.

Organizational and legal methods include:

failure to comply with the requirements of legislation and delays in adopting the necessary regulatory legal provisions in the information sphere;

unlawful restrictions on access to documents containing important information for citizens and organizations.

Software security threats. Ensuring the security of automated information systems depends on the security of the software used in them and, in particular, of the following types of programs:

regular user programs;

special programs designed to violate system security;

a variety of system utilities and commercial application programs that are distinguished by a high professional level of development but which may nevertheless contain individual flaws that allow intruders to attack the system.

Programs can generate problems of two types: first, they can intercept and modify data as a result of the actions of a user who does not have access to this data, and, secondly, using omissions in the protection of computer systems, they can either provide access to the system to users who have no rights, or block access to the system for legal users.

The higher the level of the programmer's training, the more implicit (even for him) the mistakes he makes become, and the more thoroughly and reliably he is able to hide intentional mechanisms designed to violate the security of the system.

The programs themselves may be the target of an attack for the following reasons:

In the modern world a program can be a considerably profitable product, especially for those who are the first to replicate the program for commercial purposes and register copyright to it.

Programs may also become the object of an attack that is able to modify these programs in some way that would allow an attack on other system objects to be carried out in the future. Especially often the object of attacks of this kind are programs that implement system protection functions.

Let us consider several types of programs and techniques that are most commonly used for attacks on software and data. These techniques are denoted by a single term: "software traps". They include trapdoors ("hatches"), "Trojan horses", "logic bombs", salami attacks, covert channels, denial of service and computer viruses.

Trapdoors in programs. The use of trapdoors to penetrate a program is one of the simple and frequently used methods of violating the security of automated information systems.

A trapdoor is an ability to work with a software product that is not described in the product's documentation. The essence of using trapdoors is that when the user performs some actions not described in the documentation, he gains access to capabilities and data which under normal conditions are closed to him (in particular, entry into privileged mode).

Trapdoors are most often the result of the developers' forgetfulness. A temporary mechanism of direct access to parts of the product, created to facilitate debugging and not removed at its end, may serve as a trapdoor. Trapdoors can also form as a result of the frequently practised "top-down" technology of software development: "stubs", groups of commands that imitate or simply mark the place where future subroutines will be connected, may be left in the finished product for some reason.

Finally, another common source of trapdoors is so-called "undefined input": the entry of "meaningless" information, gibberish, in response to system prompts. The reaction of an insufficiently well-written program to undefined input may at best be unpredictable (when, on re-entering the same incorrect command, the program reacts differently each time); it is much worse if the program performs some repeatable actions as a result of the same "undefined" input, since this makes it possible for a potential intruder to plan his actions to violate security.

Undefined input is a particular case of an interrupt. That is, in general the intruder can deliberately create a certain non-standard situation in the system that would allow him to perform the necessary actions. For example, he can artificially cause the abnormal termination of a program operating in privileged mode in order to seize control while remaining in this privileged mode.

Combating the possibility of interruption ultimately comes down to the need to provide, when developing programs, mechanisms that form the so-called "fool protection". The meaning of this protection is to guarantee the cutting off of any likelihood of processing undefined input and non-standard situations of various kinds (in particular, errors), and thereby not to allow the security of the computer system to be violated even through incorrect work with the program.

Thus, the hatch (or hatches) may be present in the program due to the fact that the programmer:

forgot to remove it;

deliberately left it in the program to ensure testing or performing the remaining part of debugging;

deliberately left him in the program in the interests of facilitating the final assembly of the final software product;

deliberately left him in the program in order to have a hidden access to the program after it entered the final product.

Luke is the first step to the system attack, the ability to penetrate the computer system bypassing protection mechanisms.

Trojan horses.

There are programs that implement, in addition to the functions described in their documentation, some other functions that are not described there. Such programs are called "Trojan horses".

The probability of detecting a Trojan horse is higher the more obvious the results of its actions are (for example, deleting files or changing their protection). More sophisticated Trojan horses can mask the traces of their activity (for example, by restoring file protection to its original state).

"Logic bombs."

A "logic bomb" is usually the name for a program, or even a fragment of code in a program, that performs some function when a certain condition is met. This condition may be, for example, the arrival of a specific date or the detection of a file with a specific name.

When it "goes off", a logic bomb performs a function that is unexpected and, as a rule, unwanted by the user (for example, it deletes some data or destroys some system structures). The logic bomb is one of the favourite methods of revenge by programmers against companies that fired or offended them.

The "salami" attack.

The "salami" attack has become a real scourge of banking computer systems. In banking systems, thousands of operations related to non-cash payments, transfers, deductions and so on are performed daily.

When processing accounts, whole units (rubles, cents) are used, while when calculating interest, fractional amounts are often obtained. Typically, values exceeding half a ruble (cent) are rounded up to a whole ruble (cent), and values less than half a ruble (cent) are simply discarded. In a salami attack, these insignificant values are not discarded but gradually accumulate on a certain special account.

As practice shows, the sum built up literally out of nothing over a couple of years of "cunning" operation of the program can, for an average-sized bank, amount to thousands of dollars. Salami attacks are quite difficult to recognise if the attacker does not start accumulating large sums on one account.
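As an added illustration, not part of the original text, the following Python models the rounding described above and the reconciliation check an auditor could run over the postings: every credit is recomputed independently from the balances, so a credit with no balance basis, or a total that differs from the independent sum, is flagged even when every client's own figure is correct. The account names, balances and interest rate are constructed sample values.

```python
import random
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP
from typing import Dict, List

CENT = Decimal("0.01")
MONTHLY_RATE = Decimal("0.0125")   # constructed sample rate: 1.25% per month


def sample_balances(count: int = 1000, seed: int = 7) -> Dict[str, Decimal]:
    """Constructed ledger: account ids and balances in rubles (not real data)."""
    rng = random.Random(seed)
    return {f"acct-{i:04d}": Decimal(rng.randint(1000, 5_000_000)) / 100
            for i in range(count)}


def exact_interest(balance: Decimal) -> Decimal:
    """Interest before rounding; carries sub-cent fractions."""
    return balance * MONTHLY_RATE


def honest_posting(balances: Dict[str, Decimal]) -> Dict[str, Decimal]:
    """Normal practice from the text: round half-up to a whole cent, drop the rest."""
    return {acct: exact_interest(bal).quantize(CENT, rounding=ROUND_HALF_UP)
            for acct, bal in balances.items()}


def salami_posting(balances: Dict[str, Decimal],
                   skim_account: str = "acct-skim") -> Dict[str, Decimal]:
    """Model of the attack: every client still receives the correctly rounded
    credit, but the fractions that should have been discarded are accumulated
    on a special account instead, so per-account figures look right."""
    posted: Dict[str, Decimal] = {}
    skimmed = Decimal("0")
    for acct, bal in balances.items():
        exact = exact_interest(bal)
        rounded = exact.quantize(CENT, rounding=ROUND_HALF_UP)
        posted[acct] = rounded
        if rounded < exact:              # remainder below half a cent
            skimmed += exact - rounded
    posted[skim_account] = skimmed.quantize(CENT, rounding=ROUND_DOWN)
    return posted


def reconcile(balances: Dict[str, Decimal],
              postings: Dict[str, Decimal]) -> List[str]:
    """Audit check: recompute every credit independently from the balances and
    flag credits with no balance basis, credits that differ from the
    independent figure, and a total that does not match the independent sum."""
    findings: List[str] = []
    expected = honest_posting(balances)
    for acct, amount in postings.items():
        if acct not in expected:
            findings.append(f"{acct}: credit {amount} has no interest basis")
        elif amount != expected[acct]:
            findings.append(f"{acct}: posted {amount}, expected {expected[acct]}")
    total_posted = sum(postings.values(), Decimal("0"))
    total_expected = sum(expected.values(), Decimal("0"))
    if total_posted != total_expected:
        findings.append(f"total posted {total_posted} != expected {total_expected}")
    return findings


if __name__ == "__main__":
    ledger = sample_balances()
    print("honest run:", reconcile(ledger, honest_posting(ledger)))
    for finding in reconcile(ledger, salami_posting(ledger)):
        print("salami run:", finding)
```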

Covert channels.

Covert channels are programs that transmit information to people who should not receive it under normal conditions.

In systems where critical information is processed, the programmer should not have access to the data processed by a program after that program has been put into operation.

Considerable benefit can be derived from possessing some official information, at the very least elementary information (for example, a list of clients) obtained by a competing firm. A sufficiently qualified programmer can always find a way to transfer information covertly; at the same time, a program designed to produce the most innocuous reports may turn out a little more complicated than the task requires.

For covert transfer of information, the various elements of an "innocuous" format can be used successfully, for example, different line lengths, gaps between lines, the presence or absence of service headers, controlled output of insignificant digits in the output values, the number of spaces or other characters at certain points in the report, and so on.
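Added example, not part of the original text: a normaliser that strips exactly the format elements listed above (trailing whitespace, surplus blank lines, runs of spaces, insignificant digits) from a plain-text report and counts what it removed, so that a report whose formatting carries information can be flagged and canonicalised before it leaves the system. The sample report is constructed.

```python
import re
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, Tuple

# Constructed sample report (not real data) with the irregularities the text
# lists: trailing spaces, a run of spaces, surplus blank lines, and an amount
# printed with more digits than the report's two-decimal convention.
SAMPLE_REPORT = (
    "Client report   \n"
    "Ivanov  12.3456\n"
    "\n"
    "\n"
    "\n"
    "Petrov 7.10\n"
)

_NUMBER = re.compile(r"(\d+)\.(\d+)")


def normalize_report(text: str, decimals: int = 2) -> Tuple[str, Dict[str, int]]:
    """Canonicalise a plain-text report so that the formatting elements named
    in the text cannot carry a hidden message: trailing whitespace is removed,
    runs of blank lines collapse to one, internal runs of spaces become a
    single space, and numbers are rounded to the report's fixed precision.
    Returns the canonical text plus a count of each kind of anomaly removed;
    a non-zero count is the signal for a reviewer."""
    stats = {"trailing_whitespace": 0, "extra_blank_lines": 0,
             "space_runs": 0, "excess_digits": 0}
    quantum = Decimal(10) ** -decimals

    def fix_number(match) -> str:
        if len(match.group(2)) <= decimals:
            return match.group(0)
        stats["excess_digits"] += 1
        return str(Decimal(match.group(0)).quantize(quantum, rounding=ROUND_HALF_UP))

    lines = []
    previous_blank = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line != raw:
            stats["trailing_whitespace"] += 1
        if line == "":
            if previous_blank:
                stats["extra_blank_lines"] += 1
                continue
            previous_blank = True
            lines.append("")
            continue
        previous_blank = False
        line, runs = re.subn(r" {2,}", " ", line)
        stats["space_runs"] += runs
        lines.append(_NUMBER.sub(fix_number, line))
    return "\n".join(lines) + "\n", stats


def anomaly_count(text: str, decimals: int = 2) -> int:
    """Total number of format irregularities found; 0 means the report
    already matches its canonical form."""
    return sum(normalize_report(text, decimals)[1].values())


if __name__ == "__main__":
    canonical, stats = normalize_report(SAMPLE_REPORT)
    print(stats)
    print(canonical, end="")
```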

If the intruder is able to access the computer while the program of interest is running, the covert channel can send critical information into a data area specially created for this purpose in the computer's RAM.

Covert channels are most applicable in situations where the intruder is not even interested in the content of the information but, for example, in the fact of its existence (for example, the existence of a current account with a specific number).

Denial of service.

Most security breach methods are aimed at gaining access to data that the system does not allow under normal conditions. However, no less interesting to intruders is access to the control of the computer system itself or a change in its qualitative characteristics, for example, obtaining some resource (processor, I/O device) for monopolised use, or provoking a deadlock between several processes.

This may be needed in order to use the computer system openly for one's own purposes (at least to solve one's own tasks for free), or simply to block the system, making it inaccessible to other users. This type of security violation is called "denial of service" or "denial of benefit". Denial of service is extremely dangerous for real-time systems, that is, systems that control technological processes, perform various kinds of synchronisation, and so on.

Computer viruses.

Computer viruses are the quintessence of all kinds of security violations. One of the most frequent and favourite methods of virus propagation is the Trojan horse method. Viruses differ from logic bombs only in their ability to reproduce and to ensure their own launch, so many viruses can be regarded as a special form of logic bomb.

To attack a system, viruses actively use various kinds of trapdoors. Viruses can implement a wide variety of functions, including the salami attack. In addition, the success of one kind of attack often reduces the "immunity" of the system and creates a favourable environment for the success of attacks of other kinds. Intruders know this and actively exploit it.

Of course, the techniques described above are rarely encountered in pure form. Much more often, an attack uses separate elements of different techniques.

Threats to information in computer networks. Computer networks have many advantages over a set of separately working computers, among which are the sharing of system resources, increased system reliability, distribution of load among network nodes, and extensibility by adding new nodes.

At the same time, the use of computer networks raises serious problems of ensuring information security. The following can be noted.

Sharing of resources.

Because a large number of resources are shared by various network users, possibly located at great distances from each other, the risk of unauthorised access increases sharply, since on a network it can be carried out more easily and more covertly.

Expansion of the control zone.

The administrator or operator of a separate system or subnet has to control the activity of users who are beyond their reach.

Combination of various software and hardware.

Connecting several systems into a network increases the vulnerability of the entire system as a whole, since each information system is configured to meet its own specific security requirements, which may be incompatible with the requirements of other systems.

Unknown perimeter.

The ease of expanding networks means that it is sometimes difficult to determine the boundaries of a network, since the same node can be accessible to users of various networks. Moreover, for many of them it is not always possible to determine exactly how many users have access to a specific network node and who they are.

Many points of attack.

In networks, the same data set or message can be transmitted through several intermediate nodes, each of which is a potential source of threat. In addition, many modern networks can be accessed via dial-up communication lines and a modem, which multiplies the number of possible points of attack.

Difficulty of controlling and managing access to the system.

Many network attacks can be carried out without physical access to a specific node, using the network from remote points.

In this case, identifying the intruder can be very difficult. In addition, the attack may be too brief to allow adequate measures to be taken.

On the one hand, a network is a single system with uniform rules for processing information, and on the other, a set of separate systems, each with its own rules for processing information. Therefore, taking into account this dual nature of a network, an attack on it can be carried out from two levels: the upper and the lower (a combination of the two is possible).

In an upper-level attack on a network, the attacker uses the properties of the network to penetrate another node and perform certain unauthorised actions. In a lower-level attack, the attacker uses the properties of network protocols to violate the confidentiality or integrity of individual messages or of the message flow as a whole.

Violation of the message flow can lead to leakage of information and even loss of control over the network.

There are passive and active low-level threats specific to networks.

Passive threats

(violation of the confidentiality of data circulating on the network) are the viewing and/or recording of data transmitted over communication lines. These include:

viewing messages;

traffic analysis: the attacker can view the headers of packets circulating on the network and, based on the service information contained in them, draw conclusions about the senders and recipients of the packet and the transmission conditions (time of sending, message class, security category, message length, traffic volume, etc.).

Active threats

(violation of the integrity or availability of network resources and components) are the unauthorised use of devices that have access to the network to change individual messages or the message flow. These include:

denial of messaging services: an attacker can destroy or delay individual messages or the entire flow of messages;

"masquerade": an attacker can assign someone else's identifier to their node or relay and receive or send messages in someone else's name;

introduction of network viruses: transmission of a virus body over the network with its subsequent activation by a user of a remote or local node;

modification of the message flow: an attacker can selectively destroy, modify, delay, reorder and duplicate messages, as well as insert fake messages.

Threats to commercial information.

In the context of informatisation, such methods of unauthorised access to confidential information as copying, forgery and destruction also pose a particular danger.

Copying.

With unauthorised access to confidential information, the following are copied: documents containing information of interest to the attacker; technical media; information processed in automated information systems. The copying methods used include photocopying, photographing and electronic copying.

Forgery.

In a competitive environment, forgery, modification and imitation take on a large scale. Malefactors forge trust documents that allow certain information to be obtained, letters, invoices, accounting and financial documentation; they forge keys, passes, passwords, ciphers, etc. In automated information systems, forgery includes, in particular, such malicious actions as falsification (the receiving subscriber forges the received message, passing it off as valid in their own interest) and masquerade (a sending subscriber disguises themselves as another subscriber in order to obtain protected information).

Destruction.

The destruction of information in automated databases and knowledge bases poses a particular danger. Information on magnetic media is destroyed using compact magnets and by software ("logic bombs"). A significant place among crimes against automated information systems is occupied by sabotage, explosions, destruction, and the disabling of connecting cables and air-conditioning systems.

Methods and means of ensuring the information security of organisations (firms)

The methods of ensuring information protection are the following: obstruction, access control, masking, regulation, coercion and motivation.

Obstruction is the method of physically blocking the attacker's path to the protected information (to the equipment, storage media, etc.).

Access control is the method of protecting information by regulating the use of all resources of the organisation's (firm's) automated information system. Access control includes the following protection functions:

identification of users, personnel and resources of the information system (assigning a personal identifier to each object);

authentication of an object or subject by the identifier it presents;

verification of authority (checking that the day of the week, time of day, requested resources and procedures conform to the established regulations);

permitting and creating working conditions within the established regulations;

registration (logging) of requests to protected resources;

response (alarm, shutdown, delay of work, refusal of the request) to attempts at unauthorised actions.
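Added example, not part of the original text: a small access monitor in Python that implements these functions in order (identification by personal identifier, password authentication, verification of authority against a regulation of roles, weekdays and hours, registration of every request in a log, and lockout as the response to repeated failures). The user, resource and schedule values are constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

PBKDF2_ROUNDS = 50_000


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Subject:
    """A user with a personal identifier (identification) and a salted
    password verifier (authentication)."""
    uid: str
    salt: bytes
    pw_hash: bytes
    roles: Set[str]
    failures: int = 0
    locked: bool = False


@dataclass
class Regulation:
    """Conditions under which a resource may be used: permitted roles,
    weekdays (Monday = 0) and the hour range [hour_from, hour_to)."""
    roles: Set[str]
    weekdays: Set[int]
    hour_from: int
    hour_to: int


class AccessController:
    """Identification, authentication, verification of authority against the
    regulation, permission, registration (logging) and response (lockout)."""
    MAX_FAILURES = 3

    def __init__(self) -> None:
        self.subjects: Dict[str, Subject] = {}
        self.regulations: Dict[str, Regulation] = {}
        self.log: List[str] = []

    def register(self, uid: str, password: str, roles: Set[str]) -> None:
        salt = os.urandom(16)
        self.subjects[uid] = Subject(uid, salt, _password_hash(password, salt), set(roles))

    def request(self, uid: str, password: str, resource: str, when: datetime) -> str:
        subject = self.subjects.get(uid)
        if subject is None:
            return self._deny(uid, resource, when, "unknown identifier")
        if subject.locked:
            return self._deny(uid, resource, when, "identifier locked")
        if not hmac.compare_digest(_password_hash(password, subject.salt), subject.pw_hash):
            subject.failures += 1
            if subject.failures >= self.MAX_FAILURES:
                subject.locked = True            # response: shut the identifier out
                return self._deny(uid, resource, when, "authentication failed; identifier locked")
            return self._deny(uid, resource, when, "authentication failed")
        subject.failures = 0
        rule = self.regulations.get(resource)
        if rule is None:
            return self._deny(uid, resource, when, "no regulation for resource")
        if not (subject.roles & rule.roles):
            return self._deny(uid, resource, when, "role not permitted")
        if when.weekday() not in rule.weekdays or not (rule.hour_from <= when.hour < rule.hour_to):
            return self._deny(uid, resource, when, "outside regulated time")
        self.log.append(f"{when.isoformat()} ALLOW {uid} -> {resource}")
        return "allowed"

    def _deny(self, uid: str, resource: str, when: datetime, reason: str) -> str:
        self.log.append(f"{when.isoformat()} DENY {uid} -> {resource}: {reason}")
        return f"denied: {reason}"


def demo() -> List[str]:
    """Constructed scenario: an accountant may use the ledger Monday to Friday,
    09:00-18:00; a Saturday request, an evening request and three wrong
    passwords are refused, and the third wrong password locks the identifier."""
    ac = AccessController()
    ac.register("ivanov", "correct horse battery", {"accountant"})
    ac.regulations["ledger"] = Regulation({"accountant"}, {0, 1, 2, 3, 4}, 9, 18)
    tuesday_10 = datetime(2024, 3, 5, 10, 0)
    saturday_10 = datetime(2024, 3, 9, 10, 0)
    tuesday_22 = datetime(2024, 3, 5, 22, 0)
    results = [
        ac.request("ivanov", "correct horse battery", "ledger", tuesday_10),
        ac.request("ivanov", "correct horse battery", "ledger", saturday_10),
        ac.request("ivanov", "correct horse battery", "ledger", tuesday_22),
    ]
    results += [ac.request("ivanov", "wrong", "ledger", tuesday_10) for _ in range(3)]
    results.append(ac.request("ivanov", "correct horse battery", "ledger", tuesday_10))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```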

Masking is the method of protecting information in an automated information system by cryptographic closure.

Regulation is the method of protecting information that creates conditions for the automated processing, storage and transmission of information under which the possibility of unauthorised access to it is minimised.

Coercion is the method of information protection in which users and system personnel are forced to comply with the rules for processing, transmitting and using protected information under threat of material, administrative or criminal liability.

Motivation is the method of information protection that encourages users and system personnel not to violate the established rules by observing prevailing moral and ethical norms.

The above methods of ensuring the information security of an organisation (firm) are implemented in practice through various protection mechanisms, for which the following basic means are created: physical, hardware, software, hardware-software, cryptographic, organisational, legislative, and moral and ethical.

Physical means are intended for the external protection of the territory of facilities and the protection of the components of the enterprise's automated information system, and are implemented in the form of autonomous devices and systems.

Alongside traditional mechanical systems, universal automated electronic physical protection systems are being developed and introduced, intended for the protection of territories and premises, the organisation of access control and of surveillance; fire alarm systems; and systems for preventing the theft of media.

The component base of such systems consists of various sensors whose signals are processed by microprocessors, electronic intelligent keys, devices for determining a person's biometric characteristics, etc.

To protect the equipment included in the enterprise's automated information system and removable media (floppy disks, magnetic tapes, printouts), the following are used:

various locks (mechanical, with a code set, with microprocessor control, radio-controlled), which are installed on entrance doors, shutters, safes, cabinets, devices and system units;

microswitches registering the opening or closing of doors and windows;

inertial sensors, which can be connected using the lighting network, telephone wires and television antenna wiring;

special foil stickers, which are stuck on all documents, devices, units and system blocks to prevent their removal from the room. On any attempt to carry an object with a sticker out, a special installation (analogous to a metal detector) placed near the exit raises an alarm;

special safes and metal cabinets for installing individual elements of the automated information system (file server, printer, etc.) and removable media.

To neutralise the leakage of information through electromagnetic channels, shielding and absorbing materials and products are used. In this case:

work premises in which components of the automated information system are installed are shielded by covering the walls, floor and ceiling with metallised wallpaper, conductive enamel and plaster, wire mesh or foil, and by installing conductive brick or multilayer steel, aluminium or special sheets;

metallised curtains and glass with a conductive layer are used to protect windows;

all openings are closed with a metal mesh connected to a grounding bus or to the wall shielding;

limiting magnetic traps that prevent the spread of radio waves are mounted on ventilation ducts.

To protect against pickup on the electrical circuits of the nodes and units of the automated information system, the following are used:

shielded cable for intra-rack, intra-unit, inter-unit and outdoor installation;

shielded elastic connectors and mains filters for suppressing electromagnetic emissions;

wires, lugs, chokes, capacitors and other interference-suppressing radio and electrical components;

separating dielectric inserts placed on plumbing, heating, gas and other metal pipes, which break the electromagnetic circuit.

Electronic tracers are used to monitor the power supply: devices installed at the AC voltage input points. If the power cord is cut, broken or burned out, the encoded message triggers an alarm or activates a television camera for subsequent recording of the event.

For detecting implanted "bugs", X-ray examination is considered the most effective. However, implementing this method involves great organisational and technical difficulties.

The use of special noise generators to protect against theft of information from computers by picking up emissions from displays has an adverse effect on the human body, leading to rapid hair loss, loss of appetite, headaches and nausea. This is why they are rarely used in practice.

Hardware protection means are various electronic, electromechanical and other devices, either built directly into the units of the automated information system or made as independent devices and interfaced with those units.

They are intended for the internal protection of the structural elements of computing equipment and systems: terminals, processors, peripheral equipment, communication lines, etc.

Basic functions of hardware protection:

prohibition of unauthorised internal access to individual files or databases of the information system, whether as a result of accidental or intentional actions by service personnel;

protection of active and passive (archived) files and databases during maintenance or shutdown of the automated information system;

protection of software integrity.

These tasks are implemented by hardware information security means using the access control method (identification, authentication and verification of the authority of the system's subjects, registration and response).

For work with particularly valuable information of an organisation (firm), computer manufacturers can make individual disks with unique physical characteristics that do not allow the information to be read. In this case, the cost of the computer may increase several times.

Software protection means are intended to perform logical and intellectual protection functions and are included either in the software of the automated information system or in the composition of the means, complexes and systems of control equipment.

Software protection means are the most common type of protection, possessing the following positive properties: universality, flexibility, ease of implementation, and the possibility of modification and development. This same circumstance makes them the most vulnerable elements of the protection of the enterprise's information system.

Currently, a large number of operating systems, database management systems, network packages and application packages include a variety of information security tools.

Using software tools, the following information security tasks are solved:

control of loading and login using personal identifiers (name, code, password, etc.);

differentiation and control of subjects' access to system resources and components, and to external resources;

isolation of the program processes performed in the interests of a particular subject from other subjects (ensuring each user works in an individual environment);

management of confidential information flows in order to prevent recording on storage media of an inappropriate level (grade) of secrecy;

protection of information from computer viruses;

erasure of residual confidential information in areas of the computer's RAM freed after a request is executed;

erasure of residual confidential information on magnetic disks, with issue of reports on the results of the erasure;

ensuring the integrity of information by introducing data redundancy;

automatic monitoring of the operation of system users on the basis of logging results and preparation of reports from the records in the system registration log.

Currently, a number of operating systems contain built-in means of blocking reuse from the outset. For other types of operating systems, there are many commercial programs, not to mention special security packages that implement similar functions.

The use of redundant data is aimed at preventing the appearance of random errors and at identifying unauthorised modifications. This can be the use of checksums, parity checks on the data, error-correcting coding, etc.

It is often practised to store, in some protected location, the signatures of important system objects. For example, for a file, a combination of the file's protection byte with its name, length and date of last modification can be used as the signature. Each time the file is accessed, or in case of suspicion, the current characteristics of the file are compared with the reference.
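Added example, not part of the original text, covering both the redundancy (checksum) and the object-signature ideas above: the signature combines the file's protection bits, name, length and modification date, as described, plus a SHA-256 of the contents; the baseline is stored in a separate JSON file standing in for the protected location and compared against the current characteristics. The file names and contents are constructed.

```python
import hashlib
import json
import os
import stat
import tempfile
from typing import Any, Dict, Iterable, List


def file_signature(path: str) -> Dict[str, Any]:
    """Signature of an important system object as the text describes it
    (protection bits, name, length, date of last modification), extended with
    a SHA-256 of the contents as the checksum form of redundancy."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "name": os.path.basename(path),
        "mode": stat.S_IMODE(st.st_mode),
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,
        "sha256": digest.hexdigest(),
    }


def build_baseline(paths: Iterable[str]) -> Dict[str, Dict[str, Any]]:
    """Reference signatures, to be kept in a protected location."""
    return {path: file_signature(path) for path in paths}


def save_baseline(baseline: Dict[str, Dict[str, Any]], baseline_path: str) -> None:
    with open(baseline_path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, sort_keys=True, indent=2)


def load_baseline(baseline_path: str) -> Dict[str, Dict[str, Any]]:
    with open(baseline_path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def verify(baseline: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Compare current characteristics with the reference; returns, per file,
    the fields that differ ("missing" when the file no longer exists)."""
    changes: Dict[str, List[str]] = {}
    for path, reference in baseline.items():
        if not os.path.exists(path):
            changes[path] = ["missing"]
            continue
        current = file_signature(path)
        differing = [field for field in reference if current.get(field) != reference[field]]
        if differing:
            changes[path] = differing
    return changes


def demo(tamper: bool = True) -> Dict[str, List[str]]:
    """Constructed scenario: two files are baselined; one is then overwritten
    with content of the same length and its modification time is restored,
    the kind of trace masking the text warns about.  Name, size and date all
    still match, so only the checksum reveals the change."""
    with tempfile.TemporaryDirectory() as workdir:
        config = os.path.join(workdir, "config.ini")
        notes = os.path.join(workdir, "notes.txt")
        for path, data in ((config, b"mode=secure\n"), (notes, b"hello\n")):
            with open(path, "wb") as fh:
                fh.write(data)
        baseline_path = os.path.join(workdir, "baseline.json")
        save_baseline(build_baseline([config, notes]), baseline_path)
        if tamper:
            before = os.stat(config)
            with open(config, "wb") as fh:
                fh.write(b"mode=unsafe\n")          # same length as the original
            os.utime(config, ns=(before.st_atime_ns, before.st_mtime_ns))
        return verify(load_baseline(baseline_path))


if __name__ == "__main__":
    print("untouched:", demo(tamper=False))
    print("tampered:", demo(tamper=True))
```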

The auditability property of an access control system means the ability to reconstruct events or procedures. Means of ensuring auditability must establish what actually happened. Here we are talking about documenting the procedures performed, keeping registration logs, and using clear and unambiguous identification and verification methods.

It should be noted that the task of access control, while ensuring the integrity of resources, is reliably solved only by encryption of information.

Scientific and technical progress has turned information into a product that can be bought, sold and exchanged. Often the cost of data is several times higher than the price of the entire technical system that stores and processes the information.

The quality of commercial information provides the necessary economic effect for the company, so it is important to protect critical data from unlawful actions. This allows the company to compete successfully in the market.

Definition of information security

Information security (IS) is the state of an information system in which it is least susceptible to interference and damage from third parties. Data security also implies managing the risks related to disclosure of information or to influence on hardware and software protection modules.

Security of the information processed in an organisation is a set of actions aimed at solving the problem of protecting the information environment within the company. At the same time, the use and dynamic development of the information by authorised persons should not be restricted.

Requirements for an IS protection system

Protection of information resources should be:

1. Constant. An attacker can at any time try to bypass the data protection modules of interest to them.

2. Targeted. Information should be defended within a certain goal set by the organisation or the owner of the data.

3. Planned. All protection methods must comply with the state standards, laws and by-laws that regulate the protection of confidential data.

4. Active. Measures to maintain and improve the protection system should be carried out regularly.

5. Comprehensive. The use of only individual protection modules or technical means is unacceptable. All types of protection must be applied to the fullest extent; otherwise the developed system will be deprived of meaning and of an economic basis.

6. Universal. Protection means should be selected in accordance with the existing leakage channels.

7. Reliable. All protection techniques should reliably block the possible paths of an attacker to the protected information, regardless of the form in which the data is presented.

A DLP system must also meet the listed requirements, and it is best to evaluate its capabilities in practice, not in theory. You can try "SearchInform KIB" free of charge for 30 days.

Security system model

Information is considered protected if three main properties are observed.

The first, integrity, involves ensuring the reliability and correct display of protected data regardless of which security and protection systems are used in the company. Data processing should not be disrupted, and system users who work with protected files should not encounter unauthorised modification or destruction of resources, or malfunctions.

The second, confidentiality, means that access to viewing and editing data is provided exclusively to authorised users of the protection system.

The third, availability, implies that all authorised users must have access to the confidential information.

It is enough to violate one of the properties of protected information for use of the system to become meaningless.

Stages of creating and maintaining an information protection system

In practice, the creation of an information protection system is carried out in three stages.

At the first stage, a basic model of the system that will operate in the company is developed. To do this, it is necessary to analyse all types of data that circulate in the firm and that need to be protected against third-party encroachment. The work plan at the initial stage consists of four questions:

  1. Which information should be protected?
  2. What is the purpose of gaining access to the protected information?

The purpose may be familiarisation with, alteration, modification or destruction of data. Each action is illegal if an attacker performs it. Familiarisation does not lead to destruction of the data structure, whereas modification and destruction lead to partial or complete loss of information.

  3. What are the sources of confidential information?

Sources in this case are people and information resources: documents, flash drives, publications, products, computer systems, work tools.

  4. What are the ways of gaining access, and how to protect against unauthorised attempts to influence the system?

The following ways of gaining access are distinguished:

  • Unauthorised access: illegal use of data;
  • Leakage: uncontrolled dissemination of information outside the corporate network. Leakage occurs due to shortcomings and weaknesses of the technical channel of the security system;
  • Disclosure: the result of the human factor. Authorised users may disclose information in order to pass it to competitors, or through negligence.

The second stage includes development of the protection system. This means implementing all selected methods, means and directions of data protection.

The system is built simultaneously in several directions of protection, at several levels that interact with each other to ensure reliable information control.

The legal level ensures compliance with state standards in the field of information protection and includes copyright, decrees, patents and job descriptions. A competently built protection system does not violate user rights or data processing standards.

The organisational level allows you to create rules for users' work with confidential information, select personnel, and organise work with documentation and physical data carriers.

The rules for users' work with confidential information are called access rules. The rules are established by the company's management together with the security service and the vendor that implements the security system. The goal is to create conditions of access to information resources for each user, for example, the right to read, edit or transmit a confidential document. The access rules are developed at the organisational level and introduced at the stage of work with the technical component of the system.

The technical level is conventionally divided into physical, hardware, software and mathematical sublevels.

  • physical: creating barriers around the protected object: security systems, noise, reinforcement of architectural structures;
  • hardware: installation of technical means: special computers, employee control systems, protection of servers and corporate networks;
  • software: installation of the protection system software, implementation of the access rules and testing of operation;
  • mathematical: implementation of cryptographic and steganographic data protection methods for secure transmission over the corporate or global network.

The third, final stage is maintaining the operability of the system, regular control and risk management. It is important that the protection module is flexible and allows the security administrator to improve the system quickly when new potential threats are found.

Types of confidential data

Confidential data is information, access to which is restricted in accordance with the laws of the state and the norms that companies establish on their own.

  • Personal confidential data: personal data of citizens, the right to a private life, correspondence, concealment of identity. The only exception is information that is disseminated in the media.
  • Official confidential data: information, access to which can be restricted only by the state (state authorities).
  • Judicial confidential data: the secrecy of investigation and legal proceedings.
  • Commercial confidential data: all types of information related to commerce (profit), access to which is restricted by law or by the enterprise (secret developments, production technology, etc.).
  • Professional confidential data: data related to the activities of citizens, for example, medical, notarial or attorney secrecy, the disclosure of which is prosecuted by law.

Threats to the confidentiality of information resources

A threat is a possible or actual attempt to take possession of protected information resources.

The sources of threats to the preservation of confidential data are competitors, attackers and administrative bodies. The purpose of any threat is to affect the integrity, completeness and availability of data.

Threats are internal or external. External threats are attempts to gain access to data from the outside and are accompanied by hacking of servers, networks and employee accounts, and by reading information from technical leakage channels (acoustic reading with bugs and cameras, hardware implants, obtaining vibro-acoustic information from windows and architectural structures).

Internal threats imply illegal actions by personnel, a work department or the company's management. As a result, a user of the system who works with confidential information can give it out to outsiders. In practice, such a threat is encountered more often. An employee can "leak" secret data for years. This is easy to do, because the security administrator does not classify the actions of an authorised user as a threat.

Since internal IS threats are associated with the human factor, they are more difficult to track and manage. Incidents can be prevented by dividing employees into risk groups. An automated module with psychological profiles can cope with this task.

An attempt at unauthorised access can occur in several ways:

  • through employees, who can pass confidential data to outsiders, take away physical media or gain access to protected information through printed documents;
  • using software: attackers carry out attacks aimed at stealing "login-password" pairs, intercepting cryptographic keys to decrypt data, and unauthorised copying of information;
  • through the hardware components of the automated system, for example, the introduction of listening devices or the use of technologies for reading hardware at a distance (outside the controlled zone).


Hardware and software information security (IB)

All modern operating systems have built-in data protection modules at the software level. Mac OS, Windows, Linux and iOS cope well with encrypting data on disk and in transit to other devices. However, additional protection modules are needed to work efficiently with confidential information.

A standard OS does not protect data at the moment of transmission over the network, whereas dedicated protection systems make it possible to control the information flows circulating in the corporate network and the storage of data.

Hardware and software protection modules are usually divided into groups, each of which performs its own function in protecting sensitive information:

  • Identification level: a comprehensive user-recognition system that can use standard or multi-level authentication and biometrics (face recognition, fingerprint scanning, voice recording and other techniques).
  • Encryption level: provides key exchange between the sender and the recipient and encrypts/decrypts all system data.

Legal protection of information

The legal basis of information security is provided by the state. Information protection is governed by international conventions, the constitution, federal laws and subordinate regulations.

The state also determines the measure of liability for violating the provisions of legislation in the field of IB. For example, Chapter 28, "Crimes in the Sphere of Computer Information", of the Criminal Code of the Russian Federation includes three articles:

  • Article 272 "Unauthorized access to computer information";
  • Article 273 "Creation, Use and Dissemination of Malicious Computer Programs";
  • Article 274 "Violation of the rules of operation of storage, processing or transmission of computer information and information and telecommunication networks."