Basic aspects of information security. Technological aspects and processes of information security

Annotation: The lecture covers the basic concepts of information security. Familiarization with the Federal Law "On Information, Information Technologies and Information Protection".

GOST "Data protection. Basic terms and definitions" introduces the concept of information security as a state of protection of information in which its confidentiality, availability and integrity are ensured.

  • Confidentiality – a state of information in which access to it is obtained only by subjects who have the right to it;
  • Integrity – a state of information in which there is no change to it, or change is made only intentionally by subjects who have the right to it;
  • Availability – a state of information in which subjects with access rights can exercise those rights without hindrance.

Information security threats – a set of conditions and factors that create a potential or actual danger of a violation of information security. An attack is an attempt to implement a threat, and the one who makes such an attempt is an intruder. Potential attackers are called sources of threat.

A threat is a consequence of the presence of vulnerabilities (weak points) in the information system. Vulnerabilities can arise for various reasons, for example as a result of unintentional mistakes by programmers when writing programs.

Threats can be classified according to several criteria:

  • by the properties of information (availability, integrity, confidentiality) against which threats are primarily directed;
  • by components of information systems that are targeted by threats (data, programs, hardware, supporting infrastructure);
  • by method of implementation (accidental/deliberate, natural/man-made actions);
  • by location of the threat source (inside/outside the IS in question).

Ensuring information security is a complex task, the solution of which requires an integrated approach. The following levels of information protection are distinguished:

  1. legislative – laws, regulations and other documents of the Russian Federation and the international community;
  2. administrative – a set of measures taken locally by the organization's management;
  3. procedural – security measures implemented by people;
  4. software and hardware – the technical means of information protection themselves.

The legislative level is the basis for building an information security system, as it defines the basic concepts of the subject area and determines the punishment for potential attackers. This level plays a coordinating and guiding role and helps maintain a negative (and punitive) attitude in society towards people who violate information security.

1.2. Federal Law "On Information, Information Technologies and Information Protection"

In Russian legislation, the basic law in the field of information protection is the Federal Law "On Information, Information Technologies and Information Protection" of July 27, 2006, No. 149-FZ. The basic concepts and decisions enshrined in the law therefore require careful consideration.

The law regulates relations arising when:

  • exercising the right to search, receive, transmit, produce and disseminate information;
  • application of information technologies;
  • ensuring information security.

The law provides basic definitions in the field of information protection. Here are some of them:

  • information – information (messages, data) regardless of the form of its presentation;
  • information technology – processes and methods of searching, collecting, storing, processing, providing and distributing information, and the methods of implementing such processes and methods;
  • information system – the totality of information contained in databases and of the information technologies and technical means that ensure its processing;
  • owner of information – a person who independently created information or received, on the basis of a law or agreement, the right to permit or restrict access to information determined by any criteria;
  • information system operator – a citizen or legal entity engaged in operating an information system, including processing the information contained in its databases;
  • confidentiality of information – a mandatory requirement for a person who has gained access to certain information not to transfer such information to third parties without the consent of its owner.

Article 4 of the Law formulates the principles of legal regulation of relations in the field of information, information technology and information protection:

  1. freedom to search, receive, transmit, produce and disseminate information by any legal means;
  2. establishing restrictions on access to information only by federal laws;
  3. openness of information about the activities of state bodies and local governments and free access to such information, except in cases established by federal laws;
  4. equality of rights for the languages of the peoples of the Russian Federation in the creation and operation of information systems;
  5. ensuring the security of the Russian Federation during the creation of information systems, their operation and the protection of the information contained in them;
  6. reliability of information and timeliness of its provision;
  7. inviolability of private life, inadmissibility of collecting, storing, using and disseminating information about a person’s private life without his consent;
  8. the inadmissibility of establishing by regulatory legal acts any advantages of using some information technologies over others, unless the mandatory use of certain information technologies for the creation and operation of state information systems is established by federal laws.

All information is divided into publicly available and restricted-access information. Public information includes generally known information and other information to which access is not restricted. The law defines information to which access cannot be restricted, for example information about the environment or the activities of government bodies. It is also stipulated that restriction of access to information is established by federal laws in order to protect the foundations of the constitutional system, morality, health, and the rights and legitimate interests of other persons, and to ensure the defense of the country and the security of the state. Maintaining the confidentiality of information to which access is restricted by federal laws is mandatory.

It is prohibited to require a citizen (individual) to provide information about his private life, including information constituting a personal or family secret, and to receive such information against the will of the citizen (individual), unless otherwise provided by federal laws.

Depending on the procedure for its provision or distribution, information is divided into:

  1. information that is freely disseminated;
  2. information provided by agreement of the persons participating in the relevant relationship;
  3. information that, in accordance with federal laws, is subject to provision or distribution;
  4. information whose distribution is restricted or prohibited in the Russian Federation.

The law establishes the equivalence of an electronic message signed with an electronic digital signature or another analogue of a handwritten signature and a document signed by hand.

The following definition of information protection is given: it is the adoption of legal, organizational and technical measures aimed at:

  1. ensuring the protection of information from unauthorized access, destruction, modification, blocking, copying, provision, distribution, as well as from other unlawful actions in relation to such information;
  2. maintaining the confidentiality of restricted information;
  3. implementation of the right to access information.

The owner of information and the operator of the information system, in cases established by the legislation of the Russian Federation, are obliged to ensure:

  1. prevention of unauthorized access to information and (or) transfer of it to persons who do not have the right to access information;
  2. timely detection of facts of unauthorized access to information;
  3. preventing the possibility of adverse consequences of violating the order of access to information;
  4. preventing influence on technical means of information processing, as a result of which their functioning is disrupted;
  5. the ability to immediately restore information modified or destroyed due to unauthorized access to it;
  6. constant monitoring of ensuring the level of information security.

Thus, the Federal Law “On Information, Information Technologies and Information Protection” creates the legal basis for information exchange in the Russian Federation and determines the rights and obligations of its subjects.

Information security refers to the security of information and its supporting infrastructure from any accidental or malicious influences that may result in damage to the information itself, its owners or supporting infrastructure.

The purpose of information security is to secure system values, protect and guarantee the accuracy and integrity of information, and minimize the destruction that may occur if information is modified or destroyed.

In practice, three aspects of information security are most important:

  1. Availability (the ability to obtain the required information service within a reasonable time);
  2. Integrity (its protection from destruction and unauthorized changes);
  3. Confidentiality (protection from unauthorized reading).

Methods of information protection:

· Obstruction – creating an obstacle in the path of a threat, overcoming which involves difficulties for an attacker or a destabilizing factor.

· Control – exercising control actions on the elements of the protected system.

· Disguise – actions on the protected system or information that transform them in such a way as to make them inaccessible to an attacker (this includes, in particular, cryptographic methods of protection).

· Regulation – development and implementation of a set of measures that create conditions for information processing which significantly complicate the implementation of attacks by an attacker or the impact of other destabilizing factors.

· Coercion – creating conditions under which users and personnel are forced to comply with the rules for processing information under threat of liability (material, criminal, administrative).

· Inducement – creating conditions under which users and staff comply with the rules for processing information for moral, ethical and psychological reasons.

Means of information protection:

· Physical means – mechanical, electrical, electromechanical, electronic, electronic-mechanical and other devices and systems that operate autonomously, creating various kinds of obstacles in the way of destabilizing factors.

· Hardware – various electronic, electronic-mechanical and other devices that are built into the circuitry of the data processing system's equipment or interfaced with it specifically to solve information security problems.

· Software – special software packages or individual programs included in the system software to solve information security problems.

· Organizational means – organizational and technical measures specifically provided for in the technology of system operation in order to solve information security problems.

· Legislative means – regulatory legal acts that regulate the rights and obligations, and establish the responsibility, of all persons and departments related to the operation of the system for violating the rules for processing information, where such a violation may result in a violation of its security.

· Psychological (moral and ethical) means – moral norms or ethical rules established in society or in a given group, compliance with which contributes to the protection of information, and violation of which is equivalent to non-compliance with the rules of behaviour in society or in the team.

Methods and means of information protection

Methods for ensuring information security in an IS:

· obstruction;
· access control;
· encryption mechanisms;
· countering malware attacks;
· regulation;
· coercion;
· inducement.

Obstruction – a method of physically blocking an attacker's path to the protected information (equipment, storage media, etc.).

Access control – methods of protecting information by regulating the use of all IS and IT resources. These methods should resist all possible ways of unauthorized access to information.

Access control includes the following security functions:

· identification of users, personnel and system resources (assignment of a personal identifier to each object);
· authentication (verification of authenticity) of an object or subject by the identifier it presents;
· verification of credentials (checking that the day of the week, time of day, requested resources and procedures comply with the established regulations);
· permission and creation of working conditions within the established regulations;
· registration (logging) of requests to protected resources;
· response (alarm, shutdown, delay of work, refusal of the request, etc.) when unauthorized actions are attempted.
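The six access-control functions listed above can be put together into one small policy check. The following is an added example written for this lecture, not code from the lecture or from any product: the user database, the "ivanov" account, the weekday/hour schedule and the lockout threshold are all constructed assumptions. Identification looks up the presented identifier, authentication compares a salted PBKDF2 hash in constant time, credential verification checks the request against the permitted weekdays, hours and resources, every decision is registered in a log, and the response to repeated bad passwords is to lock the identifier.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so that the stored credential is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    weekdays: set        # permitted days, 0 = Monday ... 6 = Sunday
    hours: range         # permitted hours of the day
    resources: set       # resources this subject may request
    failures: int = 0
    locked: bool = False


class AccessController:
    MAX_FAILURES = 3     # response threshold: lock the identifier after repeated bad attempts

    def __init__(self):
        self.accounts = {}   # constructed in-memory user database for the example
        self.log = []        # registration (logging) of every request to a protected resource

    def register(self, user_id, password, weekdays, hours, resources):
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(salt, hash_password(password, salt),
                                         set(weekdays), hours, set(resources))

    def request(self, user_id: str, password: str, resource: str, now: datetime) -> str:
        # 1. identification: is the presented identifier known to the system?
        acct = self.accounts.get(user_id)
        if acct is None:
            return self._respond(user_id, resource, now, "DENY:unknown-identifier")
        if acct.locked:
            return self._respond(user_id, resource, now, "DENY:locked")
        # 2. authentication: does the presented secret match the stored hash? (constant-time compare)
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= self.MAX_FAILURES:
                acct.locked = True           # response: refuse further requests under this identifier
                return self._respond(user_id, resource, now, "DENY:bad-password;LOCKED")
            return self._respond(user_id, resource, now, "DENY:bad-password")
        acct.failures = 0
        # 3. verification of credentials against the regulation: weekday, hour, resource
        if now.weekday() not in acct.weekdays or now.hour not in acct.hours:
            return self._respond(user_id, resource, now, "DENY:outside-schedule")
        if resource not in acct.resources:
            return self._respond(user_id, resource, now, "DENY:resource-not-permitted")
        # 4. permission: the request is within the established regulations
        return self._respond(user_id, resource, now, "ALLOW")

    def _respond(self, user_id, resource, now, decision):
        # 5. registration: every decision, allowed or denied, is written to the log
        self.log.append(f"{now.isoformat()} user={user_id} resource={resource} decision={decision}")
        return decision


if __name__ == "__main__":
    ac = AccessController()
    ac.register("ivanov", "correct horse", weekdays=range(0, 5), hours=range(9, 18), resources={"payroll"})
    print(ac.request("ivanov", "correct horse", "payroll", datetime(2024, 1, 15, 10, 0)))  # Monday 10:00 -> ALLOW
    print(ac.request("ivanov", "correct horse", "payroll", datetime(2024, 1, 13, 10, 0)))  # Saturday -> DENY:outside-schedule
    print("\n".join(ac.log))
```

The clock is passed in as a parameter rather than read from the system so that the schedule check is testable; the log line records the denial reason because the "response" function in the list above is only useful if the registered events say why a request was refused.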

Encryption mechanisms – cryptographic closure of information. These protection methods are increasingly used both when processing and when storing information on magnetic media. When transmitting information over long-distance communication channels, this method is the only reliable one.

Countering malware attacks requires a set of various organizational measures and the use of antivirus programs. The goals of the measures taken are to reduce the likelihood of infecting the AIS, to detect infection of the system, to mitigate the consequences of information infections, to localize or destroy viruses, and to recover information in the IS. Mastering this set of measures and means requires familiarity with the specialized literature.

Regulation – the creation of such conditions for the automated processing, storage and transmission of protected information under which the norms and standards of protection are fulfilled to the greatest extent.

Coercion – a method of protection in which users and IS personnel are forced to comply with the rules for processing, transferring and using protected information under threat of material, administrative or criminal liability.

Inducement – a method of protection that encourages users and IS personnel not to violate the established order by observing established moral and ethical standards.

The entire set of technical means is divided into hardware and physical means.

Hardware – devices built directly into computer equipment, or devices that interface with it through a standard interface.

Physical means include various engineering devices and structures that prevent the physical penetration of intruders into the objects of protection, and that protect personnel (personal security means), material resources and finances, and information from illegal actions. Examples of physical controls: locks on doors, bars on windows, electronic security alarms, etc.

Software tools are special programs and software complexes designed to protect information in an IS. As noted, many of them are merged with the software of the IS itself.

Among the software tools of a security system we also highlight the software tools implementing encryption mechanisms (cryptography). Cryptography is the science of ensuring the secrecy and/or authenticity of transmitted messages.

Organizational means regulate, on a normative basis, the production activities in the IS and the relationships between performers in such a way that disclosure, leakage and unauthorized access to confidential information become impossible or are significantly hampered by organizational measures. This set of measures is implemented by the information security group, but must be under the control of the first manager.

Legislative means are determined by the legislative acts of the country, which regulate the rules for using, processing and transferring restricted-access information and establish the measures of liability for violating these rules.

Moral and ethical means of protection include all kinds of norms of behaviour which developed traditionally earlier, are developing as IS and IT spread in the country and in the world, or are specially developed. Moral and ethical standards can be unwritten (for example, honesty) or formalized in a certain set (charter) of rules or regulations. These norms are usually not legally approved, but since their non-observance leads to a decline in the prestige of the organization, they are considered mandatory. A typical example of such regulations is the Code of Professional Conduct of the members of the US Computer Users Association.

9.3. Security Technologies

When using any information technology, attention should be paid to the availability of tools for protecting data, programs and computer systems. Data security includes ensuring data integrity and protecting data and programs from unauthorized access, copying and modification.

The reliability of data is controlled at all stages of the technological process of operating an EIS. There are visual and software methods of control. Visual control is carried out at the pre-machine and final stages, software control at the in-machine stage. Control is required when entering data and when correcting it, i.e. wherever the user intervenes in the computing process. Individual fields, records, groups of records and files are controlled. Software tools for controlling data reliability are laid down at the detailed design stage.

[Source page header: Information technology in economics, 9.2. Methods and means of information protection – abc.vvsu.ru/Books/inform_tehnolog/page0025.asp]

Protection of data and programs from unauthorized access, copying and modification is implemented by software and hardware methods and technological techniques. Hardware and software security measures include passwords, electronic keys, electronic identifiers, electronic signatures, and tools for encoding and decoding data. Cryptographic methods are used for encoding and decoding data and programs and for electronic signatures. For example, in the USA the cryptographic standard developed by the IETF group is used; it is not subject to export. Domestic electronic keys have also been developed, for example NovexKey for protecting programs and data in Windows, DOS and Netware systems.

According to experts, security measures are similar to a door lock. Locks get broken, but no one removes them from the doors, leaving the apartment open.

Technological control consists in organizing a multi-level system for protecting programs and data by means of checking passwords, electronic signatures, electronic keys and hidden file marks, using software products that meet computer security requirements, and applying methods of visual and software control of reliability, integrity and completeness.

The security of data processing depends on the security of the use of computer systems. A computer system is a collection of hardware and software, various types of physical information media, the data itself, and the personnel servicing the listed components.

A standard for the security assessment of computer systems has now been developed in the USA – the suitability assessment criteria. It takes into account four types of requirements for computer systems:

· requirements for implementing a security policy;
· keeping records of the use of computer systems – accounting;
· trust in computer systems;
· documentation requirements.

The requirements for a consistent security policy and for keeping records of the use of computer systems depend on each other and are provided by means included in the system, i.e. the resolution of security issues is built into the software and hardware at the design stage.

Violation of trust in computer systems is usually caused by a violation of the program development culture: rejection of structured programming, failure to remove stubs, undefined input, etc. To test for trust, one needs to know the application architecture, the rules for its stable maintenance, and a test example.

The documentation requirements mean that the user must have comprehensive information on all issues. At the same time, the documentation should be concise and understandable.

Only after assessing the security of a computer system can it be admitted to the market.

During operation of an IS, the greatest harm and losses are caused by viruses. Protection against viruses can be organized in the same way as protection against unauthorized access. The protection technology is multi-level and contains the following stages:

1. Input control of new software or a floppy disk, carried out by a group of specially selected detectors, auditors and filters. For example, the group can include Scan, Aidstest and TPU8CLS. A quarantine regime can also be applied: for this purpose an accelerated computer calendar is used. In each subsequent experiment a new date is entered and deviations in the old software are observed. If there is no deviation, no virus has been detected.

2. Hard disk segmentation. Individual disk partitions are assigned the ReadOnly attribute. For segmentation you can use, for example, the Manager program, etc.

3. Systematic use of resident audit programs and filters for monitoring the integrity of information, for example Check21, SBM, Antivirus2, etc.

4. Archiving. Both system and application programs are subject to it. If one computer is used by several users, daily archiving is advisable. For archiving, you can use PKZIP and others.

The effectiveness of security software depends on the correctness of the user's actions, which may be performed erroneously or with malicious intent.

Therefore, the following organizational protective measures should be taken:

· general access control, including a password system and hard drive segmentation;
· training of personnel in protection technology;
· ensuring the physical security of the computer and magnetic media;
· development of archiving rules;
· storage of individual files in encrypted form;
· creating a plan for restoring the hard drive and damaged information.

Many programs have been developed to encrypt files and protect against unauthorized copying, for example Catcher, Exeb, etc. One of the protection methods is a hidden file label: the label (password) is written to a sector on the disk that is not read together with the file, and the file itself is located starting from a different sector; thus the file cannot be opened without knowing the label.

Restoring information on a hard drive is a difficult task, accessible only to highly qualified system programmers. Therefore it is advisable to have several sets of floppy disks for the hard drive archive and to record on these sets cyclically. For example, when recording on three sets of floppy disks, the "week-month-year" principle can be used. The location of files on the hard drive should be optimized periodically using the SpeedDisk utility, etc., which significantly facilitates their recovery.

Components of information security

In general, information security (IS) can be defined as “the security of information, resources and supporting infrastructure from accidental or intentional impacts of a natural or artificial nature that may cause unacceptable damage to the subjects of information relations - producers, owners and users of information and supporting infrastructure.”

Information security is not limited solely to protection from unauthorized access to information: it is a fundamentally broader concept, including the protection of information, technologies and systems.

Security requirements in various aspects of information activity may differ significantly, but they are always aimed at achieving the following three main components of information security:

  • integrity. This is, first of all, the relevance and consistency of information, its protection from destruction and unauthorized changes; namely, the data and information on the basis of which decisions are made must be reliable, accurate and protected from possible unintentional and malicious distortions;
  • confidentiality. Classified information should be accessible only to those for whom it is intended. Such information cannot be obtained, read, changed or transmitted without the appropriate access rights;
  • availability (readiness). This is the possibility of obtaining the required information service in a reasonable time, i.e. data, information and related services, automated services, and interaction and communication tools must be available and ready to work whenever they are needed.

Information security activities are aimed at preventing, preventing or neutralizing the following actions:

  • unauthorized access to information resources (NSD; Unauthorized Access, UAA);
  • distortion, partial or complete loss of confidential information;
  • targeted actions (attacks) to destroy the integrity of software systems, data systems and information structures;
  • failures and malfunctions of software, hardware and telecommunications.

Thus, a methodologically correct approach to information security problems begins with identifying the subjects of information relations and the interests of these subjects related to the use of information technologies and systems (IT/IS).

Assessing the real situation in most cases comes down to answering the key questions that form the systemic basis for ensuring information security, and in particular whether it is necessary to protect, from whom and what should be protected, what and how needs to be protected, what measures will ensure the effectiveness of protection, and also to evaluate the estimated cost of development, implementation, operation, maintenance and modernization of security systems.

The first three questions directly relate to the problem of assessing real threats (Fig. 7.1) [16]. The answers to these questions are ambiguous: much depends on the structure, area of activity and goals of the company. When integrating individual and corporate information systems and resources into a unified information infrastructure, the determining factor is ensuring the appropriate level of information security for each entity that has decided to enter the unified infrastructure.

Fig. 7.1.

In the single information space of a state structure or a commercial company, authentication mechanisms and tools must be created to authenticate users, messages and content. Thus, an information security system must be created that includes the necessary set of measures and technical solutions to protect against:

  • dysfunction of the information space, by eliminating impacts on information channels and resources;
  • unauthorized access to information, by detecting and eliminating attempts to use the resources of the information space that lead to a violation of its integrity;
  • destruction of built-in protective means, with the ability to identify unauthorized actions of users and service personnel;
  • the introduction of software "viruses" and "bookmarks" (implants) into software products and hardware.

Of particular note are the tasks of ensuring the security of systems being developed and modified in an integrated information environment, since in the process of modifying the CIS, the occurrence of emergency situations of system insecurity (so-called “holes in the system”) is inevitable.

Along with the analysis of the specific means of protection existing in the company, an information security policy must be developed, including a set of organizational and administrative measures and documents, as well as methodological and technical solutions that form the basis for creating an information security infrastructure (Fig. 7.2).

Fig. 7.2.

The next step in developing a comprehensive information security system is the acquisition, installation and configuration of information security tools and mechanisms. Such tools include systems for protecting information from unauthorized access, cryptographic protection systems, firewalls, security analysis tools, etc. Qualified personnel are required for the correct and effective use of the installed security tools.

Over time, existing protection means become outdated, new versions of information security systems are released, the list of found vulnerabilities and attacks is constantly expanding, information processing technology, software and hardware, as well as company personnel are changing. Therefore, it is necessary to regularly review the developed organizational and administrative documents, conduct a survey of the information system or its subsystems, train personnel and update security measures.

Any enterprise that receives resources, including information, processes them in order to ultimately sell its own commercial product on the market. At the same time, it generates a specific internal environment, which is formed by the efforts of personnel of all structural divisions, as well as technical means and technological processes, economic and social relations both within the enterprise and in interaction with the external environment.

Corporate information reflects the financial and economic condition of the enterprise and the results of its activities. Examples of such information are registration and statutory documents, long-term and current plans, orders, instructions, reports, production data, data on the flow of finance and other resources, information on personnel training and areas of application of products, including methods and sales channels, sales techniques , orders, logistics, information about suppliers and partners.

Sources of corporate information: the directorate and administration of the enterprise, planning and financial departments, accounting, IT departments and computer centers, the departments of the chief engineer and chief mechanic, production departments, legal, operational and repair services, logistics, purchasing and sales departments, etc.

The corporate environment includes governmental, economic, political and social actors operating outside the enterprise. Information outside the corporate environment is often incomplete, contradictory, approximate, heterogeneous and does not adequately reflect the state of the external environment. Examples of external information that goes beyond the corporate environment are the state of the market (its long-term and current state, trends in the business environment, fluctuations in supply and demand, instability of the situation, variability, contradictory requirements), changes in legislation, consumer expectations, "intrigues" of competitors, consequences of political events, etc.

Most of this information is open, but depending on the characteristics of internal activities and interaction with the outside world, some of the information may be intended “for official use,” i.e. be "strictly confidential" or "secret". Such information is, as a rule, “closed” and requires appropriate protection measures.

To ensure security when working with protected information, you should, firstly, build a policy for working with confidential and proprietary information and develop and implement the appropriate guidelines and procedures, and, secondly, provide the necessary software and hardware resources.

Software and hardware for working with protected information are either built into the corresponding modules of the corporate information system (CIS) or used locally in systems specified in the information security policy. These include tools that provide:

  • monitoring of the movement of confidential information through the information system (Data-in-Shell);
  • control of data leakage through network traffic over TCP/IP, SMTP, IMAP, HTTP(S), IM (ICQ, AOL, MSN), FTP, SQL and proprietary protocols, by filtering content at the level of:
    – the gateway through which traffic flows from the internal network to the external network (Data-in-Motion);
    – a server that processes a certain type of traffic (Data-at-Rest);
    – the workstation (Data-in-Use);
    – internal mail channels (Microsoft Exchange, Lotus Notes, etc.);
  • control of leakage of protected information from workstations, peripheral and mobile devices;
  • proactive protection and personal firewalls;
  • shadow copying of information objects into a single content filtering database for all channels, according to uniform rules.
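The list above describes content filtering with one rule set for every channel and a single shadow-copy store for hits. The following Python sketch is an added illustration of that idea; it is not code from the lecture or from any vendor's product. The channel names, user names, rule patterns (a confidentiality marker, a payment-card shape, a hypothetical `PRJ-nnnn` project code) and the sample messages are all constructed for the example.

```python
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Uniform content rules applied to every channel (constructed patterns for this example).
RULES: Dict[str, "re.Pattern[str]"] = {
    "confidentiality-marker": re.compile(r"\b(strictly confidential|confidential|for official use)\b", re.I),
    "payment-card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "internal-project-code": re.compile(r"\bPRJ-\d{4}\b"),  # hypothetical document marking
}


@dataclass
class Event:
    channel: str   # e.g. "smtp-gateway", "http-gateway", "workstation-usb"
    subject: str   # user on whose behalf the transfer happens
    content: str


@dataclass
class Verdict:
    action: str               # "allow" or "block"
    matched: List[str]        # names of the rules that fired
    shadow_id: Optional[str]  # key of the shadow copy, if one was kept


class ShadowStore:
    """The single shadow-copy database shared by all channels."""

    def __init__(self) -> None:
        self.records: Dict[str, dict] = {}

    def save(self, event: Event, matched: List[str]) -> str:
        key = json.dumps([event.channel, event.subject, event.content]).encode("utf-8")
        sid = hashlib.sha256(key).hexdigest()[:16]
        self.records[sid] = {"channel": event.channel, "subject": event.subject,
                             "rules": matched, "content": event.content}
        return sid


def inspect(event: Event, store: ShadowStore) -> Verdict:
    """Apply the same rule set regardless of channel; keep a shadow copy of every hit."""
    matched = [name for name, rx in RULES.items() if rx.search(event.content)]
    if not matched:
        return Verdict("allow", [], None)
    return Verdict("block", matched, store.save(event, matched))


def run_sample() -> dict:
    """Run constructed traffic samples from four channels through the filter."""
    store = ShadowStore()
    events = [
        Event("smtp-gateway", "alice", "FYI: STRICTLY CONFIDENTIAL Q3 budget attached"),
        Event("http-gateway", "bob", "card 4111 1111 1111 1111 exp 12/29"),   # well-known test number
        Event("workstation-usb", "carol", "holiday photos.zip"),
        Event("exchange-internal", "dave", "status for PRJ-0042 is green"),
    ]
    verdicts = [inspect(e, store) for e in events]
    return {
        "verdicts": [(e.channel, v.action, v.matched) for e, v in zip(events, verdicts)],
        "shadow_copies": len(store.records),
    }


if __name__ == "__main__":
    for row in run_sample()["verdicts"]:
        print(row)
```

The point of the design is that the rule table is the only thing that decides, so a gateway, a mail server and a workstation agent all give the same verdict for the same content, and every blocked object is reproducible later from the one store.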

Properly organizing the protection of protected data and information is neither easy nor cheap. To do this, you need to classify data, conduct a thorough inventory of information resources, select an adequate software and hardware solution, develop and implement a set of regulatory documents to ensure internal security. The main role in this difficult work of minimizing the risks of data leakage is played by the competence and will of the top management of the enterprise, current policies and effective software, as well as the trade secret regime when working with protected information.

The following aspects can be distinguished in the problem of information security:

Information integrity

Information integrity – this is its physical safety, protection from destruction and distortion, as well as its relevance and consistency.

Information integrity is divided into:

· static,

· dynamic.

Static integrity of information presupposes the immutability of information objects from their original state, as determined by the author or source of the information.

Dynamic integrity of information covers the correct performance of complex actions on information flows, for example, analyzing a flow of messages to identify incorrect ones, monitoring the correct transmission of messages, confirming individual messages, etc.

Integrity is the most important aspect of information security in cases where information is used to manage various processes, for example, technical, social, etc.

Thus, an error in a control program can halt the controlled system, an incorrect interpretation of a law can lead to violations of it, just as an inaccurate translation of the instructions for a medicinal product can cause harm to health. All these examples illustrate a violation of the integrity of information, which can lead to catastrophic consequences. That is why information integrity is singled out as one of the basic components of information security.

Integrity is a guarantee that information now exists in its original form, that is, no unauthorized changes were made during its storage or transmission.

For example, when recording information about college students on a computer’s hard drive, we expect that it will be stored there for an indefinitely long time (until we erase it ourselves) unchanged (that is, the names of students in this list do not change spontaneously, without our knowledge). In addition, we count on the consistency of the information: for example, that there will not be a one-year-old child on the list of students, or that the same student will not be on the lists of two groups at once.
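Both requirements from the student-list example can be checked mechanically. The Python sketch below is an added example, not code from the lecture: it seals the stored list with an HMAC so that any silent change is detected (static integrity), and it runs the two consistency rules the text names (no implausibly young student, no student in two groups). The student records, the key and the age threshold of 15 are constructed assumptions for the example.

```python
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import date
from typing import Dict, List

# Constructed sample records: a college student list as kept on disk (not real people).
STUDENTS: List[Dict[str, str]] = [
    {"id": "1", "name": "Ivanov",  "birth_date": "2003-05-01", "group": "A"},
    {"id": "2", "name": "Petrova", "birth_date": "2004-02-11", "group": "B"},
    {"id": "1", "name": "Ivanov",  "birth_date": "2003-05-01", "group": "B"},  # same student, second group
    {"id": "3", "name": "Sidorov", "birth_date": "2024-01-01", "group": "A"},  # implausible age
]


def canonical(records: List[Dict[str, str]]) -> bytes:
    """Canonical serialisation so identical content always hashes identically."""
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(records: List[Dict[str, str]], key: bytes) -> str:
    """Static integrity: an HMAC tag over the stored records. Whoever changes the
    records without the key cannot produce a matching tag."""
    return hmac.new(key, canonical(records), hashlib.sha256).hexdigest()


def verify_seal(records: List[Dict[str, str]], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(seal(records, key), tag)


def consistency_errors(records: List[Dict[str, str]], today: date) -> List[str]:
    """Consistency rules from the text: no one-year-old students, and no student
    listed in two groups at once. Age errors come first, then group errors."""
    errors: List[str] = []
    groups = defaultdict(set)
    for r in records:
        born = date.fromisoformat(r["birth_date"])
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        if age < 15:  # threshold is an assumption for this example
            errors.append(f"student {r['id']}: implausible age {age}")
        groups[r["id"]].add(r["group"])
    for sid, gs in sorted(groups.items()):
        if len(gs) > 1:
            errors.append(f"student {sid}: listed in several groups {sorted(gs)}")
    return errors


def demo() -> dict:
    key = b"integrity-key-kept-separately"  # constructed; in practice from a key store
    tag = seal(STUDENTS, key)
    tampered = json.loads(json.dumps(STUDENTS))
    tampered[1]["name"] = "Petrov"           # a silent change to the stored list
    return {
        "original_ok": verify_seal(STUDENTS, key, tag),
        "tampered_ok": verify_seal(tampered, key, tag),
        "errors": consistency_errors(STUDENTS, date(2025, 1, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

A plain hash would also detect accidental corruption, but only a keyed tag (or a signature) detects a deliberate change, since an attacker who can rewrite the file can just as easily rewrite an unkeyed hash beside it; the key must therefore be stored separately from the data it protects.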

Availability of information

Availability of information is a guarantee that the user will receive the required information or information service within a certain time.

The role of information availability is especially evident in various types of management systems - production, transport, etc. Less dramatic, but also very unpleasant consequences - both material and moral - can be caused by the long-term unavailability of information services used by a large number of people, for example, the sale of railway and air tickets, banking services, access to the Internet, etc.

The time factor in determining the availability of information is in some cases very important, since some types of information and information services are meaningful only during a certain period of time. For example, receiving a pre-booked plane ticket after departure loses all meaning. Likewise, getting a weather forecast for yesterday makes no sense, since that event has already occurred. In this context, the saying “a spoon is dear at dinner time” is very apt.

Availability of information implies that the subject of information relations (user) has the opportunity to obtain the required information service within an acceptable time.

For example, when creating an information system with information about college students, we expect that with the help of this system, at any time and within a few seconds, we will be able to obtain the required information (a list of students of any group, complete information about a specific student, summary data such as the average age of students, the number of boys and girls, and so on).

It should be noted that electronic data processing systems are created specifically to provide certain information services. If the provision of such services becomes impossible, then this causes damage to all subjects of information relations. Therefore, without contrasting accessibility with other aspects, it is singled out as the most important element of information security.

Confidentiality of information

Almost all organizations have confidential information. This could be a production technology, a software product, personal data of employees, etc. In relation to computer systems, passwords for accessing the system are always confidential data.

Confidentiality of information – this is a guarantee that specific information is available only to the circle of people for whom it is intended.

Confidential information – this is information to which a limited number of persons have the right of access.

If access to confidential information is obtained by a person who does not have such a right, then such access is called unauthorized and is considered a violation of the protection of confidential information. A person who obtains or attempts to obtain unauthorized access to confidential information is called an intruder.

For example, if Sasha sent Masha a letter by email, then the information in this letter is confidential, since the secrecy of personal correspondence is protected by law. If Masha's brother, having cracked the password, gained access to Masha's mailbox and read the letter, then unauthorized access to confidential information has occurred, and Masha's brother is an intruder.

Ensuring information confidentiality is the most developed section of information security.

The Federal Law “On Information, Informatization and Information Protection” determines that information resources, that is, individual documents or arrays of documents, including in information systems, being the object of relations between individuals, legal entities and the state, are subject to mandatory accounting and protection, like any tangible property of the owner. In this case, the owner is given the right to independently, within his competence, establish a regime for protecting information resources and access to them. The law also establishes that “confidential information is such documented information, access to which is limited in accordance with the legislation of the Russian Federation.” At the same time, a federal law may contain a direct provision according to which particular information is classified as confidential or access to it is limited. Thus, the federal law “On Information, Informatization and Information Protection” directly classifies personal data (information about citizens) as confidential information. The Russian Federation Law “On Banks and Banking Activities” limits access to information on transactions and accounts of bank clients and correspondents.

However, a direct rule does not exist for all information constituting confidential information. Sometimes the law defines only the characteristics that such information must satisfy. This, in particular, applies to official and commercial secrets, the characteristics of which are determined by the Civil Code of the Russian Federation and are as follows:

· the information is unknown to third parties;

· there is no legal basis for free access to this information;

· measures to ensure the confidentiality of the information are taken by its owner.

Confidential information is divided into:

· subject,

· service.

Subject information – this is information about some area of the real world, which, in fact, is what the attacker needs, for example, drawings of a submarine or information about the location of Osama Bin Laden. Service information does not relate to a specific subject area, but is related to the operating parameters of a particular data processing system. Service information primarily includes user passwords for working in the system. Having obtained service information (a password), an attacker can then use it to gain access to confidential subject information.

A violation of any of the three properties leads to a violation of information security as a whole. Thus, a violation of availability results in denial of access to information, a violation of integrity results in falsification of information and, finally, a breach of confidentiality results in disclosure of information.

This aspect of information security has become extremely relevant recently due to the adoption of a number of international legal acts on the protection of intellectual property. This aspect mainly concerns the prevention of illegal use of programs.

So, for example, if a user installs an unlicensed Windows system on his computer, then there is a violation of information security.

In addition, this aspect concerns the use of information obtained from electronic sources. This problem has become more pressing due to the development of the Internet. A situation has arisen where an Internet user considers all information posted there as his personal property and uses it without any restrictions, often passing it off as his own intellectual product.

For example, a student “downloads” an essay from the Internet and submits it to the teacher under his last name.

Legislative acts and law enforcement practice related to this problem are still in their infancy.

It should be noted that although all civilized countries have laws guarding the security of citizens (including information security), in the field of computer technology law enforcement practice is not yet sufficiently developed, and the legislative process does not keep pace with the development of technology; therefore the process of ensuring information security is largely based on self-defense measures.

Therefore, it is necessary to understand where information security threats may come from and what they may be, what measures can be taken to protect information, and be able to competently apply these measures.

Corporate security is not a new phenomenon at all. What has only recently come to be called by this term has existed since the beginning of trade. Each merchant sought to protect his professional secrets from competitors, so as not to lose profit.

Modern realities of corporate security of the company

In fact, modern corporate security is not much different from the old one. Only the realities in which businessmen must conduct their business are changing. Any company wants to be reliably protected not only from external threats, but also from internal ones. This problem is solved by corporate and information security specialists. They are faced with the task of carrying out a whole range of measures, including almost all areas of the company’s life:

  • protection of trade secrets;
  • internal work with employees;
  • internal counterintelligence;
  • official investigations;
  • economic security;
  • technical and physical protection.

If there are problems with at least one of these points, there will be trouble. Not long ago, a scandal erupted in the UK - hard drives with clinic patient data that were supposed to be destroyed suddenly ended up on eBay auctions.

Hospitals transferred the decommissioned disks to a contracting company, which, in turn, used the services of a private party. An enterprising Englishman, instead of conscientiously fulfilling his duties - destroying the media - put up disks with data for sale.

In this case, two points can be called “weak links” - internal work with employees and technical protection. Let's figure out why. The leak was caused by an overly long chain of intermediaries, as a result of which the customer was not even aware of who was directly involved in the destruction of disks and whose actions needed to be monitored. In addition, the very fact that hospitals transferred disks with unprotected personal data of patients to third parties is a technical omission of employees.

A responsible approach to ensuring corporate information security would help avoid this situation. Let's figure out what needs to be done to get a really working information security system.


Three difficult steps

Before starting to build an effective information security system, it is necessary to carefully analyze the data storage and processing system already existing in the enterprise. There are three main steps that need to be taken to do this:

1. Identifying critical information.

2. Identifying weaknesses in corporate security.

3. Assessing the possibilities for protecting this information.

All these actions can be performed either by your own employees, or you can order an audit of the company’s information security from specialists. The advantages of the first method are lower cost and, importantly, the lack of access to corporate data for third parties. However, if the organization does not have good full-time security audit specialists, then it is best to resort to the help of third-party companies - the result will be more reliable. This will help you avoid the most common mistakes in information security.

“The most common mistakes are underestimating and overestimating threats to business activity,” believes Alexander Doronin, economic security expert and author of Business Intelligence. “In the first case, there are gaping holes in the enterprise’s security system, which for the organization results in direct damage from the leakage of confidential information, corporate fraud and outright theft of whatever comes to hand.

When overestimating threats, the security system not only places a heavy burden on the enterprise’s budget, but also unjustifiably makes it difficult for the organization’s employees to perform their duties. This threatens the loss of possible profits and loss of competitiveness.”

Identifying critical information. At this stage, the documents and data are identified whose security is of great importance for the company and whose leakage would cause huge losses. Most often such information includes information constituting a trade secret, but not only that.

For example, after the adoption of the new edition of the federal law “On Personal Data,” all information collected by an organization about its employees and clients also needs protection. Last year’s series of leaks from Megafon, online stores and Russian Railways, as well as the fines received by the perpetrators of these incidents, are the best proof of the need to protect such information.

It is important to remember: third-party auditors cannot independently compile a list of all documents that need to be protected. The work of the auditor should be performed jointly with an employee of the enterprise who is well aware of the peculiarities of document flow.

Identifying weaknesses in corporate security. This task is performed directly by the specialists conducting the audit. The choice of information security design scheme depends on the results of this work.

When identifying gaps in information and, as a consequence, corporate security, not only technical means are assessed. A very important point is the existence of a differentiation of employee access rights to this or that information, and a non-disclosure agreement on corporate information. It is also important to assess the loyalty of employees to management and relationships in the team - all of this is the responsibility of the HR department.

A recent example of a situation where a staff member took advantage of his position and stole information was the theft by the Kenyan representative office of Google of information about the startup Mocality (an online business information database). Google was forced to make an official apology to the victims, and the head of the representative office, through whose fault the incident occurred, was removed from his position.

Assessment of information security capabilities. This is the final stage of the audit, during which, based on the analysis, a list of specific measures that must be taken to protect the company’s corporate secrets is compiled. Recommendations can be both technical and organizational in nature.

In addition, at this stage, the financial capabilities of the company to protect information are analyzed, since many information protection tools may turn out to be too expensive for the enterprise. And some of these measures are simply not practical for small businesses. A special need arises if the organization uses 50 or more computers.

A technical audit always precedes the installation of a DLP system. After an order is placed, the customer is consulted by SearchInform engineers, who assess the company’s IT infrastructure and determine how much capacity is required to install the program.

Two-way protection

Information security is just one of many ways (albeit the most important) to ensure corporate protection. A set of measures is needed - technical and organizational.

Technical solutions for protecting corporate secrets include installing a DLP system (Data Leak Prevention). This set of software tools monitors all information flows in the organization - from email to programs that use encryption algorithms (for example, Skype) or the HTTPS protocol. All removable storage media, corporate computers and laptops are also under control.

An important feature of DLP systems is their autonomy. There is no need for a company to maintain an entire department dedicated to information security. Just a few specialists are enough.

Recent research by SearchInform, a leading player in the Russian information security market, has shown that DLP systems are not very popular now in Russia and the CIS countries. Just over half of organizations (58%) plan to install comprehensive security soon. The rest do not consider its implementation necessary or believe that partial protection is sufficient. However, information security will only be at an optimal level when comprehensive protection is provided.

DLP systems do more than provide reliable protection of secrets. Their functions are much broader: with the right approach, you can obtain information about the mood of employees in the team and track the movement of key documents and incoming and outgoing messages. As a result, DLP systems are also an effective aid in such important corporate security activities as internal counterintelligence or internal investigations.

However, technical data security and tracking employee actions alone are not enough. Organizational measures, work with employees, and development of internal documentation are also important.

“The corporate security system must be comprehensive, otherwise it will be like a joke: at the entrance, a security guard strictly checks the passes of the company’s employees, and twenty meters from the entrance there is a hole through which anyone can enter the company’s territory,” Alexander Doronin shares his experience.

Organizational work includes informing personnel about the presence of information security systems in the organization, the need to maintain trade secrets and the possible consequences of its disclosure, both for the company and for the employee himself. Creating a positive work environment is another key aspect of organizational measures. Corporate security is impossible if employees look at each other with distrust. Such a “cold war” will significantly slow down business processes. Therefore, it is worth recalling once again the important role of the HR department.

As for the development of internal documentation, the responsibilities of employees must be clearly stated, as well as their rights of access to certain documents. Each department must perform the tasks assigned to it - no more, but no less.

We must not forget about such seemingly basic things as the work of the security service. Physical protection of employees in the workplace is also an important part of corporate security.

Only by achieving such two-way - technical and organizational - protection, without exaggerating or minimizing the threat, can you create reliable corporate protection for the company.
