Annotation: The lecture covers the basic concepts of information security. Familiarization with the Federal Law "On Information, Information Technologies and Information Protection".

GOST "Data protection. Basic terms and definitions" introduces the concept of information security as a state of protection of information in which its confidentiality, availability and integrity are ensured.

  • Confidentiality – a state of information in which access to it is obtained only by subjects who have the right to it;
  • Integrity – a state of information in which it is either unchanged or changed only intentionally by subjects who have the right to do so;
  • Availability – a state of information in which subjects with access rights can exercise them without hindrance.

An information security threat is a set of conditions and factors that create a potential or actual danger of a violation of information security. An attack is an attempt to implement a threat, and the one who makes such an attempt is an intruder. Potential attackers are called sources of threat.

A threat is a consequence of the presence of weak points, or vulnerabilities, in the information system. Vulnerabilities can arise for various reasons, for example as a result of unintentional mistakes made by programmers when writing programs.

Threats can be classified according to several criteria:

  • by the property of information (availability, integrity, confidentiality) against which the threat is primarily directed;
  • by the component of the information system at which the threat is aimed (data, programs, hardware, supporting infrastructure);
  • by the method of implementation (accidental/deliberate, natural/man-made actions);
  • by the location of the threat source (inside/outside the IS in question).

Ensuring information security is a complex task whose solution requires an integrated approach. The following levels of information protection are distinguished:

  1. legislative – laws, regulations and other documents of the Russian Federation and the international community;
  2. administrative – a set of measures taken locally by the organization's management;
  3. procedural – security measures implemented by people;
  4. software and hardware – the technical means of information protection themselves.

The legislative level is the basis for building an information security system, as it defines the basic concepts of the subject area and determines the punishment for potential attackers. This level plays a coordinating and guiding role and helps maintain a negative (and punitive) attitude in society towards people who violate information security.

1.2. Federal Law "On Information, Information Technologies and Information Protection"

In Russian legislation, the basic law in the field of information protection is the Federal Law “On Information, Information Technologies and Information Protection” dated July 27, 2006, number 149-FZ. Therefore, the basic concepts and decisions enshrined in the law require careful consideration.

The law regulates relations arising when:

  • exercising the right to search, receive, transmit, produce and disseminate information;
  • application of information technologies;
  • ensuring information security.

The law provides basic definitions in the field of information protection. Here are some of them:

  • information – information (messages, data) regardless of the form of its presentation;
  • information technology – processes and methods of searching for, collecting, storing, processing, providing and distributing information, and ways of implementing such processes and methods;
  • information system – the totality of information contained in databases and of the information technologies and technical means that ensure its processing;
  • owner of information – a person who independently created information or who, on the basis of a law or agreement, received the right to permit or restrict access to information determined by any criteria;
  • information system operator – a citizen or legal entity engaged in operating an information system, including processing the information contained in its databases;
  • confidentiality of information – a mandatory requirement for a person who has gained access to certain information not to transfer such information to third parties without the consent of its owner.

Article 4 of the Law formulates the principles of legal regulation of relations in the field of information, information technology and information protection:

  1. freedom to search, receive, transmit, produce and disseminate information by any legal means;
  2. establishing restrictions on access to information only by federal laws;
  3. openness of information about the activities of state bodies and local governments and free access to such information, except in cases established by federal laws;
  4. equality of the languages of the peoples of the Russian Federation in the creation and operation of information systems;
  5. ensuring the security of the Russian Federation during the creation of information systems, their operation and the protection of the information contained in them;
  6. reliability of information and timeliness of its provision;
  7. inviolability of private life, inadmissibility of collecting, storing, using and distributing information about a person’s private life without his consent;
  8. the inadmissibility of establishing by regulatory legal acts any advantages of using some information technologies over others, unless the mandatory use of certain information technologies for the creation and operation of state information systems is established by federal laws.

All information is divided into publicly available information and information of limited access. Publicly available information includes generally known information and other information access to which is not limited. The law defines information access to which cannot be restricted, for example information about the environment or about the activities of government bodies. It is also stipulated that restriction of access to information is established by federal laws in order to protect the foundations of the constitutional system, morality, health, and the rights and legitimate interests of other persons, and to ensure the defense of the country and the security of the state. Maintaining the confidentiality of information access to which is limited by federal laws is mandatory.

It is prohibited to require a citizen (individual) to provide information about his private life, including information constituting a personal or family secret, and to receive such information against the will of the citizen (individual), unless otherwise provided by federal laws.

Depending on the procedure for its provision or distribution, information is divided into:

  1. information freely disseminated;
  2. information provided by agreement of the persons participating in the relevant relationship;
  3. information that, in accordance with federal laws, is subject to provision or distribution;
  4. information the distribution of which is restricted or prohibited in the Russian Federation.

The law establishes the equivalence of an electronic message signed with an electronic digital signature or another analogue of a handwritten signature and a document signed by hand.

The law defines information protection as the adoption of legal, organizational and technical measures aimed at:

  1. ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other unlawful actions in relation to such information;
  2. maintaining the confidentiality of restricted information;
  3. implementation of the right to access information.

The owner of information and, in cases established by the legislation of the Russian Federation, the operator of the information system are obliged to ensure:

  1. prevention of unauthorized access to information and (or) transfer of it to persons who do not have the right to access information;
  2. timely detection of facts of unauthorized access to information;
  3. preventing the possibility of adverse consequences of violating the order of access to information;
  4. preventing influence on technical means of information processing, as a result of which their functioning is disrupted;
  5. the ability to immediately restore information modified or destroyed due to unauthorized access to it;
  6. constant monitoring of ensuring the level of information security.

Thus, the Federal Law “On Information, Information Technologies and Information Protection” creates the legal basis for information exchange in the Russian Federation and determines the rights and obligations of its subjects.

The definition of information as data of various kinds, presented in any form and serving as the object of various processes, corresponds to the following interpretation of the concept of "information protection" in the law "On Information, Information Technologies and Information Protection".

Information protection is the adoption of legal, organizational and technical measures aimed at:

  1. ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other unlawful actions in relation to such information;
  2. maintaining the confidentiality of restricted information;
  3. implementation of the right to access information.

According to the guidance documents of the FSTEC of Russia, information security is the state of protection of information processed by computer equipment or an automated system from internal and external threats.

According to GOST R 50922-96, information protection is activity aimed at preventing leakage of protected information and unauthorized or unintentional impacts on protected information.

This reflects the countering of two types of threats - unauthorized receipt (leakage) of protected information and impact on protected information.

Thus, the protection of information is understood as a set of measures and actions aimed at ensuring its security in the process of collection, transmission, processing and storage.

In a narrow sense, the above definition of the concept of "information protection" is essentially identical to the concept of "ensuring information security" (Fig. 1.5). Note that information security is the state of its protection from the destabilizing effects of the external environment (man and nature) and from internal threats of the system or network in which it is or may be located, i.e. the confidentiality, integrity and availability of information.

Let us emphasize once again that confidentiality of information is a status (requirement) determined by its owner which defines the required degree of its protection. Essentially, confidentiality of information is the requirement that information be known only to admitted and verified (authorized) subjects of the system (users, processes, programs). To other subjects of the system this information should be unknown.

Fig. 1.5.

Integrity of information is the ability of information (a requirement on information) to keep its semantic content unchanged (relative to the original data), i.e. its resistance to accidental or intentional distortion or destruction.

Availability of information is the ability (requirement) of an object, an information system (network), to provide timely, unimpeded access for authorized subjects (users, subscribers) to the information of interest to them, or to carry out timely information exchange between them.

A subject is an active component of the system that can cause the formation of a flow of information from an object to a subject or a change in the state of the system. An object is a passive component of the system that processes, stores, receives or transmits information. Accessing an object means accessing the information it contains.

Let us emphasize that access to information is the ability to obtain and use information, i.e. the possibility of receiving it, becoming acquainted with it and processing it, in particular copying, modifying or destroying it.

A distinction is made between authorized and unauthorized access to information. Authorized access to information is access that does not violate the established access control rules. Access control rules serve to regulate the access rights of access subjects to access objects.

Unauthorized access to information is characterized by a violation of the established access control rules.

A user, program or process that has unauthorized access to information is a violator of the access control rules (one of the elements of the security policy). Unauthorized access is the most common type of computer and network violation.

Note that the concept of "information security" corresponds to the interpretation given here of the concept of "information protection" (as ensuring the security of information: its confidentiality, integrity and availability). According to GOST R ISO/IEC 17799-2005, information security is a security mechanism that ensures confidentiality (only authorized users have access to information), integrity (the reliability and completeness of information and of the methods of its processing) and availability (access to information and related assets by authorized users as needed). In the standard of JSC Russian Railways (STO Russian Railways 1.18.002-2009) "Information security management. General provisions", information security is also defined as a state of protection of information that ensures such characteristics as confidentiality, integrity and availability.

The implementation of activities to ensure information security of the Russian Federation is entrusted to the state, which, in accordance with the law, is the main subject of security. Let us note that the state is an organization of political power that covers a certain territory and acts simultaneously as a means of ensuring the interests of the entire society and as a special mechanism of control and suppression.

In the Doctrine of Information Security of the Russian Federation (2000), information security of the Russian Federation is understood as the state of security of its national interests in the information sphere, determined by the totality of balanced interests of the individual, society and the state.

There are four main components of the national interests of the Russian Federation in the information sphere:

  1. compliance with the constitutional rights and freedoms of man and citizen in the field of obtaining and using information, ensuring the spiritual renewal of Russia, preserving and strengthening the moral values of society, the traditions of patriotism and humanism, and the cultural and scientific potential of the country;
  2. information support for the state policy of the Russian Federation, related, among other things, to ensuring citizens' access to open state information resources;
  3. development of modern information technologies and the domestic information industry, meeting the needs of the domestic market with its products and the entry of these products into the world market; ensuring the accumulation, preservation and effective use of domestic information resources;
  4. protecting national information resources from unauthorized access, ensuring the security of information and telecommunication systems.

Thus, the goal of ensuring information security of the Russian Federation is, first of all, to protect the vitally important balanced interests of subjects of information relations in the information sphere - citizens, communities of people, enterprises, organizations, corporations, and the state.

Whatever the type of organization, the direction and scale of its activities and the number of participants, its significant assets include information, the processes that support it, information systems and network infrastructure, i.e. information assets. Confidentiality, integrity and availability of information can significantly contribute to an organization's competitiveness, liquidity, profitability, legal compliance and business reputation.

The content of their information security lies in the protection of targeted activities related to information and information infrastructure, provided information services, and other information assets of the organization. These include information systems and resources, objects of intellectual property, property rights to these objects, personal non-property rights of members of the organization, the right to maintain the established regime of access to information that constitutes a secret protected by law, for example, trade secrets and personal data. These components of the organization as an information security object are protected from external and internal threats.

By the information security of an organization, corporation or enterprise we will understand the state of protection of its information assets (resources), that is, information and information infrastructure and other information assets, which ensures an acceptable risk of damage in the face of external and internal, accidental and intentional threats.

The main goal of ensuring information security of organizations is to minimize or achieve acceptable risk or economic damage in the event of a violation of information security - compromise of its confidentiality, violation of integrity and availability.

When developing requirements for the security of an organization as a whole and for the security of its "information dimension", that is, its information security, and when analyzing and assessing security and managing the information security of an organization, the methodology of acceptable (or unacceptable) risk of the organization's activities is, as a rule, used (Fig. 1.6). The magnitude of the risk is determined by the expected adverse security consequences caused by the manifestation of threats to the organization's activities (the likelihood of the threat being realized and the value of the resource).

Fig. 1.6.

The main tasks of ensuring information security of an organization, corporation, or enterprise include:

  • identification of the most important, as well as the weak and vulnerable, objects in information terms;
  • assessment and forecasting of sources of threats to information security and methods of their implementation;
  • development of a policy for ensuring the information security of the corporation and of a set of measures and mechanisms for its implementation;
  • development of a regulatory framework for ensuring the information security of the corporation, coordinating the activities of management bodies to ensure information security;
  • development of measures to ensure information security in the event of a threat or emergency;
  • development of a hierarchical system for ensuring information security, improving its organization, forms, methods and means of preventing, fending off and neutralizing threats to information security;
  • ensuring secure integration of a corporate system or network into global information networks and systems.

A broad interpretation of the concept of “information protection” provides for a set of measures to ensure the security of information presented in any material form, the security of the functioning of information systems and telecommunication networks and the use of information technologies. And in this sense, it coincides with the emerging understanding of the concept of “ensuring information security” of information or telecommunication systems (currently not defined by legislative acts).

The given modern interpretation of information security (in a broad sense - as ensuring the security of information and information infrastructure - information systems and technologies) does not have a sufficiently clear boundary with the process of ensuring information security.

At the same time, the content of the processes of ensuring information security and of information protection (and, accordingly, the concepts of information security and security of information) differs in the level of hierarchy and complexity of organization of the protected objects and in the nature of the threats. Ensuring the information security of objects involves both "protection of information" and "protection from information", ensuring the security (state of protection) of information and information infrastructure from threats. Both concepts imply the use of a set of measures and means of protection, legal, organizational and technological (technical), with an emphasis on one or another group of them.

Let us accept the following interpretation of the concepts “information security” and “ensuring information security”.

Let us first note that the concept of security is defined as "a state in which there is no threat of danger, there is protection from danger", and in general as the impossibility of causing harm to someone or something as a result of the manifestation of threats, i.e. their protection (state of protection) from threats. The concept of ensuring security we will consider in two senses, as an activity and as the means of that activity, and we will also include the subjects that carry it out.

In accordance with the work, in the structure of the concept of “information security” we will distinguish an object of information security, threats to this object and ensuring its information security from the manifestation of threats (Fig. 1.7).

In the context of the global problem of safe development, people, society (communities of people, organizations, including corporations, enterprises, etc.) and the state are considered as the main objects of information security.

In the most general form, for these objects, information security can be defined as the impossibility of causing harm to the properties of a security object or the properties of its structural components, determined by information and information infrastructure, i.e. as security (the state of security) of their “information dimension”.

Based on the above, it is possible to determine the content of information security of a person, society and state as the security of their “information dimension”.

Information security of a person consists in the impossibility of causing harm to him as an individual whose social activity is largely based on understanding the information received, on information interactions with other individuals, and who often uses information as the subject of activity.

Fig. 1.7.

Information security of society lies in the impossibility of causing harm to its spiritual sphere, cultural values, social regulators of human behavior, information infrastructure and messages transmitted with its help.

Information security of the state lies in the impossibility of causing harm to its activities in performing the functions of managing the affairs of society related to the use of information and information infrastructure of society. Sometimes, taking into account the importance of the information security component associated with the impact on the psyche and consciousness of a person and public consciousness, information and psychological security is distinguished in it.

Ensuring information security is characterized by activities to prevent harm to the properties of a security object caused by information and information infrastructure, as well as by the means and subjects of this activity.

Thus, ensuring information security is considered primarily as a solution to the global problem of the safe development of world civilization, states, communities of people, the individual, and the existence of nature. At the same time, the concept of "information security" characterizes the state of protection of a person, society, the state and nature under the possible action of two types of generalized threats: compromise (disclosure) of their secrets, and the negative (accidental or intentional) impact of information on their information subsystems (the consciousness and psyche of an individual, mass consciousness, the information sphere (environment) of societies and states, and information-sensitive elements of natural objects).

Under information security of a person, society, state, we will understand the state of security of their “information dimension” (vital interests of a person, society, state in the information sphere; information assets of an organization, corporation, enterprise; information itself and information infrastructure) from the manifestation of external and internal, accidental and intentional threats.

Specific wording will be given in the next paragraph.

In recent years, the concept of “information security” has spread (but is not enshrined in law) to such information security objects as information and automated systems themselves, corporate and telecommunication networks. Let us accept for them the following interpretation of the concept “information security”.

Information security of a corporate information system or network is a state of security of information located or circulating in it and its information infrastructure, which ensures the stable functioning of a system or network under the influence of destabilizing factors (threats).

When we talk about a threat to information security, as a rule we imagine an experienced hacker who day and night scrupulously studies the slightest gaps in database protection. However, as practice shows, trouble often comes from within the company: due to oversight or malicious intent, confidential information leaks through the organization's employees.

A number of serious specialists in organizational information security call the internal threat the most important, attributing to it up to 80% of the total number of potential risks. Indeed, if we consider the average damage from hacker attacks, it will be close to zero, due to the large number of hacking attempts and their very low effectiveness. A single case of personnel error or a successful insider crime can cost the company multimillion-dollar losses (direct and indirect), litigation and notoriety in the eyes of clients. In fact, the very existence of the company may be under threat, and this, alas, is a reality. How to ensure security? How to protect yourself from information leaks? How to recognize and prevent an internal threat in time? What methods of combating it are most effective today?

The enemy is within

An internal attacker, or insider, can be almost any employee who has access to the company's confidential information. The motivation for an insider's actions is not always obvious, which makes identifying him significantly harder. A recently fired employee who harbors a grudge against his employer; a dishonest worker who wants to make extra money by selling data; a modern Herostratus; a specially planted agent of a competitor or criminal group: these are just a few archetypes of an insider.

The root of all the troubles that malicious insider actions can bring lies in underestimating the importance of this threat. According to a study conducted by Perimetrix, the leak of more than 20% of a company's confidential information in most cases leads to its collapse and bankruptcy. Particularly frequent and most vulnerable victims of insiders are financial institutions of any size, with staff from hundreds to several thousand employees. Although in most cases companies try to hide or significantly understate the real figures of damage from the actions of insiders, even the officially announced amounts of losses are truly impressive. Even more painful than the financial losses is the damage to the company's reputation and the sharp decline in customer confidence; indirect losses can often be many times greater than the actual direct damage. Thus, the case of the Liechtenstein bank LGT is widely known: in 2008 a bank employee handed over a database of depositors to the intelligence services of Germany, the USA, Great Britain and other countries. As it turned out, a huge number of the bank's foreign clients had used the special LGT status to conduct transactions bypassing the tax laws in force in their countries. A wave of financial investigations and related litigation swept across the world, and LGT Bank lost all its significant clients, suffered critical losses and plunged the whole of Liechtenstein into a severe economic and diplomatic crisis. One does not need to look far for very recent examples either: at the beginning of 2011 the leakage of clients' personal data was acknowledged by such a financial giant as Bank of America. As a result of fraudulent activities, information containing names, addresses, social security and telephone numbers, bank account and driver's license numbers, email addresses, PIN codes and other personal information of depositors was leaked from the bank. It is unlikely that the real scale of the bank's losses can be accurately determined, except that the amount was officially announced as "more than $10 million". The cause of the data leak was the actions of an insider who transferred information to an organized criminal group. However, not only banks and funds are under the threat of insider attacks; it is enough to recall a number of high-profile scandals related to the publication of confidential data on the WikiLeaks resource, where, according to experts, a fair share of the information was obtained through insiders.

Prose of life

Unintentional harm to confidential company data, its leakage or loss, is a much more common and prosaic thing than harm caused by insiders. Carelessness of personnel and the lack of proper technical support for information security can cause a direct leak of corporate secrets. Such negligence not only causes serious damage to the company's budget and reputation, but can also cause widespread public resonance. Once released, secret information becomes the property not of a narrow circle of attackers but of the entire information space: the leak is discussed on the Internet, on television and in the press. Recall the loud scandal over the publication of SMS messages of the largest Russian mobile operator, MegaFon. Due to the inattention of technical staff, SMS messages were indexed by Internet search engines, and subscriber correspondence containing information of both a personal and a business nature leaked onto the network. A very recent case is the publication of personal data of clients of the Russian Pension Fund. An error by representatives of one of the fund's regional offices led to the indexing of the personal information of 600 people: names, registration numbers and detailed savings amounts of Pension Fund clients, which any Internet user could read.

A very common cause of confidential data leaks due to negligence is related to the daily circulation of documents within the company. For example, an employee can copy a file containing sensitive data to a laptop, USB drive or PDA in order to work with the data outside the office. The information may also end up on a file hosting service or in the employee's personal email. In such situations the data is completely defenseless against attackers who can take advantage of an unintentional leak.

Golden armor or body armor?

To protect against data leakage, the information security industry creates a variety of leakage protection systems, traditionally referred to by the abbreviation DLP (Data Leakage Prevention). As a rule, these are complex software systems with wide functionality for preventing malicious or accidental leakage of classified information. The peculiarity of such systems is that their correct operation requires a strictly organized structure of the internal circulation of information and documents, since the security analysis of all actions with information is based on working with databases. This explains the high cost of deploying professional DLP solutions: even before the implementation itself, the client company has to purchase a database management system (usually Oracle or SQL), order an expensive analysis and audit of the information flow structure, and develop a new security policy. A common situation is that more than 80% of the information in a company is unstructured, which gives a clear idea of the scale of the preparatory work. Of course, the DLP system itself also costs a lot of money. It is not surprising that only large companies are ready to spend millions on the information security of the organization.

But what should small and medium-sized businesses do if they need to ensure business information security but have neither the funds nor the opportunity to implement a professional DLP system? The most important thing for a manager or security officer is to determine what information to protect and which aspects of employees' information activities to place under control. In Russian business the prevailing opinion is still that absolutely everything must be protected, without classifying information or calculating the effectiveness of protective measures. With this approach it is quite obvious that, on learning the cost of enterprise information security, the head of a small or medium-sized business gives up and hopes for the best.

There are alternative protection approaches that do not touch databases or the existing life cycle of information, yet provide reliable protection against the actions of intruders and the negligence of employees. These are flexible modular systems that work seamlessly with other security tools, both hardware and software (for example, antivirus software). A well-designed security system provides very reliable protection against both external and internal threats, with a good balance of price and functionality. According to specialists from SafenSoft, a Russian company that develops information security systems, the optimal solution is to combine protection against external threats (for example, a HIPS to prevent intrusions plus an antivirus scanner) with tools for monitoring and controlling the access of users and applications to individual sectors of information. With this approach, the organization's entire network structure is protected from possible hacking or virus infection, and the means of monitoring and controlling the actions of personnel when working with information can effectively prevent data leaks. While offering the full arsenal of protective tools, modular systems cost tens of times less than complex DLP solutions and require no preliminary analysis and adaptation of the company's information structure.

So, let us summarize. Threats to enterprise information security are entirely real and should not be underestimated. Besides countering external threats, special attention should be paid to internal ones. It is important to remember that leaks of corporate secrets occur not only through malicious intent; as a rule, they are caused by the elementary negligence and inattention of an employee. When choosing means of protection, there is no need to try to cover every conceivable and inconceivable threat; there is simply not enough money and effort for that. Build a reliable modular security system, closed to the risks of intrusion from outside and allowing control and monitoring of the flow of information within the company.

Enterprise information security is a state of security of corporate data that ensures their confidentiality, integrity, authenticity and availability.

Information security of an enterprise is achieved by a whole range of organizational and technical measures aimed at protecting corporate data. Organizational measures include documented procedures and rules for working with different types of information, IT services, security tools, etc. Technical measures consist of the use of hardware and software access control, leakage monitoring, antivirus protection, firewalling, protection against electromagnetic radiation, etc.

The tasks of enterprise information security systems are varied: ensuring secure storage of information on various media; protecting data transmitted over communication channels; restricting access to various types of documents; creating backup copies; disaster recovery of information systems, etc.

Ensuring the information security of an enterprise is possible only with a systematic and comprehensive approach to protection. The information security system must take into account all relevant computer threats and vulnerabilities.

Complete information security of enterprises and organizations implies continuous real-time monitoring of all important events and conditions affecting data security. Protection must be carried out around the clock and year-round and cover the entire life cycle of information - from its receipt or creation to destruction or loss of relevance.

At the enterprise level, the departments of information technology, economic security, personnel and other services are responsible for information security.

Ensuring information security is a complex social, legal, economic and scientific problem. Only a comprehensive solution of its goals and objectives in several planes at once can have a regulatory impact on the country's information security. Work in this area must have not only a practical orientation but also a scientific justification.

The main goals of ensuring information security are determined on the basis of the sustainable priorities of national and economic security that meet the long-term interests of social development, which include:

  • preservation and strengthening of Russian statehood and political stability in society;
  • preservation and development of democratic institutions of society, ensuring the rights and freedoms of citizens, strengthening law and order;
  • ensuring a worthy place and role for the country in the world community;
  • ensuring the territorial integrity of the country;
  • ensuring progressive socio-economic development;
  • preservation of national cultural values and traditions.

In accordance with these priorities, the main objectives of ensuring information security are:

  • identification, assessment and forecasting of sources of information security threats;
  • development of a state policy for ensuring information security and of a set of measures and mechanisms for its implementation;
  • development of a regulatory framework for ensuring information security, coordination of the activities of government bodies and enterprises in ensuring information security;
  • development of an information security system, improvement of its organization, forms, methods and means of preventing, fending off and neutralizing threats to information security and eliminating the consequences of its violation;
  • ensuring the active participation of the country in the creation and use of global information networks and systems.

The most important principles of ensuring information security are:

1) the legality of measures to identify and prevent offenses in the information sphere;

2) continuity of implementation and improvement of means and methods of control and protection of the information system;

3) economic feasibility, i.e. comparability of the possible damage and the costs of ensuring information security;

4) the comprehensiveness of the use of the entire arsenal of available means of protection in all divisions of the company and at all stages of the information process.

The implementation of the information security process includes several stages:

  • definition of the object of protection: the rights to protect the information resource, the valuation of the information resource and its main elements, the duration of the information resource's life cycle, and the trajectory of the information process across the functional divisions of the company;
  • identification of the sources of threats (competitors, criminals, employees, etc.), the targets of threats (familiarization, modification, destruction, etc.) and the possible channels for their implementation (disclosure, leakage, etc.);
  • determination of the necessary protective measures;
  • assessment of their effectiveness and economic feasibility;
  • implementation of the chosen measures taking into account the selected criteria;
  • communication of the measures taken to personnel, monitoring their effectiveness and eliminating (preventing) the consequences of threats.

The implementation of the described stages is, in essence, the process of managing the information security of an object. It is provided by a control system which includes, in addition to the managed (protected) object itself, means of monitoring its state, a mechanism for comparing the current state with the required one, and a mechanism of control actions for localizing and preventing damage from threats. Here it is advisable to take the achievement of minimum information damage as the control criterion, and ensuring the required state of the object, in the sense of its information security, as the control goal.

Methods for ensuring information security are divided into legal, organizational, technical and economic.

Legal methods of ensuring information security include the development of normative legal acts regulating relations in the information sphere and of normative and methodological documents on ensuring information security. The most important areas of this activity are:

  • introducing changes and additions to the legislation regulating relations in the field of information security, in order to create and improve the information security system, eliminate internal contradictions in federal legislation and contradictions with international agreements, and specify the legal norms establishing liability for offenses in the field of information security;
  • legislative delimitation of powers in the field of ensuring information security, definition of the goals, objectives and mechanisms for the participation of public associations, organizations and citizens in these activities;
  • development and adoption of regulatory legal acts establishing the liability of legal entities and individuals for unauthorized access to information, its illegal copying, distortion and illegal use, deliberate dissemination of false information, illegal disclosure of confidential information, and use of proprietary information or information constituting a trade secret;
  • clarification of the status of foreign news agencies, media and journalists, as well as of investors when attracting foreign investment for the development of the domestic information infrastructure;
  • legislative consolidation of the priority of developing national communication networks and domestic production of communications satellites;
  • determining the status of organizations providing services on global information and communication networks and legal regulation of their activities;
  • creation of a legal framework for the formation of regional information security structures.

Organizational and technical methods for ensuring information security are:

  • creation and improvement of the state information security system;
  • strengthening the law enforcement activities of the authorities, including the prevention and suppression of offenses in the information sphere, and identifying, exposing and bringing to justice persons who have committed crimes and other offenses in this area;
  • development, use and improvement of information security tools and of methods for monitoring their effectiveness, development of secure telecommunication systems, increasing the reliability of special software;
  • creation of systems and means to prevent unauthorized access to processed information and special impacts that cause destruction, deletion or distortion of information, or changes in the normal operating modes of information and communication systems and means;
  • identification of technical devices and programs that pose a danger to the normal functioning of information and communication systems, prevention of information interception through technical channels, use of cryptographic means to protect information during storage, processing and transmission over communication channels, monitoring of compliance with special information protection requirements;
  • certification of information security means, licensing of activities in the field of protecting state secrets, standardization of information security methods and means;
  • improvement of the system for certifying telecommunications equipment and the software of automated information processing systems against information security requirements;
  • monitoring the actions of personnel in secure information systems, training personnel in ensuring the information security of the state;
  • formation of a system for monitoring information security indicators and characteristics in the most important areas of the life and activity of society and the state.

Economic methods of ensuring information security include:

  • development of programs to ensure state information security and determination of the procedure for their financing;
  • improvement of the system for financing work related to the implementation of legal, organizational and technical methods of information protection, and creation of a system for insuring the information risks of individuals and legal entities.

Along with the widespread use of standard methods and means, the priority areas for ensuring information security in the economic sector are:

  • development and adoption of legal provisions establishing the liability of legal entities and individuals for unauthorized access to and theft of information, deliberate dissemination of false information, disclosure of trade secrets and leakage of confidential information;
  • construction of a system of state statistical reporting that ensures the reliability, completeness, comparability and security of information by introducing strict legal liability of primary sources of information, organizing effective control over their activities and over the services that process and analyze statistical information, limiting its commercialization, and using special organizational and software and hardware information security tools;
  • creation and improvement of special means of protecting financial and commercial information;
  • development of a set of organizational and technical measures to improve the technology of information activity and information protection in economic, financial, industrial and other economic structures, taking into account information security requirements specific to the economic sector;
  • improvement of the system of professional selection and training of personnel, and of the systems for selecting, processing, analyzing and disseminating economic information.

State policy on ensuring information security defines the directions of activity of public authorities and administration in the field of information security, including guarantees of the rights of all subjects to information and the duties and responsibilities of the state and its bodies for the information security of the country, and is based on maintaining a balance of the interests of the individual, society and the state in the information sphere.

State information security policy is based on the following basic provisions:

  • restriction of access to information is an exception to the general principle of openness of information and is carried out only on the basis of legislation;
  • responsibility for the safety of information and for its classification and declassification is personified;
  • access to any information, as well as the access restrictions introduced, takes into account the property rights to that information as determined by law;
  • the state forms a regulatory framework regulating the rights, obligations and responsibilities of all entities operating in the information sphere;
  • legal entities and individuals that collect, accumulate and process personal data and confidential information are responsible before the law for their safety and use;
  • the state is provided with legal means of protecting society from false, distorted and unreliable information coming through the media;
  • the state exercises control over the creation and use of information security tools through their mandatory certification and the licensing of activities in the field of information security;
  • the state carries out a protectionist policy that supports domestic producers of information technology and information protection tools and takes measures to protect the domestic market from the penetration of low-quality information media and information products;
  • the state supports the access of citizens to world information resources and global information networks;
  • the state forms a federal information security program combining the efforts of government organizations and commercial structures in creating a unified information security system for the country;
  • the state makes efforts to counter the information expansion of other countries and supports the internationalization of global information networks and systems.

Based on the stated principles and provisions, the general directions for the formation and implementation of information security policy in the political, economic and other spheres of state activity are determined.

State policy, as a mechanism for coordinating the interests of subjects of information relations and finding compromise solutions, provides for the formation and organization of the effective work of various councils, committees and commissions with a wide representation of specialists and all interested structures. Mechanisms for implementing state policy must be flexible and promptly reflect changes occurring in the economic and political life of the country.

Legal support for information security of the state is a priority direction in the formation of mechanisms for implementing information security policy and includes:

1) rule-making activities to create legislation regulating relations in society related to ensuring information security;

2) executive and law enforcement activities for the implementation of legislation in the field of information, informatization and information protection by public authorities and management, organizations, citizens.

Rule-making activities in the field of information security provide for:

  • assessment of the state of current legislation and development of a program for its improvement;
  • creation of organizational and legal mechanisms to ensure information security;
  • formation of the legal status of all subjects in the information security system and of users of information and telecommunication systems, and determination of their responsibility for ensuring information security;
  • development of an organizational and legal mechanism for collecting and analyzing statistical data on the impact of information security threats and their consequences, covering all types of information;
  • development of legislative and other regulations governing the procedure for eliminating the consequences of threats, restoring violated rights and resources, and implementing compensatory measures.

Executive and law enforcement activities provide for the development of procedures for applying legislation and regulations to entities that have committed crimes and misdemeanors when working with confidential information or have violated the rules of information interaction. All activities related to the legal support of information security are built on three fundamental provisions of law: compliance with the rule of law, ensuring a balance of the interests of individual subjects and the state, and the inevitability of punishment.

Compliance with the rule of law presupposes the existence of laws and other regulatory provisions, their application and execution by subjects of law in the field of information security.

12.3. STATE OF INFORMATION SECURITY IN RUSSIA

Assessing the state of information security of a state involves assessing the existing threats. Clause 2 of the “Doctrine of Information Security of the Russian Federation” identifies the following threats to the information security of the Russian Federation:

  • threats to the constitutional rights and freedoms of man and citizen in the field of spiritual life and information activities, to individual, group and public consciousness, and to the spiritual revival of Russia;
  • threats to the information support of the state policy of the Russian Federation;
  • threats to the development of the domestic information industry, including the information technology, telecommunications and communications industry, to meeting the needs of the domestic market for its products and the entry of these products into the world market, and to ensuring the accumulation, safety and effective use of domestic information resources;
  • threats to the security of information and telecommunication systems, both already deployed and being created in Russia.

External sources of threats to Russia’s information security include:

1) the activities of foreign political, economic, military, intelligence and information structures, directed against the Russian Federation in the information sphere;

2) the desire of a number of countries to dominate and infringe on Russia’s interests in the global information space, to oust it from the external and internal information markets;

3) intensification of international competition for the possession of information technologies and resources;

4) activities of international terrorist organizations;

5) increasing the technological gap between the leading powers of the world and increasing their capabilities to counter the creation of competitive Russian information technologies;

6) activities of space, air, sea and ground technical and other means (types) of intelligence of foreign states;

7) development by a number of states of concepts of information wars, providing for the creation of means of dangerous influence on the information spheres of other countries of the world, disruption of the normal functioning of information and telecommunication systems, the safety of information resources, and gaining unauthorized access to them.

Internal sources of threats to Russia’s information security include:

1) the critical state of domestic industries;

2) an unfavorable crime situation, accompanied by trends in the merging of state and criminal structures in the information sphere, criminal structures gaining access to confidential information, increasing the influence of organized crime on the life of society, a decrease in the degree of protection of the legitimate interests of citizens, society and the state in the information sphere;

3) insufficient coordination of the activities of federal government bodies, government bodies of constituent entities of the Russian Federation in the formation and implementation of a unified state policy in the field of ensuring information security of the Russian Federation;

4) insufficient development of the regulatory legal framework regulating relations in the information sphere, as well as insufficient law enforcement practice;

5) underdevelopment of civil society institutions and insufficient control over the development of the information market in Russia;

6) insufficient economic power of the state;

7) decrease in the efficiency of the education and training system, insufficient number of qualified personnel in the field of information security;

8) Russia lags behind the leading countries of the world in terms of the level of informatization of federal government bodies, the credit and financial sphere, industry, agriculture, education, healthcare, the service sector and everyday life of citizens.

In recent years, Russia has implemented a set of measures to improve its information security. Measures were taken to ensure information security in federal government bodies, government bodies of constituent entities of the Russian Federation, at enterprises, institutions and organizations, regardless of their form of ownership. Work has begun to create a secure information and telecommunication system for special purposes in the interests of government bodies.

The successful solution of issues of ensuring information security of the Russian Federation is facilitated by the state system of information protection, the system of protection of state secrets and the system of certification of information security means.

The structure of the state information protection system includes:

  • bodies of state power and administration of the Russian Federation and its constituent entities that solve information security problems within their competence;
  • state and interdepartmental commissions and councils specializing in information security issues;
  • the State Technical Commission under the President of the Russian Federation;
  • the Federal Security Service of the Russian Federation;
  • the Ministry of Internal Affairs of the Russian Federation;
  • the Ministry of Defense of the Russian Federation;
  • the Federal Agency for Government Communications and Information under the President of the Russian Federation;
  • the Foreign Intelligence Service of the Russian Federation;
  • structural and intersectoral information protection divisions of public authorities;
  • head and leading research, scientific and technical, design and engineering organizations for information security;
  • educational institutions providing training and retraining of personnel for work in the information security system.

The State Technical Commission under the President of the Russian Federation, being a state administration body, implements a unified technical policy and coordinates work in the field of information protection, heads the state system for protecting information from technical intelligence, is responsible for ensuring the protection of information from leakage through technical channels in Russia, and monitors the effectiveness of the protection measures taken.

A special place in the information security system is occupied by state and public organizations that exercise control over the activities of state and non-state media.

To date, a legislative and regulatory framework in the field of information security in Russia has been formed, which includes:

1. Laws of the Russian Federation:

  • the Constitution of the Russian Federation;
  • “On banks and banking activities”;
  • “On security”;
  • “On foreign intelligence”;
  • “On state secrets”;
  • “On communications”;
  • “On certification of products and services”;
  • “On the mass media”;
  • “On standardization”;
  • “On information, information technologies and information protection”;
  • “On the bodies of the Federal Security Service in the Russian Federation”;
  • “On the mandatory copy of documents”;
  • “On participation in international information exchange”;
  • “On electronic digital signature”, etc.

2. Regulatory acts of the President of the Russian Federation:

  • “Doctrine of Information Security of the Russian Federation”;
  • “On the national security strategy of the Russian Federation until 2020”;
  • “On some issues of the interdepartmental commission for the protection of state secrets”;
  • “On the list of information classified as state secrets”;
  • “On the fundamentals of state policy in the field of informatization”;
  • “On approval of the list of confidential information”, etc.

3. Regulatory legal acts of the Government of the Russian Federation:

  • “On certification of information security means”;
  • “On licensing the activities of enterprises, institutions and organizations to carry out work related to the use of information constituting state secrets, the creation of means of protecting information, as well as the implementation of measures and (or) provision of services to protect state secrets”;
  • “On approval of the rules for classifying information constituting state secrets to various degrees of secrecy”;
  • “On licensing of certain types of activities”, etc.

4. Guiding documents of the State Technical Commission of Russia:

  • “The concept of protecting computer equipment and automated systems from unauthorized access to information”;
  • “Computer facilities. Protection against unauthorized access to information. Indicators of security against unauthorized access to information”;
  • “Automated systems. Protection against unauthorized access to information. Classification of automated systems and requirements for information protection”;
  • “Data protection. Special protective signs. Classification and general requirements”;
  • “Protection against unauthorized access to information. Part 1. Information security software. Classification according to the level of control over the absence of undeclared capabilities”.

5. Civil Code of the Russian Federation (part four).

6. Criminal Code of the Russian Federation.

International cooperation in the field of information security is an integral component of the economic, political, military, cultural and other interaction between the countries of the world community. Such cooperation should help improve the information security of all members of the world community, including Russia. The peculiarity of the Russian Federation's international cooperation in ensuring information security is that it is carried out in the context of intensifying international competition for the possession of technological and information resources and for dominance in sales markets, the strengthening technological lead of the world's leading powers, and their growing capability to create “information weapons”. This could lead to a new stage of the arms race in the information sphere.

International cooperation in the field of information security is based on the following regulatory framework:

  • the agreement with the Republic of Kazakhstan of January 13, 1995, Moscow (Resolution of the Government of the Russian Federation of May 15, 1994 No. 679);
  • the agreement with Ukraine of June 14, 1996, Kiev (Resolution of the Government of the Russian Federation of June 7, 1996 No. 655);
  • the agreement with the Republic of Belarus (draft);
  • issuance of certificates and licenses for international information exchange (Federal Law of July 4, 1996 No. 85-FZ).

The main areas of international cooperation that meet the interests of the Russian Federation are:

  • preventing unauthorized access to confidential information in international banking networks and channels of information support for world trade, to confidential information in international economic and political unions, blocs and organizations, and to information in international law enforcement organizations fighting international organized crime and international terrorism;
  • prohibition of the development, distribution and use of “information weapons”;
  • ensuring the security of international information exchange, including the safety of information during its transmission through national telecommunication networks and communication channels;
  • coordination of the activities of the law enforcement agencies of states participating in international cooperation to prevent computer crimes;
  • participation in international conferences and exhibitions on information security.

During cooperation, special attention should be paid to the problems of interaction with the CIS countries, taking into account the prospects for creating a single information space on the territory of the former USSR, within which practically uniform telecommunication systems and communication lines are used.

At the same time, an analysis of the state of information security in Russia shows that its level does not fully meet the needs of society and the state. Modern conditions of the country's political and socio-economic development cause an aggravation of contradictions between the needs of society to expand the free exchange of information and the need to maintain certain regulated restrictions on its dissemination.

The rights of citizens to privacy, personal and family secrets, and secrecy of correspondence enshrined in the Constitution of the Russian Federation do not have sufficient legal, organizational and technical support. The protection of personal data collected by federal government bodies is poorly organized.

There is a lack of clarity in the implementation of state policy in the field of formation of the Russian information space, development of the mass information system, organization of international information exchange and integration of the Russian information space into the world information space, which creates conditions for ousting Russian news agencies and mass media from the domestic information market and deforming the structure of international information exchange.

There is insufficient government support for the activities of Russian news agencies to promote their products on the international information market.

The situation with ensuring the safety of information constituting state secrets is deteriorating.

Serious damage has been caused to the personnel potential of scientific and production teams operating in the field of creating information technology, telecommunications and communications, as a result of the mass departure of the most qualified specialists from these teams.

The lag of domestic information technologies forces the government authorities of the Russian Federation, when creating information systems, to purchase imported equipment and engage foreign firms, which increases the likelihood of unauthorized access to the information being processed and deepens Russia's dependence on foreign manufacturers of computer and telecommunications equipment, as well as software.

In connection with the intensive introduction of foreign information technologies into the spheres of activity of the individual, society and the state, as well as the widespread use of open information and telecommunication systems, the integration of domestic and international information systems, the threat of using “information weapons” against the information infrastructure of Russia has increased. Work to adequately comprehensively counter these threats is carried out with insufficient coordination and weak budget funding.

Control questions

1. What is the place of information security in the economic security system of the state? Show with examples the importance of information security in ensuring the economic security of the state.

2. What is the reason for the increased importance of information security in the modern period?

3. Describe the main categories of information security: information, informatization, document, information process, information system, information resources, personal data, confidential information.

4. What are the interests of the individual, society and the state in the information sphere?

5. What types of information security threats exist?

6. Name the ways threats influence information security objects.

7. Explain the concept of “information warfare”.

8. List external sources of threats to Russia’s information security.

9. List internal sources of threats to Russia’s information security.

10. What regulations ensure information security on the territory of the Russian Federation?

11. What international regulations in the field of information protection do you know?

12. What is the essence of state policy for ensuring information security?

13. List methods for ensuring information security.

14. Describe the structure of the state information security system.

15. Assess the state of information security in Russia.

Norbert Wiener, the founder of cybernetics, believed that information has unique characteristics and it cannot be attributed to either energy or matter. The special status of information as a phenomenon has given rise to many definitions.

In the vocabulary of the ISO/IEC 2382:2015 standard "Information technology - Vocabulary" the following interpretation is given:

Information (in the field of information processing) - any data presented in electronic form, written on paper, spoken at a meeting or held in any other medium, that is used by a financial institution to make decisions, move funds, set rates, make loans, process transactions, etc., including the software components of the processing system.

For the purposes of the information security (IS) concept, information is understood as data that is available for collection, storage, processing (editing, conversion), use and transmission by various means, including in computer networks and other information systems.

Such information is highly valuable and may become the target of attacks by third parties. The desire to protect information from threats underlies the creation of information security systems.

Legal basis

In December 2016, Russia adopted the Information Security Doctrine. The document defines information security as the state of protection of national interests in the information sphere. National interests are understood as the totality of the interests of the individual, society and the state; each group of interests is necessary for the stable functioning of society.

The Doctrine is a conceptual document. Legal relations connected with ensuring information security are regulated by the federal laws “On State Secrets”, “On Information, Information Technologies and Information Protection”, “On Personal Data” and others. On the basis of these fundamental acts, government regulations and departmental regulations are developed on particular issues of information protection.

Definition of information security

Before developing an information security strategy, you need to settle on a basic definition of the concept itself, since the definition determines which set of protection methods and means may be applied.

Industry practitioners propose understanding information security as a stable state of protection of information, its carriers and infrastructure that preserves the integrity of information-related processes and their resistance to intentional or unintentional impacts of natural or artificial origin. Such impacts are classified as information security threats that can cause damage to the subjects of information relations.

Thus, information security will be understood as a set of legal, administrative, organizational and technical measures aimed at preventing actual or anticipated information security threats and at eliminating the consequences of incidents. The continuity of the information protection process must guarantee that threats are countered at all stages of the information cycle: collection, storage, processing, use and transmission of information.

Information security in this understanding becomes one of the characteristics of the system's operation. At every moment in time the system must have a measurable level of security, and ensuring that security must be a continuous process carried out throughout the life of the system.


In information security theory, the subjects of information security are the owners and users of information: not only permanent users (employees) but also those who access databases in isolated cases, for example government agencies requesting information. In some cases, for example in banking information security standards, the owners of information are taken to be the shareholders, the legal entities that own particular data.

Supporting infrastructure, from the point of view of the fundamentals of information security, includes computers, networks, telecommunications equipment, premises, life support systems and personnel. When analyzing security it is necessary to study all elements of the system, paying special attention to personnel as the carrier of the majority of internal threats.

To manage information security and assess damage, the characteristic of acceptability is used: damage is classed as acceptable or unacceptable. It is useful for each company to establish its own criteria of acceptable damage, in monetary terms or, for example, as acceptable damage to reputation. In government institutions other characteristics may be adopted, for example the effect on the management process or the degree of harm to the life and health of citizens. The criteria of materiality, importance and value of information may change over the life cycle of the information array and must therefore be revised in a timely manner.

An information threat in the narrow sense is recognized as an objective opportunity to influence the object of protection, which can lead to leakage, theft, disclosure or dissemination of information. In a broader sense, information security threats will include targeted influences of an informational nature, the purpose of which is to cause damage to the state, organization, or individual. Such threats include, for example, defamation, intentional misrepresentation, and incorrect advertising.

Three main issues of the information security concept for any organization

    What to protect?

    What types of threats prevail: external or internal?

    How to protect, by what methods and means?

Information security system

The information security system of a company (a legal entity) rests on three groups of basic concepts: integrity, availability and confidentiality. Each of them covers several characteristics.

Integrity refers to the resistance of databases and other information arrays to accidental or intentional destruction and unauthorized modification. Integrity can be viewed as:

  • static: the immutability and authenticity of information objects, that is, objects created according to a specific technical specification that contain the volume of information users need for their core activities, in the required configuration and sequence;
  • dynamic: the correct execution of complex actions or transactions without harm to the safety of information.

To control dynamic integrity, special technical means analyze a flow of information, for example financial messages, and identify cases of theft, duplication, redirection and changes in the order of messages. Integrity as a basic property is required wherever decisions to act are made on the basis of incoming or stored information. Violating the order of commands or the sequence of actions can cause great damage in documented technological processes, in program code and in similar situations.
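The checks described above, as an added example that is not part of the lecture: each message in a flow of transfer orders carries a sequence number and an HMAC over (seq, body) under a shared key. The verifier first checks static integrity (the MAC), then sequence discipline, and reports tampering, replay (duplicates), reordering and gaps. The key, the message format, the finding names and the sample messages are all constructed for illustration.

```python
"""Dynamic integrity control over a message flow.

Added example, not code from the lecture. Each message carries a sequence
number and an HMAC over (seq, body) computed with a shared key. The verifier
first checks static integrity (the MAC) and then sequence discipline, reporting
tampering, replay (duplicates), reordering and gaps. The key, the message
format and the sample transfer messages are all constructed for illustration.
"""
import hashlib
import hmac
import json
from typing import Iterable

# Hypothetical shared key between sender and verifier (constructed for the demo).
SHARED_KEY = b"demo-key-not-for-production"


def tag(seq: int, body: dict, key: bytes = SHARED_KEY) -> str:
    """MAC over a canonical serialization so both sides authenticate identical bytes."""
    payload = json.dumps({"seq": seq, "body": body}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def make_message(seq: int, body: dict, key: bytes = SHARED_KEY) -> dict:
    return {"seq": seq, "body": body, "mac": tag(seq, body, key)}


def verify_stream(messages: Iterable[dict], key: bytes = SHARED_KEY) -> list:
    """Return (seq, finding) pairs; an empty list means the flow is intact.

    Findings: tampered (MAC mismatch), duplicate (replay of an accepted seq),
    reordered (a skipped seq arriving late), stale (seq below the window start),
    missing (a skipped seq that never arrived).
    """
    findings = []
    expected = 1        # next sequence number due in order
    seen = set()        # sequence numbers already accepted
    pending = set()     # sequence numbers skipped over but not yet received
    for m in messages:
        seq = m["seq"]
        # Static integrity: nothing in the message is trusted until the MAC checks out.
        if not hmac.compare_digest(tag(seq, m["body"], key), m["mac"]):
            findings.append((seq, "tampered"))
            continue        # the slot stays open; a genuine copy may still arrive
        # Dynamic integrity: sequence discipline.
        if seq in seen:
            findings.append((seq, "duplicate"))
            continue
        if seq in pending:
            findings.append((seq, "reordered"))
            pending.discard(seq)
        elif seq >= expected:
            pending.update(range(expected, seq))   # everything skipped is now awaited
            expected = seq + 1
        else:
            findings.append((seq, "stale"))
            continue
        seen.add(seq)
    for seq in sorted(pending):
        findings.append((seq, "missing"))
    return findings


def sample_stream() -> list:
    """Constructed flow of six transfer orders with three injected anomalies."""
    legit = [
        make_message(i, {"from": "ACC-1", "to": f"ACC-{i + 1}", "amount": 100 * i})
        for i in range(1, 7)
    ]
    tampered = dict(legit[1])
    tampered["body"] = {**tampered["body"], "amount": 999999}   # altered after the MAC was computed
    # Order received: 1, 2 (altered), 3, 5, 4, 4 (replayed), 6
    return [legit[0], tampered, legit[2], legit[4], legit[3], legit[3], legit[5]]


if __name__ == "__main__":
    for seq, finding in verify_stream(sample_stream()):
        print(f"seq {seq}: {finding}")
```

Note that the altered message is rejected on the MAC alone and its slot is reported as missing at the end, because a tampered copy must not be allowed to "fill" the sequence position that a genuine message would occupy. The sequence check relies on the sequence number being covered by the MAC; a MAC over the body alone would let an attacker renumber messages freely.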

Availability is the property that allows authorized subjects to access or exchange the data they need. The key requirement of legitimation (authorization) of subjects makes it possible to create different levels of access. A system's failure to provide information is a problem for any organization or group of users; an example is the unavailability of government service websites during a system failure, which deprives many users of the services or information they need.

Confidentiality is the property of information of being accessible only to those users, subjects and processes to which access was originally granted. Most companies and organizations regard confidentiality as the key element of information security, but in practice it is difficult to implement fully: not all data on existing leakage channels is available to the authors of security concepts, and many technical means of protection, including cryptographic ones, cannot be purchased freely, since in some cases their circulation is restricted.

The same information security properties carry different weight for different users, hence two extreme categories when developing data protection concepts: for companies or organizations dealing with state secrets, confidentiality is the key parameter; for public services or educational institutions, availability is the most important.


Objects of protection in information security concepts

Differences in subjects give rise to differences in objects of protection. Main groups of protected objects:

  • information resources of all types (a resource is understood as a material object: a hard drive or other medium, or a document with data and identifying details that allow it to be assigned to a specific group of subjects);
  • the rights of citizens, organizations and the state to access information, the opportunity to obtain it within the framework of the law; access can be limited only by regulations; the organization of any barriers that violate human rights is unacceptable;
  • system for creating, using and distributing data (systems and technologies, archives, libraries, regulatory documents);
  • system for the formation of public consciousness (mass media, Internet resources, social institutions, educational institutions).

Each object requires its own system of measures of protection against threats to information security and public order. Ensuring information security must in every case rest on a systematic approach that takes the specifics of the object into account.

Categories and media

The Russian legal system, law enforcement practice and existing social relations classify information according to accessibility criteria. This allows you to clarify the essential parameters necessary to ensure information security:

  • information to which access is restricted based on legal requirements (state secrets, commercial secrets, personal data);
  • information in open access;
  • publicly available information that is provided under certain conditions: paid information or data that requires permission to use, for example, a library card;
  • dangerous, harmful, false and other types of information, the circulation and dissemination of which is limited either by legal requirements or corporate standards.

Information of the first group has two protection regimes. A state secret, according to the law, is information protected by the state whose free dissemination could harm the security of the country: data in the field of the military, foreign policy, intelligence, counterintelligence and economic activities of the state. The owner of this data group is the state itself. The bodies authorized to take measures to protect state secrets are the Ministry of Defense, the Federal Security Service (FSB), the Foreign Intelligence Service and the Federal Service for Technical and Export Control (FSTEC).

Confidential information is a more multifaceted object of regulation. The list of information that may constitute confidential information is contained in Presidential Decree No. 188 “On approval of the list of confidential information”: personal data; the secrecy of investigation and legal proceedings; official secrets; professional secrets (medical, notarial, lawyer); trade secrets; information about inventions and utility models; information in the personal files of convicted persons; and information on the compulsory enforcement of judicial acts.

Personal data exists in open and confidential modes. The part of personal data that is open and accessible to all users includes first name, last name and patronymic. According to Federal Law No. 152-FZ “On Personal Data”, personal data subjects have the right:

  • to informational self-determination;
  • to access their personal data and have it corrected;
  • to have their personal data, and access to it, blocked;
  • to appeal unlawful actions of third parties with respect to their personal data;
  • to compensation for damage caused.

The right to process personal data is enshrined in regulations on government bodies, in federal laws and in licenses to work with personal data issued by Roskomnadzor or FSTEC. Companies that professionally work with the personal data of a wide range of people, for example telecom operators, must be entered in the register of operators maintained by Roskomnadzor.

A separate object in the theory and practice of information security is the information carrier, access to which may be open or closed. When developing an information security concept, protection methods are chosen depending on the type of carrier. The main carriers are:

  • print and electronic media, social media, other resources on the Internet;
  • employees of the organization who have access to information based on their friendly, family, and professional connections;
  • communication means that transmit or store information: telephones, automatic telephone exchanges, other telecommunications equipment;
  • documents of all types: personal, official, state;
  • software as an independent information object, especially if its version was modified specifically for a specific company;
  • electronic storage media that process data automatically.

For the purpose of developing information security concepts, information security means are usually divided into regulatory (informal) and technical (formal).

Informal means of protection are documents, rules and measures; formal means are special technical devices and software. The distinction helps to distribute areas of responsibility when creating information security systems: under the overall management of protection, administrative personnel implement the regulatory methods and IT specialists implement the technical ones.

The fundamentals of information security presuppose a division of authority not only in terms of using information, but also in terms of working with its protection. Such a separation of powers also requires several levels of control.


Formal means

The wide range of technical means of information security includes:

Physical means of protection: mechanical, electrical and electronic mechanisms that operate independently of information systems and create obstacles to access to them. Locks, including electronic ones, screens and blinds are designed to keep destabilizing factors from coming into contact with the systems. The group also includes security systems: video cameras, video recorders, and sensors that detect movement or elevated levels of electromagnetic radiation in areas where technical means of information collection or embedded devices may be located.

Hardware protection: electrical, electronic, optical, laser and other devices built into information and telecommunication systems. Before introducing such hardware into an information system, its compatibility must be verified.

Software: both simple and systemic, comprehensive programs designed to solve specific and complex problems of ensuring information security. Examples of comprehensive solutions are two classes of systems: the first serves to prevent leakage, to reformat information and to redirect information flows; the second provides protection against information security incidents. Software tools are demanding on hardware capacity, so additional reserves must be provided when they are installed.


Specific means of information security include cryptographic algorithms that encrypt information stored on disk and information sent over external communication channels. The transformation of information may be performed by software or hardware operating within corporate information systems.

All means that guarantee the security of information must be used in combination, after a preliminary assessment of the value of the information compared with the cost of the resources spent on protecting it. Proposals for the use of such means should therefore be formulated as early as the system design stage, and approval should come from the management level responsible for approving budgets.

To ensure security, it is necessary to monitor current developments in software and hardware protection and in threats, and to make timely changes to one's own systems of protection against unauthorized access. Only an adequate and prompt response to threats will achieve a high level of confidentiality in the company's work.


Informal means

Informal means of protection are grouped into normative, administrative, and moral and ethical. At the first level of protection are the normative means, which regulate information security as a process within the organization's activities.

  • Regulatory means

In world practice, the development of regulatory tools is guided by information security standards, chiefly the ISO/IEC 27000 family. The standards are produced jointly by two organizations:

  • ISO, the International Organization for Standardization, which develops and approves most of the internationally recognized methods for certifying the quality of production and management processes;
  • IEC, the International Electrotechnical Commission, which contributed its understanding of information security systems and of the means and methods of ensuring it.

The ISO/IEC 27000:2016 edition (current when this text was written) offers ready-made requirements and proven techniques for implementing information security. According to its authors, the basis of information security lies in the systematic and consistent implementation of all stages, from development to post-implementation control.

To obtain a certificate confirming compliance, the organization's information security management system must be implemented and audited against the requirements of ISO/IEC 27001. If a certificate is not needed, any earlier edition of the standard, its predecessors, or the Russian GOSTs, which are advisory in nature, may be taken as the basis for developing one's own information security system.

Based on a study of the standard, two information security documents are developed. The main but less formal one is the enterprise information security concept, which defines the measures and methods of implementing an information security system for the organization's information systems. The second, which all company employees are required to comply with, is the information security regulation (policy), approved at the level of the board of directors or the executive body.

In addition to the company-level regulation, lists of information constituting a trade secret, annexes to employment contracts establishing liability for disclosure of confidential data, and other standards and methods are developed. Internal norms and rules must contain enforcement mechanisms and measures of liability. Most often the measures are disciplinary, and a violator must expect that a breach of the trade secret regime will be followed by significant sanctions, up to and including dismissal.

  • Organizational and administrative measures

Administrative activities for information security protection leave security officers scope for creativity. They include architectural and planning solutions that protect meeting rooms and management offices from eavesdropping, and the establishment of different levels of access to information. Important organizational measures are certification of the company's activities according to the ISO/IEC 27000 standards, certification of individual hardware and software systems, attestation of subjects and objects for compliance with the necessary security requirements, and obtaining the licenses needed to work with protected information arrays.

As regards regulating the activities of personnel, it is important to formalize a system of requests for access to the Internet, external e-mail and other resources. A separate element is obtaining an electronic digital signature to secure financial and other information transmitted to government agencies over e-mail channels.

  • Moral and ethical measures

Moral and ethical measures shape a person's personal attitude towards confidential information or information restricted in circulation. Raising employees' awareness of how threats affect the company's activities raises their sense of responsibility. To combat information violations, for example sharing passwords, careless handling of media, and disclosing confidential data in private conversations, it is necessary to appeal to the personal conscientiousness of the employee. It is also useful to establish personnel performance indicators that depend on the employee's attitude towards the corporate information security system.