Basics of information security. Chapter V. Ensuring Security and Protection of Information. What is the information security of an organization

Scientific and technological progress has turned information into a product that can be bought, sold and exchanged. Often the cost of data is several times higher than the price of the entire technical system that stores and processes it.

The quality of commercial information provides the necessary economic effect for the company, so it is important to protect critical data from unlawful actions. This will allow the company to successfully compete in the market.

Definition of information security

Information security (IS) is the state of an information system in which it is least susceptible to interference and damage by third parties. Data security also implies managing the risks associated with disclosure of information or with interference in hardware and software protection modules.

The security of information processed in an organization is a set of actions aimed at protecting the information environment within the company. At the same time, authorized persons should not be restricted in using the information or in developing it dynamically.

IS protection system requirements

Protection of information resources should be:

1. Constant. An attacker can try at any moment to bypass the protection modules guarding the data of interest.

2. Targeted. Information should be protected in pursuit of a specific goal set by the organization or the data owner.

3. Planned. All protection methods must comply with state standards, laws and by-laws that regulate the protection of confidential data.

4. Active. Measures to support and improve the protection system should be carried out regularly.

5. Comprehensive. Using only individual protection modules or technical means is unacceptable. All types of protection must be applied to the fullest extent, otherwise the system loses its meaning and its economic justification.

6. Universal. Protection tools should be selected in accordance with the leakage channels that exist.

7. Reliable. All protection techniques should reliably block an attacker's possible paths to protected information, regardless of the form in which the data is presented.

A DLP system must also meet the listed requirements. Its capabilities are best evaluated in practice rather than in theory. You can try "SearchInform KIB" free of charge for 30 days.

Security system model

Information is considered protected if three main properties are observed.

First, integrity: ensuring that protected data is reliable and displayed correctly, regardless of which security and protection systems the company uses. Data processing must not be disrupted, and users who work with protected files must not encounter unauthorized modification or destruction of resources, or malfunctions.

Second, confidentiality: access to view and edit data is granted exclusively to authorized users of the protection system.

Third, availability: all authorized users must have access to confidential information.

Violating just one of these properties of the protected information is enough to make use of the system meaningless.

Stages of creating and providing information protection system

In practice, an information protection system is created in three stages.

At the first stage, a basic model of the system that will operate in the company is developed. To do this, it is necessary to analyze all types of data that circulate in the firm and need to be protected against encroachment by third parties. The work plan at the initial stage consists of four questions:

  1. What information should be protected?
  2. What is the purpose of gaining access to the protected information?

The purpose may be familiarization with the data, or its alteration, modification or destruction. Each of these actions is unlawful if an attacker performs it. Familiarization does not destroy the data structure, whereas modification and destruction lead to partial or complete loss of information.

  3. What is the source of confidential information?

Sources in this case are people and information resources: documents, flash drives, publications, products, computer systems, workshop tools.

  4. What are the ways of gaining access, and how can the system be protected against unauthorized attempts to influence it?

The following ways of gaining access are distinguished:

  • Unauthorized access - unlawful use of data;
  • Leakage - uncontrolled dissemination of information outside the corporate network. Leakage occurs because of shortcomings and weaknesses in a technical channel of the security system;
  • Disclosure - a consequence of the human factor. Authorized users can disclose information deliberately, to pass it to competitors, or through negligence.

The second stage is the development of the protection system. This means implementing all the selected methods, means and directions of data protection.

The system is built in several directions of protection at once, on several levels that interact with each other to ensure reliable control of information.

The legal level ensures compliance with state standards in the field of information protection and includes copyright, decrees, patents and job descriptions. A competently built protection system does not violate user rights or data processing standards.

The organizational level makes it possible to create regulations for how users work with confidential information, to select personnel, and to organize work with documentation and physical data carriers.

The regulations for how users work with confidential information are called access separation rules. The rules are established by the company's management together with the security service and the vendor that implements the security system. The goal is to define the conditions of access to information resources for each user, for example the right to read, edit or transmit a confidential document. Access separation rules are developed at the organizational level and are put into effect when the technical component of the system is configured.
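The access separation rules described above (a per-user right to read, edit or transmit a confidential document) can be expressed as a deny-by-default check that journals every decision. This is an added example, not part of the original article; the user names, document name and journal record layout are assumptions made for illustration.

```python
"""Access separation rules: per-user rights on confidential documents.

Added illustration. Users, documents and the journal layout are constructed.
"""
from dataclasses import dataclass, field
from enum import Flag


class Right(Flag):
    """The rights named in the text: read, edit, transmit."""
    READ = 1
    EDIT = 2
    TRANSMIT = 4


NO_RIGHTS = Right(0)


@dataclass
class AccessRules:
    # (user, document) -> rights granted at the organizational level.
    # A pair that is absent has no rights at all: deny by default.
    grants: dict = field(default_factory=dict)
    # Every decision, allowed or denied, is journaled for later review.
    journal: list = field(default_factory=list)

    def grant(self, user, document, rights):
        key = (user, document)
        self.grants[key] = self.grants.get(key, NO_RIGHTS) | rights

    def revoke(self, user, document, rights):
        key = (user, document)
        self.grants[key] = self.grants.get(key, NO_RIGHTS) & ~rights

    def check(self, user, document, requested):
        granted = self.grants.get((user, document), NO_RIGHTS)
        # Every requested right must be granted; an empty request is refused.
        allowed = bool(requested) and requested in granted
        self.journal.append((user, document, requested, allowed))
        return allowed

    def denied(self, user=None):
        """Journal entries for refused requests, optionally for one user."""
        return [e for e in self.journal
                if not e[3] and (user is None or e[0] == user)]


def build_example_rules():
    """Constructed rule set: two users, one confidential document."""
    rules = AccessRules()
    rules.grant("analyst", "price-list.xlsx", Right.READ | Right.EDIT)
    rules.grant("manager", "price-list.xlsx", Right.READ | Right.TRANSMIT)
    return rules


if __name__ == "__main__":
    rules = build_example_rules()
    requests = [
        ("analyst", Right.READ | Right.EDIT),
        ("analyst", Right.TRANSMIT),   # right was never granted
        ("intern", Right.READ),        # user has no rule at all
    ]
    for user, right in requests:
        print(user, right, rules.check(user, "price-list.xlsx", right))
    print("denied:", rules.denied())
```

The journal records allowed requests as well as refused ones, so the activity of an authorized user can be reviewed later.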

The technical level is conventionally divided into physical, hardware, software and mathematical sublevels.

  • physical - creating barriers around the protected object: security systems, noise masking, reinforcement of architectural structures;
  • hardware - installing technical means: special computers, employee monitoring systems, protection of servers and corporate networks;
  • software - installing the protection system's software shell, implementing the access separation rules and testing their operation;
  • mathematical - implementing cryptographic and steganographic methods of data protection for secure transmission over the corporate or global network.

The third and final stage is maintaining the system's operability, regular monitoring and risk management. It is important that the protection module is flexible and lets the security administrator improve the system quickly when new potential threats are discovered.

Types of confidential data

Confidential data is information to which access is restricted in accordance with state laws and with rules that companies establish on their own.

  • Personal confidential data: personal data of citizens, the right to privacy, correspondence, concealment of identity. The only exception is information disseminated in the media.
  • Official confidential data: information to which only the state (state authorities) can restrict access.
  • Judicial confidential data: the secrecy of investigation and legal proceedings.
  • Commercial confidential data: all types of information related to commerce (profit) to which access is restricted by law or by the enterprise (secret developments, production technologies, etc.).
  • Professional confidential data: data related to citizens' professional activities, for example medical, notarial or attorney secrecy, the disclosure of which is punishable by law.

Threats of confidentiality of information resources

A threat is a possible or actual attempt to take possession of protected information resources.

The sources of threats to the safety of confidential data are competitors, attackers and management bodies. The purpose of any threat is to affect the integrity, completeness and availability of data.

Threats are internal or external. External threats are attempts to gain access to data from outside; they involve hacking servers, networks and employee accounts, and reading information from technical leakage channels (acoustic eavesdropping with bugs, cameras, induced signals in hardware, picking up vibroacoustic information from windows and architectural structures).

Internal threats involve unlawful actions by personnel, a department or the company's management. As a result, a user of the system who works with confidential information can hand it over to outsiders. In practice, this kind of threat occurs more often. An employee can leak secret data for years. This is easy to do because the security administrator does not classify the actions of an authorized user as a threat.

Since internal IS threats are associated with the human factor, they are harder to track and manage. Incidents can be prevented by dividing employees into risk groups. An automated module for building psychological profiles can handle this task.

An unauthorized access attempt can occur in several ways:

  • through employees, who can pass confidential data to outsiders, take away physical media or gain access to protected information through printed documents;
  • using software: attackers carry out attacks aimed at stealing login-password pairs, intercepting cryptographic keys to decrypt data, and copying information without authorization;
  • using hardware components of the automated system, for example by planting listening devices or using hardware technologies that read information at a distance (from outside the controlled zone).


Hardware and software for IS

All modern operating systems are equipped with built-in data protection modules at the software level. Mac OS, Windows, Linux and iOS cope well with the task of encrypting data on disk and in transit to other devices. However, to work effectively with confidential information it is important to use additional protection modules.

User operating systems do not protect data at the moment it is transmitted over the network, whereas protection systems make it possible to control the information flows that circulate in the corporate network and the storage of data.

Hardware and software protection modules are customarily divided into groups, each of which performs a function in protecting sensitive information:

  • Identification level - a comprehensive user recognition system that can use standard or multi-level authentication and biometrics (face recognition, fingerprint scanning, voice recording and other techniques).
  • Encryption level - provides key exchange between the sender and the recipient and encrypts / decrypts all system data.

Legal protection of information

The legal basis of information security is provided by the state. Information protection is governed by international conventions, the Constitution, federal laws and by-laws.

The state also determines the degree of liability for violating the provisions of IS legislation. For example, Chapter 28 "Crimes in the Sphere of Computer Information" of the Criminal Code of the Russian Federation includes three articles:

  • Article 272 "Unauthorized access to computer information";
  • Article 273 "Creation, Use and Dissemination of Malicious Computer Programs";
  • Article 274 "Violation of the rules for operating the means of storage, processing or transmission of computer information and of information and telecommunication networks."

Posted on http://www.allbest.ru/

  • Introduction
    • 1. Classification of information
    • 2. Information security
      • 2.1 Threats of information
      • 2.2 Threats of confidential information.
      • 2.3 Information Protection Directions
      • 2.4 Information Protection System
    • Conclusion
    • List of sources used
Introduction

Every information resource, whether a user's computer, an organization's server or network equipment, must be protected from all kinds of threats. File systems, the network and so on must be protected. We will not consider the ways of implementing protection in this article because of their enormous diversity.

However, it should be understood that one hundred percent protection is impossible. At the same time, it must be remembered that the higher the level of security, the more expensive the system and the less convenient it is for the user, which in turn weakens protection against the human factor. As an example, recall that an excessively complex password forces the user to write it down on a piece of paper that is then stuck to the monitor, the keyboard, etc.

There is a wide range of software aimed at solving information protection tasks: anti-virus programs, firewalls, tools built into operating systems and much more. However, it is worth remembering that a person remains the most vulnerable link in the defense! After all, the effectiveness of any software depends on the quality of its code and on the competence of the administrator who configures the protection tool.

For this reason many organizations create information protection services (departments) or assign the corresponding tasks to their IT departments. At the same time, it must be understood that the IT service should not be loaded with functions that are not proper to it. This has been said and written about more than once. So, suppose an information security department has been created in your organization. What should be done next? Where to begin?

You need to start with employee training! And from then on make this process regular. Training personnel in the basics of information security should be a permanent task of the information protection department. And it should be done at least twice a year.

1. Classification of information

Historically, as soon as the question of classifying information is raised (this applies first of all to information owned by the state), it immediately begins to be classified by level of secrecy (confidentiality). Requirements for availability, integrity and observability, if they are remembered at all, are mentioned only in passing, among the general requirements for information processing systems.

If such a view can still somehow be justified by the need to protect state secrets, then carrying it over to another subject area looks simply misplaced. For example, under Ukrainian legislation the owner of information determines its level of confidentiality himself (when the information does not belong to the state).

In many areas the share of confidential information is relatively small. For open information, where the damage from disclosure is small, the most important properties may be availability, integrity or protection from unlawful copying. Consider the website of an online publication as an example. In my opinion, the availability and integrity of the information come first there, not its confidentiality. Evaluating and classifying information only from the standpoint of secrecy is unproductive, to say the least.

This can be explained only by the narrowness of the traditional approach to information protection and by the lack of experience in ensuring the availability, integrity and observability of information that is not secret (confidential).
Scheme: classification of information by importance

INFORMATION

A. Special importance (s)

B. Top Secret (SS)

C. Secret (C)

D. For official use

F. Open (O)

From the point of view of protection, information has a number of significant properties:

1. Confidentiality - a property of information whose value is set by the owner of the information and which reflects the restriction of access to it in accordance with existing legislation.

2. Availability - a property of information that determines the degree to which the information can be obtained.

3. Reliability - a property of information that determines the degree of confidence in it.

4. Integrity - a property of information that determines the structural suitability of the information for use.

Confidentiality categories of protected information

· Completely confidential - information recognized as confidential in accordance with the requirements of the law, or information whose distribution was restricted by management decision because its disclosure could lead to severe financial and economic consequences for the organization, up to bankruptcy;

· Confidential - this category includes information not classified as "completely confidential", whose dissemination was restricted by management decision in accordance with the rights granted to it, as the owner of the information, by existing legislation, because its disclosure could lead to significant losses and loss of the organization's competitiveness (cause significant damage to the interests of its clients, partners or employees);

· Open - this category includes information for which confidentiality is not required.

Integrity categories of protected information

· High - information whose unauthorized modification or forgery can cause significant damage to the organization;

· Low - this category includes information whose unauthorized modification can cause minor damage to the organization, its customers, partners or employees;

· No requirements - this category includes information for which no integrity or authenticity requirements are set.

2. Information security

While information security is the state in which information is protected, information protection is the activity of preventing leakage of protected information and unauthorized and unintended impacts on it, that is, the process aimed at achieving this state.

The information security of an organization is the state of protection of the organization's information environment that ensures its formation, use and development.

In modern society the information sphere has two components: the information-technical one (the artificially created world of technology, technologies, etc.) and the information-psychological one (the natural world of living nature, including the human being). Accordingly, in the general case the information security of society (the state) can be represented by two components: information-technical security and information-psychological (psychophysical) security.

Security of information (data) is the state of protection of information (data) in which its confidentiality, availability and integrity are ensured.

Information security is the protection of the confidentiality, integrity and availability of information.

Information security (Eng. Information Security) - all aspects related to defining, achieving and maintaining the confidentiality, integrity, availability, non-repudiation, accountability, authenticity and reliability of information or of the means of processing it.

2.1 Threats of information

By threats to information we mean potential or actually possible actions with respect to the information sphere that lead to unauthorized changes in the properties of information (confidentiality, availability, reliability, integrity).

In their final manifestation, the following threats to information can be distinguished:

1. Acquaintance.

2. Modification.

3. Destruction.

4. Blocking.

Specific realizations of threats to information are called threat scenarios.

Acquaintance with confidential information can take place in various ways; what is essential is that the information itself is not changed.

A violation of the confidentiality or secrecy of information means that persons for whom it was not intended have become familiar with it. Which information is confidential or secret is decided by the owner or holder of that information. They also define the circle of persons who have access to it. A violation of confidentiality can occur through familiarization by persons who have no right to it, and through unauthorized modification of the secrecy marking (significance).

Modification of information is aimed at changing such properties as confidentiality, reliability and integrity, and implies a change in the composition and content of the information. Modification does not imply complete destruction of the information.

Destruction of information is directed, as a rule, at the integrity of information and leads to its complete destruction. A violation of the integrity of information consists in the loss of information. If information is lost, it disappears permanently and cannot be restored by any means. Losses can occur through destruction of the information carrier or its disappearance, through erasure of information on rewritable media, or through loss of power in devices with volatile memory. When information is destroyed, its availability is also violated.

Blocking of information leads to loss of access to it, i.e. to the unavailability of information. Availability means that a subject who has the right to use the information must be able to obtain it in a form convenient for that subject. When access is lost, the information still exists but cannot be used. That is, the subject cannot become familiar with it, copy it, pass it to another subject or present it in a form convenient for use. Loss of access may be related to the absence or malfunction of some equipment of automated systems (AS), the absence of a specialist or the specialist's insufficient qualification, the absence or inoperability of some software, the use of AS resources to process extraneous information, failure of support systems, etc. Since the information is not lost, access to it can be regained once the causes of the loss of access are eliminated.

The listed threats to information may manifest themselves as a complex of sequential and parallel realizations. The realization of threats associated with a violation of the properties of information leads to a violation of the control regime and ultimately to moral and (or) material losses.

The threats to information listed above can be classified along the following lines:

by object:

· Staff

· Material and financial values,

· Information;

by damage:

· Extreme,

· Significant,

· Insignificant;

by cause of occurrence:

· Spontaneous

· Intentional;

in relation to the object:

· Internal,

· External;

by the nature of the action:

· Active,

· Passive.

Sources of information threats can be both internal and external. Most often this division is made on a territorial basis and by whether the source belongs to the object of information protection.

Sources of information threats

On average, the ratio of external to internal threats can be characterized as follows:

· 82% of threats are carried out by the company's own employees or with their direct or indirect participation;

· 17% of threats come from outside (external threats);

· 1% of threats are carried out by random persons.

Information threats are vectorial in nature, i.e. they always pursue certain goals and are directed at specific objects.

Sources of confidential information are people, documents, publications, technical information carriers, technical means of supporting production and work activities, products and production waste.

The most important objects to ensure information security in law enforcement and judicial fields include:

· Information resources of federal executive bodies implementing law enforcement functions, judicial authorities, their information and computing centers, research institutions and educational institutions, containing special information and service operational data;

· Information and computational centers, their information, technical, software and regulatory support;

· Information infrastructure (information and computing networks, control points, nodes and communication lines).

2.2 Threats of confidential information.

For information communication systems there is one general principle that is very important for understanding information security as a whole. Information is always addressed and always has an owner. Moreover, the addressing is not arbitrary but is determined by the owner of the information. If this right is emphasized in the message (secrecy is specified), the information becomes confidential. On receiving this information, the user cannot dispose of it arbitrarily: it does not belong to him (unless ownership was transferred).

Ownership is determined by the law in force in the country. Depending on the type of property, confidential information can be classed as state, commercial or personal information. This correlation follows a descending hierarchy.

The list of information constituting a state secret is formed by the state, represented by its institutions. This information is mandatorily secret for individual, lower-ranking legal entities and individuals of the country.

The list of information constituting a commercial secret is formed by the commercial enterprise. It also ensures the safety and protection of that information.

A personal secret is determined by the individual. Naturally, preserving and protecting this information is the individual's own concern, although legal protection rests with the state.

Unlawful acquisition of confidential information is possible through its disclosure by sources of information, through leakage of information via technical means, and through unauthorized access to protected information.

Actions leading to unlawful acquisition of confidential information:

· Disclosure,

· Leakage,

· Unauthorized access.

1. Disclosure is intentional or careless actions with confidential information that result in persons who were not admitted to it becoming familiar with it.

Disclosure takes the form of communicating, transferring, providing, forwarding, publishing, losing and other forms of exchange and actions with confidential information. Disclosure takes place over formal and informal channels of information dissemination.

Formal communications include business meetings, conferences, negotiations and similar forms of communication, the exchange of official business and scientific documents, and the means of transferring official information (mail, telephone, telegraph, etc.).

Informal communications include personal communication, exhibitions, seminars, conferences and other mass events, as well as the media (print, newspapers, interviews, radio, television, etc.).

As a rule, the reason for disclosure of confidential information is insufficient knowledge of the rules for protecting secrets and a failure to understand the need to observe them carefully. It is important to note that the subject in this process is the source (owner) of the protected secrets.

The informational features of this action should be noted. The information is substantive, meaningful, ordered, reasoned and voluminous, and is often delivered in real time. A dialogue is often possible. The information is focused on a specific subject area and is documented. To obtain the information of interest, an attacker spends almost minimal effort and uses simple legal techniques.

2. Leakage is the uncontrolled release of confidential information beyond the organization or the circle of persons to whom it was entrusted, via technical leakage channels.

Information leaks through various technical channels. It is known that information is in general carried or transmitted either by energy or by matter: acoustic (sound) or electromagnetic radiation, a sheet of paper, and so on.

With this in mind, it can be stated that physically the following carriers of information are possible: light rays, sound waves, electromagnetic waves, materials and substances.

Accordingly, information leakage channels are classified as visual-optical, acoustic, electromagnetic and material. An information leakage channel is customarily understood as a physical path from the source of confidential information to an attacker, by which the latter can gain access to protected information.

For an information leakage channel to form, certain spatial, energy and time conditions are needed, as well as appropriate equipment on the attacker's side for receiving, processing and recording the information.

3. Unauthorized access is the unlawful intentional acquisition of confidential information by a person who does not have the right of access to protected secrets.

To carry out these actions, an attacker has to penetrate the protected object using various technical means. With the development of computer technology, remote unauthorized access to protected information, in other words computer hacking, has become possible.

Taking the above into account, it remains to consider which conditions contribute to the unlawful acquisition of confidential information:

· disclosure (excessive talkativeness of employees) - 32%;

· unauthorized access through bribery and inducement to cooperate by competitors and criminal groups - 24%;

· lack of proper control and of strict conditions for ensuring information security at the firm - 14%;

· traditional exchange of production experience - 12%;

· uncontrolled use of information systems - 10%;

· presence of prerequisites for conflicts among staff - 8%.

2.3 Information Protection Directions

The literature proposes the following classification of information security tools.

· Means of protection against unauthorized access (UA):

  · Mandatory access control;

  · Discretionary (selective) access control;

  · Role-based access control;

  · Logging (also called audit).

· Systems for analyzing and modeling information flows (CASE systems).

· Network monitoring systems:

  · Intrusion detection and prevention systems (IDS / IPS).

· Protocol analyzers.

· Antivirus tools.

· Firewalls.

· Cryptographic means:

  · Encryption;

  · Digital signature.

· Backup systems.

· Uninterruptible power supply systems:

  · Uninterruptible power sources;

  · Load redundancy;

  · Voltage generators.

· Authentication systems:

  · Password;

  · Certificate;

  · Biometrics.

· Means of preventing tampering with enclosures and equipment.

· Premises access control tools.

· Tools for analyzing protection systems:

  · Monitoring software product.

Taking into account established practice in ensuring information security, the following directions of information protection are distinguished:

1. Legal protection - special laws, other regulatory acts, rules, procedures and measures that protect information on a legal basis;

2. Organizational protection - regulation of the activities and relationships of performers on a regulatory and legal basis that excludes or significantly hinders unlawful acquisition of confidential information and the manifestation of internal and external threats.

3. Engineering and technical protection - a set of special bodies, technical means and measures for their use in the interests of protecting confidential information.

A security system is created to implement information protection.

By a security system we mean an organizational set of special bodies, services, means, methods and measures that protect the vital interests of the individual, the enterprise and the state from internal and external threats.

The information protection system is part of the security system.

Organizational and engineering and technical support of information security.

Organizational protection is the regulation of production activities and of the relationships between performers on a regulatory and legal basis that excludes or significantly impedes the unlawful acquisition of confidential information and the manifestation of internal and external threats.

Organizational protection provides:

· Organization of guarding, the access regime, and work with personnel and with documents;

· Use of security means and of information and analytical activities to identify internal and external security threats.

Organizational measures play a significant role in creating a reliable information protection mechanism, since the possibilities for unauthorized use of confidential information are largely due not to technical aspects but to malicious actions and to the carelessness and negligence of users or security personnel. The influence of these aspects is almost impossible to avoid by technical means alone. This requires a combination of organizational-legal and organizational-technical measures that would exclude (or at least reduce to a minimum) the possibility of a threat to confidential information.

Organizational measures are restrictive measures that mainly come down to regulating access to and use of the technical means of information processing. They are usually carried out by the organization itself, using the simplest organizational measures.

The main organizational measures include:

· Organization of the access regime and guarding. Their goal is to exclude the possibility of secret entry of unauthorized persons onto the territory and into the premises, and to make it convenient to monitor the passage and movement of employees and visitors;

· Creation of separate production zones by type of confidential work, with independent access systems;

· Monitoring and observance of the time regime of work and of the presence of the company's personnel on the territory;

· Organization and maintenance of a reliable pass regime and control of employees and visitors, etc.;

· Organization of work with employees, which covers the selection and placement of personnel, including getting to know employees, studying them, training them in the rules for working with confidential information, acquainting them with the measures of liability for violating information protection rules, etc.;

· Organization of work with documents and documented information, including the development and use of documents and media carrying confidential information, and their accounting, execution, return, storage and destruction;

· Organization of the use of technical means for collecting, processing, accumulating and storing confidential information;

· Organization of work on analyzing internal and external threats to confidential information and on developing measures to ensure its protection;

· Organization of systematic monitoring of the work of personnel with confidential information and of the procedure for accounting, storing and destroying documents and technical media.

In each particular case, organizational measures take a form and content specific to the organization, aimed at ensuring information security in its specific conditions.

· Determining the boundaries of the protected zone (territory);

· Determining the technical means used to process confidential information within the controlled territory;

· Identification of technical means and design features of buildings and structures that are "dangerous" in terms of the possible formation of information leakage channels;

· Identification of possible paths by which intruders could reach sources of confidential information;

· Implementation of measures to detect, identify and monitor the protection of information by all available means.

Organizational measures are expressed in certain restrictive measures. These restrictive measures can be divided into territorial, spatial and temporal.

Territorial restrictions come down to the skillful placement of sources on the ground or in buildings and premises so as to exclude eavesdropping on conversations or interception of signals from radio-electronic means.

Spatial restrictions are expressed in choosing the directions in which signals are radiated so as to minimize the possibility of their interception by intruders.

Temporal restrictions consist in reducing to a minimum the operating time of technical means and in using hidden communication methods, encryption and other protection measures.

One of the most important tasks of organizational activity is to determine the state of technical security of the facility and its premises, and to prepare and carry out organizational measures that exclude the possibility of unlawful acquisition of confidential information and prevent its disclosure, leakage and unauthorized access to protected secrets.

A specific area of organizational measures is the organization of the protection of personal computers (PEVM), information systems and networks.

Engineering and technical protection is a combination of special bodies, technical means and activities for their use in the interests of protecting confidential information.

By functional purpose, the means of engineering and technical protection are classified into the following groups:

· Physical means, including various means and structures that prevent the physical penetration (or access) of intruders to protected facilities and to material carriers of confidential information, and that protect personnel, material assets, finances and information from unlawful impacts;

· Hardware means: instruments, devices, appliances and other technical solutions used in the interests of information protection;

· Software means, covering special programs, software packages and information protection systems in information systems of various purposes and in means of processing (collecting, accumulating, storing, processing and transmitting) data;

· Cryptographic means: special mathematical and algorithmic means of protecting information transmitted over communication systems and networks and stored and processed on a computer, using a variety of encryption methods.

Obviously, this division of information protection means is rather conditional, since in practice they often interact and are implemented together as software and hardware modules that make wide use of information-concealing (encryption) algorithms.

Physical means are a variety of devices, fixtures, structures, apparatus and products intended to create obstacles in the path of intruders.

Physical means include mechanical, electromechanical, electronic, electro-optical, radio engineering and other devices for preventing unauthorized access (entry, exit), the carrying in or out of means and materials, and other possible types of criminal actions.

These means are used to solve the following tasks:

· Protection of the territory of the enterprise and surveillance of it;

· Protection of buildings and interior premises and control over them;

· Protection of equipment, products, finances and information;

· Implementation of controlled access to buildings and premises.

All physical means of protecting facilities can be divided into three categories: threat prevention means, threat detection means and threat elimination systems. Security alarms and security television, for example, are threat detection means. Fences around facilities are means of preventing unauthorized entry onto the territory, while reinforced doors, walls, ceilings, window bars and other measures serve as protection both against penetration and against other criminal actions (eavesdropping, shelling, throwing grenades and explosives, etc.). Fire extinguishing equipment belongs to the threat elimination systems.

In general, by physical nature and functional purpose, all means of this category can be divided into the following groups:

· Security and security-and-fire alarm systems;

· Security television;

· Security lighting;

· Physical protection means.

The hardware means of information protection include technical structures that differ widely in principle of operation, design and capabilities, and that ensure the prevention of disclosure, protection against leakage and countering of unauthorized access to sources of confidential information.

Hardware means of information protection are used to solve the following tasks:

· Conducting special studies of the technical means supporting production activities for the presence of possible information leakage channels;

· Detecting information leakage channels at different facilities and in premises;

· Localization of information leakage channels;

· Search for and detection of industrial espionage means;

· Countering unauthorized access to sources of confidential information and other actions.

A special group comprises hardware means for protecting computers and the communication systems based on them.

Hardware protection means are used both in individual PCs and at various levels and sections of the network: in the central processors of computers, in their random access memory (RAM), I/O controllers, external memory, terminals, etc.

To protect central processors (CPUs), code redundancy is used: the creation of additional bits in the formats of machine instructions (secrecy bits) and of reserve registers (in CPU devices). At the same time, two possible modes of processor operation are provided, which separate auxiliary operations from the operations that directly solve the user's tasks. A special interrupt system implemented in hardware serves this purpose.

One of the hardware measures for protecting computers and information networks is to limit access to RAM by establishing boundaries or fields. For this, control registers and data protection registers are created. Additional parity bits are also used, a variety of the code redundancy method.

To indicate the degree of confidentiality of programs and data and the categories of users, bits called secrecy bits are used (two or three additional bits that encode the secrecy categories of users, programs and data).

To prevent data remaining in RAM from being read after processing, a special erase scheme is applied. In this case, a command to erase RAM is formed and the address of the memory block to be cleared of information is specified. This scheme writes zeros or any other sequence of characters into all cells of this memory block, ensuring reliable erasure of the previously loaded data.
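The RAM protection measures described above (boundaries, secrecy bits, parity bits and the erase scheme) can be seen working together in a small software model. This is an added illustration, not code from the original text; the class, the 8-bit cell size and the rule that a user's category must be at least the block's category are assumptions of the model.

```python
class ProtectionFault(Exception):
    """Raised when an access fails a boundary, secrecy or parity check."""


def parity_bit(word):
    """Even parity over an 8-bit word: 1 when the word holds an odd number of ones."""
    return bin(word & 0xFF).count("1") % 2


class ProtectedMemory:
    """Toy model of RAM guarded by boundary registers, secrecy bits and parity."""

    def __init__(self, size):
        self.cells = [0] * size
        self.parity = [0] * size
        self.blocks = {}  # name -> (base, length, secrecy level 0..3)

    def allocate(self, name, base, length, level):
        if base < 0 or length <= 0 or base + length > len(self.cells):
            raise ProtectionFault("block does not fit in memory")
        for other_base, other_len, _ in self.blocks.values():
            if base < other_base + other_len and other_base < base + length:
                raise ProtectionFault("block overlaps an existing block")
        self.blocks[name] = (base, length, level)

    def _translate(self, name, offset, user_level):
        base, length, level = self.blocks[name]
        if not 0 <= offset < length:      # boundary registers
            raise ProtectionFault("address outside block boundaries")
        if user_level < level:            # secrecy bits (assumed rule)
            raise ProtectionFault("secrecy category too low")
        return base + offset

    def write(self, name, offset, value, user_level):
        addr = self._translate(name, offset, user_level)
        self.cells[addr] = value & 0xFF
        self.parity[addr] = parity_bit(value)

    def read(self, name, offset, user_level):
        addr = self._translate(name, offset, user_level)
        if parity_bit(self.cells[addr]) != self.parity[addr]:
            raise ProtectionFault("parity error")
        return self.cells[addr]

    def release(self, name):
        """Erase scheme: overwrite every cell of the block before freeing it."""
        base, length, _ = self.blocks.pop(name)
        for addr in range(base, base + length):
            self.cells[addr] = 0
            self.parity[addr] = 0


def fault_reason(action):
    """Run an access and return the fault message, or None when it succeeds."""
    try:
        action()
    except ProtectionFault as fault:
        return str(fault)
    return None
```

A single parity bit detects any odd number of flipped bits in a cell but not an even number, which is why it is a check against corruption rather than against deliberate modification.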

Hardware protection is also applied in user terminals. To prevent information leakage when an unregistered terminal is connected, the terminal from which a request came must be identified (by automatically determining its code or number) before the requested data is issued. In multi-user mode, identifying the terminal is not enough. The user must also be authenticated, that is, the user's authenticity and authority must be established. This is also necessary because different users registered in the system may have access only to individual files and strictly limited authority to use them.

To identify the terminal, a code generator built into the terminal hardware is most often used, and for user authentication, hardware such as keys, personal code cards, personal identifiers, and devices that recognize the user or the shape of the user's fingers. But the most common authentication means are passwords, which are checked not by hardware but by software identification means.
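The sequence described above (identify the terminal, authenticate the user by a password checked in software, then apply that user's limited rights to individual files) is sketched below. This is an added example, not code from the original text; the terminal codes, user names, file names and the choice of PBKDF2 for password storage are all assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: terminal codes, users and per-file rights are hypothetical.
REGISTERED_TERMINALS = {"T-0017", "T-0042"}  # codes reported by terminal hardware
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt):
    """Derive a slow, salted hash so the stored value does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(password, permissions):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "permissions": permissions}


USERS = {
    "ivanova": make_user("correct horse battery", {"payroll.db": {"read"}}),
    "petrov": make_user("staple-7-mango", {"payroll.db": {"read", "write"},
                                            "plans.doc": {"read"}}),
}

# A dummy record makes the check do the same work for unknown user names,
# so response time does not reveal which accounts exist.
DUMMY_RECORD = make_user("dummy", {})


def identify_terminal(terminal_code):
    """Step 1: the request must come from a registered terminal."""
    return terminal_code in REGISTERED_TERMINALS


def authenticate(user, password):
    """Step 2: software password check with a constant-time comparison."""
    record = USERS.get(user, DUMMY_RECORD)
    candidate = hash_password(password, record["salt"])
    matches = hmac.compare_digest(candidate, record["hash"])
    return matches and user in USERS


def request_data(terminal_code, user, password, filename, action):
    """Step 3: only after both checks are the user's per-file rights consulted."""
    if not identify_terminal(terminal_code):
        return "DENY: unregistered terminal"
    if not authenticate(user, password):
        return "DENY: authentication failed"
    if action not in USERS[user]["permissions"].get(filename, set()):
        return "DENY: no permission"
    return "ALLOW"
```

The same "authentication failed" answer is returned for a wrong password and for an unknown user, so the reply gives no hint about which of the two was wrong.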

Protection software.

Means of protecting a computer from outside intrusion are very diverse and can be classified into such groups as:

· Own protection means provided by general software. Protection elements inherent in the software itself or accompanying it.

· Protection means within the computing system. Protection of equipment, disks and standard devices. Program execution depends on certain actions and special precautions.

· Protection means that request information. They require additional information to be entered in order to identify the user's authority.

· Means of active protection. They are triggered when special circumstances arise (entry of the wrong password, etc.).

· Means of passive protection. They are aimed at warning, monitoring, searching for evidence, etc.

The following areas of use of programs for ensuring the security of confidential information can be distinguished:

· Protection of information from unauthorized access;

· Protection of information from copying;

· Protection of information and programs from viruses;

· Software protection of communication channels.

For each of these areas there is a sufficient number of high-quality software products developed and distributed by professional organizations.

Protection software includes the following types of special programs:

· Identification of technical means and files, and user authentication;

· Registration and monitoring of the operation of technical means and users;

· Maintenance of modes for processing restricted-use information;

· Protection of the operating facilities of the computer and of user application programs;

· Destruction of information in memory after use;

· Control of resource use;

· Auxiliary protection programs for various purposes.

Cryptographic means

The transformation, by mathematical methods, of a secret message, telephone conversation or computer data transmitted over communication channels in such a way that it becomes completely incomprehensible to unauthorized persons.

Organizational and technical measures ensure that the disclosure and leakage of confidential information through the technical means supporting production and work activity is blocked, and counter the technical means of industrial espionage, using special technical means installed on structural elements of buildings and premises and on technical means that potentially form information leakage channels.

For this purpose, it is possible to use:

· Technical means of passive protection, such as limiting filters and similar means of decoupling acoustic, electrical and electromagnetic systems, for protecting telephone networks, power supply, radio, etc.

· Technical means of active protection: sensors of acoustic noise and electromagnetic interference.

Organizational and technical measures to protect information can be divided into spatial, regime and energy measures.

Spatial measures are expressed in reducing the width of the radiation pattern and weakening the side and back lobes of the radiation pattern of radio-electronic means (RES).

Regime measures come down to the use of hidden methods of transmitting information by means of communication: encryption, quasi-variable transmission frequencies, etc.

Energy measures are a decrease in radiation intensity and operation of the RES at reduced power.

Technical measures are measures that ensure the acquisition, installation and use in production activities of special technical means protected from side emissions (safe), or of means whose emissions do not extend beyond the boundary of the protected area.

Technical measures to protect confidential information can be divided into concealment, suppression and disinformation.

Concealment is expressed in the use of radio silence and the creation of passive interference for the intruders' receiving means.

Suppression is the creation of active interference for the intruders' means.

Disinformation is the organization of false operation of the technical means of communication and information processing; changing the modes of frequency use and communication regulations; displaying false unmasking signs of activity and identification.

Protective technical measures can be directed at a specific technical device or specific equipment and are expressed in measures such as switching off equipment during confidential negotiations or using particular protective devices such as limiters, buffer devices, filters and noise generators.

2.4 Information security system

By a security system we mean an organized set of special bodies, services, means, methods and measures that ensure the protection of the vital interests of the individual, the enterprise and the state from internal and external threats.

Security system:

· Development of plans and measures to protect information;

· Formation, provision and development of security bodies, forces and means;

· Restoration of protected objects;

· Identification of the threat;

· Prevention of the threat;

· Neutralization of the threat;

· Suppression of the threat;

· Localization of the threat;

· Repelling of the threat;

· Elimination of the threat.

The information protection system (SZI) is an organized set of special bodies, means, methods and measures that protect information from internal and external threats.

From the standpoint of a systems approach, certain requirements are imposed on information protection. Information protection must be:

1. Continuous.

2. Planned. Each service develops a plan for protecting information within its competence.

3. Targeted. What is protected is what must be protected in the interests of a specific goal.

4. Specific. Specific data that objectively require protection are protected.

5. Active.

6. Reliable.

7. Universal. It covers any information leakage channels.

8. Complex. All necessary types and forms of protection are applied.

To meet these requirements, an SZI may have the following types of support:

1. Legal.

2. Organizational. Different types of services.

3. Hardware. Technical means of protecting information.

4. Informational. Information, data, indicators.

5. Software. Programs.

6. Mathematical. Mathematical methods.

7. Linguistic. Language means of communication.

8. Regulatory-methodical. Regulations for the activities of services, practical methods.

Methods are the procedures and techniques for using forces and means to achieve the goal of protecting confidential information.

Ways to protect information are a combination of techniques, forces and means that ensure confidentiality, integrity, completeness and availability of information, and opposition to internal and external threats.

Ensuring information security is achieved by a system of measures aimed at:

· Threat prevention. Threat prevention consists of preventive measures to ensure information security in order to forestall the possibility of threats arising;

· Identification of threats. Identification consists in the systematic analysis and monitoring of the possibility of real or potential threats emerging and in timely measures to prevent them;

· Threat detection. Detection is aimed at determining real threats and specific criminal actions;

· Localization of criminal actions and taking measures to eliminate threats or specific criminal actions;

· Elimination of the consequences of threats and criminal actions and restoration of the status quo.

Prevention of possible threats and unlawful actions can be ensured by a wide variety of measures and means, ranging from fostering a deeply conscious attitude among employees toward security and information protection to creating a deep, layered (echeloned) system of protection by physical, hardware, software and cryptographic means.

Threat prevention is also possible by obtaining (if you like, extracting) information about unlawful acts being prepared, planned thefts, preparatory actions and other elements of criminal acts. For these purposes, security officers need to work with informants in order to observe and objectively assess the situation both inside the workforce, especially at the main sites of the company, and outside it, among competitors and criminal groups.

In threat prevention, a significant role is played by the information and analytical activity of the security service, based on deep analysis of the crime situation and of the activities of competitors and attackers.

Identification aims at carrying out measures to collect, accumulate and analytically process information about the possible preparation of criminal actions by criminal structures or by competitors in the market for the production and sale of goods and products.

Detection of threats consists of actions to determine specific threats and their sources that cause some kind of damage. Such actions include detecting facts of theft or fraud, as well as facts of disclosure of confidential information or cases of unauthorized access to sources of commercial secrets.

Suppression or localization of threats consists of actions aimed at eliminating a current threat and specific criminal actions. An example is suppressing eavesdropping on confidential negotiations via the acoustic channel of information leakage through ventilation systems.

The elimination of consequences aims to restore the state that preceded the occurrence of the threat.

It is natural to assume that each kind of threat has its own specific methods, forces and means.

Conclusion

Since the human factor is key to ensuring a proper level of security, all employees must have an idea of possible threats and problems and should implement the Company's information security policy in their work. To achieve this, employees who have access to important information should be trained.

The Company's Security Service should provide physical security and access control to resources:

· Employee workplaces, laboratories and server rooms should be located in separate rooms;

· Access to resources, as well as security within the development center, must be effectively monitored to ensure the continuity of production processes;

· Access to premises with expensive systems and carriers of confidential information should be monitored around the clock.

The company also needs to develop and implement a plan to ensure the continuity of business processes. This plan should identify the main risks and security threats, and the methods of preventing the stoppage of key production processes and of restoring them after emergencies. The plan should include regular internal audits and exercises in disaster recovery and in eliminating the consequences of emergencies.

Technical measures to prevent information leakage include the introduction of ILDP-class information systems (Information Leakage Detection and Prevention). These are tools designed to enforce information security policies. The technical means must analyze information transmitted over possible channels and, when confidential information is detected, prevent its leakage in accordance with the rules and the information security policy of the Company.
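The inspect-then-decide behaviour of such a leakage prevention tool can be shown on a few constructed messages. This is an added example, not part of the original text; the confidentiality markings, channel names and actions are assumed policy values, and payment card numbers (validated with the Luhn checksum) stand in for one kind of confidential data.

```python
import re

# Constructed policy for the example: markings, channels and actions are assumptions.
MARKINGS = ("commercial secret", "confidential", "for internal use only")
EXTERNAL_CHANNELS = {"email-external", "web-upload", "usb"}
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits):
    """Luhn checksum: filters out digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cards(text):
    cards = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            cards.append(digits)
    return cards


def find_markings(text):
    lowered = text.lower()
    return [m for m in MARKINGS if re.search(r"\b" + re.escape(m) + r"\b", lowered)]


def inspect(channel, text):
    """Analyze one message and decide per policy; card numbers are masked in findings."""
    findings = [f"marking:{m}" for m in find_markings(text)]
    findings += [f"card:****{c[-4:]}" for c in find_cards(text)]
    if findings and channel in EXTERNAL_CHANNELS:
        action = "block"
    elif findings:
        action = "allow-and-log"
    else:
        action = "allow"
    return {"channel": channel, "action": action, "findings": findings}


SAMPLE_TRAFFIC = [  # constructed messages, not real traffic
    ("email-external", "Quarterly plan attached. Marked: Commercial secret."),
    ("email-external", "Lunch at 13:00? Call me on 495 123 45 67."),
    ("web-upload", "payment card 4111 1111 1111 1111 exp 12/30"),
    ("email-internal", "CONFIDENTIAL: draft budget for review"),
    ("usb", "order id 4111 1111 1111 1112"),
]


def run():
    return [inspect(channel, text) for channel, text in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for verdict in run():
        print(verdict)
```

The last sample shows why a checksum matters: a 16-digit order number that fails Luhn is not flagged, which keeps false positives from blocking ordinary business traffic.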

It is important to remember that universal 100% protection against information leakage does not exist anywhere and never will. Consequently, the degree of protection of information from leakage can be determined as the ratio of the cost of protection to the value of the protected information itself.

Ensuring the information security of the Russian Federation is a developing and promising sector that plays a huge role in saving and transmitting data.

Information Security System of the Russian Federation

Nowadays any organization or individual has a very large amount of information stored on the Internet or on computers. Because the volume is so large, leaks occur very often, yet no one wants classified and confidential information to reach unauthorized people, which is why precautions must be taken to ensure information security.

Statistics in this area show that some countries have already begun to apply certain information security measures that have become generally accepted, but other statistics show that fraudsters have not stopped trying to reach secret information. On the contrary, as protection improves, attackers find new ways to bypass or break it, so at the moment we observe a growing trend of fraudulent actions rather than a decline. I would like to add that information support in the Russian Federation is now developing rather rapidly and shows a positive growth trend; such a high level of information support has not been seen before in the Russian Federation.

Absolutely any organization or enterprise understands perfectly well that the threat of losing classified information is quite large, so they try with all their might to prevent leaks and to keep secret information secret. A scheme that is not professional protects a large amount of information and closes many paths to fraudsters, yet gaps still remain in it, so competent programmers sometimes bypass security systems and reach secret information, which is then used for illegal purposes.

Functions and Conditions of SIB

The main functions of the information security system of the Russian Federation, which should be present in any protection system:

  1. Instant detection of the threat of penetration, elimination of this threat and closing of the channel of access to information through which attackers can harm the enterprise or an individual in material and moral terms;
  2. Creation of a mechanism for the rapid identification of violations in the work of the enterprise and for responding to situations in which information security is weakened or under threat of being broken;
  3. Creation of conditions to compensate, as soon as possible, for possible damage to the enterprise as a natural or legal person, and of conditions for the rapid restoration of the enterprise's work, so that the lost information cannot affect its operation or the achievement of the tasks set for the enterprise.

Information base and principles of SIB

The tasks above already give a sufficient information base for understanding why information security systems are needed and how they function in real conditions.

Below are the principles of building an information security system that should guide organizations and enterprises protecting confidential information from intruders.

It has long been known that, to ensure a high level of security of one's own information, one must be guided by certain principles, since without them the information security scheme is easily bypassed and you cannot be constantly confident that the information is really kept secret.

  1. The first and most important principle of the information security system of the Russian Federation is continuous work on improving the system. Technology does not stand still, and neither does the development of fraudulent actions aimed at breaking in and obtaining secret data, so the scheme should be constantly improved. The current security system should be checked and tested as often as possible; this is part of the first principle. The system should be analyzed and, where possible, its gaps in defense and the weaknesses that attackers will actually use should be identified. When a gap or any path of information leakage is found, the security mechanism should be updated and reworked immediately so that the gaps found are closed at once and are not available to fraudsters. It follows from this principle that it is impossible simply to install a security system and stop worrying about one's secret information, since the system needs to be constantly analyzed and improved;
  2. The second principle is to use the entire potential of the security system, all of its functions, for each individual file that is responsible for a particular aspect of the enterprise's work. That is, the security system must be used fully and comprehensively, so that the entire arsenal available to the system is in service;
  3. The third and last principle is the holistic use of the security system. It should not be broken into separate parts with individual functions considered in isolation, which would give important files and less important files different levels of security. It works as one large mechanism with many gears that perform different functions but make up a single system.

Legislation and SIB

A very important aspect of the information security system is cooperation with state law enforcement agencies and the legality of the system. The professionalism of the employees of the firm that provides your information security plays a major role. Do not forget that a non-disclosure agreement covering the company's secret information must be concluded with this firm and its employees, since all employees who maintain the security system will have access to the company's information. You need a guarantee that they will not pass this information to third parties interested in obtaining it for mercenary purposes or to undermine the work of your enterprise.

If these principles and conditions are neglected, your security system will not be able to provide a properly high level of protection: there will be no guarantee that the data stays out of the reach of intruders, and this can badly affect the work of the enterprise.

Requirements for the provision of information security of any object

Principles must not only be known but also put into practice. For this there are a number of requirements for the information security system that are as mandatory as the principles themselves.

The ideal security scheme should be:

  1. Centralized. The security system must always be managed centrally, so the enterprise's information security system should mirror the structure of the enterprise itself, to which this method of providing information security (CIB) is attached;
  2. Planned. Based on the general goals of information protection, each employee responsible for a particular aspect of the system should always have a detailed plan for improving the protection system and for using the current one. This is necessary so that information protection works as one holistic scheme, which ensures the highest level of protection for the confidential information of the protected object;
  3. Specified. Each security scheme should have specific protection criteria, since different enterprises have different preferences: some need to protect precisely those files that competitors could use to undermine the production process, while others require holistic protection of every file regardless of its importance. Therefore, before setting up information protection, determine what exactly you need it for;
  4. Active. Information protection must always be provided actively and purposefully. This means that the firm providing the security must have a department of experts and analysts, because your security system should not only eliminate existing threats and find gaps in the database, but also anticipate how events may develop in order to prevent possible threats before they appear. An analytical department is therefore a very important part of the information protection structure; do not forget about it and pay special attention to this aspect. "Forewarned is forearmed";
  5. Universal. Your scheme should be able to adapt to any conditions: it should not matter on which medium your database is stored, in what language it is represented, or in which format it is held. Converting it to another format or moving it to another medium should not cause an information leak;
  6. Unusual. Your information security scheme must be unique, that is, it should differ from similar schemes used by other enterprises or firms. For example, if another enterprise with a data protection scheme similar to yours was attacked and the intruders found a gap in it, the likelihood that your resource will be hacked increases many times over. So show individuality here and set up for your company a security scheme that has not appeared or been used anywhere before, thereby raising the level of protection of your enterprise's confidential data;
  7. Open. It should be open to changes, adjustments and improvements: if you have discovered a gap in your own security system or want to improve it, you should have no problems with access, since gaining access to the system can take time during which the database can be hacked. So make it open for your own company and for the company providing information security of the Russian Federation, on which the preservation of your information systems depends;
  8. Economical. Cost-effectiveness is the last requirement for any security system: you must make sure that the cost of information security for information systems of the Russian Federation in no way exceeds the value of your information. However expensive and perfect the security scheme, there is still a chance that it can be hacked or bypassed, because a gap can be found in any protection if one looks for it. If you spend a lot of money on such a scheme while the data themselves are not worth that much, this is simply pointless spending that can hurt the enterprise's budget.

Secondary requirements of SIB

The basic requirements for the full operation of the security system were listed above. Below are requirements that are not mandatory for the system:

  • The security scheme should be fairly easy to use: an employee who has access to protected information should not need a lot of time to view it when necessary, as this would interfere with their main work. The scheme must be convenient and "transparent", but only inside your company;
  • Each employee or trusted person must have some privileges for accessing protected information. Again, an example: you are the director of an enterprise, and your facility has a number of employees whom you trust and could give access, but you do not, and access is held only by you and the employees of the firm providing the information security system. As a result, your accountant and other employees who need to look at reports or other protected files will have to leave their work and pull you or the protection firm's employees away from yours to get access to a single file. The work of the enterprise is undermined and its effectiveness reduced. So grant privileges to your employees to make their work and yours easier;
  • It should be possible to disable protection simply and quickly, since there are situations when information protection greatly impedes the work of the enterprise. In this case you should be able to easily disable the information security system and enable it again when needed;
  • The information security scheme must function separately from each security subject, that is, they should not be interrelated;
  • The firm providing your security system must periodically try to hack it; it may ask programmers working on other projects to do this. If they succeed, you need to find out immediately exactly how it happened and where the weakness in the protection system is, in order to neutralize it as soon as possible;
  • Your company should not hold detailed reports or a detailed description of the mechanisms protecting your information; only the owner of the enterprise and the firm providing information protection should possess such information.

Information security system: stages

An important element is the staged sequence of actions when developing and installing the information security system of the Russian Federation.

Initially, when creating a protection system, you need to determine what counts as intellectual property. For an enterprise, for example, intellectual property is the knowledge and precise information about each manufactured product, its improvements, the manufacture and development of new products, and ideas for improving the enterprise: in general, everything that ultimately brings you profit. If you cannot determine what intellectual property is for you, then however good the information security scheme, it will not be able to give you a high level of protection, and you still risk losing unprotected information, which will lead to moral and material losses. So this item deserves special attention from the start.

After you have determined what your intellectual property is, move on to the following stages, which are generally accepted for any organization regardless of its size and specifics:

  1. Setting the boundaries within which the information security scheme applies;
  2. Constant study and identification of weak points in the protection system;
  3. Establishing a security policy and taking fast, effective countermeasures when a threat is identified;
  4. Continuous checking of the information security system;
  5. Drawing up a detailed plan for the protection system;
  6. Accurate implementation of the plan drawn up.

If there is a threat, there must be methods of protection and counteraction. Methods are the means of achieving the assigned tasks and the procedure for using the forces that protect confidential information.

The principle of man's action on the subconscious is designed to achieve positive results. The experience of information protection professionals has quite clearly determined the combination of means, forces and techniques aimed at guaranteeing information security or information reliability.

Ensuring information reliability or information security is achieved by actions aimed at the following:

  • detection of threats is expressed in proper analysis and control of the possible appearance of potential or real threats, as well as timely measures to prevent them;
  • threat warning is achieved by providing information security or information reliability ahead of threats and their occurrence, detecting threats through risk analysis;
  • taking measures to eliminate the threat or criminal actions and to localize criminal actions;
  • detection of threats is achieved by identifying specific criminal actions and real threats;
  • elimination of the consequences of threats and specific criminal actions, and restoration of the status quo (Fig. 1).

Information Protection Methods:

  • Obstacle: physically blocking an attacker's path to critical information
  • Access control: protecting information by regulating the use of all information system (IS) resources in IT. Such methods must protect against information
  • Encryption algorithms: these methods are applied both when storing and when processing information. When transferring information, this is the main and only protection method
  • Regulation: creating conditions for storing and processing information in the information system under which protection norms and standards are implemented to the greatest extent
  • Forcing: a means of protection that makes users comply with the rules of work in the information system
  • Motivation: a means of protection that encourages users of the information system not to violate the rules because of ethical and moral norms
  • Hardware: devices that are built into computing mechanisms or connected through interfaces
  • Physical means: various engineering structures that protect staff, information, devices and property from intruders
  • Software tools: software introduced into the information system to implement protection
  • Organizational means: achieved through regulatory documents that govern the work of employees so as to implement maximum protection of the information system

Unlawful actions can be prevented by various means and measures, ranging from maintaining relations between employees through organizational methods to protection by hardware, physical and software means and methods (or or or). Threats can also be prevented at the stage of obtaining information about preparatory actions, acts being prepared, planned embezzlements and other elements of criminal action. For such purposes you need to work with informants in different areas of activity who have different tasks. Some observe and give an objective assessment of what is happening. Others assess the relationships between employees within the team in various parts of the enterprise. Still others work among criminal groups and competitors.

Figure 1.

In preventing threats, a very significant role is played by the information and analytical security service, which works from analysis of the specific situation and of the activities of intruders and competitors. If you have access to the Internet, security service. And also or.

Protection against data disclosure comes down to creating a catalog of information that constitutes a commercial secret of the enterprise. This catalog must be brought to the attention of each employee, with a written obligation from the employee to keep the secret. One of the important measures is a system for controlling the preservation of the integrity and confidentiality of commercial secrets.

Protection of confidential information from leakage is based on recording, identifying and monitoring probable leakage paths in specific situations, and on implementing technical, organizational, and organizational-technical measures to eliminate them.

Protection of confidential information from unauthorized access (NSD) is based on implementing technical, organizational, and organizational-technical procedures to counter NSD, as well as on monitoring and analyzing methods of unauthorized access.

In practice, all measures rely on technical means to some degree, and they are divided into three groups (Fig. 2):

  • organizational (in the field of technical means);
  • technical;
  • organizational and technical.

Figure 2.

Reference protective actions

Protective work, as well as techniques and procedures for maintaining information security, are classified by characteristics and by objects of protection, according to the following parameters:

By orientation: protective methods can be classified as actions aimed at protecting personnel, financial and material assets, and information as an asset.

By method: detection (for example :) or, warning, detection, suppression and recovery.

By direction: protection based on legal methods, organizational measures, and engineering and technical actions.

Updated protective equipment may be aimed at protecting the perimeter of the enterprise, individual premises, buildings, specific groups of equipment, technical means and systems, and individual elements (houses, premises, equipment) that are dangerous from the point of view of unauthorized access (NSD) to them.

The source of information may be people, waste, technical means and so on. Information carriers can be acoustic and electromagnetic fields, or substances (product, paper, material). The propagation medium is solid media or airspace.

The offender may have all the necessary means of receiving electromagnetic and acoustic energy, aerial surveillance, and the ability to analyze the reporting materials.

Submission of information in real form. To rule out unlawful acquisition of confidential information, the signal or source of information should be processed with encryption, muffling or other means.

As information networks (or) and PCs are used and spread more widely, the role of various factors causing disclosure, leakage and NSD to information grows. These are:

  • errors;
  • malicious or unauthorized acts of employees and users;
  • hardware failures and bugs in programs;
  • natural disasters and accidents of various origin and danger;
  • user and personnel errors;
  • errors at.

In this regard, the basics of protecting information in information networks and on PCs are:

  • preventing leakage and loss of information, interference and interception at all levels of influence, for all geographically separated objects;
  • ensuring the rights of users and legal norms in connection with access to information and other resources, involving administrative reviews of information activities, including personal responsibility for the consequences of working and rules;

Figure 3.

Conclusions

1. Information reliability or security is achieved by organizational, technical, and organizational-technical procedures, each of which is provided by its own methods, means and measures with appropriate parameters.

2. The variety of actions and conditions that contribute to illegal or unlawful acquisition of confidential data forces the use of no less diverse methods, means and forces to provide information security or reliability.

3. The main tasks of information protection are to guarantee the confidentiality, integrity and sufficiency of information resources. And also to introduce it into the system.

4. Methods for providing information protection should be proactive in nature, aimed at anticipating ways of preventing probable threats to commercial secrets.

The founder of cybernetics, Norbert Wiener, believed that information has unique characteristics and cannot be attributed to either energy or matter. The special status of information as a phenomenon has spawned a variety of definitions.

The ISO/IEC 2382:2015 "Information technology" standard gives the following interpretation:

Information (in the field of information processing) - any data presented in electronic form, written on paper, expressed at a meeting or held on any other carrier, used by a financial institution for making decisions, moving funds, setting rates, granting loans, processing operations, etc., including components of the processing system software.

To develop a concept for providing information security (IB), information is understood as data that is available for collection, storage, processing (editing, transformation), use and transmission in various ways, including over computer networks and other information systems.

Such information has a high value and can become objects of encroachment by third parties. The desire to protect information from threats underlies the creation of information security systems.

Legal basis

In December 2017, the Information Security Doctrine was adopted in Russia. The document defines IB as the state of protection of national interests in the information sphere. National interests here mean the combined interests of society, the individual and the state; each group of interests is necessary for the stable functioning of society.

Doctrine is a conceptual document. The legal relations related to the provision of information security are governed by federal laws "On State Secret", "On Information", "On Protection of Personal Data" and others. On the basis of fundamental regulations, government decisions and departmental regulations devoted to private information protection issues are being developed.

Definition of information security

Before developing an information security strategy, it is necessary to adopt a basic definition of the concept itself, which makes it possible to apply a particular set of protection methods and techniques.

Industry practitioners propose to understand information security as a stable state of protection of information, its carriers and infrastructure, which ensures the integrity and resilience of information-related processes against intentional or unintentional impacts of natural and artificial nature. Impacts are classified as IB threats, which may cause damage to the subjects of information relations.

Thus, information protection is understood as a set of legal, administrative, organizational and technical measures aimed at preventing real or presumed IB threats, as well as at eliminating the consequences of incidents. The continuity of the information security process should ensure that threats are countered at all stages of the information cycle: collecting, storing, processing, using and transmitting information.

Information security in this understanding becomes one of the characteristics of the system's performance. At any time, the system must have a measurable level of security, and ensuring the security of the system must be a continuous process, which is carried out at all time segments during the life of the system.

In information security theory, the subjects of IB are understood to be the owners and users of information, including not only users on an ongoing basis (employees) but also users who access databases in isolated cases, for example government bodies requesting information. In some cases, for example in banking IB standards, shareholders, the legal entities to which certain data belong, are counted among the owners of information.

Supporting infrastructure, in terms of the foundations of IB, includes computers, networks, telecommunications equipment, premises, life-support systems and personnel. When analyzing security, it is necessary to study all elements of the systems, paying special attention to personnel as the carrier of most internal threats.

To manage information security and assess damage, the characteristic of acceptability is used: damage is defined as acceptable or unacceptable. It is useful for each company to approve its own criteria for acceptable damage in monetary terms or, for example, in the form of permissible damage to reputation. Government agencies may adopt other characteristics, for example the impact on the management process or the degree of damage to the life and health of citizens. The criteria of materiality, importance and value of information may change during the life cycle of the information array and should therefore be revised in a timely manner.

An information threat in the narrow sense is an objective opportunity to influence an object of protection in a way that can lead to leakage, theft, disclosure or dissemination of information. In a broader sense, IB threats include directed informational influence whose purpose is to damage the state, an organization or an individual. Such threats include, for example, defamation, deliberate misleading and improper advertising.

Three main issues of IB concept for any organization

    What to protect?

    What types of threats prevail: external or internal?

    How to protect, what methods and means?

IB system

The information security system for a company (a legal entity) covers three groups of basic concepts: integrity, availability and confidentiality. Each concept covers a variety of characteristics.

Integrity means the resistance of databases and other information arrays to accidental or deliberate destruction and to unauthorized changes. The concept of integrity can be considered as:

  • static, expressed in the invariability and authenticity of information objects relative to those objects that were created to a specific technical specification and contain the amount of information users need for their main activity, in the required configuration and sequence;
  • dynamic, which implies the correct execution of complex actions or transactions without harming the safety of information.

Special technical means are used to control dynamic integrity: they analyze the flow of information, for example financial information, and detect cases of theft, duplication, redirection and changes in message order. Integrity is the primary characteristic when decisions to act are made on the basis of incoming or available information. A violation of the order of commands or of a sequence of actions can cause great damage when technological processes, program code and similar material are being described.
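The flow analysis described above, as an added example that is not part of the original page: a receiver-side monitor that assumes each message carries a sequence number and an HMAC-SHA256 tag, and flags modification (including a redirected payee), duplication, missing messages and reordering. The key, account names and message layout are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real system loads keys from a key store.
KEY = b"constructed-demo-key"


def _canonical(seq, payload):
    """Serialize the fields covered by the tag in a stable byte form."""
    return json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()


def seal(seq, payload, key=KEY):
    """Sender side: bind the sequence number and payload under one HMAC tag."""
    tag = hmac.new(key, _canonical(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}


class FlowMonitor:
    """Receiver side: classify each message in a stream.

    Verdicts:
      ok            tag valid and sequence number is the next expected one
      modified      tag does not match (payload or sequence number changed)
      duplicate     a valid message with this sequence number was already seen
      gap           valid, but earlier sequence numbers have not arrived
      out_of_order  valid late arrival of a number previously reported missing
    """

    def __init__(self, key=KEY, first_seq=1):
        self.key = key
        self.expected = first_seq   # always highest accepted seq + 1
        self.seen = set()           # sequence numbers accepted so far
        self.missing = set()        # numbers skipped over and still absent

    def check(self, msg):
        good = hmac.new(self.key, _canonical(msg["seq"], msg["payload"]),
                        hashlib.sha256).hexdigest()
        # Constant-time comparison so the check leaks nothing about the tag.
        if not hmac.compare_digest(good, str(msg.get("tag", ""))):
            return "modified"
        seq = msg["seq"]
        if seq in self.seen:
            return "duplicate"
        self.seen.add(seq)
        if seq == self.expected:
            self.expected += 1
            return "ok"
        if seq > self.expected:
            self.missing.update(range(self.expected, seq))
            self.expected = seq + 1
            return "gap"
        self.missing.discard(seq)   # a late arrival fills an earlier gap
        return "out_of_order"


def demo():
    """Run the monitor over a constructed stream of six payment messages."""
    sent = [seal(i, {"from": "ACC-A", "to": "ACC-B", "amount": 100 * i})
            for i in range(1, 7)]
    # Message 2 has its payee rewritten in transit; its tag is left unchanged.
    redirected = dict(sent[1], payload=dict(sent[1]["payload"], to="ACC-X"))
    # Message 3 is replayed, message 4 never arrives, messages 5 and 6 swap.
    received = [sent[0], redirected, sent[2], sent[2], sent[5], sent[4]]
    monitor = FlowMonitor()
    verdicts = [monitor.check(m) for m in received]
    return verdicts, sorted(monitor.missing)


if __name__ == "__main__":
    print(demo())
```

The numbers left in `missing` at the end of a session are the messages that were removed from the flow or replaced by a rejected copy, which is what an analyst would follow up on.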

Availability - This is a property that allows authorized subjects to access the data that interests them, or to exchange these data. The key requirement of legitimation or authorization of subjects makes it possible to create different levels of access. Failure of the system to provide information becomes a problem for any organization or user group. An example is the unavailability of public service sites during a system failure, which deprives many users of the opportunity to get the services or information they need.

Confidentiality means the property of information to be available only to those users, subjects and processes, that were granted access from the start. Most companies and organizations perceive confidentiality as a key element of IB, but in practice it is difficult to implement in full. Not all data on existing information leakage channels are available to the authors of IB concepts, and many technical means of protection, including cryptographic ones, cannot be purchased freely; in some cases their circulation is restricted.

The equivalent properties of IB have different value for different users, hence the two extreme categories in the development of data protection concepts. For companies or organizations dealing with state secrets, the key parameter is confidentiality; for public services or educational institutions, the most important parameter is availability.

Protection Objects in IB Concepts

The difference in subjects generates differences in protection objects. The main groups of protection objects:

  • information resources of all kinds (a resource means a material object: a hard disk, another carrier, a document with data and details that help identify it and attribute it to a specific group of subjects);
  • the rights of citizens, organizations and the state to access information and the opportunity to receive it within the law; access can be restricted only by regulatory acts, and setting up any barriers that violate human rights is unacceptable;
  • system of creation, use and distribution of data (systems and technology, archives, libraries, regulatory documents);
  • system of formation of public consciousness (media, Internet resources, social institutions, educational institutions).

Each object involves a special system of measures to protect against threats to IB and public order. Ensuring information security in each case should be based on a systematic approach that takes into account the specifics of the object.

Categories and media

The Russian legal system, law enforcement practice and established public relations classify information by accessibility criteria. This makes it possible to clarify the essential parameters needed to provide information security:

  • information, access to which is limited on the basis of the requirements of laws (state secrets, commercial secrets, personal data);
  • information in open access;
  • public information provided on certain conditions: paid information, or data whose use requires obtaining an access permit, such as a library card;
  • dangerous, harmful, false and other types of information whose circulation and distribution are restricted either by the requirements of laws or by corporate standards.

Information from the first group has two protection regimes. State secret: according to the law, this is information protected by the state whose free distribution may damage the country's security. It covers data in the field of the military, foreign policy, intelligence, counterintelligence and economic activities of the state. The owner of this data group is the state itself. The authorities authorized to take measures to protect state secrets are the Ministry of Defense, the Federal Security Service (FSB), the Foreign Intelligence Service, and the Federal Service for Technical and Export Control (FSTEC).

Confidential information is a more multifaceted object of regulation. The list of information that can be confidential is contained in Decree of the President No. 188 "On Approval of the List of Confidential Information". It covers personal data; the secrecy of investigation and legal proceedings; official secrets; professional secrets (medical, notarial, attorney); trade secrets; information about inventions and utility models; information contained in the personal files of convicts, as well as information on the enforcement of judicial acts.

Personal data exists in open and in confidential mode. The part of personal data that is open and accessible to all users includes the first name, surname and patronymic. According to FZ-152 "On Personal Data", personal data subjects are entitled:

  • to informational self-determination;
  • to access their personal data and make changes to it;
  • to block personal data and access to it;
  • to appeal against unlawful actions of third parties committed in relation to personal data;
  • to compensation for damage.

The right to be enshrined in state bodies, federal laws, licenses for working with personal data, which gives Roskomnadzor or FSTEC. Companies that professionally work with the personal data of a wide range of persons, such as telecom operators, must be entered in the registry maintained by Roskomnadzor.

A separate object in the theory and practice of IB is the media of information, access to which is open and closed. When developing the IB concept, protection methods are selected depending on the type of media. Main carriers of information:

  • printed and electronic media, social networks, other resources on the Internet;
  • employees of the organization who have access to information on the basis of their friendly, family, professional ties;
  • communication means that transmit or save information: phones, PBX, other telecommunication equipment;
  • documents of all types: personal, official, state;
  • software as an independent information object, especially if its version was refined specifically for a particular company;
  • electronic storage media that process data automatically.

For the purposes of developing IB protection concepts, information security tools are conventionally divided into regulatory (informal) and technical (formal).

Informal protection means are documents, rules and measures; formal ones are special technical means and software. The distinction helps to distribute areas of responsibility when creating IB systems: under general management, administrative personnel implement the regulatory methods and IT specialists, correspondingly, the technical ones.

The basics of information security involve the delimitation of powers not only in terms of the use of information, but also in terms of working with its protection. Such a delimitation of powers requires several levels of control.


Formal protective equipment

The wide range of IB-protection technical means includes:

Physical means of protection. These are mechanical, electrical and electronic mechanisms that function independently of the information systems and create obstacles to accessing them. Locks, including electronic ones, screens and blinds are designed to keep destabilizing factors from coming into contact with the systems. The group is complemented by security system equipment such as video cameras, video recorders, and sensors that detect movement or an excess level of electromagnetic radiation in the area where technical means of information capture or implanted listening devices are located.

Hardware protection. These are electrical, electronic, optical, laser and other devices that are embedded in information and telecommunication systems. Before hardware is introduced into information systems, its compatibility must be verified.

Software. These are simple and system-wide, comprehensive programs designed to solve specific and complex tasks associated with providing IB. An example of comprehensive solutions is: the first serve to prevent leakage, reformat information and redirect information flows; the second provide protection against incidents in the field of information security. Software is demanding of hardware capacity, and additional reserves must be provided at installation.

Specific means of information security include various cryptographic algorithms that allow you to encrypt information on disk and information transmitted over external communication channels. Information conversion can be performed by software and hardware methods operating in corporate information systems.

All means that guarantee the security of information should be used together, after a preliminary assessment of the value of the information and a comparison of it with the cost of the resources spent on protection. Therefore, proposals on the use of these means should be formulated as early as the system development phase, and approval should be given at the management level that is responsible for approving budgets.

In order to ensure security, it is necessary to monitor all modern developments, software and hardware protection tools and threats, and to make timely changes to your own systems of protection against unauthorized access. Only an adequate and prompt response to threats will help achieve a high level of confidentiality in the company's work.

In 2018, the first release was published. This unique program compiles psychological portraits of employees and distributes them into risk groups. Such an approach to ensuring information security allows you to anticipate possible incidents and take measures in advance.

Informal means of protection

Informal means of protection are grouped into regulatory, administrative and moral and ethical. At the first level of protection there are regulations governing information security as a process in the organization's activities.

  • Regulations

In world practice, the development of regulatory means is guided by IB protection standards, the main one being ISO/IEC 27000. The standard was created by two organizations:

  • ISO - International Commission for Standardization, which develops and approves most of the internationally recognized methods for certifying the quality of production and management processes;
  • IEC - International Energy Commission, which introduced into the standard its understanding of IB systems, means and methods to ensure

The current version, ISO/IEC 27000-2016, offers ready-made standards and tested techniques needed to implement IB. According to the authors of the methodology, the basis of information security is the systematic and consistent implementation of all stages, from development to post-control.

To obtain a certificate that confirms compliance with information security standards, all recommended techniques must be implemented in full. If there is no need to obtain a certificate, any of the earlier versions of the standard, starting with ISO/IEC 27000-2002, or the Russian GOST standards, which are advisory in nature, may be taken as a basis for developing your own IB systems.

Based on the results of studying the standard, two documents relating to information security are developed. The main one, though less formal, is the enterprise IB concept, which defines the measures and methods for implementing the IB system for the organization's information systems. The second document, which all employees of the company are obliged to comply with, is the Regulation on Information Security, approved at the level of the Board of Directors or the executive body.

In addition to the company-level regulation, lists of information constituting commercial secrets, annexes to employment contracts establishing liability for disclosing confidential data, and other standards and methodologies should be developed. Internal norms and rules should contain implementation mechanisms and measures of responsibility. Most often the measures are disciplinary, and the violator should be prepared for significant sanctions for violating the commercial secrecy regime, up to and including dismissal.

  • Organizational and administrative measures

Within the administrative activities for IB protection, security service staff have room for creativity. This includes architectural and planning solutions that protect meeting rooms and management offices from eavesdropping, and the establishment of different levels of access to information. Important organizational measures include certification of the company's activities under ISO/IEC 27000, certification of individual hardware and software complexes, certification of subjects and objects for compliance with the necessary security requirements, and obtaining the licenses required to work with protected arrays of information.

From the point of view of regulating personnel activities, it will be important to design a system of requests for access to the Internet, external e-mail and other resources. A separate element will be obtaining an electronic digital signature to enhance the security of financial and other information that is transmitted to state authorities over e-mail channels.

  • Moral and ethical measures

Moral and ethical measures determine a person's personal attitude to confidential information or information of restricted circulation. Raising employees' level of knowledge about the impact of threats on the company's activities affects their degree of awareness and responsibility. To combat violations of the information regime, including, for example, sharing passwords, careless handling of information carriers and the dissemination of confidential data in private conversations, it is necessary to appeal to the employee's personal awareness. It will be useful to establish staff performance indicators that depend on the employee's attitude toward the corporate IB system.